2022-10-16 06:47:43

by Greg Kroah-Hartman

Subject: [PATCH 5.10 0/4] 5.10.149-rc1 review

This is the start of the stable review cycle for the 5.10.149 release.
There are 4 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.149-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <[email protected]>
Linux 5.10.149-rc1

Johannes Berg <[email protected]>
wifi: mac80211: fix MBSSID parsing use-after-free

Johannes Berg <[email protected]>
wifi: mac80211: don't parse mbssid in assoc response

Johannes Berg <[email protected]>
mac80211: mlme: find auth challenge directly

Sasha Levin <[email protected]>
Revert "fs: check FMODE_LSEEK to control internal pipe splicing"


-------------

Diffstat:

Makefile | 4 ++--
fs/splice.c | 10 ++++++----
net/mac80211/ieee80211_i.h | 4 ++--
net/mac80211/mlme.c | 21 +++++++++++++--------
net/mac80211/scan.c | 2 ++
net/mac80211/util.c | 11 ++++++-----
6 files changed, 31 insertions(+), 21 deletions(-)



2022-10-16 06:47:43

by Greg Kroah-Hartman

Subject: [PATCH 5.10 1/4] Revert "fs: check FMODE_LSEEK to control internal pipe splicing"

This reverts commit fd0a6e99b61e6c08fa5cf585d54fd956f70c73a6.

Which was upstream commit 97ef77c52b789ec1411d360ed99dca1efe4b2c81.

The commit is missing dependencies and breaks NFS tests, remove it for
now.

Reported-by: Saeed Mirzamohammadi <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/splice.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/fs/splice.c b/fs/splice.c
index 6610e55c0e2a..866d5c2367b2 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -806,15 +806,17 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
{
struct pipe_inode_info *pipe;
long ret, bytes;
+ umode_t i_mode;
size_t len;
int i, flags, more;

/*
- * We require the input to be seekable, as we don't want to randomly
- * drop data for eg socket -> socket splicing. Use the piped splicing
- * for that!
+ * We require the input being a regular file, as we don't want to
+ * randomly drop data for eg socket -> socket splicing. Use the
+ * piped splicing for that!
*/
- if (unlikely(!(in->f_mode & FMODE_LSEEK)))
+ i_mode = file_inode(in)->i_mode;
+ if (unlikely(!S_ISREG(i_mode) && !S_ISBLK(i_mode)))
return -EINVAL;

/*
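Review bot: the commit message says the reverted change "is missing dependencies" but names none; a revert intended to be temporary should list the upstream commits the FMODE_LSEEK check depends on so it can be re-queued once they are backported. The hunk itself restores the inode-mode gate (reject unless `S_ISREG(i_mode)` or `S_ISBLK(i_mode)`, read from `file_inode(in)->i_mode`) that the FMODE_LSEEK test had replaced, which matches the stated intent of a straight revert.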
--
2.35.1



2022-10-16 06:47:48

by Greg Kroah-Hartman

Subject: [PATCH 5.10 3/4] wifi: mac80211: don't parse mbssid in assoc response

From: Johannes Berg <[email protected]>

This is simply not valid and simplifies the next commit.
I'll make a separate patch for this in the current main
tree as well.

Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/mac80211/mlme.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3300,7 +3300,7 @@ static bool ieee80211_assoc_success(stru
}
capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems,
- mgmt->bssid, assoc_data->bss->bssid);
+ mgmt->bssid, NULL);

if (elems->aid_resp)
aid = le16_to_cpu(elems->aid_resp->aid);
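Review bot: the message says parsing a non-transmitted profile here "is simply not valid" without saying why; one sentence in the commit message giving the reason (an association response carries no Multiple BSSID element to split a profile out of, unlike a beacon or probe response) would let a stable reviewer judge the change without reading the spec. Passing NULL as the last argument means no scratch profile buffer is allocated for this parse, which is what keeps ieee80211_assoc_success out of the lifetime problem addressed in patch 4/4.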
@@ -3708,7 +3708,7 @@ static void ieee80211_rx_mgmt_assoc_resp
return;

ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
- mgmt->bssid, assoc_data->bss->bssid);
+ mgmt->bssid, NULL);

if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
elems.timeout_int &&
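Review bot: same change for ieee80211_rx_mgmt_assoc_resp; with both association-response callers now passing NULL, patch 4/4 is correct in adding no kfree of nontx_profile on this path. The message refers to "the next commit", but in this series the next patch is 2/4's sibling 4/4 (the use-after-free fix); naming it explicitly would avoid confusion when the two are picked into other trees.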


2022-10-16 06:47:58

by Greg Kroah-Hartman

Subject: [PATCH 5.10 4/4] wifi: mac80211: fix MBSSID parsing use-after-free

From: Johannes Berg <[email protected]>

Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream.
This is a different version of the commit, changed to store
the non-transmitted profile in the elems, and freeing it in
the few places where it's relevant, since that is only the
case when the last argument for parsing (the non-tx BSSID)
is non-NULL.

When we parse a multi-BSSID element, we might point some
element pointers into the allocated nontransmitted_profile.
However, we free this before returning, causing UAF when the
relevant pointers in the parsed elements are accessed.

Fix this by not allocating the scratch buffer separately but
as part of the returned structure instead, that way, there
are no lifetime issues with it.

The scratch buffer introduction as part of the returned data
here is taken from MLO feature work done by Ilan.

This fixes CVE-2022-42719.

Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
Co-developed-by: Ilan Peer <[email protected]>
Signed-off-by: Ilan Peer <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/mac80211/ieee80211_i.h | 2 ++
net/mac80211/mlme.c | 6 +++++-
net/mac80211/scan.c | 2 ++
net/mac80211/util.c | 7 ++++++-
4 files changed, 15 insertions(+), 2 deletions(-)

--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1551,6 +1551,8 @@ struct ieee802_11_elems {
u8 country_elem_len;
u8 bssid_index_len;

+ void *nontx_profile;
+
/* whether a parse error occurred while retrieving these elements */
bool parse_error;
};
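Review bot: `void *nontx_profile` now carries ownership of a kmalloc'd buffer that other element pointers in the same struct may reference, yet unlike the neighbouring `parse_error` it has no comment. Suggest documenting that whoever called ieee802_11_parse_elems with a non-NULL non-transmitting BSSID must kfree this field, and that the element pointers into it are only valid until that free.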
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3394,6 +3394,7 @@ static bool ieee80211_assoc_success(stru
sdata_info(sdata,
"AP bug: VHT operation missing from AssocResp\n");
}
+ kfree(bss_elems.nontx_profile);
}

/*
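Review bot: the kfree of bss_elems.nontx_profile sits at the end of the block that parsed the BSS elements; any early return between that parse and this line would leak the profile. Please confirm the block above the hunk has no such return, or route it through a single exit path as the beacon handler below does with `goto free`.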
@@ -4045,6 +4046,7 @@ static void ieee80211_rx_mgmt_beacon(str
ifmgd->assoc_data->timeout = jiffies;
ifmgd->assoc_data->timeout_started = true;
run_again(sdata, ifmgd->assoc_data->timeout);
+ kfree(elems.nontx_profile);
return;
}

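Review bot: this early return frees elems.nontx_profile inline, while the later hunks in the same function convert `return` to `goto free`; using the label here too would keep one exit path for the buffer and make any future early return in ieee80211_rx_mgmt_beacon harder to get wrong.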
@@ -4222,7 +4224,7 @@ static void ieee80211_rx_mgmt_beacon(str
ieee80211_report_disconnect(sdata, deauth_buf,
sizeof(deauth_buf), true,
WLAN_REASON_DEAUTH_LEAVING);
- return;
+ goto free;
}

if (sta && elems.opmode_notif)
@@ -4237,6 +4239,8 @@ static void ieee80211_rx_mgmt_beacon(str
elems.cisco_dtpc_elem);

ieee80211_bss_info_change_notify(sdata, changed);
+free:
+ kfree(elems.nontx_profile);
}

void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
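Review bot: the `free:` label after ieee80211_bss_info_change_notify covers both the deauth path from the previous hunk and the normal exit. Since kfree(NULL) is a no-op, the label is also correct when no profile was allocated (for example when the parse was called with a NULL non-transmitting BSSID), so no NULL check is needed before it.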
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -227,6 +227,8 @@ ieee80211_bss_info_update(struct ieee802
rx_status, beacon);
}

+ kfree(elems.nontx_profile);
+
return bss;
}

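Review bot: the free is placed after the last use of elems in ieee80211_bss_info_update, just before `return bss`. Because the bss being returned is populated from elems above, it is worth double-checking that nothing stored in bss still points into the profile buffer; a pointer copied out of elems and kept past this kfree would reintroduce exactly the pattern this series fixes.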
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1483,6 +1483,11 @@ u32 ieee802_11_parse_elems_crc(const u8
cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
nontransmitted_profile,
nontransmitted_profile_len);
+ if (!nontransmitted_profile_len) {
+ nontransmitted_profile_len = 0;
+ kfree(nontransmitted_profile);
+ nontransmitted_profile = NULL;
+ }
}

crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter,
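Review bot: inside `if (!nontransmitted_profile_len)` the assignment `nontransmitted_profile_len = 0;` is redundant, since the condition already guarantees it; drop it. The rest of the block is the right thing to do: freeing and NULLing the scratch buffer when no profile was found means `elems->nontx_profile` ends up NULL exactly when there is no non-transmitted profile, which callers can rely on.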
@@ -1512,7 +1517,7 @@ u32 ieee802_11_parse_elems_crc(const u8
offsetofend(struct ieee80211_bssid_index, dtim_count))
elems->dtim_count = elems->bssid_index->dtim_count;

- kfree(nontransmitted_profile);
+ elems->nontx_profile = nontransmitted_profile;

return crc;
}
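Review bot: this is the actual fix. The old `kfree(nontransmitted_profile)` ran while element pointers in elems still referred into that buffer, which is the use-after-free described in the message (CVE-2022-42719); handing the buffer to `elems->nontx_profile` instead moves its lifetime to the caller. Two things to verify: every exit from ieee802_11_parse_elems_crc between the allocation and this line must also reach this assignment (or free the buffer) so nothing leaks, and every caller that passes a non-NULL non-transmitting BSSID must now free the field, which in this series is covered by the mlme.c and scan.c hunks.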


2022-10-16 08:31:10

by Rudi Heitbaum

Subject: Re: [PATCH 5.10 0/4] 5.10.149-rc1 review

On Sun, Oct 16, 2022 at 08:46:10AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.149 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.

Hi Greg,

5.10.149-rc1 tested.

Run tested on:
- Intel Skylake x86_64 (nuc6 i5-6260U)

In addition - build tested for:
- Allwinner A64
- Allwinner H3
- Allwinner H5
- Allwinner H6
- Rockchip RK3288
- Rockchip RK3328
- Rockchip RK3399pro

Tested-by: Rudi Heitbaum <[email protected]>
--
Rudi

2022-10-16 10:00:13

by Pavel Machek

Subject: Re: [PATCH 5.10 0/4] 5.10.149-rc1 review

Hi!

> This is the start of the stable review cycle for the 5.10.149 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.

CIP testing did not find any problems here:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-5.10.y

Tested-by: Pavel Machek (CIP) <[email protected]>

Best regards,
Pavel

> Pseudo-Shortlog of commits:
>
> Greg Kroah-Hartman <[email protected]>
> Linux 5.10.149-rc1
>
> Johannes Berg <[email protected]>
> wifi: mac80211: fix MBSSID parsing use-after-free
>
> Johannes Berg <[email protected]>
> wifi: mac80211: don't parse mbssid in assoc response
>
> Johannes Berg <[email protected]>
> mac80211: mlme: find auth challenge directly
>
> Sasha Levin <[email protected]>
> Revert "fs: check FMODE_LSEEK to control internal pipe splicing"

But I'm confused. Queue seems to contain different stuff, and I see
these patches only in origin/linux-5.10.y.

43e0669893b3a57024beab4348b1038cf7b98af8 (origin/queue/5.10) regulator: qcom_rpm: Fix circular deferral regression
50af1850d6adaccd414656e51e66aa2192f7786a hwmon: (gsc-hwmon) Call of_node_get() before of_find_xxx API
7c8b9726479b0ee1275969c6e7b66bf0f6f701eb ASoC: wcd934x: fix order of Slimbus unprepare/disable
f010aef6ae5b81511f57f71175f2f46e98e22f42 ASoC: wcd9335: fix order of Slimbus unprepare/disable
ee39e253def995ca56788c767aba109070cec058 platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure
daa9a833bc179da7a759b35f70e3bd594d5dab5a quota: Check next/prev free block number after reading from quota file
d76384203c14e0afef7730a2a3016aac60ca8a79 HID: multitouch: Add memory barriers
..
79994c46b1cb8efd35211d95dbdf79c21173b17a ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free()
65cb91292340d565b98fa6f661cdb7465f4c9d67 ALSA: oss: Fix potential deadlock at unregistration
3783e64fee4a624f3ed1d7d6ae630890922edb7b (tag: v5.10.148) Linux 5.10.148

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



2022-10-16 20:02:34

by Guenter Roeck

Subject: Re: [PATCH 5.10 0/4] 5.10.149-rc1 review

On Sun, Oct 16, 2022 at 08:46:10AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.149 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.
>

Build results:
total: 163 pass: 163 fail: 0
Qemu test results:
total: 475 pass: 475 fail: 0

Tested-by: Guenter Roeck <[email protected]>

Guenter

2022-10-17 07:39:50

by Naresh Kamboju

Subject: Re: [PATCH 5.10 0/4] 5.10.149-rc1 review

On Sun, 16 Oct 2022 at 12:15, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 5.10.149 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro's test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <[email protected]>

## Build
* kernel: 5.10.149-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-5.10.y
* git commit: ac0fb49345eeba8af1ef393f8921b7fbe4e3f99f
* git describe: v5.10.148-5-gac0fb49345ee
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.10.y/build/v5.10.148-5-gac0fb49345ee

## No Test Regressions (compared to v5.10.147-55-g4ff6e9bba3ff)

## No Metric Regressions (compared to v5.10.147-55-g4ff6e9bba3ff)

## No Test Fixes (compared to v5.10.147-55-g4ff6e9bba3ff)

## No Metric Fixes (compared to v5.10.147-55-g4ff6e9bba3ff)


## Test result summary
total: 108684, pass: 93951, fail: 1340, skip: 13134, xfail: 259

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 333 total, 333 passed, 0 failed
* arm64: 65 total, 63 passed, 2 failed
* i386: 55 total, 53 passed, 2 failed
* mips: 56 total, 56 passed, 0 failed
* parisc: 12 total, 12 passed, 0 failed
* powerpc: 60 total, 55 passed, 5 failed
* riscv: 27 total, 27 passed, 0 failed
* s390: 24 total, 24 passed, 0 failed
* sh: 24 total, 24 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x86_64: 58 total, 56 passed, 2 failed

## Test suites summary
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-arm64/arm64.btitest.bti_c_func
* kselftest-arm64/arm64.btitest.bti_j_func
* kselftest-arm64/arm64.btitest.bti_jc_func
* kselftest-arm64/arm64.btitest.bti_none_func
* kselftest-arm64/arm64.btitest.nohint_func
* kselftest-arm64/arm64.btitest.paciasp_func
* kselftest-arm64/arm64.nobtitest.bti_c_func
* kselftest-arm64/arm64.nobtitest.bti_j_func
* kselftest-arm64/arm64.nobtitest.bti_jc_func
* kselftest-arm64/arm64.nobtitest.bti_none_func
* kselftest-arm64/arm64.nobtitest.nohint_func
* kselftest-arm64/arm64.nobtitest.paciasp_func
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-drivers-dma-buf
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-filesystems-binderfs
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-net-forwarding
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-cap_bounds
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-filecaps
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-fsx
* ltp-hugetlb
* ltp-io
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-open-posix-tests
* ltp-pty
* ltp-sched
* ltp-securebits
* ltp-syscalls
* ltp-tracing
* network-basic-tests
* perf
* perf/Zstd-perf.data-compression
* rcutorture
* v4l2-compliance
* vdso

--
Linaro LKFT
https://lkft.linaro.org

2022-10-17 09:15:02

by Sudip Mukherjee

Subject: Re: [PATCH 5.10 0/4] 5.10.149-rc1 review

Hi Greg,

On Sun, Oct 16, 2022 at 08:46:10AM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.149 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.

Build test (gcc version 11.3.1 20220925):
mips: 63 configs -> no failure
arm: 104 configs -> no failure
arm64: 3 configs -> no failure
x86_64: 4 configs -> no failure
alpha allmodconfig -> no failure
powerpc allmodconfig -> no failure
riscv allmodconfig -> no failure
s390 allmodconfig -> no failure
xtensa allmodconfig -> no failure

Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression. [1]
arm64: Booted on rpi4b (4GB model). No regression. [2]

[1]. https://openqa.qa.codethink.co.uk/tests/2011
[2]. https://openqa.qa.codethink.co.uk/tests/2012


Tested-by: Sudip Mukherjee <[email protected]>

--
Regards
Sudip

2022-10-17 19:01:00

by Florian Fainelli

Subject: Re: [PATCH 5.10 0/4] 5.10.149-rc1 review

On 10/15/22 23:46, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.149 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

On ARCH_BRCMSTB, using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:

Tested-by: Florian Fainelli <[email protected]>
--
Florian

2022-10-17 19:01:53

by Shuah Khan

Subject: Re: [PATCH 5.10 0/4] 5.10.149-rc1 review

On 10/16/22 00:46, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.149 release.
> There are 4 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 18 Oct 2022 06:44:46 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <[email protected]>

thanks,
-- Shuah