From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 30 Mar 2024 09:50:57 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v6.7.12~114
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d58694fff70ab77cc25af885e11a8947a72ce18;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
	gpio-cdev-sanitize-the-label-before-requesting-the-interrupt.patch
	hexagon-vmlinux.lds.s-handle-attributes-section.patch
	mmc-core-avoid-negative-index-with-array-access.patch
	mmc-core-initialize-mmc_blk_ioc_data.patch
	net-ll_temac-platform_get_resource-replaced-by-wrong-function.patch
	wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
---

diff --git a/queue-5.10/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch b/queue-5.10/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
new file mode 100644
index 00000000000..a348225d315
--- /dev/null
+++ b/queue-5.10/exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
@@ -0,0 +1,42 @@
+From 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 20 Mar 2024 11:26:07 -0700
+Subject: exec: Fix NOMMU linux_binprm::exec in transfer_args_to_stack()
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+commit 2aea94ac14d1e0a8ae9e34febebe208213ba72f7 upstream.
+
+In NOMMU kernel the value of linux_binprm::p is the offset inside the
+temporary program arguments array maintained in separate pages in the
+linux_binprm::page. linux_binprm::exec being a copy of linux_binprm::p
+thus must be adjusted when that array is copied to the user stack.
+Without that adjustment the value passed by the NOMMU kernel to the ELF
+program in the AT_EXECFN entry of the aux array doesn't make any sense
+and it may break programs that try to access memory pointed to by that
+entry.
+
+Adjust linux_binprm::exec before the successful return from the
+transfer_args_to_stack().
+
+Cc: <stable@vger.kernel.org>
+Fixes: b6a2fea39318 ("mm: variable length argument support")
+Fixes: 5edc2a5123a7 ("binfmt_elf_fdpic: wire up AT_EXECFD, AT_EXECFN, AT_SECURE")
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Link: https://lore.kernel.org/r/20240320182607.1472887-1-jcmvbkbc@gmail.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exec.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -888,6 +888,7 @@ int transfer_args_to_stack(struct linux_
+ 			goto out;
+ 	}
+ 
++	bprm->exec += *sp_location - MAX_ARG_PAGES * PAGE_SIZE;
+ 	*sp_location = sp;
+ 
+ out:
diff --git a/queue-5.10/gpio-cdev-sanitize-the-label-before-requesting-the-interrupt.patch b/queue-5.10/gpio-cdev-sanitize-the-label-before-requesting-the-interrupt.patch
new file mode 100644
index 00000000000..75b4b72db69
--- /dev/null
+++ b/queue-5.10/gpio-cdev-sanitize-the-label-before-requesting-the-interrupt.patch
@@ -0,0 +1,126 @@
+From b34490879baa847d16fc529c8ea6e6d34f004b38 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Mon, 25 Mar 2024 10:02:42 +0100
+Subject: gpio: cdev: sanitize the label before requesting the interrupt
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit b34490879baa847d16fc529c8ea6e6d34f004b38 upstream.
+
+When an interrupt is requested, a procfs directory is created under
+"/proc/irq/<irqnum>/<label>" where <label> is the string passed to one of
+the request_irq() variants.
+
+What follows is that the string must not contain the "/" character or
+the procfs mkdir operation will fail. We don't have such constraints for
+GPIO consumer labels which are used verbatim as interrupt labels for
+GPIO irqs. We must therefore sanitize the consumer string before
+requesting the interrupt.
+
+Let's replace all "/" with ":".
+
+Cc: stable@vger.kernel.org
+Reported-by: Stefan Wahren <wahrenst@gmx.net>
+Closes: https://lore.kernel.org/linux-gpio/39fe95cb-aa83-4b8b-8cab-63947a726754@gmx.net/
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Kent Gibson <warthog618@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib-cdev.c |   38 ++++++++++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -749,10 +749,20 @@ static u32 gpio_v2_line_config_debounce_
+ 	return 0;
+ }
+ 
++static inline char *make_irq_label(const char *orig)
++{
++	return kstrdup_and_replace(orig, '/', ':', GFP_KERNEL);
++}
++
++static inline void free_irq_label(const char *label)
++{
++	kfree(label);
++}
++
+ static void edge_detector_stop(struct line *line)
+ {
+ 	if (line->irq) {
+-		free_irq(line->irq, line);
++		free_irq_label(free_irq(line->irq, line));
+ 		line->irq = 0;
+ 	}
+ 
+@@ -772,6 +782,7 @@ static int edge_detector_setup(struct li
+ 	u32 debounce_period_us;
+ 	unsigned long irqflags = 0;
+ 	int irq, ret;
++	char *label;
+ 
+ 	if (eflags && !kfifo_initialized(&line->req->events)) {
+ 		ret = kfifo_alloc(&line->req->events,
+@@ -804,11 +815,17 @@ static int edge_detector_setup(struct li
+ 			IRQF_TRIGGER_RISING : IRQF_TRIGGER_FALLING;
+ 	irqflags |= IRQF_ONESHOT;
+ 
++	label = make_irq_label(line->req->label);
++	if (!label)
++		return -ENOMEM;
++
+ 	/* Request a thread to read the events */
+ 	ret = request_threaded_irq(irq, edge_irq_handler, edge_irq_thread,
+-				   irqflags, line->req->label, line);
+-	if (ret)
++				   irqflags, label, line);
++	if (ret) {
++		free_irq_label(label);
+ 		return ret;
++	}
+ 
+ 	line->irq = irq;
+ 	return 0;
+@@ -1585,7 +1602,7 @@ static ssize_t lineevent_read(struct fil
+ static void lineevent_free(struct lineevent_state *le)
+ {
+ 	if (le->irq)
+-		free_irq(le->irq, le);
++		free_irq_label(free_irq(le->irq, le));
+ 	if (le->desc)
+ 		gpiod_free(le->desc);
+ 	kfree(le->label);
+@@ -1724,6 +1741,7 @@ static int lineevent_create(struct gpio_
+ 	int fd;
+ 	int ret;
+ 	int irq, irqflags = 0;
++	char *label;
+ 
+ 	if (copy_from_user(&eventreq, ip, sizeof(eventreq)))
+ 		return -EFAULT;
+@@ -1804,15 +1822,23 @@ static int lineevent_create(struct gpio_
+ 	INIT_KFIFO(le->events);
+ 	init_waitqueue_head(&le->wait);
+ 
++	label = make_irq_label(le->label);
++	if (!label) {
++		ret = -ENOMEM;
++		goto out_free_le;
++	}
++
+ 	/* Request a thread to read the events */
+ 	ret = request_threaded_irq(irq,
+ 				   lineevent_irq_handler,
+ 				   lineevent_irq_thread,
+ 				   irqflags,
+-				   le->label,
++				   label,
+ 				   le);
+-	if (ret)
++	if (ret) {
++		free_irq_label(label);
+ 		goto out_free_le;
++	}
+ 
+ 	le->irq = irq;
+ 
diff --git a/queue-5.10/hexagon-vmlinux.lds.s-handle-attributes-section.patch b/queue-5.10/hexagon-vmlinux.lds.s-handle-attributes-section.patch
new file mode 100644
index 00000000000..77e5dd1ea3d
--- /dev/null
+++ b/queue-5.10/hexagon-vmlinux.lds.s-handle-attributes-section.patch
@@ -0,0 +1,43 @@
+From 549aa9678a0b3981d4821bf244579d9937650562 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Tue, 19 Mar 2024 17:37:46 -0700
+Subject: hexagon: vmlinux.lds.S: handle attributes section
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 549aa9678a0b3981d4821bf244579d9937650562 upstream.
+
+After the linked LLVM change, the build fails with
+CONFIG_LD_ORPHAN_WARN_LEVEL="error", which happens with allmodconfig:
+
+  ld.lld: error: vmlinux.a(init/main.o):(.hexagon.attributes) is being placed in '.hexagon.attributes'
+
+Handle the attributes section in a similar manner as arm and riscv by
+adding it after the primary ELF_DETAILS grouping in vmlinux.lds.S, which
+fixes the error.
+
+Link: https://lkml.kernel.org/r/20240319-hexagon-handle-attributes-section-vmlinux-lds-s-v1-1-59855dab8872@kernel.org
+Fixes: 113616ec5b64 ("hexagon: select ARCH_WANT_LD_ORPHAN_WARN")
+Link: https://github.com/llvm/llvm-project/commit/31f4b329c8234fab9afa59494d7f8bdaeaefeaad
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Brian Cain <bcain@quicinc.com>
+Cc: Bill Wendling <morbo@google.com>
+Cc: Justin Stitt <justinstitt@google.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/hexagon/kernel/vmlinux.lds.S |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/hexagon/kernel/vmlinux.lds.S
++++ b/arch/hexagon/kernel/vmlinux.lds.S
+@@ -64,6 +64,7 @@ SECTIONS
+ 	STABS_DEBUG
+ 	DWARF_DEBUG
+ 	ELF_DETAILS
++	.hexagon.attributes 0 : { *(.hexagon.attributes) }
+ 
+ 	DISCARDS
+ }
diff --git a/queue-5.10/mmc-core-avoid-negative-index-with-array-access.patch b/queue-5.10/mmc-core-avoid-negative-index-with-array-access.patch
new file mode 100644
index 00000000000..6395c897131
--- /dev/null
+++ b/queue-5.10/mmc-core-avoid-negative-index-with-array-access.patch
@@ -0,0 +1,37 @@
+From cf55a7acd1ed38afe43bba1c8a0935b51d1dc014 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Wed, 13 Mar 2024 15:37:44 +0200
+Subject: mmc: core: Avoid negative index with array access
+
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+
+commit cf55a7acd1ed38afe43bba1c8a0935b51d1dc014 upstream.
+
+Commit 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu") assigns
+prev_idata = idatas[i - 1], but doesn't check that the iterator i is
+greater than zero. Let's fix this by adding a check.
+
+Fixes: 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu")
+Link: https://lore.kernel.org/all/20231129092535.3278-1-avri.altman@wdc.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20240313133744.2405325-2-mikko.rapeli@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -468,7 +468,7 @@ static int __mmc_blk_ioctl_cmd(struct mm
+ 	if (idata->flags & MMC_BLK_IOC_DROP)
+ 		return 0;
+ 
+-	if (idata->flags & MMC_BLK_IOC_SBC)
++	if (idata->flags & MMC_BLK_IOC_SBC && i > 0)
+ 		prev_idata = idatas[i - 1];
+ 
+ 	/*
diff --git a/queue-5.10/mmc-core-initialize-mmc_blk_ioc_data.patch b/queue-5.10/mmc-core-initialize-mmc_blk_ioc_data.patch
new file mode 100644
index 00000000000..b3036017713
--- /dev/null
+++ b/queue-5.10/mmc-core-initialize-mmc_blk_ioc_data.patch
@@ -0,0 +1,41 @@
+From 0cdfe5b0bf295c0dee97436a8ed13336933a0211 Mon Sep 17 00:00:00 2001
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+Date: Wed, 13 Mar 2024 15:37:43 +0200
+Subject: mmc: core: Initialize mmc_blk_ioc_data
+
+From: Mikko Rapeli <mikko.rapeli@linaro.org>
+
+commit 0cdfe5b0bf295c0dee97436a8ed13336933a0211 upstream.
+
+Commit 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu") adds
+flags uint to struct mmc_blk_ioc_data, but it does not get initialized for
+RPMB ioctls which now fails.
+
+Let's fix this by always initializing the struct and flags to zero.
+
+Fixes: 4d0c8d0aef63 ("mmc: core: Use mrq.sbc in close-ended ffu")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218587
+Link: https://lore.kernel.org/all/20231129092535.3278-1-avri.altman@wdc.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Link: https://lore.kernel.org/r/20240313133744.2405325-1-mikko.rapeli@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/block.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/block.c
++++ b/drivers/mmc/core/block.c
+@@ -359,7 +359,7 @@ static struct mmc_blk_ioc_data *mmc_blk_
+ 	struct mmc_blk_ioc_data *idata;
+ 	int err;
+ 
+-	idata = kmalloc(sizeof(*idata), GFP_KERNEL);
++	idata = kzalloc(sizeof(*idata), GFP_KERNEL);
+ 	if (!idata) {
+ 		err = -ENOMEM;
+ 		goto out;
diff --git a/queue-5.10/net-ll_temac-platform_get_resource-replaced-by-wrong-function.patch b/queue-5.10/net-ll_temac-platform_get_resource-replaced-by-wrong-function.patch
new file mode 100644
index 00000000000..ea6f66b1307
--- /dev/null
+++ b/queue-5.10/net-ll_temac-platform_get_resource-replaced-by-wrong-function.patch
@@ -0,0 +1,41 @@
+From 3a38a829c8bc27d78552c28e582eb1d885d07d11 Mon Sep 17 00:00:00 2001
+From: Claus Hansen Ries <chr@terma.com>
+Date: Thu, 21 Mar 2024 13:08:59 +0000
+Subject: net: ll_temac: platform_get_resource replaced by wrong function
+
+From: Claus Hansen Ries <chr@terma.com>
+
+commit 3a38a829c8bc27d78552c28e582eb1d885d07d11 upstream.
+
+The function platform_get_resource was replaced with
+devm_platform_ioremap_resource_byname and is called using 0 as name.
+
+This eventually ends up in platform_get_resource_byname in the call
+stack, where it causes a null pointer in strcmp.
+
+	if (type == resource_type(r) && !strcmp(r->name, name))
+
+It should have been replaced with devm_platform_ioremap_resource.
+
+Fixes: bd69058f50d5 ("net: ll_temac: Use devm_platform_ioremap_resource_byname()")
+Signed-off-by: Claus Hansen Ries <chr@terma.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/cca18f9c630a41c18487729770b492bb@terma.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/xilinx/ll_temac_main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
++++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
+@@ -1427,7 +1427,7 @@ static int temac_probe(struct platform_d
+ 	}
+ 
+ 	/* map device registers */
+-	lp->regs = devm_platform_ioremap_resource_byname(pdev, 0);
++	lp->regs = devm_platform_ioremap_resource(pdev, 0);
+ 	if (IS_ERR(lp->regs)) {
+ 		dev_err(&pdev->dev, "could not map TEMAC registers\n");
+ 		return -ENOMEM;
diff --git a/queue-5.10/series b/queue-5.10/series
index 77c170cd5dc..17cb6f908f8 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -153,3 +153,10 @@ serial-sc16is7xx-convert-from-_raw_-to-_noinc_-regmap-functions-for-fifo.patch
 mm-memory-failure-fix-an-incorrect-use-of-tail-pages.patch
 mm-migrate-set-swap-entry-values-of-thp-tail-pages-properly.patch
 init-open-initrd.image-with-o_largefile.patch
+wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
+gpio-cdev-sanitize-the-label-before-requesting-the-interrupt.patch
+exec-fix-nommu-linux_binprm-exec-in-transfer_args_to_stack.patch
+hexagon-vmlinux.lds.s-handle-attributes-section.patch
+mmc-core-initialize-mmc_blk_ioc_data.patch
+mmc-core-avoid-negative-index-with-array-access.patch
+net-ll_temac-platform_get_resource-replaced-by-wrong-function.patch
diff --git a/queue-5.10/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch b/queue-5.10/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
new file mode 100644
index 00000000000..15b9e7b8681
--- /dev/null
+++ b/queue-5.10/wifi-mac80211-check-clear-fast-rx-for-non-4addr-sta-vlan-changes.patch
@@ -0,0 +1,44 @@
+From 4f2bdb3c5e3189297e156b3ff84b140423d64685 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 16 Mar 2024 08:43:36 +0100
+Subject: wifi: mac80211: check/clear fast rx for non-4addr sta VLAN changes
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 4f2bdb3c5e3189297e156b3ff84b140423d64685 upstream.
+
+When moving a station out of a VLAN and deleting the VLAN afterwards, the
+fast_rx entry still holds a pointer to the VLAN's netdev, which can cause
+use-after-free bugs. Fix this by immediately calling ieee80211_check_fast_rx
+after the VLAN change.
+
+Cc: stable@vger.kernel.org
+Reported-by: ranygh@riseup.net
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://msgid.link/20240316074336.40442-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1811,15 +1811,14 @@ static int ieee80211_change_station(stru
+ 		}
+ 
+ 		if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
+-		    sta->sdata->u.vlan.sta) {
+-			ieee80211_clear_fast_rx(sta);
++		    sta->sdata->u.vlan.sta)
+ 			RCU_INIT_POINTER(sta->sdata->u.vlan.sta, NULL);
+-		}
+ 
+ 		if (test_sta_flag(sta, WLAN_STA_AUTHORIZED))
+ 			ieee80211_vif_dec_num_mcast(sta->sdata);
+ 
+ 		sta->sdata = vlansdata;
++		ieee80211_check_fast_rx(sta);
+ 		ieee80211_check_fast_xmit(sta);
+ 
+ 		if (test_sta_flag(sta, WLAN_STA_AUTHORIZED)) {