From: Greg Kroah-Hartman Date: Sat, 6 Sep 2025 20:17:37 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.299~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d5377cc0b694b540ea5823e9219d4f6cf913ba1;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: batman-adv-fix-oob-read-write-in-network-coding-decode.patch drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch --- diff --git a/queue-5.4/batman-adv-fix-oob-read-write-in-network-coding-decode.patch b/queue-5.4/batman-adv-fix-oob-read-write-in-network-coding-decode.patch new file mode 100644 index 0000000000..7df0b5d225 --- /dev/null +++ b/queue-5.4/batman-adv-fix-oob-read-write-in-network-coding-decode.patch 
@@ -0,0 +1,44 @@ +From d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 Mon Sep 17 00:00:00 2001 +From: Stanislav Fort +Date: Sun, 31 Aug 2025 16:56:23 +0200 +Subject: batman-adv: fix OOB read/write in network-coding decode + +From: Stanislav Fort + +commit d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 upstream. + +batadv_nc_skb_decode_packet() trusts coded_len and checks only against +skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing +payload headroom, and the source skb length is not verified, allowing an +out-of-bounds read and a small out-of-bounds write. + +Validate that coded_len fits within the payload area of both destination +and source sk_buffs before XORing. + +Fixes: 2df5278b0267 ("batman-adv: network coding - receive coded packets and decode them") +Cc: stable@vger.kernel.org +Reported-by: Stanislav Fort +Signed-off-by: Stanislav Fort +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/network-coding.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/network-coding.c ++++ b/net/batman-adv/network-coding.c +@@ -1694,7 +1694,12 @@ batadv_nc_skb_decode_packet(struct batad + + coding_len = ntohs(coded_packet_tmp.coded_len); + +- if (coding_len > skb->len) ++ /* ensure dst buffer is large enough (payload only) */ ++ if (coding_len + h_size > skb->len) ++ return NULL; ++ ++ /* ensure src buffer is large enough (payload only) */ ++ if (coding_len + h_size > nc_packet->skb->len) + return NULL; + + /* Here the magic is reversed: diff --git a/queue-5.4/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch b/queue-5.4/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch new file mode 100644 index 0000000000..4e00f0be9a --- /dev/null +++ b/queue-5.4/drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch 
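Review bot: The two added checks bound `coding_len + h_size` by `skb->len` and `nc_packet->skb->len`, but `skb->len` counts paged fragments as well as the linear head, while the XOR the commit message describes (starting at `sizeof(struct batadv_unicast_packet)` in `skb->data`) can only walk the linear area; if either skb can be non-linear at this point the bound should be `skb_headlen()`, i.e. `if (coding_len + h_size > skb_headlen(skb)) return NULL;` and the same for `nc_packet->skb`. If both buffers are guaranteed linear here (for example linearised earlier in the receive path), a one-line comment above the checks stating that assumption would make them much easier to audit. The enclosing batadv_nc_skb_decode_packet() starts before the hunk, so the declaration and type of `h_size` are not visible here; the sum cannot overflow as long as `coding_len` comes from a 16-bit field, which the `ntohs()` on the context line suggests.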
@@ -0,0 +1,105 @@ +From 71403f58b4bb6c13b71c05505593a355f697fd94 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 6 Aug 2025 10:47:50 -0400 +Subject: drm/amdgpu: drop hw access in non-DC audio fini + +From: Alex Deucher + +commit 71403f58b4bb6c13b71c05505593a355f697fd94 upstream. + +We already disable the audio pins in hw_fini so +there is no need to do it again in sw_fini. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4481 +Cc: oushixiong +Signed-off-by: Alex Deucher +(cherry picked from commit 5eeb16ca727f11278b2917fd4311a7d7efb0bbd6) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 5 ----- + drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 5 ----- + 4 files changed, 20 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v10_0.c +@@ -1445,17 +1445,12 @@ static int dce_v10_0_audio_init(struct a + + static void dce_v10_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v10_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v11_0.c +@@ -1487,17 +1487,12 @@ static int dce_v11_0_audio_init(struct a + + static void dce_v11_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v11_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v6_0.c +@@ -1358,17 +1358,12 @@ static int 
dce_v6_0_audio_init(struct am + + static void dce_v6_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v6_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + +--- a/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/dce_v8_0.c +@@ -1408,17 +1408,12 @@ static int dce_v8_0_audio_init(struct am + + static void dce_v8_0_audio_fini(struct amdgpu_device *adev) + { +- int i; +- + if (!amdgpu_audio) + return; + + if (!adev->mode_info.audio.enabled) + return; + +- for (i = 0; i < adev->mode_info.audio.num_pins; i++) +- dce_v8_0_audio_enable(adev, &adev->mode_info.audio.pin[i], false); +- + adev->mode_info.audio.enabled = false; + } + diff --git a/queue-5.4/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch b/queue-5.4/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch new file mode 100644 index 0000000000..cff3a78c20 --- /dev/null +++ b/queue-5.4/e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch 
@@ -0,0 +1,55 @@ +From 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 Mon Sep 17 00:00:00 2001 +From: Vitaly Lifshits +Date: Sun, 17 Aug 2025 12:25:47 +0300 +Subject: e1000e: fix heap overflow in e1000_set_eeprom + +From: Vitaly Lifshits + +commit 90fb7db49c6dbac961c6b8ebfd741141ffbc8545 upstream. + +Fix a possible heap overflow in e1000_set_eeprom function by adding +input validation for the requested length of the change in the EEPROM. +In addition, change the variable type from int to size_t for better +code practices and rearrange declarations to RCT. + +Cc: stable@vger.kernel.org +Fixes: bc7f75fa9788 ("[E1000E]: New pci-express e1000 driver (currently for ICH9 devices only)") +Co-developed-by: Mikael Wessel +Signed-off-by: Mikael Wessel +Signed-off-by: Vitaly Lifshits +Tested-by: Mor Bar-Gabay +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/ethtool.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/intel/e1000e/ethtool.c ++++ b/drivers/net/ethernet/intel/e1000e/ethtool.c +@@ -552,12 +552,12 @@ static int e1000_set_eeprom(struct net_d + { + struct e1000_adapter *adapter = netdev_priv(netdev); + struct e1000_hw *hw = &adapter->hw; ++ size_t total_len, max_len; + u16 *eeprom_buff; +- void *ptr; +- int max_len; ++ int ret_val = 0; + int first_word; + int last_word; +- int ret_val = 0; ++ void *ptr; + u16 i; + + if (eeprom->len == 0) +@@ -572,6 +572,10 @@ static int e1000_set_eeprom(struct net_d + + max_len = hw->nvm.word_size * 2; + ++ if (check_add_overflow(eeprom->offset, eeprom->len, &total_len) || ++ total_len > max_len) ++ return -EFBIG; ++ + first_word = eeprom->offset >> 1; + last_word = (eeprom->offset + eeprom->len - 1) >> 1; + eeprom_buff = kmalloc(max_len, GFP_KERNEL); diff --git a/queue-5.4/series b/queue-5.4/series index 22f3845fdf..9e638cef8a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
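Review bot: `check_add_overflow(eeprom->offset, eeprom->len, &total_len)` mixes `__u32` operands with a `size_t` result; on a 5.4 tree `check_add_overflow()` may still be the strict variant that requires all three arguments to share one type (enforced through a pointer comparison), which would produce a distinct-pointer-types warning on 64-bit builds even though the logic itself is correct. Worth confirming the backport builds warning-free; if it does not, declare the accumulator with the ethtool field type, `u32 total_len;` next to `size_t max_len;`, since a 32-bit wrap of `offset + len` is exactly the case the check must reject and `max_len` stays bounded by `hw->nvm.word_size * 2`. The comparison `total_len > max_len` is then unsigned-to-unsigned and needs no further care. The body of e1000_set_eeprom() continues outside the hunk.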
@@ -17,3 +17,7 @@ net-atm-fix-memory-leak-in-atm_register_sysfs-when-d.patch
 ppp-fix-memory-leak-in-pad_compress_skb.patch
 alsa-usb-audio-add-mute-tlv-for-playback-volumes-on-some-devices.patch
 pcmcia-fix-a-null-pointer-dereference-in-__iodyn_find_io_region.patch
+wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch
+drm-amdgpu-drop-hw-access-in-non-dc-audio-fini.patch
+batman-adv-fix-oob-read-write-in-network-coding-decode.patch
+e1000e-fix-heap-overflow-in-e1000_set_eeprom.patch
diff --git a/queue-5.4/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch b/queue-5.4/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch
new file mode 100644
index 0000000000..2d6162dba0
--- /dev/null
+++ b/queue-5.4/wifi-mwifiex-initialize-the-chan_stats-array-to-zero.patch
@@ -0,0 +1,70 @@ +From 0e20450829ca3c1dbc2db536391537c57a40fe0b Mon Sep 17 00:00:00 2001 +From: Qianfeng Rong +Date: Fri, 15 Aug 2025 10:30:50 +0800 +Subject: wifi: mwifiex: Initialize the chan_stats array to zero + +From: Qianfeng Rong + +commit 0e20450829ca3c1dbc2db536391537c57a40fe0b upstream. + +The adapter->chan_stats[] array is initialized in +mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out +memory. The array is filled in mwifiex_update_chan_statistics() +and then the user can query the data in mwifiex_cfg80211_dump_survey(). + +There are two potential issues here. What if the user calls +mwifiex_cfg80211_dump_survey() before the data has been filled in. +Also the mwifiex_update_chan_statistics() function doesn't necessarily +initialize the whole array. Since the array was not initialized at +the start that could result in an information leak. + +Also this array is pretty small. It's a maximum of 900 bytes so it's +more appropriate to use kcalloc() instead vmalloc(). + +Cc: stable@vger.kernel.org +Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex") +Suggested-by: Dan Carpenter +Signed-off-by: Qianfeng Rong +Reviewed-by: Dan Carpenter +Link: https://patch.msgid.link/20250815023055.477719-1-rongqianfeng@vivo.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +++-- + drivers/net/wireless/marvell/mwifiex/main.c | 4 ++-- + 2 files changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -4273,8 +4273,9 @@ int mwifiex_init_channel_scan_gap(struct + * additional active scan request for hidden SSIDs on passive channels. 
+ */ + adapter->num_in_chan_stats = 2 * (n_channels_bg + n_channels_a); +- adapter->chan_stats = vmalloc(array_size(sizeof(*adapter->chan_stats), +- adapter->num_in_chan_stats)); ++ adapter->chan_stats = kcalloc(adapter->num_in_chan_stats, ++ sizeof(*adapter->chan_stats), ++ GFP_KERNEL); + + if (!adapter->chan_stats) + return -ENOMEM; +--- a/drivers/net/wireless/marvell/mwifiex/main.c ++++ b/drivers/net/wireless/marvell/mwifiex/main.c +@@ -635,7 +635,7 @@ static int _mwifiex_fw_dpc(const struct + goto done; + + err_add_intf: +- vfree(adapter->chan_stats); ++ kfree(adapter->chan_stats); + err_init_chan_scan: + wiphy_unregister(adapter->wiphy); + wiphy_free(adapter->wiphy); +@@ -1448,7 +1448,7 @@ static void mwifiex_uninit_sw(struct mwi + wiphy_free(adapter->wiphy); + adapter->wiphy = NULL; + +- vfree(adapter->chan_stats); ++ kfree(adapter->chan_stats); + mwifiex_free_cmd_buffers(adapter); + } +
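Review bot: Both new `kfree(adapter->chan_stats)` sites, the `err_add_intf` path in _mwifiex_fw_dpc() and the one in mwifiex_uninit_sw(), leave the freed pointer stored in the adapter, just as the vfree() calls did before. Since the buffer is released from two teardown paths and kfree() tolerates NULL, clearing it costs nothing and turns any accidental second release into a no-op rather than a double free: `kfree(adapter->chan_stats); adapter->chan_stats = NULL;` at both sites. Whether both paths can run against one adapter is not visible from the hunk, so treat this as hardening rather than a known bug. Both enclosing functions begin outside the hunk.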