From: Greg Kroah-Hartman Date: Thu, 4 Jun 2026 08:51:06 +0000 (+0200) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=f19bb71c97b3efa891b44122d04d6829dc306eca;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch iio-buffer-hw-consumer-fix-use-after-free-in-error-path.patch iio-dac-ad5686-fix-input-raw-value-check.patch iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch iio-light-cm3323-fix-reg_conf-not-being-initialized-correctly.patch iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch iio-temperature-tsys01-fix-broken-prom-checksum-validation.patch input-elan_i2c-validate-firmware-size-before-use.patch ipc-limit-next_id-allocation-to-the-valid-id-range.patch parport-fix-race-between-port-and-client-registration.patch usb-dwc2-fix-use-after-free-in-debug-code.patch usb-serial-omninet-fix-memory-corruption-with-small-endpoint.patch --- diff --git a/queue-5.10/bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch b/queue-5.10/bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch new file mode 100644 index 0000000000..22b9ac5b9b --- /dev/null +++ b/queue-5.10/bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch 
@@ -0,0 +1,80 @@ +From 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 Mon Sep 17 00:00:00 2001 +From: Muhammad Bilal +Date: Wed, 20 May 2026 18:56:43 -0400 +Subject: Bluetooth: HIDP: fix missing length checks in hidp_input_report() + +From: Muhammad Bilal + +commit 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 upstream. + +hidp_input_report() reads keyboard and mouse payload data from an skb +without first verifying that skb->len contains enough data. + +hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching +to hidp_input_report(). If a paired device sends a truncated packet, +the handler reads beyond the valid skb data, resulting in an +out-of-bounds read of skb data. The OOB bytes may be interpreted as +phantom key presses or spurious mouse movement. + +Replace the open-coded length tracking and pointer arithmetic with +skb_pull_data() calls. skb_pull_data() returns NULL if the requested +bytes are not present, eliminating the need for a manual size variable +and the separate skb->len guard. 
+ +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Muhammad Bilal +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hidp/core.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -179,12 +179,21 @@ static void hidp_input_report(struct hid + { + struct input_dev *dev = session->input; + unsigned char *keys = session->keys; +- unsigned char *udata = skb->data + 1; +- signed char *sdata = skb->data + 1; +- int i, size = skb->len - 1; ++ unsigned char *udata; ++ signed char *sdata; ++ u8 *hdr; ++ int i; ++ ++ hdr = skb_pull_data(skb, 1); ++ if (!hdr) ++ return; + +- switch (skb->data[0]) { ++ switch (*hdr) { + case 0x01: /* Keyboard report */ ++ udata = skb_pull_data(skb, 8); ++ if (!udata) ++ break; ++ + for (i = 0; i < 8; i++) + input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1); + +@@ -213,6 +222,10 @@ static void hidp_input_report(struct hid + break; + + case 0x02: /* Mouse report */ ++ sdata = skb_pull_data(skb, 3); ++ if (!sdata) ++ break; ++ + input_report_key(dev, BTN_LEFT, sdata[0] & 0x01); + input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02); + input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04); +@@ -222,7 +235,7 @@ static void hidp_input_report(struct hid + input_report_rel(dev, REL_X, sdata[1]); + input_report_rel(dev, REL_Y, sdata[2]); + +- if (size > 3) ++ if (skb->len > 0) + input_report_rel(dev, REL_WHEEL, sdata[3]); + break; + } diff --git a/queue-5.10/bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch b/queue-5.10/bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch new file mode 100644 index 0000000000..93138b1e15 --- /dev/null +++ b/queue-5.10/bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch 
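Review bot: The rewritten hidp_input_report() body depends on skb_pull_data(), and nothing in this queue entry adds that helper; if it is not already present in the 5.10 tree the backport will not build, so that should be confirmed before the patch is queued. The `if (skb->len > 0)` guard before `input_report_rel(dev, REL_WHEEL, sdata[3])` is sound only because the 3-byte pull leaves sdata pointing at contiguous skb data with at least one byte still unconsumed; a comment such as `/* sdata[3] is the optional wheel byte: valid iff data remains after the 3-byte pull */` would make that dependence explicit. The function now consumes bytes from the skb rather than only reading them, so any caller that looks at skb->data after this call sees the trimmed payload; that is worth confirming in hidp_recv_intr_frame(), which is outside the hunk.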
@@ -0,0 +1,40 @@ +From 9dbd84990394c51f5cee1e8871bb5ff8af5ed939 Mon Sep 17 00:00:00 2001 +From: Siwei Zhang +Date: Wed, 20 May 2026 22:30:36 -0400 +Subject: Bluetooth: L2CAP: fix chan ref leak in l2cap_chan_timeout() on !conn + +From: Siwei Zhang + +commit 9dbd84990394c51f5cee1e8871bb5ff8af5ed939 upstream. + +__set_chan_timer() takes a l2cap_chan reference via l2cap_chan_hold() +before scheduling the delayed work. The normal path in +l2cap_chan_timeout() drops this reference with l2cap_chan_put() at the +end, but the early return when chan->conn is NULL skips the put, +leaking the reference. + +Add the missing l2cap_chan_put() before the early return. + +Fixes: adf0398cee86 ("Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout") +Cc: stable@vger.kernel.org +Signed-off-by: Siwei Zhang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/l2cap_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -435,8 +435,10 @@ static void l2cap_chan_timeout(struct wo + + BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); + +- if (!conn) ++ if (!conn) { ++ l2cap_chan_put(chan); + return; ++ } + + mutex_lock(&conn->chan_lock); + /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling diff --git a/queue-5.10/hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch b/queue-5.10/hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch new file mode 100644 index 0000000000..772c2de40a --- /dev/null +++ b/queue-5.10/hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch 
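Review bot: The new `l2cap_chan_put(chan)` in the `!conn` branch carries no comment tying it to the reference taken by __set_chan_timer(), while the existing comment a few lines below explains the normal-path put; a one-liner such as `/* drop the ref taken by __set_chan_timer() before bailing out */` above the new put keeps both paths readable side by side. After the put, chan must not be touched again on this path, which the immediate `return;` satisfies. l2cap_chan_timeout() continues outside the hunk.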
@@ -0,0 +1,32 @@ +From 974820a59efde7c1a7e1260bcfe9bb81f833cc9f Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 25 May 2026 14:48:58 +0200 +Subject: hpfs: fix a crash if hpfs_map_dnode_bitmap fails + +From: Mikulas Patocka + +commit 974820a59efde7c1a7e1260bcfe9bb81f833cc9f upstream. + +If hpfs_map_dnode_bitmap fails, the code would call hpfs_brelse4 on +uninitialized quad buffer head, causing a crash. + +Signed-off-by: Mikulas Patocka +Reported-by: Farhad Alemi +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/hpfs/alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/hpfs/alloc.c ++++ b/fs/hpfs/alloc.c +@@ -372,8 +372,8 @@ int hpfs_check_free_dnodes(struct super_ + return 0; + } + } ++ hpfs_brelse4(&qbh); + } +- hpfs_brelse4(&qbh); + i = 0; + if (hpfs_sb(s)->sb_c_bitmap != -1) { + bmp = hpfs_map_bitmap(s, b, &qbh, "chkdn1"); diff --git a/queue-5.10/iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch b/queue-5.10/iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch new file mode 100644 index 0000000000..4621c0024b --- /dev/null +++ b/queue-5.10/iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch 
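Review bot: The `return 0;` at the top of the hunk exits from inside the block in which qbh is mapped, and the hunk does not show whether that path releases the quad buffer head before returning; with hpfs_brelse4() now reachable only at the end of the outer block, that early return leaks the mapping unless it has its own release above the hunk, so confirm it does. hpfs_check_free_dnodes() starts and continues outside the hunk.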
@@ -0,0 +1,44 @@ +From 422b5bbf333f75fb486855ad0eedc23cf21f3277 Mon Sep 17 00:00:00 2001 +From: Salah Triki +Date: Thu, 7 May 2026 20:07:51 +0100 +Subject: iio: adc: viperboard: Fix error handling in vprbrd_iio_read_raw +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Salah Triki + +commit 422b5bbf333f75fb486855ad0eedc23cf21f3277 upstream. + +The driver proceeds to the reception phase even if the preceding +transmission fails. + +This uses a goto error label for an early bail out and ensures the mutex is +properly unlocked in case of failure. + +Fixes: ffd8a6e7a778 ("iio: adc: Add viperboard adc driver") +Signed-off-by: Salah Triki +Reviewed-by: Joshua Crofts +Reviewed-by: Maxwell Doose +Reviewed-by: Nuno Sá +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/viperboard_adc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/viperboard_adc.c ++++ b/drivers/iio/adc/viperboard_adc.c +@@ -70,8 +70,10 @@ static int vprbrd_iio_read_raw(struct ii + VPRBRD_USB_TYPE_OUT, 0x0000, 0x0000, admsg, + sizeof(struct vprbrd_adc_msg), VPRBRD_USB_TIMEOUT_MS); + if (ret != sizeof(struct vprbrd_adc_msg)) { +- dev_err(&iio_dev->dev, "usb send error on adc read\n"); ++ mutex_unlock(&vb->lock); + error = -EREMOTEIO; ++ dev_err(&iio_dev->dev, "usb send error on adc read\n"); ++ goto error; + } + + ret = usb_control_msg(vb->usb_dev, diff --git a/queue-5.10/iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch b/queue-5.10/iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch new file mode 100644 index 0000000000..c745806627 --- /dev/null +++ b/queue-5.10/iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch 
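Review bot: The failure branch now calls `mutex_unlock(&vb->lock)` itself before `goto error`, which is only right if the `error:` label (outside the hunk) does not unlock as well; if it does, this is a double unlock, and if it does not, the usual cleanup-label idiom would be a dedicated label that performs the unlock so later bail-outs in the same function cannot forget it. Moving `dev_err(&iio_dev->dev, "usb send error on adc read\n");` below the `error = -EREMOTEIO;` assignment is unrelated churn; leaving it in place and adding only the unlock and the goto gives a smaller, clearer diff. vprbrd_iio_read_raw() starts and continues outside the hunk.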
@@ -0,0 +1,75 @@ +From 852534744c2d35626a604f128ff0b8ec12805591 Mon Sep 17 00:00:00 2001 +From: Christofer Jonason +Date: Wed, 4 Mar 2026 10:07:27 +0100 +Subject: iio: adc: xilinx-xadc: Fix sequencer mode in postdisable for dual mux +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christofer Jonason + +commit 852534744c2d35626a604f128ff0b8ec12805591 upstream. + +xadc_postdisable() unconditionally sets the sequencer to continuous +mode. For dual external multiplexer configurations this is incorrect: +simultaneous sampling mode is required so that ADC-A samples through +the mux on VAUX[0-7] while ADC-B simultaneously samples through the +mux on VAUX[8-15]. In continuous mode only ADC-A is active, so +VAUX[8-15] channels return incorrect data. + +Since postdisable is also called from xadc_probe() to set the initial +idle state, the wrong sequencer mode is active from the moment the +driver loads. + +The preenable path already uses xadc_get_seq_mode() which returns +SIMULTANEOUS for dual mux. Fix postdisable to do the same. 
+ +Fixes: bdc8cda1d010 ("iio:adc: Add Xilinx XADC driver") +Cc: stable@vger.kernel.org +Signed-off-by: Christofer Jonason +Reviewed-by: Andy Shevchenko +Reviewed-by: Nuno Sá +Reviewed-by: Salih Erim +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/xilinx-xadc-core.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/xilinx-xadc-core.c ++++ b/drivers/iio/adc/xilinx-xadc-core.c +@@ -770,6 +770,7 @@ static int xadc_postdisable(struct iio_d + { + struct xadc *xadc = iio_priv(indio_dev); + unsigned long scan_mask; ++ int seq_mode; + int ret; + int i; + +@@ -777,6 +778,12 @@ static int xadc_postdisable(struct iio_d + for (i = 0; i < indio_dev->num_channels; i++) + scan_mask |= BIT(indio_dev->channels[i].scan_index); + ++ /* ++ * Use the correct sequencer mode for the idle state: simultaneous ++ * mode for dual external mux configurations, continuous otherwise. ++ */ ++ seq_mode = xadc_get_seq_mode(xadc, scan_mask); ++ + /* Enable all channels and calibration */ + ret = xadc_write_adc_reg(xadc, XADC_REG_SEQ(0), scan_mask & 0xffff); + if (ret) +@@ -787,11 +794,11 @@ static int xadc_postdisable(struct iio_d + return ret; + + ret = xadc_update_adc_reg(xadc, XADC_REG_CONF1, XADC_CONF1_SEQ_MASK, +- XADC_CONF1_SEQ_CONTINUOUS); ++ seq_mode); + if (ret) + return ret; + +- return xadc_power_adc_b(xadc, XADC_CONF1_SEQ_CONTINUOUS); ++ return xadc_power_adc_b(xadc, seq_mode); + } + + static int xadc_preenable(struct iio_dev *indio_dev) diff --git a/queue-5.10/iio-buffer-hw-consumer-fix-use-after-free-in-error-path.patch b/queue-5.10/iio-buffer-hw-consumer-fix-use-after-free-in-error-path.patch new file mode 100644 index 0000000000..5f811ee3d1 --- /dev/null +++ b/queue-5.10/iio-buffer-hw-consumer-fix-use-after-free-in-error-path.patch 
@@ -0,0 +1,54 @@ +From 6f5ed4f2c7c83f33344e0ba179f72a12e5dad4a4 Mon Sep 17 00:00:00 2001 +From: Felix Gu +Date: Thu, 30 Apr 2026 21:29:06 +0800 +Subject: iio: buffer: hw-consumer: fix use-after-free in error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Felix Gu + +commit 6f5ed4f2c7c83f33344e0ba179f72a12e5dad4a4 upstream. + +In the err_put_buffers cleanup path of iio_hw_consumer_alloc(), the code +was using list_for_each_entry() to iterate through buffers while calling +iio_buffer_put() which can free the current buffer if refcount drops to 0. +The list_for_each_entry() loop macro then evaluates buf->head.next to +continue iteration, accessing the freed buffer. + +Fix this by using list_for_each_entry_safe(). + +Fixes: 48b66f8f936f ("iio: Add hardware consumer buffer support") +Reported-by: sashiko +Closes: https://sashiko.dev/#/patchset/20260427-iio_buf-v1-1-2bbdac844647%40gmail.com +Signed-off-by: Felix Gu +Reviewed-by: Andy Shevchenko +Reviewed-by: Nuno Sá +Reviewed-by: Maxwell Doose +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/buffer/industrialio-hw-consumer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/buffer/industrialio-hw-consumer.c ++++ b/drivers/iio/buffer/industrialio-hw-consumer.c +@@ -82,7 +82,7 @@ static struct hw_consumer_buffer *iio_hw + */ + struct iio_hw_consumer *iio_hw_consumer_alloc(struct device *dev) + { +- struct hw_consumer_buffer *buf; ++ struct hw_consumer_buffer *buf, *tmp; + struct iio_hw_consumer *hwc; + struct iio_channel *chan; + int ret; +@@ -113,7 +113,7 @@ struct iio_hw_consumer *iio_hw_consumer_ + return hwc; + + err_put_buffers: +- list_for_each_entry(buf, &hwc->buffers, head) ++ list_for_each_entry_safe(buf, tmp, &hwc->buffers, head) + iio_buffer_put(&buf->buffer); + iio_channel_release_all(hwc->channels); + err_free_hwc: 
diff --git a/queue-5.10/iio-dac-ad5686-fix-input-raw-value-check.patch b/queue-5.10/iio-dac-ad5686-fix-input-raw-value-check.patch new file mode 100644 index 0000000000..eb1037ea39 --- /dev/null +++ b/queue-5.10/iio-dac-ad5686-fix-input-raw-value-check.patch @@ -0,0 +1,35 @@ +From d01220ee5e43c65a206df827b39bf5cf5f7b9dce Mon Sep 17 00:00:00 2001 +From: Rodrigo Alencar +Date: Fri, 1 May 2026 10:14:55 +0100 +Subject: iio: dac: ad5686: fix input raw value check + +From: Rodrigo Alencar + +commit d01220ee5e43c65a206df827b39bf5cf5f7b9dce upstream. + +Fix range check for input raw value, which is off by one, i.e., for a +10-bit DAC the max valid value is 1023, but 1 << 10 equals 1024, which +passes the previous check, allowing an out-of-range write. The issue +exists since the ad5686 driver was first introduced. + +Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters") +Reviewed-by: Andy Shevchenko +Signed-off-by: Rodrigo Alencar +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad5686.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/dac/ad5686.c ++++ b/drivers/iio/dac/ad5686.c +@@ -154,7 +154,7 @@ static int ad5686_write_raw(struct iio_d + + switch (mask) { + case IIO_CHAN_INFO_RAW: +- if (val > (1 << chan->scan_type.realbits) || val < 0) ++ if (val >= (1 << chan->scan_type.realbits) || val < 0) + return -EINVAL; + + mutex_lock(&st->lock); diff --git a/queue-5.10/iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch b/queue-5.10/iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch new file mode 100644 index 0000000000..b167f53f54 --- /dev/null +++ b/queue-5.10/iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch 
@@ -0,0 +1,54 @@ +From d0a228d903425e653f18a4341e60c0538afb6d41 Mon Sep 17 00:00:00 2001 +From: Salah Triki +Date: Mon, 27 Apr 2026 22:33:19 +0100 +Subject: iio: dac: max5821: fix return value check in powerdown sync + +From: Salah Triki + +commit d0a228d903425e653f18a4341e60c0538afb6d41 upstream. + +The function max5821_sync_powerdown_mode() returned the result of +i2c_master_send() directly. If a partial transfer occurred, it would +be incorrectly treated as a success by the caller. + +While the caller currently handles the positive return value of 2 as +success, this patch refactors the function to return 0 on full success +and -EIO on short writes. This ensures robust error handling for +incomplete transfers and improves code maintainability by using +sizeof(outbuf). + +Fixes: 472988972737 ("iio: add support of the max5821") +Signed-off-by: Salah Triki +Reviewed-by: Andy Shevchenko +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/max5821.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/iio/dac/max5821.c ++++ b/drivers/iio/dac/max5821.c +@@ -91,6 +91,7 @@ static int max5821_sync_powerdown_mode(s + const struct iio_chan_spec *chan) + { + u8 outbuf[2]; ++ int ret; + + outbuf[0] = MAX5821_EXTENDED_COMMAND_MODE; + +@@ -104,7 +105,13 @@ static int max5821_sync_powerdown_mode(s + else + outbuf[1] |= MAX5821_EXTENDED_POWER_UP; + +- return i2c_master_send(data->client, outbuf, 2); ++ ret = i2c_master_send(data->client, outbuf, sizeof(outbuf)); ++ if (ret < 0) ++ return ret; ++ if (ret != sizeof(outbuf)) ++ return -EIO; ++ ++ return 0; + } + + static ssize_t max5821_write_dac_powerdown(struct iio_dev *indio_dev, diff --git a/queue-5.10/iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch b/queue-5.10/iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch new file mode 100644 index 0000000000..b9a66a4e6f --- /dev/null 
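Review bot: max5821_sync_powerdown_mode() changes its return contract from the i2c byte count to 0/-errno, and its caller max5821_write_dac_powerdown() begins right after the hunk but its handling of the result is not shown; if it compares against 2 or otherwise relies on a positive count, it has to change in the same patch, so confirm what it does with the return value. The short-write path would benefit from a brief comment, e.g. `/* i2c_master_send() may return a short count; anything but a full write is an error */`, explaining why both checks are needed.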
+++ b/queue-5.10/iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch 
@@ -0,0 +1,53 @@ +From 6bdc3023d62ed5c7d591f0eb27a5adb37fb892ae Mon Sep 17 00:00:00 2001 +From: David Carlier +Date: Tue, 5 May 2026 14:37:48 +0100 +Subject: iio: gyro: itg3200: fix i2c read into the wrong stack location + +From: David Carlier + +commit 6bdc3023d62ed5c7d591f0eb27a5adb37fb892ae upstream. + +itg3200_read_all_channels() takes `__be16 *buf' as a parameter and +fills the i2c_msg destination as `(char *)&buf'. Since `buf' is the +parameter (a pointer), `&buf' is the address of the local pointer +slot on the stack of itg3200_read_all_channels(), not the address +of the caller's scan buffer. The (char *) cast hides the type +mismatch. + +i2c_transfer() therefore writes ITG3200_SCAN_ELEMENTS * sizeof(s16) += 8 bytes into the parameter's stack slot, which is discarded when +the function returns. The caller's scan buffer in +itg3200_trigger_handler() is never written to, so +iio_push_to_buffers_with_timestamp() pushes uninitialised stack +contents to userspace via /dev/iio:deviceX every scan -- both a +functional bug (no actual gyroscope or temperature data is +delivered through the triggered buffer) and an information leak. + +The non-buffered read_raw() path is unaffected: it goes through +itg3200_read_reg_s16() which uses `&out' on a local s16 value, +where that is correct. + +Drop the spurious `&' so the i2c read writes into the caller's +buffer. + +Fixes: 9dbf091da080 ("iio: gyro: Add itg3200") +Cc: stable@vger.kernel.org +Signed-off-by: David Carlier +Reviewed-by: Andy Shevchenko +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/gyro/itg3200_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/gyro/itg3200_buffer.c ++++ b/drivers/iio/gyro/itg3200_buffer.c +@@ -34,7 +34,7 @@ static int itg3200_read_all_channels(str + .addr = i2c->addr, + .flags = i2c->flags | I2C_M_RD, + .len = ITG3200_SCAN_ELEMENTS * sizeof(s16), +- .buf = (char *)&buf, ++ .buf = (char *)buf, + }, + }; + 
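Review bot: The corrected `.buf = (char *)buf` now lands the i2c read in the caller's scan buffer, but the hunk ends at the i2c_msg initialiser and does not show how itg3200_read_all_channels() treats the i2c_transfer() result; if a failed or short transfer is not propagated to itg3200_trigger_handler(), the uninitialised-buffer push described in the commit message can still happen on I/O errors, so that path deserves a look in the rest of the function. The `(char *)` cast is what hid the original `&buf` type error; casting to the field's own type, `(u8 *)buf`, at least makes the intent (a byte view of the caller's __be16 array) more visible.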
diff --git a/queue-5.10/iio-light-cm3323-fix-reg_conf-not-being-initialized-correctly.patch b/queue-5.10/iio-light-cm3323-fix-reg_conf-not-being-initialized-correctly.patch new file mode 100644 index 0000000000..5395af029f --- /dev/null +++ b/queue-5.10/iio-light-cm3323-fix-reg_conf-not-being-initialized-correctly.patch 
@@ -0,0 +1,66 @@ +From 1f4f0bcc5255dec5c4c3a1551bf49d8c33b69b20 Mon Sep 17 00:00:00 2001 +From: Aldo Conte +Date: Tue, 7 Apr 2026 17:17:01 +0200 +Subject: iio: light: cm3323: fix reg_conf not being initialized correctly + +From: Aldo Conte + +commit 1f4f0bcc5255dec5c4c3a1551bf49d8c33b69b20 upstream. + +The code stores the return value of i2c_smbus_write_word_data() +in data->reg_conf; however, this value represents the result +of the write operation and not the value actually written to +the configuration register. This meant that the contents of +data->reg_conf did not truly reflect the contents +of the hardware register. + +Instead, save the value of the register before the write +and use this value in the I2C write. + +The bug was found by code inspection: i2c_smbus_write_word_data() +returns 0 on success, not the value written to the register. + +Tested using i2c-stub on a Raspberry Pi 3B running a custom 6.19.10 +kernel. Before loading the driver, the configuration register 0x00 +CM3323_CMD_CONF was populated with 0x0030 using +`i2cset -y 11 0x10 0x00 0x0030 w`, encoding an integration time of 320ms +in bits[6:4]. + +Due to incorrect initialization of data->reg_conf in +cm3323_init(), the print of integration_time returns 0.040000 +instead of the expected 0.320000. This happens because the read of the +integration_time depends on cm3323_get_it_bits() that is based on the +value of data->reg_conf, which is erroneously set to 0. + +With this fix applied, data->reg_conf correctly saves 0x0030 after init +and the successive integration_time reports 0.320000 as expected. 
+ +Fixes: 8b0544263761 ("iio: light: Add support for Capella CM3323 color sensor") +Cc: stable@vger.kernel.org +Signed-off-by: Aldo Conte +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/cm3323.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/iio/light/cm3323.c ++++ b/drivers/iio/light/cm3323.c +@@ -89,15 +89,14 @@ static int cm3323_init(struct iio_dev *i + + /* enable sensor and set auto force mode */ + ret &= ~(CM3323_CONF_SD_BIT | CM3323_CONF_AF_BIT); ++ data->reg_conf = ret; + +- ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, ret); ++ ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, data->reg_conf); + if (ret < 0) { + dev_err(&data->client->dev, "Error writing reg_conf\n"); + return ret; + } + +- data->reg_conf = ret; +- + return 0; + } + diff --git a/queue-5.10/iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch b/queue-5.10/iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch new file mode 100644 index 0000000000..839b2d6bc0 --- /dev/null +++ b/queue-5.10/iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch 
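Review bot: The fix keeps using `ret` both for the configuration value read back from the device and for the status of the subsequent write, which is exactly the overloading that produced the original bug; a dedicated local removes the ambiguity, e.g. `int conf = ret & ~(CM3323_CONF_SD_BIT | CM3323_CONF_AF_BIT);`, `data->reg_conf = conf;`, `ret = i2c_smbus_write_word_data(data->client, CM3323_CMD_CONF, conf);`. The new assignment also caches the value before the write has succeeded, so on failure data->reg_conf holds a value the hardware never accepted; that is harmless only because the function then returns the error, and a short comment saying so would help the next reader. cm3323_init() starts outside the hunk.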
@@ -0,0 +1,31 @@ +From eedf7602fbd929e97e0c480da501dc7a34beb2a8 Mon Sep 17 00:00:00 2001 +From: Sanjay Chitroda +Date: Sun, 26 Apr 2026 14:47:04 +0530 +Subject: iio: ssp_sensors: cancel delayed work_refresh on remove + +From: Sanjay Chitroda + +commit eedf7602fbd929e97e0c480da501dc7a34beb2a8 upstream. + +The work_refresh may still be pending or running when the device is +removed, cancel the delayed work_refresh in remove path. + +Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver") +Signed-off-by: Sanjay Chitroda +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/common/ssp_sensors/ssp_dev.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/common/ssp_sensors/ssp_dev.c ++++ b/drivers/iio/common/ssp_sensors/ssp_dev.c +@@ -602,6 +602,7 @@ static int ssp_remove(struct spi_device + ssp_clean_pending_list(data); + + free_irq(data->spi->irq, data); ++ cancel_delayed_work_sync(&data->work_refresh); + + del_timer_sync(&data->wdt_timer); + cancel_work_sync(&data->work_wdt); diff --git a/queue-5.10/iio-temperature-tsys01-fix-broken-prom-checksum-validation.patch b/queue-5.10/iio-temperature-tsys01-fix-broken-prom-checksum-validation.patch new file mode 100644 index 0000000000..c105712276 --- /dev/null +++ b/queue-5.10/iio-temperature-tsys01-fix-broken-prom-checksum-validation.patch 
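Review bot: The new `cancel_delayed_work_sync(&data->work_refresh);` runs before `del_timer_sync(&data->wdt_timer);` and `cancel_work_sync(&data->work_wdt);`; if the watchdog timer or work can re-queue work_refresh (the hunk does not show either), cancelling the refresh work first leaves a window in which it is re-armed during removal and runs against torn-down state. Placing the new line after `cancel_work_sync(&data->work_wdt);` closes that window whichever path schedules the refresh. ssp_remove() starts and continues outside the hunk.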
@@ -0,0 +1,41 @@ +From 4701e471c16866e7aa8f5e6a3a6b0d31e097e2c9 Mon Sep 17 00:00:00 2001 +From: Salah Triki +Date: Tue, 5 May 2026 08:10:24 +0100 +Subject: iio: temperature: tsys01: fix broken PROM checksum validation + +From: Salah Triki + +commit 4701e471c16866e7aa8f5e6a3a6b0d31e097e2c9 upstream. + +The current implementation of tsys01_crc_valid() incorrectly sums the +first word (n_prom[0]) repeatedly instead of iterating over the 8 words +retrieved from the PROM. This leads to a checksum mismatch and probe +failure on hardware. + +According to the TSYS01 datasheet, the PROM consists of 8 words. A valid +check must iterate through all 8 words to verify the integrity of the +calibration data. The current driver only checks the first word 8 times. + +Note: This fix was identified during a code audit and is based on +datasheet specifications. It has not been tested on real hardware. + +Fixes: 43e53407f680 ("Add tsys01 meas-spec driver support") +Signed-off-by: Salah Triki +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/temperature/tsys01.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/temperature/tsys01.c ++++ b/drivers/iio/temperature/tsys01.c +@@ -119,7 +119,7 @@ static bool tsys01_crc_valid(u16 *n_prom + u8 sum = 0; + + for (cnt = 0; cnt < TSYS01_PROM_WORDS_NB; cnt++) +- sum += ((n_prom[0] >> 8) + (n_prom[0] & 0xFF)); ++ sum += ((n_prom[cnt] >> 8) + (n_prom[cnt] & 0xFF)); + + return (sum == 0); + } diff --git a/queue-5.10/input-elan_i2c-validate-firmware-size-before-use.patch b/queue-5.10/input-elan_i2c-validate-firmware-size-before-use.patch new file mode 100644 index 0000000000..fe41400a1a --- /dev/null +++ b/queue-5.10/input-elan_i2c-validate-firmware-size-before-use.patch 
@@ -0,0 +1,36 @@ +From 76b0d0baa9ae9c60e726bbe1b6ff0bec2c993634 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Sat, 25 Apr 2026 22:07:06 -0700 +Subject: Input: elan_i2c - validate firmware size before use + +From: Dmitry Torokhov + +commit 76b0d0baa9ae9c60e726bbe1b6ff0bec2c993634 upstream. + +Ensure that the firmware file is large enough to contain the expected +number of pages and the signature (which resides at the end of the +firmware blob) before accessing them to prevent potential out-of-bounds +reads. + +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/ae2dOgiFvXRm4BHo@google.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/elan_i2c_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -608,6 +608,11 @@ static ssize_t elan_sysfs_update_fw(stru + return error; + } + ++ if (fw->size < data->fw_signature_address + sizeof(signature)) { ++ dev_err(dev, "firmware file too small\n"); ++ return -EBADF; ++ } ++ + /* Firmware file must match signature data */ + fw_signature = &fw->data[data->fw_signature_address]; + if (memcmp(fw_signature, signature, sizeof(signature)) != 0) { diff --git a/queue-5.10/ipc-limit-next_id-allocation-to-the-valid-id-range.patch b/queue-5.10/ipc-limit-next_id-allocation-to-the-valid-id-range.patch new file mode 100644 index 0000000000..1203503ce6 --- /dev/null +++ b/queue-5.10/ipc-limit-next_id-allocation-to-the-valid-id-range.patch 
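Review bot: The added size check bounds only the signature read at `data->fw_signature_address`, whereas the commit message also says the expected number of pages is validated; the diffstat shows these five lines as the whole change, so either the page accesses are covered by this same check (if the signature always sits beyond the last page) or they remain unchecked — confirm which. If the former holds, a comment such as `/* signature lives at the end of the blob, so this also bounds every page read before it */` would document the assumption. elan_sysfs_update_fw() starts and continues outside the hunk.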
@@ -0,0 +1,81 @@ +From fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 Mon Sep 17 00:00:00 2001 +From: Linpu Yu +Date: Sun, 10 May 2026 13:43:30 +0800 +Subject: ipc: limit next_id allocation to the valid ID range + +From: Linpu Yu + +commit fa0b9b2b7ae3539908d69c2b9ac0d144d9bc5139 upstream. + +The checkpoint/restore sysctl path can request the next SysV IPC id +through ids->next_id. ipc_idr_alloc() currently forwards that request to +idr_alloc() with an open-ended upper bound. + +If the valid tail of the SysV IPC id space is full, the allocation can +spill beyond ipc_mni. The returned SysV IPC id still uses the normal +index encoding, so later lookup and removal can target the wrong slot. +This leaves the real IDR entry behind and breaks the IDR state for the +object. + +The bug is in ipc_idr_alloc() in the checkpoint/restore path. + +1. ids->next_id is passed to: + + idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), 0, ...) + +2. The zero upper bound makes the allocation effectively open-ended. + Once the valid SysV IPC tail is occupied, idr_alloc() can spill past + ipc_mni and allocate an entry beyond the valid IPC id range. + +3. The new object id is still encoded with the narrower SysV IPC index + width: + + new->id = (new->seq << ipcmni_seq_shift()) + idx + +4. Later removal goes through ipc_rmid(), which uses: + + ipcid_to_idx(ipcp->id) + + That truncates the real IDR index. An object actually stored at a + high index can then be removed as if it lived at a low in-range + index. + +5. For shared memory, shm_destroy() frees the current object anyway, but + the real high IDR slot is left behind as a dangling pointer. + +6. A subsequent walk of /proc/sysvipc/shm reaches the stale IDR entry + and dereferences freed memory. + +Prevent this by bounding the requested allocation to ipc_mni so the +checkpoint/restore path fails once the valid range is exhausted. 
+ +Link: https://lore.kernel.org/cover.1778336914.git.linpu5433@gmail.com +Link: https://lore.kernel.org/2eebe949bfa7d1f6e13b5be6a92c64c850ce9d45.1778336914.git.linpu5433@gmail.com +Fixes: 03f595668017 ("ipc: add sysctl to specify desired next object id") +Signed-off-by: Linpu Yu +Signed-off-by: Ren Wei +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Cc: Kees Cook +Cc: Stanislav Kinsbursky +Cc: Davidlohr Bueso +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + ipc/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -252,7 +252,7 @@ static inline int ipc_idr_alloc(struct i + } else { + new->seq = ipcid_to_seqx(next_id); + idx = idr_alloc(&ids->ipcs_idr, new, ipcid_to_idx(next_id), +- 0, GFP_NOWAIT); ++ ipc_mni, GFP_NOWAIT); + } + if (idx >= 0) + new->id = (new->seq << ipcmni_seq_shift()) + idx; diff --git a/queue-5.10/parport-fix-race-between-port-and-client-registration.patch b/queue-5.10/parport-fix-race-between-port-and-client-registration.patch new file mode 100644 index 0000000000..b625cf253c --- /dev/null +++ b/queue-5.10/parport-fix-race-between-port-and-client-registration.patch 
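Review bot: The new `ipc_mni` upper bound is correct only because idr_alloc()'s end argument is exclusive, so the largest index handed out is ipc_mni - 1 and still fits the index width used by `new->id = (new->seq << ipcmni_seq_shift()) + idx`; nothing in the hunk says so, and a comment on the call, `/* end is exclusive: keep idx < ipc_mni so ipcid_to_idx() round-trips */`, would stop a future reader from "correcting" it. The non-next_id branch above the hunk presumably passes the same bound; if it does not, the two paths should be made consistent. ipc_idr_alloc() starts and continues outside the hunk.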
@@ -0,0 +1,109 @@ +From ef15ccbb3e8640a723c42ad90eaf81d66ae02017 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Tue, 5 May 2026 20:45:12 +0200 +Subject: parport: Fix race between port and client registration + +From: Ben Hutchings + +commit ef15ccbb3e8640a723c42ad90eaf81d66ae02017 upstream. + +The parport subsystem registers port devices before they are fully +initialised, resulting in a race condition where client drivers such +as lp can attach to ports that are not completely initialised or even +being torn down. + +When the port and client drivers are built as modules and loaded +around the same time during boot, this occasionally results in a +crash. I was able to make this happen reliably in a VM with a +PC-style parallel port by patching parport_pc to fail probing: + +> --- a/drivers/parport/parport_pc.c +> +++ b/drivers/parport/parport_pc.c +> 
@@ -2069,7 +2069,7 @@ static struct parport *__parport_pc_probe_port(unsigned long int base,
+> if (!p)
+> goto out3;
+> 
+> - base_res = request_region(base, 3, p->name);
+> + base_res = NULL;
+> if (!base_res)
+> goto out4;
+> 
+
+and then running:
+
+ while true; do
+ modprobe lp & modprobe parport_pc
+ wait
+ rmmod lp parport_pc
+ done
+
+for a few seconds.
+
+In the long term I think port registration should be changed to put
+the call to device_add() inside parport_announce_port(), but since the
+latter currently cannot fail this will require changing all port
+drivers.
+
+For now, add a flag to indicate whether a port has been "announced"
+and only try to attach client drivers to ports when the flag is set.
+
+Fixes: 6fa45a226897 ("parport: add device-model to parport subsystem")
+Closes: https://bugs.debian.org/1130365
+Closes: https://lore.kernel.org/all/6ba903ad-9897-42bb-8c2d-337385cc3746@molgen.mpg.de/
+Cc: stable
+Signed-off-by: Ben Hutchings
+Acked-by: Sudip Mukherjee
+Link: https://patch.msgid.link/afo6uBv68GDevbMD@decadent.org.uk
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/parport/share.c | 11 +++++++++--
+ include/linux/parport.h | 1 +
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/parport/share.c
++++ b/drivers/parport/share.c
+@@ -223,10 +223,14 @@ static void get_lowlevel_driver(void)
+ static int port_check(struct device *dev, void *dev_drv)
+ {
+ struct parport_driver *drv = dev_drv;
++ struct parport *port;
+
+ /* only send ports, do not send other devices connected to bus */
+- if (is_parport(dev))
+- drv->match_port(to_parport_dev(dev));
++ if (is_parport(dev)) {
++ port = to_parport_dev(dev);
++ if (test_bit(PARPORT_ANNOUNCED, &port->devflags))
++ drv->match_port(port);
++ }
+ return 0;
+ }
+
+@@ -553,6 +557,7 @@ void parport_announce_port(struct parpor
+ if (slave)
+ attach_driver_chain(slave);
+ }
++ set_bit(PARPORT_ANNOUNCED, &port->devflags);
+ mutex_unlock(®istration_lock);
+ }
+ EXPORT_SYMBOL(parport_announce_port);
+@@ -582,6 +587,8 @@ void parport_remove_port(struct parport
+
+ mutex_lock(®istration_lock);
+
++ clear_bit(PARPORT_ANNOUNCED, &port->devflags);
++
+ /* Spread the word. */
+ detach_driver_chain(port);
+
+--- a/include/linux/parport.h
++++ b/include/linux/parport.h
+@@ -245,6 +245,7 @@ struct parport {
+
+ unsigned long devflags;
+ #define PARPORT_DEVPROC_REGISTERED 0
++#define PARPORT_ANNOUNCED 1
+ struct pardevice *proc_device; /* Currently register proc device */
+
+ struct list_head full_list;
diff --git a/queue-5.10/series b/queue-5.10/series
index 731a16e628..c5d1a3615e 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
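Review bot: The new `PARPORT_ANNOUNCED` bit in include/linux/parport.h carries no comment although it is set and cleared in share.c and read from port_check() in a third place, so a reader of the header cannot tell its lifetime; suggest `#define PARPORT_ANNOUNCED 1 /* set by parport_announce_port(), cleared by parport_remove_port(); clients may attach only while set */`. In port_check() the bit is read with test_bit() while set_bit()/clear_bit() run under registration_lock in parport_announce_port() and parport_remove_port(); whether port_check()'s caller holds registration_lock is outside the hunk, and if it does not, a port announced concurrently could be matched both through attach_driver_chain() and through this path, so the locking assumption is worth stating in the comment above the test. As a point of style, `port` could be declared inside the `if (is_parport(dev))` block where it is first used. parport_announce_port() and parport_remove_port() both start outside the hunk.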
@@ -50,3 +50,20 @@ usb-typec-wcove-don-t-write-past-struct-pd_message-in-wcove_read_rx_buffer.patch
 usb-serial-safe_serial-fix-memory-corruption-with-small-endpoint.patch
 input-ims-pcu-fix-usb_free_coherent-size-in-ims_pcu_buffers_free.patch
 bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch
+hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch
+ipc-limit-next_id-allocation-to-the-valid-id-range.patch
+bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch
+bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch
+parport-fix-race-between-port-and-client-registration.patch
+iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch
+iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch
+iio-dac-ad5686-fix-input-raw-value-check.patch
+iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch
+iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch
+iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch
+iio-temperature-tsys01-fix-broken-prom-checksum-validation.patch
+iio-light-cm3323-fix-reg_conf-not-being-initialized-correctly.patch
+iio-buffer-hw-consumer-fix-use-after-free-in-error-path.patch
+usb-serial-omninet-fix-memory-corruption-with-small-endpoint.patch
+usb-dwc2-fix-use-after-free-in-debug-code.patch
+input-elan_i2c-validate-firmware-size-before-use.patch
diff --git a/queue-5.10/usb-dwc2-fix-use-after-free-in-debug-code.patch b/queue-5.10/usb-dwc2-fix-use-after-free-in-debug-code.patch
new file mode 100644
index 0000000000..5b460d37ea
--- /dev/null
+++ b/queue-5.10/usb-dwc2-fix-use-after-free-in-debug-code.patch
@@ -0,0 +1,46 @@
+From 9ea06a3fbf9f16e0d98c52cb3b99642be15ec281 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 20 May 2026 08:59:28 +0300
+Subject: usb: dwc2: Fix use after free in debug code
+
+From: Dan Carpenter
+
+commit 9ea06a3fbf9f16e0d98c52cb3b99642be15ec281 upstream.
+
+We're not allowed to dereference "urb" after calling
+usb_hcd_giveback_urb() so save the urb->status ahead of time.
+
+Fixes: 7359d482eb4d ("staging: HCD files for the DWC2 driver")
+Cc: stable
+Signed-off-by: Dan Carpenter
+Link: https://patch.msgid.link/ag1NwBpqT4IEQcdJ@stanley.mountain
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc2/hcd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -4718,6 +4718,7 @@ static int _dwc2_hcd_urb_dequeue(struct
+ struct dwc2_hsotg *hsotg = dwc2_hcd_to_hsotg(hcd);
+ int rc;
+ unsigned long flags;
++ int urb_status;
+
+ dev_dbg(hsotg->dev, "DWC OTG HCD URB Dequeue\n");
+ dwc2_dump_urb_info(hcd, urb, "urb_dequeue");
+@@ -4742,11 +4743,12 @@ static int _dwc2_hcd_urb_dequeue(struct
+
+ /* Higher layer software sets URB status */
+ spin_unlock(&hsotg->lock);
++ urb_status = urb->status;
+ usb_hcd_giveback_urb(hcd, urb, status);
+ spin_lock(&hsotg->lock);
+
+ dev_dbg(hsotg->dev, "Called usb_hcd_giveback_urb()\n");
+- dev_dbg(hsotg->dev, " urb->status = %d\n", urb->status);
++ dev_dbg(hsotg->dev, " urb->status = %d\n", urb_status);
+ out:
+ spin_unlock_irqrestore(&hsotg->lock, flags);
+
diff --git a/queue-5.10/usb-serial-omninet-fix-memory-corruption-with-small-endpoint.patch b/queue-5.10/usb-serial-omninet-fix-memory-corruption-with-small-endpoint.patch
new file mode 100644
index 0000000000..40176722a4
--- /dev/null
+++ b/queue-5.10/usb-serial-omninet-fix-memory-corruption-with-small-endpoint.patch
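Review bot: The snapshot `urb_status = urb->status;` is taken before usb_hcd_giveback_urb() runs, yet the context comment two lines above says the higher layer sets the URB status during that call, so the debug line most likely now prints the pre-giveback value while its text still says `urb->status`. If the intent is to show the status handed to the upper layer, `status`, which is already passed to usb_hcd_giveback_urb() on the next line, expresses that without the extra local: `dev_dbg(hsotg->dev, "  urb->status = %d\n", status);`. If the snapshot is deliberate, the added line deserves a comment such as `/* urb may be freed by giveback; capture status for the debug print */` so the next reader does not "simplify" it back into a use-after-free. _dwc2_hcd_urb_dequeue() starts outside the hunk.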
@@ -0,0 +1,55 @@
+From 60df93d30f9bdd27db17c4d80ed80ef718d7226b Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 22 May 2026 16:20:58 +0200
+Subject: USB: serial: omninet: fix memory corruption with small endpoint
+
+From: Johan Hovold
+
+commit 60df93d30f9bdd27db17c4d80ed80ef718d7226b upstream.
+
+Make sure that the bulk-out buffers are at least as large as the
+hardcoded transfer size to avoid user-controlled slab corruption should
+a malicious device report a smaller endpoint max packet size than
+expected.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/omninet.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/omninet.c
++++ b/drivers/usb/serial/omninet.c
+@@ -30,6 +30,10 @@
+ /* This one seems to be a re-branded ZyXEL device */
+ #define BT_IGNITIONPRO_ID 0x2000
+
++#define OMNINET_HEADERLEN 4
++#define OMNINET_BULKOUTSIZE 64
++#define OMNINET_PAYLOADSIZE (OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
++
+ /* function prototypes */
+ static void omninet_process_read_urb(struct urb *urb);
+ static int omninet_prepare_write_buffer(struct usb_serial_port *port,
+@@ -55,6 +59,7 @@ static struct usb_serial_driver zyxel_om
+ .description = "ZyXEL - omni.net lcd plus usb",
+ .id_table = id_table,
+ .num_bulk_out = 2,
++ .bulk_out_size = OMNINET_BULKOUTSIZE,
+ .calc_num_ports = omninet_calc_num_ports,
+ .port_probe = omninet_port_probe,
+ .port_remove = omninet_port_remove,
+@@ -133,10 +138,6 @@ static int omninet_port_remove(struct us
+ return 0;
+ }
+
+-#define OMNINET_HEADERLEN 4
+-#define OMNINET_BULKOUTSIZE 64
+-#define OMNINET_PAYLOADSIZE (OMNINET_BULKOUTSIZE - OMNINET_HEADERLEN)
+-
+ static void omninet_process_read_urb(struct urb *urb)
+ {
+ struct usb_serial_port *port = urb->context;
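Review bot: The fix relies on `.bulk_out_size = OMNINET_BULKOUTSIZE` and the three defines moved to the top of the file staying in step, but nothing at the definition records that OMNINET_BULKOUTSIZE is now also the buffer size requested from the usb-serial core, so a later change to either the constant or the field would silently reintroduce the overflow. Suggest a comment on the moved define: `/* also passed as bulk_out_size so the core allocates bulk-out buffers of at least this size; the write path depends on it */`. Whether the core treats bulk_out_size as a minimum or as the exact allocation size is outside the hunk and worth pinning down in that comment. The write path that consumes OMNINET_PAYLOADSIZE is also outside the hunk.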