From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 25 Mar 2022 15:00:51 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v4.9.309~13
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=756e886fe59f52e4749854857b73e6f558095a72;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	m68k-fix-access_ok-for-coldfire.patch
	nds32-fix-access_ok-checks-in-get-put_user.patch
	wcn36xx-differentiate-wcn3660-from-wcn3620.patch
---

diff --git a/queue-5.15/m68k-fix-access_ok-for-coldfire.patch b/queue-5.15/m68k-fix-access_ok-for-coldfire.patch
new file mode 100644
index 00000000000..87e4812bfad
--- /dev/null
+++ b/queue-5.15/m68k-fix-access_ok-for-coldfire.patch
@@ -0,0 +1,51 @@
+From 26509034bef198525d5936c116cbd0c3fa491c0b Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 15 Feb 2022 17:59:41 +0100
+Subject: m68k: fix access_ok for coldfire
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 26509034bef198525d5936c116cbd0c3fa491c0b upstream.
+
+While most m68k platforms use separate address spaces for user
+and kernel space, at least coldfire does not, and the other
+ones have a TASK_SIZE that is less than the entire 4GB address
+range.
+
+Using the default implementation of __access_ok() stops coldfire
+user space from trivially accessing kernel memory.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/m68k/include/asm/uaccess.h |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/arch/m68k/include/asm/uaccess.h
++++ b/arch/m68k/include/asm/uaccess.h
+@@ -12,14 +12,17 @@
+ #include <asm/extable.h>
+ 
+ /* We let the MMU do all checking */
+-static inline int access_ok(const void __user *addr,
++static inline int access_ok(const void __user *ptr,
+ 			    unsigned long size)
+ {
+-	/*
+-	 * XXX: for !CONFIG_CPU_HAS_ADDRESS_SPACES this really needs to check
+-	 * for TASK_SIZE!
+-	 */
+-	return 1;
++	unsigned long limit = TASK_SIZE;
++	unsigned long addr = (unsigned long)ptr;
++
++	if (IS_ENABLED(CONFIG_CPU_HAS_ADDRESS_SPACES) ||
++	    !IS_ENABLED(CONFIG_MMU))
++		return 1;
++
++	return (size <= limit) && (addr <= (limit - size));
+ }
+ 
+ /*
diff --git a/queue-5.15/nds32-fix-access_ok-checks-in-get-put_user.patch b/queue-5.15/nds32-fix-access_ok-checks-in-get-put_user.patch
new file mode 100644
index 00000000000..2b5e79e9393
--- /dev/null
+++ b/queue-5.15/nds32-fix-access_ok-checks-in-get-put_user.patch
@@ -0,0 +1,75 @@
+From 8926d88ced46700bf6117ceaf391480b943ea9f4 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 14 Feb 2022 15:48:14 +0100
+Subject: nds32: fix access_ok() checks in get/put_user
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 8926d88ced46700bf6117ceaf391480b943ea9f4 upstream.
+
+The get_user()/put_user() functions are meant to check for
+access_ok(), while the __get_user()/__put_user() functions
+don't.
+
+This broke in 4.19 for nds32, when it gained an extraneous
+check in __get_user(), but lost the check it needs in
+__put_user().
+
+Fixes: 487913ab18c2 ("nds32: Extract the checking and getting pointer to a macro")
+Cc: stable@vger.kernel.org @ v4.19+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/nds32/include/asm/uaccess.h |   22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+--- a/arch/nds32/include/asm/uaccess.h
++++ b/arch/nds32/include/asm/uaccess.h
+@@ -70,9 +70,7 @@ static inline void set_fs(mm_segment_t f
+  * versions are void (ie, don't return a value as such).
+  */
+ 
+-#define get_user	__get_user					\
+-
+-#define __get_user(x, ptr)						\
++#define get_user(x, ptr)						\
+ ({									\
+ 	long __gu_err = 0;						\
+ 	__get_user_check((x), (ptr), __gu_err);				\
+@@ -85,6 +83,14 @@ static inline void set_fs(mm_segment_t f
+ 	(void)0;							\
+ })
+ 
++#define __get_user(x, ptr)						\
++({									\
++	long __gu_err = 0;						\
++	const __typeof__(*(ptr)) __user *__p = (ptr);			\
++	__get_user_err((x), __p, (__gu_err));				\
++	__gu_err;							\
++})
++
+ #define __get_user_check(x, ptr, err)					\
+ ({									\
+ 	const __typeof__(*(ptr)) __user *__p = (ptr);			\
+@@ -165,12 +171,18 @@ do {									\
+ 		: "r"(addr), "i"(-EFAULT)				\
+ 		: "cc")
+ 
+-#define put_user	__put_user					\
++#define put_user(x, ptr)						\
++({									\
++	long __pu_err = 0;						\
++	__put_user_check((x), (ptr), __pu_err);				\
++	__pu_err;							\
++})
+ 
+ #define __put_user(x, ptr)						\
+ ({									\
+ 	long __pu_err = 0;						\
+-	__put_user_err((x), (ptr), __pu_err);				\
++	__typeof__(*(ptr)) __user *__p = (ptr);				\
++	__put_user_err((x), __p, __pu_err);				\
+ 	__pu_err;							\
+ })
+ 
diff --git a/queue-5.15/series b/queue-5.15/series
index 8f995f6133c..6085876505d 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -32,3 +32,6 @@ rcu-don-t-deboost-before-reporting-expedited-quiescent-state.patch
 uaccess-fix-integer-overflow-on-access_ok.patch
 mac80211-fix-potential-double-free-on-mesh-join.patch
 tpm-use-try_get_ops-in-tpm-space.c.patch
+wcn36xx-differentiate-wcn3660-from-wcn3620.patch
+m68k-fix-access_ok-for-coldfire.patch
+nds32-fix-access_ok-checks-in-get-put_user.patch
diff --git a/queue-5.15/wcn36xx-differentiate-wcn3660-from-wcn3620.patch b/queue-5.15/wcn36xx-differentiate-wcn3660-from-wcn3620.patch
new file mode 100644
index 00000000000..10cc36496c1
--- /dev/null
+++ b/queue-5.15/wcn36xx-differentiate-wcn3660-from-wcn3620.patch
@@ -0,0 +1,53 @@
+From 98d504a82cc75840bec8e3c6ae0e4f411921962b Mon Sep 17 00:00:00 2001
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Date: Tue, 25 Jan 2022 00:40:46 +0000
+Subject: wcn36xx: Differentiate wcn3660 from wcn3620
+
+From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+
+commit 98d504a82cc75840bec8e3c6ae0e4f411921962b upstream.
+
+The spread of capability between the three WiFi silicon parts wcn36xx
+supports is:
+
+wcn3620 - 802.11 a/b/g
+wcn3660 - 802.11 a/b/g/n
+wcn3680 - 802.11 a/b/g/n/ac
+
+We currently treat wcn3660 as wcn3620 thus limiting it to 2GHz channels.
+Fix this regression by ensuring we differentiate between all three parts.
+
+Fixes: 8490987bdb9a ("wcn36xx: Hook and identify RF_IRIS_WCN3680")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20220125004046.4058284-1-bryan.odonoghue@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/wcn36xx/main.c    |    3 +++
+ drivers/net/wireless/ath/wcn36xx/wcn36xx.h |    1 +
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/wcn36xx/main.c
++++ b/drivers/net/wireless/ath/wcn36xx/main.c
+@@ -1474,6 +1474,9 @@ static int wcn36xx_platform_get_resource
+ 	if (iris_node) {
+ 		if (of_device_is_compatible(iris_node, "qcom,wcn3620"))
+ 			wcn->rf_id = RF_IRIS_WCN3620;
++		if (of_device_is_compatible(iris_node, "qcom,wcn3660") ||
++		    of_device_is_compatible(iris_node, "qcom,wcn3660b"))
++			wcn->rf_id = RF_IRIS_WCN3660;
+ 		if (of_device_is_compatible(iris_node, "qcom,wcn3680"))
+ 			wcn->rf_id = RF_IRIS_WCN3680;
+ 		of_node_put(iris_node);
+--- a/drivers/net/wireless/ath/wcn36xx/wcn36xx.h
++++ b/drivers/net/wireless/ath/wcn36xx/wcn36xx.h
+@@ -97,6 +97,7 @@ enum wcn36xx_ampdu_state {
+ 
+ #define RF_UNKNOWN	0x0000
+ #define RF_IRIS_WCN3620	0x3620
++#define RF_IRIS_WCN3660	0x3660
+ #define RF_IRIS_WCN3680	0x3680
+ 
+ static inline void buff_to_be(u32 *buf, size_t len)