From: Greg Kroah-Hartman Date: Tue, 12 May 2026 12:24:05 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v6.12.88~69 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b0bd2b0eab3f5b34b7858a24a97bae8dbca777f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch wifi-ath5k-do-not-access-array-oob.patch wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch --- diff --git a/queue-5.10/series b/queue-5.10/series index 228435a6c8..69b269c33d 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -221,3 +221,9 @@ ipmi-ssif-fix-a-shutdown-race.patch ipmi-ssif-clean-up-kthread-on-errors.patch ipmi-ssif-remove-unnecessary-indention.patch ipmi-ssif-null-thread-on-error.patch +wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch +wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch +wifi-ath5k-do-not-access-array-oob.patch +wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch +usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch +usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch diff --git a/queue-5.10/usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch b/queue-5.10/usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch new file mode 100644 index 0000000000..e34f7dcb36 --- /dev/null +++ b/queue-5.10/usb-usblp-fix-heap-leak-in-ieee-1284-device-id-via-short-response.patch 
@@ -0,0 +1,49 @@ +From 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 20 Apr 2026 18:11:03 +0200 +Subject: usb: usblp: fix heap leak in IEEE 1284 device ID via short response + +From: Greg Kroah-Hartman + +commit 7a400c6fe3617e31e690e3f7ca37bb335e0498f3 upstream. + +usblp_ctrl_msg() collapses the usb_control_msg() return value to +0/-errno, discarding the actual number of bytes transferred. A broken +printer can complete the GET_DEVICE_ID control transfer short and the +driver has no way to know. + +usblp_cache_device_id_string() reads the 2-byte big-endian length prefix +from the response and trusts it (clamped only to the buffer bounds). +The buffer is kmalloc(1024) at probe time. A device that sends exactly +two bytes (e.g. 0x03 0xFF, claiming a 1023-byte ID) leaves +device_id_string[2..1022] holding stale kmalloc heap. + +That stale data is then exposed: + - via the ieee1284_id sysfs attribute (sprintf("%s", buf+2), truncated + at the first NUL in the stale heap), and + - via the IOCNR_GET_DEVICE_ID ioctl, which copy_to_user()s the full + claimed length regardless of NULs, up to 1021 bytes of uninitialized + heap, with the leak size chosen by the device. + +Fix this up by just zapping the buffer with zeros before each request +sent to the device. + +Cc: Pete Zaitcev +Assisted-by: gkh_clanker_t1000 +Cc: stable +Link: https://patch.msgid.link/2026042002-unicorn-greedily-3c63@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/usblp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/class/usblp.c ++++ b/drivers/usb/class/usblp.c +@@ -1365,6 +1365,7 @@ static int usblp_cache_device_id_string( + { + int err, length; + ++ memset(usblp->device_id_string, 0, USBLP_DEVICE_ID_SIZE); + err = usblp_get_id(usblp, 0, usblp->device_id_string, USBLP_DEVICE_ID_SIZE - 1); + if (err < 0) { + dev_dbg(&usblp->intf->dev, 
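Review bot: In the usblp_cache_device_id_string() hunk, the added memset() covers the full USBLP_DEVICE_ID_SIZE while the following usblp_get_id() request passes USBLP_DEVICE_ID_SIZE - 1, which quietly keeps the last byte as a NUL terminator for the sysfs "%s" read described in the message; that is worth a short comment on the memset line so the size mismatch is not "fixed" later. The root cause the message names (usblp_ctrl_msg() collapsing the transfer length to 0/-errno) is left in place, so the device-controlled 2-byte length prefix is still trusted and IOCNR_GET_DEVICE_ID can still return up to the claimed length; after this change that tail is zeros rather than stale heap, which is the intended outcome, but the commit message could say explicitly that the length is still unverified and only the content is now sanitized.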
diff --git a/queue-5.10/usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch b/queue-5.10/usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch new file mode 100644 index 0000000000..8c816acfc0 --- /dev/null +++ b/queue-5.10/usb-usblp-fix-uninitialized-heap-leak-via-lpgetstatus-ioctl.patch 
@@ -0,0 +1,50 @@ +From b38e53cbfb9d84732e5984fbd73e128d592415c5 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 20 Apr 2026 18:11:04 +0200 +Subject: usb: usblp: fix uninitialized heap leak via LPGETSTATUS ioctl + +From: Greg Kroah-Hartman + +commit b38e53cbfb9d84732e5984fbd73e128d592415c5 upstream. + +Just like in a previous problem in this driver, usblp_ctrl_msg() will +collapse the usb_control_msg() return value to 0/-errno, discarding the +actual number of bytes transferred. + +Ideally that short command should be detected and error out, but many +printers are known to send "incorrect" responses back so we can't just +do that. + +statusbuf is kmalloc(8) at probe time and never filled before the first +LPGETSTATUS ioctl. + +usblp_read_status() requests 1 byte. If a malicious printer responds +with zero bytes, *statusbuf is one byte of stale kmalloc heap, +sign-extended into the local int status, which the LPGETSTATUS path then +copy_to_user()s directly to the ioctl caller. + +Fix this all by just zapping out the memory buffer when allocated at +probe time. If a later call does a short read, the data will be +identical to what the device sent it the last time, so there is no +"leak" of information happening. + +Cc: Pete Zaitcev +Assisted-by: gkh_clanker_t1000 +Cc: stable +Link: https://patch.msgid.link/2026042011-shredder-savage-48c6@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/usblp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/class/usblp.c ++++ b/drivers/usb/class/usblp.c +@@ -1166,7 +1166,7 @@ static int usblp_probe(struct usb_interf + } + + /* Allocate buffer for printer status */ +- usblp->statusbuf = kmalloc(STATUS_BUF_SIZE, GFP_KERNEL); ++ usblp->statusbuf = kzalloc(STATUS_BUF_SIZE, GFP_KERNEL); + if (!usblp->statusbuf) { + retval = -ENOMEM; + goto abort; 
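Review bot: In the usblp_probe() hunk, switching kmalloc() to kzalloc() for statusbuf removes the uninitialized-heap read on the first LPGETSTATUS, but the buffer is never re-zeroed per request, so the short-read case the message describes now returns the previous status byte to the ioctl caller rather than an error; the message acknowledges this, and a one-line comment at the allocation ("must be zeroed: usblp_read_status() can complete short, see usblp_ctrl_msg()") would keep a future cleanup from reverting to kmalloc(). The sign-extension of *statusbuf into the local int status noted in the message is unchanged by this hunk and is harmless only because the byte is now zero or device-supplied.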
diff --git a/queue-5.10/wifi-ath5k-do-not-access-array-oob.patch b/queue-5.10/wifi-ath5k-do-not-access-array-oob.patch new file mode 100644 index 0000000000..6c73e8f6c0 --- /dev/null +++ b/queue-5.10/wifi-ath5k-do-not-access-array-oob.patch 
@@ -0,0 +1,63 @@ +From d748603f12baff112caa3ab7d39f50100f010dbd Mon Sep 17 00:00:00 2001 +From: "Jiri Slaby (SUSE)" +Date: Tue, 9 Dec 2025 11:04:59 +0100 +Subject: wifi: ath5k: do not access array OOB + +From: Jiri Slaby (SUSE) + +commit d748603f12baff112caa3ab7d39f50100f010dbd upstream. + +Vincent reports: +> The ath5k driver seems to do an array-index-out-of-bounds access as +> shown by the UBSAN kernel message: +> UBSAN: array-index-out-of-bounds in drivers/net/wireless/ath/ath5k/base.c:1741:20 +> index 4 is out of range for type 'ieee80211_tx_rate [4]' +> ... +> Call Trace: +> +> dump_stack_lvl+0x5d/0x80 +> ubsan_epilogue+0x5/0x2b +> __ubsan_handle_out_of_bounds.cold+0x46/0x4b +> ath5k_tasklet_tx+0x4e0/0x560 [ath5k] +> tasklet_action_common+0xb5/0x1c0 + +It is real. 'ts->ts_final_idx' can be 3 on 5212, so: + info->status.rates[ts->ts_final_idx + 1].idx = -1; +with the array defined as: + struct ieee80211_tx_rate rates[IEEE80211_TX_MAX_RATES]; +while the size is: + #define IEEE80211_TX_MAX_RATES 4 +is indeed bogus. + +Set this 'idx = -1' sentinel only if the array index is less than the +array size. As mac80211 will not look at rates beyond the size +(IEEE80211_TX_MAX_RATES). + +Note: The effect of the OOB write is negligible. It just overwrites the +next member of info->status, i.e. ack_signal. 
+ +Signed-off-by: Jiri Slaby (SUSE) +Reported-by: Vincent Danjean +Link: https://lore.kernel.org/all/aQYUkIaT87ccDCin@eldamar.lan +Closes: https://bugs.debian.org/1119093 +Fixes: 6d7b97b23e11 ("ath5k: fix tx status reporting issues") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251209100459.2253198-1-jirislaby@kernel.org +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath5k/base.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath5k/base.c ++++ b/drivers/net/wireless/ath/ath5k/base.c +@@ -1693,7 +1693,8 @@ ath5k_tx_frame_completed(struct ath5k_hw + } + + info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry; +- info->status.rates[ts->ts_final_idx + 1].idx = -1; ++ if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES) ++ info->status.rates[ts->ts_final_idx + 1].idx = -1; + + if (unlikely(ts->ts_status)) { + ah->stats.ack_fail++; diff --git a/queue-5.10/wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch b/queue-5.10/wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch new file mode 100644 index 0000000000..f66feb2bb5 --- /dev/null +++ b/queue-5.10/wifi-b43-enforce-bounds-check-on-firmware-key-index-in-b43_rx.patch 
@@ -0,0 +1,43 @@ +From 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 Mon Sep 17 00:00:00 2001 +From: Tristan Madani +Date: Fri, 17 Apr 2026 11:11:44 +0000 +Subject: wifi: b43: enforce bounds check on firmware key index in b43_rx() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tristan Madani + +commit 1f4f78bf8549e6ac4f04fba4176854f3a6e0c332 upstream. + +The firmware-controlled key index in b43_rx() can exceed the dev->key[] +array size (58 entries). The existing B43_WARN_ON is non-enforcing in +production builds, allowing an out-of-bounds read. + +Make the B43_WARN_ON check enforcing by dropping the frame when the +firmware returns an invalid key index. + +Suggested-by: Jonas Gorski +Acked-by: Michael Büsch +Fixes: e4d6b7951812 ("[B43]: add mac80211-based driver for modern BCM43xx devices") +Cc: stable@vger.kernel.org +Signed-off-by: Tristan Madani +Link: https://patch.msgid.link/20260417111145.2694196-1-tristmd@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/b43/xmit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/b43/xmit.c ++++ b/drivers/net/wireless/broadcom/b43/xmit.c +@@ -702,7 +702,8 @@ void b43_rx(struct b43_wldev *dev, struc + * key index, but the ucode passed it slightly different. + */ + keyidx = b43_kidx_to_raw(dev, keyidx); +- B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key)); ++ if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key))) ++ goto drop; + + if (dev->key[keyidx].algorithm != B43_SEC_ALGO_NONE) { + wlhdr_len = ieee80211_hdrlen(fctl); diff --git a/queue-5.10/wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch b/queue-5.10/wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch new file mode 100644 index 0000000000..2acd847501 --- /dev/null +++ b/queue-5.10/wifi-b43legacy-enforce-bounds-check-on-firmware-key-index-in-rx-path.patch 
@@ -0,0 +1,38 @@ +From a035766f970bde2d4298346a31a80685be5c0205 Mon Sep 17 00:00:00 2001 +From: Tristan Madani +Date: Fri, 17 Apr 2026 11:11:45 +0000 +Subject: wifi: b43legacy: enforce bounds check on firmware key index in RX path + +From: Tristan Madani + +commit a035766f970bde2d4298346a31a80685be5c0205 upstream. + +Same fix as b43: the firmware-controlled key index in b43legacy_rx() +can exceed dev->max_nr_keys. The existing B43legacy_WARN_ON is +non-enforcing in production builds, allowing an out-of-bounds read of +dev->key[]. + +Make the check enforcing by dropping the frame for invalid indices. + +Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices") +Cc: stable@vger.kernel.org +Signed-off-by: Tristan Madani +Link: https://patch.msgid.link/20260417111145.2694196-2-tristmd@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/b43legacy/xmit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/b43legacy/xmit.c ++++ b/drivers/net/wireless/broadcom/b43legacy/xmit.c +@@ -476,7 +476,8 @@ void b43legacy_rx(struct b43legacy_wldev + * key index, but the ucode passed it slightly different. + */ + keyidx = b43legacy_kidx_to_raw(dev, keyidx); +- B43legacy_WARN_ON(keyidx >= dev->max_nr_keys); ++ if (B43legacy_WARN_ON(keyidx >= dev->max_nr_keys)) ++ goto drop; + + if (dev->key[keyidx].algorithm != B43legacy_SEC_ALGO_NONE) { + /* Remove PROTECTED flag to mark it as decrypted. */ diff --git a/queue-5.10/wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch b/queue-5.10/wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch new file mode 100644 index 0000000000..64412eb364 --- /dev/null +++ b/queue-5.10/wifi-rsi-fix-kthread-lifetime-race-between-self-exit-and-external-stop.patch 
@@ -0,0 +1,50 @@ +From db57a1aa54ff68669781976e4edb045e09e2b65b Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Thu, 23 Apr 2026 02:38:46 +0900 +Subject: wifi: rsi: fix kthread lifetime race between self-exit and external-stop + +From: Jeongjun Park + +commit db57a1aa54ff68669781976e4edb045e09e2b65b upstream. + +RSI driver use both self-exit(kthread_complete_and_exit) and external-stop +(kthread_stop) when killing a kthread. Generally, kthread_stop() is called +first, and in this case, no particular issues occur. + +However, in rare instances where kthread_complete_and_exit() is called +first and then kthread_stop() is called, a UAF occurs because the kthread +object, which has already exited and been freed, is accessed again. + +Therefore, to prevent this with minimal modification, you must remove +kthread_stop() and change the code to wait until the self-exit operation +is completed. + +Cc: +Reported-by: syzbot+5de83f57cd8531f55596@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/all/69e5d03b.a00a0220.1bd0ca.0064.GAE@google.com/ +Fixes: 4c62764d0fc2 ("rsi: improve kernel thread handling to fix kernel panic") +Signed-off-by: Jeongjun Park +Link: https://patch.msgid.link/20260422173846.37640-1-aha310510@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_common.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/rsi/rsi_common.h ++++ b/drivers/net/wireless/rsi/rsi_common.h +@@ -70,12 +70,11 @@ static inline int rsi_create_kthread(str + return 0; + } + +-static inline int rsi_kill_thread(struct rsi_thread *handle) ++static inline void rsi_kill_thread(struct rsi_thread *handle) + { + atomic_inc(&handle->thread_done); + rsi_set_event(&handle->event); +- +- return kthread_stop(handle->task); ++ wait_for_completion(&handle->completion); + } + + void rsi_mac80211_detach(struct rsi_hw *hw);
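Review bot: In the ath5k_tx_frame_completed() hunk, the new guard `if (ts->ts_final_idx + 1 < IEEE80211_TX_MAX_RATES)` only protects the sentinel write; the preceding `info->status.rates[ts->ts_final_idx].count = ts->ts_final_retry;` still relies on ts_final_idx itself being below IEEE80211_TX_MAX_RATES, which the message says holds (at most 3 on 5212), so a brief comment on the guard explaining that the last slot needs no sentinel because mac80211 stops at IEEE80211_TX_MAX_RATES would help the next reader. The message's note that the OOB write previously clobbered ack_signal is useful context and could be kept as a code comment too.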
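Review bot: In the b43_rx() hunk, `if (B43_WARN_ON(keyidx >= ARRAY_SIZE(dev->key))) goto drop;` depends on two things the hunk does not show: B43_WARN_ON() must evaluate its argument and return the condition in production builds (the message only says it is "non-enforcing" there), and a `drop:` label must exist in b43_rx() in the 5.10 tree; both should be confirmed for the backport since the upstream commit was written against a newer tree. Since the index is firmware-controlled and now triggers a warning on every bad frame, the message could also note whether B43_WARN_ON is rate limited, as a misbehaving firmware would otherwise flood the log while frames are correctly dropped.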
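Review bot: In the b43legacy_rx() hunk, the enforced check is against the runtime value dev->max_nr_keys rather than ARRAY_SIZE(dev->key) as in the b43 counterpart, so the out-of-bounds read on dev->key[] is prevented only if max_nr_keys is always at most the array size; the message should state that relationship, or the check should use ARRAY_SIZE(dev->key) as the hard bound. As with b43, confirm that the `drop:` label exists in the 5.10 version of b43legacy_rx() and that B43legacy_WARN_ON() returns its condition in production builds, since the hunk relies on both without showing them.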
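Review bot: In the rsi_kill_thread() hunk, replacing kthread_stop() with wait_for_completion(&handle->completion) means the call now blocks until the thread reaches its self-exit path, so every rsi thread function in the 5.10 tree must exit on handle->thread_done (set via atomic_inc() and rsi_set_event() just above) and must not depend on kthread_should_stop(), which will never become true once kthread_stop() is gone; the message names kthread_complete_and_exit() as the self-exit helper, so confirm that the 5.10 thread bodies signal handle->completion and that rsi_create_kthread() initializes it, since neither appears in this hunk. Changing the return type from int to void is covered by the diffstat (only rsi_common.h changes), but the message should say that no caller consumed the return value so reviewers need not hunt for it.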