From: Greg Kroah-Hartman Date: Tue, 9 Dec 2025 04:39:09 +0000 (+0900) Subject: 6.17-stable patches X-Git-Tag: v6.12.62~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a46de110810591a97cb6370859d11687be2e5718;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: comedi-c6xdigio-fix-invalid-pnp-driver-unregistration.patch comedi-check-device-s-attached-status-in-compat-ioctls.patch comedi-multiq3-sanitize-config-options-in-multiq3_attach.patch iio-adc-ad4080-fix-chip-identification.patch staging-rtl8723bs-fix-out-of-bounds-read-in-onbeacon-esr-ie-parsing.patch staging-rtl8723bs-fix-out-of-bounds-read-in-rtw_get_ie-parser.patch staging-rtl8723bs-fix-stack-buffer-overflow-in-onassocreq-ie-parsing.patch wifi-rtl8xxxu-add-usb-id-2001-3328-for-d-link-an3u-rev.-a1.patch wifi-rtw88-add-usb-id-2001-3329-for-d-link-ac13u-rev.-a1.patch --- diff --git a/queue-6.17/comedi-c6xdigio-fix-invalid-pnp-driver-unregistration.patch b/queue-6.17/comedi-c6xdigio-fix-invalid-pnp-driver-unregistration.patch new file mode 100644 index 0000000000..d15b380057 --- /dev/null +++ b/queue-6.17/comedi-c6xdigio-fix-invalid-pnp-driver-unregistration.patch 
@@ -0,0 +1,166 @@ +From 72262330f7b3ad2130e800cecf02adcce3c32c77 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Thu, 23 Oct 2025 13:31:41 +0100 +Subject: comedi: c6xdigio: Fix invalid PNP driver unregistration + +From: Ian Abbott + +commit 72262330f7b3ad2130e800cecf02adcce3c32c77 upstream. + +The Comedi low-level driver "c6xdigio" seems to be for a parallel port +connected device. When the Comedi core calls the driver's Comedi +"attach" handler `c6xdigio_attach()` to configure a Comedi to use this +driver, it tries to enable the parallel port PNP resources by +registering a PNP driver with `pnp_register_driver()`, but ignores the +return value. (The `struct pnp_driver` it uses has only the `name` and +`id_table` members filled in.) The driver's Comedi "detach" handler +`c6xdigio_detach()` unconditionally unregisters the PNP driver with +`pnp_unregister_driver()`. + +It is possible for `c6xdigio_attach()` to return an error before it +calls `pnp_register_driver()` and it is possible for the call to +`pnp_register_driver()` to return an error (that is ignored). In both +cases, the driver should not be calling `pnp_unregister_driver()` as it +does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be +called by the Comedi core if `c6xdigio_attach()` returns an error, or if +the Comedi core decides to detach the Comedi device from the driver for +some other reason.) + +The unconditional call to `pnp_unregister_driver()` without a previous +successful call to `pnp_register_driver()` will cause +`driver_unregister()` to issue a warning "Unexpected driver +unregister!". This was detected by Syzbot [1]. + +Also, the PNP driver registration and unregistration should be done at +module init and exit time, respectively, not when attaching or detaching +Comedi devices to the driver. (There might be more than one Comedi +device being attached to the driver, although that is unlikely.) 
+ +Change the driver to do the PNP driver registration at module init time, +and the unregistration at module exit time. Since `c6xdigio_detach()` +now only calls `comedi_legacy_detach()`, remove the function and change +the Comedi driver "detach" handler to `comedi_legacy_detach`. + +------------------------------------------- +[1] Syzbot sample crash report: +Unexpected driver unregister! +WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline] +WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270 +Modules linked in: +CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 +RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline] +RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270 +Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41 +RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8 +RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001 +RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660 +R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000 +FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0 +Call Trace: + + comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207 + comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215 + comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011 + do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872 + 
comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl fs/ioctl.c:583 [inline] + __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fc05798eec9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffcf8184238 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007fc057be5fa0 RCX: 00007fc05798eec9 +RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003 +RBP: 00007fc057a11f91 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fc057be5fa0 R14: 00007fc057be5fa0 R15: 0000000000000003 + +------------------------------------------- + +Reported-by: syzbot+6616bba359cec7a1def1@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6616bba359cec7a1def1 +Fixes: 2c89e159cd2f ("Staging: comedi: add c6xdigio driver") +Cc: stable +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20251023123141.6537-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/c6xdigio.c | 46 ++++++++++++++++++++++++++++---------- + 1 file changed, 35 insertions(+), 11 deletions(-) + +--- a/drivers/comedi/drivers/c6xdigio.c ++++ b/drivers/comedi/drivers/c6xdigio.c +@@ -249,9 +249,6 @@ static int c6xdigio_attach(struct comedi + if (ret) + return ret; + +- /* Make sure that PnP ports get activated */ +- pnp_register_driver(&c6xdigio_pnp_driver); +- + s = &dev->subdevices[0]; + /* pwm output subdevice */ + s->type = COMEDI_SUBD_PWM; +@@ -278,19 +275,46 @@ static int c6xdigio_attach(struct comedi + return 0; + } + 
+-static void c6xdigio_detach(struct comedi_device *dev) +-{ +- comedi_legacy_detach(dev); +- pnp_unregister_driver(&c6xdigio_pnp_driver); +-} +- + static struct comedi_driver c6xdigio_driver = { + .driver_name = "c6xdigio", + .module = THIS_MODULE, + .attach = c6xdigio_attach, +- .detach = c6xdigio_detach, ++ .detach = comedi_legacy_detach, + }; +-module_comedi_driver(c6xdigio_driver); ++ ++static bool c6xdigio_pnp_registered = false; ++ ++static int __init c6xdigio_module_init(void) ++{ ++ int ret; ++ ++ ret = comedi_driver_register(&c6xdigio_driver); ++ if (ret) ++ return ret; ++ ++ if (IS_ENABLED(CONFIG_PNP)) { ++ /* Try to activate the PnP ports */ ++ ret = pnp_register_driver(&c6xdigio_pnp_driver); ++ if (ret) { ++ pr_warn("failed to register pnp driver - err %d\n", ++ ret); ++ ret = 0; /* ignore the error. */ ++ } else { ++ c6xdigio_pnp_registered = true; ++ } ++ } ++ ++ return 0; ++} ++module_init(c6xdigio_module_init); ++ ++static void __exit c6xdigio_module_exit(void) ++{ ++ if (c6xdigio_pnp_registered) ++ pnp_unregister_driver(&c6xdigio_pnp_driver); ++ comedi_driver_unregister(&c6xdigio_driver); ++} ++module_exit(c6xdigio_module_exit); + + MODULE_AUTHOR("Comedi https://www.comedi.org"); + MODULE_DESCRIPTION("Comedi driver for the C6x_DIGIO DSP daughter card"); diff --git a/queue-6.17/comedi-check-device-s-attached-status-in-compat-ioctls.patch b/queue-6.17/comedi-check-device-s-attached-status-in-compat-ioctls.patch new file mode 100644 index 0000000000..87f613c57c --- /dev/null +++ b/queue-6.17/comedi-check-device-s-attached-status-in-compat-ioctls.patch 
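Review bot: in the second hunk (@@ -278,19 +275,46 @@), `static bool c6xdigio_pnp_registered = false;` initialises a static to false, which checkpatch flags as unnecessary because statics are zero-initialised; `static bool c6xdigio_pnp_registered;` is the usual form. The init/exit pairing itself looks right: comedi_driver_register() is checked before the PNP registration is attempted, a failed pnp_register_driver() leaves the flag clear and is downgraded to a warning instead of failing module load, and c6xdigio_module_exit() tears down in reverse order and only calls pnp_unregister_driver() when the flag is set, which is what removes the "Unexpected driver unregister!" path from the detach handler. One thing to confirm outside the hunk: that the file defines pr_fmt so the pr_warn() gets a driver prefix, since "failed to register pnp driver - err %d" carries none of its own.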
@@ -0,0 +1,146 @@ +From 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Thu, 23 Oct 2025 16:22:32 +0300 +Subject: comedi: check device's attached status in compat ioctls + +From: Nikita Zhandarovich + +commit 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee upstream. + +Syzbot identified an issue [1] that crashes kernel, seemingly due to +unexistent callback dev->get_valid_routes(). By all means, this should +not occur as said callback must always be set to +get_zero_valid_routes() in __comedi_device_postconfig(). + +As the crash seems to appear exclusively in i386 kernels, at least, +judging from [1] reports, the blame lies with compat versions +of standard IOCTL handlers. Several of them are modified and +do not use comedi_unlocked_ioctl(). While functionality of these +ioctls essentially copy their original versions, they do not +have required sanity check for device's attached status. This, +in turn, leads to a possibility of calling select IOCTLs on a +device that has not been properly setup, even via COMEDI_DEVCONFIG. + +Doing so on unconfigured devices means that several crucial steps +are missed, for instance, specifying dev->get_valid_routes() +callback. + +Fix this somewhat crudely by ensuring device's attached status before +performing any ioctls, improving logic consistency between modern +and compat functions. + +[1] Syzbot report: +BUG: kernel NULL pointer dereference, address: 0000000000000000 +... 
+CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0 +Call Trace: + + get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline] + parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401 + do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594 + compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline] + comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273 + __do_compat_sys_ioctl fs/ioctl.c:695 [inline] + __se_compat_sys_ioctl fs/ioctl.c:638 [inline] + __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638 + do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] +... + +Reported-by: syzbot+ab8008c24e84adee93ff@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=ab8008c24e84adee93ff +Fixes: 3fbfd2223a27 ("comedi: get rid of compat_alloc_user_space() mess in COMEDI_CHANINFO compat") +Cc: stable +Reviewed-by: Ian Abbott +Signed-off-by: Nikita Zhandarovich +Link: https://patch.msgid.link/20251023132234.395794-1-n.zhandarovich@fintech.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/comedi_fops.c | 42 ++++++++++++++++++++++++++++++++++++------ + 1 file changed, 36 insertions(+), 6 deletions(-) + +--- a/drivers/comedi/comedi_fops.c ++++ b/drivers/comedi/comedi_fops.c +@@ -3023,7 +3023,12 @@ static int compat_chaninfo(struct file * + chaninfo.rangelist = compat_ptr(chaninfo32.rangelist); + + mutex_lock(&dev->mutex); +- err = do_chaninfo_ioctl(dev, &chaninfo); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ err = -ENODEV; ++ } else { ++ err = do_chaninfo_ioctl(dev, &chaninfo); ++ } + mutex_unlock(&dev->mutex); + return err; + } +@@ -3044,7 +3049,12 @@ static int compat_rangeinfo(struct file + rangeinfo.range_ptr = compat_ptr(rangeinfo32.range_ptr); + + mutex_lock(&dev->mutex); +- err = do_rangeinfo_ioctl(dev, &rangeinfo); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ err = -ENODEV; ++ } else { ++ err = do_rangeinfo_ioctl(dev, 
&rangeinfo); ++ } + mutex_unlock(&dev->mutex); + return err; + } +@@ -3120,7 +3130,12 @@ static int compat_cmd(struct file *file, + return rc; + + mutex_lock(&dev->mutex); +- rc = do_cmd_ioctl(dev, &cmd, ©, file); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ rc = -ENODEV; ++ } else { ++ rc = do_cmd_ioctl(dev, &cmd, ©, file); ++ } + mutex_unlock(&dev->mutex); + if (copy) { + /* Special case: copy cmd back to user. */ +@@ -3145,7 +3160,12 @@ static int compat_cmdtest(struct file *f + return rc; + + mutex_lock(&dev->mutex); +- rc = do_cmdtest_ioctl(dev, &cmd, ©, file); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ rc = -ENODEV; ++ } else { ++ rc = do_cmdtest_ioctl(dev, &cmd, ©, file); ++ } + mutex_unlock(&dev->mutex); + if (copy) { + err = put_compat_cmd(compat_ptr(arg), &cmd); +@@ -3205,7 +3225,12 @@ static int compat_insnlist(struct file * + } + + mutex_lock(&dev->mutex); +- rc = do_insnlist_ioctl(dev, insns, insnlist32.n_insns, file); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ rc = -ENODEV; ++ } else { ++ rc = do_insnlist_ioctl(dev, insns, insnlist32.n_insns, file); ++ } + mutex_unlock(&dev->mutex); + kfree(insns); + return rc; +@@ -3224,7 +3249,12 @@ static int compat_insn(struct file *file + return rc; + + mutex_lock(&dev->mutex); +- rc = do_insn_ioctl(dev, &insn, file); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ rc = -ENODEV; ++ } else { ++ rc = do_insn_ioctl(dev, &insn, file); ++ } + mutex_unlock(&dev->mutex); + return rc; + } diff --git a/queue-6.17/comedi-multiq3-sanitize-config-options-in-multiq3_attach.patch b/queue-6.17/comedi-multiq3-sanitize-config-options-in-multiq3_attach.patch new file mode 100644 index 0000000000..a89aa6f033 --- /dev/null +++ b/queue-6.17/comedi-multiq3-sanitize-config-options-in-multiq3_attach.patch 
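Review bot: the five-line attached check introduced in the compat_chaninfo() hunk (@@ -3023,7 +3023,12 @@) is repeated verbatim in all six hunks (compat_rangeinfo, compat_cmd, compat_cmdtest, compat_insnlist, compat_insn), and the commit message itself calls the fix crude. A small helper that performs the `if (!dev->attached) { dev_dbg(...); return -ENODEV; }` check once under dev->mutex, shared with the native path in comedi_unlocked_ioctl(), would stop the compat and native handlers drifting apart again, which is how this missing check got in. Fine for a stable backport as is, but worth a follow-up upstream.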
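Review bot: in the compat_cmd() hunk (@@ -3120,7 +3130,12 @@) and the matching compat_cmdtest() hunk (@@ -3145,7 +3160,12 @@), the new -ENODEV branch returns with `copy` untouched, yet the code right after `mutex_unlock(&dev->mutex);` still runs `if (copy) { /* Special case: copy cmd back to user. */`. That is only safe if `copy` is initialised to false before the lock is taken; the initialisation is outside the hunk, so please confirm it, otherwise the unattached-device error path could copy a struct back to user space. If it is initialised, a one-line comment above the `if (copy)` noting that the unattached path deliberately skips the copy-back would save the next reader the same check.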
@@ -0,0 +1,81 @@ +From f24c6e3a39fa355dabfb684c9ca82db579534e72 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Thu, 23 Oct 2025 16:22:04 +0300 +Subject: comedi: multiq3: sanitize config options in multiq3_attach() + +From: Nikita Zhandarovich + +commit f24c6e3a39fa355dabfb684c9ca82db579534e72 upstream. + +Syzbot identified an issue [1] in multiq3_attach() that induces a +task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, +specifically, in the case of multiq3 driver. + +This problem arose when syzkaller managed to craft weird configuration +options used to specify the number of channels in encoder subdevice. +If a particularly great number is passed to s->n_chan in +multiq3_attach() via it->options[2], then multiple calls to +multiq3_encoder_reset() at the end of driver-specific attach() method +will be running for minutes, thus blocking tasks and affected devices +as well. + +While this issue is most likely not too dangerous for real-life +devices, it still makes sense to sanitize configuration inputs. Enable +a sensible limit on the number of encoder chips (4 chips max, each +with 2 channels) to stop this behaviour from manifesting. + +[1] Syzbot crash: +INFO: task syz.2.19:6067 blocked for more than 143 seconds. +... +Call Trace: + + context_switch kernel/sched/core.c:5254 [inline] + __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862 + __schedule_loop kernel/sched/core.c:6944 [inline] + schedule+0x165/0x360 kernel/sched/core.c:6959 + schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016 + __mutex_lock_common kernel/locking/mutex.c:676 [inline] + __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 + comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868 + chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414 + do_dentry_open+0x953/0x13f0 fs/open.c:965 + vfs_open+0x3b/0x340 fs/open.c:1097 +... 
+ +Reported-by: syzbot+7811bb68a317954a0347@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7811bb68a317954a0347 +Fixes: 77e01cdbad51 ("Staging: comedi: add multiq3 driver") +Cc: stable +Signed-off-by: Nikita Zhandarovich +Reviewed-by: Ian Abbott +Link: https://patch.msgid.link/20251023132205.395753-1-n.zhandarovich@fintech.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/comedi/drivers/multiq3.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/comedi/drivers/multiq3.c ++++ b/drivers/comedi/drivers/multiq3.c +@@ -67,6 +67,11 @@ + #define MULTIQ3_TRSFRCNTR_OL 0x10 /* xfer CNTR to OL (x and y) */ + #define MULTIQ3_EFLAG_RESET 0x06 /* reset E bit of flag reg */ + ++/* ++ * Limit on the number of optional encoder channels ++ */ ++#define MULTIQ3_MAX_ENC_CHANS 8 ++ + static void multiq3_set_ctrl(struct comedi_device *dev, unsigned int bits) + { + /* +@@ -312,6 +317,10 @@ static int multiq3_attach(struct comedi_ + s->insn_read = multiq3_encoder_insn_read; + s->insn_config = multiq3_encoder_insn_config; + ++ /* sanity check for number of encoder channels */ ++ if (s->n_chan > MULTIQ3_MAX_ENC_CHANS) ++ s->n_chan = MULTIQ3_MAX_ENC_CHANS; ++ + for (i = 0; i < s->n_chan; i++) + multiq3_encoder_reset(dev, i); + diff --git a/queue-6.17/iio-adc-ad4080-fix-chip-identification.patch b/queue-6.17/iio-adc-ad4080-fix-chip-identification.patch new file mode 100644 index 0000000000..3bca59c1f5 --- /dev/null +++ b/queue-6.17/iio-adc-ad4080-fix-chip-identification.patch 
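Review bot: the clamp in the multiq3_attach() hunk (@@ -312,6 +317,10 @@) silently rewrites the user-supplied channel count (`s->n_chan = MULTIQ3_MAX_ENC_CHANS;`) with no message, so an operator who passes a bad options[2] gets a device that quietly exposes fewer encoder channels than requested. Either reject the configuration with -EINVAL, or keep the clamp but emit a dev_warn() when it fires so the misconfiguration is visible in the log. The limit itself is consistent with the commit message (4 chips x 2 channels gives MULTIQ3_MAX_ENC_CHANS 8), and because the clamp sits before `for (i = 0; i < s->n_chan; i++) multiq3_encoder_reset(dev, i);` it does bound the reset loop that syzbot saw hang.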
@@ -0,0 +1,65 @@ +From b66cddc8be7278fd14650ff9182f3794397f8b31 Mon Sep 17 00:00:00 2001 +From: Antoniu Miclaus +Date: Tue, 7 Oct 2025 11:15:20 +0000 +Subject: iio: adc: ad4080: fix chip identification +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Antoniu Miclaus + +commit b66cddc8be7278fd14650ff9182f3794397f8b31 upstream. + +Fix AD4080 chip identification by using the correct 16-bit product ID +(0x0050) instead of GENMASK(2, 0). Update the chip reading logic to +use regmap_bulk_read to read both PRODUCT_ID_L and PRODUCT_ID_H +registers and combine them into a 16-bit value. + +The original implementation was incorrectly reading only 3 bits, +which would not correctly identify the AD4080 chip. + +Fixes: 6b31ba1811b6 ("iio: adc: ad4080: add driver support") +Signed-off-by: Antoniu Miclaus +Reviewed-by: Nuno Sá +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad4080.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/iio/adc/ad4080.c ++++ b/drivers/iio/adc/ad4080.c +@@ -125,7 +125,7 @@ + + /* Miscellaneous Definitions */ + #define AD4080_SPI_READ BIT(7) +-#define AD4080_CHIP_ID GENMASK(2, 0) ++#define AD4080_CHIP_ID 0x0050 + + #define AD4080_LVDS_CNV_CLK_CNT_MAX 7 + +@@ -445,7 +445,8 @@ static int ad4080_setup(struct iio_dev * + { + struct ad4080_state *st = iio_priv(indio_dev); + struct device *dev = regmap_get_device(st->regmap); +- unsigned int id; ++ __le16 id_le; ++ u16 id; + int ret; + + ret = regmap_write(st->regmap, AD4080_REG_INTERFACE_CONFIG_A, +@@ -458,10 +459,12 @@ static int ad4080_setup(struct iio_dev * + if (ret) + return ret; + +- ret = regmap_read(st->regmap, AD4080_REG_CHIP_TYPE, &id); ++ ret = regmap_bulk_read(st->regmap, AD4080_REG_PRODUCT_ID_L, &id_le, ++ sizeof(id_le)); + if (ret) + return ret; + ++ id = le16_to_cpu(id_le); + if (id != AD4080_CHIP_ID) + dev_info(dev, "Unrecognized CHIP_ID 0x%X\n", id); + 
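Review bot: the regmap_bulk_read() in the @@ -458,10 +459,12 @@ hunk reads sizeof(__le16) bytes starting at AD4080_REG_PRODUCT_ID_L, which relies on PRODUCT_ID_H being the next register address and on the regmap configuration allowing a multi-byte read across that range; neither is visible in the diff, so please confirm both against the register map, otherwise the high byte comes from the wrong register and the comparison against AD4080_CHIP_ID 0x0050 fails on every part. Separately, a mismatch still only logs `dev_info(dev, "Unrecognized CHIP_ID 0x%X\n", id);` and carries on with setup; if the ID check is meant to catch a wrong or absent part, dev_warn() or an error return is the safer behaviour. The le16 handling itself (`__le16 id_le` plus `le16_to_cpu()`) is correct and avoids the endianness bug a plain u16 buffer would introduce.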
diff --git a/queue-6.17/series b/queue-6.17/series index 8a4c1d0f9b..e636111f76 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -50,3 +50,12 @@ loongarch-mask-all-interrupts-during-kexec-kdump.patch samples-work-around-glibc-redefining-some-of-our-def.patch platform-x86-hp-wmi-add-omen-16-wf1xxx-fan-support.patch platform-x86-hp-wmi-add-omen-max-16-ah0xx-fan-suppor.patch +wifi-rtl8xxxu-add-usb-id-2001-3328-for-d-link-an3u-rev.-a1.patch +wifi-rtw88-add-usb-id-2001-3329-for-d-link-ac13u-rev.-a1.patch +iio-adc-ad4080-fix-chip-identification.patch +comedi-c6xdigio-fix-invalid-pnp-driver-unregistration.patch +comedi-multiq3-sanitize-config-options-in-multiq3_attach.patch +comedi-check-device-s-attached-status-in-compat-ioctls.patch +staging-rtl8723bs-fix-out-of-bounds-read-in-rtw_get_ie-parser.patch +staging-rtl8723bs-fix-stack-buffer-overflow-in-onassocreq-ie-parsing.patch +staging-rtl8723bs-fix-out-of-bounds-read-in-onbeacon-esr-ie-parsing.patch diff --git a/queue-6.17/staging-rtl8723bs-fix-out-of-bounds-read-in-onbeacon-esr-ie-parsing.patch b/queue-6.17/staging-rtl8723bs-fix-out-of-bounds-read-in-onbeacon-esr-ie-parsing.patch new file mode 100644 index 0000000000..9895ba2150 --- /dev/null +++ b/queue-6.17/staging-rtl8723bs-fix-out-of-bounds-read-in-onbeacon-esr-ie-parsing.patch 
@@ -0,0 +1,45 @@ +From 502ddcc405b69fa92e0add6c1714d654504f6fd7 Mon Sep 17 00:00:00 2001 +From: Navaneeth K +Date: Thu, 20 Nov 2025 16:35:20 +0000 +Subject: staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing + +From: Navaneeth K + +commit 502ddcc405b69fa92e0add6c1714d654504f6fd7 upstream. + +The Extended Supported Rates (ESR) IE handling in OnBeacon accessed +*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these +offsets lie within the received frame buffer. A malformed beacon with +an ESR IE positioned at the end of the buffer could cause an +out-of-bounds read, potentially triggering a kernel panic. + +Add a boundary check to ensure that the ESR IE body and the subsequent +bytes are within the limits of the frame before attempting to access +them. + +This prevents OOB reads caused by malformed beacon frames. + +Signed-off-by: Navaneeth K +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c ++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +@@ -579,9 +579,11 @@ unsigned int OnBeacon(struct adapter *pa + + p = rtw_get_ie(pframe + sizeof(struct ieee80211_hdr_3addr) + _BEACON_IE_OFFSET_, WLAN_EID_EXT_SUPP_RATES, &ielen, precv_frame->u.hdr.len - sizeof(struct ieee80211_hdr_3addr) - _BEACON_IE_OFFSET_); + if (p && ielen > 0) { +- if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D)) +- /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */ +- *(p + 1) = ielen - 1; ++ if (p + 2 + ielen < pframe + len) { ++ if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D)) ++ /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */ ++ *(p + 1) = ielen - 1; ++ } + } + + if (pmlmeext->sitesurvey_res.state == SCAN_PROCESS) { 
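Review bot: the new guard `if (p + 2 + ielen < pframe + len)` in the OnBeacon() hunk uses a variable `len` that does not appear in the hunk context, while the rtw_get_ie() call just above bounds its search with `precv_frame->u.hdr.len - sizeof(struct ieee80211_hdr_3addr) - _BEACON_IE_OFFSET_`. The check is only correct if `len` holds the full received frame length, so that pframe + len is one past the last valid byte and p + 2 + ielen is the last index dereferenced; please confirm that is what `len` is in OnBeacon(), or use precv_frame->u.hdr.len directly so the two limits visibly agree. Also worth a comment: the fix-up `*(p + 1) = ielen - 1;` still rewrites the length byte of a received frame in place, so any later parse of the same buffer sees the altered IE; that is pre-existing behaviour, not introduced here.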
diff --git a/queue-6.17/staging-rtl8723bs-fix-out-of-bounds-read-in-rtw_get_ie-parser.patch b/queue-6.17/staging-rtl8723bs-fix-out-of-bounds-read-in-rtw_get_ie-parser.patch new file mode 100644 index 0000000000..eee604c095 --- /dev/null +++ b/queue-6.17/staging-rtl8723bs-fix-out-of-bounds-read-in-rtw_get_ie-parser.patch 
@@ -0,0 +1,62 @@ +From 154828bf9559b9c8421fc2f0d7f7f76b3683aaed Mon Sep 17 00:00:00 2001 +From: Navaneeth K +Date: Thu, 20 Nov 2025 16:23:52 +0000 +Subject: staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser + +From: Navaneeth K + +commit 154828bf9559b9c8421fc2f0d7f7f76b3683aaed upstream. + +The Information Element (IE) parser rtw_get_ie() trusted the length +byte of each IE without validating that the IE body (len bytes after +the 2-byte header) fits inside the remaining frame buffer. A malformed +frame can advertise an IE length larger than the available data, causing +the parser to increment its pointer beyond the buffer end. This results +in out-of-bounds reads or, depending on the pattern, an infinite loop. + +Fix by validating that (offset + 2 + len) does not exceed the limit +before accepting the IE or advancing to the next element. + +This prevents OOB reads and ensures the parser terminates safely on +malformed frames. + +Signed-off-by: Navaneeth K +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c ++++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c +@@ -140,22 +140,24 @@ u8 *rtw_get_ie(u8 *pbuf, signed int inde + signed int tmp, i; + u8 *p; + +- if (limit < 1) ++ if (limit < 2) + return NULL; + + p = pbuf; + i = 0; + *len = 0; +- while (1) { ++ while (i + 2 <= limit) { ++ tmp = *(p + 1); ++ if (i + 2 + tmp > limit) ++ break; ++ + if (*p == index) { +- *len = *(p + 1); ++ *len = tmp; + return p; + } +- tmp = *(p + 1); ++ + p += (tmp + 2); + i += (tmp + 2); +- if (i >= limit) +- break; + } + return NULL; + } diff --git a/queue-6.17/staging-rtl8723bs-fix-stack-buffer-overflow-in-onassocreq-ie-parsing.patch b/queue-6.17/staging-rtl8723bs-fix-stack-buffer-overflow-in-onassocreq-ie-parsing.patch new file mode 100644 index 0000000000..330617ba82 --- /dev/null 
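Review bot: in the rtw_get_ie() hunk the loop condition `while (i + 2 <= limit)` already guarantees both header bytes are readable before `tmp = *(p + 1);`, so the early return `if (limit < 2) return NULL;` is now redundant (harmless; keep it only as documentation of the contract). The length check `if (i + 2 + tmp > limit) break;` comes before the `*p == index` comparison, so a matching IE whose declared length overruns the buffer is reported as absent rather than returned truncated; that is the right call and matches the commit message, but a one-line comment saying so would stop someone reordering the two tests later. Note the behaviour change for a caller passing limit == 1: the old code read two bytes (one past the limit) before checking anything, the new code returns NULL, which is the correct outcome.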
+++ b/queue-6.17/staging-rtl8723bs-fix-stack-buffer-overflow-in-onassocreq-ie-parsing.patch @@ -0,0 +1,49 @@ +From 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 Mon Sep 17 00:00:00 2001 +From: Navaneeth K +Date: Thu, 20 Nov 2025 16:33:08 +0000 +Subject: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing + +From: Navaneeth K + +commit 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 upstream. + +The Supported Rates IE length from an incoming Association Request frame +was used directly as the memcpy() length when copying into a fixed-size +16-byte stack buffer (supportRate). A malicious station can advertise an +IE length larger than 16 bytes, causing a stack buffer overflow. + +Clamp ie_len to the buffer size before copying the Supported Rates IE, +and correct the bounds check when merging Extended Supported Rates to +prevent a second potential overflow. + +This prevents kernel stack corruption triggered by malformed association +requests. + +Signed-off-by: Navaneeth K +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c ++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +@@ -1033,6 +1033,9 @@ unsigned int OnAssocReq(struct adapter * + status = WLAN_STATUS_CHALLENGE_FAIL; + goto OnAssocReqFail; + } else { ++ if (ie_len > sizeof(supportRate)) ++ ie_len = sizeof(supportRate); ++ + memcpy(supportRate, p+2, ie_len); + supportRateNum = ie_len; + +@@ -1040,7 +1043,7 @@ unsigned int OnAssocReq(struct adapter * + pkt_len - WLAN_HDR_A3_LEN - ie_offset); + if (p) { + +- if (supportRateNum <= sizeof(supportRate)) { ++ if (supportRateNum + ie_len <= sizeof(supportRate)) { + memcpy(supportRate+supportRateNum, p+2, ie_len); + supportRateNum += ie_len; + } 
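Review bot: the clamp in the first hunk (@@ -1033,6 +1033,9 @@), `if (ie_len > sizeof(supportRate)) ie_len = sizeof(supportRate);`, stops the memcpy() overflow but silently truncates an oversized Supported Rates IE and then accepts the association. Since the commit message treats this as input from a malicious station, rejecting the frame (setting `status` and `goto OnAssocReqFail`, the pattern used a few lines above for the challenge failure) may be preferable to continuing with a frame already known to be malformed; at minimum a rate-limited debug line on the clamp path would make such stations visible in the logs.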
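Review bot: the corrected condition `if (supportRateNum + ie_len <= sizeof(supportRate))` in the second hunk (@@ -1040,7 +1043,7 @@) is the right bound for the memcpy() that follows, but it means an Extended Supported Rates IE that does not fully fit is dropped entirely rather than partially merged, with no log line; a debug message on that path would help when triaging odd rate sets. Also, `ie_len` at that point is whatever the second IE lookup (the call ending in `pkt_len - WLAN_HDR_A3_LEN - ie_offset);`) stored, not the clamped Supported Rates length from the first hunk; reusing one variable for both lengths is pre-existing, but it is exactly the kind of aliasing that produced the original overflow, so a separate `esr_len` would be cheap insurance.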
diff --git a/queue-6.17/wifi-rtl8xxxu-add-usb-id-2001-3328-for-d-link-an3u-rev.-a1.patch b/queue-6.17/wifi-rtl8xxxu-add-usb-id-2001-3328-for-d-link-an3u-rev.-a1.patch new file mode 100644 index 0000000000..fea88037c8 --- /dev/null +++ b/queue-6.17/wifi-rtl8xxxu-add-usb-id-2001-3328-for-d-link-an3u-rev.-a1.patch @@ -0,0 +1,36 @@ +From 3f9553f65d0b77b724565bbe42c4daa3fab57d5c Mon Sep 17 00:00:00 2001 +From: Zenm Chen +Date: Mon, 29 Sep 2025 11:57:18 +0800 +Subject: wifi: rtl8xxxu: Add USB ID 2001:3328 for D-Link AN3U rev. A1 + +From: Zenm Chen + +commit 3f9553f65d0b77b724565bbe42c4daa3fab57d5c upstream. + +Add USB ID 2001:3328 for D-Link AN3U rev. A1 which is a RTL8192FU-based +Wi-Fi adapter. + +Compile tested only. + +Cc: stable@vger.kernel.org # 6.6.x +Signed-off-by: Zenm Chen +Reviewed-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250929035719.6172-1-zenmchen@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtl8xxxu/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/realtek/rtl8xxxu/core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c +@@ -8113,6 +8113,9 @@ static const struct usb_device_id dev_ta + /* TP-Link TL-WN823N V2 */ + {USB_DEVICE_AND_INTERFACE_INFO(0x2357, 0x0135, 0xff, 0xff, 0xff), + .driver_info = (unsigned long)&rtl8192fu_fops}, ++/* D-Link AN3U rev. A1 */ ++{USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3328, 0xff, 0xff, 0xff), ++ .driver_info = (unsigned long)&rtl8192fu_fops}, + #ifdef CONFIG_RTL8XXXU_UNTESTED + /* Still supported by rtlwifi */ + {USB_DEVICE_AND_INTERFACE_INFO(USB_VENDOR_ID_REALTEK, 0x8176, 0xff, 0xff, 0xff), diff --git a/queue-6.17/wifi-rtw88-add-usb-id-2001-3329-for-d-link-ac13u-rev.-a1.patch b/queue-6.17/wifi-rtw88-add-usb-id-2001-3329-for-d-link-ac13u-rev.-a1.patch new file mode 100644 index 0000000000..7567b66742 --- /dev/null +++ b/queue-6.17/wifi-rtw88-add-usb-id-2001-3329-for-d-link-ac13u-rev.-a1.patch 
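Review bot: the new dev_table entry binds 2001:3328 to rtl8192fu_fops, and the commit message says "Compile tested only", so nothing in the hunk itself establishes that the device is RTL8192FU-based; a Tested-by, or a pointer to the source of the chip identification (vendor driver id table or a firmware/lsusb dump), would be good to have in the log before this reaches stable. Placement outside the `#ifdef CONFIG_RTL8XXXU_UNTESTED` block is consistent with that section's visible purpose ("Still supported by rtlwifi"), so no issue there.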
@@ -0,0 +1,35 @@ +From b377dcd9a286a6f81922ae442cd1c743bc4a2b35 Mon Sep 17 00:00:00 2001 +From: Zenm Chen +Date: Mon, 29 Sep 2025 11:57:19 +0800 +Subject: wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1 + +From: Zenm Chen + +commit b377dcd9a286a6f81922ae442cd1c743bc4a2b35 upstream. + +Add USB ID 2001:3329 for D-Link AC13U rev. A1 which is a RTL8812CU-based +Wi-Fi adapter. + +Compile tested only. + +Cc: stable@vger.kernel.org # 6.6.x +Signed-off-by: Zenm Chen +Acked-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20250929035719.6172-2-zenmchen@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/realtek/rtw88/rtw8822cu.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8822cu.c +@@ -21,6 +21,8 @@ static const struct usb_device_id rtw_88 + .driver_info = (kernel_ulong_t)&(rtw8822c_hw_spec) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x13b1, 0x0043, 0xff, 0xff, 0xff), + .driver_info = (kernel_ulong_t)&(rtw8822c_hw_spec) }, /* Alpha - Alpha */ ++ { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3329, 0xff, 0xff, 0xff), ++ .driver_info = (kernel_ulong_t)&(rtw8822c_hw_spec) }, /* D-Link AC13U rev. A1 */ + {}, + }; + MODULE_DEVICE_TABLE(usb, rtw_8822cu_id_table);