From: Greg Kroah-Hartman Date: Tue, 7 Apr 2026 11:19:07 +0000 (+0200) Subject: 5.10-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=16e18ff8fd01f60c428d0e40fbbad818658a034d;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch --- diff --git a/queue-5.10/drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch b/queue-5.10/drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch new file mode 100644 index 0000000000..028aafddf0 --- /dev/null +++ b/queue-5.10/drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch 
@@ -0,0 +1,51 @@ +From f8995c2df519f382525ca4bc90553ad2ec611067 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 24 Mar 2026 17:42:51 +0100 +Subject: drm/ioc32: stop speculation on the drm_compat_ioctl path + +From: Greg Kroah-Hartman + +commit f8995c2df519f382525ca4bc90553ad2ec611067 upstream. + +The drm compat ioctl path takes a user controlled pointer, and then +dereferences it into a table of function pointers, the signature method +of spectre problems. Fix this up by calling array_index_nospec() on the +index to the function pointer list. + +Fixes: 505b5240329b ("drm/ioctl: Fix Spectre v1 vulnerabilities") +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: Thomas Zimmermann +Cc: David Airlie +Cc: Simona Vetter +Cc: stable +Assisted-by: gkh_clanker_2000 +Signed-off-by: Greg Kroah-Hartman +Acked-by: Thomas Zimmermann +Acked-by: Maxime Ripard +Reviewed-by: Simona Vetter +Signed-off-by: Thomas Zimmermann +Link: https://patch.msgid.link/2026032451-playing-rummage-8fa2@gregkh +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_ioc32.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/drm_ioc32.c ++++ b/drivers/gpu/drm/drm_ioc32.c +@@ -28,6 +28,7 @@ + * IN THE SOFTWARE. + */ + #include ++#include + #include + #include + +@@ -992,6 +993,7 @@ long drm_compat_ioctl(struct file *filp, + if (nr >= ARRAY_SIZE(drm_compat_ioctls)) + return drm_ioctl(filp, cmd, arg); + ++ nr = array_index_nospec(nr, ARRAY_SIZE(drm_compat_ioctls)); + fn = drm_compat_ioctls[nr].fn; + if (!fn) + return drm_ioctl(filp, cmd, arg); diff --git a/queue-5.10/series b/queue-5.10/series index 3459bca0ca..a3e1f19afe 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
@@ -365,3 +365,5 @@ media-dvb-frontends-w7090p-fix-null-ptr-deref-in-w70.patch hwmon-pxe1610-check-return-value-of-page-select-writ.patch hwmon-occ-fix-missing-newline-in-occ_show_extended.patch riscv-kgdb-fix-several-debug-register-assignment-bug.patch +drm-ioc32-stop-speculation-on-the-drm_compat_ioctl-path.patch +wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch diff --git a/queue-5.10/wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch b/queue-5.10/wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch new file mode 100644 index 0000000000..1ac347ec9a --- /dev/null +++ b/queue-5.10/wifi-wilc1000-fix-u8-overflow-in-ssid-scan-buffer-size-calculation.patch 
@@ -0,0 +1,42 @@ +From d049e56b1739101d1c4d81deedb269c52a8dbba0 Mon Sep 17 00:00:00 2001 +From: Yasuaki Torimaru +Date: Tue, 24 Mar 2026 19:06:24 +0900 +Subject: wifi: wilc1000: fix u8 overflow in SSID scan buffer size calculation + +From: Yasuaki Torimaru + +commit d049e56b1739101d1c4d81deedb269c52a8dbba0 upstream. + +The variable valuesize is declared as u8 but accumulates the total +length of all SSIDs to scan. Each SSID contributes up to 33 bytes +(IEEE80211_MAX_SSID_LEN + 1), and with WILC_MAX_NUM_PROBED_SSID (10) +SSIDs the total can reach 330, which wraps around to 74 when stored +in a u8. + +This causes kmalloc to allocate only 75 bytes while the subsequent +memcpy writes up to 331 bytes into the buffer, resulting in a 256-byte +heap buffer overflow. + +Widen valuesize from u8 to u32 to accommodate the full range. + +Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver") +Cc: stable@vger.kernel.org +Signed-off-by: Yasuaki Torimaru +Link: https://patch.msgid.link/20260324100624.983458-1-yasuakitorimaru@gmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/microchip/wilc1000/hif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/microchip/wilc1000/hif.c ++++ b/drivers/net/wireless/microchip/wilc1000/hif.c +@@ -157,7 +157,7 @@ int wilc_scan(struct wilc_vif *vif, u8 s + u32 index = 0; + u32 i, scan_timeout; + u8 *buffer; +- u8 valuesize = 0; ++ u32 valuesize = 0; + u8 *search_ssid_vals = NULL; + struct host_if_drv *hif_drv = vif->hif_drv; +
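Review bot: In the second hunk of drivers/gpu/drm/drm_ioc32.c (drm_compat_ioctl), the added `nr = array_index_nospec(nr, ARRAY_SIZE(drm_compat_ioctls));` line has no comment, and it only works because it sits between the `nr >= ARRAY_SIZE(drm_compat_ioctls)` check and the `fn = drm_compat_ioctls[nr].fn;` load. A short comment would keep a later refactor from moving the load ahead of the clamp or dropping the clamp as redundant. It should say that the bounds check above does not constrain speculative execution and that the clamp has to stay directly before the table access. The early `return drm_ioctl(filp, cmd, arg);` path does not index this table with `nr`, so leaving it unclamped here is consistent. Separately, the commit message describes a "user controlled pointer" while the code clamps an index into the function-pointer table. Wording the message in terms of the index would match what the hunk does.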
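Review bot: In the wilc_scan hunk of drivers/net/wireless/microchip/wilc1000/hif.c, changing `u8 valuesize = 0;` to `u32 valuesize = 0;` removes the wrap at 256, but nothing in the visible context bounds the accumulated total. The fix therefore relies on the limits quoted in the commit message (at most WILC_MAX_NUM_PROBED_SSID entries of up to IEEE80211_MAX_SSID_LEN + 1 bytes each, 330 in total) being enforced before the loop that sums the lengths. Please confirm that the SSID count and each SSID length are validated before they are added to `valuesize`, or add that check in wilc_scan, so the allocation size and the later memcpy length come from the same checked values. Since the hunk shows only the declaration, also check that no later use of `valuesize` in the function stores it into a narrower field, which would reintroduce the truncation. `size_t` would be the more conventional type for a kmalloc size, although `u32` does match the neighbouring `u32 index`.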