6.2-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 22 Apr 2023 16:23:12 +0000 (18:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 22 Apr 2023 16:23:12 +0000 (18:23 +0200)
added patches:
maple_tree-fix-a-potential-memory-leak-oob-access-or-other-unpredictable-bug.patch
maple_tree-fix-mas_empty_area-search.patch
maple_tree-make-maple-state-reusable-after-mas_empty_area_rev.patch
wifi-ath9k-don-t-mark-channelmap-stack-variable-read-only-in-ath9k_mci_update_wlan_channels.patch

queue-6.2/maple_tree-fix-a-potential-memory-leak-oob-access-or-other-unpredictable-bug.patch [new file with mode: 0644]
queue-6.2/maple_tree-fix-mas_empty_area-search.patch [new file with mode: 0644]
queue-6.2/maple_tree-make-maple-state-reusable-after-mas_empty_area_rev.patch [new file with mode: 0644]
queue-6.2/series
queue-6.2/wifi-ath9k-don-t-mark-channelmap-stack-variable-read-only-in-ath9k_mci_update_wlan_channels.patch [new file with mode: 0644]

diff --git a/queue-6.2/maple_tree-fix-a-potential-memory-leak-oob-access-or-other-unpredictable-bug.patch b/queue-6.2/maple_tree-fix-a-potential-memory-leak-oob-access-or-other-unpredictable-bug.patch
new file mode 100644 (file)
index 0000000..1baad6b
--- /dev/null
@@ -0,0 +1,67 @@
+From 1f5f12ece722aacea1769fb644f27790ede339dc Mon Sep 17 00:00:00 2001
+From: Peng Zhang <zhangpeng.00@bytedance.com>
+Date: Tue, 11 Apr 2023 12:10:04 +0800
+Subject: maple_tree: fix a potential memory leak, OOB access, or other unpredictable bug
+
+From: Peng Zhang <zhangpeng.00@bytedance.com>
+
+commit 1f5f12ece722aacea1769fb644f27790ede339dc upstream.
+
+In mas_alloc_nodes(), "node->node_count = 0" means to initialize the
+node_count field of the new node, but the node may not be a new node.  It
+may be a node that existed before and node_count has a value, setting it
+to 0 will cause a memory leak.  At this time, mas->alloc->total will be
+greater than the actual number of nodes in the linked list, which may
+cause many other errors.  For example, out-of-bounds access in
+mas_pop_node(), and mas_pop_node() may return addresses that should not be
+used.  Fix it by initializing node_count only for new nodes.
+
+Also, by the way, an if-else statement was removed to simplify the code.
+
+Link: https://lkml.kernel.org/r/20230411041005.26205-1-zhangpeng.00@bytedance.com
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Peng Zhang <zhangpeng.00@bytedance.com>
+Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/maple_tree.c |   19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -1298,26 +1298,21 @@ static inline void mas_alloc_nodes(struc
+       node = mas->alloc;
+       node->request_count = 0;
+       while (requested) {
+-              max_req = MAPLE_ALLOC_SLOTS;
+-              if (node->node_count) {
+-                      unsigned int offset = node->node_count;
+-
+-                      slots = (void **)&node->slot[offset];
+-                      max_req -= offset;
+-              } else {
+-                      slots = (void **)&node->slot;
+-              }
+-
++              max_req = MAPLE_ALLOC_SLOTS - node->node_count;
++              slots = (void **)&node->slot[node->node_count];
+               max_req = min(requested, max_req);
+               count = mt_alloc_bulk(gfp, max_req, slots);
+               if (!count)
+                       goto nomem_bulk;
++              if (node->node_count == 0) {
++                      node->slot[0]->node_count = 0;
++                      node->slot[0]->request_count = 0;
++              }
++
+               node->node_count += count;
+               allocated += count;
+               node = node->slot[0];
+-              node->node_count = 0;
+-              node->request_count = 0;
+               requested -= count;
+       }
+       mas->alloc->total = allocated;
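Review bot: The new `if (node->node_count == 0)` block placed right after `goto nomem_bulk` is correct only because `node->node_count` still holds the pre-bulk count at that point; the increment `node->node_count += count;` comes three lines later, and a future reorder would silently stop initialising the freshly allocated `slot[0]` before the walk descends into it. A one-line comment above the check would pin that ordering: `/* node_count is still the pre-bulk count: slot[0] is a fresh node only if this node had no children yet */`. The companion `max_req = MAPLE_ALLOC_SLOTS - node->node_count;` assumes node_count never exceeds MAPLE_ALLOC_SLOTS, which the loop maintains but nothing here asserts. mas_alloc_nodes() begins before this hunk and the nomem_bulk label is outside it.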
diff --git a/queue-6.2/maple_tree-fix-mas_empty_area-search.patch b/queue-6.2/maple_tree-fix-mas_empty_area-search.patch
new file mode 100644 (file)
index 0000000..9ae4c01
--- /dev/null
@@ -0,0 +1,65 @@
+From 06e8fd999334bcd76b4d72d7b9206d4aea89764e Mon Sep 17 00:00:00 2001
+From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
+Date: Fri, 14 Apr 2023 10:57:27 -0400
+Subject: maple_tree: fix mas_empty_area() search
+
+From: Liam R. Howlett <Liam.Howlett@oracle.com>
+
+commit 06e8fd999334bcd76b4d72d7b9206d4aea89764e upstream.
+
+The internal function of mas_awalk() was incorrectly skipping the last
+entry in a node, which could potentially be NULL.  This is only a problem
+for the left-most node in the tree - otherwise that NULL would not exist.
+
+Fix mas_awalk() by using the metadata to obtain the end of the node for
+the loop and the logical pivot as apposed to the raw pivot value.
+
+Link: https://lkml.kernel.org/r/20230414145728.4067069-2-Liam.Howlett@oracle.com
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Reported-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/maple_tree.c |   20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -5064,10 +5064,10 @@ static inline bool mas_anode_descend(str
+ {
+       enum maple_type type = mte_node_type(mas->node);
+       unsigned long pivot, min, gap = 0;
+-      unsigned char offset;
+-      unsigned long *gaps;
+-      unsigned long *pivots = ma_pivots(mas_mn(mas), type);
+-      void __rcu **slots = ma_slots(mas_mn(mas), type);
++      unsigned char offset, data_end;
++      unsigned long *gaps, *pivots;
++      void __rcu **slots;
++      struct maple_node *node;
+       bool found = false;
+       if (ma_is_dense(type)) {
+@@ -5075,13 +5075,15 @@ static inline bool mas_anode_descend(str
+               return true;
+       }
+-      gaps = ma_gaps(mte_to_node(mas->node), type);
++      node = mas_mn(mas);
++      pivots = ma_pivots(node, type);
++      slots = ma_slots(node, type);
++      gaps = ma_gaps(node, type);
+       offset = mas->offset;
+       min = mas_safe_min(mas, pivots, offset);
+-      for (; offset < mt_slots[type]; offset++) {
+-              pivot = mas_safe_pivot(mas, pivots, offset, type);
+-              if (offset && !pivot)
+-                      break;
++      data_end = ma_data_end(node, type, pivots, mas->max);
++      for (; offset <= data_end; offset++) {
++              pivot = mas_logical_pivot(mas, pivots, offset, type);
+               /* Not within lower bounds */
+               if (mas->index > pivot)
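Review bot: The new loop bound `for (; offset <= data_end; offset++)` replaces the `offset && !pivot` early break without a comment saying why, so a reader who sees a NULL pivot being visited may reintroduce the break and with it the skipped-last-entry bug the commit message describes. Suggest, above the `data_end = ma_data_end(...)` line: `/* Bound by the metadata end, not the first NULL pivot: the left-most node legitimately ends in a NULL entry that must still be searched. */`. The switch from `mas_safe_pivot()` to `mas_logical_pivot()` deserves the same one-line justification, since both remain available in the file. mas_anode_descend() continues past the end of this hunk, so the gap-size comparison that uses `pivot` is not visible here.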
diff --git a/queue-6.2/maple_tree-make-maple-state-reusable-after-mas_empty_area_rev.patch b/queue-6.2/maple_tree-make-maple-state-reusable-after-mas_empty_area_rev.patch
new file mode 100644 (file)
index 0000000..4c7f2b3
--- /dev/null
@@ -0,0 +1,99 @@
+From fad8e4291da5e3243e086622df63cb952db444d8 Mon Sep 17 00:00:00 2001
+From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
+Date: Fri, 14 Apr 2023 10:57:26 -0400
+Subject: maple_tree: make maple state reusable after mas_empty_area_rev()
+
+From: Liam R. Howlett <Liam.Howlett@oracle.com>
+
+commit fad8e4291da5e3243e086622df63cb952db444d8 upstream.
+
+Stop using maple state min/max for the range by passing through pointers
+for those values.  This will allow the maple state to be reused without
+resetting.
+
+Also add some logic to fail out early on searching with invalid
+arguments.
+
+Link: https://lkml.kernel.org/r/20230414145728.4067069-1-Liam.Howlett@oracle.com
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Liam R. Howlett <Liam.Howlett@oracle.com>
+Reported-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/maple_tree.c |   27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -4973,7 +4973,8 @@ not_found:
+  * Return: True if found in a leaf, false otherwise.
+  *
+  */
+-static bool mas_rev_awalk(struct ma_state *mas, unsigned long size)
++static bool mas_rev_awalk(struct ma_state *mas, unsigned long size,
++              unsigned long *gap_min, unsigned long *gap_max)
+ {
+       enum maple_type type = mte_node_type(mas->node);
+       struct maple_node *node = mas_mn(mas);
+@@ -5038,8 +5039,8 @@ static bool mas_rev_awalk(struct ma_stat
+       if (unlikely(ma_is_leaf(type))) {
+               mas->offset = offset;
+-              mas->min = min;
+-              mas->max = min + gap - 1;
++              *gap_min = min;
++              *gap_max = min + gap - 1;
+               return true;
+       }
+@@ -5315,6 +5316,9 @@ int mas_empty_area(struct ma_state *mas,
+       unsigned long *pivots;
+       enum maple_type mt;
++      if (min >= max)
++              return -EINVAL;
++
+       if (mas_is_start(mas))
+               mas_start(mas);
+       else if (mas->offset >= 2)
+@@ -5369,6 +5373,9 @@ int mas_empty_area_rev(struct ma_state *
+ {
+       struct maple_enode *last = mas->node;
++      if (min >= max)
++              return -EINVAL;
++
+       if (mas_is_start(mas)) {
+               mas_start(mas);
+               mas->offset = mas_data_end(mas);
+@@ -5388,7 +5395,7 @@ int mas_empty_area_rev(struct ma_state *
+       mas->index = min;
+       mas->last = max;
+-      while (!mas_rev_awalk(mas, size)) {
++      while (!mas_rev_awalk(mas, size, &min, &max)) {
+               if (last == mas->node) {
+                       if (!mas_rewind_node(mas))
+                               return -EBUSY;
+@@ -5403,17 +5410,9 @@ int mas_empty_area_rev(struct ma_state *
+       if (unlikely(mas->offset == MAPLE_NODE_SLOTS))
+               return -EBUSY;
+-      /*
+-       * mas_rev_awalk() has set mas->min and mas->max to the gap values.  If
+-       * the maximum is outside the window we are searching, then use the last
+-       * location in the search.
+-       * mas->max and mas->min is the range of the gap.
+-       * mas->index and mas->last are currently set to the search range.
+-       */
+-
+       /* Trim the upper limit to the max. */
+-      if (mas->max <= mas->last)
+-              mas->last = mas->max;
++      if (max <= mas->last)
++              mas->last = max;
+       mas->index = mas->last - size + 1;
+       return 0;
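Review bot: The new `if (min >= max) return -EINVAL;` added to both mas_empty_area() and mas_empty_area_rev() rejects `min == max`, which is a valid one-entry window for a `size == 1` request; if that is not intended the test should be `min > max`, and neither guard checks that `size` is non-zero or fits the window, so an impossible request presumably still walks the tree before failing. A single combined guard would cover both: `if (min > max || size == 0 || max - min < size - 1) return -EINVAL;` (the `size == 0` test must come first to keep `size - 1` from wrapping). Separately, mas_rev_awalk() gained the `gap_min`/`gap_max` out-parameters but its kernel-doc block, whose tail is visible just above the signature, has its parameter list outside the hunk — confirm `@gap_min`/`@gap_max` entries were added or kernel-doc will warn. Both callers' bodies extend beyond their hunks.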
index 6b68bbbac1c1a97dcac86fb5194f4de27d662912..34863be53447e4dfedbf696402aa4262babb47f5 100644 (file)
@@ -64,3 +64,7 @@ loongarch-module-set-section-addresses-to-0x0.patch
 loongarch-check-unwind_error-in-arch_stack_walk.patch
 loongarch-fix-probing-of-the-crc32-feature.patch
 loongarch-mark-3-symbol-exports-as-non-gpl.patch
+wifi-ath9k-don-t-mark-channelmap-stack-variable-read-only-in-ath9k_mci_update_wlan_channels.patch
+maple_tree-make-maple-state-reusable-after-mas_empty_area_rev.patch
+maple_tree-fix-mas_empty_area-search.patch
+maple_tree-fix-a-potential-memory-leak-oob-access-or-other-unpredictable-bug.patch
diff --git a/queue-6.2/wifi-ath9k-don-t-mark-channelmap-stack-variable-read-only-in-ath9k_mci_update_wlan_channels.patch b/queue-6.2/wifi-ath9k-don-t-mark-channelmap-stack-variable-read-only-in-ath9k_mci_update_wlan_channels.patch
new file mode 100644 (file)
index 0000000..2d78762
--- /dev/null
@@ -0,0 +1,47 @@
+From 0f2a4af27b649c13ba76431552fe49c60120d0f6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>
+Date: Thu, 13 Apr 2023 23:41:18 +0200
+Subject: wifi: ath9k: Don't mark channelmap stack variable read-only in ath9k_mci_update_wlan_channels()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@toke.dk>
+
+commit 0f2a4af27b649c13ba76431552fe49c60120d0f6 upstream.
+
+This partially reverts commit e161d4b60ae3a5356e07202e0bfedb5fad82c6aa.
+
+Turns out the channelmap variable is not actually read-only, it's modified
+through the MCI_GPM_CLR_CHANNEL_BIT() macro further down in the function,
+so making it read-only causes page faults when that code is hit.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=217183
+Link: https://lore.kernel.org/r/20230413214118.153781-1-toke@toke.dk
+Fixes: e161d4b60ae3 ("wifi: ath9k: Make arrays prof_prio and channelmap static const")
+Cc: stable@vger.kernel.org
+Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath9k/mci.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/mci.c b/drivers/net/wireless/ath/ath9k/mci.c
+index 3363fc4e8966..a0845002d6fe 100644
+--- a/drivers/net/wireless/ath/ath9k/mci.c
++++ b/drivers/net/wireless/ath/ath9k/mci.c
+@@ -646,9 +646,7 @@ void ath9k_mci_update_wlan_channels(struct ath_softc *sc, bool allow_all)
+       struct ath_hw *ah = sc->sc_ah;
+       struct ath9k_hw_mci *mci = &ah->btcoex_hw.mci;
+       struct ath9k_channel *chan = ah->curchan;
+-      static const u32 channelmap[] = {
+-              0x00000000, 0xffff0000, 0xffffffff, 0x7fffffff
+-      };
++      u32 channelmap[] = {0x00000000, 0xffff0000, 0xffffffff, 0x7fffffff};
+       int i;
+       s16 chan_start, chan_end;
+       u16 wlan_chan;
+-- 
+2.40.0
+
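Review bot: The restored `u32 channelmap[] = {...}` carries no hint that the array is written later in the function, so the same constification that caused the rodata write fault can easily be re-applied by the next cleanup pass (static-analysis tools suggest `const` for any array they cannot see mutated). A short comment on the declaration would make the intent durable: `/* Mutated below via MCI_GPM_CLR_CHANNEL_BIT(); must stay a writable per-call copy, not static const. */`. Dropping `static` as well as `const` is necessary here, since a `static` non-const array would otherwise carry cleared bits over to the next call. The function body and the MCI_GPM_CLR_CHANNEL_BIT() use are outside the hunk.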