From: Greg Kroah-Hartman Date: Tue, 17 Mar 2026 11:47:52 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.18.19~55 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=470d82b0457bedc311c6b1027b6bfa500d2c08a1;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch
---
diff --git a/queue-5.10/irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch b/queue-5.10/irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch
new file mode 100644
index 0000000000..05e37aaf8a
--- /dev/null
+++ b/queue-5.10/irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch
@@ -0,0 +1,62 @@
+From ce9e40a9a5e5cff0b1b0d2fa582b3d71a8ce68e8 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Fri, 6 Feb 2026 15:48:16 +0000
+Subject: irqchip/gic-v3-its: Limit number of per-device MSIs to the range the ITS supports
+
+From: Marc Zyngier
+
+commit ce9e40a9a5e5cff0b1b0d2fa582b3d71a8ce68e8 upstream.
+
+The ITS driver blindly assumes that EventIDs are in abundant supply, to the
+point where it never checks how many the hardware actually supports.
+
+It turns out that some pretty esoteric integrations make it so that only a
+few bits are available, all the way down to a single bit.
+
+Enforce the advertised limitation at the point of allocating the device
+structure, and hope that the endpoint driver can deal with such limitation.
+
+Fixes: 84a6a2e7fc18d ("irqchip: GICv3: ITS: device allocation and configuration")
+Signed-off-by: Marc Zyngier
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Robin Murphy
+Reviewed-by: Zenghui Yu
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20260206154816.3582887-1-maz@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/irqchip/irq-gic-v3-its.c | 4 ++++
+ include/linux/irqchip/arm-gic-v3.h | 1 +
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -3382,6 +3382,7 @@ static struct its_device *its_create_dev
+ int lpi_base;
+ int nr_lpis;
+ int nr_ites;
++ int id_bits;
+ int sz;
+
+ if (!its_alloc_device_table(its, dev_id))
+@@ -3394,7 +3395,10 @@ static struct its_device *its_create_dev
+ /*
+ * Even if the device wants a single LPI, the ITT must be
+ * sized as a power of two (and you need at least one bit...).
++ * Also honor the ITS's own EID limit.
+ */
++ id_bits = FIELD_GET(GITS_TYPER_IDBITS, its->typer) + 1;
++ nvecs = min_t(unsigned int, nvecs, BIT(id_bits));
+ nr_ites = max(2, nvecs);
+ sz = nr_ites * (FIELD_GET(GITS_TYPER_ITT_ENTRY_SIZE, its->typer) + 1);
+ sz = max(sz, ITS_ITT_ALIGN) + ITS_ITT_ALIGN - 1;
+--- a/include/linux/irqchip/arm-gic-v3.h
++++ b/include/linux/irqchip/arm-gic-v3.h
+@@ -392,6 +392,7 @@
+ #define GITS_TYPER_VLPIS (1UL << 1)
+ #define GITS_TYPER_ITT_ENTRY_SIZE_SHIFT 4
+ #define GITS_TYPER_ITT_ENTRY_SIZE GENMASK_ULL(7, 4)
++#define GITS_TYPER_IDBITS GENMASK_ULL(12, 8)
+ #define GITS_TYPER_IDBITS_SHIFT 8
+ #define GITS_TYPER_DEVBITS_SHIFT 13
+ #define GITS_TYPER_DEVBITS GENMASK_ULL(17, 13)
diff --git a/queue-5.10/series b/queue-5.10/series
index 8b43c24cf2..5409efa687 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -109,3 +109,6 @@ libceph-fix-potential-out-of-bounds-access-in-ceph_handle_auth_reply.patch
 ceph-fix-i_nlink-underrun-during-async-unlink.patch
 time-add-kernel-doc-in-time.c.patch
 time-jiffies-mark-jiffies_64_to_clock_t-notrace.patch
+irqchip-gic-v3-its-limit-number-of-per-device-msis-to-the-range-the-its-supports.patch
+staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch
+staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch
diff --git a/queue-5.10/staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch b/queue-5.10/staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch
new file mode 100644
index 0000000000..a6c3a630f4
--- /dev/null
+++ b/queue-5.10/staging-rtl8723bs-fix-potential-out-of-bounds-read-in-rtw_restruct_wmm_ie.patch
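Review bot: In the its_create_device() hunk of the gic-v3-its patch, `BIT(id_bits)` is narrowed to `unsigned int` by `min_t`, yet `id_bits` can reach 32, because the field added as `GENMASK_ULL(12, 8)` is five bits wide and one is added to it. With the usual `unsigned long` definition of `BIT()`, a 64-bit build would truncate that bound to 0 and a 32-bit build would shift by the full type width, so an ITS advertising the widest EventID range would clamp `nvecs` to 0 rather than leave it untouched. A wider comparison avoids both cases, for example `nvecs = min_t(u64, nvecs, BIT_ULL(id_bits));`, assuming `nvecs` is never negative at this point. The function starts and ends outside the hunk, so what the later code does with a zero `nvecs` cannot be checked from this page.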
@@ -0,0 +1,39 @@
+From a75281626fc8fa6dc6c9cc314ee423e8bc45203b Mon Sep 17 00:00:00 2001
+From: Luka Gejak
+Date: Tue, 24 Feb 2026 14:26:47 +0100
+Subject: staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
+
+From: Luka Gejak
+
+commit a75281626fc8fa6dc6c9cc314ee423e8bc45203b upstream.
+
+The current code checks 'i + 5 < in_len' at the end of the if statement.
+However, it accesses 'in_ie[i + 5]' before that check, which can lead
+to an out-of-bounds read. Move the length check to the beginning of the
+conditional to ensure the index is within bounds before accessing the
+array.
+
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Cc: stable
+Signed-off-by: Luka Gejak
+Reviewed-by: Dan Carpenter
+Link: https://patch.msgid.link/20260224132647.11642-2-luka.gejak@linux.dev
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8723bs/core/rtw_mlme.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
++++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
+@@ -2257,7 +2257,10 @@ int rtw_restruct_wmm_ie(struct adapter *
+ while (i < in_len) {
+ ielength = initial_out_len;
+
+- if (in_ie[i] == 0xDD && in_ie[i+2] == 0x00 && in_ie[i+3] == 0x50 && in_ie[i+4] == 0xF2 && in_ie[i+5] == 0x02 && i+5 < in_len) { /* WMM element ID and OUI */
++ if (i + 5 < in_len &&
++ in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 &&
++ in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 &&
++ in_ie[i + 5] == 0x02) {
+ for (j = i; j < i + 9; j++) {
+ out_ie[ielength] = in_ie[j];
+ ielength++;
diff --git a/queue-5.10/staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch b/queue-5.10/staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch
new file mode 100644
index 0000000000..c4095c697f
--- /dev/null
+++ b/queue-5.10/staging-rtl8723bs-properly-validate-the-data-in-rtw_get_ie_ex.patch
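Review bot: The reordered condition in rtw_restruct_wmm_ie() bounds the reads only up to `in_ie[i + 5]`, while the loop directly below it copies `in_ie[i]` through `in_ie[i + 8]`, so up to three bytes past `in_len` can still be read when a matching element sits at the very end of the buffer. Checking the whole copied span closes that gap: `if (i + 9 <= in_len &&` in place of `if (i + 5 < in_len &&`. The rewrite also drops the `/* WMM element ID and OUI */` comment, which is worth keeping above the condition. The hunk shows no bound on `out_ie[ielength]` either; the output buffer's size and the rest of the loop lie outside the hunk, so that needs confirming against the callers.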
@@ -0,0 +1,57 @@
+From f0109b9d3e1e455429279d602f6276e34689750a Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Mon, 23 Feb 2026 14:31:35 +0100
+Subject: staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
+
+From: Greg Kroah-Hartman
+
+commit f0109b9d3e1e455429279d602f6276e34689750a upstream.
+
+Just like in commit 154828bf9559 ("staging: rtl8723bs: fix out-of-bounds
+read in rtw_get_ie() parser"), we don't trust the data in the frame so
+we should check the length better before acting on it
+
+Cc: stable
+Assisted-by: gkh_clanker_2000
+Tested-by: Navaneeth K
+Reviewed-by: Navaneeth K
+Link: https://patch.msgid.link/2026022336-arrange-footwork-6e54@gregkh
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
++++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+@@ -194,21 +194,25 @@ u8 *rtw_get_ie_ex(u8 *in_ie, uint in_len
+
+ cnt = 0;
+
+- while (cnt < in_len) {
++ while (cnt + 2 <= in_len) {
++ u8 ie_len = in_ie[cnt + 1];
++
++ if (cnt + 2 + ie_len > in_len)
++ break;
++
+ if (eid == in_ie[cnt]
+- && (!oui || !memcmp(&in_ie[cnt+2], oui, oui_len))) {
++ && (!oui || (ie_len >= oui_len && !memcmp(&in_ie[cnt + 2], oui, oui_len)))) {
+ target_ie = &in_ie[cnt];
+
+ if (ie)
+- memcpy(ie, &in_ie[cnt], in_ie[cnt+1]+2);
++ memcpy(ie, &in_ie[cnt], ie_len + 2);
+
+ if (ielen)
+- *ielen = in_ie[cnt+1]+2;
++ *ielen = ie_len + 2;
+
+ break;
+- } else {
+- cnt += in_ie[cnt+1]+2; /* goto next */
+ }
++ cnt += ie_len + 2; /* goto next */
+ }
+
+ return target_ie;
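Review bot: The source side of rtw_get_ie_ex() is now bounded, but `memcpy(ie, &in_ie[cnt], ie_len + 2)` still writes up to 257 bytes into a caller-supplied `ie` whose capacity the function never sees. Since the visible signature carries no output size, that contract should at least be documented on the function, for example `/* @ie, if non-NULL, must have room for 257 bytes (2-byte header plus up to 255 bytes of body) */`. The same comment could state that `*ielen` is written only when a matching element is found, which is what the visible loop does. The function starts outside the hunk and its callers are not shown, so whether every caller passes a large enough buffer needs a separate audit.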