From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 16 Nov 2021 11:19:03 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v5.4.160~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7dc917fa6b381a3f2e5e3f52c2cca9e5d57563f2;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	ath10k-fix-invalid-dma_addr_t-token-assignment.patch
	mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
	selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch
---

diff --git a/queue-5.10/ath10k-fix-invalid-dma_addr_t-token-assignment.patch b/queue-5.10/ath10k-fix-invalid-dma_addr_t-token-assignment.patch
new file mode 100644
index 00000000000..a5f9fa2f7e4
--- /dev/null
+++ b/queue-5.10/ath10k-fix-invalid-dma_addr_t-token-assignment.patch
@@ -0,0 +1,55 @@
+From 937e79c67740d1d84736730d679f3cb2552f990e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 20 Oct 2021 11:59:07 +0300
+Subject: ath10k: fix invalid dma_addr_t token assignment
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 937e79c67740d1d84736730d679f3cb2552f990e upstream.
+
+Using a kernel pointer in place of a dma_addr_t token can
+lead to undefined behavior if that makes it into cache
+management functions. The compiler caught one such attempt
+in a cast:
+
+drivers/net/wireless/ath/ath10k/mac.c: In function 'ath10k_add_interface':
+drivers/net/wireless/ath/ath10k/mac.c:5586:47: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
+ 5586 |                         arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
+      |                                               ^
+
+Looking through how this gets used down the way, I'm fairly
+sure that beacon_paddr is never accessed again for ATH10K_DEV_TYPE_HL
+devices, and if it was accessed, that would be a bug.
+
+Change the assignment to use a known-invalid address token
+instead, which avoids the warning and makes it easier to catch
+bugs if it does end up getting used.
+
+Fixes: e263bdab9c0e ("ath10k: high latency fixes for beacon buffer")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20211014075153.3655910-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/mac.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -5473,7 +5473,15 @@ static int ath10k_add_interface(struct i
+ 		if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL) {
+ 			arvif->beacon_buf = kmalloc(IEEE80211_MAX_FRAME_LEN,
+ 						    GFP_KERNEL);
+-			arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
++
++			/* Using a kernel pointer in place of a dma_addr_t
++			 * token can lead to undefined behavior if that
++			 * makes it into cache management functions. Use a
++			 * known-invalid address token instead, which
++			 * avoids the warning and makes it easier to catch
++			 * bugs if it does end up getting used.
++			 */
++			arvif->beacon_paddr = DMA_MAPPING_ERROR;
+ 		} else {
+ 			arvif->beacon_buf =
+ 				dma_alloc_coherent(ar->dev,
diff --git a/queue-5.10/mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch b/queue-5.10/mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
new file mode 100644
index 00000000000..ca7ad5094f6
--- /dev/null
+++ b/queue-5.10/mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
@@ -0,0 +1,78 @@
+From 0eab756f8821d255016c63bb55804c429ff4bdb1 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 13 Oct 2021 11:00:52 +0100
+Subject: mmc: moxart: Fix null pointer dereference on pointer host
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 0eab756f8821d255016c63bb55804c429ff4bdb1 upstream.
+
+There are several error return paths that dereference the null pointer
+host because the pointer has not yet been set to a valid value.
+Fix this by adding a new out_mmc label and exiting via this label
+to avoid the host clean up and hence the null pointer dereference.
+
+Addresses-Coverity: ("Explicit null dereference")
+Fixes: 8105c2abbf36 ("mmc: moxart: Fix reference count leaks in moxart_probe")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20211013100052.125461-1-colin.king@canonical.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/moxart-mmc.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -569,37 +569,37 @@ static int moxart_probe(struct platform_
+ 	if (!mmc) {
+ 		dev_err(dev, "mmc_alloc_host failed\n");
+ 		ret = -ENOMEM;
+-		goto out;
++		goto out_mmc;
+ 	}
+ 
+ 	ret = of_address_to_resource(node, 0, &res_mmc);
+ 	if (ret) {
+ 		dev_err(dev, "of_address_to_resource failed\n");
+-		goto out;
++		goto out_mmc;
+ 	}
+ 
+ 	irq = irq_of_parse_and_map(node, 0);
+ 	if (irq <= 0) {
+ 		dev_err(dev, "irq_of_parse_and_map failed\n");
+ 		ret = -EINVAL;
+-		goto out;
++		goto out_mmc;
+ 	}
+ 
+ 	clk = devm_clk_get(dev, NULL);
+ 	if (IS_ERR(clk)) {
+ 		ret = PTR_ERR(clk);
+-		goto out;
++		goto out_mmc;
+ 	}
+ 
+ 	reg_mmc = devm_ioremap_resource(dev, &res_mmc);
+ 	if (IS_ERR(reg_mmc)) {
+ 		ret = PTR_ERR(reg_mmc);
+-		goto out;
++		goto out_mmc;
+ 	}
+ 
+ 	ret = mmc_of_parse(mmc);
+ 	if (ret)
+-		goto out;
++		goto out_mmc;
+ 
+ 	host = mmc_priv(mmc);
+ 	host->mmc = mmc;
+@@ -690,6 +690,7 @@ out:
+ 		dma_release_channel(host->dma_chan_tx);
+ 	if (!IS_ERR_OR_NULL(host->dma_chan_rx))
+ 		dma_release_channel(host->dma_chan_rx);
++out_mmc:
+ 	if (mmc)
+ 		mmc_free_host(mmc);
+ 	return ret;
diff --git a/queue-5.10/selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch b/queue-5.10/selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch
new file mode 100644
index 00000000000..1112fa32a80
--- /dev/null
+++ b/queue-5.10/selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch
@@ -0,0 +1,86 @@
+From a20eac0af02810669e187cb623bc904908c423af Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andrii@kernel.org>
+Date: Mon, 1 Nov 2021 16:01:18 -0700
+Subject: selftests/bpf: Fix also no-alu32 strobemeta selftest
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+commit a20eac0af02810669e187cb623bc904908c423af upstream.
+
+Previous fix aded bpf_clamp_umax() helper use to re-validate boundaries.
+While that works correctly, it introduces more branches, which blows up
+past 1 million instructions in no-alu32 variant of strobemeta selftests.
+
+Switching len variable from u32 to u64 also fixes the issue and reduces
+the number of validated instructions, so use that instead. Fix this
+patch and bpf_clamp_umax() removed, both alu32 and no-alu32 selftests
+pass.
+
+Fixes: 0133c20480b1 ("selftests/bpf: Fix strobemeta selftest regression")
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20211101230118.1273019-1-andrii@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/progs/strobemeta.h |   15 ++-------------
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+--- a/tools/testing/selftests/bpf/progs/strobemeta.h
++++ b/tools/testing/selftests/bpf/progs/strobemeta.h
+@@ -10,14 +10,6 @@
+ #include <linux/types.h>
+ #include <bpf/bpf_helpers.h>
+ 
+-#define bpf_clamp_umax(VAR, UMAX)					\
+-	asm volatile (							\
+-		"if %0 <= %[max] goto +1\n"				\
+-		"%0 = %[max]\n"						\
+-		: "+r"(VAR)						\
+-		: [max]"i"(UMAX)					\
+-	)
+-
+ typedef uint32_t pid_t;
+ struct task_struct {};
+ 
+@@ -366,7 +358,7 @@ static __always_inline uint64_t read_str
+ 					     void *payload)
+ {
+ 	void *location;
+-	uint32_t len;
++	uint64_t len;
+ 
+ 	data->str_lens[idx] = 0;
+ 	location = calc_location(&cfg->str_locs[idx], tls_base);
+@@ -398,7 +390,7 @@ static __always_inline void *read_map_va
+ 	struct strobe_map_descr* descr = &data->map_descrs[idx];
+ 	struct strobe_map_raw map;
+ 	void *location;
+-	uint32_t len;
++	uint64_t len;
+ 	int i;
+ 
+ 	descr->tag_len = 0; /* presume no tag is set */
+@@ -421,7 +413,6 @@ static __always_inline void *read_map_va
+ 
+ 	len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN, map.tag);
+ 	if (len <= STROBE_MAX_STR_LEN) {
+-		bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ 		descr->tag_len = len;
+ 		payload += len;
+ 	}
+@@ -439,7 +430,6 @@ static __always_inline void *read_map_va
+ 		len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN,
+ 					      map.entries[i].key);
+ 		if (len <= STROBE_MAX_STR_LEN) {
+-			bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ 			descr->key_lens[i] = len;
+ 			payload += len;
+ 		}
+@@ -447,7 +437,6 @@ static __always_inline void *read_map_va
+ 		len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN,
+ 					      map.entries[i].val);
+ 		if (len <= STROBE_MAX_STR_LEN) {
+-			bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ 			descr->val_lens[i] = len;
+ 			payload += len;
+ 		}
diff --git a/queue-5.10/series b/queue-5.10/series
index d3303346e11..8f42e34174d 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -571,3 +571,6 @@ drm-sun4i-fix-macros-in-sun8i_csc.h.patch
 pci-add-pci_exp_devctl_payload_-macros.patch
 pci-aardvark-fix-pcie-max-payload-size-setting.patch
 sunrpc-partial-revert-of-commit-6f9f17287e78.patch
+ath10k-fix-invalid-dma_addr_t-token-assignment.patch
+mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
+selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch