From: Greg Kroah-Hartman Date: Sat, 30 Mar 2024 09:50:17 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v6.7.12~116 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d9424dd376ac4116b02ded2b50baaf45aa8c1b67;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch --- diff --git a/queue-4.19/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch b/queue-4.19/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch new file mode 100644 index 00000000000..d1ef3907806 --- /dev/null +++ b/queue-4.19/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch 
@@ -0,0 +1,42 @@ +From 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 Mon Sep 17 00:00:00 2001 +From: Max Filippov +Date: Wed, 20 Mar 2024 11:26:07 -0700 +Subject: exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack() + +From: Max Filippov + +commit 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 upstream. + +In NOMMU kernel the value of linux_binprm::p is the offset inside the +temporary program arguments array maintained in separate pages in the +linux_binprm::page. linux_binprm::exec being a copy of linux_binprm::p +thus must be adjusted when that array is copied to the user stack. +Without that adjustment the value passed by the NOMMU kernel to the ELF +program in the AT_EXECFN entry of the aux array doesn't make any sense +and it may break programs that try to access memory pointed to by that +entry. + +Adjust linux_binprm::exec before the successful return from the +transfer_args_to_stack(). + +Cc: +Fixes: b6a2fea39318 ("mm: variable length argument support") +Fixes: 5edc2a5123a7 ("binfmt_elf_fdpic: wire up AT_EXECFD, AT_EXECFN, AT_SECURE") +Signed-off-by: Max Filippov +Link: https://lore.kernel.org/r/20240320182607.1472887-1-jcmvbkbc@gmail.com +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- + fs/exec.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -823,6 +823,7 @@ int transfer_args_to_stack(struct linux_ + goto out; + } + ++ bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE; + *sp_location = sp; + + out: diff --git a/queue-4.19/series b/queue-4.19/series index d5a685b3d2f..34bc0a08c9f 100644 --- a/queue-4.19/series +++ b/queue-4.19/series 
@@ -79,6 +79,8 @@ vt-fix-unicode-buffer-corruption-when-deleting-characters.patch vt-fix-memory-overlapping-when-deleting-chars-in-the-buffer.patch mm-memory-failure-fix-an-incorrect-use-of-tail-pages.patch mm-migrate-set-swap-entry-values-of-thp-tail-pages-properly.patch +wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch +exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch fs-aio-check-iocb_aio_rw-before-the-struct-aio_kiocb-conversion.patch printk-update-console_may_schedule-in-console_tryloc.patch btrfs-allocate-btrfs_ioctl_defrag_range_args-on-stack.patch diff --git a/queue-4.19/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch b/queue-4.19/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch new file mode 100644 index 00000000000..ef0a0ed0745 --- /dev/null +++ b/queue-4.19/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch 
@@ -0,0 +1,44 @@ +From 4f2bdb3c5e3189297e156b3ff84b140423d64685 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Sat, 16 Mar 2024 08:43:36 +0100 +Subject: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes + +From: Felix Fietkau + +commit 4f2bdb3c5e3189297e156b3ff84b140423d64685 upstream. + +When moving a station out of a VLAN and deleting the VLAN afterwards, the +fast_rx entry still holds a pointer to the VLAN's netdev, which can cause +use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx +after the VLAN change. + +Cc: stable@vger.kernel.org +Reported-by: ranygh@riseup.net +Signed-off-by: Felix Fietkau +Link: https://msgid.link/20240316074336.40442-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1548,15 +1548,14 @@ static int ieee80211_change_station(stru + } + + if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN && +- sta->sdata->u.vlan.sta) { +- ieee80211_clear_fast_rx(sta); ++ sta->sdata->u.vlan.sta) + RCU_INIT_POINTER(sta->sdata->u.vlan.sta, NULL); +- } + + if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) + ieee80211_vif_dec_num_mcast(sta->sdata); + + sta->sdata = vlansdata; ++ ieee80211_check_fast_rx(sta); + ieee80211_check_fast_xmit(sta); + + if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
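Review bot: In the fs/exec.c hunk, the added "bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;" is only correct because it reads *sp_location before the next line, "*sp_location = sp;", overwrites it, and nothing in the hunk records that ordering dependency. A short comment above the new line, saying that bprm->exec is still an offset into the temporary argument pages and is being rebased onto the user stack here, would keep a later cleanup from swapping or merging the two statements. The arithmetic also assumes that the value of *sp_location on entry corresponds to offset MAX_ARG_PAGES * PAGE_SIZE in the argument array. The visible lines do not show that, so it is worth confirming against the code above the hunk in the 4.19 tree before this goes out, since a wrong base would again hand userspace a meaningless AT_EXECFN pointer.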
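Review bot: In the net/mac80211/cfg.c hunk, dropping the explicit ieee80211_clear_fast_rx(sta) from the AP_VLAN branch means the stale fast_rx entry is now removed only if the new ieee80211_check_fast_rx(sta) call after "sta->sdata = vlansdata;" clears it on every path, including when the station is not eligible for fast rx on the new interface. The hunk does not show that function, so please confirm that the 4.19 version of ieee80211_check_fast_rx() clears the existing entry when it declines to install a new one. If it does not, the pointer to the old VLAN netdev described in the commit message survives the move. A one-line comment at the new call, stating that it replaces the earlier clear and must run after sdata is reassigned, would also make the ordering requirement visible to the next person touching this block.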