user/sven/linux.git, branch v5.4.219 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.4.219 2022-10-17T15:24:32Z Linux 5.4.219 2022-10-17T15:24:32Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2022-10-17T15:24:32Z urn:sha1:fd92cfed8bc6668d314acd1e6da708a80826f768 Link: https://lore.kernel.org/r/20221016064454.327821011@linuxfoundation.org Tested-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Linux Kernel Functional Testing <lkft@linaro.org> Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk> Tested-by: Jon Hunter <jonathanh@nvidia.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> wifi: mac80211: fix MBSSID parsing use-after-free 2022-10-17T15:24:32Z Johannes Berg johannes.berg@intel.com 2022-10-14T16:47:05Z urn:sha1:0cb5be43dc4b79da010522f79a06fa56f944d3cd Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream. This is a different version of the commit, changed to store the non-transmitted profile in the elems, and freeing it in the few places where it's relevant, since that is only the case when the last argument for parsing (the non-tx BSSID) is non-NULL. When we parse a multi-BSSID element, we might point some element pointers into the allocated nontransmitted_profile. However, we free this before returning, causing UAF when the relevant pointers in the parsed elements are accessed. Fix this by not allocating the scratch buffer separately but as part of the returned structure instead, that way, there are no lifetime issues with it. The scratch buffer introduction as part of the returned data here is taken from MLO feature work done by Ilan. This fixes CVE-2022-42719. Fixes: 5023b14cf4df ("mac80211: support profile split between elements") Co-developed-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Ilan Peer <ilan.peer@intel.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> wifi: mac80211: don't parse mbssid in assoc response 2022-10-17T15:24:32Z Johannes Berg johannes.berg@intel.com 2022-10-14T16:47:04Z urn:sha1:9478c5f9c007b51e173a723ced44971c1a81ef42 This is simply not valid and simplifies the next commit. I'll make a separate patch for this in the current main tree as well. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> mac80211: mlme: find auth challenge directly 2022-10-17T15:24:32Z Johannes Berg johannes.berg@intel.com 2022-10-14T16:47:03Z urn:sha1:7f441a6c90fe165b57b8514a5ae360344edc6d6d There's no need to parse all elements etc. just to find the authentication challenge - use cfg80211_find_elem() instead. This also allows us to remove WLAN_EID_CHALLENGE handling from the element parsing entirely. Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Revert "fs: check FMODE_LSEEK to control internal pipe splicing" 2022-10-17T15:24:32Z Sasha Levin sashal@kernel.org 2022-10-15T11:18:38Z urn:sha1:c248c3330d5f09cbf08fb0d2025bcd075b0f8672 This reverts commit fd0a6e99b61e6c08fa5cf585d54fd956f70c73a6. Which was upstream commit 97ef77c52b789ec1411d360ed99dca1efe4b2c81. The commit is missing dependencies and breaks NFS tests, remove it for now. Reported-by: Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Linux 5.4.218 2022-10-15T05:54:41Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2022-10-15T05:54:41Z urn:sha1:1d0da8674c23e8d65398c33a4d5018eaf02e1c64 Link: https://lore.kernel.org/r/20221013175144.245431424@linuxfoundation.org Tested-by: Florian Fainelli <f.fainelli@gmail.com> Tested-by: Linux Kernel Functional Testing <lkft@linaro.org> Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk> Tested-by: Shuah Khan <skhan@linuxfoundation.org> Tested-by: Jon Hunter <jonathanh@nvidia.com> Tested-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Input: xpad - fix wireless 360 controller breaking after suspend 2022-10-15T05:54:41Z Cameron Gutman aicommander@gmail.com 2022-08-18T15:44:09Z urn:sha1:3ff54a91e4ea8bfb287cf38f22b41d613fba49c6 commit a17b9841152e7f4621619902b347e2cc39c32996 upstream. Suspending and resuming the system can sometimes cause the out URB to get hung after a reset_resume. This causes LED setting and force feedback to break on resume. To avoid this, just drop the reset_resume callback so the USB core rebinds xpad to the wireless pads on resume if a reset happened. A nice side effect of this change is the LED ring on wireless controllers is now set correctly on system resume. Cc: stable@vger.kernel.org Fixes: 4220f7db1e42 ("Input: xpad - workaround dead irq_out after suspend/ resume") Signed-off-by: Cameron Gutman <aicommander@gmail.com> Signed-off-by: Pavel Rojtberg <rojtberg@gmail.com> Link: https://lore.kernel.org/r/20220818154411.510308-3-rojtberg@gmail.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Input: xpad - add supported devices as contributed on github 2022-10-15T05:54:41Z Pavel Rojtberg rojtberg@gmail.com 2022-08-18T15:44:08Z urn:sha1:690467759573ecee80d2a215ddbb4c5efe574868 commit b382c5e37344883dc97525d05f1f6b788f549985 upstream. This is based on multiple commits at https://github.com/paroj/xpad Cc: stable@vger.kernel.org Signed-off-by: Jasper Poppe <jgpoppe@gmail.com> Signed-off-by: Jeremy Palmer <jpalmer@linz.govt.nz> Signed-off-by: Ruineka <ruinairas1992@gmail.com> Signed-off-by: Cleber de Mattos Casali <clebercasali@gmail.com> Signed-off-by: Kyle Gospodnetich <me@kylegospodneti.ch> Signed-off-by: Pavel Rojtberg <rojtberg@gmail.com> Link: https://lore.kernel.org/r/20220818154411.510308-2-rojtberg@gmail.com Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> wifi: cfg80211: update hidden BSSes to avoid WARN_ON 2022-10-15T05:54:41Z Johannes Berg johannes.berg@intel.com 2022-10-05T21:11:43Z urn:sha1:9389750ac6b0d462703629322c596a516a8f80dc commit c90b93b5b782891ebfda49d4e5da36632fefd5d1 upstream. When updating beacon elements in a non-transmitted BSS, also update the hidden sub-entries to the same beacon elements, so that a future update through other paths won't trigger a WARN_ON(). The warning is triggered because the beacon elements in the hidden BSSes that are children of the BSS should always be the same as in the parent. Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning") Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> wifi: mac80211_hwsim: avoid mac80211 warning on bad rate 2022-10-15T05:54:41Z Johannes Berg johannes.berg@intel.com 2022-10-05T13:10:09Z urn:sha1:7fab3bf5205976388a80e2d3e3ce9fc39160e068 commit 1833b6f46d7e2830251a063935ab464256defe22 upstream. If the tool on the other side (e.g. wmediumd) gets confused about the rate, we hit a warning in mac80211. Silence that by effectively duplicating the check here and dropping the frame silently (in mac80211 it's dropped with the warning). Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>