--- /dev/null
+From 72262330f7b3ad2130e800cecf02adcce3c32c77 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Thu, 23 Oct 2025 13:31:41 +0100
+Subject: comedi: c6xdigio: Fix invalid PNP driver unregistration
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 72262330f7b3ad2130e800cecf02adcce3c32c77 upstream.
+
+The Comedi low-level driver "c6xdigio" seems to be for a parallel port
+connected device. When the Comedi core calls the driver's Comedi
+"attach" handler `c6xdigio_attach()` to configure a Comedi to use this
+driver, it tries to enable the parallel port PNP resources by
+registering a PNP driver with `pnp_register_driver()`, but ignores the
+return value. (The `struct pnp_driver` it uses has only the `name` and
+`id_table` members filled in.) The driver's Comedi "detach" handler
+`c6xdigio_detach()` unconditionally unregisters the PNP driver with
+`pnp_unregister_driver()`.
+
+It is possible for `c6xdigio_attach()` to return an error before it
+calls `pnp_register_driver()` and it is possible for the call to
+`pnp_register_driver()` to return an error (that is ignored). In both
+cases, the driver should not be calling `pnp_unregister_driver()` as it
+does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be
+called by the Comedi core if `c6xdigio_attach()` returns an error, or if
+the Comedi core decides to detach the Comedi device from the driver for
+some other reason.)
+
+The unconditional call to `pnp_unregister_driver()` without a previous
+successful call to `pnp_register_driver()` will cause
+`driver_unregister()` to issue a warning "Unexpected driver
+unregister!". This was detected by Syzbot [1].
+
+Also, the PNP driver registration and unregistration should be done at
+module init and exit time, respectively, not when attaching or detaching
+Comedi devices to the driver. (There might be more than one Comedi
+device being attached to the driver, although that is unlikely.)
+
+Change the driver to do the PNP driver registration at module init time,
+and the unregistration at module exit time. Since `c6xdigio_detach()`
+now only calls `comedi_legacy_detach()`, remove the function and change
+the Comedi driver "detach" handler to `comedi_legacy_detach`.
+
+-------------------------------------------
+[1] Syzbot sample crash report:
+Unexpected driver unregister!
+WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]
+WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270
+Modules linked in:
+CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
+RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]
+RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270
+Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41
+RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8
+RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001
+RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660
+R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000
+FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0
+Call Trace:
+ <TASK>
+ comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
+ comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215
+ comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011
+ do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872
+ comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:597 [inline]
+ __se_sys_ioctl fs/ioctl.c:583 [inline]
+ __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fc05798eec9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffcf8184238 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007fc057be5fa0 RCX: 00007fc05798eec9
+RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003
+RBP: 00007fc057a11f91 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fc057be5fa0 R14: 00007fc057be5fa0 R15: 0000000000000003
+ </TASK>
+-------------------------------------------
+
+Reported-by: syzbot+6616bba359cec7a1def1@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6616bba359cec7a1def1
+Fixes: 2c89e159cd2f ("Staging: comedi: add c6xdigio driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20251023123141.6537-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/c6xdigio.c | 46 ++++++++++++++++++++++++++++----------
+ 1 file changed, 35 insertions(+), 11 deletions(-)
+
+--- a/drivers/comedi/drivers/c6xdigio.c
++++ b/drivers/comedi/drivers/c6xdigio.c
+@@ -249,9 +249,6 @@ static int c6xdigio_attach(struct comedi
+ if (ret)
+ return ret;
+
+- /* Make sure that PnP ports get activated */
+- pnp_register_driver(&c6xdigio_pnp_driver);
+-
+ s = &dev->subdevices[0];
+ /* pwm output subdevice */
+ s->type = COMEDI_SUBD_PWM;
+@@ -278,19 +275,46 @@ static int c6xdigio_attach(struct comedi
+ return 0;
+ }
+
+-static void c6xdigio_detach(struct comedi_device *dev)
+-{
+- comedi_legacy_detach(dev);
+- pnp_unregister_driver(&c6xdigio_pnp_driver);
+-}
+-
+ static struct comedi_driver c6xdigio_driver = {
+ .driver_name = "c6xdigio",
+ .module = THIS_MODULE,
+ .attach = c6xdigio_attach,
+- .detach = c6xdigio_detach,
++ .detach = comedi_legacy_detach,
+ };
+-module_comedi_driver(c6xdigio_driver);
++
++static bool c6xdigio_pnp_registered = false;
++
++static int __init c6xdigio_module_init(void)
++{
++ int ret;
++
++ ret = comedi_driver_register(&c6xdigio_driver);
++ if (ret)
++ return ret;
++
++ if (IS_ENABLED(CONFIG_PNP)) {
++ /* Try to activate the PnP ports */
++ ret = pnp_register_driver(&c6xdigio_pnp_driver);
++ if (ret) {
++ pr_warn("failed to register pnp driver - err %d\n",
++ ret);
++ ret = 0; /* ignore the error. */
++ } else {
++ c6xdigio_pnp_registered = true;
++ }
++ }
++
++ return 0;
++}
++module_init(c6xdigio_module_init);
++
++static void __exit c6xdigio_module_exit(void)
++{
++ if (c6xdigio_pnp_registered)
++ pnp_unregister_driver(&c6xdigio_pnp_driver);
++ comedi_driver_unregister(&c6xdigio_driver);
++}
++module_exit(c6xdigio_module_exit);
+
+ MODULE_AUTHOR("Comedi https://www.comedi.org");
+ MODULE_DESCRIPTION("Comedi driver for the C6x_DIGIO DSP daughter card");
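Review bot: In `c6xdigio_module_init()` the assignment `ret = 0; /* ignore the error. */` is a dead store, because the function ends with an unconditional `return 0;`. Dropping the assignment and leaving only a comment on the `pr_warn()` branch, for example `/* not fatal: carry on without PnP port activation */`, says the same thing without a write that suggests `ret` is returned. The flag is declared as `static bool c6xdigio_pnp_registered = false;`, where kernel style prefers `static bool c6xdigio_pnp_registered;` because statics are zero-initialised. A one-line comment above the flag stating that it records a successful `pnp_register_driver()` so that module exit only unregisters what was registered would document the invariant this fix depends on.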
--- /dev/null
+From 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Thu, 23 Oct 2025 16:22:32 +0300
+Subject: comedi: check device's attached status in compat ioctls
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee upstream.
+
+Syzbot identified an issue [1] that crashes kernel, seemingly due to
+unexistent callback dev->get_valid_routes(). By all means, this should
+not occur as said callback must always be set to
+get_zero_valid_routes() in __comedi_device_postconfig().
+
+As the crash seems to appear exclusively in i386 kernels, at least,
+judging from [1] reports, the blame lies with compat versions
+of standard IOCTL handlers. Several of them are modified and
+do not use comedi_unlocked_ioctl(). While functionality of these
+ioctls essentially copy their original versions, they do not
+have required sanity check for device's attached status. This,
+in turn, leads to a possibility of calling select IOCTLs on a
+device that has not been properly setup, even via COMEDI_DEVCONFIG.
+
+Doing so on unconfigured devices means that several crucial steps
+are missed, for instance, specifying dev->get_valid_routes()
+callback.
+
+Fix this somewhat crudely by ensuring device's attached status before
+performing any ioctls, improving logic consistency between modern
+and compat functions.
+
+[1] Syzbot report:
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+...
+CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0
+Call Trace:
+ <TASK>
+ get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]
+ parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401
+ do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594
+ compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]
+ comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273
+ __do_compat_sys_ioctl fs/ioctl.c:695 [inline]
+ __se_compat_sys_ioctl fs/ioctl.c:638 [inline]
+ __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638
+ do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
+...
+
+Reported-by: syzbot+ab8008c24e84adee93ff@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=ab8008c24e84adee93ff
+Fixes: 3fbfd2223a27 ("comedi: get rid of compat_alloc_user_space() mess in COMEDI_CHANINFO compat")
+Cc: stable <stable@kernel.org>
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://patch.msgid.link/20251023132234.395794-1-n.zhandarovich@fintech.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/comedi_fops.c | 42 ++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 36 insertions(+), 6 deletions(-)
+
+--- a/drivers/comedi/comedi_fops.c
++++ b/drivers/comedi/comedi_fops.c
+@@ -2971,7 +2971,12 @@ static int compat_chaninfo(struct file *
+ chaninfo.rangelist = compat_ptr(chaninfo32.rangelist);
+
+ mutex_lock(&dev->mutex);
+- err = do_chaninfo_ioctl(dev, &chaninfo);
++ if (!dev->attached) {
++ dev_dbg(dev->class_dev, "no driver attached\n");
++ err = -ENODEV;
++ } else {
++ err = do_chaninfo_ioctl(dev, &chaninfo);
++ }
+ mutex_unlock(&dev->mutex);
+ return err;
+ }
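Review bot: The `if (!dev->attached) { dev_dbg(...); err = -ENODEV; } else { ... }` guard added here is repeated verbatim in the compat_rangeinfo, compat_cmd, compat_cmdtest, compat_insnlist and compat_insn hunks, so six copies of the same policy can drift from each other and from the non-compat check the commit message refers to. A single static helper that is called with `dev->mutex` held and returns 0 or `-ENODEV` would keep it in one place, and it could carry `lockdep_assert_held(&dev->mutex);` to document that `dev->attached` is only read under the lock. In compat_insnlist the guard runs only after the instruction array has been prepared (the `kfree(insns)` after the unlock shows that), so an unattached device is rejected after that work rather than before it; that looks harmless but deserves a comment. The enclosing functions all start outside these hunks.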
+@@ -2992,7 +2997,12 @@ static int compat_rangeinfo(struct file
+ rangeinfo.range_ptr = compat_ptr(rangeinfo32.range_ptr);
+
+ mutex_lock(&dev->mutex);
+- err = do_rangeinfo_ioctl(dev, &rangeinfo);
++ if (!dev->attached) {
++ dev_dbg(dev->class_dev, "no driver attached\n");
++ err = -ENODEV;
++ } else {
++ err = do_rangeinfo_ioctl(dev, &rangeinfo);
++ }
+ mutex_unlock(&dev->mutex);
+ return err;
+ }
+@@ -3068,7 +3078,12 @@ static int compat_cmd(struct file *file,
+ return rc;
+
+ mutex_lock(&dev->mutex);
+- rc = do_cmd_ioctl(dev, &cmd, ©, file);
++ if (!dev->attached) {
++ dev_dbg(dev->class_dev, "no driver attached\n");
++ rc = -ENODEV;
++ } else {
++ rc = do_cmd_ioctl(dev, &cmd, ©, file);
++ }
+ mutex_unlock(&dev->mutex);
+ if (copy) {
+ /* Special case: copy cmd back to user. */
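Review bot: On the new `-ENODEV` path `do_cmd_ioctl()` is never called, yet `copy` is still tested by `if (copy)` right after the unlock, and the same holds for `do_cmdtest_ioctl()` in the compat_cmdtest hunk. That is only safe if `copy` is initialised at its declaration, which lies outside both hunks, so confirm it reads `bool copy = false;` (or equivalent) in both functions; otherwise an unattached device could reach the copy-back to user space with an indeterminate flag. The `©` shown in these lines is the page's rendering of `&copy`.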
+@@ -3093,7 +3108,12 @@ static int compat_cmdtest(struct file *f
+ return rc;
+
+ mutex_lock(&dev->mutex);
+- rc = do_cmdtest_ioctl(dev, &cmd, ©, file);
++ if (!dev->attached) {
++ dev_dbg(dev->class_dev, "no driver attached\n");
++ rc = -ENODEV;
++ } else {
++ rc = do_cmdtest_ioctl(dev, &cmd, ©, file);
++ }
+ mutex_unlock(&dev->mutex);
+ if (copy) {
+ err = put_compat_cmd(compat_ptr(arg), &cmd);
+@@ -3153,7 +3173,12 @@ static int compat_insnlist(struct file *
+ }
+
+ mutex_lock(&dev->mutex);
+- rc = do_insnlist_ioctl(dev, insns, insnlist32.n_insns, file);
++ if (!dev->attached) {
++ dev_dbg(dev->class_dev, "no driver attached\n");
++ rc = -ENODEV;
++ } else {
++ rc = do_insnlist_ioctl(dev, insns, insnlist32.n_insns, file);
++ }
+ mutex_unlock(&dev->mutex);
+ kfree(insns);
+ return rc;
+@@ -3172,7 +3197,12 @@ static int compat_insn(struct file *file
+ return rc;
+
+ mutex_lock(&dev->mutex);
+- rc = do_insn_ioctl(dev, &insn, file);
++ if (!dev->attached) {
++ dev_dbg(dev->class_dev, "no driver attached\n");
++ rc = -ENODEV;
++ } else {
++ rc = do_insn_ioctl(dev, &insn, file);
++ }
+ mutex_unlock(&dev->mutex);
+ return rc;
+ }
--- /dev/null
+From f24c6e3a39fa355dabfb684c9ca82db579534e72 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Thu, 23 Oct 2025 16:22:04 +0300
+Subject: comedi: multiq3: sanitize config options in multiq3_attach()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit f24c6e3a39fa355dabfb684c9ca82db579534e72 upstream.
+
+Syzbot identified an issue [1] in multiq3_attach() that induces a
+task timeout due to open() or COMEDI_DEVCONFIG ioctl operations,
+specifically, in the case of multiq3 driver.
+
+This problem arose when syzkaller managed to craft weird configuration
+options used to specify the number of channels in encoder subdevice.
+If a particularly great number is passed to s->n_chan in
+multiq3_attach() via it->options[2], then multiple calls to
+multiq3_encoder_reset() at the end of driver-specific attach() method
+will be running for minutes, thus blocking tasks and affected devices
+as well.
+
+While this issue is most likely not too dangerous for real-life
+devices, it still makes sense to sanitize configuration inputs. Enable
+a sensible limit on the number of encoder chips (4 chips max, each
+with 2 channels) to stop this behaviour from manifesting.
+
+[1] Syzbot crash:
+INFO: task syz.2.19:6067 blocked for more than 143 seconds.
+...
+Call Trace:
+ <TASK>
+ context_switch kernel/sched/core.c:5254 [inline]
+ __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862
+ __schedule_loop kernel/sched/core.c:6944 [inline]
+ schedule+0x165/0x360 kernel/sched/core.c:6959
+ schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016
+ __mutex_lock_common kernel/locking/mutex.c:676 [inline]
+ __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760
+ comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868
+ chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
+ do_dentry_open+0x953/0x13f0 fs/open.c:965
+ vfs_open+0x3b/0x340 fs/open.c:1097
+...
+
+Reported-by: syzbot+7811bb68a317954a0347@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=7811bb68a317954a0347
+Fixes: 77e01cdbad51 ("Staging: comedi: add multiq3 driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://patch.msgid.link/20251023132205.395753-1-n.zhandarovich@fintech.ru
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/multiq3.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/comedi/drivers/multiq3.c
++++ b/drivers/comedi/drivers/multiq3.c
+@@ -67,6 +67,11 @@
+ #define MULTIQ3_TRSFRCNTR_OL 0x10 /* xfer CNTR to OL (x and y) */
+ #define MULTIQ3_EFLAG_RESET 0x06 /* reset E bit of flag reg */
+
++/*
++ * Limit on the number of optional encoder channels
++ */
++#define MULTIQ3_MAX_ENC_CHANS 8
++
+ static void multiq3_set_ctrl(struct comedi_device *dev, unsigned int bits)
+ {
+ /*
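Review bot: The comment above `MULTIQ3_MAX_ENC_CHANS` does not say where the value 8 comes from, so the constant reads as arbitrary. The commit message gives the derivation (at most 4 encoder chips, 2 channels each); putting it in the comment, e.g. `/* Limit on the number of optional encoder channels (4 chips, 2 channels each) */`, keeps that reasoning with the code.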
+@@ -312,6 +317,10 @@ static int multiq3_attach(struct comedi_
+ s->insn_read = multiq3_encoder_insn_read;
+ s->insn_config = multiq3_encoder_insn_config;
+
++ /* sanity check for number of encoder channels */
++ if (s->n_chan > MULTIQ3_MAX_ENC_CHANS)
++ s->n_chan = MULTIQ3_MAX_ENC_CHANS;
++
+ for (i = 0; i < s->n_chan; i++)
+ multiq3_encoder_reset(dev, i);
+
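Review bot: The clamp added before the reset loop in `multiq3_attach()` bounds `s->n_chan` only from above and does so silently. According to the commit message the value originates from `it->options[2]`, a user-supplied configuration option, but the assignment is outside the hunk, so it is worth checking there that a negative or overflowing option cannot reach `s->n_chan` before this check runs. If an out-of-range option is a configuration error rather than something to repair, `return -EINVAL;` would be the stricter choice, or at least a `dev_warn()` naming the requested and applied channel counts, so that a bad COMEDI_DEVCONFIG is visible instead of quietly attaching with 8 channels. The function continues outside the hunk.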
hid-elecom-add-support-for-elecom-m-xt3urbk-018f.patch
loongarch-mask-all-interrupts-during-kexec-kdump.patch
samples-work-around-glibc-redefining-some-of-our-def.patch
+wifi-rtl8xxxu-add-usb-id-2001-3328-for-d-link-an3u-rev.-a1.patch
+wifi-rtw88-add-usb-id-2001-3329-for-d-link-ac13u-rev.-a1.patch
+comedi-c6xdigio-fix-invalid-pnp-driver-unregistration.patch
+comedi-multiq3-sanitize-config-options-in-multiq3_attach.patch
+comedi-check-device-s-attached-status-in-compat-ioctls.patch
+staging-rtl8723bs-fix-out-of-bounds-read-in-rtw_get_ie-parser.patch
+staging-rtl8723bs-fix-stack-buffer-overflow-in-onassocreq-ie-parsing.patch
+staging-rtl8723bs-fix-out-of-bounds-read-in-onbeacon-esr-ie-parsing.patch
--- /dev/null
+From 502ddcc405b69fa92e0add6c1714d654504f6fd7 Mon Sep 17 00:00:00 2001
+From: Navaneeth K <knavaneeth786@gmail.com>
+Date: Thu, 20 Nov 2025 16:35:20 +0000
+Subject: staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
+
+From: Navaneeth K <knavaneeth786@gmail.com>
+
+commit 502ddcc405b69fa92e0add6c1714d654504f6fd7 upstream.
+
+The Extended Supported Rates (ESR) IE handling in OnBeacon accessed
+*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these
+offsets lie within the received frame buffer. A malformed beacon with
+an ESR IE positioned at the end of the buffer could cause an
+out-of-bounds read, potentially triggering a kernel panic.
+
+Add a boundary check to ensure that the ESR IE body and the subsequent
+bytes are within the limits of the frame before attempting to access
+them.
+
+This prevents OOB reads caused by malformed beacon frames.
+
+Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+@@ -579,9 +579,11 @@ unsigned int OnBeacon(struct adapter *pa
+
+ p = rtw_get_ie(pframe + sizeof(struct ieee80211_hdr_3addr) + _BEACON_IE_OFFSET_, WLAN_EID_EXT_SUPP_RATES, &ielen, precv_frame->u.hdr.len - sizeof(struct ieee80211_hdr_3addr) - _BEACON_IE_OFFSET_);
+ if (p && ielen > 0) {
+- if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D))
+- /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */
+- *(p + 1) = ielen - 1;
++ if (p + 2 + ielen < pframe + len) {
++ if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D))
++ /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */
++ *(p + 1) = ielen - 1;
++ }
+ }
+
+ if (pmlmeext->sitesurvey_res.state == SCAN_PROCESS) {
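Review bot: The new bound `p + 2 + ielen < pframe + len` relies on `len`, which is defined outside this hunk, whereas the `rtw_get_ie()` call just above derives its limit from `precv_frame->u.hdr.len`. If the two are not the same quantity the check guards the wrong boundary, so either confirm the definition or compare against `pframe + precv_frame->u.hdr.len` directly. The guard can also be folded into the outer test as `if (p && ielen > 0 && p + 2 + ielen < pframe + len) {`, which removes one nesting level, and the inner `if` whose body is a comment plus a statement should get braces. The body writes `*(p + 1) = ielen - 1` into the received frame, so a short comment that the buffer is deliberately patched in place would help; OnBeacon starts and ends outside the hunk.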
--- /dev/null
+From 154828bf9559b9c8421fc2f0d7f7f76b3683aaed Mon Sep 17 00:00:00 2001
+From: Navaneeth K <knavaneeth786@gmail.com>
+Date: Thu, 20 Nov 2025 16:23:52 +0000
+Subject: staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
+
+From: Navaneeth K <knavaneeth786@gmail.com>
+
+commit 154828bf9559b9c8421fc2f0d7f7f76b3683aaed upstream.
+
+The Information Element (IE) parser rtw_get_ie() trusted the length
+byte of each IE without validating that the IE body (len bytes after
+the 2-byte header) fits inside the remaining frame buffer. A malformed
+frame can advertise an IE length larger than the available data, causing
+the parser to increment its pointer beyond the buffer end. This results
+in out-of-bounds reads or, depending on the pattern, an infinite loop.
+
+Fix by validating that (offset + 2 + len) does not exceed the limit
+before accepting the IE or advancing to the next element.
+
+This prevents OOB reads and ensures the parser terminates safely on
+malformed frames.
+
+Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
++++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+@@ -140,22 +140,24 @@ u8 *rtw_get_ie(u8 *pbuf, signed int inde
+ signed int tmp, i;
+ u8 *p;
+
+- if (limit < 1)
++ if (limit < 2)
+ return NULL;
+
+ p = pbuf;
+ i = 0;
+ *len = 0;
+- while (1) {
++ while (i + 2 <= limit) {
++ tmp = *(p + 1);
++ if (i + 2 + tmp > limit)
++ break;
++
+ if (*p == index) {
+- *len = *(p + 1);
++ *len = tmp;
+ return p;
+ }
+- tmp = *(p + 1);
++
+ p += (tmp + 2);
+ i += (tmp + 2);
+- if (i >= limit)
+- break;
+ }
+ return NULL;
+ }
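Review bot: `*len = 0;` still sits after the early `return NULL`, and the tightened `if (limit < 2)` now takes that return for one more input (`limit == 1`), so on that path the caller's length variable is left unwritten. Moving `*len = 0;` above the check makes the out-parameter defined on every return, which matters for any caller that reads the length without first testing the returned pointer. The `limit < 2` test is also redundant with the new loop condition `i + 2 <= limit`, since with `i == 0` the body is never entered. A header comment stating the contract (returns a pointer to the element's ID byte, `*len` is the body length, and only elements whose `2 + len` bytes fit inside `limit` are returned) would spare callers from re-deriving it; the signature and opening brace are outside the hunk.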
--- /dev/null
+From 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 Mon Sep 17 00:00:00 2001
+From: Navaneeth K <knavaneeth786@gmail.com>
+Date: Thu, 20 Nov 2025 16:33:08 +0000
+Subject: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
+
+From: Navaneeth K <knavaneeth786@gmail.com>
+
+commit 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 upstream.
+
+The Supported Rates IE length from an incoming Association Request frame
+was used directly as the memcpy() length when copying into a fixed-size
+16-byte stack buffer (supportRate). A malicious station can advertise an
+IE length larger than 16 bytes, causing a stack buffer overflow.
+
+Clamp ie_len to the buffer size before copying the Supported Rates IE,
+and correct the bounds check when merging Extended Supported Rates to
+prevent a second potential overflow.
+
+This prevents kernel stack corruption triggered by malformed association
+requests.
+
+Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+@@ -1033,6 +1033,9 @@ unsigned int OnAssocReq(struct adapter *
+ status = WLAN_STATUS_CHALLENGE_FAIL;
+ goto OnAssocReqFail;
+ } else {
++ if (ie_len > sizeof(supportRate))
++ ie_len = sizeof(supportRate);
++
+ memcpy(supportRate, p+2, ie_len);
+ supportRateNum = ie_len;
+
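Review bot: Clamping `ie_len` to `sizeof(supportRate)` stops the overflow but then continues to process a Supported Rates IE that is already known to be malformed, carrying a truncated rate list forward. The branch just above rejects the request by setting a failure status and taking `goto OnAssocReqFail;`, and treating an oversized IE the same way would be stricter than silently truncating; if truncation is intended, `ie_len = min_t(size_t, ie_len, sizeof(supportRate));` states it in one line. In the second hunk `supportRateNum + ie_len <= sizeof(supportRate)` compares what appear to be signed counters against a `size_t`, which is safe only while both are non-negative, so their declarations (outside the hunks) should be checked. OnAssocReq starts and ends outside both hunks.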
+@@ -1040,7 +1043,7 @@ unsigned int OnAssocReq(struct adapter *
+ pkt_len - WLAN_HDR_A3_LEN - ie_offset);
+ if (p) {
+
+- if (supportRateNum <= sizeof(supportRate)) {
++ if (supportRateNum + ie_len <= sizeof(supportRate)) {
+ memcpy(supportRate+supportRateNum, p+2, ie_len);
+ supportRateNum += ie_len;
+ }
--- /dev/null
+From 3f9553f65d0b77b724565bbe42c4daa3fab57d5c Mon Sep 17 00:00:00 2001
+From: Zenm Chen <zenmchen@gmail.com>
+Date: Mon, 29 Sep 2025 11:57:18 +0800
+Subject: wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1
+
+From: Zenm Chen <zenmchen@gmail.com>
+
+commit 3f9553f65d0b77b724565bbe42c4daa3fab57d5c upstream.
+
+Add USB ID 2001:3328 for D-Link AN3U rev. A1 which is a RTL8192FU-based
+Wi-Fi adapter.
+
+Compile tested only.
+
+Cc: stable@vger.kernel.org # 6.6.x
+Signed-off-by: Zenm Chen <zenmchen@gmail.com>
+Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250929035719.6172-1-zenmchen@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c
+@@ -8111,6 +8111,9 @@ static const struct usb_device_id dev_ta
+ /* TP-Link TL-WN823N V2 */
+ {USB_DEVICE_AND_INTERFACE_INFO(0x2357, 0x0135, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192fu_fops},
++/* D-Link AN3U rev. A1 */
++{USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3328, 0xff, 0xff, 0xff),
++ .driver_info = (unsigned long)&rtl8192fu_fops},
+ #ifdef CONFIG_RTL8XXXU_UNTESTED
+ /* Still supported by rtlwifi */
+ {USB_DEVICE_AND_INTERFACE_INFO(USB_VENDOR_ID_REALTEK, 0x8176, 0xff, 0xff, 0xff),
--- /dev/null
+From b377dcd9a286a6f81922ae442cd1c743bc4a2b35 Mon Sep 17 00:00:00 2001
+From: Zenm Chen <zenmchen@gmail.com>
+Date: Mon, 29 Sep 2025 11:57:19 +0800
+Subject: wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1
+
+From: Zenm Chen <zenmchen@gmail.com>
+
+commit b377dcd9a286a6f81922ae442cd1c743bc4a2b35 upstream.
+
+Add USB ID 2001:3329 for D-Link AC13U rev. A1 which is a RTL8812CU-based
+Wi-Fi adapter.
+
+Compile tested only.
+
+Cc: stable@vger.kernel.org # 6.6.x
+Signed-off-by: Zenm Chen <zenmchen@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250929035719.6172-2-zenmchen@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtw88/rtw8822cu.c
++++ b/drivers/net/wireless/realtek/rtw88/rtw8822cu.c
+@@ -21,6 +21,8 @@ static const struct usb_device_id rtw_88
+ .driver_info = (kernel_ulong_t)&(rtw8822c_hw_spec) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x13b1, 0x0043, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)&(rtw8822c_hw_spec) }, /* Alpha - Alpha */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3329, 0xff, 0xff, 0xff),
++ .driver_info = (kernel_ulong_t)&(rtw8822c_hw_spec) }, /* D-Link AC13U rev. A1 */
+ {},
+ };
+ MODULE_DEVICE_TABLE(usb, rtw_8822cu_id_table);