5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 23 May 2020 12:22:09 +0000 (14:22 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 23 May 2020 12:22:09 +0000 (14:22 +0200)
added patches:
apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch
apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch
apparmor-fix-use-after-free-in-aa_audit_rule_init.patch
arm64-fix-ptrace_sysemu-semantics.patch
dmaengine-dmatest-restore-default-for-channel.patch
dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch
dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch
drm-etnaviv-fix-a-leak-in-submit_pin_objects.patch
drm-etnaviv-fix-perfmon-domain-interation.patch
vsprintf-don-t-obfuscate-null-and-error-pointers.patch

queue-5.4/apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch [new file with mode: 0644]
queue-5.4/apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch [new file with mode: 0644]
queue-5.4/apparmor-fix-use-after-free-in-aa_audit_rule_init.patch [new file with mode: 0644]
queue-5.4/arm64-fix-ptrace_sysemu-semantics.patch [new file with mode: 0644]
queue-5.4/dmaengine-dmatest-restore-default-for-channel.patch [new file with mode: 0644]
queue-5.4/dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch [new file with mode: 0644]
queue-5.4/dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch [new file with mode: 0644]
queue-5.4/drm-etnaviv-fix-a-leak-in-submit_pin_objects.patch [new file with mode: 0644]
queue-5.4/drm-etnaviv-fix-perfmon-domain-interation.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/vsprintf-don-t-obfuscate-null-and-error-pointers.patch [new file with mode: 0644]

diff --git a/queue-5.4/apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch b/queue-5.4/apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch
new file mode 100644 (file)
index 0000000..936faa5
--- /dev/null
@@ -0,0 +1,53 @@
+From c6b39f070722ea9963ffe756bfe94e89218c5e63 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Mon, 20 Apr 2020 13:35:28 +0800
+Subject: apparmor: Fix aa_label refcnt leak in policy_update
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit c6b39f070722ea9963ffe756bfe94e89218c5e63 upstream.
+
+policy_update() invokes begin_current_label_crit_section(), which
+returns a reference of the updated aa_label object to "label" with
+increased refcount.
+
+When policy_update() returns, "label" becomes invalid, so the refcount
+should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one exception handling path of
+policy_update(). When aa_may_manage_policy() returns not NULL, the
+refcnt increased by begin_current_label_crit_section() is not decreased,
+causing a refcnt leak.
+
+Fix this issue by jumping to "end_section" label when
+aa_may_manage_policy() returns not NULL.
+
+Fixes: 5ac8c355ae00 ("apparmor: allow introspecting the loaded policy pre internal transform")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/apparmorfs.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -424,7 +424,7 @@ static ssize_t policy_update(u32 mask, c
+        */
+       error = aa_may_manage_policy(label, ns, mask);
+       if (error)
+-              return error;
++              goto end_section;
+       data = aa_simple_write_to_buffer(buf, size, size, pos);
+       error = PTR_ERR(data);
+@@ -432,6 +432,7 @@ static ssize_t policy_update(u32 mask, c
+               error = aa_replace_profiles(ns, label, mask, data);
+               aa_put_loaddata(data);
+       }
++end_section:
+       end_current_label_crit_section(label);
+       return error;
diff --git a/queue-5.4/apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch b/queue-5.4/apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch
new file mode 100644 (file)
index 0000000..d60aa8c
--- /dev/null
@@ -0,0 +1,51 @@
+From a0b845ffa0d91855532b50fc040aeb2d8338dca4 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Sun, 5 Apr 2020 13:11:55 +0800
+Subject: apparmor: fix potential label refcnt leak in aa_change_profile
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit a0b845ffa0d91855532b50fc040aeb2d8338dca4 upstream.
+
+aa_change_profile() invokes aa_get_current_label(), which returns
+a reference of the current task's label.
+
+According to the comment of aa_get_current_label(), the returned
+reference must be put with aa_put_label().
+However, when the original object pointed by "label" becomes
+unreachable because aa_change_profile() returns or a new object
+is assigned to "label", reference count increased by
+aa_get_current_label() is not decreased, causing a refcnt leak.
+
+Fix this by calling aa_put_label() before aa_change_profile() return
+and dropping unnecessary aa_get_current_label().
+
+Fixes: 9fcf78cca198 ("apparmor: update domain transitions that are subsets of confinement at nnp")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/domain.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -1334,6 +1334,7 @@ int aa_change_profile(const char *fqname
+               ctx->nnp = aa_get_label(label);
+       if (!fqname || !*fqname) {
++              aa_put_label(label);
+               AA_DEBUG("no profile name");
+               return -EINVAL;
+       }
+@@ -1352,8 +1353,6 @@ int aa_change_profile(const char *fqname
+                       op = OP_CHANGE_PROFILE;
+       }
+-      label = aa_get_current_label();
+-
+       if (*fqname == '&') {
+               stack = true;
+               /* don't have label_parse() do stacking */
diff --git a/queue-5.4/apparmor-fix-use-after-free-in-aa_audit_rule_init.patch b/queue-5.4/apparmor-fix-use-after-free-in-aa_audit_rule_init.patch
new file mode 100644 (file)
index 0000000..3411db1
--- /dev/null
@@ -0,0 +1,38 @@
+From c54d481d71c6849e044690d3960aaebc730224cc Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Mon, 21 Oct 2019 10:23:47 -0500
+Subject: apparmor: Fix use-after-free in aa_audit_rule_init
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit c54d481d71c6849e044690d3960aaebc730224cc upstream.
+
+In the implementation of aa_audit_rule_init(), when aa_label_parse()
+fails the allocated memory for rule is released using
+aa_audit_rule_free(). But after this release, the return statement
+tries to access the label field of the rule which results in
+use-after-free. Before releasing the rule, copy errNo and return it
+after release.
+
+Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/audit.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op
+       rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
+                                    GFP_KERNEL, true, false);
+       if (IS_ERR(rule->label)) {
++              int err = PTR_ERR(rule->label);
+               aa_audit_rule_free(rule);
+-              return PTR_ERR(rule->label);
++              return err;
+       }
+       *vrule = rule;
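Review bot: In the `IS_ERR(rule->label)` branch, `aa_audit_rule_free(rule)` is still called while `rule->label` holds an error pointer rather than a label. Saving `err` first fixes the read after free, but the body of the free routine is outside the hunk, so it should be confirmed that it does not drop a reference on that value. A guard of the form `if (!IS_ERR(rule->label)) aa_put_label(rule->label);` in the free path would make this safe independent of the caller. aa_audit_rule_init() itself begins and ends outside the hunk.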
diff --git a/queue-5.4/arm64-fix-ptrace_sysemu-semantics.patch b/queue-5.4/arm64-fix-ptrace_sysemu-semantics.patch
new file mode 100644 (file)
index 0000000..60f97ae
--- /dev/null
@@ -0,0 +1,58 @@
+From 1cf6022bd9161081215028203919c33fcfa6debb Mon Sep 17 00:00:00 2001
+From: Keno Fischer <keno@juliacomputing.com>
+Date: Fri, 15 May 2020 18:22:53 -0400
+Subject: arm64: Fix PTRACE_SYSEMU semantics
+
+From: Keno Fischer <keno@juliacomputing.com>
+
+commit 1cf6022bd9161081215028203919c33fcfa6debb upstream.
+
+Quoth the man page:
+```
+       If the tracee was restarted by PTRACE_SYSCALL or PTRACE_SYSEMU, the
+       tracee enters syscall-enter-stop just prior to entering any system
+       call (which will not be executed if the restart was using
+       PTRACE_SYSEMU, regardless of any change made to registers at this
+       point or how the tracee is restarted after this stop).
+```
+
+The parenthetical comment is currently true on x86 and powerpc,
+but not currently true on arm64. arm64 re-checks the _TIF_SYSCALL_EMU
+flag after the syscall entry ptrace stop. However, at this point,
+it reflects which method was used to re-start the syscall
+at the entry stop, rather than the method that was used to reach it.
+Fix that by recording the original flag before performing the ptrace
+stop, bringing the behavior in line with documentation and x86/powerpc.
+
+Fixes: f086f67485c5 ("arm64: ptrace: add support for syscall emulation")
+Cc: <stable@vger.kernel.org> # 5.3.x-
+Signed-off-by: Keno Fischer <keno@juliacomputing.com>
+Acked-by: Will Deacon <will@kernel.org>
+Tested-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Bin Lu <Bin.Lu@arm.com>
+[catalin.marinas@arm.com: moved 'flags' bit masking]
+[catalin.marinas@arm.com: changed 'flags' type to unsigned long]
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1829,10 +1829,11 @@ static void tracehook_report_syscall(str
+ int syscall_trace_enter(struct pt_regs *regs)
+ {
+-      if (test_thread_flag(TIF_SYSCALL_TRACE) ||
+-              test_thread_flag(TIF_SYSCALL_EMU)) {
++      unsigned long flags = READ_ONCE(current_thread_info()->flags);
++
++      if (flags & (_TIF_SYSCALL_EMU | _TIF_SYSCALL_TRACE)) {
+               tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
+-              if (!in_syscall(regs) || test_thread_flag(TIF_SYSCALL_EMU))
++              if (!in_syscall(regs) || (flags & _TIF_SYSCALL_EMU))
+                       return -1;
+       }
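Review bot: Nothing in syscall_trace_enter() records why `flags` is read once before `tracehook_report_syscall()`, so a later cleanup back to `test_thread_flag(TIF_SYSCALL_EMU)` in the second test would silently restore the old behaviour. I would add a comment above the `READ_ONCE` line, for example `/* Snapshot before the ptrace stop: the tracer may change TIF_SYSCALL_EMU while we are stopped, and the decision must follow how the stop was reached. */`. Tracers that depend on PTRACE_SYSEMU never executing the syscall, as the quoted man page promises, rely on exactly this ordering. The rest of the function is outside the hunk.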
diff --git a/queue-5.4/dmaengine-dmatest-restore-default-for-channel.patch b/queue-5.4/dmaengine-dmatest-restore-default-for-channel.patch
new file mode 100644 (file)
index 0000000..b5b308d
--- /dev/null
@@ -0,0 +1,49 @@
+From 6b41030fdc79086db5d673c5ed7169f3ee8c13b9 Mon Sep 17 00:00:00 2001
+From: Vladimir Murzin <vladimir.murzin@arm.com>
+Date: Wed, 29 Apr 2020 08:15:22 +0100
+Subject: dmaengine: dmatest: Restore default for channel
+
+From: Vladimir Murzin <vladimir.murzin@arm.com>
+
+commit 6b41030fdc79086db5d673c5ed7169f3ee8c13b9 upstream.
+
+In case of dmatest is built-in and no channel was configured test
+doesn't run with:
+
+dmatest: Could not start test, no channels configured
+
+Even though description to "channel" parameter claims that default is
+any.
+
+Add default channel back as it used to be rather than reject test with
+no channel configuration.
+
+Fixes: d53513d5dc285d9a95a534fc41c5c08af6b60eac ("dmaengine: dmatest: Add support for multi channel testing)
+Reported-by: Dijil Mohan <Dijil.Mohan@arm.com>
+Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Link: https://lore.kernel.org/r/20200429071522.58148-1-vladimir.murzin@arm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/dmatest.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -1166,10 +1166,11 @@ static int dmatest_run_set(const char *v
+               mutex_unlock(&info->lock);
+               return ret;
+       } else if (dmatest_run) {
+-              if (is_threaded_test_pending(info))
+-                      start_threaded_tests(info);
+-              else
+-                      pr_info("Could not start test, no channels configured\n");
++              if (!is_threaded_test_pending(info)) {
++                      pr_info("No channels configured, continue with any\n");
++                      add_threaded_test(info);
++              }
++              start_threaded_tests(info);
+       } else {
+               stop_threaded_test(info);
+       }
diff --git a/queue-5.4/dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch b/queue-5.4/dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch
new file mode 100644 (file)
index 0000000..75d3846
--- /dev/null
@@ -0,0 +1,101 @@
+From f8f482deb078389b42768b2193e050a81aae137d Mon Sep 17 00:00:00 2001
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Date: Sat, 2 May 2020 20:15:51 +0300
+Subject: dmaengine: owl: Use correct lock in owl_dma_get_pchan()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+
+commit f8f482deb078389b42768b2193e050a81aae137d upstream.
+
+When the kernel is built with lockdep support and the owl-dma driver is
+used, the following message is shown:
+
+[    2.496939] INFO: trying to register non-static key.
+[    2.501889] the code is fine but needs lockdep annotation.
+[    2.507357] turning off the locking correctness validator.
+[    2.512834] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.6.3+ #15
+[    2.519084] Hardware name: Generic DT based system
+[    2.523878] Workqueue: events_freezable mmc_rescan
+[    2.528681] [<801127f0>] (unwind_backtrace) from [<8010da58>] (show_stack+0x10/0x14)
+[    2.536420] [<8010da58>] (show_stack) from [<8080fbe8>] (dump_stack+0xb4/0xe0)
+[    2.543645] [<8080fbe8>] (dump_stack) from [<8017efa4>] (register_lock_class+0x6f0/0x718)
+[    2.551816] [<8017efa4>] (register_lock_class) from [<8017b7d0>] (__lock_acquire+0x78/0x25f0)
+[    2.560330] [<8017b7d0>] (__lock_acquire) from [<8017e5e4>] (lock_acquire+0xd8/0x1f4)
+[    2.568159] [<8017e5e4>] (lock_acquire) from [<80831fb0>] (_raw_spin_lock_irqsave+0x3c/0x50)
+[    2.576589] [<80831fb0>] (_raw_spin_lock_irqsave) from [<8051b5fc>] (owl_dma_issue_pending+0xbc/0x120)
+[    2.585884] [<8051b5fc>] (owl_dma_issue_pending) from [<80668cbc>] (owl_mmc_request+0x1b0/0x390)
+[    2.594655] [<80668cbc>] (owl_mmc_request) from [<80650ce0>] (mmc_start_request+0x94/0xbc)
+[    2.602906] [<80650ce0>] (mmc_start_request) from [<80650ec0>] (mmc_wait_for_req+0x64/0xd0)
+[    2.611245] [<80650ec0>] (mmc_wait_for_req) from [<8065aa10>] (mmc_app_send_scr+0x10c/0x144)
+[    2.619669] [<8065aa10>] (mmc_app_send_scr) from [<80659b3c>] (mmc_sd_setup_card+0x4c/0x318)
+[    2.628092] [<80659b3c>] (mmc_sd_setup_card) from [<80659f0c>] (mmc_sd_init_card+0x104/0x430)
+[    2.636601] [<80659f0c>] (mmc_sd_init_card) from [<8065a3e0>] (mmc_attach_sd+0xcc/0x16c)
+[    2.644678] [<8065a3e0>] (mmc_attach_sd) from [<8065301c>] (mmc_rescan+0x3ac/0x40c)
+[    2.652332] [<8065301c>] (mmc_rescan) from [<80143244>] (process_one_work+0x2d8/0x780)
+[    2.660239] [<80143244>] (process_one_work) from [<80143730>] (worker_thread+0x44/0x598)
+[    2.668323] [<80143730>] (worker_thread) from [<8014b5f8>] (kthread+0x148/0x150)
+[    2.675708] [<8014b5f8>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+[    2.682912] Exception stack(0xee8fdfb0 to 0xee8fdff8)
+[    2.687954] dfa0:                                     00000000 00000000 00000000 00000000
+[    2.696118] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[    2.704277] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+
+The obvious fix would be to use 'spin_lock_init()' on 'pchan->lock'
+before attempting to call 'spin_lock_irqsave()' in 'owl_dma_get_pchan()'.
+
+However, according to Manivannan Sadhasivam, 'pchan->lock' was supposed
+to only protect 'pchan->vchan' while 'od->lock' does a similar job in
+'owl_dma_terminate_pchan()'.
+
+Therefore, this patch substitutes 'pchan->lock' with 'od->lock' and
+removes the 'lock' attribute in 'owl_dma_pchan' struct.
+
+Fixes: 47e20577c24d ("dmaengine: Add Actions Semi Owl family S900 DMA driver")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Acked-by: Andreas Färber <afaerber@suse.de>
+Link: https://lore.kernel.org/r/c6e6cdaca252b5364bd294093673951036488cf0.1588439073.git.cristian.ciocaltea@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/owl-dma.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/dma/owl-dma.c
++++ b/drivers/dma/owl-dma.c
+@@ -175,13 +175,11 @@ struct owl_dma_txd {
+  * @id: physical index to this channel
+  * @base: virtual memory base for the dma channel
+  * @vchan: the virtual channel currently being served by this physical channel
+- * @lock: a lock to use when altering an instance of this struct
+  */
+ struct owl_dma_pchan {
+       u32                     id;
+       void __iomem            *base;
+       struct owl_dma_vchan    *vchan;
+-      spinlock_t              lock;
+ };
+ /**
+@@ -437,14 +435,14 @@ static struct owl_dma_pchan *owl_dma_get
+       for (i = 0; i < od->nr_pchans; i++) {
+               pchan = &od->pchans[i];
+-              spin_lock_irqsave(&pchan->lock, flags);
++              spin_lock_irqsave(&od->lock, flags);
+               if (!pchan->vchan) {
+                       pchan->vchan = vchan;
+-                      spin_unlock_irqrestore(&pchan->lock, flags);
++                      spin_unlock_irqrestore(&od->lock, flags);
+                       break;
+               }
+-              spin_unlock_irqrestore(&pchan->lock, flags);
++              spin_unlock_irqrestore(&od->lock, flags);
+       }
+       return pchan;
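Review bot: When every entry already has `pchan->vchan` set, the loop in owl_dma_get_pchan() finishes without reaching `break`, and `return pchan;` hands back the last element of `od->pchans`, which is still serving another virtual channel. The lock substitution leaves this path as it was. Making the "none free" case explicit would take two lines: replace `break;` with `return pchan;` in the match branch and end the function with `return NULL;`. The declarations at the top of the function and its callers are outside the hunk, so it should be checked that callers handle a NULL result before changing the return.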
diff --git a/queue-5.4/dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch b/queue-5.4/dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch
new file mode 100644 (file)
index 0000000..3d08b3d
--- /dev/null
@@ -0,0 +1,40 @@
+From 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 16 May 2020 23:42:05 +0200
+Subject: dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 upstream.
+
+Commit b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe")
+has moved some code in the probe function and reordered the error handling
+path accordingly.
+However, a goto has been missed.
+
+Fix it and goto the right label if 'dma_async_device_register()' fails, so
+that all resources are released.
+
+Fixes: b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20200516214205.276266-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/tegra210-adma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -900,7 +900,7 @@ static int tegra_adma_probe(struct platf
+       ret = dma_async_device_register(&tdma->dma_dev);
+       if (ret < 0) {
+               dev_err(&pdev->dev, "ADMA registration failed: %d\n", ret);
+-              goto irq_dispose;
++              goto rpm_put;
+       }
+       ret = of_dma_controller_register(pdev->dev.of_node,
diff --git a/queue-5.4/drm-etnaviv-fix-a-leak-in-submit_pin_objects.patch b/queue-5.4/drm-etnaviv-fix-a-leak-in-submit_pin_objects.patch
new file mode 100644 (file)
index 0000000..c84d1b7
--- /dev/null
@@ -0,0 +1,35 @@
+From ad99cb5e783bb03d512092db3387ead9504aad3d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 18 May 2020 14:29:55 +0300
+Subject: drm/etnaviv: Fix a leak in submit_pin_objects()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit ad99cb5e783bb03d512092db3387ead9504aad3d upstream.
+
+If the mapping address is wrong then we have to release the reference to
+it before returning -EINVAL.
+
+Fixes: 088880ddc0b2 ("drm/etnaviv: implement softpin")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
+@@ -240,8 +240,10 @@ static int submit_pin_objects(struct etn
+               }
+               if ((submit->flags & ETNA_SUBMIT_SOFTPIN) &&
+-                   submit->bos[i].va != mapping->iova)
++                   submit->bos[i].va != mapping->iova) {
++                      etnaviv_gem_mapping_unreference(mapping);
+                       return -EINVAL;
++              }
+               atomic_inc(&etnaviv_obj->gpu_active);
diff --git a/queue-5.4/drm-etnaviv-fix-perfmon-domain-interation.patch b/queue-5.4/drm-etnaviv-fix-perfmon-domain-interation.patch
new file mode 100644 (file)
index 0000000..5c974b1
--- /dev/null
@@ -0,0 +1,55 @@
+From 40b697e256ccdb88aaff424b44b4d300eb8460e8 Mon Sep 17 00:00:00 2001
+From: Christian Gmeiner <christian.gmeiner@gmail.com>
+Date: Tue, 19 May 2020 07:30:15 +0200
+Subject: drm/etnaviv: fix perfmon domain interation
+
+From: Christian Gmeiner <christian.gmeiner@gmail.com>
+
+commit 40b697e256ccdb88aaff424b44b4d300eb8460e8 upstream.
+
+The GC860 has one GPU device which has a 2d and 3d core. In this case
+we want to expose perfmon information for both cores.
+
+The driver has one array which contains all possible perfmon domains
+with some meta data - doms_meta. Here we can see that for the GC860
+two elements of that array are relevant:
+
+  doms_3d: is at index 0 in the doms_meta array with 8 perfmon domains
+  doms_2d: is at index 1 in the doms_meta array with 1 perfmon domain
+
+The userspace driver wants to get a list of all perfmon domains and
+their perfmon signals. This is done by iterating over all domains and
+their signals. If the userspace driver wants to access the domain with
+id 8 the kernel driver fails and returns invalid data from doms_3d with
+and invalid offset.
+
+This results in:
+  Unable to handle kernel paging request at virtual address 00000000
+
+On such a device it is not possible to use the userspace driver at all.
+
+The fix for this off-by-one error is quite simple.
+
+Reported-by: Paul Cercueil <paul@crapouillou.net>
+Tested-by: Paul Cercueil <paul@crapouillou.net>
+Fixes: ed1dd899baa3 ("drm/etnaviv: rework perfmon query infrastructure")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Gmeiner <christian.gmeiner@gmail.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/etnaviv/etnaviv_perfmon.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c
+@@ -453,7 +453,7 @@ static const struct etnaviv_pm_domain *p
+               if (!(gpu->identity.features & meta->feature))
+                       continue;
+-              if (meta->nr_domains < (index - offset)) {
++              if (index - offset >= meta->nr_domains) {
+                       offset += meta->nr_domains;
+                       continue;
+               }
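Review bot: The corrected test `index - offset >= meta->nr_domains` carries no comment stating the invariant it protects, although the description shows that the earlier off-by-one let a domain id requested from userspace (id 8 on the GC860) select data from the wrong block with an invalid offset. I would add above the `if`: `/* index - offset is the position inside this meta block; valid positions are 0 .. nr_domains - 1 */`. The declarations of `index` and `offset` are outside the hunk; the subtraction presumably relies on both being unsigned with `offset <= index`, which is worth confirming and stating in the same comment.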
index da3f2f9add5adceaa78b2cc7a81faeafdd855fbb..fffe2ed16f0041c0e0c34f68bc139397c079bcb4 100644 (file)
@@ -62,3 +62,13 @@ alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-xtreme.patch
 alsa-hda-realtek-add-more-fixup-entries-for-clevo-machines.patch
 scsi-qla2xxx-do-not-log-message-when-reading-port-speed-via-sysfs.patch
 scsi-target-put-lun_ref-at-end-of-tmr-processing.patch
+arm64-fix-ptrace_sysemu-semantics.patch
+drm-etnaviv-fix-perfmon-domain-interation.patch
+apparmor-fix-use-after-free-in-aa_audit_rule_init.patch
+apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch
+apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch
+dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch
+drm-etnaviv-fix-a-leak-in-submit_pin_objects.patch
+dmaengine-dmatest-restore-default-for-channel.patch
+dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch
+vsprintf-don-t-obfuscate-null-and-error-pointers.patch
diff --git a/queue-5.4/vsprintf-don-t-obfuscate-null-and-error-pointers.patch b/queue-5.4/vsprintf-don-t-obfuscate-null-and-error-pointers.patch
new file mode 100644 (file)
index 0000000..aff09f1
--- /dev/null
@@ -0,0 +1,122 @@
+From 7bd57fbc4a4ddedc664cad0bbced1b469e24e921 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 19 May 2020 13:26:57 +0200
+Subject: vsprintf: don't obfuscate NULL and error pointers
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 7bd57fbc4a4ddedc664cad0bbced1b469e24e921 upstream.
+
+I don't see what security concern is addressed by obfuscating NULL
+and IS_ERR() error pointers, printed with %p/%pK.  Given the number
+of sites where %p is used (over 10000) and the fact that NULL pointers
+aren't uncommon, it probably wouldn't take long for an attacker to
+find the hash that corresponds to 0.  Although harder, the same goes
+for most common error values, such as -1, -2, -11, -14, etc.
+
+The NULL part actually fixes a regression: NULL pointers weren't
+obfuscated until commit 3e5903eb9cff ("vsprintf: Prevent crash when
+dereferencing invalid pointers") which went into 5.2.  I'm tacking
+the IS_ERR() part on here because error pointers won't leak kernel
+addresses and printing them as pointers shouldn't be any different
+from e.g. %d with PTR_ERR_OR_ZERO().  Obfuscating them just makes
+debugging based on existing pr_debug and friends excruciating.
+
+Note that the "always print 0's for %pK when kptr_restrict == 2"
+behaviour which goes way back is left as is.
+
+Example output with the patch applied:
+
+                             ptr         error-ptr              NULL
+ %p:            0000000001f8cc5b  fffffffffffffff2  0000000000000000
+ %pK, kptr = 0: 0000000001f8cc5b  fffffffffffffff2  0000000000000000
+ %px:           ffff888048c04020  fffffffffffffff2  0000000000000000
+ %pK, kptr = 1: ffff888048c04020  fffffffffffffff2  0000000000000000
+ %pK, kptr = 2: 0000000000000000  0000000000000000  0000000000000000
+
+Fixes: 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers")
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/test_printf.c |   19 ++++++++++++++++++-
+ lib/vsprintf.c    |    7 +++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- a/lib/test_printf.c
++++ b/lib/test_printf.c
+@@ -212,6 +212,7 @@ test_string(void)
+ #define PTR_STR "ffff0123456789ab"
+ #define PTR_VAL_NO_CRNG "(____ptrval____)"
+ #define ZEROS "00000000"      /* hex 32 zero bits */
++#define ONES "ffffffff"               /* hex 32 one bits */
+ static int __init
+ plain_format(void)
+@@ -243,6 +244,7 @@ plain_format(void)
+ #define PTR_STR "456789ab"
+ #define PTR_VAL_NO_CRNG "(ptrval)"
+ #define ZEROS ""
++#define ONES ""
+ static int __init
+ plain_format(void)
+@@ -328,14 +330,28 @@ test_hashed(const char *fmt, const void
+       test(buf, fmt, p);
+ }
++/*
++ * NULL pointers aren't hashed.
++ */
+ static void __init
+ null_pointer(void)
+ {
+-      test_hashed("%p", NULL);
++      test(ZEROS "00000000", "%p", NULL);
+       test(ZEROS "00000000", "%px", NULL);
+       test("(null)", "%pE", NULL);
+ }
++/*
++ * Error pointers aren't hashed.
++ */
++static void __init
++error_pointer(void)
++{
++      test(ONES "fffffff5", "%p", ERR_PTR(-11));
++      test(ONES "fffffff5", "%px", ERR_PTR(-11));
++      test("(efault)", "%pE", ERR_PTR(-11));
++}
++
+ #define PTR_INVALID ((void *)0x000000ab)
+ static void __init
+@@ -598,6 +614,7 @@ test_pointer(void)
+ {
+       plain();
+       null_pointer();
++      error_pointer();
+       invalid_pointer();
+       symbol_ptr();
+       kernel_ptr();
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -746,6 +746,13 @@ static char *ptr_to_id(char *buf, char *
+       const char *str = sizeof(ptr) == 8 ? "(____ptrval____)" : "(ptrval)";
+       unsigned long hashval;
++      /*
++       * Print the real pointer value for NULL and error pointers,
++       * as they are not actual addresses.
++       */
++      if (IS_ERR_OR_NULL(ptr))
++              return pointer_string(buf, end, ptr, spec);
++
+       /* When debugging early boot use non-cryptographically secure hash. */
+       if (unlikely(debug_boot_weak_hash)) {
+               hashval = hash_long((unsigned long)ptr, 32);
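Review bot: error_pointer() and the updated null_pointer() in lib/test_printf.c assert `%p`, `%px` and `%pE` only, so the `%pK` rows of the table in the description have no test, including the kptr_restrict == 2 row that must keep printing zeros for ordinary, error and NULL pointers alike. Because the new `IS_ERR_OR_NULL(ptr)` early return in ptr_to_id() prints the raw value, that guarantee now depends on the `%pK` path deciding before ptr_to_id() is reached, and that path is outside the hunk. I would extend the new comment in lib/vsprintf.c with a sentence such as `The kptr_restrict == 2 case is handled by the caller and never reaches this point.` once that is confirmed. A `%pK` assertion would have to account for the kptr_restrict value in effect when the test runs.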