From nobody Thu Apr 9 10:52:19 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC6D2C433FE for ; Sun, 16 Oct 2022 06:45:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229790AbiJPGph (ORCPT ); Sun, 16 Oct 2022 02:45:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38696 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229643AbiJPGpe (ORCPT ); Sun, 16 Oct 2022 02:45:34 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ED98A36084; Sat, 15 Oct 2022 23:45:31 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 61F93B80B70; Sun, 16 Oct 2022 06:45:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 78E9DC433D7; Sun, 16 Oct 2022 06:45:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665902729; bh=TBeS4Ug3OnoGaH9ToiRRRWEOuovZ0kDuT+LCqlrudDw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=egBkgLMTXJ/Z8IbFgNnWCq1wF+MSVE29WLR1BX2IAV38bI93WclPvRRVqsNaV93r7 vNGPoq3DkSMDKq3KXZHTTn12063jqkuadqgTA0I+d8TFvLYndGXqfSmRm/OG1adUqK GaklQv4xjzFG0i56fKO+eFNjqm4qap9RdECRu7cU= 
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Saeed Mirzamohammadi , Sasha Levin Subject: [PATCH 5.10 1/4] Revert "fs: check FMODE_LSEEK to control internal pipe splicing" Date: Sun, 16 Oct 2022 08:46:11 +0200 Message-Id: <20221016064454.424548581@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221016064454.382206984@linuxfoundation.org> References: <20221016064454.382206984@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" This reverts commit fd0a6e99b61e6c08fa5cf585d54fd956f70c73a6. Which was upstream commit 97ef77c52b789ec1411d360ed99dca1efe4b2c81. The commit is missing dependencies and breaks NFS tests, remove it for now. Reported-by: Saeed Mirzamohammadi Signed-off-by: Sasha Levin Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Rudi Heitbaum Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- fs/splice.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/fs/splice.c b/fs/splice.c index 6610e55c0e2a..866d5c2367b2 100644 --- a/fs/splice.c +++ b/fs/splice.c 
@@ -806,15 +806,17 @@ ssize_t splice_direct_to_actor(struct file *in, struc= t splice_desc *sd, { struct pipe_inode_info *pipe; long ret, bytes; + umode_t i_mode; size_t len; int i, flags, more; =20 /* - * We require the input to be seekable, as we don't want to randomly - * drop data for eg socket -> socket splicing. Use the piped splicing - * for that! + * We require the input being a regular file, as we don't want to + * randomly drop data for eg socket -> socket splicing. Use the + * piped splicing for that! */ - if (unlikely(!(in->f_mode & FMODE_LSEEK))) + i_mode =3D file_inode(in)->i_mode; + if (unlikely(!S_ISREG(i_mode) && !S_ISBLK(i_mode))) return -EINVAL; =20 /* --=20 2.35.1 From nobody Thu Apr 9 10:52:19 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 503E6C433FE for ; Sun, 16 Oct 2022 06:45:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229821AbiJPGps (ORCPT ); Sun, 16 Oct 2022 02:45:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38858 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229799AbiJPGpo (ORCPT ); Sun, 16 Oct 2022 02:45:44 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5710333423; Sat, 15 Oct 2022 23:45:37 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 613FB60A6F; Sun, 16 Oct 2022 06:45:37 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 73F2AC433C1; Sun, 16 Oct 2022 06:45:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; 
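Review bot: the restored check in splice_direct_to_actor() is narrower than the FMODE_LSEEK test it replaces: an input that is seekable but neither a regular file nor a block device now fails with -EINVAL again, which is exactly the behaviour the reverted commit had relaxed, so callers that started working under the FMODE_LSEEK version will regress on 5.10. That is acceptable for a revert whose purpose is to unbreak the NFS tests, but the commit message should name the upstream dependency commit(s) that are "missing" rather than saying so generically, so that the revert can be dropped once they are backported and the FMODE_LSEEK version reapplied.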
s=korg; t=1665902736; bh=DATtFxyW73e4CfeKhfHyo634vm8S27gJN70GI7pPcNw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1xvefH7iBIPVHyJvqneBZ9/ndfW+MwJtItFE2IZ/5B67NUhod6RfBDyf7HVxJu0sE giafrGLCt4Puru/CvSjWjBuP4VBjQzAfD8Zkr0G8tuE0mMG+AZQ7o+FIIubPx98QOp zUe43xRrgCYcP1kuK4Ie/870oI/TFHahBcW6ZR1g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johannes Berg Subject: [PATCH 5.10 2/4] mac80211: mlme: find auth challenge directly Date: Sun, 16 Oct 2022 08:46:12 +0200 Message-Id: <20221016064454.457942478@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221016064454.382206984@linuxfoundation.org> References: <20221016064454.382206984@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Johannes Berg There's no need to parse all elements etc. just to find the authentication challenge - use cfg80211_find_elem() instead. This also allows us to remove WLAN_EID_CHALLENGE handling from the element parsing entirely. Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a0= 07d6154cbf1fb3a8c48489e86f@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Rudi Heitbaum Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/mac80211/ieee80211_i.h | 2 -- net/mac80211/mlme.c | 11 ++++++----- net/mac80211/util.c | 4 ---- 3 files changed, 6 insertions(+), 11 deletions(-) --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1485,7 +1485,6 @@ struct ieee802_11_elems { const u8 *supp_rates; const u8 *ds_params; const struct ieee80211_tim_ie *tim; - const u8 *challenge; const u8 *rsn; const u8 *rsnx; const u8 *erp_info; 
@@ -1538,7 +1537,6 @@ struct ieee802_11_elems { u8 ssid_len; u8 supp_rates_len; u8 tim_len; - u8 challenge_len; u8 rsn_len; u8 rsnx_len; u8 ext_supp_rates_len; --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -2899,14 +2899,14 @@ static void ieee80211_auth_challenge(str { struct ieee80211_local *local =3D sdata->local; struct ieee80211_mgd_auth_data *auth_data =3D sdata->u.mgd.auth_data; + const struct element *challenge; u8 *pos; - struct ieee802_11_elems elems; u32 tx_flags =3D 0; =20 pos =3D mgmt->u.auth.variable; - ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, auth_data->bss->bssid); - if (!elems.challenge) + challenge =3D cfg80211_find_elem(WLAN_EID_CHALLENGE, pos, + len - (pos - (u8 *)mgmt)); + if (!challenge) return; auth_data->expected_transaction =3D 4; drv_mgd_prepare_tx(sdata->local, sdata, 0); @@ -2914,7 +2914,8 @@ static void ieee80211_auth_challenge(str tx_flags =3D IEEE80211_TX_CTL_REQ_TX_STATUS | IEEE80211_TX_INTFL_MLME_CONN_TX; ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0, - elems.challenge - 2, elems.challenge_len + 2, + (void *)challenge, + challenge->datalen + sizeof(*challenge), auth_data->bss->bssid, auth_data->bss->bssid, auth_data->key, auth_data->key_len, auth_data->key_idx, tx_flags); --- a/net/mac80211/util.c +++ b/net/mac80211/util.c 
@@ -1124,10 +1124,6 @@ _ieee802_11_parse_elems_crc(const u8 *st } else elem_parse_failed =3D true; break; - case WLAN_EID_CHALLENGE: - elems->challenge =3D pos; - elems->challenge_len =3D elen; - break; case WLAN_EID_VENDOR_SPECIFIC: if (elen >=3D 4 && pos[0] =3D=3D 0x00 && pos[1] =3D=3D 0x50 && pos[2] =3D=3D 0xf2) { From nobody Thu Apr 9 10:52:19 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9D411C433FE for ; Sun, 16 Oct 2022 06:45:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229597AbiJPGpu (ORCPT ); Sun, 16 Oct 2022 02:45:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38866 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229802AbiJPGpo (ORCPT ); Sun, 16 Oct 2022 02:45:44 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6794A3743B; Sat, 15 Oct 2022 23:45:42 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C08DDB80B65; Sun, 16 Oct 2022 06:45:40 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3220EC433C1; Sun, 16 Oct 2022 06:45:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665902739; bh=wJQ0U41KLRy5gUD5LL0D8LqduAlTFDOlhxPc+h6eaFI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dksST5maNe3bQNWUDD2pVGfR5qfSyR2G9gBGUksi2ggllnISIr938ceIJQy497l5A NZJsjCe8MtPHFPrmfVkQyiXkxFt70G0lu07PjzxjvHa5QHM5RH3TEPcMt6M6y69Lkn CUJOR38YHAeWhVW6HTbL4nnvf6RJwwJpeFQko0V8= 
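Review bot: in the mlme.c hunk the `(void *)challenge` cast throws away the const of `const struct element *challenge`; if the extra-data parameter of ieee80211_send_auth() is a const pointer, `(const u8 *)challenge` is the cleaner cast and keeps the compiler able to complain if the element is ever written. The new length `challenge->datalen + sizeof(*challenge)` equals the old `elems.challenge_len + 2` only because the element header is exactly two bytes (id and length); a one-line comment saying that the whole element, header included, is echoed back would save the next reader working it out. Dropping the WLAN_EID_CHALLENGE case from _ieee802_11_parse_elems_crc() together with the `challenge` and `challenge_len` fields is consistent, since any remaining reader of those fields would now fail to build.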
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Johannes Berg Subject: [PATCH 5.10 3/4] wifi: mac80211: dont parse mbssid in assoc response Date: Sun, 16 Oct 2022 08:46:13 +0200 Message-Id: <20221016064454.487620750@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221016064454.382206984@linuxfoundation.org> References: <20221016064454.382206984@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Johannes Berg This is simply not valid and simplifies the next commit. I'll make a separate patch for this in the current main tree as well. Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Rudi Heitbaum Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/mac80211/mlme.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -3300,7 +3300,7 @@ static bool ieee80211_assoc_success(stru } capab_info =3D le16_to_cpu(mgmt->u.assoc_resp.capab_info); ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems, - mgmt->bssid, assoc_data->bss->bssid); + mgmt->bssid, NULL); =20 if (elems->aid_resp) aid =3D le16_to_cpu(elems->aid_resp->aid); 
@@ -3708,7 +3708,7 @@ static void ieee80211_rx_mgmt_assoc_resp return; =20 ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems, - mgmt->bssid, assoc_data->bss->bssid); + mgmt->bssid, NULL); =20 if (status_code =3D=3D WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY && elems.timeout_int && From nobody Thu Apr 9 10:52:19 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8C7BC433FE for ; Sun, 16 Oct 2022 06:45:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229666AbiJPGpy (ORCPT ); Sun, 16 Oct 2022 02:45:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38954 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229811AbiJPGpq (ORCPT ); Sun, 16 Oct 2022 02:45:46 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D80B23640B; Sat, 15 Oct 2022 23:45:45 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C1471B8085D; Sun, 16 Oct 2022 06:45:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 193FBC433C1; Sun, 16 Oct 2022 06:45:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1665902742; bh=0ZJ2LFMzVXl5F47JimqShryDmS3PyF4FnsQtVAmloX8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=D8uK9pJz9Mojebeda5EB5gQS0gbyHdswywKTz7bTgFvYWctziushWr+MeuXRKinm2 yz1/3pNGF0TCzJmlbyo+9KI4wNoEN2s+bOghHjoUii6Zu1Rat8cPZqPK4ufjhPKfzk A9ZhNUSV6euxA9AiEVp7uLa2L6OXdlWwsZqS3Y8w= 
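Review bot: the commit message should state why parsing an MBSSID profile out of an association response is "simply not valid" (the response is sent to the associating station by the BSS it is joining, so there is no non-transmitted profile to split out) and that passing NULL as the last argument makes ieee802_11_parse_elems() skip the profile lookup and its scratch allocation entirely; a brief comment at each of the two call sites would also stop a future backport from reinstating `assoc_data->bss->bssid` there. Since the message says a matching mainline patch is still to come, the stable commit should be updated with that upstream id once it lands so the two can be correlated.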
From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ilan Peer , Kees Cook , Johannes Berg Subject: [PATCH 5.10 4/4] wifi: mac80211: fix MBSSID parsing use-after-free Date: Sun, 16 Oct 2022 08:46:14 +0200 Message-Id: <20221016064454.521268644@linuxfoundation.org> X-Mailer: git-send-email 2.38.0 In-Reply-To: <20221016064454.382206984@linuxfoundation.org> References: <20221016064454.382206984@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Johannes Berg Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream. This is a different version of the commit, changed to store the non-transmitted profile in the elems, and freeing it in the few places where it's relevant, since that is only the case when the last argument for parsing (the non-tx BSSID) is non-NULL. When we parse a multi-BSSID element, we might point some element pointers into the allocated nontransmitted_profile. However, we free this before returning, causing UAF when the relevant pointers in the parsed elements are accessed. Fix this by not allocating the scratch buffer separately but as part of the returned structure instead, that way, there are no lifetime issues with it. The scratch buffer introduction as part of the returned data here is taken from MLO feature work done by Ilan. This fixes CVE-2022-42719. Fixes: 5023b14cf4df ("mac80211: support profile split between elements") Co-developed-by: Ilan Peer Signed-off-by: Ilan Peer Reviewed-by: Kees Cook Signed-off-by: Johannes Berg 
Signed-off-by: Greg Kroah-Hartman Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Pavel Machek (CIP) Tested-by: Rudi Heitbaum Tested-by: Shuah Khan Tested-by: Sudip Mukherjee --- net/mac80211/ieee80211_i.h | 2 ++ net/mac80211/mlme.c | 6 +++++- net/mac80211/scan.c | 2 ++ net/mac80211/util.c | 7 ++++++- 4 files changed, 15 insertions(+), 2 deletions(-) --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1551,6 +1551,8 @@ struct ieee802_11_elems { u8 country_elem_len; u8 bssid_index_len; =20 + void *nontx_profile; + /* whether a parse error occurred while retrieving these elements */ bool parse_error; }; --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -3394,6 +3394,7 @@ static bool ieee80211_assoc_success(stru sdata_info(sdata, "AP bug: VHT operation missing from AssocResp\n"); } + kfree(bss_elems.nontx_profile); } =20 /* @@ -4045,6 +4046,7 @@ static void ieee80211_rx_mgmt_beacon(str ifmgd->assoc_data->timeout =3D jiffies; ifmgd->assoc_data->timeout_started =3D true; run_again(sdata, ifmgd->assoc_data->timeout); + kfree(elems.nontx_profile); return; } =20 @@ -4222,7 +4224,7 @@ static void ieee80211_rx_mgmt_beacon(str ieee80211_report_disconnect(sdata, deauth_buf, sizeof(deauth_buf), true, WLAN_REASON_DEAUTH_LEAVING); - return; + goto free; } =20 if (sta && elems.opmode_notif) @@ -4237,6 +4239,8 @@ static void ieee80211_rx_mgmt_beacon(str elems.cisco_dtpc_elem); =20 ieee80211_bss_info_change_notify(sdata, changed); +free: + kfree(elems.nontx_profile); } =20 void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata, --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c @@ -227,6 +227,8 @@ ieee80211_bss_info_update(struct ieee802 rx_status, beacon); } =20 + kfree(elems.nontx_profile); + return bss; } =20 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c 
@@ -1483,6 +1483,11 @@ u32 ieee802_11_parse_elems_crc(const u8 cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE, nontransmitted_profile, nontransmitted_profile_len); + if (!nontransmitted_profile_len) { + nontransmitted_profile_len =3D 0; + kfree(nontransmitted_profile); + nontransmitted_profile =3D NULL; + } } =20 crc =3D _ieee802_11_parse_elems_crc(start, len, action, elems, filter, @@ -1512,7 +1517,7 @@ u32 ieee802_11_parse_elems_crc(const u8 offsetofend(struct ieee80211_bssid_index, dtim_count)) elems->dtim_count =3D elems->bssid_index->dtim_count; =20 - kfree(nontransmitted_profile); + elems->nontx_profile =3D nontransmitted_profile; =20 return crc; }
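Review bot: ownership of elems.nontx_profile now rests with every caller that passes a non-NULL non-transmitting BSSID, so each of those functions must free it on every exit path after the parse. In the ieee80211_rx_mgmt_beacon() hunks only the `return` in the disconnect path at @@ -4222 is turned into `goto free`, and the early return at @@ -4045 gets its own kfree(); please confirm that no other return between the parse call and the `free:` label is left without a kfree(elems.nontx_profile), because any such path is now a memory leak rather than the use-after-free this change fixes. A short comment next to the new `void *nontx_profile;` field in struct ieee802_11_elems saying that the owner of the elems must kfree() it would make that contract visible to future callers, who otherwise see only a bare pointer.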
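Review bot: in the util.c hunk the line `nontransmitted_profile_len = 0;` sits inside `if (!nontransmitted_profile_len)`, so it is a no-op and can be dropped; the kfree() and the `nontransmitted_profile = NULL;` are what matter, because `elems->nontx_profile = nontransmitted_profile;` at the end of ieee802_11_parse_elems_crc() is now unconditional and must hand the callers either the live buffer or NULL, never a freed pointer, for their kfree(elems.nontx_profile) to stay correct. It would be worth a comment at that final assignment that the buffer is deliberately not freed here because the element pointers in elems may point into it, which is the root cause being fixed.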