Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v7.0-rc7 2026-02-22T01:09:51+00:00 2026-02-22T01:09:51+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-02-22T00:37:42+00:00 urn:sha1:bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43 This was done entirely with mindless brute force, using git grep -l '\<k[vmz]*alloc_objs*(.*, GFP_KERNEL)' | xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/' to convert the new alloc_obj() users that had a simple GFP_KERNEL argument to just drop that argument. Note that due to the extreme simplicity of the scripting, any slightly more complex cases spread over multiple lines would not be triggered: they definitely exist, but this covers the vast bulk of the cases, and the resulting diff is also then easier to check automatically. For the same reason the 'flex' versions will be done as a separate conversion. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2026-02-21T09:02:28+00:00 Kees Cook kees@kernel.org 2026-02-21T07:49:23+00:00 urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f This is the result of running the Coccinelle script from scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to avoid scalar types (which need careful case-by-case checking), and instead replace kmalloc-family calls that allocate struct or union object instances: Single allocations: kmalloc(sizeof(TYPE), ...) are replaced with: kmalloc_obj(TYPE, ...) Array allocations: kmalloc_array(COUNT, sizeof(TYPE), ...) are replaced with: kmalloc_objs(TYPE, COUNT, ...) Flex array allocations: kmalloc(struct_size(PTR, FAM, COUNT), ...) are replaced with: kmalloc_flex(*PTR, FAM, COUNT, ...) (where TYPE may also be *VAR) The resulting allocations no longer return "void *", instead returning "TYPE *". Signed-off-by: Kees Cook <kees@kernel.org> 2025-09-29T04:29:03+00:00 Zhen Ni zhen.ni@easystack.cn 2025-09-28T06:37:37+00:00 urn:sha1:d3366a04770eea807f2826cbdb96934dd8c9bf79 Struct ff_effect_compat is embedded twice inside uinput_ff_upload_compat, contains internal padding. In particular, there is a hole after struct ff_replay to satisfy alignment requirements for the following union member. Without clearing the structure, copy_to_user() may leak stack data to userspace. Initialize ff_up_compat to zero before filling valid fields. Fixes: 2d56f3a32c0e ("Input: refactor evdev 32bit compat to be shareable with uinput") Cc: stable@vger.kernel.org Signed-off-by: Zhen Ni <zhen.ni@easystack.cn> Link: https://lore.kernel.org/r/20250928063737.74590-1-zhen.ni@easystack.cn Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2024-09-27T15:18:43+00:00 Al Viro viro@zeniv.linux.org.uk 2024-09-27T01:56:11+00:00 urn:sha1:cb787f4ac0c2e439ea8d7e6387b925f74576bdf8 no_llseek had been defined to NULL two years ago, in commit 868941b14441 ("fs: remove no_llseek") To quote that commit, At -rc1 we'll need do a mechanical removal of no_llseek - git grep -l -w no_llseek | grep -v porting.rst | while read i; do sed -i '/\<no_llseek\>/d' $i done would do it. Unfortunately, that hadn't been done. Linus, could you do that now, so that we could finally put that thing to rest? All instances are of the form .llseek = no_llseek, so it's obviously safe. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2024-08-05T01:00:46+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2024-08-05T00:50:25+00:00 urn:sha1:206f533a0a7c683982af473079c4111f4a0f9f5e From: Dmitry Torokhov <dmitry.torokhov@gmail.com> When exercising uinput interface syzkaller may try setting up device with a really large number of slots, which causes memory allocation failure in input_mt_init_slots(). While this allocation failure is handled properly and request is rejected, it results in syzkaller reports. Additionally, such request may put undue burden on the system which will try to free a lot of memory for a bogus request. Fix it by limiting allowed number of slots to 100. This can easily be extended if we see devices that can track more than 100 contacts. Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Reported-by: syzbot <syzbot+0122fa359a69694395d5@syzkaller.appspotmail.com> Closes: https://syzkaller.appspot.com/bug?extid=0122fa359a69694395d5 Link: https://lore.kernel.org/r/Zqgi7NYEbpRsJfa2@google.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2024-06-03T04:32:01+00:00 Erick Archer erick.archer@outlook.com 2024-06-03T04:26:14+00:00 urn:sha1:a0bd7adadb50471331f0ca28caf068f7fab37b64 It is preferred to use sizeof(*pointer) instead of sizeof(type) due to the type of the variable can change and one needs not change the former (unlike the latter). This patch has no effect on runtime behavior. Signed-off-by: Erick Archer <erick.archer@outlook.com> Link: https://lore.kernel.org/r/AS8PR02MB7237884EB989EFF55D1BEF8B8BFE2@AS8PR02MB7237.eurprd02.prod.outlook.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2023-05-02T03:22:11+00:00 Biswarup Pal biswarupp@google.com 2023-05-02T03:19:19+00:00 urn:sha1:3a2df60200a03f78173f1fd831aa54c08464dcde Currently, uinput doesn't use the input_set_timestamp API, so any event injected using uinput is not accurately timestamped in terms of measuring when the actual event happened. Hence, call the input_set_timestamp API from uinput in order to provide a more accurate sense of time for the event. Propagate only the timestamps which are a) positive, b) within a pre-defined offset (10 secs) from the current time, and c) not in the future. Signed-off-by: Biswarup Pal <biswarupp@google.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Siarhei Vishniakou <svv@google.com> Link: https://lore.kernel.org/r/20230427000152.1407471-1-biswarupp@google.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2019-12-13T23:00:36+00:00 Arnd Bergmann arnd@arndb.de 2019-12-13T22:06:58+00:00 urn:sha1:f729a1b0f8df7091cea3729fc0e414f5326e1163 Going through all uses of timeval, I noticed that we screwed up input_event in the previous attempts to fix it: The time fields now match between kernel and user space, but all following fields are in the wrong place. Add the required padding that is implied by the glibc timeval definition to fix the layout, and use a struct initializer to avoid leaking kernel stack data. Fixes: 141e5dcaa735 ("Input: input_event - fix the CONFIG_SPARC64 mixup") Fixes: 2e746942ebac ("Input: input_event - provide override for sparc64") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Link: https://lore.kernel.org/r/20191213204936.3643476-2-arnd@arndb.de Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2019-12-13T23:00:30+00:00 Dmitry Torokhov dmitry.torokhov@gmail.com 2019-12-13T22:03:56+00:00 urn:sha1:add218099472805a06bc334852d8e2af5d74e4ac uinput device is always available for writing so we should always report EPOLLOUT and EPOLLWRNORM bits, not only when there is nothing to read from the device. Fixes: d4b675e1b527 ("Input: uinput - fix returning EPOLLOUT from uinput_poll") Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Link: https://lore.kernel.org/r/20191209202254.GA107567@dtor-ws Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> 2019-12-05T01:58:15+00:00 Marcel Holtmann marcel@holtmann.org 2019-12-05T01:27:16+00:00 urn:sha1:d4b675e1b5272149d4c6fac6870df6ebdbd8be82 Always return EPOLLOUT from uinput_poll to allow polling /dev/uinput for writable state. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Link: https://lore.kernel.org/r/20191204025014.5189-1-marcel@holtmann.org Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>