From: Greg Kroah-Hartman Date: Thu, 4 Jun 2026 10:17:52 +0000 (+0200) Subject: drop some patches that broke the builds X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=fc23c9d38e96a959ab0937d9315479ae0ed130f6;p=thirdparty%2Fkernel%2Fstable-queue.git drop some patches that broke the builds --- diff --git a/queue-5.10/bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch b/queue-5.10/bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch deleted file mode 100644 index 22b9ac5b9b..0000000000 --- a/queue-5.10/bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 Mon Sep 17 00:00:00 2001 -From: Muhammad Bilal -Date: Wed, 20 May 2026 18:56:43 -0400 -Subject: Bluetooth: HIDP: fix missing length checks in hidp_input_report() - -From: Muhammad Bilal - -commit 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6 upstream. - -hidp_input_report() reads keyboard and mouse payload data from an skb -without first verifying that skb->len contains enough data. - -hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching -to hidp_input_report(). If a paired device sends a truncated packet, -the handler reads beyond the valid skb data, resulting in an -out-of-bounds read of skb data. The OOB bytes may be interpreted as -phantom key presses or spurious mouse movement. - -Replace the open-coded length tracking and pointer arithmetic with -skb_pull_data() calls. skb_pull_data() returns NULL if the requested -bytes are not present, eliminating the need for a manual size variable -and the separate skb->len guard. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Cc: stable@vger.kernel.org -Signed-off-by: Muhammad Bilal -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Greg Kroah-Hartman ---- - net/bluetooth/hidp/core.c | 23 ++++++++++++++++++----- - 1 file changed, 18 insertions(+), 5 deletions(-) - ---- a/net/bluetooth/hidp/core.c -+++ b/net/bluetooth/hidp/core.c -@@ -179,12 +179,21 @@ static void hidp_input_report(struct hid - { - struct input_dev *dev = session->input; - unsigned char *keys = session->keys; -- unsigned char *udata = skb->data + 1; -- signed char *sdata = skb->data + 1; -- int i, size = skb->len - 1; -+ unsigned char *udata; -+ signed char *sdata; -+ u8 *hdr; -+ int i; -+ -+ hdr = skb_pull_data(skb, 1); -+ if (!hdr) -+ return; - -- switch (skb->data[0]) { -+ switch (*hdr) { - case 0x01: /* Keyboard report */ -+ udata = skb_pull_data(skb, 8); -+ if (!udata) -+ break; -+ - for (i = 0; i < 8; i++) - input_report_key(dev, hidp_keycode[i + 224], (udata[0] >> i) & 1); - -@@ -213,6 +222,10 @@ static void hidp_input_report(struct hid - break; - - case 0x02: /* Mouse report */ -+ sdata = skb_pull_data(skb, 3); -+ if (!sdata) -+ break; -+ - input_report_key(dev, BTN_LEFT, sdata[0] & 0x01); - input_report_key(dev, BTN_RIGHT, sdata[0] & 0x02); - input_report_key(dev, BTN_MIDDLE, sdata[0] & 0x04); -@@ -222,7 +235,7 @@ static void hidp_input_report(struct hid - input_report_rel(dev, REL_X, sdata[1]); - input_report_rel(dev, REL_Y, sdata[2]); - -- if (size > 3) -+ if (skb->len > 0) - input_report_rel(dev, REL_WHEEL, sdata[3]); - break; - } diff --git a/queue-5.10/series b/queue-5.10/series index c5d1a3615e..efde0e2c3f 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -53,7 +53,6 @@ bluetooth-btusb-allow-firmware-re-download-when-version-matches.patch hpfs-fix-a-crash-if-hpfs_map_dnode_bitmap-fails.patch ipc-limit-next_id-allocation-to-the-valid-id-range.patch bluetooth-l2cap-fix-chan-ref-leak-in-l2cap_chan_timeout-on-conn.patch -bluetooth-hidp-fix-missing-length-checks-in-hidp_input_report.patch parport-fix-race-between-port-and-client-registration.patch iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch diff --git a/queue-5.15/iio-dac-ad5686-acquire-lock-when-doing-powerdown-control.patch b/queue-5.15/iio-dac-ad5686-acquire-lock-when-doing-powerdown-control.patch deleted file mode 100644 index 2bf66782e8..0000000000 --- a/queue-5.15/iio-dac-ad5686-acquire-lock-when-doing-powerdown-control.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 5237c3175cae5ab05f18878cec3301a04403859e Mon Sep 17 00:00:00 2001 -From: Rodrigo Alencar -Date: Tue, 5 May 2026 13:35:04 +0100 -Subject: iio: dac: ad5686: acquire lock when doing powerdown control - -From: Rodrigo Alencar - -commit 5237c3175cae5ab05f18878cec3301a04403859e upstream. - -Protect access of pwr_down_mode and pwr_down_mask fields with existing -mutex lock. Each channel exposes their own attributes for controlling -powerdown modes and powerdown state. This fixes potential race conditions -as those the write functions perform non-atomic read-modify-write -operations to those pwr_down_* fields. This issue exists since the ad5686 -driver was first introduced. - -Fixes: c2f37c8dcadc ("iio: dac: New driver for AD5686R, AD5685R, AD5684R Digital to analog converters") -Signed-off-by: Rodrigo Alencar -Cc: -Signed-off-by: Jonathan Cameron -Signed-off-by: Greg Kroah-Hartman ---- - drivers/iio/dac/ad5686.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/drivers/iio/dac/ad5686.c -+++ b/drivers/iio/dac/ad5686.c -@@ -30,6 +30,8 @@ static int ad5686_get_powerdown_mode(str - { - struct ad5686_state *st = iio_priv(indio_dev); - -+ guard(mutex)(&st->lock); -+ - return ((st->pwr_down_mode >> (chan->channel * 2)) & 0x3) - 1; - } - -@@ -39,6 +41,8 @@ static int ad5686_set_powerdown_mode(str - { - struct ad5686_state *st = iio_priv(indio_dev); - -+ guard(mutex)(&st->lock); -+ - st->pwr_down_mode &= ~(0x3 << (chan->channel * 2)); - st->pwr_down_mode |= ((mode + 1) << (chan->channel * 2)); - -@@ -57,6 +61,8 @@ static ssize_t ad5686_read_dac_powerdown - { - struct ad5686_state *st = iio_priv(indio_dev); - -+ guard(mutex)(&st->lock); -+ - return sysfs_emit(buf, "%d\n", !!(st->pwr_down_mask & - (0x3 << (chan->channel * 2)))); - } -@@ -77,6 +83,8 @@ static ssize_t ad5686_write_dac_powerdow - if (ret) - return ret; - -+ guard(mutex)(&st->lock); -+ - if (readin) - st->pwr_down_mask |= (0x3 << (chan->channel * 2)); - else diff --git a/queue-5.15/series b/queue-5.15/series index cd3a627fdd..71583abb3a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -69,7 +69,6 @@ parport-fix-race-between-port-and-client-registration.patch iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch iio-dac-ad5686-fix-input-raw-value-check.patch -iio-dac-ad5686-acquire-lock-when-doing-powerdown-control.patch iio-adc-viperboard-fix-error-handling-in-vprbrd_iio_read_raw.patch iio-gyro-itg3200-fix-i2c-read-into-the-wrong-stack-location.patch iio-ssp_sensors-cancel-delayed-work_refresh-on-remove.patch diff --git a/queue-6.1/kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch b/queue-6.1/kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch deleted file mode 100644 index fbb989ca79..0000000000 --- a/queue-6.1/kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch +++ /dev/null @@ -1,37 +0,0 @@ -From f185e05dce6f170f83c4ba602e969b1c3c7a22e6 Mon Sep 17 00:00:00 2001 -From: Sean Christopherson -Date: Fri, 1 May 2026 13:22:32 -0700 -Subject: KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 - -From: Sean Christopherson - -commit f185e05dce6f170f83c4ba602e969b1c3c7a22e6 upstream. - -Now that all paths in KVM properly validate the length needed for the -scratch area, and are guaranteed to pass in a non-zero length, WARN if KVM -attempts to configured the scratch area with min_len==0 to guard against -future bugs. - -Cc: stable@vger.kernel.org -Reviewed-by: Tom Lendacky -Reviewed-by: Michael Roth -Signed-off-by: Sean Christopherson -Message-ID: <20260501202250.2115252-8-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kvm/svm/sev.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/arch/x86/kvm/svm/sev.c -+++ b/arch/x86/kvm/svm/sev.c -@@ -2658,6 +2658,9 @@ static int setup_vmgexit_scratch(struct - u64 scratch_gpa_beg, scratch_gpa_end; - void *scratch_va; - -+ if (WARN_ON_ONCE(!min_len)) -+ goto e_scratch; -+ - scratch_gpa_beg = svm->sev_es.sw_scratch; - if (!scratch_gpa_beg) { - pr_err("vmgexit: scratch gpa not provided\n"); diff --git a/queue-6.1/series b/queue-6.1/series index 166246ed55..3250f1c433 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -100,7 +100,6 @@ bluetooth-iso-fix-uaf-in-iso_recv_frame.patch bluetooth-iso-serialize-iso_sock_clear_timer-with-socket-lock.patch parport-fix-race-between-port-and-client-registration.patch usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch -kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch iio-dac-ad5686-fix-input-raw-value-check.patch diff --git a/queue-6.6/kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch b/queue-6.6/kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch deleted file mode 100644 index 9d0cc52c59..0000000000 --- a/queue-6.6/kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch +++ /dev/null @@ -1,37 +0,0 @@ -From f185e05dce6f170f83c4ba602e969b1c3c7a22e6 Mon Sep 17 00:00:00 2001 -From: Sean Christopherson -Date: Fri, 1 May 2026 13:22:32 -0700 -Subject: KVM: SEV: WARN if KVM attempts to setup scratch area with min_len==0 - -From: Sean Christopherson - -commit f185e05dce6f170f83c4ba602e969b1c3c7a22e6 upstream. - -Now that all paths in KVM properly validate the length needed for the -scratch area, and are guaranteed to pass in a non-zero length, WARN if KVM -attempts to configured the scratch area with min_len==0 to guard against -future bugs. - -Cc: stable@vger.kernel.org -Reviewed-by: Tom Lendacky -Reviewed-by: Michael Roth -Signed-off-by: Sean Christopherson -Message-ID: <20260501202250.2115252-8-seanjc@google.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kvm/svm/sev.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/arch/x86/kvm/svm/sev.c -+++ b/arch/x86/kvm/svm/sev.c -@@ -2692,6 +2692,9 @@ static int setup_vmgexit_scratch(struct - u64 scratch_gpa_beg, scratch_gpa_end; - void *scratch_va; - -+ if (WARN_ON_ONCE(!min_len)) -+ goto e_scratch; -+ - scratch_gpa_beg = svm->sev_es.sw_scratch; - if (!scratch_gpa_beg) { - pr_err("vmgexit: scratch gpa not provided\n"); diff --git a/queue-6.6/series b/queue-6.6/series index 2964164fe4..614738058a 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -105,7 +105,6 @@ parport-fix-race-between-port-and-client-registration.patch usb-cdc-acm-fix-bit-overlap-and-move-quirk-definitions-to-header.patch kvm-arm64-pmu-preserve-aarch32-counter-low-bits.patch kvm-svm-flush-the-current-tlb-when-transitioning-from-xavic-x2avic.patch -kvm-sev-warn-if-kvm-attempts-to-setup-scratch-area-with-min_len-0.patch iio-adc-xilinx-xadc-fix-sequencer-mode-in-postdisable-for-dual-mux.patch iio-dac-max5821-fix-return-value-check-in-powerdown-sync.patch iio-dac-ad5686-fix-input-raw-value-check.patch