Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.22 2026-04-11T12:26:17+00:00 2026-04-11T12:26:17+00:00 Lee Jones lee@kernel.org 2026-03-09T14:59:29+00:00 urn:sha1:8f71034649738fdeb6859b8d6cddf132024fac06 [ Upstream commit 0a3fe972a7cb1404f693d6f1711f32bc1d244b1c ] The memset() in hid_report_raw_event() has the good intention of clearing out bogus data by zeroing the area from the end of the incoming data string to the assumed end of the buffer. However, as we have previously seen, doing so can easily result in OOB reads and writes in the subsequent thread of execution. The current suggestion from one of the HID maintainers is to remove the memset() and simply return if the incoming event buffer size is not large enough to fill the associated report. Suggested-by Benjamin Tissoires <bentiss@kernel.org> Signed-off-by: Lee Jones <lee@kernel.org> [bentiss: changed the return value] Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2025-09-12T15:11:55+00:00 Benjamin Tissoires bentiss@kernel.org 2025-08-21T14:38:14+00:00 urn:sha1:4c2c5ff9f3d72fb41f884f7c493ae9df83379340 When a BPF gets loaded, it was previously not possible to bind a hid-generic device to hid-multitouch because the group was never updated. This change forces a rescan of the report descriptor after a bpf is loaded/unloaded so we set up the proper group. This was detected while Peter was trying to fix a Viewsonic device: the HID device sending multiotuch data through a proprietary collection was handled by hid-generic, and we don't have any way of attaching it to hid-multitouch because the pre-scanning wasn't able to see the Contact ID HID usage. Suggested-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> Signed-off-by: Jiri Kosina <jkosina@suse.com> 2025-09-12T15:11:55+00:00 Benjamin Tissoires bentiss@kernel.org 2025-08-21T14:38:13+00:00 urn:sha1:4e411a3f7bba10579bbeec3af77ae2a05c9e4259 When we load a bpf, we can change the report descriptor. However, the current implementation doesn't change the group meaning that we can not rebind a device from hid-generic to hid-multitouch. This is a preparatory patch to force a rescan of the device after the bpf has been loaded. Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Jiri Kosina <jkosina@suse.com> 2025-08-01T04:26:05+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-08-01T04:26:05+00:00 urn:sha1:b80a75cf6999fb79971b41eaec7af2bb4b514714 Pull HID updates from Jiri Kosina: - hardening of HID core parser against conversion to 0 bits in s32ton() by buggy/malicious devices (Alan Stern) - fix for potential NULL pointer dereference in hid-apple that could be caused by malicious device with APPLE_MAGIC_BACKLIGHT quirk present triggering overflow in data field (Qasim Ijaz) - support for Wake-on-touch in intel-thc (Even Xu) - support for "Input max input size control" and "Input interrupt delay" I2C features in order to improve compatibility of THC devices with legacy HIDI2C touch devices (Even Xu) - support for Touch Bars on x86 MacBook Pros (Kerem Karabay) - support for XP-PEN Artist 22R Pro (Joshua Goins) - third party trackpart support for MacBookPro15,1 (Aditya Garg) - Apple Magic Keyboard A311[89] USB-C support (Aditya Garg, Grigorii Sokoli) - support for operating modes in amd-sfh (Basavaraj Natikar) - avoid setting up battery timer for Apple and Magicmouse devices without battery (Aditya Garg) - fix for behavior of the hid-mcp2221 driver for !CONFIG_IIO cases (Heiko Schocher) - other assorted fixups and device ID additions * tag 'hid-for-linus-2025073101' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: (54 commits) HID: core: Harden s32ton() against conversion to 0 bits HID: apple: validate feature-report field count to prevent NULL pointer dereference HID: core: Improve the kerneldoc for hid_report_len() selftests/hid: sync python tests to hid-tools 0.10 selftests/hid: sync the python tests to hid-tools 0.8 selftests/hid: run ruff format on the python part HID: magicmouse: use secs_to_jiffies() for battery timeout HID: apple: use secs_to_jiffies() for battery timeout HID: magicmouse: avoid setting up battery timer when not needed HID: apple: avoid setting up battery timer for devices without battery HID: amd_sfh: Enable operating mode HID: uclogic: Add support for XP-PEN Artist 22R Pro HID: rate-limit hid_warn to prevent log flooding HID: replace scnprintf() with sysfs_emit() HID: uclogic: make read-only array reconnect_event static const HID: mcp-2221: Replace manual comparison with min() macro HID: intel-thc-hid: Separate max input size control conditional list HID: mcp2221: set gpio pin mode HID: multitouch: add device ID for Apple Touch Bar HID: multitouch: specify that Apple Touch Bar is direct ... 2025-07-31T20:43:21+00:00 Jiri Kosina jkosina@suse.com 2025-07-31T20:43:21+00:00 urn:sha1:bfb0195705f23568b77744cefc1cb81fd7a94d59 - hardening of HID core parser against conversion to 0 bits in s32ton() by buggy/malicious devices (Alan Stern) 2025-07-29T19:15:39+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-07-29T19:15:39+00:00 urn:sha1:22c5696e3fe029f4fc2decbe7cc6663b5d281223 Pull driver core updates from Danilo Krummrich: "debugfs: - Remove unneeded debugfs_file_{get,put}() instances - Remove last remnants of debugfs_real_fops() - Allow storing non-const void * in struct debugfs_inode_info::aux sysfs: - Switch back to attribute_group::bin_attrs (treewide) - Switch back to bin_attribute::read()/write() (treewide) - Constify internal references to 'struct bin_attribute' Support cache-ids for device-tree systems: - Add arch hook arch_compact_of_hwid() - Use arch_compact_of_hwid() to compact MPIDR values on arm64 Rust: - Device: - Introduce CoreInternal device context (for bus internal methods) - Provide generic drvdata accessors for bus devices - Provide Driver::unbind() callbacks - Use the infrastructure above for auxiliary, PCI and platform - Implement Device::as_bound() - Rename Device::as_ref() to Device::from_raw() (treewide) - Implement fwnode and device property abstractions - Implement example usage in the Rust platform sample driver - Devres: - Remove the inner reference count (Arc) and use pin-init instead - Replace Devres::new_foreign_owned() with devres::register() - Require T to be Send in Devres<T> - Initialize the data kept inside a Devres last - Provide an accessor for the Devres associated Device - Device ID: - Add support for ACPI device IDs and driver match tables - Split up generic device ID infrastructure - Use generic device ID infrastructure in net::phy - DMA: - Implement the dma::Device trait - Add DMA mask accessors to dma::Device - Implement dma::Device for PCI and platform devices - Use DMA masks from the DMA sample module - I/O: - Implement abstraction for resource regions (struct resource) - Implement resource-based ioremap() abstractions - Provide platform device accessors for I/O (remap) requests - Misc: - Support fallible PinInit types in Revocable - Implement Wrapper<T> for Opaque<T> - Merge pin-init blanket dependencies (for Devres) Misc: - Fix OF node leak in auxiliary_device_create() - Use util macros in device property iterators - Improve kobject sample code - Add device_link_test() for testing device link flags - Fix typo in Documentation/ABI/testing/sysfs-kernel-address_bits - Hint to prefer container_of_const() over container_of()" * tag 'driver-core-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/driver-core/driver-core: (84 commits) rust: io: fix broken intra-doc links to `platform::Device` rust: io: fix broken intra-doc link to missing `flags` module rust: io: mem: enable IoRequest doc-tests rust: platform: add resource accessors rust: io: mem: add a generic iomem abstraction rust: io: add resource abstraction rust: samples: dma: set DMA mask rust: platform: implement the `dma::Device` trait rust: pci: implement the `dma::Device` trait rust: dma: add DMA addressing capabilities rust: dma: implement `dma::Device` trait rust: net::phy Change module_phy_driver macro to use module_device_table macro rust: net::phy represent DeviceId as transparent wrapper over mdio_device_id rust: device_id: split out index support into a separate trait device: rust: rename Device::as_ref() to Device::from_raw() arm64: cacheinfo: Provide helper to compress MPIDR value into u32 cacheinfo: Add arch hook to compress CPU h/w id into 32 bits for cache-id cacheinfo: Set cache 'id' based on DT data container_of: Document container_of() is not to be used in new code driver core: auxiliary bus: fix OF node leak ... 2025-07-29T04:49:49+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-07-29T04:49:49+00:00 urn:sha1:177bf8620cf4ed290ee170a6c5966adc0924b336 Pull sound updates from Takashi Iwai: "This includes lots of file shuffling due to HD-audio code reorganization and many trivial changes, but otherwise there shouldn't be much surprise from the functionality POV. The PR includes the PM changes as prerequisite, too. Some highlights below: Core: - Performance optimizations in PCM core code - Refactoring of ASoC Kconfig menus to be hopefully more consistant and easier to navigate. - Refactoring of ASoC DAPM code, mainly hiding functionality that doesn't need to be exposed to drivers HD-audio reorganization: - All code are moved under sound/hda with a bit more understandable tree structure, as well as file renames - The huge Realtek driver code is split to several parts, a common helper module with driver modules per probe entry - HDMI and Cirrus codec drivers also split ASoC: - Further work on the generic handling for SoundWire SDCA devices - Support for AMD ACP7.2 and SoundWire on ACP 7.1, Fairphone 4 & 5, various Intel systems, Qualcomm QCS8275, Richtek RTQ9124 and TI TAS5753 HD-audio and USB-audio: - TAS2781 driver cleanup and TAS2770 support - EQ enablement in CA0132 driver - USB audio quirk code cleanups Others: - Cleanups of PM autosuspend call patterns with the update from the PM tree - Lots of strcpy() -> strscpy() conversions for fixed size arrays" * tag 'sound-6.17-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (385 commits) ALSA: hda: Add TAS2770 support ASoC: qcom: sm8250: Add Fairphone 4 soundcard compatible ASoC: dt-bindings: qcom,sm8250: Add Fairphone 4 sound card ASoC: dt-bindings: qcom,q6afe: Document q6usb subnode ASoC: SDCA: Fix implicit cast from le16 ASoC: SDCA: Shrink detected_mode_handler() stack frame ASoC: SDCA: Check devm_mutex_init() return value ASoC: SDCA: add route by the number of input pins in MU entity ALSA: hda/realtek: Add support for ASUS Commercial laptops using CS35L41 HDA ASoC: Intel: sof_rt5682: Add HDMI-In capture with rt5682 support for PTL. ASoC: codec: tlv320aic32x4: Fix reset GPIO check ASoC: dt-bindings: qcom,lpass-va-macro: Define clock-names in top-level ASoC: SDCA: Add hw_params() helper function ASoC: SDCA: Add a helper to get the SoundWire port number ASoC: SDCA: Add helper to add DAI constraints ASoC: soc-dai: Add private data to snd_soc_dai ASoC: SDCA: Move SDCA search functions and export ASoC: SDCA: Remove overly chatty input pin list warning ASoC: SDCA: Allow read-only controls to be deferrable ASoC: SDCA: Update memory allocations to zero initialise ... 2025-07-25T11:45:25+00:00 Alan Stern stern@rowland.harvard.edu 2025-07-23T14:37:04+00:00 urn:sha1:a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report field with size set to zero; we shouldn't reject the report or the device just because of that. Instead, harden the s32ton() routine so that it returns a reasonable result instead of crashing when it is called with the number of bits set to 0 -- the same as what snto32() does. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.com/ Tested-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") Cc: stable@vger.kernel.org Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harvard.edu Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> 2025-07-13T07:53:27+00:00 Benjamin Tissoires bentiss@kernel.org 2025-07-10T14:01:35+00:00 urn:sha1:c2ca42f190b6714d6c481dfd3d9b62ea091c946b hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used. Reported-by: Alan Stern <stern@rowland.harvard.edu> Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/ Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20250710-report-size-null-v2-3-ccf922b7c4e5@kernel.org Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> 2025-07-13T07:53:27+00:00 Benjamin Tissoires bentiss@kernel.org 2025-07-10T14:01:34+00:00 urn:sha1:0d0777ccaa2d46609d05b66ba0096802a2746193 The low level transport driver expects the first byte to be the report ID, even when the report ID is not use (in which case they just shift the buffer). However, __hid_request() whas not offsetting the buffer it used by one in this case, meaning that the raw_request() callback emitted by the transport driver would be stripped of the first byte. Note: this changes the API for uhid devices when a request is made through hid_hw_request. However, several considerations makes me think this is fine: - every request to a HID device made through hid_hw_request() would see that change, but every request made through hid_hw_raw_request() already has the new behaviour. So that means that the users are already facing situations where they might have or not the first byte being the null report ID when it is 0. We are making things more straightforward in the end. - uhid is mainly used for BLE devices - uhid is also used for testing, but I don't see that change a big issue - for BLE devices, we can check which kernel module is calling hid_hw_request() - and in those modules, we can check which are using a Bluetooth device - and then we can check if the command is used with a report ID or not. - surprise: none of the kernel module are using a report ID 0 - and finally, bluez, in its function set_report()[0], does the same shift if the report ID is 0 and the given buffer has a size > 0. [0] https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/profiles/input/hog-lib.c#n879 Reported-by: Alan Stern <stern@rowland.harvard.edu> Closes: https://lore.kernel.org/linux-input/c75433e0-9b47-4072-bbe8-b1d14ea97b13@rowland.harvard.edu/ Reported-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8258d5439c49d4c35f43 Tested-by: syzbot+8258d5439c49d4c35f43@syzkaller.appspotmail.com Fixes: 4fa5a7f76cc7 ("HID: core: implement generic .request()") Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20250710-report-size-null-v2-2-ccf922b7c4e5@kernel.org Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>