From: Greg Kroah-Hartman Date: Sat, 30 Mar 2024 09:50:38 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v6.7.12~115 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d868222afa1784666769e01cab6cfc45b0d8c655;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch mmc-core-avoid-negative-index-with-array-access.patch mmc-core-initialize-mmc_blk_ioc_data.patch wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
---
diff --git a/queue-5.4/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch b/queue-5.4/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
new file mode 100644
index 00000000000..48c57d50ace
--- /dev/null
+++ b/queue-5.4/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
@@ -0,0 +1,42 @@
+From 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Wed, 20 Mar 2024 11:26:07 -0700
+Subject: exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
+
+From: Max Filippov
+
+commit 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 upstream.
+
+In NOMMU kernel the value of linux_binprm::p is the offset inside the
+temporary program arguments array maintained in separate pages in the
+linux_binprm::page. linux_binprm::exec being a copy of linux_binprm::p
+thus must be adjusted when that array is copied to the user stack.
+Without that adjustment the value passed by the NOMMU kernel to the ELF
+program in the AT_EXECFN entry of the aux array doesn't make any sense
+and it may break programs that try to access memory pointed to by that
+entry.
+
+Adjust linux_binprm::exec before the successful return from the
+transfer_args_to_stack().
+
+Cc:
+Fixes: b6a2fea39318 ("mm: variable length argument support")
+Fixes: 5edc2a5123a7 ("binfmt_elf_fdpic: wire up AT_EXECFD, AT_EXECFN, AT_SECURE")
+Signed-off-by: Max Filippov
+Link: https://lore.kernel.org/r/20240320182607.1472887-1-jcmvbkbc@gmail.com
+Signed-off-by: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/exec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -836,6 +836,7 @@ int transfer_args_to_stack(struct linux_
+ goto out;
+ }
+
++ bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;
+ *sp_location = sp;
+
+ out:
diff --git a/queue-5.4/mmc-core-avoid-negative-index-with-array-access.patch b/queue-5.4/mmc-core-avoid-negative-index-with-array-access.patch
new file mode 100644
index 00000000000..90c7cf3a877
--- /dev/null
+++ b/queue-5.4/mmc-core-avoid-negative-index-with-array-access.patch
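Review bot: The added `bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;` in the fs/exec.c hunk has to run before `*sp_location = sp;`, because it needs the value `*sp_location` held on entry, and nothing in the code records that ordering. A short comment above it would keep a later reorder from bringing back the meaningless AT_EXECFN value the commit message describes, for example `/* rebase bprm->exec from an offset in the arg pages to a user stack address; uses *sp_location before it is overwritten below */`. transfer_args_to_stack() starts and ends outside the hunk, so the loop that copies the pages and the type of bprm->exec cannot be checked from here and should be confirmed against the 5.4 tree.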
@@ -0,0 +1,37 @@
+From cf55a7acd1ed38afe43bba1c8a0935b51d1dc014 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli
+Date: Wed, 13 Mar 2024 15:37:44 +0200
+Subject: mmc: core: Avoid negative index with array access
+
+From: Mikko Rapeli
+
+commit cf55a7acd1ed38afe43bba1c8a0935b51d1dc014 upstream.
+
+Commit 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu") assigns
+prev_idata = idatas[i - 1], but doesn't check that the iterator i is
+greater than zero. Let's fix this by adding a check.
+
+Fixes: 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu")
+Link: https://lore.kernel.org/all/20231129092535.3278-1-avri.altman@wdc.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikko Rapeli
+Reviewed-by: Avri Altman
+Tested-by: Francesco Dolcini
+Link: https://lore.kernel.org/r/20240313133744.2405325-2-mikko.rapeli@linaro.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -511,7 +511,7 @@ static int __mmc_blk_ioctl_cmd(struct mm
+ if (idata->flags & MMC_BLK_IOC_DROP)
+ return 0;
+
+- if (idata->flags & MMC_BLK_IOC_SBC)
++ if (idata->flags & MMC_BLK_IOC_SBC && i > 0)
+ prev_idata = idatas[i - 1];
+
+ /*
diff --git a/queue-5.4/mmc-core-initialize-mmc_blk_ioc_data.patch b/queue-5.4/mmc-core-initialize-mmc_blk_ioc_data.patch
new file mode 100644
index 00000000000..a3fe3e4cec0
--- /dev/null
+++ b/queue-5.4/mmc-core-initialize-mmc_blk_ioc_data.patch
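Review bot: With the new `i > 0` guard in __mmc_blk_ioctl_cmd(), an entry that carries MMC_BLK_IOC_SBC at index 0 no longer reads `idatas[-1]`, but it is still processed, with prev_idata left at whatever it was initialised to. The declaration of prev_idata and all of its later uses are outside the hunk, so it is worth confirming in the 5.4 tree that it starts as NULL and that the later code tests the pointer rather than the flag. As a style point, parenthesising the bit test makes the precedence explicit: `if ((idata->flags & MMC_BLK_IOC_SBC) && i > 0)`.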
@@ -0,0 +1,41 @@
+From 0cdfe5b0bf295c0dee97436a8ed13336933a0211 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli
+Date: Wed, 13 Mar 2024 15:37:43 +0200
+Subject: mmc: core: Initialize mmc_blk_ioc_data
+
+From: Mikko Rapeli
+
+commit 0cdfe5b0bf295c0dee97436a8ed13336933a0211 upstream.
+
+Commit 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu") adds
+flags uint to struct mmc_blk_ioc_data, but it does not get initialized for
+RPMB ioctls which now fails.
+
+Let's fix this by always initializing the struct and flags to zero.
+
+Fixes: 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218587
+Link: https://lore.kernel.org/all/20231129092535.3278-1-avri.altman@wdc.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikko Rapeli
+Reviewed-by: Avri Altman
+Acked-by: Adrian Hunter
+Tested-by: Francesco Dolcini
+Link: https://lore.kernel.org/r/20240313133744.2405325-1-mikko.rapeli@linaro.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/core/block.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -358,7 +358,7 @@ static struct mmc_blk_ioc_data *mmc_blk_
+ struct mmc_blk_ioc_data *idata;
+ int err;
+
+- idata = kmalloc(sizeof(*idata), GFP_KERNEL);
++ idata = kzalloc(sizeof(*idata), GFP_KERNEL);
+ if (!idata) {
+ err = -ENOMEM;
+ goto out;
diff --git a/queue-5.4/series b/queue-5.4/series
index 7ca90b9c7fc..4d9a8627025 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
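Review bot: The switch to `kzalloc` in this hunk is the only thing that makes `flags` start at zero, yet the allocation carries no comment saying that later code depends on it. A one-line comment such as `/* zeroed: flags and any field not filled in afterwards must start at 0 */` would stop a later cleanup from going back to kmalloc. This patch and mmc-core-avoid-negative-index-with-array-access.patch both cite 4d0c8d0aef63, and an uninitialised flags word looks like one way the SBC bit could appear on a first entry, so the two are best kept together in any backport. The function body continues outside the hunk, so which fields are filled in afterwards is not visible here.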
@@ -110,3 +110,7 @@ bounds-support-non-power-of-two-config_nr_cpus.patch
 vt-fix-memory-overlapping-when-deleting-chars-in-the-buffer.patch
 mm-memory-failure-fix-an-incorrect-use-of-tail-pages.patch
 mm-migrate-set-swap-entry-values-of-thp-tail-pages-properly.patch
+wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
+exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
+mmc-core-initialize-mmc_blk_ioc_data.patch
+mmc-core-avoid-negative-index-with-array-access.patch
diff --git a/queue-5.4/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch b/queue-5.4/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
new file mode 100644
index 00000000000..a9bb388f801
--- /dev/null
+++ b/queue-5.4/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
@@ -0,0 +1,44 @@
+From 4f2bdb3c5e3189297e156b3ff84b140423d64685 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Sat, 16 Mar 2024 08:43:36 +0100
+Subject: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
+
+From: Felix Fietkau
+
+commit 4f2bdb3c5e3189297e156b3ff84b140423d64685 upstream.
+
+When moving a station out of a VLAN and deleting the VLAN afterwards, the
+fast_rx entry still holds a pointer to the VLAN's netdev, which can cause
+use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx
+after the VLAN change.
+
+Cc: stable@vger.kernel.org
+Reported-by: ranygh@riseup.net
+Signed-off-by: Felix Fietkau
+Link: https://msgid.link/20240316074336.40442-1-nbd@nbd.name
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/cfg.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1670,15 +1670,14 @@ static int ieee80211_change_station(stru
+ }
+
+ if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
+- sta->sdata->u.vlan.sta) {
+- ieee80211_clear_fast_rx(sta);
++ sta->sdata->u.vlan.sta)
+ RCU_INIT_POINTER(sta->sdata->u.vlan.sta, NULL);
+- }
+
+ if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
+ ieee80211_vif_dec_num_mcast(sta->sdata);
+
+ sta->sdata = vlansdata;
++ ieee80211_check_fast_rx(sta);
+ ieee80211_check_fast_xmit(sta);
+
+ if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
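Review bot: After this change the only call that deals with the stale fast_rx entry is `ieee80211_check_fast_rx(sta);`, placed after `sta->sdata = vlansdata;`, and the code does not say why it has to sit there. A comment above the call would record the ordering, for example `/* re-evaluate fast_rx against the new sdata so it cannot keep a pointer to the old VLAN netdev */`. The fix relies on ieee80211_check_fast_rx() replacing or clearing the existing entry on every path, including when the station no longer qualifies for fast rx; that function is not shown, so this should be confirmed against the 5.4 tree the patch is queued for. ieee80211_change_station() starts and ends outside the hunk.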