From: Greg Kroah-Hartman
Date: Tue, 9 Dec 2025 04:36:35 +0000 (+0900)
Subject: 5.10-stable patches
X-Git-Tag: v6.12.62~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3ac7b049b81f4c72becfa2044d127a8c14d88f9;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
comedi-c6xdigio-fix-invalid-pnp-driver-unregistration.patch
comedi-check-device-s-attached-status-in-compat-ioctls.patch
comedi-multiq3-sanitize-config-options-in-multiq3_attach.patch
staging-rtl8723bs-fix-stack-buffer-overflow-in-onassocreq-ie-parsing.patch
---
diff --git a/queue-5.10/comedi-c6xdigio-fix-invalid-pnp-driver-unregistration.patch b/queue-5.10/comedi-c6xdigio-fix-invalid-pnp-driver-unregistration.patch
new file mode 100644
index 0000000000..6f5a1447ff
--- /dev/null
+++ b/queue-5.10/comedi-c6xdigio-fix-invalid-pnp-driver-unregistration.patch
@@ -0,0 +1,166 @@ +From 72262330f7b3ad2130e800cecf02adcce3c32c77 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Thu, 23 Oct 2025 13:31:41 +0100 +Subject: comedi: c6xdigio: Fix invalid PNP driver unregistration + +From: Ian Abbott + +commit 72262330f7b3ad2130e800cecf02adcce3c32c77 upstream. + +The Comedi low-level driver "c6xdigio" seems to be for a parallel port +connected device. When the Comedi core calls the driver's Comedi +"attach" handler `c6xdigio_attach()` to configure a Comedi to use this +driver, it tries to enable the parallel port PNP resources by +registering a PNP driver with `pnp_register_driver()`, but ignores the +return value. (The `struct pnp_driver` it uses has only the `name` and +`id_table` members filled in.) The driver's Comedi "detach" handler +`c6xdigio_detach()` unconditionally unregisters the PNP driver with +`pnp_unregister_driver()`. + +It is possible for `c6xdigio_attach()` to return an error before it +calls `pnp_register_driver()` and it is possible for the call to +`pnp_register_driver()` to return an error (that is ignored). In both +cases, the driver should not be calling `pnp_unregister_driver()` as it +does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be +called by the Comedi core if `c6xdigio_attach()` returns an error, or if +the Comedi core decides to detach the Comedi device from the driver for +some other reason.) + +The unconditional call to `pnp_unregister_driver()` without a previous +successful call to `pnp_register_driver()` will cause +`driver_unregister()` to issue a warning "Unexpected driver +unregister!". This was detected by Syzbot [1]. + +Also, the PNP driver registration and unregistration should be done at +module init and exit time, respectively, not when attaching or detaching +Comedi devices to the driver. (There might be more than one Comedi +device being attached to the driver, although that is unlikely.) 
+ +Change the driver to do the PNP driver registration at module init time, +and the unregistration at module exit time. Since `c6xdigio_detach()` +now only calls `comedi_legacy_detach()`, remove the function and change +the Comedi driver "detach" handler to `comedi_legacy_detach`. + +------------------------------------------- +[1] Syzbot sample crash report: +Unexpected driver unregister! +WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline] +WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270 +Modules linked in: +CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 +RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline] +RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270 +Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41 +RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8 +RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001 +RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660 +R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000 +FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0 +Call Trace: + + comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207 + comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215 + comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011 + do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872 + 
comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178 + vfs_ioctl fs/ioctl.c:51 [inline] + __do_sys_ioctl fs/ioctl.c:597 [inline] + __se_sys_ioctl fs/ioctl.c:583 [inline] + __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f +RIP: 0033:0x7fc05798eec9 +Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffcf8184238 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007fc057be5fa0 RCX: 00007fc05798eec9 +RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003 +RBP: 00007fc057a11f91 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 +R13: 00007fc057be5fa0 R14: 00007fc057be5fa0 R15: 0000000000000003 + +------------------------------------------- + +Reported-by: syzbot+6616bba359cec7a1def1@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=6616bba359cec7a1def1 +Fixes: 2c89e159cd2f ("Staging: comedi: add c6xdigio driver") +Cc: stable +Signed-off-by: Ian Abbott +Link: https://patch.msgid.link/20251023123141.6537-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/comedi/drivers/c6xdigio.c | 46 ++++++++++++++++++++++-------- + 1 file changed, 35 insertions(+), 11 deletions(-) + +--- a/drivers/staging/comedi/drivers/c6xdigio.c ++++ b/drivers/staging/comedi/drivers/c6xdigio.c +@@ -250,9 +250,6 @@ static int c6xdigio_attach(struct comedi + if (ret) + return ret; + +- /* Make sure that PnP ports get activated */ +- pnp_register_driver(&c6xdigio_pnp_driver); +- + s = &dev->subdevices[0]; + /* pwm output subdevice */ + s->type = COMEDI_SUBD_PWM; +@@ -279,19 +276,46 @@ static int c6xdigio_attach(struct comedi + return 
0; + } + +-static void c6xdigio_detach(struct comedi_device *dev) +-{ +- comedi_legacy_detach(dev); +- pnp_unregister_driver(&c6xdigio_pnp_driver); +-} +- + static struct comedi_driver c6xdigio_driver = { + .driver_name = "c6xdigio", + .module = THIS_MODULE, + .attach = c6xdigio_attach, +- .detach = c6xdigio_detach, ++ .detach = comedi_legacy_detach, + }; +-module_comedi_driver(c6xdigio_driver); ++ ++static bool c6xdigio_pnp_registered = false; ++ ++static int __init c6xdigio_module_init(void) ++{ ++ int ret; ++ ++ ret = comedi_driver_register(&c6xdigio_driver); ++ if (ret) ++ return ret; ++ ++ if (IS_ENABLED(CONFIG_PNP)) { ++ /* Try to activate the PnP ports */ ++ ret = pnp_register_driver(&c6xdigio_pnp_driver); ++ if (ret) { ++ pr_warn("failed to register pnp driver - err %d\n", ++ ret); ++ ret = 0; /* ignore the error. */ ++ } else { ++ c6xdigio_pnp_registered = true; ++ } ++ } ++ ++ return 0; ++} ++module_init(c6xdigio_module_init); ++ ++static void __exit c6xdigio_module_exit(void) ++{ ++ if (c6xdigio_pnp_registered) ++ pnp_unregister_driver(&c6xdigio_pnp_driver); ++ comedi_driver_unregister(&c6xdigio_driver); ++} ++module_exit(c6xdigio_module_exit); + + MODULE_AUTHOR("Comedi https://www.comedi.org"); + MODULE_DESCRIPTION("Comedi driver for the C6x_DIGIO DSP daughter card"); diff --git a/queue-5.10/comedi-check-device-s-attached-status-in-compat-ioctls.patch b/queue-5.10/comedi-check-device-s-attached-status-in-compat-ioctls.patch new file mode 100644 index 0000000000..5f095e6c06 --- /dev/null +++ b/queue-5.10/comedi-check-device-s-attached-status-in-compat-ioctls.patch 
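Review bot: In the second hunk of the c6xdigio patch, `static bool c6xdigio_pnp_registered = false;` explicitly initialises a static to false, which checkpatch flags ("do not initialise statics to false"); the kernel idiom is `static bool c6xdigio_pnp_registered;`, which is zeroed in .bss just the same. The init/exit pairing itself looks correct: the flag is only set after `pnp_register_driver()` succeeds, `c6xdigio_attach()` no longer registers anything, and `c6xdigio_module_exit()` unregisters in reverse order only when the flag is set, so the unconditional `pnp_unregister_driver()` that produced the "Unexpected driver unregister!" warning in the report is gone. One small logging point: `pr_warn("failed to register pnp driver - err %d\n", ret);` carries no driver name, so consider prefixing the message with "c6xdigio: " (or a `pr_fmt` define) so the line is attributable when it shows up in dmesg.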
@@ -0,0 +1,146 @@ +From 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Thu, 23 Oct 2025 16:22:32 +0300 +Subject: comedi: check device's attached status in compat ioctls + +From: Nikita Zhandarovich + +commit 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee upstream. + +Syzbot identified an issue [1] that crashes kernel, seemingly due to +unexistent callback dev->get_valid_routes(). By all means, this should +not occur as said callback must always be set to +get_zero_valid_routes() in __comedi_device_postconfig(). + +As the crash seems to appear exclusively in i386 kernels, at least, +judging from [1] reports, the blame lies with compat versions +of standard IOCTL handlers. Several of them are modified and +do not use comedi_unlocked_ioctl(). While functionality of these +ioctls essentially copy their original versions, they do not +have required sanity check for device's attached status. This, +in turn, leads to a possibility of calling select IOCTLs on a +device that has not been properly setup, even via COMEDI_DEVCONFIG. + +Doing so on unconfigured devices means that several crucial steps +are missed, for instance, specifying dev->get_valid_routes() +callback. + +Fix this somewhat crudely by ensuring device's attached status before +performing any ioctls, improving logic consistency between modern +and compat functions. + +[1] Syzbot report: +BUG: kernel NULL pointer dereference, address: 0000000000000000 +... 
+CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0 +Call Trace: + + get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline] + parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401 + do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594 + compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline] + comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273 + __do_compat_sys_ioctl fs/ioctl.c:695 [inline] + __se_compat_sys_ioctl fs/ioctl.c:638 [inline] + __ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638 + do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] +... + +Reported-by: syzbot+ab8008c24e84adee93ff@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=ab8008c24e84adee93ff +Fixes: 3fbfd2223a27 ("comedi: get rid of compat_alloc_user_space() mess in COMEDI_CHANINFO compat") +Cc: stable +Reviewed-by: Ian Abbott +Signed-off-by: Nikita Zhandarovich +Link: https://patch.msgid.link/20251023132234.395794-1-n.zhandarovich@fintech.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/comedi/comedi_fops.c | 42 ++++++++++++++++++++++++++++++----- + 1 file changed, 36 insertions(+), 6 deletions(-) + +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -2961,7 +2961,12 @@ static int compat_chaninfo(struct file * + chaninfo.rangelist = compat_ptr(chaninfo32.rangelist); + + mutex_lock(&dev->mutex); +- err = do_chaninfo_ioctl(dev, &chaninfo); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ err = -ENODEV; ++ } else { ++ err = do_chaninfo_ioctl(dev, &chaninfo); ++ } + mutex_unlock(&dev->mutex); + return err; + } +@@ -2982,7 +2987,12 @@ static int compat_rangeinfo(struct file + rangeinfo.range_ptr = compat_ptr(rangeinfo32.range_ptr); + + mutex_lock(&dev->mutex); +- err = do_rangeinfo_ioctl(dev, &rangeinfo); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ err = -ENODEV; ++ } else { ++ err = 
do_rangeinfo_ioctl(dev, &rangeinfo); ++ } + mutex_unlock(&dev->mutex); + return err; + } +@@ -3058,7 +3068,12 @@ static int compat_cmd(struct file *file, + return rc; + + mutex_lock(&dev->mutex); +- rc = do_cmd_ioctl(dev, &cmd, ©, file); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ rc = -ENODEV; ++ } else { ++ rc = do_cmd_ioctl(dev, &cmd, ©, file); ++ } + mutex_unlock(&dev->mutex); + if (copy) { + /* Special case: copy cmd back to user. */ +@@ -3083,7 +3098,12 @@ static int compat_cmdtest(struct file *f + return rc; + + mutex_lock(&dev->mutex); +- rc = do_cmdtest_ioctl(dev, &cmd, ©, file); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ rc = -ENODEV; ++ } else { ++ rc = do_cmdtest_ioctl(dev, &cmd, ©, file); ++ } + mutex_unlock(&dev->mutex); + if (copy) { + err = put_compat_cmd(compat_ptr(arg), &cmd); +@@ -3143,7 +3163,12 @@ static int compat_insnlist(struct file * + } + + mutex_lock(&dev->mutex); +- rc = do_insnlist_ioctl(dev, insns, insnlist32.n_insns, file); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ rc = -ENODEV; ++ } else { ++ rc = do_insnlist_ioctl(dev, insns, insnlist32.n_insns, file); ++ } + mutex_unlock(&dev->mutex); + kfree(insns); + return rc; +@@ -3162,7 +3187,12 @@ static int compat_insn(struct file *file + return rc; + + mutex_lock(&dev->mutex); +- rc = do_insn_ioctl(dev, &insn, file); ++ if (!dev->attached) { ++ dev_dbg(dev->class_dev, "no driver attached\n"); ++ rc = -ENODEV; ++ } else { ++ rc = do_insn_ioctl(dev, &insn, file); ++ } + mutex_unlock(&dev->mutex); + return rc; + } diff --git a/queue-5.10/comedi-multiq3-sanitize-config-options-in-multiq3_attach.patch b/queue-5.10/comedi-multiq3-sanitize-config-options-in-multiq3_attach.patch new file mode 100644 index 0000000000..e611226b8f --- /dev/null +++ b/queue-5.10/comedi-multiq3-sanitize-config-options-in-multiq3_attach.patch 
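Review bot: The same five-line `if (!dev->attached) { dev_dbg(dev->class_dev, "no driver attached\n"); rc = -ENODEV; } else { ... }` block is pasted into all six hunks (compat_chaninfo, compat_rangeinfo, compat_cmd, compat_cmdtest, compat_insnlist, compat_insn); a small helper called with `dev->mutex` held would keep the attached-status rule in one place so that the next compat handler added cannot skip it, which is exactly how this NULL `get_valid_routes` dereference arose. Also worth confirming for the `compat_cmd` and `compat_cmdtest` hunks: on the new `-ENODEV` path `do_cmd_ioctl()`/`do_cmdtest_ioctl()` never run, yet control still falls through to `if (copy) { ... }` after `mutex_unlock()`, so `copy` must be initialised to false before the lock is taken; its declaration is outside the visible context of these hunks.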
@@ -0,0 +1,81 @@ +From f24c6e3a39fa355dabfb684c9ca82db579534e72 Mon Sep 17 00:00:00 2001 +From: Nikita Zhandarovich +Date: Thu, 23 Oct 2025 16:22:04 +0300 +Subject: comedi: multiq3: sanitize config options in multiq3_attach() + +From: Nikita Zhandarovich + +commit f24c6e3a39fa355dabfb684c9ca82db579534e72 upstream. + +Syzbot identified an issue [1] in multiq3_attach() that induces a +task timeout due to open() or COMEDI_DEVCONFIG ioctl operations, +specifically, in the case of multiq3 driver. + +This problem arose when syzkaller managed to craft weird configuration +options used to specify the number of channels in encoder subdevice. +If a particularly great number is passed to s->n_chan in +multiq3_attach() via it->options[2], then multiple calls to +multiq3_encoder_reset() at the end of driver-specific attach() method +will be running for minutes, thus blocking tasks and affected devices +as well. + +While this issue is most likely not too dangerous for real-life +devices, it still makes sense to sanitize configuration inputs. Enable +a sensible limit on the number of encoder chips (4 chips max, each +with 2 channels) to stop this behaviour from manifesting. + +[1] Syzbot crash: +INFO: task syz.2.19:6067 blocked for more than 143 seconds. +... +Call Trace: + + context_switch kernel/sched/core.c:5254 [inline] + __schedule+0x17c4/0x4d60 kernel/sched/core.c:6862 + __schedule_loop kernel/sched/core.c:6944 [inline] + schedule+0x165/0x360 kernel/sched/core.c:6959 + schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016 + __mutex_lock_common kernel/locking/mutex.c:676 [inline] + __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760 + comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868 + chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414 + do_dentry_open+0x953/0x13f0 fs/open.c:965 + vfs_open+0x3b/0x340 fs/open.c:1097 +... 
+ +Reported-by: syzbot+7811bb68a317954a0347@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=7811bb68a317954a0347 +Fixes: 77e01cdbad51 ("Staging: comedi: add multiq3 driver") +Cc: stable +Signed-off-by: Nikita Zhandarovich +Reviewed-by: Ian Abbott +Link: https://patch.msgid.link/20251023132205.395753-1-n.zhandarovich@fintech.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/comedi/drivers/multiq3.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/staging/comedi/drivers/multiq3.c ++++ b/drivers/staging/comedi/drivers/multiq3.c +@@ -68,6 +68,11 @@ + #define MULTIQ3_TRSFRCNTR_OL 0x10 /* xfer CNTR to OL (x and y) */ + #define MULTIQ3_EFLAG_RESET 0x06 /* reset E bit of flag reg */ + ++/* ++ * Limit on the number of optional encoder channels ++ */ ++#define MULTIQ3_MAX_ENC_CHANS 8 ++ + static void multiq3_set_ctrl(struct comedi_device *dev, unsigned int bits) + { + /* +@@ -313,6 +318,10 @@ static int multiq3_attach(struct comedi_ + s->insn_read = multiq3_encoder_insn_read; + s->insn_config = multiq3_encoder_insn_config; + ++ /* sanity check for number of encoder channels */ ++ if (s->n_chan > MULTIQ3_MAX_ENC_CHANS) ++ s->n_chan = MULTIQ3_MAX_ENC_CHANS; ++ + for (i = 0; i < s->n_chan; i++) + multiq3_encoder_reset(dev, i); + diff --git a/queue-5.10/series b/queue-5.10/series index af3d28711a..6513653cb3 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -22,3 +22,7 @@ pinctrl-qcom-msm-fix-deadlock-in-pinmux-configuratio.patch platform-x86-acer-wmi-ignore-backlight-event.patch platform-x86-huawei-wmi-add-keys-for-honor-models.patch samples-work-around-glibc-redefining-some-of-our-def.patch +comedi-c6xdigio-fix-invalid-pnp-driver-unregistration.patch +comedi-multiq3-sanitize-config-options-in-multiq3_attach.patch +comedi-check-device-s-attached-status-in-compat-ioctls.patch +staging-rtl8723bs-fix-stack-buffer-overflow-in-onassocreq-ie-parsing.patch 
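Review bot: In the second hunk of the multiq3 patch, `if (s->n_chan > MULTIQ3_MAX_ENC_CHANS) s->n_chan = MULTIQ3_MAX_ENC_CHANS;` silently rewrites a user-supplied `it->options[2]` instead of reporting it; since the value arrives via COMEDI_DEVCONFIG, a `dev_warn()` on clamp or a `return -EINVAL` would tell the administrator that their configuration was not honoured rather than quietly attaching with 8 encoder channels. The comment on the new define in the first hunk, "Limit on the number of optional encoder channels", should also state where 8 comes from (the commit message explains it as 4 encoder chips with 2 channels each), otherwise the constant reads as arbitrary to the next person touching the driver.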
diff --git a/queue-5.10/staging-rtl8723bs-fix-stack-buffer-overflow-in-onassocreq-ie-parsing.patch b/queue-5.10/staging-rtl8723bs-fix-stack-buffer-overflow-in-onassocreq-ie-parsing.patch new file mode 100644 index 0000000000..fa08ab768a --- /dev/null +++ b/queue-5.10/staging-rtl8723bs-fix-stack-buffer-overflow-in-onassocreq-ie-parsing.patch 
@@ -0,0 +1,49 @@ +From 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 Mon Sep 17 00:00:00 2001 +From: Navaneeth K +Date: Thu, 20 Nov 2025 16:33:08 +0000 +Subject: staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing + +From: Navaneeth K + +commit 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 upstream. + +The Supported Rates IE length from an incoming Association Request frame +was used directly as the memcpy() length when copying into a fixed-size +16-byte stack buffer (supportRate). A malicious station can advertise an +IE length larger than 16 bytes, causing a stack buffer overflow. + +Clamp ie_len to the buffer size before copying the Supported Rates IE, +and correct the bounds check when merging Extended Supported Rates to +prevent a second potential overflow. + +This prevents kernel stack corruption triggered by malformed association +requests. + +Signed-off-by: Navaneeth K +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c ++++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c +@@ -1281,6 +1281,9 @@ unsigned int OnAssocReq(struct adapter * + status = _STATS_FAILURE_; + goto OnAssocReqFail; + } else { ++ if (ie_len > sizeof(supportRate)) ++ ie_len = sizeof(supportRate); ++ + memcpy(supportRate, p+2, ie_len); + supportRateNum = ie_len; + +@@ -1288,7 +1291,7 @@ unsigned int OnAssocReq(struct adapter * + pkt_len - WLAN_HDR_A3_LEN - ie_offset); + if (p != NULL) { + +- if (supportRateNum <= sizeof(supportRate)) { ++ if (supportRateNum + ie_len <= sizeof(supportRate)) { + memcpy(supportRate+supportRateNum, p+2, ie_len); + supportRateNum += ie_len; + }
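Review bot: The trailers of the rtl8723bs patch carry only `Signed-off-by:` and `Cc: stable`, with no `Fixes:` tag, unlike the other three patches in this batch; since the overflow is in the original `memcpy(supportRate, p+2, ie_len);` in `OnAssocReq()`, a `Fixes:` pointing at the commit that introduced that code would help stable maintainers place the backport. On the first hunk, clamping `ie_len` to `sizeof(supportRate)` stops the write past the 16-byte buffer but silently accepts a truncated rate set; the surrounding code already has a reject path (`status = _STATS_FAILURE_; goto OnAssocReqFail;`) for a missing Supported Rates IE, and an oversized one is equally malformed, so rejecting it the same way is arguably cleaner than clamping. The second hunk's change to `if (supportRateNum + ie_len <= sizeof(supportRate))` is the right fix: the old check compared `supportRateNum` alone against the buffer size, so the following `memcpy(supportRate+supportRateNum, p+2, ie_len);` could still run past the end by up to `ie_len` bytes.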