--- /dev/null
+From d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 Mon Sep 17 00:00:00 2001
+From: Stanislav Fort <stanislav.fort@aisle.com>
+Date: Sun, 31 Aug 2025 16:56:23 +0200
+Subject: batman-adv: fix OOB read/write in network-coding decode
+
+From: Stanislav Fort <stanislav.fort@aisle.com>
+
+commit d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 upstream.
+
+batadv_nc_skb_decode_packet() trusts coded_len and checks only against
+skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing
+payload headroom, and the source skb length is not verified, allowing an
+out-of-bounds read and a small out-of-bounds write.
+
+Validate that coded_len fits within the payload area of both destination
+and source sk_buffs before XORing.
+
+Fixes: 2df5278b0267 ("batman-adv: network coding - receive coded packets and decode them")
+Cc: stable@vger.kernel.org
+Reported-by: Stanislav Fort <disclosure@aisle.com>
+Signed-off-by: Stanislav Fort <stanislav.fort@aisle.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/network-coding.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -1694,7 +1694,12 @@ batadv_nc_skb_decode_packet(struct batad
+
+ coding_len = ntohs(coded_packet_tmp.coded_len);
+
+- if (coding_len > skb->len)
++ /* ensure dst buffer is large enough (payload only) */
++ if (coding_len + h_size > skb->len)
++ return NULL;
++
++ /* ensure src buffer is large enough (payload only) */
++ if (coding_len + h_size > nc_packet->skb->len)
+ return NULL;
+
+ /* Here the magic is reversed:
--- /dev/null
+From 71403f58b4bb6c13b71c05505593a355f697fd94 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 6 Aug 2025 10:47:50 -0400
+Subject: drm/amdgpu: drop hw access in non-DC audio fini
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 71403f58b4bb6c13b71c05505593a355f697fd94 upstream.
+
+We already disable the audio pins in hw_fini so
+there is no need to do it again in sw_fini.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4481
+Cc: oushixiong <oushixiong1025@163.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 5eeb16ca727f11278b2917fd4311a7d7efb0bbd6)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 -----
+ drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 -----
+ drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 -----
+ drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 -----
+ 4 files changed, 20 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c
+@@ -1445,17 +1445,12 @@ static int dce_v10_0_audio_init(struct a
+
+ static void dce_v10_0_audio_fini(struct amdgpu_device *adev)
+ {
+- int i;
+-
+ if (!amdgpu_audio)
+ return;
+
+ if (!adev->mode_info.audio.enabled)
+ return;
+
+- for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+- dce_v10_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+ adev->mode_info.audio.enabled = false;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c
+@@ -1487,17 +1487,12 @@ static int dce_v11_0_audio_init(struct a
+
+ static void dce_v11_0_audio_fini(struct amdgpu_device *adev)
+ {
+- int i;
+-
+ if (!amdgpu_audio)
+ return;
+
+ if (!adev->mode_info.audio.enabled)
+ return;
+
+- for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+- dce_v11_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+ adev->mode_info.audio.enabled = false;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c
+@@ -1358,17 +1358,12 @@ static int dce_v6_0_audio_init(struct am
+
+ static void dce_v6_0_audio_fini(struct amdgpu_device *adev)
+ {
+- int i;
+-
+ if (!amdgpu_audio)
+ return;
+
+ if (!adev->mode_info.audio.enabled)
+ return;
+
+- for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+- dce_v6_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+ adev->mode_info.audio.enabled = false;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c
+@@ -1408,17 +1408,12 @@ static int dce_v8_0_audio_init(struct am
+
+ static void dce_v8_0_audio_fini(struct amdgpu_device *adev)
+ {
+- int i;
+-
+ if (!amdgpu_audio)
+ return;
+
+ if (!adev->mode_info.audio.enabled)
+ return;
+
+- for (i = 0; i < adev->mode_info.audio.num_pins; i++)
+- dce_v8_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false);
+-
+ adev->mode_info.audio.enabled = false;
+ }
+
--- /dev/null
+From 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 Mon Sep 17 00:00:00 2001
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Date: Sun, 17 Aug 2025 12:25:47 +0300
+Subject: e1000e: fix heap overflow in e1000_set_eeprom
+
+From: Vitaly Lifshits <vitaly.lifshits@intel.com>
+
+commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 upstream.
+
+Fix a possible heap overflow in e1000_set_eeprom function by adding
+input validation for the requested length of the change in the EEPROM.
+In addition, change the variable type from int to size_t for better
+code practices and rearrange declarations to RCT.
+
+Cc: stable@vger.kernel.org
+Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)")
+Co-developed-by: Mikael Wessel <post@mikaelkw.online>
+Signed-off-by: Mikael Wessel <post@mikaelkw.online>
+Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
+Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/ethtool.c
++++ b/drivers/net/ethernet/intel/e1000e/ethtool.c
+@@ -552,12 +552,12 @@ static int e1000_set_eeprom(struct net_d
+ {
+ struct e1000_adapter *adapter = netdev_priv(netdev);
+ struct e1000_hw *hw = &adapter->hw;
++ size_t total_len, max_len;
+ u16 *eeprom_buff;
+- void *ptr;
+- int max_len;
++ int ret_val = 0;
+ int first_word;
+ int last_word;
+- int ret_val = 0;
++ void *ptr;
+ u16 i;
+
+ if (eeprom->len == 0)
+@@ -572,6 +572,10 @@ static int e1000_set_eeprom(struct net_d
+
+ max_len = hw->nvm.word_size * 2;
+
++ if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) ||
++ total_len > max_len)
++ return -EFBIG;
++
+ first_word = eeprom->offset >> 1;
+ last_word = (eeprom->offset + eeprom->len - 1) >> 1;
+ eeprom_buff = kmalloc(max_len, GFP_KERNEL);
ppp-fix-memory-leak-in-pad_compress_skb.patch
alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch
pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch
+wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch
+drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch
+batman-adv-fix-oob-read-write-in-network-coding-decode.patch
+e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch
--- /dev/null
+From 0e20450829ca3c1dbc2db536391537c57a40fe0b Mon Sep 17 00:00:00 2001
+From: Qianfeng Rong <rongqianfeng@vivo.com>
+Date: Fri, 15 Aug 2025 10:30:50 +0800
+Subject: wifi: mwifiex: Initialize the chan_stats array to zero
+
+From: Qianfeng Rong <rongqianfeng@vivo.com>
+
+commit 0e20450829ca3c1dbc2db536391537c57a40fe0b upstream.
+
+The adapter->chan_stats[] array is initialized in
+mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out
+memory. The array is filled in mwifiex_update_chan_statistics()
+and then the user can query the data in mwifiex_cfg80211_dump_survey().
+
+There are two potential issues here. What if the user calls
+mwifiex_cfg80211_dump_survey() before the data has been filled in.
+Also the mwifiex_update_chan_statistics() function doesn't necessarily
+initialize the whole array. Since the array was not initialized at
+the start that could result in an information leak.
+
+Also this array is pretty small. It's a maximum of 900 bytes so it's
+more appropriate to use kcalloc() instead vmalloc().
+
+Cc: stable@vger.kernel.org
+Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex")
+Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/20250815023055.477719-1-rongqianfeng@vivo.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +++--
+ drivers/net/wireless/marvell/mwifiex/main.c | 4 ++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+@@ -4273,8 +4273,9 @@ int mwifiex_init_channel_scan_gap(struct
+ * additional active scan request for hidden SSIDs on passive channels.
+ */
+ adapter->num_in_chan_stats = 2 * (n_channels_bg + n_channels_a);
+- adapter->chan_stats = vmalloc(array_size(sizeof(*adapter->chan_stats),
+- adapter->num_in_chan_stats));
++ adapter->chan_stats = kcalloc(adapter->num_in_chan_stats,
++ sizeof(*adapter->chan_stats),
++ GFP_KERNEL);
+
+ if (!adapter->chan_stats)
+ return -ENOMEM;
+--- a/drivers/net/wireless/marvell/mwifiex/main.c
++++ b/drivers/net/wireless/marvell/mwifiex/main.c
+@@ -635,7 +635,7 @@ static int _mwifiex_fw_dpc(const struct
+ goto done;
+
+ err_add_intf:
+- vfree(adapter->chan_stats);
++ kfree(adapter->chan_stats);
+ err_init_chan_scan:
+ wiphy_unregister(adapter->wiphy);
+ wiphy_free(adapter->wiphy);
+@@ -1448,7 +1448,7 @@ static void mwifiex_uninit_sw(struct mwi
+ wiphy_free(adapter->wiphy);
+ adapter->wiphy = NULL;
+
+- vfree(adapter->chan_stats);
++ kfree(adapter->chan_stats);
+ mwifiex_free_cmd_buffers(adapter);
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
