commit fd92cfed8bc6668d314acd1e6da708a80826f768
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Mon Oct 17 17:24:32 2022 +0200

    Linux 5.4.219
    
    Link: https://lore.kernel.org/r/20221016064454.327821011@linuxfoundation.org
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0cb5be43dc4b79da010522f79a06fa56f944d3cd
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Oct 14 18:47:05 2022 +0200

    wifi: mac80211: fix MBSSID parsing use-after-free
    
    Commit ff05d4b45dd89b922578dac497dcabf57cf771c6 upstream.
    This is a different version of the commit, changed to store
    the non-transmitted profile in the elems, and freeing it in
    the few places where it's relevant, since that is only the
    case when the last argument for parsing (the non-tx BSSID)
    is non-NULL.
    
    When we parse a multi-BSSID element, we might point some
    element pointers into the allocated nontransmitted_profile.
    However, we free this before returning, causing UAF when the
    relevant pointers in the parsed elements are accessed.
    
    Fix this by not allocating the scratch buffer separately but
    as part of the returned structure instead, that way, there
    are no lifetime issues with it.
    
    The scratch buffer introduction as part of the returned data
    here is taken from MLO feature work done by Ilan.
    
    This fixes CVE-2022-42719.
    
    Fixes: 5023b14cf4df ("mac80211: support profile split between elements")
    Co-developed-by: Ilan Peer <ilan.peer@intel.com>
    Signed-off-by: Ilan Peer <ilan.peer@intel.com>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9478c5f9c007b51e173a723ced44971c1a81ef42
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Oct 14 18:47:04 2022 +0200

    wifi: mac80211: don't parse mbssid in assoc response
    
    This is simply not valid and simplifies the next commit.
    I'll make a separate patch for this in the current main
    tree as well.
    
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7f441a6c90fe165b57b8514a5ae360344edc6d6d
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Oct 14 18:47:03 2022 +0200

    mac80211: mlme: find auth challenge directly
    
    There's no need to parse all elements etc. just to find the
    authentication challenge - use cfg80211_find_elem() instead.
    This also allows us to remove WLAN_EID_CHALLENGE handling
    from the element parsing entirely.
    
    Link: https://lore.kernel.org/r/20210920154009.45f9b3a15722.Ice3159ffad03a007d6154cbf1fb3a8c48489e86f@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c248c3330d5f09cbf08fb0d2025bcd075b0f8672
Author: Sasha Levin <sashal@kernel.org>
Date:   Sat Oct 15 07:18:38 2022 -0400

    Revert "fs: check FMODE_LSEEK to control internal pipe splicing"
    
    This reverts commit fd0a6e99b61e6c08fa5cf585d54fd956f70c73a6.
    
    Which was upstream commit 97ef77c52b789ec1411d360ed99dca1efe4b2c81.
    
    The commit is missing dependencies and breaks NFS tests, remove it for
    now.
    
    Reported-by: Saeed Mirzamohammadi <saeed.mirzamohammadi@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>