From 20afdc89f89ac810f86e4ea36ae350d6da84e155 Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@nbd.name>
Date: Mon, 27 May 2024 20:34:43 +0800
Subject: [PATCH 1/2] wifi: mac80211: check/clear fast rx for non-4addr sta
 VLAN changes

stable inclusion
from stable-v5.10.215
commit e8b067c4058c0121ac8ca71559df8e2e08ff1a7e
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q8YT
CVE: CVE-2024-35789

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e8b067c4058c0121ac8ca71559df8e2e08ff1a7e

---------------------------

commit 4f2bdb3c5e3189297e156b3ff84b140423d64685 upstream.

When moving a station out of a VLAN and deleting the VLAN afterwards, the
fast_rx entry still holds a pointer to the VLAN's netdev, which can cause
use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx
after the VLAN change.

Cc: stable@vger.kernel.org
Reported-by: ranygh@riseup.net
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://msgid.link/20240316074336.40442-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Liu Jian <liujian56@huawei.com>
(cherry picked from commit b06eeb160bb6de65c72d6dc863ebc5baecb22107)
---
 net/mac80211/cfg.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 70126518ad16..bede84209ecf 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1814,15 +1814,14 @@ static int ieee80211_change_station(struct wiphy *wiphy,
 		}
 
 		if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
-		    sta->sdata->u.vlan.sta) {
-			ieee80211_clear_fast_rx(sta);
+		    sta->sdata->u.vlan.sta)
 			RCU_INIT_POINTER(sta->sdata->u.vlan.sta, NULL);
-		}
 
 		if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
 			ieee80211_vif_dec_num_mcast(sta->sdata);
 
 		sta->sdata = vlansdata;
+		ieee80211_check_fast_rx(sta);
 		ieee80211_check_fast_xmit(sta);
 
 		if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {
-- 
Gitee


From 00d7ed14889234f066da2801b14dc57d7da544fa Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Tue, 28 May 2024 17:13:45 +0800
Subject: [PATCH 2/2] mptcp: use OPTION_MPTCP_MPJ_SYNACK in
 subflow_finish_connect()

mainline inclusion
from mainline-v6.8-rc1
commit be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9D1
CVE: CVE-2024-35840

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be1d9d9d38da922bd4beeec5b6dd821ff5a1dfeb

--------------------------------

subflow_finish_connect() uses four fields (backup, join_id, thmac, none)
that may contain garbage unless OPTION_MPTCP_MPJ_SYNACK has been set
in mptcp_parse_option()

Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Krystad <peter.krystad@linux.intel.com>
Cc: Matthieu Baerts <matttbe@kernel.org>
Cc: Mat Martineau <martineau@kernel.org>
Cc: Geliang Tang <geliang.tang@linux.dev>
Reviewed-by: Simon Horman <horms@kernel.org>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Link: https://lore.kernel.org/r/20240111194917.4044654-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Conflicts:
	net/mptcp/options.c
	net/mptcp/protocol.h
	net/mptcp/subflow.c
[The introduction of suboptions is from commit 74c7dfbee3e1, and
OPTION_MPTCP_MPJ_SYNACK assignment of suboptions is from commit 89e23277f9c1.
Just focus on OPTION_MPTCP_MPJ_SYNACK related logic.]
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
(cherry picked from commit 964bc2774b1c3f48f480dcb3bf05e58f3af67cdb)
---
 net/mptcp/options.c  | 2 ++
 net/mptcp/protocol.h | 1 +
 net/mptcp/subflow.c  | 3 ++-
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 2cc80a07ff23..501011bec8b8 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -113,6 +113,7 @@ static void mptcp_parse_option(const struct sk_buff *skb,
 				 mp_opt->backup, mp_opt->join_id,
 				 mp_opt->token, mp_opt->nonce);
 		} else if (opsize == TCPOLEN_MPTCP_MPJ_SYNACK) {
+			mp_opt->suboptions |= OPTION_MPTCP_MPJ_SYNACK;
 			mp_opt->backup = *ptr++ & MPTCPOPT_BACKUP;
 			mp_opt->join_id = *ptr++;
 			mp_opt->thmac = get_unaligned_be64(ptr);
@@ -299,6 +300,7 @@ void mptcp_get_options(const struct sk_buff *skb,
 	mp_opt->port = 0;
 	mp_opt->rm_addr = 0;
 	mp_opt->dss = 0;
+	mp_opt->suboptions = 0;
 
 	length = (th->doff * 4) - sizeof(struct tcphdr);
 	ptr = (const unsigned char *)(th + 1);
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index 3e5af8397434..9f8fb7b1f4fa 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -107,6 +107,7 @@ struct mptcp_options_received {
 		family : 4,
 		echo : 1,
 		backup : 1;
+	u16	suboptions;
 	u32	token;
 	u32	nonce;
 	u64	thmac;
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 9d2e73db4c27..1b73230c0262 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -323,7 +323,7 @@ static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb)
 	} else if (subflow->request_join) {
 		u8 hmac[SHA256_DIGEST_SIZE];
 
-		if (!mp_opt.mp_join)
+		if (!(mp_opt.suboptions & OPTION_MPTCP_MPJ_SYNACK))
 			goto do_reset;
 
 		subflow->thmac = mp_opt.thmac;
@@ -542,6 +542,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
 	 * are not parsed
 	 */
 	mp_opt.mp_capable = 0;
+	mp_opt.suboptions = 0;
 
 	/* hopefully temporary handling for MP_JOIN+syncookie */
 	subflow_req = mptcp_subflow_rsk(req);
-- 
Gitee