From: Greg Kroah-Hartman Date: Sun, 7 Jun 2026 07:37:12 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.12.93~20 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=b4dfa9349a9eb4cbb76b16ca6a8f840f83022c2a;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: hid-core-add-printk_ratelimited-variants-to-hid_warn-etc.patch hid-core-fix-size_t-specifier-in-hid_report_raw_event.patch hid-pass-the-buffer-size-to-hid_report_raw_event.patch --- diff --git a/queue-6.6/hid-core-add-printk_ratelimited-variants-to-hid_warn-etc.patch b/queue-6.6/hid-core-add-printk_ratelimited-variants-to-hid_warn-etc.patch new file mode 100644 index 0000000000..9ffee10c36 --- /dev/null +++ b/queue-6.6/hid-core-add-printk_ratelimited-variants-to-hid_warn-etc.patch @@ -0,0 +1,37 @@ +From 1d64624243af8329b4b219d8c39e28ea448f9929 Mon Sep 17 00:00:00 2001 +From: Vicki Pfau +Date: Mon, 6 Oct 2025 18:05:31 -0700 +Subject: HID: core: Add printk_ratelimited variants to hid_warn() etc + +From: Vicki Pfau + +commit 1d64624243af8329b4b219d8c39e28ea448f9929 upstream. + +hid_warn_ratelimited() is needed. Add the others as part of the block. + +Signed-off-by: Vicki Pfau +Signed-off-by: Jiri Kosina +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/hid.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -1252,4 +1252,15 @@ int hid_pidff_init_with_quirks(struct hi + #define hid_dbg_once(hid, fmt, ...) \ + dev_dbg_once(&(hid)->dev, fmt, ##__VA_ARGS__) + ++#define hid_err_ratelimited(hid, fmt, ...) \ ++ dev_err_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__) ++#define hid_notice_ratelimited(hid, fmt, ...) \ ++ dev_notice_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__) ++#define hid_warn_ratelimited(hid, fmt, ...) \ ++ dev_warn_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__) ++#define hid_info_ratelimited(hid, fmt, ...) \ ++ dev_info_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__) ++#define hid_dbg_ratelimited(hid, fmt, ...) \ ++ dev_dbg_ratelimited(&(hid)->dev, fmt, ##__VA_ARGS__) ++ + #endif diff --git a/queue-6.6/hid-core-fix-size_t-specifier-in-hid_report_raw_event.patch b/queue-6.6/hid-core-fix-size_t-specifier-in-hid_report_raw_event.patch new file mode 100644 index 0000000000..2b4ed36fee --- /dev/null +++ b/queue-6.6/hid-core-fix-size_t-specifier-in-hid_report_raw_event.patch @@ -0,0 +1,61 @@ +From 4d3a2a466b8d68d852a1f3bbf11204b718428dc4 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Sun, 17 May 2026 13:51:01 +0900 +Subject: HID: core: Fix size_t specifier in hid_report_raw_event() + +From: Nathan Chancellor + +commit 4d3a2a466b8d68d852a1f3bbf11204b718428dc4 upstream. + +When building for 32-bit platforms, for which 'size_t' is +'unsigned int', there are warnings around using the incorrect format +specifier to print bsize in hid_report_raw_event(): + + drivers/hid/hid-core.c:2054:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat] + 2053 | hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n", + | ~~~ + | %zu + 2054 | report->id, csize, bsize); + | ^~~~~ + drivers/hid/hid-core.c:2076:29: error: format specifies type 'long' but the argument has type 'size_t' (aka 'unsigned int') [-Werror,-Wformat] + 2075 | hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n", + | ~~~ + | %zu + 2076 | report->id, rsize, bsize); + | ^~~~~ + +Use the proper 'size_t' format specifier, '%zu', to clear up the +warnings. + +Cc: stable@vger.kernel.org +Fixes: 2c85c61d1332 ("HID: pass the buffer size to hid_report_raw_event") +Reported-by: Miguel Ojeda +Closes: https://lore.kernel.org/20260516020430.110135-1-ojeda@kernel.org/ +Signed-off-by: Nathan Chancellor +Signed-off-by: Linus Torvalds +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -2003,7 +2003,7 @@ int hid_report_raw_event(struct hid_devi + return 0; + + if (unlikely(bsize < csize)) { +- hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n", ++ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %zu)\n", + report->id, csize, bsize); + return -EINVAL; + } +@@ -2025,7 +2025,7 @@ int hid_report_raw_event(struct hid_devi + rsize = max_buffer_size; + + if (bsize < rsize) { +- hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n", ++ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %zu)\n", + report->id, rsize, bsize); + return -EINVAL; + } diff --git a/queue-6.6/hid-pass-the-buffer-size-to-hid_report_raw_event.patch b/queue-6.6/hid-pass-the-buffer-size-to-hid_report_raw_event.patch new file mode 100644 index 0000000000..4f1f989246 --- /dev/null +++ b/queue-6.6/hid-pass-the-buffer-size-to-hid_report_raw_event.patch @@ -0,0 +1,304 @@ +From 2c85c61d1332e1e16f020d76951baf167dcb6f7a Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Mon, 4 May 2026 10:47:22 +0200 +Subject: HID: pass the buffer size to hid_report_raw_event + +From: Benjamin Tissoires + +commit 2c85c61d1332e1e16f020d76951baf167dcb6f7a upstream. + +commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing +bogus memset()") enforced the provided data to be at least the size of +the declared buffer in the report descriptor to prevent a buffer +overflow. However, we can try to be smarter by providing both the buffer +size and the data size, meaning that hid_report_raw_event() can make +better decision whether we should plaining reject the buffer (buffer +overflow attempt) or if we can safely memset it to 0 and pass it to the +rest of the stack. + +Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()") +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Tissoires +Acked-by: Johan Hovold +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Jiri Kosina +[Lee: Backported to linux-6.12.y and beyond] +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/bpf/hid_bpf_dispatch.c | 3 ++- + drivers/hid/hid-core.c | 35 +++++++++++++++++++++++++---------- + drivers/hid/hid-gfrm.c | 4 ++-- + drivers/hid/hid-logitech-hidpp.c | 2 +- + drivers/hid/hid-multitouch.c | 2 +- + drivers/hid/hid-primax.c | 2 +- + drivers/hid/hid-vivaldi-common.c | 2 +- + drivers/hid/wacom_sys.c | 6 +++--- + drivers/staging/greybus/hid.c | 2 +- + include/linux/hid.h | 4 ++-- + include/linux/hid_bpf.h | 4 ++-- + 11 files changed, 41 insertions(+), 25 deletions(-) + +--- a/drivers/hid/bpf/hid_bpf_dispatch.c ++++ b/drivers/hid/bpf/hid_bpf_dispatch.c +@@ -47,7 +47,7 @@ __weak noinline int hid_bpf_device_event + + u8 * + dispatch_hid_bpf_device_event(struct hid_device *hdev, enum hid_report_type type, u8 *data, +- u32 *size, int interrupt) ++ size_t *buf_size, u32 *size, int interrupt) + { + struct hid_bpf_ctx_kern ctx_kern = { + .ctx = { +@@ -81,6 +81,7 @@ dispatch_hid_bpf_device_event(struct hid + *size = ret; + } + ++ *buf_size = ctx_kern.ctx.allocated_size; + return ctx_kern.data; + } + EXPORT_SYMBOL_GPL(dispatch_hid_bpf_device_event); +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1986,24 +1986,32 @@ out: + } + EXPORT_SYMBOL_GPL(__hid_request); + +-int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size, +- int interrupt) ++int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, ++ size_t bufsize, u32 size, int interrupt) + { + struct hid_report_enum *report_enum = hid->report_enum + type; + struct hid_report *report; + struct hid_driver *hdrv; + int max_buffer_size = HID_MAX_BUFFER_SIZE; + u32 rsize, csize = size; ++ size_t bsize = bufsize; + u8 *cdata = data; + int ret = 0; + + report = hid_get_report(report_enum, data); + if (!report) +- goto out; ++ return 0; ++ ++ if (unlikely(bsize < csize)) { ++ hid_warn_ratelimited(hid, "Event data for report %d is incorrect (%d vs %ld)\n", ++ report->id, csize, bsize); ++ return -EINVAL; ++ } + + if (report_enum->numbered) { + cdata++; + csize--; ++ bsize--; + } + + rsize = hid_compute_report_size(report); +@@ -2016,9 +2024,15 @@ int hid_report_raw_event(struct hid_devi + else if (rsize > max_buffer_size) + rsize = max_buffer_size; + ++ if (bsize < rsize) { ++ hid_warn_ratelimited(hid, "Event data for report %d was too short (%d vs %ld)\n", ++ report->id, rsize, bsize); ++ return -EINVAL; ++ } ++ + if (csize < rsize) { + dbg_hid("report %d is too short, (%d < %d)\n", report->id, +- csize, rsize); ++ csize, rsize); + memset(cdata + csize, 0, rsize - csize); + } + +@@ -2027,7 +2041,7 @@ int hid_report_raw_event(struct hid_devi + if (hid->claimed & HID_CLAIMED_HIDRAW) { + ret = hidraw_report_event(hid, data, size); + if (ret) +- goto out; ++ return ret; + } + + if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) { +@@ -2039,7 +2053,7 @@ int hid_report_raw_event(struct hid_devi + + if (hid->claimed & HID_CLAIMED_INPUT) + hidinput_report_event(hid, report); +-out: ++ + return ret; + } + EXPORT_SYMBOL_GPL(hid_report_raw_event); +@@ -2055,12 +2069,13 @@ EXPORT_SYMBOL_GPL(hid_report_raw_event); + * + * This is data entry for lower layers. + */ +-int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size, +- int interrupt) ++int hid_input_report(struct hid_device *hid, enum hid_report_type type, u8 *data, ++ u32 size, int interrupt) + { + struct hid_report_enum *report_enum; + struct hid_driver *hdrv; + struct hid_report *report; ++ size_t bufsize = size; + int ret = 0; + + if (!hid) +@@ -2076,7 +2091,7 @@ int hid_input_report(struct hid_device * + report_enum = hid->report_enum + type; + hdrv = hid->driver; + +- data = dispatch_hid_bpf_device_event(hid, type, data, &size, interrupt); ++ data = dispatch_hid_bpf_device_event(hid, type, data, &bufsize, &size, interrupt); + if (IS_ERR(data)) { + ret = PTR_ERR(data); + goto unlock; +@@ -2105,7 +2120,7 @@ int hid_input_report(struct hid_device * + goto unlock; + } + +- ret = hid_report_raw_event(hid, type, data, size, interrupt); ++ ret = hid_report_raw_event(hid, type, data, bufsize, size, interrupt); + + unlock: + up(&hid->driver_input_lock); +--- a/drivers/hid/hid-gfrm.c ++++ b/drivers/hid/hid-gfrm.c +@@ -66,7 +66,7 @@ static int gfrm_raw_event(struct hid_dev + switch (data[1]) { + case GFRM100_SEARCH_KEY_DOWN: + ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_dn, +- sizeof(search_key_dn), 1); ++ sizeof(search_key_dn), sizeof(search_key_dn), 1); + break; + + case GFRM100_SEARCH_KEY_AUDIO_DATA: +@@ -74,7 +74,7 @@ static int gfrm_raw_event(struct hid_dev + + case GFRM100_SEARCH_KEY_UP: + ret = hid_report_raw_event(hdev, HID_INPUT_REPORT, search_key_up, +- sizeof(search_key_up), 1); ++ sizeof(search_key_up), sizeof(search_key_up), 1); + break; + + default: +--- a/drivers/hid/hid-logitech-hidpp.c ++++ b/drivers/hid/hid-logitech-hidpp.c +@@ -3692,7 +3692,7 @@ static int hidpp10_consumer_keys_raw_eve + memcpy(&consumer_report[1], &data[3], 4); + /* We are called from atomic context */ + hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT, +- consumer_report, 5, 1); ++ consumer_report, sizeof(consumer_report), 5, 1); + + return 1; + } +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -479,7 +479,7 @@ static void mt_get_feature(struct hid_de + } + + ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, buf, +- size, 0); ++ size, size, 0); + if (ret) + dev_warn(&hdev->dev, "failed to report feature\n"); + } +--- a/drivers/hid/hid-primax.c ++++ b/drivers/hid/hid-primax.c +@@ -44,7 +44,7 @@ static int px_raw_event(struct hid_devic + data[0] |= (1 << (data[idx] - 0xE0)); + data[idx] = 0; + } +- hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, 0); ++ hid_report_raw_event(hid, HID_INPUT_REPORT, data, size, size, 0); + return 1; + + default: /* unknown report */ +--- a/drivers/hid/hid-vivaldi-common.c ++++ b/drivers/hid/hid-vivaldi-common.c +@@ -85,7 +85,7 @@ void vivaldi_feature_mapping(struct hid_ + } + + ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, report_data, +- report_len, 0); ++ report_len, report_len, 0); + if (ret) { + dev_warn(&hdev->dev, "failed to report feature %d\n", + field->report->id); +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -74,7 +74,7 @@ static void wacom_wac_queue_flush(struct + int err; + + size = kfifo_out(fifo, buf, sizeof(buf)); +- err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, false); ++ err = hid_report_raw_event(hdev, HID_INPUT_REPORT, buf, size, size, false); + if (err) { + hid_warn(hdev, "%s: unable to flush event due to error %d\n", + __func__, err); +@@ -319,7 +319,7 @@ static void wacom_feature_mapping(struct + data, n, WAC_CMD_RETRIES); + if (ret == n && features->type == HID_GENERIC) { + ret = hid_report_raw_event(hdev, +- HID_FEATURE_REPORT, data, n, 0); ++ HID_FEATURE_REPORT, data, n, n, 0); + } else if (ret == 2 && features->type != HID_GENERIC) { + features->touch_max = data[1]; + } else { +@@ -381,7 +381,7 @@ static void wacom_feature_mapping(struct + data, n, WAC_CMD_RETRIES); + if (ret == n) { + ret = hid_report_raw_event(hdev, HID_FEATURE_REPORT, +- data, n, 0); ++ data, n, n, 0); + } else { + hid_warn(hdev, "%s: could not retrieve sensor offsets\n", + __func__); +--- a/drivers/staging/greybus/hid.c ++++ b/drivers/staging/greybus/hid.c +@@ -201,7 +201,7 @@ static void gb_hid_init_report(struct gb + * we just need to setup the input fields, so using + * hid_report_raw_event is safe. + */ +- hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, size, 1); ++ hid_report_raw_event(ghid->hid, report->type, ghid->inbuf, ghid->bufsize, size, 1); + } + + static void gb_hid_init_reports(struct gb_hid *ghid) +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -1205,8 +1205,8 @@ static inline u32 hid_report_len(struct + return DIV_ROUND_UP(report->size, 8) + (report->id > 0); + } + +-int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, u32 size, +- int interrupt); ++int hid_report_raw_event(struct hid_device *hid, enum hid_report_type type, u8 *data, ++ size_t bufsize, u32 size, int interrupt); + + /* HID quirks API */ + unsigned long hid_lookup_quirk(const struct hid_device *hdev); +--- a/include/linux/hid_bpf.h ++++ b/include/linux/hid_bpf.h +@@ -147,7 +147,7 @@ struct hid_bpf_link { + + #ifdef CONFIG_HID_BPF + u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type, u8 *data, +- u32 *size, int interrupt); ++ size_t *buf_size, u32 *size, int interrupt); + int hid_bpf_connect_device(struct hid_device *hdev); + void hid_bpf_disconnect_device(struct hid_device *hdev); + void hid_bpf_destroy_device(struct hid_device *hid); +@@ -155,7 +155,7 @@ void hid_bpf_device_init(struct hid_devi + u8 *call_hid_bpf_rdesc_fixup(struct hid_device *hdev, u8 *rdesc, unsigned int *size); + #else /* CONFIG_HID_BPF */ + static inline u8 *dispatch_hid_bpf_device_event(struct hid_device *hid, enum hid_report_type type, +- u8 *data, u32 *size, int interrupt) { return data; } ++ u8 *data, size_t *buf_size, u32 *size, int interrupt) { return data; } + static inline int hid_bpf_connect_device(struct hid_device *hdev) { return 0; } + static inline void hid_bpf_disconnect_device(struct hid_device *hdev) {} + static inline void hid_bpf_destroy_device(struct hid_device *hid) {} diff --git a/queue-6.6/series b/queue-6.6/series index 8d0ca44883..2c601cd33a 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -198,3 +198,6 @@ xhci-tegra-fix-ghost-usb-device-on-dual-role-port-un.patch serial-dz-fix-bootconsole-handover-lockup.patch serial-dz-convert-to-use-a-platform-device.patch serial-zs-convert-to-use-a-platform-device.patch +hid-core-add-printk_ratelimited-variants-to-hid_warn-etc.patch +hid-pass-the-buffer-size-to-hid_report_raw_event.patch +hid-core-fix-size_t-specifier-in-hid_report_raw_event.patch