From d4d6916e4f2fd219e33f09472402ce666a84e37c Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sat, 29 Jun 2024 07:50:02 -0400
Subject: [PATCH] Fixes for 4.19
Signed-off-by: Sasha Levin
---
 ...c-card-set-priv-pdev-before-using-it.patch | 54 +++++++++++
 ...les-fully-validate-nft_data_value-on.patch | 92 +++++++++++++++++++
 queue-4.19/series | 2 +
 3 files changed, 148 insertions(+)
 create mode 100644 queue-4.19/asoc-fsl-asoc-card-set-priv-pdev-before-using-it.patch
 create mode 100644 queue-4.19/netfilter-nf_tables-fully-validate-nft_data_value-on.patch
diff --git a/queue-4.19/asoc-fsl-asoc-card-set-priv-pdev-before-using-it.patch b/queue-4.19/asoc-fsl-asoc-card-set-priv-pdev-before-using-it.patch
new file mode 100644
index 00000000000..0401e8dbbea
--- /dev/null
+++ b/queue-4.19/asoc-fsl-asoc-card-set-priv-pdev-before-using-it.patch
@@ -0,0 +1,54 @@
+From e86534d6458df8c87b2dc02e1f9e239d9328dca8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 20 Jun 2024 15:25:03 +0200
+Subject: ASoC: fsl-asoc-card: set priv->pdev before using it
+
+From: Elinor Montmasson
+
+[ Upstream commit 90f3feb24172185f1832636264943e8b5e289245 ]
+
+priv->pdev pointer was set after being used in
+fsl_asoc_card_audmux_init().
+Move this assignment at the start of the probe function, so
+sub-functions can correctly use pdev through priv.
+
+fsl_asoc_card_audmux_init() dereferences priv->pdev to get access to the
+dev struct, used with dev_err macros.
+As priv is zero-initialised, there would be a NULL pointer dereference.
+Note that if priv->dev is dereferenced before assignment but never used,
+for example if there is no error to be printed, the driver won't crash
+probably due to compiler optimisations.
+
+Fixes: 708b4351f08c ("ASoC: fsl: Add Freescale Generic ASoC Sound Card with ASRC support")
+Signed-off-by: Elinor Montmasson
+Link: https://patch.msgid.link/20240620132511.4291-2-elinor.montmasson@savoirfairelinux.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/fsl/fsl-asoc-card.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c
+index 600d9be9706ef..b2929c31c0011 100644
+--- a/sound/soc/fsl/fsl-asoc-card.c
++++ b/sound/soc/fsl/fsl-asoc-card.c
+@@ -479,6 +479,8 @@ static int fsl_asoc_card_probe(struct platform_device *pdev)
+ if (!priv)
+ return -ENOMEM;
+ 
++ priv->pdev = pdev;
++
+ cpu_np = of_parse_phandle(np, "audio-cpu", 0);
+ /* Give a chance to old DT binding */
+ if (!cpu_np)
+@@ -591,7 +593,6 @@ static int fsl_asoc_card_probe(struct platform_device *pdev)
+ codec_dev->name);
+ 
+ /* Initialize sound card */
+- priv->pdev = pdev;
+ priv->card.dev = &pdev->dev;
+ priv->card.name = priv->name;
+ priv->card.dai_link = priv->dai_link;
+-- 
+2.43.0
+
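Review bot: The early `priv->pdev = pdev;` added right after the allocation check in fsl_asoc_card_probe() has no comment recording why it must sit there. The second inner hunk removes the assignment from under `/* Initialize sound card */`, which is where a later cleanup would naturally move it back. A one-line comment above the new line, for example `/* set first: helpers called below log through priv->pdev->dev */`, would keep the ordering constraint visible in the source. According to the commit message the NULL dereference is only reached when fsl_asoc_card_audmux_init() reports an error, so the regression would be easy to miss in normal testing. The probe function starts and ends outside both hunks.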
diff --git a/queue-4.19/netfilter-nf_tables-fully-validate-nft_data_value-on.patch b/queue-4.19/netfilter-nf_tables-fully-validate-nft_data_value-on.patch
new file mode 100644
index 00000000000..257dc755e62
--- /dev/null
+++ b/queue-4.19/netfilter-nf_tables-fully-validate-nft_data_value-on.patch
@@ -0,0 +1,92 @@
+From d6c0905adcf42c6b93685032e6c9e804fa699d9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Jun 2024 23:15:38 +0200
+Subject: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data
+ registers
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 7931d32955e09d0a11b1fe0b6aac1bfa061c005c ]
+
+register store validation for NFT_DATA_VALUE is conditional, however,
+the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This
+only requires a new helper function to infer the register type from the
+set datatype so this conditional check can be removed. Otherwise,
+pointer to chain object can be leaked through the registers.
+
+Fixes: 96518518cc41 ("netfilter: add nftables")
+Reported-by: Linus Torvalds
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ include/net/netfilter/nf_tables.h | 5 +++++
+ net/netfilter/nf_tables_api.c | 8 ++++----
+ net/netfilter/nft_lookup.c | 3 ++-
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 9ce7837520f39..4a0f51c2b3b91 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -445,6 +445,11 @@ static inline void *nft_set_priv(const struct nft_set *set)
+ return (void *)set->data;
+ }
+ 
++static inline enum nft_data_types nft_set_datatype(const struct nft_set *set)
++{
++ return set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
++}
++
+ static inline bool nft_set_gc_is_pending(const struct nft_set *s)
+ {
+ return refcount_read(&s->refs) != 1;
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 2c31470dd61f5..f2611406af141 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4154,8 +4154,7 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
+ 
+ if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
+ nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
+- set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
+- set->dlen) < 0)
++ nft_set_datatype(set), set->dlen) < 0)
+ goto nla_put_failure;
+ 
+ if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR) &&
+@@ -7655,6 +7654,9 @@ static int nft_validate_register_store(const struct nft_ctx *ctx,
+ 
+ return 0;
+ default:
++ if (type != NFT_DATA_VALUE)
++ return -EINVAL;
++
+ if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
+ return -EINVAL;
+ if (len == 0)
+@@ -7663,8 +7665,6 @@ static int nft_validate_register_store(const struct nft_ctx *ctx,
+ FIELD_SIZEOF(struct nft_regs, data))
+ return -ERANGE;
+ 
+- if (data != NULL && type != NFT_DATA_VALUE)
+- return -EINVAL;
+ return 0;
+ }
+ }
+diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
+index 3c380fb326511..bb8bd562c1ba2 100644
+--- a/net/netfilter/nft_lookup.c
++++ b/net/netfilter/nft_lookup.c
+@@ -101,7 +101,8 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
+ return -EINVAL;
+ 
+ err = nft_parse_register_store(ctx, tb[NFTA_LOOKUP_DREG],
+- &priv->dreg, NULL, set->dtype,
++ &priv->dreg, NULL,
++ nft_set_datatype(set),
+ set->dlen);
+ if (err < 0)
+ return err;
+-- 
+2.43.0
+
diff --git a/queue-4.19/series b/queue-4.19/series
index c3ed2c8687e..914f3d2044f 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
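Review bot: The unconditional `if (type != NFT_DATA_VALUE) return -EINVAL;` added to the default branch of nft_validate_register_store() makes every caller responsible for passing a normalised type, and this backport converts only nft_lookup_init() and nf_tables_fill_setelem(). The removed check fired only when `data != NULL`, so a caller passing NULL data with a raw `set->dtype` was previously accepted, as nft_lookup_init() did. Every remaining caller of nft_parse_register_store() in the 4.19 tree should be confirmed to pass `nft_set_datatype(set)` or a fixed NFT_DATA_VALUE; one that still passes `set->dtype` would presumably start failing with -EINVAL on existing rulesets. A short comment on the new helper, such as `/* register type for this set's data: verdict, otherwise plain value */`, would also record why `set->dtype` must not be handed to the register validation directly. The bodies of the patched functions start and end outside the hunks.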
@@ -112,3 +112,5 @@ drm-amdgpu-fix-ubsan-warning-in-kv_dpm.c.patch
 revert-x86-mm-numa-use-numa_no_node-when-calling-mem.patch
 revert-mm-memblock-replace-dereferences-of-memblock_.patch
 netfilter-nf_tables-validate-family-when-identifying.patch
+asoc-fsl-asoc-card-set-priv-pdev-before-using-it.patch
+netfilter-nf_tables-fully-validate-nft_data_value-on.patch
-- 
2.47.3