greybus-dev

greybus-dev@lists.linaro.org

18 participants
777 discussions

[PATCH v3 0/4] HID: Proper fix for OOM in hid-core

by Benjamin Tissoires

Commit 0a3fe972a7cb ("HID: core: Mitigate potential OOB by removing bogus memset()") enforced the provided data to be at least the size of the declared buffer in the report descriptor to prevent a buffer overflow. We only had corner cases of malicious devices exposing the OOM because in most cases, the buffer provided by the transport layer needs to be allocated at probe time and is large enough to handle all the possible reports. However, the patch from above, which enforces the spec a little bit more introduced both regressions for devices not following the spec (not necesserally malicious), but also a stream of errors for those devices. Let's revert to the old behavior by giving more information to HID core to be able to decide whether it can or not memset the rest of the buffer to 0 and continue the processing. Note that the first commit makes an API change, but the callers are relatively limited, so it should be fine on its own. The second patch can't really make the same kind of API change because we have too many callers in various subsystems. We can switch them one by one to the safe approach when needed. The last 2 patches are small cleanups I initially put together with the 2 first patches, but they can be applied on their own and don't need to be pulled in stable like the first 2. Cheers, Benjamin Signed-off-by: Benjamin Tissoires <bentiss(a)kernel.org> --- Changes in v3: - fixed ghib -> ghid in greybus - fixed i386 size_t debug size reported by kernel-bot - Link to v2: https://lore.kernel.org/r/20260416-wip-fix-core-v2-0-be92570e5627@kernel.org Changes in v2: - added a small blurb explaining the difference between the safe and the non safe version of hid_safe_input_report - Link to v1: https://lore.kernel.org/r/20260415-wip-fix-core-v1-0-ed3c4c823175@kernel.org --- Benjamin Tissoires (4): HID: pass the buffer size to hid_report_raw_event HID: core: introduce hid_safe_input_report() HID: multitouch: use __free(kfree) to clean up temporary buffers HID: wacom: use __free(kfree) to clean up temporary buffers drivers/hid/bpf/hid_bpf_dispatch.c | 6 ++-- drivers/hid/hid-core.c | 67 ++++++++++++++++++++++++++++++-------- drivers/hid/hid-gfrm.c | 4 +-- drivers/hid/hid-logitech-hidpp.c | 2 +- drivers/hid/hid-multitouch.c | 18 ++++------ drivers/hid/hid-primax.c | 2 +- drivers/hid/hid-vivaldi-common.c | 2 +- drivers/hid/i2c-hid/i2c-hid-core.c | 7 ++-- drivers/hid/usbhid/hid-core.c | 11 ++++--- drivers/hid/wacom_sys.c | 46 +++++++++----------------- drivers/staging/greybus/hid.c | 2 +- include/linux/hid.h | 6 ++-- include/linux/hid_bpf.h | 14 +++++--- 13 files changed, 109 insertions(+), 78 deletions(-) --- base-commit: 7df6572f1cb381d6b89ceed58e3b076c233c2cd0 change-id: 20260415-wip-fix-core-7d85c8516ed0 Best regards, -- Benjamin Tissoires <bentiss(a)kernel.org>

10 minutes

[PATCH] staging: greybus: uart: document locking and fix indentation

by AkaLuiz

Add comments describing what the lock fields in struct gb_tty protect, and fix the indentation of the wait_for_completion_timeout() call. Signed-off-by: AkaLuiz <luizcarlosmdea(a)gmail.com> --- drivers/staging/greybus/uart.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/staging/greybus/uart.c b/drivers/staging/greybus/uart.c index 7d060b4cd33d..85586e9a4341 100644 --- a/drivers/staging/greybus/uart.c +++ b/drivers/staging/greybus/uart.c @@ -50,12 +50,12 @@ struct gb_tty { unsigned int minor; unsigned char clocal; bool disconnected; - spinlock_t read_lock; - spinlock_t write_lock; + spinlock_t read_lock; /* protects iocount and oldcount for TIOCMIWAIT */ + spinlock_t write_lock; /* protects write_fifo and credits */ struct async_icount iocount; struct async_icount oldcount; wait_queue_head_t wioctl; - struct mutex mutex; + struct mutex mutex; /* protects disconnected during lookup and removal */ u8 ctrlin; /* input control lines */ u8 ctrlout; /* output control lines */ struct gb_uart_set_line_coding_request line_coding; @@ -318,7 +318,7 @@ static int gb_uart_wait_for_all_credits(struct gb_tty *gb_tty) return 0; ret = wait_for_completion_timeout(&gb_tty->credits_complete, - msecs_to_jiffies(GB_UART_CREDIT_WAIT_TIMEOUT_MSEC)); + msecs_to_jiffies(GB_UART_CREDIT_WAIT_TIMEOUT_MSEC)); if (!ret) { dev_err(&gb_tty->gbphy_dev->dev, "time out waiting for credits\n"); -- 2.54.0

10 hours, 14 minutes

[PATCH] staging: greybus: uart: document c_cflag handling in set_termios

by Debjeet Banerjee

gb_tty_set_termios() derives UART line configuration from a subset of termios->c_cflag bits, namely CSIZE, CSTOPB, PARENB, PARODD, CMSPAR, CRTSCTS, CLOCAL and CBAUD. Other c_cflag bits are not interpreted by the driver and are not represented in the Greybus UART protocol messages. The existing FIXME suggests clearing unsupported bits from termios. However, the driver already limits its behavior to the supported subset when constructing line coding, and unused bits are effectively ignored. No invalid or unsupported values are propagated to the hardware. Replace the FIXME with a comment documenting which c_cflag bits are consumed by the driver and clarifying that other bits are ignored. No functional change intended. Signed-off-by: Debjeet Banerjee <debjeetbanerjee48(a)gmail.com> --- drivers/staging/greybus/uart.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/staging/greybus/uart.c b/drivers/staging/greybus/uart.c index 7d060b4cd33d..49d685a6ad8c 100644 --- a/drivers/staging/greybus/uart.c +++ b/drivers/staging/greybus/uart.c @@ -494,8 +494,20 @@ static void gb_tty_set_termios(struct tty_struct *tty, (termios->c_cflag & CMSPAR ? 2 : 0) : 0; newline.data_bits = tty_get_char_size(termios->c_cflag); - - /* FIXME: needs to clear unsupported bits in the termios */ + /* + * The Greybus UART driver only interprets a subset of termios + * c_cflag bits when configuring line settings: + * + * - CSIZE via tty_get_char_size() for data bits + * - CSTOPB for stop-bit format + * - PARENB, PARODD, CMSPAR for parity encoding + * - CRTSCTS for hardware flow control + * - CLOCAL for modem control handling + * - CBAUD via C_BAUD() for baud rate and B0 semantics + * + * Other c_cflag bits are ignored as they are not represented in + * the Greybus UART protocol. + */ gb_tty->clocal = ((termios->c_cflag & CLOCAL) != 0); if (C_BAUD(tty) == B0) { -- 2.53.0

12 hours, 17 minutes

[PATCH] staging: greybus: add missing newlines to sysfs_emit() output

by Yousef Alhouseen

Sysfs show() callbacks should emit a trailing newline for text output. Several Greybus audio manager module attributes currently omit the newline, which triggers checkpatch warnings and makes the attributes less convenient to read from userspace. Append missing newlines to the affected sysfs_emit() format strings. Signed-off-by: Yousef Alhouseen <alhouseenyousef(a)gmail.com> --- drivers/staging/greybus/audio_manager_module.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/staging/greybus/audio_manager_module.c b/drivers/staging/greybus/audio_manager_module.c index dc90cc2d2308..5737f2a32f5a 100644 --- a/drivers/staging/greybus/audio_manager_module.c +++ b/drivers/staging/greybus/audio_manager_module.c @@ -75,7 +75,7 @@ static void gb_audio_module_release(struct kobject *kobj) static ssize_t gb_audio_module_name_show(struct gb_audio_manager_module *module, struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "%s", module->desc.name); + return sysfs_emit(buf, "%s\n", module->desc.name); } static struct gb_audio_manager_module_attribute gb_audio_module_name_attribute = @@ -84,7 +84,7 @@ static struct gb_audio_manager_module_attribute gb_audio_module_name_attribute = static ssize_t gb_audio_module_vid_show(struct gb_audio_manager_module *module, struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "%d", module->desc.vid); + return sysfs_emit(buf, "%d\n", module->desc.vid); } static struct gb_audio_manager_module_attribute gb_audio_module_vid_attribute = @@ -93,7 +93,7 @@ static struct gb_audio_manager_module_attribute gb_audio_module_vid_attribute = static ssize_t gb_audio_module_pid_show(struct gb_audio_manager_module *module, struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "%d", module->desc.pid); + return sysfs_emit(buf, "%d\n", module->desc.pid); } static struct gb_audio_manager_module_attribute gb_audio_module_pid_attribute = @@ -103,7 +103,7 @@ static ssize_t gb_audio_module_intf_id_show(struct gb_audio_manager_module *modu struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "%d", module->desc.intf_id); + return sysfs_emit(buf, "%d\n", module->desc.intf_id); } static struct gb_audio_manager_module_attribute @@ -114,7 +114,7 @@ static ssize_t gb_audio_module_ip_devices_show(struct gb_audio_manager_module *m struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "0x%X", module->desc.ip_devices); + return sysfs_emit(buf, "0x%X\n", module->desc.ip_devices); } static struct gb_audio_manager_module_attribute @@ -125,7 +125,7 @@ static ssize_t gb_audio_module_op_devices_show(struct gb_audio_manager_module *m struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "0x%X", module->desc.op_devices); + return sysfs_emit(buf, "0x%X\n", module->desc.op_devices); } static struct gb_audio_manager_module_attribute -- 2.54.0

4 days, 2 hours

[PATCH] staging: greybus: audio: add missing newlines to sysfs attributes

by Nikolai Grlica

Sysfs attribute output should be newline-terminated. Add missing newlines to the Greybus audio manager module attribute show functions. Signed-off-by: Nikolai Grlica <grlicanikolai(a)gmail.com> --- drivers/staging/greybus/audio_manager_module.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/staging/greybus/audio_manager_module.c b/drivers/staging/greybus/audio_manager_module.c index dc90cc2d2308..5737f2a32f5a 100644 --- a/drivers/staging/greybus/audio_manager_module.c +++ b/drivers/staging/greybus/audio_manager_module.c @@ -75,7 +75,7 @@ static void gb_audio_module_release(struct kobject *kobj) static ssize_t gb_audio_module_name_show(struct gb_audio_manager_module *module, struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "%s", module->desc.name); + return sysfs_emit(buf, "%s\n", module->desc.name); } static struct gb_audio_manager_module_attribute gb_audio_module_name_attribute = @@ -84,7 +84,7 @@ static struct gb_audio_manager_module_attribute gb_audio_module_name_attribute = static ssize_t gb_audio_module_vid_show(struct gb_audio_manager_module *module, struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "%d", module->desc.vid); + return sysfs_emit(buf, "%d\n", module->desc.vid); } static struct gb_audio_manager_module_attribute gb_audio_module_vid_attribute = @@ -93,7 +93,7 @@ static struct gb_audio_manager_module_attribute gb_audio_module_vid_attribute = static ssize_t gb_audio_module_pid_show(struct gb_audio_manager_module *module, struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "%d", module->desc.pid); + return sysfs_emit(buf, "%d\n", module->desc.pid); } static struct gb_audio_manager_module_attribute gb_audio_module_pid_attribute = @@ -103,7 +103,7 @@ static ssize_t gb_audio_module_intf_id_show(struct gb_audio_manager_module *modu struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "%d", module->desc.intf_id); + return sysfs_emit(buf, "%d\n", module->desc.intf_id); } static struct gb_audio_manager_module_attribute @@ -114,7 +114,7 @@ static ssize_t gb_audio_module_ip_devices_show(struct gb_audio_manager_module *m struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "0x%X", module->desc.ip_devices); + return sysfs_emit(buf, "0x%X\n", module->desc.ip_devices); } static struct gb_audio_manager_module_attribute @@ -125,7 +125,7 @@ static ssize_t gb_audio_module_op_devices_show(struct gb_audio_manager_module *m struct gb_audio_manager_module_attribute *attr, char *buf) { - return sysfs_emit(buf, "0x%X", module->desc.op_devices); + return sysfs_emit(buf, "0x%X\n", module->desc.op_devices); } static struct gb_audio_manager_module_attribute base-commit: 81f55766523e5293604cb96c5e98d10da345ff33 -- 2.54.0

5 days, 6 hours

Re: [PATCH] Greybus audio protocols drivers: correct sscanf() return value check

by Dan Carpenter

On Sun, May 10, 2026 at 08:41:43PM +0200, Alexander A. Klimov wrote: > manager_sysfs_add_store() passes 6 pointers to sscanf(), > but required latter to return 7 which always failed the operation. > I corrected it to 6. > > Signed-off-by: Alexander A. Klimov <grandmaster(a)al2klimov.de> > --- This needs a Fixes tag. Fixes: 49b9137a6002 ("staging: greybus: audio: remove redundant slot field") You need to add Pankaj Bharadiya <pankaj.bharadiya(a)gmail.com> to the CC list. Although that patch is from 10 years ago so it means no one is using this. regards, dan carpenter

1 week

[PATCH] Greybus audio protocols drivers: correct sscanf() return value check

by Alexander A. Klimov

manager_sysfs_add_store() passes 6 pointers to sscanf(), but required latter to return 7 which always failed the operation. I corrected it to 6. Signed-off-by: Alexander A. Klimov <grandmaster(a)al2klimov.de> --- drivers/staging/greybus/audio_manager_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/greybus/audio_manager_sysfs.c b/drivers/staging/greybus/audio_manager_sysfs.c index fcd518f954..ff323ca815 100644 --- a/drivers/staging/greybus/audio_manager_sysfs.c +++ b/drivers/staging/greybus/audio_manager_sysfs.c @@ -23,7 +23,7 @@ static ssize_t manager_sysfs_add_store(struct kobject *kobj, desc.name, &desc.vid, &desc.pid, &desc.intf_id, &desc.ip_devices, &desc.op_devices); - if (num != 7) + if (num != 6) return -EINVAL; num = gb_audio_manager_add(&desc); -- 2.54.0

1 week, 1 day

[PATCH v1] greybus: authentication: validate CAP response payload size

by Muhammad Bilal

cap_get_ims_certificate() and cap_authenticate() copy variable-length response data directly into fixed-size UAPI buffers using the untrusted op->response->payload_size value without any bounds checks. A malicious or compromised Greybus endpoint can return an oversized certificate or signature payload, causing a kernel heap overflow. Fix both functions by: - Rejecting responses shorter than sizeof(*response) with -EPROTO. - Rejecting payloads exceeding CAP_CERTIFICATE_MAX_SIZE (1600) or CAP_SIGNATURE_MAX_SIZE (320) with -EMSGSIZE. - Copying only the validated size into the UAPI buffer. Fixes: e3eda54d0b5f ("greybus: Add Component Authentication Protocol support") Signed-off-by: Muhammad Bilal <meatuni001(a)gmail.com> --- drivers/staging/greybus/authentication.c | 34 +++++++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/drivers/staging/greybus/authentication.c b/drivers/staging/greybus/authentication.c index 97b9937bb..103cc15d2 100644 --- a/drivers/staging/greybus/authentication.c +++ b/drivers/staging/greybus/authentication.c @@ -109,6 +109,7 @@ static int cap_get_ims_certificate(struct gb_cap *cap, u32 class, u32 id, struct gb_cap_get_ims_certificate_request *request; struct gb_cap_get_ims_certificate_response *response; size_t max_size = gb_operation_get_payload_size_max(connection); + size_t cert_size; struct gb_operation *op; int ret; @@ -131,9 +132,21 @@ static int cap_get_ims_certificate(struct gb_cap *cap, u32 class, u32 id, } response = op->response->payload; + + if (op->response->payload_size < sizeof(*response)) { + ret = -EPROTO; + goto done; + } + + cert_size = op->response->payload_size - sizeof(*response); + if (cert_size > CAP_CERTIFICATE_MAX_SIZE) { + ret = -EMSGSIZE; + goto done; + } + *result = response->result_code; - *size = op->response->payload_size - sizeof(*response); - memcpy(certificate, response->certificate, *size); + *size = (u32)cert_size; + memcpy(certificate, response->certificate, cert_size); done: gb_operation_put(op); @@ -148,6 +161,7 @@ static int cap_authenticate(struct gb_cap *cap, u32 auth_type, u8 *uid, struct gb_cap_authenticate_request *request; struct gb_cap_authenticate_response *response; size_t max_size = gb_operation_get_payload_size_max(connection); + size_t sig_size; struct gb_operation *op; int ret; @@ -170,10 +184,22 @@ static int cap_authenticate(struct gb_cap *cap, u32 auth_type, u8 *uid, } response = op->response->payload; + + if (op->response->payload_size < sizeof(*response)) { + ret = -EPROTO; + goto done; + } + + sig_size = op->response->payload_size - sizeof(*response); + if (sig_size > CAP_SIGNATURE_MAX_SIZE) { + ret = -EMSGSIZE; + goto done; + } + *result = response->result_code; - *signature_size = op->response->payload_size - sizeof(*response); + *signature_size = (u32)sig_size; memcpy(auth_response, response->response, sizeof(response->response)); - memcpy(signature, response->signature, *signature_size); + memcpy(signature, response->signature, sig_size); done: gb_operation_put(op); -- 2.54.0

1 week, 2 days

[PATCH] staging: greybus: split gb_audio_gb_get_topology()

by Khaled Saleh

Split gb_audio_gb_get_topology() into smaller helper functions to improve readability and maintainability. No functional change intended. Signed-off-by: Khaled Saleh <khaled.saleh.req(a)gmail.com> --- drivers/staging/greybus/audio_gb.c | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/drivers/staging/greybus/audio_gb.c b/drivers/staging/greybus/audio_gb.c index 9d8994fdb41a..b5ead09532c8 100644 --- a/drivers/staging/greybus/audio_gb.c +++ b/drivers/staging/greybus/audio_gb.c @@ -8,13 +8,10 @@ #include <linux/greybus.h> #include "audio_codec.h" -/* TODO: Split into separate calls */ -int gb_audio_gb_get_topology(struct gb_connection *connection, - struct gb_audio_topology **topology) +static int gb_audio_gb_get_topology_size(struct gb_connection *connection, + u16 *size) { struct gb_audio_get_topology_size_response size_resp; - struct gb_audio_topology *topo; - u16 size; int ret; ret = gb_operation_sync(connection, GB_AUDIO_TYPE_GET_TOPOLOGY_SIZE, @@ -22,10 +19,24 @@ int gb_audio_gb_get_topology(struct gb_connection *connection, if (ret) return ret; - size = le16_to_cpu(size_resp.size); - if (size < sizeof(*topo)) + *size = le16_to_cpu(size_resp.size); + if (*size < sizeof(struct gb_audio_topology)) return -ENODATA; + return 0; +} + +int gb_audio_gb_get_topology(struct gb_connection *connection, + struct gb_audio_topology **topology) +{ + struct gb_audio_topology *topo; + u16 size; + int ret; + + ret = gb_audio_gb_get_topology_size(connection, &size); + if (ret) + return ret; + topo = kzalloc(size, GFP_KERNEL); if (!topo) return -ENOMEM; -- 2.34.1

1 week, 2 days

[PATCH v3] staging: greybus: bootrom: replace dev_info with dev_dbg for firmware name

by Bentley Blacketer

The original dev_info call was intentionally temporary, with a FIXME comment noting it should be downgraded to dev_dbg once modules with valid VID/PID values were common. Project Ara was cancelled in 2016, so that time has long passed. Remove the FIXME comment and downgrade to dev_dbg as originally intended. Tested via code inspection only, as Project Ara hardware is no longer available. Signed-off-by: Bentley Blacketer <sonionwhat(a)gmail.com> Signed-off-by: Bentley Blacketer <sonionwhat(a)gmail.com> --- drivers/staging/greybus/bootrom.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/drivers/staging/greybus/bootrom.c b/drivers/staging/greybus/bootrom.c index 83921d90c..058044ba7 100644 --- a/drivers/staging/greybus/bootrom.c +++ b/drivers/staging/greybus/bootrom.c @@ -163,18 +163,13 @@ static int find_firmware(struct gb_bootrom *bootrom, u8 stage) * * XXX Name it properly.. */ - snprintf(firmware_name, sizeof(firmware_name), +snprintf(firmware_name, sizeof(firmware_name), FW_NAME_PREFIX "%08x_%08x_%08x_%08x_s2l.tftf", intf->ddbl1_manufacturer_id, intf->ddbl1_product_id, intf->vendor_id, intf->product_id); - // FIXME: - // Turn to dev_dbg later after everyone has valid bootloaders with good - // ids, but leave this as dev_info for now to make it easier to track - // down "empty" vid/pid modules. - dev_info(&connection->bundle->dev, "Firmware file '%s' requested\n", + dev_dbg(&connection->bundle->dev, "Firmware file '%s' requested\n", firmware_name); - rc = request_firmware(&bootrom->fw, firmware_name, &connection->bundle->dev); if (rc) { -- 2.54.0

2 weeks, 1 day

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

greybus-dev