From: Greg Kroah-Hartman
Date: Tue, 16 Nov 2021 10:50:03 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v5.4.160~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a81ae15580cf5c3b9cc20427a3f97cbe645f5dda;p=thirdparty%2Fkernel%2Fstable-queue.git
5.15-stable patches
added patches:
ath10k-fix-invalid-dma_addr_t-token-assignment.patch
cifs-fix-memory-leak-of-smb3_fs_context_dup-server_hostname.patch
mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch
selftests-x86-iopl-adjust-to-the-faked-iopl-cli-sti-usage.patch
---
diff --git a/queue-5.15/ath10k-fix-invalid-dma_addr_t-token-assignment.patch b/queue-5.15/ath10k-fix-invalid-dma_addr_t-token-assignment.patch
new file mode 100644
index 00000000000..bf801c2e25a
--- /dev/null
+++ b/queue-5.15/ath10k-fix-invalid-dma_addr_t-token-assignment.patch
@@ -0,0 +1,55 @@
+From 937e79c67740d1d84736730d679f3cb2552f990e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Wed, 20 Oct 2021 11:59:07 +0300
+Subject: ath10k: fix invalid dma_addr_t token assignment
+
+From: Arnd Bergmann
+
+commit 937e79c67740d1d84736730d679f3cb2552f990e upstream.
+
+Using a kernel pointer in place of a dma_addr_t token can
+lead to undefined behavior if that makes it into cache
+management functions. The compiler caught one such attempt
+in a cast:
+
+drivers/net/wireless/ath/ath10k/mac.c: In function 'ath10k_add_interface':
+drivers/net/wireless/ath/ath10k/mac.c:5586:47: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
+ 5586 | arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
+ | ^
+
+Looking through how this gets used down the way, I'm fairly
+sure that beacon_paddr is never accessed again for ATH10K_DEV_TYPE_HL
+devices, and if it was accessed, that would be a bug.
+
+Change the assignment to use a known-invalid address token
+instead, which avoids the warning and makes it easier to catch
+bugs if it does end up getting used.
+
+Fixes: e263bdab9c0e ("ath10k: high latency fixes for beacon buffer")
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211014075153.3655910-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath10k/mac.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -5583,7 +5583,15 @@ static int ath10k_add_interface(struct i
+ if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL) {
+ arvif->beacon_buf = kmalloc(IEEE80211_MAX_FRAME_LEN,
+ GFP_KERNEL);
+- arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
++
++ /* Using a kernel pointer in place of a dma_addr_t
++ * token can lead to undefined behavior if that
++ * makes it into cache management functions. Use a
++ * known-invalid address token instead, which
++ * avoids the warning and makes it easier to catch
++ * bugs if it does end up getting used.
++ */
++ arvif->beacon_paddr = DMA_MAPPING_ERROR;
+ } else {
+ arvif->beacon_buf =
+ dma_alloc_coherent(ar->dev,
diff --git a/queue-5.15/cifs-fix-memory-leak-of-smb3_fs_context_dup-server_hostname.patch b/queue-5.15/cifs-fix-memory-leak-of-smb3_fs_context_dup-server_hostname.patch
new file mode 100644
index 00000000000..c7f5f92b67f
--- /dev/null
+++ b/queue-5.15/cifs-fix-memory-leak-of-smb3_fs_context_dup-server_hostname.patch
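Review bot: The new comment in ath10k_add_interface explains why DMA_MAPPING_ERROR is stored but not what a future reader of arvif->beacon_paddr must do with it; since dma_mapping_error() is the test that recognises this token, ending the comment with `* Any consumer must check dev_type (or dma_mapping_error()) before handing beacon_paddr to the DMA API.` would keep a later HL-path refactor from passing the sentinel to dma_free_coherent(). The kmalloc() result on the HL branch is not checked inside the hunk; if the common NULL check after the if/else (outside the hunk) covers both branches that is fine, otherwise the HL path still needs one. ath10k_add_interface starts and ends outside the hunk.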
@@ -0,0 +1,71 @@
+From 869da64d071142d4ed562a3e909deb18e4e72c4e Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara
+Date: Fri, 12 Nov 2021 14:53:36 -0300
+Subject: cifs: fix memory leak of smb3_fs_context_dup::server_hostname
+
+From: Paulo Alcantara
+
+commit 869da64d071142d4ed562a3e909deb18e4e72c4e upstream.
+
+Fix memory leak of smb3_fs_context_dup::server_hostname when parsing
+and duplicating fs contexts during mount(2) as reported by kmemleak:
+
+ unreferenced object 0xffff888125715c90 (size 16):
+ comm "mount.cifs", pid 3832, jiffies 4304535868 (age 190.094s)
+ hex dump (first 16 bytes):
+ 7a 65 6c 64 61 2e 74 65 73 74 00 6b 6b 6b 6b a5 zelda.test.kkkk.
+ backtrace:
+ [] kstrdup+0x2e/0x60
+ [] smb3_fs_context_dup+0x392/0x8d0 [cifs]
+ [] cifs_smb3_do_mount+0x143/0x1700 [cifs]
+ [] smb3_get_tree+0x2e8/0x520 [cifs]
+ [] vfs_get_tree+0x8a/0x2d0
+ [] path_mount+0x423/0x1a10
+ [] __x64_sys_mount+0x1fa/0x270
+ [] do_syscall_64+0x3b/0x90
+ [] entry_SYSCALL_64_after_hwframe+0x44/0xae
+ unreferenced object 0xffff888111deed20 (size 32):
+ comm "mount.cifs", pid 3832, jiffies 4304536044 (age 189.918s)
+ hex dump (first 32 bytes):
+ 44 46 53 52 4f 4f 54 31 2e 5a 45 4c 44 41 2e 54 DFSROOT1.ZELDA.T
+ 45 53 54 00 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 EST.kkkkkkkkkkk.
+ backtrace:
+ [] kstrndup+0x2d/0x90
+ [] smb3_parse_devname+0x9e/0x360 [cifs]
+ [] cifs_setup_volume_info+0xa8/0x470 [cifs]
+ [] connect_dfs_target+0x309/0xc80 [cifs]
+ [] cifs_mount+0x8eb/0x17f0 [cifs]
+ [] cifs_smb3_do_mount+0x265/0x1700 [cifs]
+ [] smb3_get_tree+0x2e8/0x520 [cifs]
+ [] vfs_get_tree+0x8a/0x2d0
+ [] path_mount+0x423/0x1a10
+ [] __x64_sys_mount+0x1fa/0x270
+ [] do_syscall_64+0x3b/0x90
+ [] entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 7be3248f3139 ("cifs: To match file servers, make sure the server hostname matches")
+Signed-off-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/fs_context.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/fs_context.c
++++ b/fs/cifs/fs_context.c
+@@ -307,6 +307,7 @@ smb3_fs_context_dup(struct smb3_fs_conte
+ new_ctx->nodename = NULL;
+ new_ctx->username = NULL;
+ new_ctx->password = NULL;
++ new_ctx->server_hostname = NULL;
+ new_ctx->domainname = NULL;
+ new_ctx->UNC = NULL;
+ new_ctx->source = NULL;
+@@ -458,6 +459,7 @@ smb3_parse_devname(const char *devname,
+ return -EINVAL;
+
+ /* record the server hostname */
++ kfree(ctx->server_hostname);
+ ctx->server_hostname = kstrndup(devname + 2, pos - devname - 2, GFP_KERNEL);
+ if (!ctx->server_hostname)
+ return -ENOMEM;
diff --git a/queue-5.15/mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch b/queue-5.15/mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
new file mode 100644
index 00000000000..20949ddc8b9
--- /dev/null
+++ b/queue-5.15/mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
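Review bot: The added `kfree(ctx->server_hostname);` in smb3_parse_devname() implies the function can run more than once on the same ctx (the second kmemleak backtrace in the message shows it reached through cifs_setup_volume_info from connect_dfs_target), but nothing at that line says so; a comment such as `/* may be re-parsed on a DFS target switch: drop any hostname recorded by an earlier call */` above the kfree would keep the next reader from removing it as redundant. The kstrndup() assignment that follows leaves ctx->server_hostname NULL on allocation failure, so the free leaves no dangling pointer behind. The first hunk only NULLs new_ctx->server_hostname, which is correct only if the kstrdup() that populates it comes later in smb3_fs_context_dup(); that part of the function is outside the hunk, as are the starts and ends of both functions.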
@@ -0,0 +1,78 @@
+From 0eab756f8821d255016c63bb55804c429ff4bdb1 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Wed, 13 Oct 2021 11:00:52 +0100
+Subject: mmc: moxart: Fix null pointer dereference on pointer host
+
+From: Colin Ian King
+
+commit 0eab756f8821d255016c63bb55804c429ff4bdb1 upstream.
+
+There are several error return paths that dereference the null pointer
+host because the pointer has not yet been set to a valid value.
+Fix this by adding a new out_mmc label and exiting via this label
+to avoid the host clean up and hence the null pointer dereference.
+
+Addresses-Coverity: ("Explicit null dereference")
+Fixes: 8105c2abbf36 ("mmc: moxart: Fix reference count leaks in moxart_probe")
+Signed-off-by: Colin Ian King
+Link: https://lore.kernel.org/r/20211013100052.125461-1-colin.king@canonical.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/moxart-mmc.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -566,37 +566,37 @@ static int moxart_probe(struct platform_
+ if (!mmc) {
+ dev_err(dev, "mmc_alloc_host failed\n");
+ ret = -ENOMEM;
+- goto out;
++ goto out_mmc;
+ }
+
+ ret = of_address_to_resource(node, 0, &res_mmc);
+ if (ret) {
+ dev_err(dev, "of_address_to_resource failed\n");
+- goto out;
++ goto out_mmc;
+ }
+
+ irq = irq_of_parse_and_map(node, 0);
+ if (irq <= 0) {
+ dev_err(dev, "irq_of_parse_and_map failed\n");
+ ret = -EINVAL;
+- goto out;
++ goto out_mmc;
+ }
+
+ clk = devm_clk_get(dev, NULL);
+ if (IS_ERR(clk)) {
+ ret = PTR_ERR(clk);
+- goto out;
++ goto out_mmc;
+ }
+
+ reg_mmc = devm_ioremap_resource(dev, &res_mmc);
+ if (IS_ERR(reg_mmc)) {
+ ret = PTR_ERR(reg_mmc);
+- goto out;
++ goto out_mmc;
+ }
+
+ ret = mmc_of_parse(mmc);
+ if (ret)
+- goto out;
++ goto out_mmc;
+
+ host = mmc_priv(mmc);
+ host->mmc = mmc;
+@@ -687,6 +687,7 @@ out:
+ dma_release_channel(host->dma_chan_tx);
+ if (!IS_ERR_OR_NULL(host->dma_chan_rx))
+ dma_release_channel(host->dma_chan_rx);
++out_mmc:
+ if (mmc)
+ mmc_free_host(mmc);
+ return ret;
diff --git a/queue-5.15/selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch b/queue-5.15/selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch
new file mode 100644
index 00000000000..1112fa32a80
--- /dev/null
+++ b/queue-5.15/selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch
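Review bot: `out_mmc:` is now the target of six early-exit paths in moxart_probe, and nothing at the label records that host is not valid there; a comment on the label, `/* host not yet set up: only the mmc_host itself needs freeing */`, would stop a later cleanup from hoisting the dma_release_channel() calls below it. Of those paths, the ones taken after irq_of_parse_and_map() has succeeded (devm_clk_get, devm_ioremap_resource and mmc_of_parse failures) reach out_mmc without undoing the irq mapping; that was equally true of the old `goto out`, so it is a pre-existing gap the commit does not address and may warrant a follow-up `irq_dispose_mapping(irq)` rather than a change to this patch. moxart_probe starts and ends outside both hunks.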
@@ -0,0 +1,86 @@
+From a20eac0af02810669e187cb623bc904908c423af Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko
+Date: Mon, 1 Nov 2021 16:01:18 -0700
+Subject: selftests/bpf: Fix also no-alu32 strobemeta selftest
+
+From: Andrii Nakryiko
+
+commit a20eac0af02810669e187cb623bc904908c423af upstream.
+
+Previous fix aded bpf_clamp_umax() helper use to re-validate boundaries.
+While that works correctly, it introduces more branches, which blows up
+past 1 million instructions in no-alu32 variant of strobemeta selftests.
+
+Switching len variable from u32 to u64 also fixes the issue and reduces
+the number of validated instructions, so use that instead. Fix this
+patch and bpf_clamp_umax() removed, both alu32 and no-alu32 selftests
+pass.
+
+Fixes: 0133c20480b1 ("selftests/bpf: Fix strobemeta selftest regression")
+Signed-off-by: Andrii Nakryiko
+Signed-off-by: Alexei Starovoitov
+Link: https://lore.kernel.org/bpf/20211101230118.1273019-1-andrii@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/bpf/progs/strobemeta.h | 15 ++------------- 
+ 1 file changed, 2 insertions(+), 13 deletions(-)
+
+--- a/tools/testing/selftests/bpf/progs/strobemeta.h
++++ b/tools/testing/selftests/bpf/progs/strobemeta.h
+@@ -10,14 +10,6 @@
+ #include
+ #include
+
+-#define bpf_clamp_umax(VAR, UMAX) \
+- asm volatile ( \
+- "if %0 <= %[max] goto +1\n" \
+- "%0 = %[max]\n" \
+- : "+r"(VAR) \
+- : [max]"i"(UMAX) \
+- )
+-
+ typedef uint32_t pid_t;
+ struct task_struct {};
+
+@@ -366,7 +358,7 @@ static __always_inline uint64_t read_str
+ void *payload)
+ {
+ void *location;
+- uint32_t len;
++ uint64_t len;
+
+ data->str_lens[idx] = 0;
+ location = calc_location(&cfg->str_locs[idx], tls_base);
+@@ -398,7 +390,7 @@ static __always_inline void *read_map_va
+ struct strobe_map_descr* descr = &data->map_descrs[idx];
+ struct strobe_map_raw map;
+ void *location;
+- uint32_t len;
++ uint64_t len;
+ int i;
+
+ descr->tag_len = 0; /* presume no tag is set */
+@@ -421,7 +413,6 @@ static __always_inline void *read_map_va
+
+ len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN, map.tag);
+ if (len <= STROBE_MAX_STR_LEN) {
+- bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->tag_len = len;
+ payload += len;
+ }
+@@ -439,7 +430,6 @@ static __always_inline void *read_map_va
+ len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN,
+ map.entries[i].key);
+ if (len <= STROBE_MAX_STR_LEN) {
+- bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->key_lens[i] = len;
+ payload += len;
+ }
+@@ -447,7 +437,6 @@ static __always_inline void *read_map_va
+ len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN,
+ map.entries[i].val);
+ if (len <= STROBE_MAX_STR_LEN) {
+- bpf_clamp_umax(len, STROBE_MAX_STR_LEN);
+ descr->val_lens[i] = len;
+ payload += len;
+ }
diff --git a/queue-5.15/selftests-x86-iopl-adjust-to-the-faked-iopl-cli-sti-usage.patch b/queue-5.15/selftests-x86-iopl-adjust-to-the-faked-iopl-cli-sti-usage.patch
new file mode 100644
index 00000000000..40d5217db45
--- /dev/null
+++ b/queue-5.15/selftests-x86-iopl-adjust-to-the-faked-iopl-cli-sti-usage.patch
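Review bot: With `len` now `uint64_t`, the `if (len <= STROBE_MAX_STR_LEN)` checks in read_map_var (and the matching one in read_str_var, whose body is outside the hunk) depend on a negative error return from bpf_probe_read_user_str() converting to a huge unsigned value that fails the bound; that is correct, but nothing says so, and a later "fix" of a sign-compare warning that makes `len` signed would let a negative length advance `payload` backwards. A comment at the declaration, `uint64_t len; /* unsigned on purpose: negative errors fail the <= STROBE_MAX_STR_LEN bound */`, would pin the intent. In the commit message, "Fix this patch and bpf_clamp_umax() removed" reads as a typo for "With this patch and bpf_clamp_umax() removed". Both read_str_var and read_map_var start and end outside the hunks.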
@@ -0,0 +1,160 @@
+From a72fdfd21e01c626273ddcf5ab740d4caef4be54 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov
+Date: Fri, 29 Oct 2021 19:27:32 +0200
+Subject: selftests/x86/iopl: Adjust to the faked iopl CLI/STI usage
+
+From: Borislav Petkov
+
+commit a72fdfd21e01c626273ddcf5ab740d4caef4be54 upstream.
+
+Commit in Fixes changed the iopl emulation to not #GP on CLI and STI
+because it would break some insane luserspace tools which would toggle
+interrupts.
+
+The corresponding selftest would rely on the fact that executing CLI/STI
+would trigger a #GP and thus detect it this way but since that #GP is
+not happening anymore, the detection is now wrong too.
+
+Extend the test to actually look at the IF flag and whether executing
+those insns had any effect on it. The STI detection needs to have the
+fact that interrupts were previously disabled, passed in so do that from
+the previous CLI test, i.e., STI test needs to follow a previous CLI one
+for it to make sense.
+
+Fixes: b968e84b509d ("x86/iopl: Fake iopl(3) CLI/STI usage")
+Suggested-by: Thomas Gleixner
+Signed-off-by: Borislav Petkov
+Acked-by: Thomas Gleixner
+Link: https://lore.kernel.org/r/20211030083939.13073-1-bp@alien8.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/x86/iopl.c | 78 +++++++++++++++++++++++++++----------
+ 1 file changed, 58 insertions(+), 20 deletions(-)
+
+--- a/tools/testing/selftests/x86/iopl.c
++++ b/tools/testing/selftests/x86/iopl.c
+@@ -85,48 +85,88 @@ static void expect_gp_outb(unsigned shor
+ printf("[OK]\toutb to 0x%02hx failed\n", port);
+ }
+
+-static bool try_cli(void)
++#define RET_FAULTED 0
++#define RET_FAIL 1
++#define RET_EMUL 2
++
++static int try_cli(void)
+ {
++ unsigned long flags;
++
+ sethandler(SIGSEGV, sigsegv, SA_RESETHAND);
+ if (sigsetjmp(jmpbuf, 1) != 0) {
+- return false;
++ return RET_FAULTED;
+ } else {
+- asm volatile ("cli");
+- return true;
++ asm volatile("cli; pushf; pop %[flags]"
++ : [flags] "=rm" (flags));
++
++ /* X86_FLAGS_IF */
++ if (!(flags & (1 << 9)))
++ return RET_FAIL;
++ else
++ return RET_EMUL;
+ }
+ clearhandler(SIGSEGV);
+ }
+
+-static bool try_sti(void)
++static int try_sti(bool irqs_off)
+ {
++ unsigned long flags;
++
+ sethandler(SIGSEGV, sigsegv, SA_RESETHAND);
+ if (sigsetjmp(jmpbuf, 1) != 0) {
+- return false;
++ return RET_FAULTED;
+ } else {
+- asm volatile ("sti");
+- return true;
++ asm volatile("sti; pushf; pop %[flags]"
++ : [flags] "=rm" (flags));
++
++ /* X86_FLAGS_IF */
++ if (irqs_off && (flags & (1 << 9)))
++ return RET_FAIL;
++ else
++ return RET_EMUL;
+ }
+ clearhandler(SIGSEGV);
+ }
+
+-static void expect_gp_sti(void)
++static void expect_gp_sti(bool irqs_off)
+ {
+- if (try_sti()) {
++ int ret = try_sti(irqs_off);
++
++ switch (ret) {
++ case RET_FAULTED:
++ printf("[OK]\tSTI faulted\n");
++ break;
++ case RET_EMUL:
++ printf("[OK]\tSTI NOPped\n");
++ break;
++ default:
+ printf("[FAIL]\tSTI worked\n");
+ nerrs++;
+- } else {
+- printf("[OK]\tSTI faulted\n");
+ }
+ }
+
+-static void expect_gp_cli(void)
++/*
++ * Returns whether it managed to disable interrupts.
++ */
++static bool test_cli(void)
+ {
+- if (try_cli()) {
++ int ret = try_cli();
++
++ switch (ret) {
++ case RET_FAULTED:
++ printf("[OK]\tCLI faulted\n");
++ break;
++ case RET_EMUL:
++ printf("[OK]\tCLI NOPped\n");
++ break;
++ default:
+ printf("[FAIL]\tCLI worked\n");
+ nerrs++;
+- } else {
+- printf("[OK]\tCLI faulted\n");
++ return true;
+ }
++
++ return false;
+ }
+
+ int main(void)
+@@ -152,8 +192,7 @@ int main(void)
+ }
+
+ /* Make sure that CLI/STI are blocked even with IOPL level 3 */
+- expect_gp_cli();
+- expect_gp_sti();
++ expect_gp_sti(test_cli());
+ expect_ok_outb(0x80);
+
+ /* Establish an I/O bitmap to test the restore */
+@@ -204,8 +243,7 @@ int main(void)
+ printf("[RUN]\tparent: write to 0x80 (should fail)\n");
+
+ expect_gp_outb(0x80);
+- expect_gp_cli();
+- expect_gp_sti();
++ expect_gp_sti(test_cli());
+
+ /* Test the capability checks. */
+ printf("\tiopl(3)\n");
diff --git a/queue-5.15/series b/queue-5.15/series
index 2105ba80a3e..668560f2338 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -916,3 +916,8 @@ drm-amd-display-look-at-firmware-version-to-determine-using-dmub-on-dcn21.patch
 crypto-api-export-crypto_boot_test_finished.patch
 crypto-api-do-not-create-test-larvals-if-manager-is-disabled.patch
 media-vidtv-move-kfree-dvb-to-vidtv_bridge_dev_release.patch
+cifs-fix-memory-leak-of-smb3_fs_context_dup-server_hostname.patch
+ath10k-fix-invalid-dma_addr_t-token-assignment.patch
+mmc-moxart-fix-null-pointer-dereference-on-pointer-host.patch
+selftests-x86-iopl-adjust-to-the-faked-iopl-cli-sti-usage.patch
+selftests-bpf-fix-also-no-alu32-strobemeta-selftest.patch
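Review bot: `1 << 9` appears twice in the new try_cli()/try_sti() bodies with only a `/* X86_FLAGS_IF */` comment naming it; a define next to the new RET_* constants, `#define X86_EFLAGS_IF (1UL << 9)`, used as `if (!(flags & X86_EFLAGS_IF))` and `if (irqs_off && (flags & X86_EFLAGS_IF))`, would make the IF checks self-explanatory and match the kernel's name for the bit. As before the change, both branches of the sigsetjmp() `if`/`else` return, so the `clearhandler(SIGSEGV);` that follows in each function is unreachable and the SA_RESETHAND handler stays installed after a non-faulting CLI/STI; either calling clearhandler() before the returns in the else branch or a comment saying why the leftover handler is harmless would be clearer. The RET_* values are plain ints with RET_FAIL as the switch default in expect_gp_sti()/test_cli(), so any new return code would be reported as "worked"; an explicit `case RET_FAIL:` would make that intent visible. main() starts and ends outside its two hunks.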