From: Greg Kroah-Hartman Date: Sat, 23 May 2020 12:22:09 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.4.225~46 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1fd90a1bf09370120defdb747e676b2b1b5b65fa;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch apparmor-fix-use-after-free-in-aa_audit_rule_init.patch arm64-fix-ptrace_sysemu-semantics.patch dmaengine-dmatest-restore-default-for-channel.patch dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch drm-etnaviv-fix-a-leak-in-submit_pin_objects.patch drm-etnaviv-fix-perfmon-domain-interation.patch vsprintf-don-t-obfuscate-null-and-error-pointers.patch ---
diff --git a/queue-5.4/apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch b/queue-5.4/apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch
new file mode 100644
index 00000000000..936faa52d34
--- /dev/null
+++ b/queue-5.4/apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch
@@ -0,0 +1,53 @@ +From c6b39f070722ea9963ffe756bfe94e89218c5e63 Mon Sep 17 00:00:00 2001 +From: Xiyu Yang +Date: Mon, 20 Apr 2020 13:35:28 +0800 +Subject: apparmor: Fix aa_label refcnt leak in policy_update + +From: Xiyu Yang + +commit c6b39f070722ea9963ffe756bfe94e89218c5e63 upstream. + +policy_update() invokes begin_current_label_crit_section(), which +returns a reference of the updated aa_label object to "label" with +increased refcount. + +When policy_update() returns, "label" becomes invalid, so the refcount +should be decreased to keep refcount balanced. + +The reference counting issue happens in one exception handling path of +policy_update(). When aa_may_manage_policy() returns not NULL, the +refcnt increased by begin_current_label_crit_section() is not decreased, +causing a refcnt leak. + +Fix this issue by jumping to "end_section" label when +aa_may_manage_policy() returns not NULL. + +Fixes: 5ac8c355ae00 ("apparmor: allow introspecting the loaded policy pre internal transform") +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman + +--- + security/apparmor/apparmorfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -424,7 +424,7 @@ static ssize_t policy_update(u32 mask, c + */ + error = aa_may_manage_policy(label, ns, mask); + if (error) +- return error; ++ goto end_section; + + data = aa_simple_write_to_buffer(buf, size, size, pos); + error = PTR_ERR(data); +@@ -432,6 +432,7 @@ static ssize_t policy_update(u32 mask, c + error = aa_replace_profiles(ns, label, mask, data); + aa_put_loaddata(data); + } ++end_section: + end_current_label_crit_section(label); + + return error; diff --git a/queue-5.4/apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch b/queue-5.4/apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch new file mode 100644 index 00000000000..d60aa8c5f46 
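Review bot: The leaked reference sat on the access-denied path — aa_may_manage_policy() rejecting the caller — so before this fix every denied write to the policy interface pinned a label for good, which is a slow resource-exhaustion vector for whoever can open the interface but is refused by that check; the `goto end_section` closes it, but the reference it protects is acquired outside the hunk, so a one-line comment at the target would stop a later cleanup reintroducing the early return: `end_section: /* drop the ref taken by begin_current_label_crit_section() */`. Kernel convention would also spell the label `out:` or `out_put:` rather than `end_section:`, though that is cosmetic. policy_update() begins above the first hunk.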
--- /dev/null +++ b/queue-5.4/apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch @@ -0,0 +1,51 @@ +From a0b845ffa0d91855532b50fc040aeb2d8338dca4 Mon Sep 17 00:00:00 2001 +From: Xiyu Yang +Date: Sun, 5 Apr 2020 13:11:55 +0800 +Subject: apparmor: fix potential label refcnt leak in aa_change_profile + +From: Xiyu Yang + +commit a0b845ffa0d91855532b50fc040aeb2d8338dca4 upstream. + +aa_change_profile() invokes aa_get_current_label(), which returns +a reference of the current task's label. + +According to the comment of aa_get_current_label(), the returned +reference must be put with aa_put_label(). +However, when the original object pointed by "label" becomes +unreachable because aa_change_profile() returns or a new object +is assigned to "label", reference count increased by +aa_get_current_label() is not decreased, causing a refcnt leak. + +Fix this by calling aa_put_label() before aa_change_profile() return +and dropping unnecessary aa_get_current_label(). + +Fixes: 9fcf78cca198 ("apparmor: update domain transitions that are subsets of confinement at nnp") +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman + +--- + security/apparmor/domain.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/security/apparmor/domain.c ++++ b/security/apparmor/domain.c +@@ -1334,6 +1334,7 @@ int aa_change_profile(const char *fqname + ctx->nnp = aa_get_label(label); + + if (!fqname || !*fqname) { ++ aa_put_label(label); + AA_DEBUG("no profile name"); + return -EINVAL; + } +@@ -1352,8 +1353,6 @@ int aa_change_profile(const char *fqname + op = OP_CHANGE_PROFILE; + } + +- label = aa_get_current_label(); +- + if (*fqname == '&') { + stack = true; + /* don't have label_parse() do stacking */ diff --git a/queue-5.4/apparmor-fix-use-after-free-in-aa_audit_rule_init.patch b/queue-5.4/apparmor-fix-use-after-free-in-aa_audit_rule_init.patch new file mode 100644 index 00000000000..3411db13a56 
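Review bot: The new `aa_put_label(label)` fixes the `!fqname` exit, but any other early return in the stretch between the two hunks (domain.c lines ~1341–1352, not shown) that runs after `ctx->nnp = aa_get_label(label)` needs the same put, and with the redundant `aa_get_current_label()` gone everything below the second hunk now relies on the single reference taken at the top of the function, which is outside this view; the function's final put should be checked against that one get. A comment where the reference is first taken — `/* label: ref held for the whole function, dropped on every return */` — would make the ownership explicit for the next person adding an error path. aa_change_profile() starts before the first hunk and ends after the second.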
--- /dev/null +++ b/queue-5.4/apparmor-fix-use-after-free-in-aa_audit_rule_init.patch @@ -0,0 +1,38 @@ +From c54d481d71c6849e044690d3960aaebc730224cc Mon Sep 17 00:00:00 2001 +From: Navid Emamdoost +Date: Mon, 21 Oct 2019 10:23:47 -0500 +Subject: apparmor: Fix use-after-free in aa_audit_rule_init + +From: Navid Emamdoost + +commit c54d481d71c6849e044690d3960aaebc730224cc upstream. + +In the implementation of aa_audit_rule_init(), when aa_label_parse() +fails the allocated memory for rule is released using +aa_audit_rule_free(). But after this release, the return statement +tries to access the label field of the rule which results in +use-after-free. Before releasing the rule, copy errNo and return it +after release. + +Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path") +Signed-off-by: Navid Emamdoost +Signed-off-by: John Johansen +Signed-off-by: Greg Kroah-Hartman + +--- + security/apparmor/audit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/security/apparmor/audit.c ++++ b/security/apparmor/audit.c +@@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op + rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, + GFP_KERNEL, true, false); + if (IS_ERR(rule->label)) { ++ int err = PTR_ERR(rule->label); + aa_audit_rule_free(rule); +- return PTR_ERR(rule->label); ++ return err; + } + + *vrule = rule; diff --git a/queue-5.4/arm64-fix-ptrace_sysemu-semantics.patch b/queue-5.4/arm64-fix-ptrace_sysemu-semantics.patch new file mode 100644 index 00000000000..60f97ae335e --- /dev/null +++ b/queue-5.4/arm64-fix-ptrace_sysemu-semantics.patch 
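Review bot: Saving `err` before `aa_audit_rule_free(rule)` removes the use-after-free, but the fix still depends on aa_audit_rule_free() tolerating an ERR_PTR in `rule->label` (checking IS_ERR before dropping the reference); that function is not in the hunk, so confirm it does, otherwise this error path dereferences an error pointer instead of freed memory. Kernel style also wants a blank line after the declaration: `int err = PTR_ERR(rule->label);` followed by an empty line before `aa_audit_rule_free(rule);`. The rest of aa_audit_rule_init() lies outside the hunk.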
@@ -0,0 +1,58 @@ +From 1cf6022bd9161081215028203919c33fcfa6debb Mon Sep 17 00:00:00 2001 +From: Keno Fischer +Date: Fri, 15 May 2020 18:22:53 -0400 +Subject: arm64: Fix PTRACE_SYSEMU semantics + +From: Keno Fischer + +commit 1cf6022bd9161081215028203919c33fcfa6debb upstream. + +Quoth the man page: +``` + If the tracee was restarted by PTRACE_SYSCALL or PTRACE_SYSEMU, the + tracee enters syscall-enter-stop just prior to entering any system + call (which will not be executed if the restart was using + PTRACE_SYSEMU, regardless of any change made to registers at this + point or how the tracee is restarted after this stop). +``` + +The parenthetical comment is currently true on x86 and powerpc, +but not currently true on arm64. arm64 re-checks the _TIF_SYSCALL_EMU +flag after the syscall entry ptrace stop. However, at this point, +it reflects which method was used to re-start the syscall +at the entry stop, rather than the method that was used to reach it. +Fix that by recording the original flag before performing the ptrace +stop, bringing the behavior in line with documentation and x86/powerpc. 
+ +Fixes: f086f67485c5 ("arm64: ptrace: add support for syscall emulation") +Cc: # 5.3.x- +Signed-off-by: Keno Fischer +Acked-by: Will Deacon +Tested-by: Sudeep Holla +Tested-by: Bin Lu +[catalin.marinas@arm.com: moved 'flags' bit masking] +[catalin.marinas@arm.com: changed 'flags' type to unsigned long] +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/ptrace.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -1829,10 +1829,11 @@ static void tracehook_report_syscall(str + + int syscall_trace_enter(struct pt_regs *regs) + { +- if (test_thread_flag(TIF_SYSCALL_TRACE) || +- test_thread_flag(TIF_SYSCALL_EMU)) { ++ unsigned long flags = READ_ONCE(current_thread_info()->flags); ++ ++ if (flags & (_TIF_SYSCALL_EMU | _TIF_SYSCALL_TRACE)) { + tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER); +- if (!in_syscall(regs) || test_thread_flag(TIF_SYSCALL_EMU)) ++ if (!in_syscall(regs) || (flags & _TIF_SYSCALL_EMU)) + return -1; + } + diff --git a/queue-5.4/dmaengine-dmatest-restore-default-for-channel.patch b/queue-5.4/dmaengine-dmatest-restore-default-for-channel.patch new file mode 100644 index 00000000000..b5b308d68cc --- /dev/null +++ b/queue-5.4/dmaengine-dmatest-restore-default-for-channel.patch 
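Review bot: The snapshot into `flags` is the whole fix, yet nothing in the hunk says why it must not be a live `test_thread_flag()` call, so a later "simplification" could silently regress it; add a comment above the `if`, e.g. `/* Snapshot before the ptrace stop: the tracer may restart us with PTRACE_SYSCALL and clear TIF_SYSCALL_EMU, but SYSEMU semantics are decided by how we entered this stop, not how we leave it. */`. The `return -1` is what suppresses the syscall; whether the caller of syscall_trace_enter() honours it is outside the hunk. Tracers that use PTRACE_SYSEMU to emulate or veto syscalls depend on this, so a ptrace selftest pinning the man-page behaviour would be a worthwhile companion.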
@@ -0,0 +1,49 @@ +From 6b41030fdc79086db5d673c5ed7169f3ee8c13b9 Mon Sep 17 00:00:00 2001 +From: Vladimir Murzin +Date: Wed, 29 Apr 2020 08:15:22 +0100 +Subject: dmaengine: dmatest: Restore default for channel + +From: Vladimir Murzin + +commit 6b41030fdc79086db5d673c5ed7169f3ee8c13b9 upstream. + +In case of dmatest is built-in and no channel was configured test +doesn't run with: + +dmatest: Could not start test, no channels configured + +Even though description to "channel" parameter claims that default is +any. + +Add default channel back as it used to be rather than reject test with +no channel configuration. + +Fixes: d53513d5dc285d9a95a534fc41c5c08af6b60eac ("dmaengine: dmatest: Add support for multi channel testing) +Reported-by: Dijil Mohan +Signed-off-by: Vladimir Murzin +Link: https://lore.kernel.org/r/20200429071522.58148-1-vladimir.murzin@arm.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/dmatest.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/dma/dmatest.c ++++ b/drivers/dma/dmatest.c +@@ -1166,10 +1166,11 @@ static int dmatest_run_set(const char *v + mutex_unlock(&info->lock); + return ret; + } else if (dmatest_run) { +- if (is_threaded_test_pending(info)) +- start_threaded_tests(info); +- else +- pr_info("Could not start test, no channels configured\n"); ++ if (!is_threaded_test_pending(info)) { ++ pr_info("No channels configured, continue with any\n"); ++ add_threaded_test(info); ++ } ++ start_threaded_tests(info); + } else { + stop_threaded_test(info); + } diff --git a/queue-5.4/dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch b/queue-5.4/dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch new file mode 100644 index 00000000000..75d3846f0ba --- /dev/null +++ b/queue-5.4/dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch 
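Review bot: The new log line `No channels configured, continue with any` reads awkwardly; `pr_info("No channels configured, continuing with any\n");` says what actually happens. With the old "Could not start test" message gone, whether add_threaded_test() can still fail to obtain a channel and leave start_threaded_tests() with nothing to run — silently — is decided outside the hunk; if it can, a failure message for that case would preserve the lost diagnostic. dmatest_run_set() begins before the hunk.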
@@ -0,0 +1,101 @@ +From f8f482deb078389b42768b2193e050a81aae137d Mon Sep 17 00:00:00 2001 +From: Cristian Ciocaltea +Date: Sat, 2 May 2020 20:15:51 +0300 +Subject: dmaengine: owl: Use correct lock in owl_dma_get_pchan() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cristian Ciocaltea + +commit f8f482deb078389b42768b2193e050a81aae137d upstream. + +When the kernel is built with lockdep support and the owl-dma driver is +used, the following message is shown: + +[ 2.496939] INFO: trying to register non-static key. +[ 2.501889] the code is fine but needs lockdep annotation. +[ 2.507357] turning off the locking correctness validator. +[ 2.512834] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.6.3+ #15 +[ 2.519084] Hardware name: Generic DT based system +[ 2.523878] Workqueue: events_freezable mmc_rescan +[ 2.528681] [<801127f0>] (unwind_backtrace) from [<8010da58>] (show_stack+0x10/0x14) +[ 2.536420] [<8010da58>] (show_stack) from [<8080fbe8>] (dump_stack+0xb4/0xe0) +[ 2.543645] [<8080fbe8>] (dump_stack) from [<8017efa4>] (register_lock_class+0x6f0/0x718) +[ 2.551816] [<8017efa4>] (register_lock_class) from [<8017b7d0>] (__lock_acquire+0x78/0x25f0) +[ 2.560330] [<8017b7d0>] (__lock_acquire) from [<8017e5e4>] (lock_acquire+0xd8/0x1f4) +[ 2.568159] [<8017e5e4>] (lock_acquire) from [<80831fb0>] (_raw_spin_lock_irqsave+0x3c/0x50) +[ 2.576589] [<80831fb0>] (_raw_spin_lock_irqsave) from [<8051b5fc>] (owl_dma_issue_pending+0xbc/0x120) +[ 2.585884] [<8051b5fc>] (owl_dma_issue_pending) from [<80668cbc>] (owl_mmc_request+0x1b0/0x390) +[ 2.594655] [<80668cbc>] (owl_mmc_request) from [<80650ce0>] (mmc_start_request+0x94/0xbc) +[ 2.602906] [<80650ce0>] (mmc_start_request) from [<80650ec0>] (mmc_wait_for_req+0x64/0xd0) +[ 2.611245] [<80650ec0>] (mmc_wait_for_req) from [<8065aa10>] (mmc_app_send_scr+0x10c/0x144) +[ 2.619669] [<8065aa10>] (mmc_app_send_scr) from [<80659b3c>] (mmc_sd_setup_card+0x4c/0x318) +[ 2.628092] [<80659b3c>] 
(mmc_sd_setup_card) from [<80659f0c>] (mmc_sd_init_card+0x104/0x430) +[ 2.636601] [<80659f0c>] (mmc_sd_init_card) from [<8065a3e0>] (mmc_attach_sd+0xcc/0x16c) +[ 2.644678] [<8065a3e0>] (mmc_attach_sd) from [<8065301c>] (mmc_rescan+0x3ac/0x40c) +[ 2.652332] [<8065301c>] (mmc_rescan) from [<80143244>] (process_one_work+0x2d8/0x780) +[ 2.660239] [<80143244>] (process_one_work) from [<80143730>] (worker_thread+0x44/0x598) +[ 2.668323] [<80143730>] (worker_thread) from [<8014b5f8>] (kthread+0x148/0x150) +[ 2.675708] [<8014b5f8>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20) +[ 2.682912] Exception stack(0xee8fdfb0 to 0xee8fdff8) +[ 2.687954] dfa0: 00000000 00000000 00000000 00000000 +[ 2.696118] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 2.704277] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 + +The obvious fix would be to use 'spin_lock_init()' on 'pchan->lock' +before attempting to call 'spin_lock_irqsave()' in 'owl_dma_get_pchan()'. + +However, according to Manivannan Sadhasivam, 'pchan->lock' was supposed +to only protect 'pchan->vchan' while 'od->lock' does a similar job in +'owl_dma_terminate_pchan()'. + +Therefore, this patch substitutes 'pchan->lock' with 'od->lock' and +removes the 'lock' attribute in 'owl_dma_pchan' struct. 
+ +Fixes: 47e20577c24d ("dmaengine: Add Actions Semi Owl family S900 DMA driver") +Signed-off-by: Cristian Ciocaltea +Reviewed-by: Manivannan Sadhasivam +Acked-by: Andreas Färber +Link: https://lore.kernel.org/r/c6e6cdaca252b5364bd294093673951036488cf0.1588439073.git.cristian.ciocaltea@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/owl-dma.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/dma/owl-dma.c ++++ b/drivers/dma/owl-dma.c +@@ -175,13 +175,11 @@ struct owl_dma_txd { + * @id: physical index to this channel + * @base: virtual memory base for the dma channel + * @vchan: the virtual channel currently being served by this physical channel +- * @lock: a lock to use when altering an instance of this struct + */ + struct owl_dma_pchan { + u32 id; + void __iomem *base; + struct owl_dma_vchan *vchan; +- spinlock_t lock; + }; + + /** +@@ -437,14 +435,14 @@ static struct owl_dma_pchan *owl_dma_get + for (i = 0; i < od->nr_pchans; i++) { + pchan = &od->pchans[i]; + +- spin_lock_irqsave(&pchan->lock, flags); ++ spin_lock_irqsave(&od->lock, flags); + if (!pchan->vchan) { + pchan->vchan = vchan; +- spin_unlock_irqrestore(&pchan->lock, flags); ++ spin_unlock_irqrestore(&od->lock, flags); + break; + } + +- spin_unlock_irqrestore(&pchan->lock, flags); ++ spin_unlock_irqrestore(&od->lock, flags); + } + + return pchan; diff --git a/queue-5.4/dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch b/queue-5.4/dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch new file mode 100644 index 00000000000..3d08b3d05f8 --- /dev/null +++ b/queue-5.4/dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch 
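Review bot: owl_dma_get_pchan() returns `pchan` after the loop even when no channel was free: on a full scan without `break`, `pchan` is left pointing at `&od->pchans[od->nr_pchans - 1]`, a channel that is in use, and the caller (outside the hunk) presumably treats a non-NULL result as a successful allocation. The lock change does not touch that, and dropping and retaking `od->lock` on every iteration is no longer needed now that one lock covers all channels. Holding the lock once across the scan and assigning `pchan` only on success fixes both; `pchan = NULL` is set explicitly so the fix does not rely on the declaration above the hunk. The function's declarations and signature are outside the hunk.
```c
	/* … unchanged: declarations … */
	pchan = NULL;

	spin_lock_irqsave(&od->lock, flags);
	for (i = 0; i < od->nr_pchans; i++) {
		if (!od->pchans[i].vchan) {
			pchan = &od->pchans[i];
			pchan->vchan = vchan;
			break;
		}
	}
	spin_unlock_irqrestore(&od->lock, flags);

	return pchan;
```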
@@ -0,0 +1,40 @@ +From 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sat, 16 May 2020 23:42:05 +0200 +Subject: dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' + +From: Christophe JAILLET + +commit 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 upstream. + +Commit b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe") +has moved some code in the probe function and reordered the error handling +path accordingly. +However, a goto has been missed. + +Fix it and goto the right label if 'dma_async_device_register()' fails, so +that all resources are released. + +Fixes: b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe") +Signed-off-by: Christophe JAILLET +Reviewed-by: Jon Hunter +Acked-by: Thierry Reding +Link: https://lore.kernel.org/r/20200516214205.276266-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/tegra210-adma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/tegra210-adma.c ++++ b/drivers/dma/tegra210-adma.c +@@ -900,7 +900,7 @@ static int tegra_adma_probe(struct platf + ret = dma_async_device_register(&tdma->dma_dev); + if (ret < 0) { + dev_err(&pdev->dev, "ADMA registration failed: %d\n", ret); +- goto irq_dispose; ++ goto rpm_put; + } + + ret = of_dma_controller_register(pdev->dev.of_node, diff --git a/queue-5.4/drm-etnaviv-fix-a-leak-in-submit_pin_objects.patch b/queue-5.4/drm-etnaviv-fix-a-leak-in-submit_pin_objects.patch new file mode 100644 index 00000000000..c84d1b7c85f --- /dev/null +++ b/queue-5.4/drm-etnaviv-fix-a-leak-in-submit_pin_objects.patch 
@@ -0,0 +1,35 @@ +From ad99cb5e783bb03d512092db3387ead9504aad3d Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 18 May 2020 14:29:55 +0300 +Subject: drm/etnaviv: Fix a leak in submit_pin_objects() + +From: Dan Carpenter + +commit ad99cb5e783bb03d512092db3387ead9504aad3d upstream. + +If the mapping address is wrong then we have to release the reference to +it before returning -EINVAL. + +Fixes: 088880ddc0b2 ("drm/etnaviv: implement softpin") +Signed-off-by: Dan Carpenter +Signed-off-by: Lucas Stach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c +@@ -240,8 +240,10 @@ static int submit_pin_objects(struct etn + } + + if ((submit->flags & ETNA_SUBMIT_SOFTPIN) && +- submit->bos[i].va != mapping->iova) ++ submit->bos[i].va != mapping->iova) { ++ etnaviv_gem_mapping_unreference(mapping); + return -EINVAL; ++ } + + atomic_inc(&etnaviv_obj->gpu_active); + diff --git a/queue-5.4/drm-etnaviv-fix-perfmon-domain-interation.patch b/queue-5.4/drm-etnaviv-fix-perfmon-domain-interation.patch new file mode 100644 index 00000000000..5c974b1b968 --- /dev/null +++ b/queue-5.4/drm-etnaviv-fix-perfmon-domain-interation.patch 
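Review bot: The softpin mismatch now releases `mapping` but still leaves the loop with a bare `return -EINVAL`, whereas the IS_ERR(mapping) failure just above (only its closing `}` is in context) appears to use the function's common exit; if that exit is `ret = …; break;`, the same shape here — `ret = -EINVAL;` then `break;` after the unreference — keeps a single error path and lets any post-loop handling run. `submit->bos[i].va` is presumably userspace-supplied, so the leaked reference was triggerable by any client of the render node; worth stating in the commit or a comment. The loop head and the function's return are outside the hunk.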
@@ -0,0 +1,55 @@ +From 40b697e256ccdb88aaff424b44b4d300eb8460e8 Mon Sep 17 00:00:00 2001 +From: Christian Gmeiner +Date: Tue, 19 May 2020 07:30:15 +0200 +Subject: drm/etnaviv: fix perfmon domain interation + +From: Christian Gmeiner + +commit 40b697e256ccdb88aaff424b44b4d300eb8460e8 upstream. + +The GC860 has one GPU device which has a 2d and 3d core. In this case +we want to expose perfmon information for both cores. + +The driver has one array which contains all possible perfmon domains +with some meta data - doms_meta. Here we can see that for the GC860 +two elements of that array are relevant: + + doms_3d: is at index 0 in the doms_meta array with 8 perfmon domains + doms_2d: is at index 1 in the doms_meta array with 1 perfmon domain + +The userspace driver wants to get a list of all perfmon domains and +their perfmon signals. This is done by iterating over all domains and +their signals. If the userspace driver wants to access the domain with +id 8 the kernel driver fails and returns invalid data from doms_3d with +and invalid offset. + +This results in: + Unable to handle kernel paging request at virtual address 00000000 + +On such a device it is not possible to use the userspace driver at all. + +The fix for this off-by-one error is quite simple. + +Reported-by: Paul Cercueil +Tested-by: Paul Cercueil +Fixes: ed1dd899baa3 ("drm/etnaviv: rework perfmon query infrastructure") +Cc: stable@vger.kernel.org +Signed-off-by: Christian Gmeiner +Signed-off-by: Lucas Stach +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/etnaviv/etnaviv_perfmon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c ++++ b/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c +@@ -453,7 +453,7 @@ static const struct etnaviv_pm_domain *p + if (!(gpu->identity.features & meta->feature)) + continue; + +- if (meta->nr_domains < (index - offset)) { ++ if (index - offset >= meta->nr_domains) { + offset += meta->nr_domains; + continue; + } 
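Review bot: The corrected bound `index - offset >= meta->nr_domains` is right only because `offset` advances by exactly the domains of metas whose feature bit is set, which the hunk shows but nothing states; a comment on the `if` — `/* index addresses the concatenation of all enabled metas' domains; offset is where this meta's start */` — documents the invariant the old `<` violated. Since `index` comes from the perfmon query ioctl, the pre-fix read past `doms_3d` was a userspace-triggerable out-of-bounds read, not merely a crash, which the stable backport note could say. Whether an index beyond the last meta returns NULL after the loop is outside the hunk.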
diff --git a/queue-5.4/series b/queue-5.4/series
index da3f2f9add5..fffe2ed16f0 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -62,3 +62,13 @@ alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-xtreme.patch
 alsa-hda-realtek-add-more-fixup-entries-for-clevo-machines.patch
 scsi-qla2xxx-do-not-log-message-when-reading-port-speed-via-sysfs.patch
 scsi-target-put-lun_ref-at-end-of-tmr-processing.patch
+arm64-fix-ptrace_sysemu-semantics.patch
+drm-etnaviv-fix-perfmon-domain-interation.patch
+apparmor-fix-use-after-free-in-aa_audit_rule_init.patch
+apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch
+apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch
+dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch
+drm-etnaviv-fix-a-leak-in-submit_pin_objects.patch
+dmaengine-dmatest-restore-default-for-channel.patch
+dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch
+vsprintf-don-t-obfuscate-null-and-error-pointers.patch
diff --git a/queue-5.4/vsprintf-don-t-obfuscate-null-and-error-pointers.patch b/queue-5.4/vsprintf-don-t-obfuscate-null-and-error-pointers.patch
new file mode 100644
index 00000000000..aff09f15ef8
--- /dev/null
+++ b/queue-5.4/vsprintf-don-t-obfuscate-null-and-error-pointers.patch
@@ -0,0 +1,122 @@ +From 7bd57fbc4a4ddedc664cad0bbced1b469e24e921 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Tue, 19 May 2020 13:26:57 +0200 +Subject: vsprintf: don't obfuscate NULL and error pointers + +From: Ilya Dryomov + +commit 7bd57fbc4a4ddedc664cad0bbced1b469e24e921 upstream. + +I don't see what security concern is addressed by obfuscating NULL +and IS_ERR() error pointers, printed with %p/%pK. Given the number +of sites where %p is used (over 10000) and the fact that NULL pointers +aren't uncommon, it probably wouldn't take long for an attacker to +find the hash that corresponds to 0. Although harder, the same goes +for most common error values, such as -1, -2, -11, -14, etc. + +The NULL part actually fixes a regression: NULL pointers weren't +obfuscated until commit 3e5903eb9cff ("vsprintf: Prevent crash when +dereferencing invalid pointers") which went into 5.2. I'm tacking +the IS_ERR() part on here because error pointers won't leak kernel +addresses and printing them as pointers shouldn't be any different +from e.g. %d with PTR_ERR_OR_ZERO(). Obfuscating them just makes +debugging based on existing pr_debug and friends excruciating. + +Note that the "always print 0's for %pK when kptr_restrict == 2" +behaviour which goes way back is left as is. 
+ +Example output with the patch applied: + + ptr error-ptr NULL + %p: 0000000001f8cc5b fffffffffffffff2 0000000000000000 + %pK, kptr = 0: 0000000001f8cc5b fffffffffffffff2 0000000000000000 + %px: ffff888048c04020 fffffffffffffff2 0000000000000000 + %pK, kptr = 1: ffff888048c04020 fffffffffffffff2 0000000000000000 + %pK, kptr = 2: 0000000000000000 0000000000000000 0000000000000000 + +Fixes: 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers") +Signed-off-by: Ilya Dryomov +Reviewed-by: Petr Mladek +Reviewed-by: Sergey Senozhatsky +Reviewed-by: Andy Shevchenko +Acked-by: Steven Rostedt (VMware) +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/test_printf.c | 19 ++++++++++++++++++- + lib/vsprintf.c | 7 +++++++ + 2 files changed, 25 insertions(+), 1 deletion(-) + +--- a/lib/test_printf.c ++++ b/lib/test_printf.c +@@ -212,6 +212,7 @@ test_string(void) + #define PTR_STR "ffff0123456789ab" + #define PTR_VAL_NO_CRNG "(____ptrval____)" + #define ZEROS "00000000" /* hex 32 zero bits */ ++#define ONES "ffffffff" /* hex 32 one bits */ + + static int __init + plain_format(void) +@@ -243,6 +244,7 @@ plain_format(void) + #define PTR_STR "456789ab" + #define PTR_VAL_NO_CRNG "(ptrval)" + #define ZEROS "" ++#define ONES "" + + static int __init + plain_format(void) +@@ -328,14 +330,28 @@ test_hashed(const char *fmt, const void + test(buf, fmt, p); + } + ++/* ++ * NULL pointers aren't hashed. ++ */ + static void __init + null_pointer(void) + { +- test_hashed("%p", NULL); ++ test(ZEROS "00000000", "%p", NULL); + test(ZEROS "00000000", "%px", NULL); + test("(null)", "%pE", NULL); + } + ++/* ++ * Error pointers aren't hashed. 
++ */ ++static void __init ++error_pointer(void) ++{ ++ test(ONES "fffffff5", "%p", ERR_PTR(-11)); ++ test(ONES "fffffff5", "%px", ERR_PTR(-11)); ++ test("(efault)", "%pE", ERR_PTR(-11)); ++} ++ + #define PTR_INVALID ((void *)0x000000ab) + + static void __init +@@ -598,6 +614,7 @@ test_pointer(void) + { + plain(); + null_pointer(); ++ error_pointer(); + invalid_pointer(); + symbol_ptr(); + kernel_ptr(); +--- a/lib/vsprintf.c ++++ b/lib/vsprintf.c +@@ -746,6 +746,13 @@ static char *ptr_to_id(char *buf, char * + const char *str = sizeof(ptr) == 8 ? "(____ptrval____)" : "(ptrval)"; + unsigned long hashval; + ++ /* ++ * Print the real pointer value for NULL and error pointers, ++ * as they are not actual addresses. ++ */ ++ if (IS_ERR_OR_NULL(ptr)) ++ return pointer_string(buf, end, ptr, spec); ++ + /* When debugging early boot use non-cryptographically secure hash. */ + if (unlikely(debug_boot_weak_hash)) { + hashval = hash_long((unsigned long)ptr, 32);
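Review bot: The `IS_ERR_OR_NULL(ptr)` early-out in ptr_to_id() prints any value in the top MAX_ERRNO bytes of the address space verbatim through `%p`, whether or not it came from ERR_PTR(); that is safe only while nothing is ever mapped there, which the change log asserts but the hunk cannot show, so the new comment should carry the reason: `/* NULL and IS_ERR() values carry no address information (the top MAX_ERRNO bytes must never be mapped), so print them as-is. */`. The `%pK` with kptr_restrict == 2 behaviour is said to be unchanged, but the added tests pin only `%p`, `%px` and `%pE`; a `%pK` case for an error pointer would close that gap. If Documentation/core-api/printk-formats.rst still describes `%p` as always hashed, it needs the same exemption noted.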