aboutsummaryrefslogtreecommitdiffstats
diff options
Diffstat
-rw-r--r--queue-5.10/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch47
-rw-r--r--queue-5.10/i2c-tiny-usb-disable-zero-length-read-messages.patch47
-rw-r--r--queue-5.10/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch47
-rw-r--r--queue-5.10/series3
4 files changed, 144 insertions, 0 deletions
diff --git a/queue-5.10/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch b/queue-5.10/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
new file mode 100644
index 0000000000..5c4fb2b6f1
--- /dev/null
+++ b/queue-5.10/i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
@@ -0,0 +1,47 @@
+From 56ad91c1aa9c18064348edf69308080b03c9dc48 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Thu, 22 May 2025 08:42:35 +0200
+Subject: i2c: robotfuzz-osif: disable zero-length read messages
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit 56ad91c1aa9c18064348edf69308080b03c9dc48 upstream.
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: <stable@vger.kernel.org> # v3.14+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250522064234.3721-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c
++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c
+@@ -111,6 +111,11 @@ static u32 osif_func(struct i2c_adapter
+ return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
+ }
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks osif_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ static const struct i2c_algorithm osif_algorithm = {
+ .master_xfer = osif_xfer,
+ .functionality = osif_func,
+@@ -143,6 +148,7 @@ static int osif_probe(struct usb_interfa
+
+ priv->adapter.owner = THIS_MODULE;
+ priv->adapter.class = I2C_CLASS_HWMON;
++ priv->adapter.quirks = &osif_quirks;
+ priv->adapter.algo = &osif_algorithm;
+ priv->adapter.algo_data = priv;
+ snprintf(priv->adapter.name, sizeof(priv->adapter.name),
diff --git a/queue-5.10/i2c-tiny-usb-disable-zero-length-read-messages.patch b/queue-5.10/i2c-tiny-usb-disable-zero-length-read-messages.patch
new file mode 100644
index 0000000000..03052ff62a
--- /dev/null
+++ b/queue-5.10/i2c-tiny-usb-disable-zero-length-read-messages.patch
@@ -0,0 +1,47 @@
+From cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Thu, 22 May 2025 08:43:49 +0200
+Subject: i2c: tiny-usb: disable zero-length read messages
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 upstream.
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Fixes: e8c76eed2ecd ("i2c: New i2c-tiny-usb bus driver")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: <stable@vger.kernel.org> # v2.6.22+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250522064349.3823-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-tiny-usb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-tiny-usb.c
++++ b/drivers/i2c/busses/i2c-tiny-usb.c
+@@ -140,6 +140,11 @@ out:
+ return ret;
+ }
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks usb_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ /* This is the actual algorithm we define */
+ static const struct i2c_algorithm usb_algorithm = {
+ .master_xfer = usb_xfer,
+@@ -244,6 +249,7 @@ static int i2c_tiny_usb_probe(struct usb
+ /* setup i2c adapter description */
+ dev->adapter.owner = THIS_MODULE;
+ dev->adapter.class = I2C_CLASS_HWMON;
++ dev->adapter.quirks = &usb_quirks;
+ dev->adapter.algo = &usb_algorithm;
+ dev->adapter.algo_data = dev;
+ snprintf(dev->adapter.name, sizeof(dev->adapter.name),
diff --git a/queue-5.10/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch b/queue-5.10/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
new file mode 100644
index 0000000000..69f6e8bed9
--- /dev/null
+++ b/queue-5.10/s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
@@ -0,0 +1,47 @@
+From 7360ee47599af91a1d5f4e74d635d9408a54e489 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Wed, 11 Jun 2025 22:20:10 +0300
+Subject: s390/pkey: Prevent overflow in size calculation for memdup_user()
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit 7360ee47599af91a1d5f4e74d635d9408a54e489 upstream.
+
+Number of apqn target list entries contained in 'nr_apqns' variable is
+determined by userspace via an ioctl call so the result of the product in
+calculation of size passed to memdup_user() may overflow.
+
+In this case the actual size of the allocated area and the value
+describing it won't be in sync leading to various types of unpredictable
+behaviour later.
+
+Use a proper memdup_array_user() helper which returns an error if an
+overflow is detected. Note that it is different from when nr_apqns is
+initially zero - that case is considered valid and should be handled in
+subsequent pkey_handler implementations.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: f2bbc96e7cfa ("s390/pkey: add CCA AES cipher key support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250611192011.206057-1-pchelkin@ispras.ru
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/pkey_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -1119,7 +1119,7 @@ static void *_copy_apqns_from_user(void
+ if (!uapqns || nr_apqns == 0)
+ return NULL;
+
+- return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn));
++ return memdup_array_user(uapqns, nr_apqns, sizeof(struct pkey_apqn));
+ }
+
+ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
diff --git a/queue-5.10/series b/queue-5.10/series
index 0a13b3d0ef..e072b64166 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -48,3 +48,6 @@ uio_hv_generic-query-the-ringbuffer-size-for-device.patch
uio_hv_generic-align-ring-size-to-system-page.patch
pci-cadence-ep-correct-pba-offset-in-.set_msix-callb.patch
net_sched-sch_sfq-reject-invalid-perturb-period.patch
+i2c-tiny-usb-disable-zero-length-read-messages.patch
+i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
+s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
generated by cgit 1.2.3-korg (git 2.43.0) at 2025-07-04 05:45:11 +0000