--- /dev/null
+From 937e79c67740d1d84736730d679f3cb2552f990e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 20 Oct 2021 11:59:07 +0300
+Subject: ath10k: fix invalid dma_addr_t token assignment
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 937e79c67740d1d84736730d679f3cb2552f990e upstream.
+
+Using a kernel pointer in place of a dma_addr_t token can
+lead to undefined behavior if that makes it into cache
+management functions. The compiler caught one such attempt
+in a cast:
+
+drivers/net/wireless/ath/ath10k/mac.c: In function 'ath10k_add_interface':
+drivers/net/wireless/ath/ath10k/mac.c:5586:47: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
+ 5586 | arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
+ | ^
+
+Looking through how this gets used down the way, I'm fairly
+sure that beacon_paddr is never accessed again for ATH10K_DEV_TYPE_HL
+devices, and if it was accessed, that would be a bug.
+
+Change the assignment to use a known-invalid address token
+instead, which avoids the warning and makes it easier to catch
+bugs if it does end up getting used.
+
+Fixes: e263bdab9c0e ("ath10k: high latency fixes for beacon buffer")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211014075153.3655910-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -5258,7 +5258,15 @@ static int ath10k_add_interface(struct i
+ if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL) {
+ arvif->beacon_buf = kmalloc(IEEE80211_MAX_FRAME_LEN,
+ GFP_KERNEL);
+- arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
++
++ /* Using a kernel pointer in place of a dma_addr_t
++ * token can lead to undefined behavior if that
++ * makes it into cache management functions. Use a
++ * known-invalid address token instead, which
++ * avoids the warning and makes it easier to catch
++ * bugs if it does end up getting used.
++ */
++ arvif->beacon_paddr = DMA_MAPPING_ERROR;
+ } else {
+ arvif->beacon_buf =
+ dma_alloc_coherent(ar->dev,
--- /dev/null
+From a20eac0af02810669e187cb623bc904908c423af Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andrii@kernel.org>
+Date: Mon, 1 Nov 2021 16:01:18 -0700
+Subject: selftests/bpf: Fix also no-alu32 strobemeta selftest
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+commit a20eac0af02810669e187cb623bc904908c423af upstream.
+
+Previous fix aded bpf_clamp_umax() helper use to re-validate boundaries.
+While that works correctly, it introduces more branches, which blows up
+past 1 million instructions in no-alu32 variant of strobemeta selftests.
+
+Switching len variable from u32 to u64 also fixes the issue and reduces
+the number of validated instructions, so use that instead. Fix this
+patch and bpf_clamp_umax() removed, both alu32 and no-alu32 selftests
+pass.
+
+Fixes: 0133c20480b1 ("selftests/bpf: Fix strobemeta selftest regression")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20211101230118.1273019-1-andrii@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/progs/strobemeta.h | 15 ++-------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+--- a/tools/testing/selftests/bpf/progs/strobemeta.h
++++ b/tools/testing/selftests/bpf/progs/strobemeta.h
+@@ -10,14 +10,6 @@
+ #include <linux/types.h>
+ #include "bpf_helpers.h"
+
+-#define bpf_clamp_umax(VAR, UMAX) \
+- asm volatile ( \
+- "if %0 <= %[max] goto +1\n" \
+- "%0 = %[max]\n" \
+- : "+r"(VAR) \
+- : [max]"i"(UMAX) \
+- )
+-
+ typedef uint32_t pid_t;
+ struct task_struct {};
+
+@@ -357,7 +349,7 @@ static __always_inline uint64_t read_str
+ void *payload)
+ {
+ void *location;
+- uint32_t len;
++ uint64_t len;
+
+ data->str_lens[idx] = 0;
+ location = calc_location(&cfg->str_locs[idx], tls_base);
+@@ -389,7 +381,7 @@ static __always_inline void *read_map_va
+ struct strobe_map_descr* descr = &data->map_descrs[idx];
+ struct strobe_map_raw map;
+ void *location;
+- uint32_t len;
++ uint64_t len;
+ int i;
+
+ descr->tag_len = 0; /* presume no tag is set */
+@@ -412,7 +404,6 @@ static __always_inline void *read_map_va
+
+ len = bpf_probe_read_str(payload, STROBE_MAX_STR_LEN, map.tag);
+ if (len <= STROBE_MAX_STR_LEN) {
+- bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->tag_len = len;
+ payload += len;
+ }
+@@ -430,7 +421,6 @@ static __always_inline void *read_map_va
+ len = bpf_probe_read_str(payload, STROBE_MAX_STR_LEN,
+ map.entries[i].key);
+ if (len <= STROBE_MAX_STR_LEN) {
+- bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->key_lens[i] = len;
+ payload += len;
+ }
+@@ -438,7 +428,6 @@ static __always_inline void *read_map_va
+ len = bpf_probe_read_str(payload, STROBE_MAX_STR_LEN,
+ map.entries[i].val);
+ if (len <= STROBE_MAX_STR_LEN) {
+- bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->val_lens[i] = len;
+ payload += len;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
