From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 5 Feb 2022 12:55:13 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v5.10.98~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=34f3b98da552799bbf3fc60ebcc86a9838878cc1;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	drm-i915-disable-dsb-usage-for-now.patch
	selinux-fix-double-free-of-cond_list-on-error-paths.patch
---

diff --git a/queue-5.15/drm-i915-disable-dsb-usage-for-now.patch b/queue-5.15/drm-i915-disable-dsb-usage-for-now.patch
new file mode 100644
index 00000000000..6906b7756f3
--- /dev/null
+++ b/queue-5.15/drm-i915-disable-dsb-usage-for-now.patch
@@ -0,0 +1,57 @@
+From 99510e1afb4863a225207146bd988064c5fd0629 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Thu, 14 Oct 2021 21:18:56 +0300
+Subject: drm/i915: Disable DSB usage for now
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 99510e1afb4863a225207146bd988064c5fd0629 upstream.
+
+Turns out the DSB has trouble correctly loading the gamma LUT.
+From a cursory look maybe like some entries do not load
+properly, or they get loaded with some gibberish. Unfortunately
+our current kms_color/etc. tests do not seem to catch this.
+
+I had a brief look at the generated DSB batch and it looked
+correct. Tried a few quick tricks like writing the index
+register twice/etc. but didn't see any improvement.
+Also tried switching to the 10bit gamma mode in case
+there is yet another issue with the multi-segment mode, but
+even the 10bit mode was showing issues.
+
+Switching to mmio fixes all of it. I suppose one theory is that
+maybe the DSB bangs on the LUT too quickly and it can't keep up
+and instead some data either gets dropped or corrupted. To confirm
+that someone should try to slow down the DSB's progress a bit.
+Another thought was that maybe the LUT has crappy dual porting
+and you get contention if you try to load it during active
+scanout. But why then would the mmio path work, unless it's
+just sufficiently slow?
+
+Whatever the case, this is currently busted so let's disable
+it until we get to the root of the problem.
+
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/3916
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20211014181856.17581-2-ville.syrjala@linux.intel.com
+Reviewed-by: Uma Shankar <uma.shankar@intel.com>
+Cc: Mario Kleiner <mario.kleiner.de@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/i915_pci.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/i915_pci.c
++++ b/drivers/gpu/drm/i915/i915_pci.c
+@@ -865,7 +865,7 @@ static const struct intel_device_info js
+ 	}, \
+ 	TGL_CURSOR_OFFSETS, \
+ 	.has_global_mocs = 1, \
+-	.display.has_dsb = 1
++	.display.has_dsb = 0 /* FIXME: LUT load is broken with DSB */
+ 
+ static const struct intel_device_info tgl_info = {
+ 	GEN12_FEATURES,
diff --git a/queue-5.15/selinux-fix-double-free-of-cond_list-on-error-paths.patch b/queue-5.15/selinux-fix-double-free-of-cond_list-on-error-paths.patch
new file mode 100644
index 00000000000..3c222e4427d
--- /dev/null
+++ b/queue-5.15/selinux-fix-double-free-of-cond_list-on-error-paths.patch
@@ -0,0 +1,45 @@
+From 186edf7e368c40d06cf727a1ad14698ea67b74ad Mon Sep 17 00:00:00 2001
+From: Vratislav Bendel <vbendel@redhat.com>
+Date: Wed, 2 Feb 2022 12:25:11 +0100
+Subject: selinux: fix double free of cond_list on error paths
+
+From: Vratislav Bendel <vbendel@redhat.com>
+
+commit 186edf7e368c40d06cf727a1ad14698ea67b74ad upstream.
+
+On error path from cond_read_list() and duplicate_policydb_cond_list()
+the cond_list_destroy() gets called a second time in caller functions,
+resulting in NULL pointer deref.  Fix this by resetting the
+cond_list_len to 0 in cond_list_destroy(), making subsequent calls a
+noop.
+
+Also consistently reset the cond_list pointer to NULL after freeing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Vratislav Bendel <vbendel@redhat.com>
+[PM: fix line lengths in the description]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/ss/conditional.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/ss/conditional.c
++++ b/security/selinux/ss/conditional.c
+@@ -152,6 +152,8 @@ static void cond_list_destroy(struct pol
+ 	for (i = 0; i < p->cond_list_len; i++)
+ 		cond_node_destroy(&p->cond_list[i]);
+ 	kfree(p->cond_list);
++	p->cond_list = NULL;
++	p->cond_list_len = 0;
+ }
+ 
+ void cond_policydb_destroy(struct policydb *p)
+@@ -441,7 +443,6 @@ int cond_read_list(struct policydb *p, v
+ 	return 0;
+ err:
+ 	cond_list_destroy(p);
+-	p->cond_list = NULL;
+ 	return rc;
+ }
+ 
diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644
index 00000000000..8fdfe0c57c6
--- /dev/null
+++ b/queue-5.15/series
@@ -0,0 +1,2 @@
+drm-i915-disable-dsb-usage-for-now.patch
+selinux-fix-double-free-of-cond_list-on-error-paths.patch