4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 30 Mar 2024 09:50:17 +0000 (10:50 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 30 Mar 2024 09:50:17 +0000 (10:50 +0100)
added patches:
exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch

queue-4.19/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch [new file with mode: 0644]

diff --git a/queue-4.19/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch b/queue-4.19/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
new file mode 100644 (file)
index 0000000..d1ef390
--- /dev/null
@@ -0,0 +1,42 @@
+From 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 20 Mar 2024 11:26:07 -0700
+Subject: exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 upstream.
+
+In NOMMU kernel the value of linux_binprm::p is the offset inside the
+temporary program arguments array maintained in separate pages in the
+linux_binprm::page. linux_binprm::exec being a copy of linux_binprm::p
+thus must be adjusted when that array is copied to the user stack.
+Without that adjustment the value passed by the NOMMU kernel to the ELF
+program in the AT_EXECFN entry of the aux array doesn't make any sense
+and it may break programs that try to access memory pointed to by that
+entry.
+
+Adjust linux_binprm::exec before the successful return from the
+transfer_args_to_stack().
+
+Cc: <stable@vger.kernel.org>
+Fixes: b6a2fea39318 ("mm: variable length argument support")
+Fixes: 5edc2a5123a7 ("binfmt_elf_fdpic: wire up AT_EXECFD, AT_EXECFN, AT_SECURE")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Link: https://lore.kernel.org/r/20240320182607.1472887-1-jcmvbkbc@gmail.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exec.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -823,6 +823,7 @@ int transfer_args_to_stack(struct linux_
+                       goto out;
+       }
++      bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;
+       *sp_location = sp;
+ out:
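Review bot: The added `bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;` is order-dependent and carries no comment saying so. It reads `*sp_location` one line before `*sp_location = sp;` overwrites it, so swapping the two statements would presumably rebase against the post-copy stack pointer and again hand userspace a wrong AT_EXECFN address. I would add above it `/* bprm->exec is still an offset into bprm->page[]; rebase it to a user stack address before *sp_location is overwritten below */`. The adjustment sits after the `goto out` error exit, so it runs only on the success path, which matches the commit message. The copy loop and the rest of transfer_args_to_stack() lie outside the hunk, so the meaning of `sp` here is inferred.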
index d5a685b3d2fb39e4054a245a6be0df8c48b08639..34bc0a08c9f56348bc943534bc464b82993aca30 100644 (file)
@@ -79,6 +79,8 @@ vt-fix-unicode-buffer-corruption-when-deleting-characters.patch
 vt-fix-memory-overlapping-when-deleting-chars-in-the-buffer.patch
 mm-memory-failure-fix-an-incorrect-use-of-tail-pages.patch
 mm-migrate-set-swap-entry-values-of-thp-tail-pages-properly.patch
+wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
+exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
 fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch
 printk-update-console_may_schedule-in-console_tryloc.patch
 btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch
diff --git a/queue-4.19/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch b/queue-4.19/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
new file mode 100644 (file)
index 0000000..ef0a0ed
--- /dev/null
@@ -0,0 +1,44 @@
+From 4f2bdb3c5e3189297e156b3ff84b140423d64685 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 16 Mar 2024 08:43:36 +0100
+Subject: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 4f2bdb3c5e3189297e156b3ff84b140423d64685 upstream.
+
+When moving a station out of a VLAN and deleting the VLAN afterwards, the
+fast_rx entry still holds a pointer to the VLAN's netdev, which can cause
+use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx
+after the VLAN change.
+
+Cc: stable@vger.kernel.org
+Reported-by: ranygh@riseup.net
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://msgid.link/20240316074336.40442-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1548,15 +1548,14 @@ static int ieee80211_change_station(stru
+               }
+               if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
+-                  sta->sdata->u.vlan.sta) {
+-                      ieee80211_clear_fast_rx(sta);
++                  sta->sdata->u.vlan.sta)
+                       RCU_INIT_POINTER(sta->sdata->u.vlan.sta, NULL);
+-              }
+               if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
+                       ieee80211_vif_dec_num_mcast(sta->sdata);
+               sta->sdata = vlansdata;
++              ieee80211_check_fast_rx(sta);
+               ieee80211_check_fast_xmit(sta);
+               if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
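Review bot: The new `ieee80211_check_fast_rx(sta);` after `sta->sdata = vlansdata;` has no comment marking it as a lifetime fix, and next to `ieee80211_check_fast_xmit(sta);` it reads like a routine refresh that a later cleanup could drop. Per the commit message the fast_rx entry holds a pointer to the previous VLAN's netdev, so I would add `/* fast_rx caches the old sdata's netdev; re-evaluate it now so a later VLAN delete cannot leave a dangling pointer */` above the call. The removed `ieee80211_clear_fast_rx(sta)` ran only when `u.vlan.sta` was set, while the new call is unconditional in this block, which is what covers the non-4addr case. Since ieee80211_check_fast_rx() is not part of this hunk, it is worth confirming that the 4.19 version clears or rebuilds the entry for every interface type reachable here. ieee80211_change_station() starts and ends outside the hunk.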