commit 09be132bfe3a3075ddf160cc75865370ea35a0aa Author: Greg Kroah-Hartman Date: Mon Oct 17 17:26:07 2022 +0200 Linux 5.10.149 Link: https://lore.kernel.org/r/20221016064454.382206984@linuxfoundation.org Tested-by: Rudi Heitbaum Tested-by: Pavel Machek (CIP) Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Tested-by: Sudip Mukherjee Tested-by: Jon Hunter Signed-off-by: Greg Kroah-Hartman commit 31ce5da48a845bac48930bbde1d45e7449591728 Author: Johannes Berg Date: Fri Oct 14 18:41:50 2022 +0200 wifi: mac80211: fix MBSSID parsing use-after-free Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream. This is a different version of the commit, changed to store the non-transmitted profile in the elems, and freeing it in the few places where it's relevant, since that is only the case when the last argument for parsing (the non-tx BSSID) is non-NULL. When we parse a multi-BSSID element, we might point some element pointers into the allocated nontransmitted_profile. However, we free this before returning, causing UAF when the relevant pointers in the parsed elements are accessed. Fix this by not allocating the scratch buffer separately but as part of the returned structure instead, that way, there are no lifetime issues with it. The scratch buffer introduction as part of the returned data here is taken from MLO feature work done by Ilan. This fixes CVE-2022-42719. Fixes: 5023b14cf4df ("mac80211: support profile split between elements") Co-developed-by: Ilan Peer Signed-off-by: Ilan Peer Reviewed-by: Kees Cook Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 353b5c8d4bea712774ccc631782ed8cc3630528a Author: Johannes Berg Date: Fri Oct 14 18:41:49 2022 +0200 wifi: mac80211: don't parse mbssid in assoc response This is simply not valid and simplifies the next commit. I'll make a separate patch for this in the current main tree as well. Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 66dacdbc2e830e1187bf0f1171ca257d816ab7e3 Author: Johannes Berg Date: Fri Oct 14 18:41:48 2022 +0200 mac80211: mlme: find auth challenge directly There's no need to parse all elements etc. just to find the authentication challenge - use cfg80211_find_elem() instead. This also allows us to remove WLAN_EID_CHALLENGE handling from the element parsing entirely. Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit a07708a843558658de1cdff63ae653e6dcb8c81a Author: Sasha Levin Date: Sat Oct 15 07:18:38 2022 -0400 Revert "fs: check FMODE_LSEEK to control internal pipe splicing" This reverts commit fd0a6e99b61e6c08fa5cf585d54fd956f70c73a6. Which was upstream commit 97ef77c52b789ec1411d360ed99dca1efe4b2c81. The commit is missing dependencies and breaks NFS tests, remove it for now. Reported-by: Saeed Mirzamohammadi Signed-off-by: Sasha Levin