--- /dev/null
+From 937e79c67740d1d84736730d679f3cb2552f990e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 20 Oct 2021 11:59:07 +0300
+Subject: ath10k: fix invalid dma_addr_t token assignment
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 937e79c67740d1d84736730d679f3cb2552f990e upstream.
+
+Using a kernel pointer in place of a dma_addr_t token can
+lead to undefined behavior if that makes it into cache
+management functions. The compiler caught one such attempt
+in a cast:
+
+drivers/net/wireless/ath/ath10k/mac.c: In function 'ath10k_add_interface':
+drivers/net/wireless/ath/ath10k/mac.c:5586:47: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
+ 5586 | arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
+ | ^
+
+Looking through how this gets used down the way, I'm fairly
+sure that beacon_paddr is never accessed again for ATH10K_DEV_TYPE_HL
+devices, and if it was accessed, that would be a bug.
+
+Change the assignment to use a known-invalid address token
+instead, which avoids the warning and makes it easier to catch
+bugs if it does end up getting used.
+
+Fixes: e263bdab9c0e ("ath10k: high latency fixes for beacon buffer")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211014075153.3655910-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -5473,7 +5473,15 @@ static int ath10k_add_interface(struct i
+ if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL) {
+ arvif->beacon_buf = kmalloc(IEEE80211_MAX_FRAME_LEN,
+ GFP_KERNEL);
+- arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
++
++ /* Using a kernel pointer in place of a dma_addr_t
++ * token can lead to undefined behavior if that
++ * makes it into cache management functions. Use a
++ * known-invalid address token instead, which
++ * avoids the warning and makes it easier to catch
++ * bugs if it does end up getting used.
++ */
++ arvif->beacon_paddr = DMA_MAPPING_ERROR;
+ } else {
+ arvif->beacon_buf =
+ dma_alloc_coherent(ar->dev,
--- /dev/null
+From 0eab756f8821d255016c63bb55804c429ff4bdb1 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 13 Oct 2021 11:00:52 +0100
+Subject: mmc: moxart: Fix null pointer dereference on pointer host
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 0eab756f8821d255016c63bb55804c429ff4bdb1 upstream.
+
+There are several error return paths that dereference the null pointer
+host because the pointer has not yet been set to a valid value.
+Fix this by adding a new out_mmc label and exiting via this label
+to avoid the host clean up and hence the null pointer dereference.
+
+Addresses-Coverity: ("Explicit null dereference")
+Fixes: 8105c2abbf36 ("mmc: moxart: Fix reference count leaks in moxart_probe")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20211013100052.125461-1-colin.king@canonical.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/moxart-mmc.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -569,37 +569,37 @@ static int moxart_probe(struct platform_
+ if (!mmc) {
+ dev_err(dev, "mmc_alloc_host failed\n");
+ ret = -ENOMEM;
+- goto out;
++ goto out_mmc;
+ }
+
+ ret = of_address_to_resource(node, 0, &res_mmc);
+ if (ret) {
+ dev_err(dev, "of_address_to_resource failed\n");
+- goto out;
++ goto out_mmc;
+ }
+
+ irq = irq_of_parse_and_map(node, 0);
+ if (irq <= 0) {
+ dev_err(dev, "irq_of_parse_and_map failed\n");
+ ret = -EINVAL;
+- goto out;
++ goto out_mmc;
+ }
+
+ clk = devm_clk_get(dev, NULL);
+ if (IS_ERR(clk)) {
+ ret = PTR_ERR(clk);
+- goto out;
++ goto out_mmc;
+ }
+
+ reg_mmc = devm_ioremap_resource(dev, &res_mmc);
+ if (IS_ERR(reg_mmc)) {
+ ret = PTR_ERR(reg_mmc);
+- goto out;
++ goto out_mmc;
+ }
+
+ ret = mmc_of_parse(mmc);
+ if (ret)
+- goto out;
++ goto out_mmc;
+
+ host = mmc_priv(mmc);
+ host->mmc = mmc;
+@@ -690,6 +690,7 @@ out:
+ dma_release_channel(host->dma_chan_tx);
+ if (!IS_ERR_OR_NULL(host->dma_chan_rx))
+ dma_release_channel(host->dma_chan_rx);
++out_mmc:
+ if (mmc)
+ mmc_free_host(mmc);
+ return ret;
--- /dev/null
+From a20eac0af02810669e187cb623bc904908c423af Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andrii@kernel.org>
+Date: Mon, 1 Nov 2021 16:01:18 -0700
+Subject: selftests/bpf: Fix also no-alu32 strobemeta selftest
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+commit a20eac0af02810669e187cb623bc904908c423af upstream.
+
+Previous fix aded bpf_clamp_umax() helper use to re-validate boundaries.
+While that works correctly, it introduces more branches, which blows up
+past 1 million instructions in no-alu32 variant of strobemeta selftests.
+
+Switching len variable from u32 to u64 also fixes the issue and reduces
+the number of validated instructions, so use that instead. Fix this
+patch and bpf_clamp_umax() removed, both alu32 and no-alu32 selftests
+pass.
+
+Fixes: 0133c20480b1 ("selftests/bpf: Fix strobemeta selftest regression")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20211101230118.1273019-1-andrii@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/progs/strobemeta.h | 15 ++-------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+--- a/tools/testing/selftests/bpf/progs/strobemeta.h
++++ b/tools/testing/selftests/bpf/progs/strobemeta.h
+@@ -10,14 +10,6 @@
+ #include <linux/types.h>
+ #include <bpf/bpf_helpers.h>
+
+-#define bpf_clamp_umax(VAR, UMAX) \
+- asm volatile ( \
+- "if %0 <= %[max] goto +1\n" \
+- "%0 = %[max]\n" \
+- : "+r"(VAR) \
+- : [max]"i"(UMAX) \
+- )
+-
+ typedef uint32_t pid_t;
+ struct task_struct {};
+
+@@ -366,7 +358,7 @@ static __always_inline uint64_t read_str
+ void *payload)
+ {
+ void *location;
+- uint32_t len;
++ uint64_t len;
+
+ data->str_lens[idx] = 0;
+ location = calc_location(&cfg->str_locs[idx], tls_base);
+@@ -398,7 +390,7 @@ static __always_inline void *read_map_va
+ struct strobe_map_descr* descr = &data->map_descrs[idx];
+ struct strobe_map_raw map;
+ void *location;
+- uint32_t len;
++ uint64_t len;
+ int i;
+
+ descr->tag_len = 0; /* presume no tag is set */
+@@ -421,7 +413,6 @@ static __always_inline void *read_map_va
+
+ len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN, map.tag);
+ if (len <= STROBE_MAX_STR_LEN) {
+- bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->tag_len = len;
+ payload += len;
+ }
+@@ -439,7 +430,6 @@ static __always_inline void *read_map_va
+ len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN,
+ map.entries[i].key);
+ if (len <= STROBE_MAX_STR_LEN) {
+- bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->key_lens[i] = len;
+ payload += len;
+ }
+@@ -447,7 +437,6 @@ static __always_inline void *read_map_va
+ len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN,
+ map.entries[i].val);
+ if (len <= STROBE_MAX_STR_LEN) {
+- bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->val_lens[i] = len;
+ payload += len;
+ }
pci-add-pci_exp_devctl_payload_-macros.patch
pci-aardvark-fix-pcie-max-payload-size-setting.patch
sunrpc-partial-revert-of-commit-6f9f17287e78.patch
+ath10k-fix-invalid-dma_addr_t-token-assignment.patch
+mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
+selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
