ipmi-ssif-clean-up-kthread-on-errors.patch
ipmi-ssif-remove-unnecessary-indention.patch
ipmi-ssif-null-thread-on-error.patch
+wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch
+wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch
+wifi-ath5k-do-not-access-array-oob.patch
+wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch
+usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch
+usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch
--- /dev/null
+From 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 20 Apr 2026 18:11:03 +0200
+Subject: usb: usblp: fix heap leak in IEEE 1284 device ID via short response
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 upstream.
+
+usblp_ctrl_msg() collapses the usb_control_msg() return value to
+0/-errno, discarding the actual number of bytes transferred. A broken
+printer can complete the GET_DEVICE_ID control transfer short and the
+driver has no way to know.
+
+usblp_cache_device_id_string() reads the 2-byte big-endian length prefix
+from the response and trusts it (clamped only to the buffer bounds).
+The buffer is kmalloc(1024) at probe time. A device that sends exactly
+two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves
+device_id_string[2..1022] holding stale kmalloc heap.
+
+That stale data is then exposed:
+ - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated
+ at the first NUL in the stale heap), and
+ - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full
+ claimed length regardless of NULs, up to 1021 bytes of uninitialized
+ heap, with the leak size chosen by the device.
+
+Fix this up by just zapping the buffer with zeros before each request
+sent to the device.
+
+Cc: Pete Zaitcev <zaitcev@redhat.com>
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/2026042002-unicorn-greedily-3c63@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usblp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1365,6 +1365,7 @@ static int usblp_cache_device_id_string(
+ {
+ int err, length;
+
++ memset(usblp->device_id_string, 0, USBLP_DEVICE_ID_SIZE);
+ err = usblp_get_id(usblp, 0, usblp->device_id_string, USBLP_DEVICE_ID_SIZE - 1);
+ if (err < 0) {
+ dev_dbg(&usblp->intf->dev,
--- /dev/null
+From b38e53cbfb9d84732e5984fbd73e128d592415c5 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 20 Apr 2026 18:11:04 +0200
+Subject: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit b38e53cbfb9d84732e5984fbd73e128d592415c5 upstream.
+
+Just like in a previous problem in this driver, usblp_ctrl_msg() will
+collapse the usb_control_msg() return value to 0/-errno, discarding the
+actual number of bytes transferred.
+
+Ideally that short command should be detected and error out, but many
+printers are known to send "incorrect" responses back so we can't just
+do that.
+
+statusbuf is kmalloc(8) at probe time and never filled before the first
+LPGETSTATUS ioctl.
+
+usblp_read_status() requests 1 byte. If a malicious printer responds
+with zero bytes, *statusbuf is one byte of stale kmalloc heap,
+sign-extended into the local int status, which the LPGETSTATUS path then
+copy_to_user()s directly to the ioctl caller.
+
+Fix this all by just zapping out the memory buffer when allocated at
+probe time. If a later call does a short read, the data will be
+identical to what the device sent it the last time, so there is no
+"leak" of information happening.
+
+Cc: Pete Zaitcev <zaitcev@redhat.com>
+Assisted-by: gkh_clanker_t1000
+Cc: stable <stable@kernel.org>
+Link: https://patch.msgid.link/2026042011-shredder-savage-48c6@gregkh
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usblp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1166,7 +1166,7 @@ static int usblp_probe(struct usb_interf
+ }
+
+ /* Allocate buffer for printer status */
+- usblp->statusbuf = kmalloc(STATUS_BUF_SIZE, GFP_KERNEL);
++ usblp->statusbuf = kzalloc(STATUS_BUF_SIZE, GFP_KERNEL);
+ if (!usblp->statusbuf) {
+ retval = -ENOMEM;
+ goto abort;
--- /dev/null
+From d748603f12baff112caa3ab7d39f50100f010dbd Mon Sep 17 00:00:00 2001
+From: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
+Date: Tue, 9 Dec 2025 11:04:59 +0100
+Subject: wifi: ath5k: do not access array OOB
+
+From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+
+commit d748603f12baff112caa3ab7d39f50100f010dbd upstream.
+
+Vincent reports:
+> The ath5k driver seems to do an array-index-out-of-bounds access as
+> shown by the UBSAN kernel message:
+> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20
+> index 4 is out of range for type 'ieee80211_tx_rate [4]'
+> ...
+> Call Trace:
+> <TASK>
+> dump_stack_lvl+0x5d/0x80
+> ubsan_epilogue+0x5/0x2b
+> __ubsan_handle_out_of_bounds.cold+0x46/0x4b
+> ath5k_tasklet_tx+0x4e0/0x560 [ath5k]
+> tasklet_action_common+0xb5/0x1c0
+
+It is real. 'ts->ts_final_idx' can be 3 on 5212, so:
+ info->status.rates[ts->ts_final_idx + 1].idx = -1;
+with the array defined as:
+ struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES];
+while the size is:
+ #define IEEE80211_TX_MAX_RATES 4
+is indeed bogus.
+
+Set this 'idx = -1' sentinel only if the array index is less than the
+array size. As mac80211 will not look at rates beyond the size
+(IEEE80211_TX_MAX_RATES).
+
+Note: The effect of the OOB write is negligible. It just overwrites the
+next member of info->status, i.e. ack_signal.
+
+Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
+Reported-by: Vincent Danjean <vdanjean@debian.org>
+Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan
+Closes: https://bugs.debian.org/1119093
+Fixes: 6d7b97b23e11 ("ath5k: fix tx status reporting issues")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20251209100459.2253198-1-jirislaby@kernel.org
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath5k/base.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath5k/base.c
++++ b/drivers/net/wireless/ath/ath5k/base.c
+@@ -1693,7 +1693,8 @@ ath5k_tx_frame_completed(struct ath5k_hw
+ }
+
+ info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;
+- info->status.rates[ts->ts_final_idx + 1].idx = -1;
++ if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)
++ info->status.rates[ts->ts_final_idx + 1].idx = -1;
+
+ if (unlikely(ts->ts_status)) {
+ ah->stats.ack_fail++;
--- /dev/null
+From 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Fri, 17 Apr 2026 11:11:44 +0000
+Subject: wifi: b43: enforce bounds check on firmware key index in b43_rx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 upstream.
+
+The firmware-controlled key index in b43_rx() can exceed the dev->key[]
+array size (58 entries). The existing B43_WARN_ON is non-enforcing in
+production builds, allowing an out-of-bounds read.
+
+Make the B43_WARN_ON check enforcing by dropping the frame when the
+firmware returns an invalid key index.
+
+Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
+Acked-by: Michael Büsch <m@bues.ch>
+Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Link: https://patch.msgid.link/20260417111145.2694196-1-tristmd@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/b43/xmit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43/xmit.c
++++ b/drivers/net/wireless/broadcom/b43/xmit.c
+@@ -702,7 +702,8 @@ void b43_rx(struct b43_wldev *dev, struc
+ * key index, but the ucode passed it slightly different.
+ */
+ keyidx = b43_kidx_to_raw(dev, keyidx);
+- B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key));
++ if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)))
++ goto drop;
+
+ if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) {
+ wlhdr_len = ieee80211_hdrlen(fctl);
--- /dev/null
+From a035766f970bde2d4298346a31a80685be5c0205 Mon Sep 17 00:00:00 2001
+From: Tristan Madani <tristan@talencesecurity.com>
+Date: Fri, 17 Apr 2026 11:11:45 +0000
+Subject: wifi: b43legacy: enforce bounds check on firmware key index in RX path
+
+From: Tristan Madani <tristan@talencesecurity.com>
+
+commit a035766f970bde2d4298346a31a80685be5c0205 upstream.
+
+Same fix as b43: the firmware-controlled key index in b43legacy_rx()
+can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is
+non-enforcing in production builds, allowing an out-of-bounds read of
+dev->key[].
+
+Make the check enforcing by dropping the frame for invalid indices.
+
+Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
+Link: https://patch.msgid.link/20260417111145.2694196-2-tristmd@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/b43legacy/xmit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c
++++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c
+@@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev
+ * key index, but the ucode passed it slightly different.
+ */
+ keyidx = b43legacy_kidx_to_raw(dev, keyidx);
+- B43legacy_WARN_ON(keyidx >= dev->max_nr_keys);
++ if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys))
++ goto drop;
+
+ if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) {
+ /* Remove PROTECTED flag to mark it as decrypted. */
--- /dev/null
+From db57a1aa54ff68669781976e4edb045e09e2b65b Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Thu, 23 Apr 2026 02:38:46 +0900
+Subject: wifi: rsi: fix kthread lifetime race between self-exit and external-stop
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit db57a1aa54ff68669781976e4edb045e09e2b65b upstream.
+
+RSI driver use both self-exit(kthread_complete_and_exit) and external-stop
+(kthread_stop) when killing a kthread. Generally, kthread_stop() is called
+first, and in this case, no particular issues occur.
+
+However, in rare instances where kthread_complete_and_exit() is called
+first and then kthread_stop() is called, a UAF occurs because the kthread
+object, which has already exited and been freed, is accessed again.
+
+Therefore, to prevent this with minimal modification, you must remove
+kthread_stop() and change the code to wait until the self-exit operation
+is completed.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: syzbot+5de83f57cd8531f55596@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/69e5d03b.a00a0220.1bd0ca.0064.GAE@google.com/
+Fixes: 4c62764d0fc2 ("rsi: improve kernel thread handling to fix kernel panic")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Link: https://patch.msgid.link/20260422173846.37640-1-aha310510@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rsi/rsi_common.h | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/rsi/rsi_common.h
++++ b/drivers/net/wireless/rsi/rsi_common.h
+@@ -70,12 +70,11 @@ static inline int rsi_create_kthread(str
+ return 0;
+ }
+
+-static inline int rsi_kill_thread(struct rsi_thread *handle)
++static inline void rsi_kill_thread(struct rsi_thread *handle)
+ {
+ atomic_inc(&handle->thread_done);
+ rsi_set_event(&handle->event);
+-
+- return kthread_stop(handle->task);
++ wait_for_completion(&handle->completion);
+ }
+
+ void rsi_mac80211_detach(struct rsi_hw *hw);
projects / thirdparty / kernel / stable-queue.git / commitdiff
