5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Nov 2021 10:50:03 +0000 (11:50 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Nov 2021 10:50:03 +0000 (11:50 +0100)
added patches:
ath10k-fix-invalid-dma_addr_t-token-assignment.patch
cifs-fix-memory-leak-of-smb3_fs_context_dup-server_hostname.patch
mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch
selftests-x86-iopl-adjust-to-the-faked-iopl-cli-sti-usage.patch

queue-5.15/ath10k-fix-invalid-dma_addr_t-token-assignment.patch [new file with mode: 0644]
queue-5.15/cifs-fix-memory-leak-of-smb3_fs_context_dup-server_hostname.patch [new file with mode: 0644]
queue-5.15/mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch [new file with mode: 0644]
queue-5.15/selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch [new file with mode: 0644]
queue-5.15/selftests-x86-iopl-adjust-to-the-faked-iopl-cli-sti-usage.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/ath10k-fix-invalid-dma_addr_t-token-assignment.patch b/queue-5.15/ath10k-fix-invalid-dma_addr_t-token-assignment.patch
new file mode 100644 (file)
index 0000000..bf801c2
--- /dev/null
@@ -0,0 +1,55 @@
+From 937e79c67740d1d84736730d679f3cb2552f990e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 20 Oct 2021 11:59:07 +0300
+Subject: ath10k: fix invalid dma_addr_t token assignment
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 937e79c67740d1d84736730d679f3cb2552f990e upstream.
+
+Using a kernel pointer in place of a dma_addr_t token can
+lead to undefined behavior if that makes it into cache
+management functions. The compiler caught one such attempt
+in a cast:
+
+drivers/net/wireless/ath/ath10k/mac.c: In function 'ath10k_add_interface':
+drivers/net/wireless/ath/ath10k/mac.c:5586:47: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
+ 5586 |                         arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
+      |                                               ^
+
+Looking through how this gets used down the way, I'm fairly
+sure that beacon_paddr is never accessed again for ATH10K_DEV_TYPE_HL
+devices, and if it was accessed, that would be a bug.
+
+Change the assignment to use a known-invalid address token
+instead, which avoids the warning and makes it easier to catch
+bugs if it does end up getting used.
+
+Fixes: e263bdab9c0e ("ath10k: high latency fixes for beacon buffer")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211014075153.3655910-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -5583,7 +5583,15 @@ static int ath10k_add_interface(struct i
+               if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL) {
+                       arvif->beacon_buf = kmalloc(IEEE80211_MAX_FRAME_LEN,
+                                                   GFP_KERNEL);
+-                      arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
++
++                      /* Using a kernel pointer in place of a dma_addr_t
++                       * token can lead to undefined behavior if that
++                       * makes it into cache management functions. Use a
++                       * known-invalid address token instead, which
++                       * avoids the warning and makes it easier to catch
++                       * bugs if it does end up getting used.
++                       */
++                      arvif->beacon_paddr = DMA_MAPPING_ERROR;
+               } else {
+                       arvif->beacon_buf =
+                               dma_alloc_coherent(ar->dev,
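Review bot: The kmalloc() two lines above the new assignment is still unchecked inside this hunk, so `beacon_buf` can be NULL when the HL branch falls through; if the shared `if (!arvif->beacon_buf)` bail-out sits below the else branch (outside the hunk) that is fine, otherwise an `-ENOMEM` return belongs here. The DMA_MAPPING_ERROR sentinel only pays off if a consumer tests it, so the teardown or beacon-programming path that reads `beacon_paddr` should carry `WARN_ON_ONCE(dma_mapping_error(ar->dev, arvif->beacon_paddr))` or an equivalent guard, otherwise a stray use is still a silent bad address. The seven-line comment repeats the commit message; `/* No DMA mapping for HL devices; poison paddr so any use is caught. */` says the same in one line. ath10k_add_interface continues outside the hunk.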
diff --git a/queue-5.15/cifs-fix-memory-leak-of-smb3_fs_context_dup-server_hostname.patch b/queue-5.15/cifs-fix-memory-leak-of-smb3_fs_context_dup-server_hostname.patch
new file mode 100644 (file)
index 0000000..c7f5f92
--- /dev/null
@@ -0,0 +1,71 @@
+From 869da64d071142d4ed562a3e909deb18e4e72c4e Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@cjr.nz>
+Date: Fri, 12 Nov 2021 14:53:36 -0300
+Subject: cifs: fix memory leak of smb3_fs_context_dup::server_hostname
+
+From: Paulo Alcantara <pc@cjr.nz>
+
+commit 869da64d071142d4ed562a3e909deb18e4e72c4e upstream.
+
+Fix memory leak of smb3_fs_context_dup::server_hostname when parsing
+and duplicating fs contexts during mount(2) as reported by kmemleak:
+
+  unreferenced object 0xffff888125715c90 (size 16):
+    comm "mount.cifs", pid 3832, jiffies 4304535868 (age 190.094s)
+    hex dump (first 16 bytes):
+      7a 65 6c 64 61 2e 74 65 73 74 00 6b 6b 6b 6b a5  zelda.test.kkkk.
+    backtrace:
+      [<ffffffff8168106e>] kstrdup+0x2e/0x60
+      [<ffffffffa027a362>] smb3_fs_context_dup+0x392/0x8d0 [cifs]
+      [<ffffffffa0136353>] cifs_smb3_do_mount+0x143/0x1700 [cifs]
+      [<ffffffffa02795e8>] smb3_get_tree+0x2e8/0x520 [cifs]
+      [<ffffffff817a19aa>] vfs_get_tree+0x8a/0x2d0
+      [<ffffffff8181e3e3>] path_mount+0x423/0x1a10
+      [<ffffffff8181fbca>] __x64_sys_mount+0x1fa/0x270
+      [<ffffffff83ae364b>] do_syscall_64+0x3b/0x90
+      [<ffffffff83c0007c>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+  unreferenced object 0xffff888111deed20 (size 32):
+    comm "mount.cifs", pid 3832, jiffies 4304536044 (age 189.918s)
+    hex dump (first 32 bytes):
+      44 46 53 52 4f 4f 54 31 2e 5a 45 4c 44 41 2e 54  DFSROOT1.ZELDA.T
+      45 53 54 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5  EST.kkkkkkkkkkk.
+    backtrace:
+      [<ffffffff8168118d>] kstrndup+0x2d/0x90
+      [<ffffffffa027ab2e>] smb3_parse_devname+0x9e/0x360 [cifs]
+      [<ffffffffa01870c8>] cifs_setup_volume_info+0xa8/0x470 [cifs]
+      [<ffffffffa018c469>] connect_dfs_target+0x309/0xc80 [cifs]
+      [<ffffffffa018d6cb>] cifs_mount+0x8eb/0x17f0 [cifs]
+      [<ffffffffa0136475>] cifs_smb3_do_mount+0x265/0x1700 [cifs]
+      [<ffffffffa02795e8>] smb3_get_tree+0x2e8/0x520 [cifs]
+      [<ffffffff817a19aa>] vfs_get_tree+0x8a/0x2d0
+      [<ffffffff8181e3e3>] path_mount+0x423/0x1a10
+      [<ffffffff8181fbca>] __x64_sys_mount+0x1fa/0x270
+      [<ffffffff83ae364b>] do_syscall_64+0x3b/0x90
+      [<ffffffff83c0007c>] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 7be3248f3139 ("cifs: To match file servers, make sure the server hostname matches")
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/fs_context.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -307,6 +307,7 @@ smb3_fs_context_dup(struct smb3_fs_conte
+       new_ctx->nodename = NULL;
+       new_ctx->username = NULL;
+       new_ctx->password = NULL;
++      new_ctx->server_hostname = NULL;
+       new_ctx->domainname = NULL;
+       new_ctx->UNC = NULL;
+       new_ctx->source = NULL;
+@@ -458,6 +459,7 @@ smb3_parse_devname(const char *devname,
+               return -EINVAL;
+       /* record the server hostname */
++      kfree(ctx->server_hostname);
+       ctx->server_hostname = kstrndup(devname + 2, pos - devname - 2, GFP_KERNEL);
+       if (!ctx->server_hostname)
+               return -ENOMEM;
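Review bot: The new `kfree(ctx->server_hostname)` is only correct if every path that sets `server_hostname` stores a heap string and `smb3_cleanup_fs_context_contents()` frees it on teardown, neither of which is visible in this hunk; the second object in the kmemleak report suggests the re-parse during DFS connect is exactly the path that overwrote the earlier value. That reasoning deserves a comment so the next reader does not "simplify" the kfree away, e.g. `/* record the server hostname; drop any value left from an earlier parse (fs_context dup, DFS re-parse) */` in place of the existing one-liner. Note that `kfree(NULL)` is a no-op and a failed `kstrndup()` leaves the field NULL, so the `-ENOMEM` path is safe for the caller's cleanup. smb3_parse_devname continues outside the hunk.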
diff --git a/queue-5.15/mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch b/queue-5.15/mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
new file mode 100644 (file)
index 0000000..20949dd
--- /dev/null
@@ -0,0 +1,78 @@
+From 0eab756f8821d255016c63bb55804c429ff4bdb1 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 13 Oct 2021 11:00:52 +0100
+Subject: mmc: moxart: Fix null pointer dereference on pointer host
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 0eab756f8821d255016c63bb55804c429ff4bdb1 upstream.
+
+There are several error return paths that dereference the null pointer
+host because the pointer has not yet been set to a valid value.
+Fix this by adding a new out_mmc label and exiting via this label
+to avoid the host clean up and hence the null pointer dereference.
+
+Addresses-Coverity: ("Explicit null dereference")
+Fixes: 8105c2abbf36 ("mmc: moxart: Fix reference count leaks in moxart_probe")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20211013100052.125461-1-colin.king@canonical.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/moxart-mmc.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -566,37 +566,37 @@ static int moxart_probe(struct platform_
+       if (!mmc) {
+               dev_err(dev, "mmc_alloc_host failed\n");
+               ret = -ENOMEM;
+-              goto out;
++              goto out_mmc;
+       }
+       ret = of_address_to_resource(node, 0, &res_mmc);
+       if (ret) {
+               dev_err(dev, "of_address_to_resource failed\n");
+-              goto out;
++              goto out_mmc;
+       }
+       irq = irq_of_parse_and_map(node, 0);
+       if (irq <= 0) {
+               dev_err(dev, "irq_of_parse_and_map failed\n");
+               ret = -EINVAL;
+-              goto out;
++              goto out_mmc;
+       }
+       clk = devm_clk_get(dev, NULL);
+       if (IS_ERR(clk)) {
+               ret = PTR_ERR(clk);
+-              goto out;
++              goto out_mmc;
+       }
+       reg_mmc = devm_ioremap_resource(dev, &res_mmc);
+       if (IS_ERR(reg_mmc)) {
+               ret = PTR_ERR(reg_mmc);
+-              goto out;
++              goto out_mmc;
+       }
+       ret = mmc_of_parse(mmc);
+       if (ret)
+-              goto out;
++              goto out_mmc;
+       host = mmc_priv(mmc);
+       host->mmc = mmc;
+@@ -687,6 +687,7 @@ out:
+               dma_release_channel(host->dma_chan_tx);
+       if (!IS_ERR_OR_NULL(host->dma_chan_rx))
+               dma_release_channel(host->dma_chan_rx);
++out_mmc:
+       if (mmc)
+               mmc_free_host(mmc);
+       return ret;
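Review bot: The new `out_mmc:` label relies on `host` not having been assigned yet, but nothing at the label says so, and the next error path added between `mmc_of_parse()` and `host = mmc_priv(mmc)` will have to rediscover that; a one-line comment on the label, `out_mmc: /* host not yet valid: only the mmc host may be freed here */`, records the invariant. The IRQ returned by `irq_of_parse_and_map()` is not disposed on either label when a later step fails; that is pre-existing and may be left to the platform, but since the error paths are being reshuffled an `irq_dispose_mapping(irq)` guarded by `irq > 0` is worth considering. moxart_probe continues outside the hunk.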
diff --git a/queue-5.15/selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch b/queue-5.15/selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch
new file mode 100644 (file)
index 0000000..1112fa3
--- /dev/null
@@ -0,0 +1,86 @@
+From a20eac0af02810669e187cb623bc904908c423af Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andrii@kernel.org>
+Date: Mon, 1 Nov 2021 16:01:18 -0700
+Subject: selftests/bpf: Fix also no-alu32 strobemeta selftest
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+commit a20eac0af02810669e187cb623bc904908c423af upstream.
+
+Previous fix aded bpf_clamp_umax() helper use to re-validate boundaries.
+While that works correctly, it introduces more branches, which blows up
+past 1 million instructions in no-alu32 variant of strobemeta selftests.
+
+Switching len variable from u32 to u64 also fixes the issue and reduces
+the number of validated instructions, so use that instead. Fix this
+patch and bpf_clamp_umax() removed, both alu32 and no-alu32 selftests
+pass.
+
+Fixes: 0133c20480b1 ("selftests/bpf: Fix strobemeta selftest regression")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20211101230118.1273019-1-andrii@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/progs/strobemeta.h |   15 ++-------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+--- a/tools/testing/selftests/bpf/progs/strobemeta.h
++++ b/tools/testing/selftests/bpf/progs/strobemeta.h
+@@ -10,14 +10,6 @@
+ #include <linux/types.h>
+ #include <bpf/bpf_helpers.h>
+-#define bpf_clamp_umax(VAR, UMAX)                                     \
+-      asm volatile (                                                  \
+-              "if %0 <= %[max] goto +1\n"                             \
+-              "%0 = %[max]\n"                                         \
+-              : "+r"(VAR)                                             \
+-              : [max]"i"(UMAX)                                        \
+-      )
+-
+ typedef uint32_t pid_t;
+ struct task_struct {};
+@@ -366,7 +358,7 @@ static __always_inline uint64_t read_str
+                                            void *payload)
+ {
+       void *location;
+-      uint32_t len;
++      uint64_t len;
+       data->str_lens[idx] = 0;
+       location = calc_location(&cfg->str_locs[idx], tls_base);
+@@ -398,7 +390,7 @@ static __always_inline void *read_map_va
+       struct strobe_map_descr* descr = &data->map_descrs[idx];
+       struct strobe_map_raw map;
+       void *location;
+-      uint32_t len;
++      uint64_t len;
+       int i;
+       descr->tag_len = 0; /* presume no tag is set */
+@@ -421,7 +413,6 @@ static __always_inline void *read_map_va
+       len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN, map.tag);
+       if (len <= STROBE_MAX_STR_LEN) {
+-              bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+               descr->tag_len = len;
+               payload += len;
+       }
+@@ -439,7 +430,6 @@ static __always_inline void *read_map_va
+               len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN,
+                                             map.entries[i].key);
+               if (len <= STROBE_MAX_STR_LEN) {
+-                      bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+                       descr->key_lens[i] = len;
+                       payload += len;
+               }
+@@ -447,7 +437,6 @@ static __always_inline void *read_map_va
+               len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN,
+                                             map.entries[i].val);
+               if (len <= STROBE_MAX_STR_LEN) {
+-                      bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+                       descr->val_lens[i] = len;
+                       payload += len;
+               }
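Review bot: With `len` now `uint64_t`, the `len <= STROBE_MAX_STR_LEN` tests silently depend on a negative error return from `bpf_probe_read_user_str()` converting to a huge unsigned value; that is correct but invisible, and the removed `bpf_clamp_umax()` was the only hint that bounds matter here. Each of the two declarations should carry a comment such as `/* u64: a negative error from bpf_probe_read_user_str() wraps above STROBE_MAX_STR_LEN and fails the bound check, and the verifier tracks the 64-bit bound without extra branches */`. The assignments `descr->tag_len = len` and friends narrow to whatever those fields are; this is fine only because the check above bounds `len`, which is worth one more word in the comment. read_str_var and read_map_var continue outside the hunk.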
diff --git a/queue-5.15/selftests-x86-iopl-adjust-to-the-faked-iopl-cli-sti-usage.patch b/queue-5.15/selftests-x86-iopl-adjust-to-the-faked-iopl-cli-sti-usage.patch
new file mode 100644 (file)
index 0000000..40d5217
--- /dev/null
@@ -0,0 +1,160 @@
+From a72fdfd21e01c626273ddcf5ab740d4caef4be54 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Fri, 29 Oct 2021 19:27:32 +0200
+Subject: selftests/x86/iopl: Adjust to the faked iopl CLI/STI usage
+
+From: Borislav Petkov <bp@suse.de>
+
+commit a72fdfd21e01c626273ddcf5ab740d4caef4be54 upstream.
+
+Commit in Fixes changed the iopl emulation to not #GP on CLI and STI
+because it would break some insane luserspace tools which would toggle
+interrupts.
+
+The corresponding selftest would rely on the fact that executing CLI/STI
+would trigger a #GP and thus detect it this way but since that #GP is
+not happening anymore, the detection is now wrong too.
+
+Extend the test to actually look at the IF flag and whether executing
+those insns had any effect on it. The STI detection needs to have the
+fact that interrupts were previously disabled, passed in so do that from
+the previous CLI test, i.e., STI test needs to follow a previous CLI one
+for it to make sense.
+
+Fixes: b968e84b509d ("x86/iopl: Fake iopl(3) CLI/STI usage")
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20211030083939.13073-1-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/x86/iopl.c |   78 +++++++++++++++++++++++++++----------
+ 1 file changed, 58 insertions(+), 20 deletions(-)
+
+--- a/tools/testing/selftests/x86/iopl.c
++++ b/tools/testing/selftests/x86/iopl.c
+@@ -85,48 +85,88 @@ static void expect_gp_outb(unsigned shor
+       printf("[OK]\toutb to 0x%02hx failed\n", port);
+ }
+-static bool try_cli(void)
++#define RET_FAULTED   0
++#define RET_FAIL      1
++#define RET_EMUL      2
++
++static int try_cli(void)
+ {
++      unsigned long flags;
++
+       sethandler(SIGSEGV, sigsegv, SA_RESETHAND);
+       if (sigsetjmp(jmpbuf, 1) != 0) {
+-              return false;
++              return RET_FAULTED;
+       } else {
+-              asm volatile ("cli");
+-              return true;
++              asm volatile("cli; pushf; pop %[flags]"
++                              : [flags] "=rm" (flags));
++
++              /* X86_FLAGS_IF */
++              if (!(flags & (1 << 9)))
++                      return RET_FAIL;
++              else
++                      return RET_EMUL;
+       }
+       clearhandler(SIGSEGV);
+ }
+-static bool try_sti(void)
++static int try_sti(bool irqs_off)
+ {
++      unsigned long flags;
++
+       sethandler(SIGSEGV, sigsegv, SA_RESETHAND);
+       if (sigsetjmp(jmpbuf, 1) != 0) {
+-              return false;
++              return RET_FAULTED;
+       } else {
+-              asm volatile ("sti");
+-              return true;
++              asm volatile("sti; pushf; pop %[flags]"
++                              : [flags] "=rm" (flags));
++
++              /* X86_FLAGS_IF */
++              if (irqs_off && (flags & (1 << 9)))
++                      return RET_FAIL;
++              else
++                      return RET_EMUL;
+       }
+       clearhandler(SIGSEGV);
+ }
+-static void expect_gp_sti(void)
++static void expect_gp_sti(bool irqs_off)
+ {
+-      if (try_sti()) {
++      int ret = try_sti(irqs_off);
++
++      switch (ret) {
++      case RET_FAULTED:
++              printf("[OK]\tSTI faulted\n");
++              break;
++      case RET_EMUL:
++              printf("[OK]\tSTI NOPped\n");
++              break;
++      default:
+               printf("[FAIL]\tSTI worked\n");
+               nerrs++;
+-      } else {
+-              printf("[OK]\tSTI faulted\n");
+       }
+ }
+-static void expect_gp_cli(void)
++/*
++ * Returns whether it managed to disable interrupts.
++ */
++static bool test_cli(void)
+ {
+-      if (try_cli()) {
++      int ret = try_cli();
++
++      switch (ret) {
++      case RET_FAULTED:
++              printf("[OK]\tCLI faulted\n");
++              break;
++      case RET_EMUL:
++              printf("[OK]\tCLI NOPped\n");
++              break;
++      default:
+               printf("[FAIL]\tCLI worked\n");
+               nerrs++;
+-      } else {
+-              printf("[OK]\tCLI faulted\n");
++              return true;
+       }
++
++      return false;
+ }
+ int main(void)
+@@ -152,8 +192,7 @@ int main(void)
+       }
+       /* Make sure that CLI/STI are blocked even with IOPL level 3 */
+-      expect_gp_cli();
+-      expect_gp_sti();
++      expect_gp_sti(test_cli());
+       expect_ok_outb(0x80);
+       /* Establish an I/O bitmap to test the restore */
+@@ -204,8 +243,7 @@ int main(void)
+       printf("[RUN]\tparent: write to 0x80 (should fail)\n");
+       expect_gp_outb(0x80);
+-      expect_gp_cli();
+-      expect_gp_sti();
++      expect_gp_sti(test_cli());
+       /* Test the capability checks. */
+       printf("\tiopl(3)\n");
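Review bot: `clearhandler(SIGSEGV)` at the end of both try_cli() and try_sti() is unreachable, because both arms of the `sigsetjmp` branch now return; the old code had the same dead call, but with a RET_* value in hand the natural shape is to compute the result into a local and fall through to the clear, as below (same for try_sti with its `irqs_off` condition). The IF test is the magic `(1 << 9)` twice; a file-level `#define X86_EFLAGS_IF (1UL << 9)` replaces both the literal and the `/* X86_FLAGS_IF */` comments. In try_sti, `!irqs_off` always yields RET_EMUL, so the test proves nothing when the preceding CLI did not clear IF; that is what the commit message describes, but a comment at the `irqs_off` check saying so would stop a future reordering of the calls in main().
```c
static int try_cli(void)
{
	unsigned long flags;
	int ret;

	sethandler(SIGSEGV, sigsegv, SA_RESETHAND);
	if (sigsetjmp(jmpbuf, 1) != 0) {
		ret = RET_FAULTED;
	} else {
		asm volatile("cli; pushf; pop %[flags]"
				: [flags] "=rm" (flags));
		/* CLI must not clear IF from user space; NOP emulation leaves it set */
		ret = (flags & X86_EFLAGS_IF) ? RET_EMUL : RET_FAIL;
	}
	clearhandler(SIGSEGV);
	return ret;
}
```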
index 2105ba80a3e913b9baebd5fdf4e6ef5c00a0f9d1..668560f23380b17b784648b46c373e8f699ce64f 100644 (file)
@@ -916,3 +916,8 @@ drm-amd-display-look-at-firmware-version-to-determine-using-dmub-on-dcn21.patch
 crypto-api-export-crypto_boot_test_finished.patch
 crypto-api-do-not-create-test-larvals-if-manager-is-disabled.patch
 media-vidtv-move-kfree-dvb-to-vidtv_bridge_dev_release.patch
+cifs-fix-memory-leak-of-smb3_fs_context_dup-server_hostname.patch
+ath10k-fix-invalid-dma_addr_t-token-assignment.patch
+mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
+selftests-x86-iopl-adjust-to-the-faked-iopl-cli-sti-usage.patch
+selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch