<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/usb/class/usblp.c, branch linux-7.0.y</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.0.y</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=linux-7.0.y'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-05-14T13:31:04+00:00</updated>
<entry>
<title>usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl</title>
<updated>2026-05-14T13:31:04+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2026-04-20T16:11:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6b0e7438e31c74b01514d31ff35c1e688c4baaba'/>
<id>urn:sha1:6b0e7438e31c74b01514d31ff35c1e688c4baaba</id>
<content type='text'>
commit b38e53cbfb9d84732e5984fbd73e128d592415c5 upstream.

Just like in a previous problem in this driver, usblp_ctrl_msg() will
collapse the usb_control_msg() return value to 0/-errno, discarding the
actual number of bytes transferred.

Ideally that short command should be detected and error out, but many
printers are known to send "incorrect" responses back so we can't just
do that.

statusbuf is kmalloc(8) at probe time and never filled before the first
LPGETSTATUS ioctl.

usblp_read_status() requests 1 byte. If a malicious printer responds
with zero bytes, *statusbuf is one byte of stale kmalloc heap,
sign-extended into the local int status, which the LPGETSTATUS path then
copy_to_user()s directly to the ioctl caller.

Fix this all by just zapping out the memory buffer when allocated at
probe time.  If a later call does a short read, the data will be
identical to what the device sent it the last time, so there is no
"leak" of information happening.

Cc: Pete Zaitcev &lt;zaitcev@redhat.com&gt;
Assisted-by: gkh_clanker_t1000
Cc: stable &lt;stable@kernel.org&gt;
Link: https://patch.msgid.link/2026042011-shredder-savage-48c6@gregkh
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: usblp: fix heap leak in IEEE 1284 device ID via short response</title>
<updated>2026-05-14T13:31:04+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2026-04-20T16:11:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=522d17e93a85575256894212d10e5a1fa6f36529'/>
<id>urn:sha1:522d17e93a85575256894212d10e5a1fa6f36529</id>
<content type='text'>
commit 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 upstream.

usblp_ctrl_msg() collapses the usb_control_msg() return value to
0/-errno, discarding the actual number of bytes transferred.  A broken
printer can complete the GET_DEVICE_ID control transfer short and the
driver has no way to know.

usblp_cache_device_id_string() reads the 2-byte big-endian length prefix
from the response and trusts it (clamped only to the buffer bounds).
The buffer is kmalloc(1024) at probe time. A device that sends exactly
two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves
device_id_string[2..1022] holding stale kmalloc heap.

That stale data is then exposed:
  - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated
    at the first NUL in the stale heap), and
  - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full
    claimed length regardless of NULs, up to 1021 bytes of uninitialized
    heap, with the leak size chosen by the device.

Fix this up by just zapping the buffer with zeros before each request
sent to the device.

Cc: Pete Zaitcev &lt;zaitcev@redhat.com&gt;
Assisted-by: gkh_clanker_t1000
Cc: stable &lt;stable@kernel.org&gt;
Link: https://patch.msgid.link/2026042002-unicorn-greedily-3c63@gregkh
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Convert 'alloc_obj' family to use the new default GFP_KERNEL argument</title>
<updated>2026-02-22T01:09:51+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-02-22T00:37:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43'/>
<id>urn:sha1:bf4afc53b77aeaa48b5409da5c8da6bb4eff7f43</id>
<content type='text'>
This was done entirely with mindless brute force, using

    git grep -l '\&lt;k[vmz]*alloc_objs*(.*, GFP_KERNEL)' |
        xargs sed -i 's/\(alloc_objs*(.*\), GFP_KERNEL)/\1)/'

to convert the new alloc_obj() users that had a simple GFP_KERNEL
argument to just drop that argument.

Note that due to the extreme simplicity of the scripting, any slightly
more complex cases spread over multiple lines would not be triggered:
they definitely exist, but this covers the vast bulk of the cases, and
the resulting diff is also then easier to check automatically.

For the same reason the 'flex' versions will be done as a separate
conversion.

Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
</entry>
<entry>
<title>treewide: Replace kmalloc with kmalloc_obj for non-scalar types</title>
<updated>2026-02-21T09:02:28+00:00</updated>
<author>
<name>Kees Cook</name>
<email>kees@kernel.org</email>
</author>
<published>2026-02-21T07:49:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=69050f8d6d075dc01af7a5f2f550a8067510366f'/>
<id>urn:sha1:69050f8d6d075dc01af7a5f2f550a8067510366f</id>
<content type='text'>
This is the result of running the Coccinelle script from
scripts/coccinelle/api/kmalloc_objs.cocci. The script is designed to
avoid scalar types (which need careful case-by-case checking), and
instead replace kmalloc-family calls that allocate struct or union
object instances:

Single allocations:	kmalloc(sizeof(TYPE), ...)
are replaced with:	kmalloc_obj(TYPE, ...)

Array allocations:	kmalloc_array(COUNT, sizeof(TYPE), ...)
are replaced with:	kmalloc_objs(TYPE, COUNT, ...)

Flex array allocations:	kmalloc(struct_size(PTR, FAM, COUNT), ...)
are replaced with:	kmalloc_flex(*PTR, FAM, COUNT, ...)

(where TYPE may also be *VAR)

The resulting allocations no longer return "void *", instead returning
"TYPE *".

Signed-off-by: Kees Cook &lt;kees@kernel.org&gt;
</content>
</entry>
<entry>
<title>usb: usblp: Use min_t() to improve usblp_read()</title>
<updated>2025-09-06T13:20:22+00:00</updated>
<author>
<name>Thorsten Blum</name>
<email>thorsten.blum@linux.dev</email>
</author>
<published>2025-08-29T17:37:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=43ae982cd0ec7fb6fea40fabef2c872e6f9b213d'/>
<id>urn:sha1:43ae982cd0ec7fb6fea40fabef2c872e6f9b213d</id>
<content type='text'>
Use min_t() to improve usblp_read() and avoid calculating
'avail - usblp-&gt;readcount' twice. Use min_t(ssize_t,,) instead of min()
to avoid a signedness error.

Signed-off-by: Thorsten Blum &lt;thorsten.blum@linux.dev&gt;
Link: https://lore.kernel.org/r/20250829173713.56222-1-thorsten.blum@linux.dev
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>usb: usblp: clean up assignment inside if conditions</title>
<updated>2025-07-21T14:30:54+00:00</updated>
<author>
<name>Darshan Rathod</name>
<email>darshan.rathod@siqol.com</email>
</author>
<published>2025-07-18T09:10:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d8e1ecffb4a282791be1b3d81a05541749b0db64'/>
<id>urn:sha1:d8e1ecffb4a282791be1b3d81a05541749b0db64</id>
<content type='text'>
This patch cleans up a few cases where assignments were made
inside of if conditions, like

if ((rv = func()) &lt; 0)

into two lines, to improve readability and be more in line with
Linux kernel coding style. It also cleans up checkpatch warnings
like:

ERROR: do not use assignment in if condition

No functional change, just a style and maintainability fix.

Signed-off-by: Darshan Rathod &lt;darshan.rathod@siqol.com&gt;
Link: https://lore.kernel.org/r/20250718091045.264129-1-darshan.rathod@siqol.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Merge 6.13-rc7 into usb-next</title>
<updated>2025-01-13T05:11:06+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2025-01-13T05:11:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2919c4a3d883361105185f9d2f658e1a4545a1a7'/>
<id>urn:sha1:2919c4a3d883361105185f9d2f658e1a4545a1a7</id>
<content type='text'>
We need the USB fixes in here as well for testing.

Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>USB: usblp: return error when setting unsupported protocol</title>
<updated>2024-12-23T17:50:41+00:00</updated>
<author>
<name>Jun Yan</name>
<email>jerrysteve1101@gmail.com</email>
</author>
<published>2024-12-12T14:38:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=7a3d76a0b60b3f6fc3375e4de2174bab43f64545'/>
<id>urn:sha1:7a3d76a0b60b3f6fc3375e4de2174bab43f64545</id>
<content type='text'>
Fix the regression introduced by commit d8c6edfa3f4e ("USB:
usblp: don't call usb_set_interface if there's a single alt"),
which allows unsupported protocols to also be set via
ioctl when the num_altsetting of the device is 1.

Move the check for protocol support to the earlier stage.

Fixes: d8c6edfa3f4e ("USB: usblp: don't call usb_set_interface if there's a single alt")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Jun Yan &lt;jerrysteve1101@gmail.com&gt;
Link: https://lore.kernel.org/r/20241212143852.671889-1-jerrysteve1101@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>USB: usblp: remove redundant semicolon</title>
<updated>2024-12-23T17:40:39+00:00</updated>
<author>
<name>Jun Yan</name>
<email>jerrysteve1101@gmail.com</email>
</author>
<published>2024-12-13T14:53:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c975c9b8f8204c34213e9a6821f597bbda021f8e'/>
<id>urn:sha1:c975c9b8f8204c34213e9a6821f597bbda021f8e</id>
<content type='text'>
Remove the redundant semicolon in LPIOC_SOFT_RESET to
fix the incorrect macro expansion syntax.

Signed-off-by: Jun Yan &lt;jerrysteve1101@gmail.com&gt;
Link: https://lore.kernel.org/r/20241213145314.785616-1-jerrysteve1101@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>USB: make devnode() callback in usb_class_driver take a const *</title>
<updated>2022-10-20T10:11:56+00:00</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@linuxfoundation.org</email>
</author>
<published>2022-10-01T16:51:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5033ac5c580cb22245a0c2b9e53d508e8fdd50d8'/>
<id>urn:sha1:5033ac5c580cb22245a0c2b9e53d508e8fdd50d8</id>
<content type='text'>
With the changes to the driver core to make more pointers const, the USB
subsystem also needs to be modified to take a const * for the devnode
callback so that the driver core's constant pointer will also be
properly propagated.

Cc: Benjamin Tissoires &lt;benjamin.tissoires@redhat.com&gt;
Cc: Juergen Stuber &lt;starblue@users.sourceforge.net&gt;
Reviewed-by: Johan Hovold &lt;johan@kernel.org&gt;
Acked-by: Pete Zaitcev &lt;zaitcev@redhat.com&gt;
Reviewed-by: Jiri Kosina &lt;jkosina@suse.cz&gt;
Link: https://lore.kernel.org/r/20221001165128.2688526-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
</feed>
