<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/input/joystick, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-23T03:55:41+00:00</updated>
<entry>
<title>Input: iforce - bound the device-reported force-feedback effect index</title>
<updated>2026-06-23T03:55:41+00:00</updated>
<author>
<name>Bryam Vargas</name>
<email>hexlabsecurity@proton.me</email>
</author>
<published>2026-06-23T03:47:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0e9943d2e4c63496b6ca84bc66fd3c71d40558e2'/>
<id>urn:sha1:0e9943d2e4c63496b6ca84bc66fd3c71d40558e2</id>
<content type='text'>
iforce_process_packet() handles a status report (packet id 0x02) by
taking a force-feedback effect index straight from the device wire and
using it to address the per-effect state array:

	i = data[1] &amp; 0x7f;
	if (data[1] &amp; 0x80) {
		if (!test_and_set_bit(FF_CORE_IS_PLAYED,
				      iforce-&gt;core_effects[i].flags))
			...
	} else if (test_and_clear_bit(FF_CORE_IS_PLAYED,
				      iforce-&gt;core_effects[i].flags)) {
		...
	}

The index is masked only with 0x7f, so it ranges 0..127, but
core_effects[] holds only IFORCE_EFFECTS_MAX (32) entries.  For an index
of 32..127 the test_and_set_bit()/test_and_clear_bit() is an
out-of-bounds single-bit read-modify-write past the array.  core_effects[]
is the second-to-last member of struct iforce, so the write lands in the
trailing members and beyond the embedding kzalloc()'d iforce_serio /
iforce_usb object.

data[1] is unvalidated device payload on both transports (the USB
interrupt endpoint and serio), and the status path is not gated on force
feedback being present, so a malicious or counterfeit device can set or
clear a bit at an attacker-chosen offset past the object.

Reject an out-of-range index instead of indexing with it.  Bound against
the array dimension IFORCE_EFFECTS_MAX rather than dev-&gt;ff-&gt;max_effects so
the check guarantees memory safety regardless of how many effects the
device registered.  A legitimate "effect started/stopped" status always
carries an index below IFORCE_EFFECTS_MAX, so well-formed devices are
unaffected; the neighbouring mark_core_as_ready() loop is already bounded
and is left untouched.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260613-b4-disp-4828d263-v1-1-02320e1a89dd@proton.me
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Merge tag 'v7.1-rc6' into next</title>
<updated>2026-06-01T02:43:25+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-06-01T02:43:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=fff88709f9a9153af85b5224b4594caa5387ca60'/>
<id>urn:sha1:fff88709f9a9153af85b5224b4594caa5387ca60</id>
<content type='text'>
Sync up with mainline to pull in a fix to IMS PCU driver and other
enhancements.
</content>
</entry>
<entry>
<title>Input: Use named initializers for arrays of i2c_device_data</title>
<updated>2026-05-31T05:10:47+00:00</updated>
<author>
<name>Uwe Kleine-König (The Capable Hub)</name>
<email>u.kleine-koenig@baylibre.com</email>
</author>
<published>2026-05-15T16:48:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=47ceab218c827cd5861bd1615763433a870a2d45'/>
<id>urn:sha1:47ceab218c827cd5861bd1615763433a870a2d45</id>
<content type='text'>
While being less compact, using named initializers allows to more easily
see which members of the structs are assigned which value without having
to lookup the declaration of the struct. And it's also more robust
against changes to the struct definition.

The mentioned robustness is relevant for a planned change to struct
i2c_device_id that replaces .driver_data by an anonymous union.

This patch doesn't modify the compiled arrays, only their representation
in source form benefits. The former was confirmed with x86 and arm64
builds.

Signed-off-by: Uwe Kleine-König (The Capable Hub) &lt;u.kleine-koenig@baylibre.com&gt;
Link: https://patch.msgid.link/20260515164848.497608-2-u.kleine-koenig@baylibre.com
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: xpad - add "Nova 2 Lite" from GameSir</title>
<updated>2026-05-01T04:45:32+00:00</updated>
<author>
<name>Qbeliw Tanaka</name>
<email>q.tanaka@gmx.com</email>
</author>
<published>2026-05-01T04:44:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=1f6ac0f8441c48c4cc250141e1da8486c13512ba'/>
<id>urn:sha1:1f6ac0f8441c48c4cc250141e1da8486c13512ba</id>
<content type='text'>
Add support for the gamepad "Nova 2 Lite" from GameSir, compatible with
the Xbox 360 gamepad.

Signed-off-by: Qbeliw Tanaka &lt;q.tanaka@gmx.com&gt;
Link: https://patch.msgid.link/20260429.162040.930225048583399359.q.tanaka@gmx.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: xpad - add support for ASUS ROG RAIKIRI II</title>
<updated>2026-05-01T04:40:04+00:00</updated>
<author>
<name>Dmitriy Zharov</name>
<email>contact@zharov.dev</email>
</author>
<published>2026-04-30T18:35:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c897cf120696b94f56ed0f3197ba9a77071a59ec'/>
<id>urn:sha1:c897cf120696b94f56ed0f3197ba9a77071a59ec</id>
<content type='text'>
Add the VID/PIDs for the ASUS ROG RAIKIRI II controller to xpad_device
and the VID to xpad_table. The controller has a physical PC/XBOX toggle
which switches between XBOX360 and XBOXONE protocols.

Signed-off-by: Dmitriy Zharov &lt;contact@zharov.dev&gt;
Link: https://patch.msgid.link/20260430183522.122151-1-contact@zharov.dev
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: xpad - fix out-of-bounds access for Share button</title>
<updated>2026-04-27T04:13:05+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-04-27T04:09:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6cdc46b38cf146ce81d4831b6472dbf7731849a2'/>
<id>urn:sha1:6cdc46b38cf146ce81d4831b6472dbf7731849a2</id>
<content type='text'>
xpadone_process_packet() receives len directly from urb-&gt;actual_length
and uses it to index the share-button byte at data[len - 18] or
data[len - 26]. Since both len and data[0] are under the device's
control, a broken controller can send a GIP_CMD_INPUT packet with
actual_length &lt; 18 (e.g. 5 bytes) and reach this code path, causing
accesses beyond the actual array.

Fix this by calculating the offset and checking bounds against the
packet length.

Reported-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Fixes: 4ef46367073b ("Input: xpad - fix Share button on Xbox One controllers")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'next' into for-linus</title>
<updated>2026-04-20T01:28:57+00:00</updated>
<author>
<name>Dmitry Torokhov</name>
<email>dmitry.torokhov@gmail.com</email>
</author>
<published>2026-04-20T01:28:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f4b369c6fe0ceaba2da2daff8c9eb415f85926dd'/>
<id>urn:sha1:f4b369c6fe0ceaba2da2daff8c9eb415f85926dd</id>
<content type='text'>
Prepare input updates for 7.1 merge window.
</content>
</entry>
<entry>
<title>Input: gf2k - skip invalid hat lookup values</title>
<updated>2026-04-07T05:10:13+00:00</updated>
<author>
<name>Pengpeng Hou</name>
<email>pengpeng@iscas.ac.cn</email>
</author>
<published>2026-04-07T01:56:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bc561dc8ba5b9fe56ed1757bdad218c9a0f992f1'/>
<id>urn:sha1:bc561dc8ba5b9fe56ed1757bdad218c9a0f992f1</id>
<content type='text'>
gf2k_read() decodes the hat position from a 4-bit field and uses it
directly to index gf2k_hat_to_axis[]. The lookup table only has nine
entries, so malformed packets can read past the end of the fixed table.

Skip hat reporting when the decoded value falls outside the lookup
table instead of forcing it to the neutral position. This keeps the
fix local and avoids reporting a made-up axis state for malformed
packets.

Signed-off-by: Pengpeng Hou &lt;pengpeng@iscas.ac.cn&gt;
Link: https://patch.msgid.link/20260407120001.1-gf2k-v2-pengpeng@iscas.ac.cn
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: xpad - add support for BETOP BTP-KP50B/C controller's wireless mode</title>
<updated>2026-04-04T05:37:30+00:00</updated>
<author>
<name>Shengyu Qu</name>
<email>wiagn233@outlook.com</email>
</author>
<published>2026-04-04T05:07:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=0d9363a764d9d601a05591f9695cea8b429e9be3'/>
<id>urn:sha1:0d9363a764d9d601a05591f9695cea8b429e9be3</id>
<content type='text'>
BETOP's BTP-KP50B and BTP-KP50C controller's wireless dongles are both
working as standard Xbox 360 controllers. Add USB device IDs for them to
xpad driver.

Signed-off-by: Shengyu Qu &lt;wiagn233@outlook.com&gt;
Link: https://patch.msgid.link/TY4PR01MB14432B4B298EA186E5F86C46B9855A@TY4PR01MB14432.jpnprd01.prod.outlook.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
<entry>
<title>Input: xpad - add support for Razer Wolverine V3 Pro</title>
<updated>2026-04-04T05:37:29+00:00</updated>
<author>
<name>Zoltan Illes</name>
<email>zoliviragh@gmail.com</email>
</author>
<published>2026-04-04T05:03:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=e2b0ae529db4766584e77647cefe3ec15c3d842e'/>
<id>urn:sha1:e2b0ae529db4766584e77647cefe3ec15c3d842e</id>
<content type='text'>
Add device IDs for the Razer Wolverine V3 Pro controller in both
wired (0x0a57) and wireless 2.4 GHz dongle (0x0a59) modes.

The controller uses the Xbox 360 protocol (vendor-specific class,
subclass 93, protocol 1) on interface 0 with an identical 20-byte
input report layout, so no additional processing is needed.

Signed-off-by: Zoltan Illes &lt;zoliviragh@gmail.com&gt;
Link: https://patch.msgid.link/20260329220031.1325509-1-137647604+ZlordHUN@users.noreply.github.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov &lt;dmitry.torokhov@gmail.com&gt;
</content>
</entry>
</feed>
