Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.1.y 2026-05-28T15:43:16+00:00 2026-05-28T15:43:16+00:00 Lee Jones lee@kernel.org 2026-05-27T16:05:26+00:00 urn:sha1:c0a8899e02ddebd51e2589835182c239c2e224ae wacom_hid_set_device_mode() currently assumes that the HID_DG_INPUTMODE usage is always located in the first field (field[0]) of the feature report. However, a device can specify HID_DG_INPUTMODE in a different field. If HID_DG_INPUTMODE is in a field other than the first one and the first field has a report_count smaller than the usage_index of HID_DG_INPUTMODE, this leads to an out-of-bounds write to r->field[0]->value. Fix this by storing the field index of HID_DG_INPUTMODE in 'struct hid_data' during feature mapping. In wacom_hid_set_device_mode(), use this stored field index to access the correct field and add bounds checks to ensure both the field index and the value index are within valid ranges before writing. Cc: stable@vger.kernel.org Fixes: 5ae6e89f7409 ("HID: wacom: implement the finger part of the HID generic handling") Tested-by: Ping Cheng <ping.cheng@wacom.com> Reviewed-by: Ping Cheng <ping.cheng@wacom.com> Signed-off-by: Lee Jones <lee@kernel.org> Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> 2026-05-12T16:03:37+00:00 Benjamin Tissoires bentiss@kernel.org 2026-05-04T08:47:22+00:00 urn:sha1:2c85c61d1332e1e16f020d76951baf167dcb6f7a commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()") enforced the provided data to be at least the size of the declared buffer in the report descriptor to prevent a buffer overflow. However, we can try to be smarter by providing both the buffer size and the data size, meaning that hid_report_raw_event() can make better decision whether we should plaining reject the buffer (buffer overflow attempt) or if we can safely memset it to 0 and pass it to the rest of the stack. Fixes: 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()") Cc: stable@vger.kernel.org Signed-off-by: Benjamin Tissoires <bentiss@kernel.org> Acked-by: Johan Hovold <johan@kernel.org> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jiri Kosina <jkosina@suse.com> 2026-02-22T01:09:51+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-02-22T00:37:42+00:00 urn:sha1:bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43 This was done entirely with mindless brute force, using git grep -l '\<k[vmz]*alloc_objs*(.*, GFP_KERNEL)' | xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/' to convert the new alloc_obj() users that had a simple GFP_KERNEL argument to just drop that argument. Note that due to the extreme simplicity of the scripting, any slightly more complex cases spread over multiple lines would not be triggered: they definitely exist, but this covers the vast bulk of the cases, and the resulting diff is also then easier to check automatically. For the same reason the 'flex' versions will be done as a separate conversion. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2026-02-21T09:02:28+00:00 Kees Cook kees@kernel.org 2026-02-21T07:49:23+00:00 urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook <kees@kernel.org> 2026-01-28T18:23:17+00:00 Bastien Nocera hadess@hadess.net 2026-01-13T09:24:58+00:00 urn:sha1:a864d16be15625df365a5945f566efc2e36f73c3 This increases build coverage and allows to drop an #ifdef. Signed-off-by: Bastien Nocera <hadess@hadess.net> Signed-off-by: Jiri Kosina <jkosina@suse.com> 2025-06-10T22:27:10+00:00 Thomas Zeitlhofer thomas.zeitlhofer+lkml@ze-it.at 2025-05-19T08:54:46+00:00 urn:sha1:f3054152c12e2eed1e72704aff47b0ea58229584 Commit fd2a9b29dc9c ("HID: wacom: Remove AES power_supply after extended inactivity") introduced wacom_aes_battery_handler() which is scheduled as a delayed work (aes_battery_work). In wacom_remove(), aes_battery_work is not canceled. Consequently, if the device is removed while aes_battery_work is still pending, then hard crashes or "Oops: general protection fault..." are experienced when wacom_aes_battery_handler() is finally called. E.g., this happens with built-in USB devices after resume from hibernate when aes_battery_work was still pending at the time of hibernation. So, take care to cancel aes_battery_work in wacom_remove(). Fixes: fd2a9b29dc9c ("HID: wacom: Remove AES power_supply after extended inactivity") Signed-off-by: Thomas Zeitlhofer <thomas.zeitlhofer+lkml@ze-it.at> Acked-by: Ping Cheng <ping.cheng@wacom.com> Signed-off-by: Jiri Kosina <jkosina@suse.com> 2025-06-10T19:10:27+00:00 Qasim Ijaz qasdev00@gmail.com 2025-06-06T18:49:59+00:00 urn:sha1:85a720f4337f0ddf1603c8b75a8f1ffbbe022ef9 When sysfs_create_files() fails in wacom_initialize_remotes() the error is returned and the cleanup action will not have been registered yet. As a result the kobject???s refcount is never dropped, so the kobject can never be freed leading to a reference leak. Fix this by calling kobject_put() before returning. Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated") Acked-by: Ping Cheng <ping.cheng@wacom.com> Cc: stable@vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.com> 2025-06-10T19:10:27+00:00 Qasim Ijaz qasdev00@gmail.com 2025-06-06T18:49:58+00:00 urn:sha1:1a19ae437ca5d5c7d9ec2678946fb339b1c706bf When sysfs_create_files() fails during wacom_initialize_remotes() the fifo buffer is not freed leading to a memory leak. Fix this by calling kfifo_free() before returning. Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated") Reviewed-by: Ping Cheng <ping.cheng@wacom.com> Cc: stable@vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.com> 2025-06-10T19:10:27+00:00 Qasim Ijaz qasdev00@gmail.com 2025-06-06T18:49:57+00:00 urn:sha1:5ae416c5b1e2e816aee7b3fc8347adf70afabb4c During wacom_initialize_remotes() a fifo buffer is allocated with kfifo_alloc() and later a cleanup action is registered during devm_add_action_or_reset() to clean it up. However if the code fails to create a kobject and register it with sysfs the code simply returns -ENOMEM before the cleanup action is registered leading to a memory leak. Fix this by ensuring the fifo is freed when the kobject creation and registration process fails. Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated") Reviewed-by: Ping Cheng <ping.cheng@wacom.com> Cc: stable@vger.kernel.org Signed-off-by: Qasim Ijaz <qasdev00@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.com> 2025-05-15T17:57:24+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-05-15T17:57:24+00:00 urn:sha1:fe661d01ab40eb4d1e7c6a8ace699901e6aef77b Pull HID fixes from Benjamin Tissoires: - fix a few potential memory leaks in the wacom driver (Qasim Ijaz) - AMD SFH fixes when there is only one SRA sensor (Mario Limonciello) - HID-BPF dispatch UAF fix that happens on removal of the Logitech DJ receiver (Rong Zhang) - various minor fixes and usual device ID additions * tag 'hid-for-linus-2025051501' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: HID: bpf: abort dispatch if device destroyed HID: quirks: Add ADATA XPG alpha wireless mouse support HID: hid-steam: Remove the unused variable connected HID: amd_sfh: Avoid clearing reports for SRA sensor HID: amd_sfh: Fix SRA sensor when it's the only sensor HID: wacom: fix shift OOB in kfifo allocation for zero pktlen HID: uclogic: Add NULL check in uclogic_input_configured() HID: wacom: fix memory leak on size mismatch in wacom_wac_queue_flush() HID: wacom: handle kzalloc() allocation failure in wacom_wac_queue_flush() HID: thrustmaster: fix memory leak in thrustmaster_interrupts() HID: hid-appletb-kbd: Fix wrong date and kernel version in sysfs interface docs HID: bpf: fix BTN_STYLUS for the XP Pen ACK05 remote