<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/staging, branch v7.2-rc3</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>staging: rtl8723bs: fix OOB reads in rtw_get_sec_ie(), rtw_get_wapi_ie(), and rtw_get_wps_attr()</title>
<updated>2026-07-07T11:43:27+00:00</updated>
<author>
<name>Alexandru Hossu</name>
<email>hossu.alexandru@gmail.com</email>
</author>
<published>2026-05-22T00:45:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1463ca3ec6601cbb097d8d87dbf5dcf1cb86a344'/>
<id>1463ca3ec6601cbb097d8d87dbf5dcf1cb86a344</id>
<content type='text'>
Three IE/attribute parsing functions have missing bounds checks.

rtw_get_sec_ie() and rtw_get_wapi_ie() iterate over a raw IE buffer
without verifying that the header bytes (tag + length) are within the
remaining buffer before reading them.  Additionally, rtw_get_sec_ie()
compares the 4-byte WPA OUI at cnt+2 without checking that at least
6 bytes remain, and rtw_get_wapi_ie() compares a 4-byte WAPI OUI at
cnt+6 without checking that at least 10 bytes remain.

rtw_get_wps_attr() reads wps_ie[0] and wps_ie+2 unconditionally at
entry, before verifying that wps_ielen is large enough to contain
the 6-byte WPS IE header (element_id + length + 4-byte OUI).  Inside
the attribute loop, get_unaligned_be16() is called on attr_ptr and
attr_ptr+2 without checking that 4 bytes remain in the buffer.

Add a cnt+2 bounds check before each loop body in rtw_get_sec_ie()
and rtw_get_wapi_ie(), guard each multi-byte comparison with a minimum
IE length requirement, add a wps_ielen &lt; 6 early return in
rtw_get_wps_attr(), and add a 4-byte bounds check in its inner loop.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004531.1038924-8-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Three IE/attribute parsing functions have missing bounds checks.

rtw_get_sec_ie() and rtw_get_wapi_ie() iterate over a raw IE buffer
without verifying that the header bytes (tag + length) are within the
remaining buffer before reading them.  Additionally, rtw_get_sec_ie()
compares the 4-byte WPA OUI at cnt+2 without checking that at least
6 bytes remain, and rtw_get_wapi_ie() compares a 4-byte WAPI OUI at
cnt+6 without checking that at least 10 bytes remain.

rtw_get_wps_attr() reads wps_ie[0] and wps_ie+2 unconditionally at
entry, before verifying that wps_ielen is large enough to contain
the 6-byte WPS IE header (element_id + length + 4-byte OUI).  Inside
the attribute loop, get_unaligned_be16() is called on attr_ptr and
attr_ptr+2 without checking that 4 bytes remain in the buffer.

Add a cnt+2 bounds check before each loop body in rtw_get_sec_ie()
and rtw_get_wapi_ie(), guard each multi-byte comparison with a minimum
IE length requirement, add a wps_ielen &lt; 6 early return in
rtw_get_wps_attr(), and add a 4-byte bounds check in its inner loop.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004531.1038924-8-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: rtl8723bs: fix OOB reads in is_ap_in_tkip() IE loop</title>
<updated>2026-07-07T11:43:25+00:00</updated>
<author>
<name>Alexandru Hossu</name>
<email>hossu.alexandru@gmail.com</email>
</author>
<published>2026-05-22T00:45:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3bf39f711ff27c64be8680a8938bcc5001982e81'/>
<id>3bf39f711ff27c64be8680a8938bcc5001982e81</id>
<content type='text'>
The loop in is_ap_in_tkip() iterates over IEs without verifying that
enough bytes remain before dereferencing the IE header or its payload:

- pIE-&gt;element_id and pIE-&gt;length are read without checking that
  i + sizeof(*pIE) &lt;= ie_length, so a truncated IE at the end of the
  buffer causes an OOB read.

- For WLAN_EID_VENDOR_SPECIFIC the code compares pIE-&gt;data + 12,
  which requires pIE-&gt;length &gt;= 16.  For WLAN_EID_RSN it compares
  pIE-&gt;data + 8, requiring pIE-&gt;length &gt;= 12.  Neither requirement
  is checked.

Add the missing IE header and payload bounds checks and guard each
data access with an explicit pIE-&gt;length minimum, matching the
pattern established in update_beacon_info().

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004531.1038924-7-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The loop in is_ap_in_tkip() iterates over IEs without verifying that
enough bytes remain before dereferencing the IE header or its payload:

- pIE-&gt;element_id and pIE-&gt;length are read without checking that
  i + sizeof(*pIE) &lt;= ie_length, so a truncated IE at the end of the
  buffer causes an OOB read.

- For WLAN_EID_VENDOR_SPECIFIC the code compares pIE-&gt;data + 12,
  which requires pIE-&gt;length &gt;= 16.  For WLAN_EID_RSN it compares
  pIE-&gt;data + 8, requiring pIE-&gt;length &gt;= 12.  Neither requirement
  is checked.

Add the missing IE header and payload bounds checks and guard each
data access with an explicit pIE-&gt;length minimum, matching the
pattern established in update_beacon_info().

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004531.1038924-7-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: rtl8723bs: fix OOB read in OnAssocRsp() IE loop</title>
<updated>2026-07-07T11:43:22+00:00</updated>
<author>
<name>Alexandru Hossu</name>
<email>hossu.alexandru@gmail.com</email>
</author>
<published>2026-05-22T00:45:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f9654207e92283e0acac5d64fe5f8835383b5a23'/>
<id>f9654207e92283e0acac5d64fe5f8835383b5a23</id>
<content type='text'>
The IE parsing loop in OnAssocRsp() advances by (pIE-&gt;length + 2) each
iteration but only guards on i &lt; pkt_len. When a malicious AP sends an
AssocResponse whose last IE has only one byte remaining in the frame
(the element_id byte lands at pkt_len-1), the loop reads pIE-&gt;length
from pframe[pkt_len], which is one byte past the allocated receive buffer.

Additionally, even when the header bytes are in bounds, pIE-&gt;length
itself can extend the data window beyond pkt_len, silently passing a
truncated IE to the handler functions.

Add two guards at the top of the loop body:
  1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
  2. Break if the IE's declared data extends past pkt_len.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Reviewed-by: Luka Gejak &lt;luka.gejak@linux.dev&gt;
Link: https://patch.msgid.link/20260522004531.1038924-6-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The IE parsing loop in OnAssocRsp() advances by (pIE-&gt;length + 2) each
iteration but only guards on i &lt; pkt_len. When a malicious AP sends an
AssocResponse whose last IE has only one byte remaining in the frame
(the element_id byte lands at pkt_len-1), the loop reads pIE-&gt;length
from pframe[pkt_len], which is one byte past the allocated receive buffer.

Additionally, even when the header bytes are in bounds, pIE-&gt;length
itself can extend the data window beyond pkt_len, silently passing a
truncated IE to the handler functions.

Add two guards at the top of the loop body:
  1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
  2. Break if the IE's declared data extends past pkt_len.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Reviewed-by: Luka Gejak &lt;luka.gejak@linux.dev&gt;
Link: https://patch.msgid.link/20260522004531.1038924-6-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: rtl8723bs: fix OOB write in HT_caps_handler()</title>
<updated>2026-07-07T11:43:19+00:00</updated>
<author>
<name>Alexandru Hossu</name>
<email>hossu.alexandru@gmail.com</email>
</author>
<published>2026-05-22T00:45:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f8001e1a516ba3b495728c65b61f799cbfad6bd0'/>
<id>f8001e1a516ba3b495728c65b61f799cbfad6bd0</id>
<content type='text'>
HT_caps_handler() iterates pIE-&gt;length bytes and writes into
HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
HT_caps_element). Because pIE-&gt;length is a raw u8 from an over-the-air
802.11 AssocResponse frame and is never validated, a malicious AP can
set it up to 255, causing up to 229 bytes of out-of-bounds writes into
adjacent fields of struct mlme_ext_info.

Truncate the iteration count to the size of HT_caps.u.HT_cap using
umin() so that data from a longer-than-expected IE is silently ignored
rather than written out of bounds, preserving interoperability with APs
that pad the element. An early return on oversized IEs was considered
but rejected: it would bypass the pmlmeinfo-&gt;HT_caps_enable = 1
assignment that precedes the loop, silently disabling HT mode for APs
that append extra bytes to the HT Capabilities IE.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Reviewed-by: Luka Gejak &lt;luka.gejak@linux.dev&gt;
Link: https://patch.msgid.link/20260522004531.1038924-5-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
HT_caps_handler() iterates pIE-&gt;length bytes and writes into
HT_caps.u.HT_cap[], which is a fixed 26-byte array (sizeof struct
HT_caps_element). Because pIE-&gt;length is a raw u8 from an over-the-air
802.11 AssocResponse frame and is never validated, a malicious AP can
set it up to 255, causing up to 229 bytes of out-of-bounds writes into
adjacent fields of struct mlme_ext_info.

Truncate the iteration count to the size of HT_caps.u.HT_cap using
umin() so that data from a longer-than-expected IE is silently ignored
rather than written out of bounds, preserving interoperability with APs
that pad the element. An early return on oversized IEs was considered
but rejected: it would bypass the pmlmeinfo-&gt;HT_caps_enable = 1
assignment that precedes the loop, silently disabling HT mode for APs
that append extra bytes to the HT Capabilities IE.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Reviewed-by: Luka Gejak &lt;luka.gejak@linux.dev&gt;
Link: https://patch.msgid.link/20260522004531.1038924-5-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: rtl8723bs: fix heap buffer overflow in rtw_cfg80211_set_wpa_ie()</title>
<updated>2026-07-07T11:43:16+00:00</updated>
<author>
<name>Alexandru Hossu</name>
<email>hossu.alexandru@gmail.com</email>
</author>
<published>2026-05-22T00:45:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5a752a616e756844388a1a45404db9fc29fec655'/>
<id>5a752a616e756844388a1a45404db9fc29fec655</id>
<content type='text'>
supplicant_ie is a 256-byte array in struct security_priv. The WPA and
WPA2 IE copy paths use:

    memcpy(padapter-&gt;securitypriv.supplicant_ie, &amp;pwpa[0], wpa_ielen + 2);

where wpa_ielen is the raw IE length field (u8, 0-255). When a local user
supplies a connect request via nl80211 with a crafted WPA IE of length 255,
wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into
the adjacent last_mic_err_time field.

rtw_parse_wpa_ie() does not prevent this: its length consistency check
compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255
when wpa_ie_len = 257, so the check passes silently.

Add explicit bounds checks for both the WPA and WPA2 paths before the
memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the
supplicant_ie buffer.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Reviewed-by: Luka Gejak &lt;luka.gejak@linux.dev&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004531.1038924-4-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
supplicant_ie is a 256-byte array in struct security_priv. The WPA and
WPA2 IE copy paths use:

    memcpy(padapter-&gt;securitypriv.supplicant_ie, &amp;pwpa[0], wpa_ielen + 2);

where wpa_ielen is the raw IE length field (u8, 0-255). When a local user
supplies a connect request via nl80211 with a crafted WPA IE of length 255,
wpa_ielen + 2 equals 257, overflowing the 256-byte buffer by one byte into
the adjacent last_mic_err_time field.

rtw_parse_wpa_ie() does not prevent this: its length consistency check
compares *(wpa_ie+1) against (u8)(wpa_ie_len-2), which is (u8)(255) == 255
when wpa_ie_len = 257, so the check passes silently.

Add explicit bounds checks for both the WPA and WPA2 paths before the
memcpy, rejecting any IE whose total size (wpa_ielen + 2) exceeds the
supplicant_ie buffer.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Reviewed-by: Luka Gejak &lt;luka.gejak@linux.dev&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004531.1038924-4-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: rtl8723bs: fix OOB reads in IE loops in issue_assocreq() and join_cmd_hdl()</title>
<updated>2026-07-07T11:43:14+00:00</updated>
<author>
<name>Alexandru Hossu</name>
<email>hossu.alexandru@gmail.com</email>
</author>
<published>2026-05-22T00:45:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ef61d628dfad38fead1fd2e08979ae9126d011d5'/>
<id>ef61d628dfad38fead1fd2e08979ae9126d011d5</id>
<content type='text'>
Two IE parsing loops are missing the header bounds checks before they
dereference pIE-&gt;length:

 - issue_assocreq() walks pmlmeinfo-&gt;network.ies to build the
   association request. If the stored IE data ends with only an
   element_id byte and no length byte, pIE-&gt;length is read one byte
   past the end of the buffer.

 - join_cmd_hdl() walks pnetwork-&gt;ies during station join and has
   the same problem under the same conditions.

Both buffers are filled from AP beacon and probe-response frames, so a
malicious AP that sends a truncated final IE can trigger the issue.

Apply the two-guard pattern established in update_beacon_info():
  1. Break if fewer than sizeof(*pIE) bytes remain.
  2. Break if the IE's declared data extends past the buffer end.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Reviewed-by: Luka Gejak &lt;luka.gejak@linux.dev&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004531.1038924-3-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Two IE parsing loops are missing the header bounds checks before they
dereference pIE-&gt;length:

 - issue_assocreq() walks pmlmeinfo-&gt;network.ies to build the
   association request. If the stored IE data ends with only an
   element_id byte and no length byte, pIE-&gt;length is read one byte
   past the end of the buffer.

 - join_cmd_hdl() walks pnetwork-&gt;ies during station join and has
   the same problem under the same conditions.

Both buffers are filled from AP beacon and probe-response frames, so a
malicious AP that sends a truncated final IE can trigger the issue.

Apply the two-guard pattern established in update_beacon_info():
  1. Break if fewer than sizeof(*pIE) bytes remain.
  2. Break if the IE's declared data extends past the buffer end.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Reviewed-by: Luka Gejak &lt;luka.gejak@linux.dev&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004531.1038924-3-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: rtl8723bs: fix OOB read in update_beacon_info() IE loop</title>
<updated>2026-07-07T11:43:10+00:00</updated>
<author>
<name>Alexandru Hossu</name>
<email>hossu.alexandru@gmail.com</email>
</author>
<published>2026-05-22T00:45:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ed51de4a86e173c3b0ef78e039c2e49e08b11f16'/>
<id>ed51de4a86e173c3b0ef78e039c2e49e08b11f16</id>
<content type='text'>
The IE parsing loop in update_beacon_info() advances by
(pIE-&gt;length + 2) each iteration but only guards on i &lt; len.
When a malicious AP sends a Beacon whose last IE has only one byte
remaining in the frame (the element_id byte lands at len-1), the loop
reads pIE-&gt;length from one byte past the allocated receive buffer.

Additionally, even when the header bytes are in bounds, pIE-&gt;length
itself can extend the data window beyond len, passing a truncated IE
to the handler functions.

Add two guards at the top of the loop body:
  1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
  2. Break if the IE's declared data extends past len.

Also replace i += (pIE-&gt;length + 2) with i += sizeof(*pIE) + pIE-&gt;length
for consistency with the sizeof(*pIE) guards added above.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Reviewed-by: Luka Gejak &lt;luka.gejak@linux.dev&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004531.1038924-2-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The IE parsing loop in update_beacon_info() advances by
(pIE-&gt;length + 2) each iteration but only guards on i &lt; len.
When a malicious AP sends a Beacon whose last IE has only one byte
remaining in the frame (the element_id byte lands at len-1), the loop
reads pIE-&gt;length from one byte past the allocated receive buffer.

Additionally, even when the header bytes are in bounds, pIE-&gt;length
itself can extend the data window beyond len, passing a truncated IE
to the handler functions.

Add two guards at the top of the loop body:
  1. Break if fewer than sizeof(*pIE) bytes remain (can't read header).
  2. Break if the IE's declared data extends past len.

Also replace i += (pIE-&gt;length + 2) with i += sizeof(*pIE) + pIE-&gt;length
for consistency with the sizeof(*pIE) guards added above.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Reviewed-by: Luka Gejak &lt;luka.gejak@linux.dev&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004531.1038924-2-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: rtl8723bs: fix WEP length underflow and OOB read in OnAuth()</title>
<updated>2026-07-07T11:42:23+00:00</updated>
<author>
<name>Alexandru Hossu</name>
<email>hossu.alexandru@gmail.com</email>
</author>
<published>2026-05-22T00:46:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a1fc19d61f661d47204f095b593de507884849f7'/>
<id>a1fc19d61f661d47204f095b593de507884849f7</id>
<content type='text'>
OnAuth() has two bugs in the shared-key authentication path.

When the Privacy bit is set, rtw_wep_decrypt() is called without
verifying that the frame is long enough to contain a valid WEP IV and
ICV.  Inside rtw_wep_decrypt(), length is computed as:

    length = len - WLAN_HDR_A3_LEN - iv_len

and then passed as (length - 4) to crc32_le().  If len is less than
WLAN_HDR_A3_LEN + iv_len + icv_len (32 bytes), length - 4 is negative
and, after the implicit cast to size_t, causes crc32_le() to read far
beyond the frame buffer.  Add a minimum length check before accessing
the IV field and calling the decryption path.

When processing a seq=3 response, rtw_get_ie() stores the Challenge
Text IE length in ie_len, but the subsequent memcmp() always reads 128
bytes regardless of ie_len.  IEEE 802.11 mandates a challenge text of
exactly 128 bytes; reject any IE whose length field differs, matching
the check already applied to OnAuthClient().

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004605.1039209-1-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
OnAuth() has two bugs in the shared-key authentication path.

When the Privacy bit is set, rtw_wep_decrypt() is called without
verifying that the frame is long enough to contain a valid WEP IV and
ICV.  Inside rtw_wep_decrypt(), length is computed as:

    length = len - WLAN_HDR_A3_LEN - iv_len

and then passed as (length - 4) to crc32_le().  If len is less than
WLAN_HDR_A3_LEN + iv_len + icv_len (32 bytes), length - 4 is negative
and, after the implicit cast to size_t, causes crc32_le() to read far
beyond the frame buffer.  Add a minimum length check before accessing
the IV field and calling the decryption path.

When processing a seq=3 response, rtw_get_ie() stores the Challenge
Text IE length in ie_len, but the subsequent memcmp() always reads 128
bytes regardless of ie_len.  IEEE 802.11 mandates a challenge text of
exactly 128 bytes; reject any IE whose length field differs, matching
the check already applied to OnAuthClient().

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Alexandru Hossu &lt;hossu.alexandru@gmail.com&gt;
Link: https://patch.msgid.link/20260522004605.1039209-1-hossu.alexandru@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: vme_user: fix location monitor leak in tsi148 bridge</title>
<updated>2026-07-07T11:41:56+00:00</updated>
<author>
<name>Hao-Qun Huang</name>
<email>alvinhuang0603@gmail.com</email>
</author>
<published>2026-07-04T06:58:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=151edde741f8bc7f2931c5f44ab376d32b0c8beb'/>
<id>151edde741f8bc7f2931c5f44ab376d32b0c8beb</id>
<content type='text'>
tsi148_probe() allocates a location monitor resource and links it into
tsi148_bridge-&gt;lm_resources. The probe error path frees this list, but
tsi148_remove() only frees the dma, slave and master resource lists, so
the location monitor resource is leaked on device unbind or module
unload.

Free the lm_resources list in tsi148_remove() as well, before
tsi148_bridge is freed.

Fixes: d22b8ed9a3b0 ("Staging: vme: add Tundra TSI148 VME-PCI Bridge driver")
Cc: stable &lt;stable@kernel.org&gt;
Cc: Martyn Welch &lt;martyn@welchs.me.uk&gt;
Assisted-by: Claude:claude-fable-5
Signed-off-by: Hao-Qun Huang &lt;alvinhuang0603@gmail.com&gt;
Link: https://patch.msgid.link/20260704065817.403111-2-alvinhuang0603@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
tsi148_probe() allocates a location monitor resource and links it into
tsi148_bridge-&gt;lm_resources. The probe error path frees this list, but
tsi148_remove() only frees the dma, slave and master resource lists, so
the location monitor resource is leaked on device unbind or module
unload.

Free the lm_resources list in tsi148_remove() as well, before
tsi148_bridge is freed.

Fixes: d22b8ed9a3b0 ("Staging: vme: add Tundra TSI148 VME-PCI Bridge driver")
Cc: stable &lt;stable@kernel.org&gt;
Cc: Martyn Welch &lt;martyn@welchs.me.uk&gt;
Assisted-by: Claude:claude-fable-5
Signed-off-by: Hao-Qun Huang &lt;alvinhuang0603@gmail.com&gt;
Link: https://patch.msgid.link/20260704065817.403111-2-alvinhuang0603@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>staging: vme_user: fix location monitor leak in fake bridge</title>
<updated>2026-07-07T11:41:49+00:00</updated>
<author>
<name>Hao-Qun Huang</name>
<email>alvinhuang0603@gmail.com</email>
</author>
<published>2026-07-04T06:58:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e8422d89e8af41d87f0e9db564be8e2634f4c602'/>
<id>e8422d89e8af41d87f0e9db564be8e2634f4c602</id>
<content type='text'>
fake_init() allocates a location monitor resource and links it into
fake_bridge-&gt;lm_resources. The init error path frees this list, but
fake_exit() only frees the slave and master resource lists. Loading
and unloading the module therefore triggers a kmemleak warning:

  unreferenced object 0xffff8b8b82aebe40 (size 64):
    comm "init", pid 1, jiffies 4294894572
    backtrace (crc c1e013ef):
      kmemleak_alloc+0x4e/0x90
      __kmalloc_cache_noprof+0x338/0x430
      0xffffffffc0602246
      do_one_initcall+0x4f/0x320
      do_init_module+0x68/0x270
      load_module+0x2a3b/0x2d90

Free the lm_resources list in fake_exit() as well, before fake_bridge
is freed.

Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
Cc: stable &lt;stable@kernel.org&gt;
Cc: Martyn Welch &lt;martyn@welchs.me.uk&gt;
Assisted-by: Claude:claude-fable-5
Signed-off-by: Hao-Qun Huang &lt;alvinhuang0603@gmail.com&gt;
Link: https://patch.msgid.link/20260704065817.403111-1-alvinhuang0603@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
fake_init() allocates a location monitor resource and links it into
fake_bridge-&gt;lm_resources. The init error path frees this list, but
fake_exit() only frees the slave and master resource lists. Loading
and unloading the module therefore triggers a kmemleak warning:

  unreferenced object 0xffff8b8b82aebe40 (size 64):
    comm "init", pid 1, jiffies 4294894572
    backtrace (crc c1e013ef):
      kmemleak_alloc+0x4e/0x90
      __kmalloc_cache_noprof+0x338/0x430
      0xffffffffc0602246
      do_one_initcall+0x4f/0x320
      do_init_module+0x68/0x270
      load_module+0x2a3b/0x2d90

Free the lm_resources list in fake_exit() as well, before fake_bridge
is freed.

Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
Cc: stable &lt;stable@kernel.org&gt;
Cc: Martyn Welch &lt;martyn@welchs.me.uk&gt;
Assisted-by: Claude:claude-fable-5
Signed-off-by: Hao-Qun Huang &lt;alvinhuang0603@gmail.com&gt;
Link: https://patch.msgid.link/20260704065817.403111-1-alvinhuang0603@gmail.com
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
