--- /dev/null
+From c6b39f070722ea9963ffe756bfe94e89218c5e63 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Mon, 20 Apr 2020 13:35:28 +0800
+Subject: apparmor: Fix aa_label refcnt leak in policy_update
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit c6b39f070722ea9963ffe756bfe94e89218c5e63 upstream.
+
+policy_update() invokes begin_current_label_crit_section(), which
+returns a reference of the updated aa_label object to "label" with
+increased refcount.
+
+When policy_update() returns, "label" becomes invalid, so the refcount
+should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one exception handling path of
+policy_update(). When aa_may_manage_policy() returns not NULL, the
+refcnt increased by begin_current_label_crit_section() is not decreased,
+causing a refcnt leak.
+
+Fix this issue by jumping to "end_section" label when
+aa_may_manage_policy() returns not NULL.
+
+Fixes: 5ac8c355ae00 ("apparmor: allow introspecting the loaded policy pre internal transform")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/apparmorfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -454,7 +454,7 @@ static ssize_t policy_update(u32 mask, c
+ */
+ error = aa_may_manage_policy(label, ns, mask);
+ if (error)
+- return error;
++ goto end_section;
+
+ data = aa_simple_write_to_buffer(buf, size, size, pos);
+ error = PTR_ERR(data);
+@@ -462,6 +462,7 @@ static ssize_t policy_update(u32 mask, c
+ error = aa_replace_profiles(ns, label, mask, data);
+ aa_put_loaddata(data);
+ }
++end_section:
+ end_current_label_crit_section(label);
+
+ return error;
--- /dev/null
+From a0b845ffa0d91855532b50fc040aeb2d8338dca4 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Sun, 5 Apr 2020 13:11:55 +0800
+Subject: apparmor: fix potential label refcnt leak in aa_change_profile
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit a0b845ffa0d91855532b50fc040aeb2d8338dca4 upstream.
+
+aa_change_profile() invokes aa_get_current_label(), which returns
+a reference of the current task's label.
+
+According to the comment of aa_get_current_label(), the returned
+reference must be put with aa_put_label().
+However, when the original object pointed by "label" becomes
+unreachable because aa_change_profile() returns or a new object
+is assigned to "label", reference count increased by
+aa_get_current_label() is not decreased, causing a refcnt leak.
+
+Fix this by calling aa_put_label() before aa_change_profile() return
+and dropping unnecessary aa_get_current_label().
+
+Fixes: 9fcf78cca198 ("apparmor: update domain transitions that are subsets of confinement at nnp")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/domain.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -1328,6 +1328,7 @@ int aa_change_profile(const char *fqname
+ ctx->nnp = aa_get_label(label);
+
+ if (!fqname || !*fqname) {
++ aa_put_label(label);
+ AA_DEBUG("no profile name");
+ return -EINVAL;
+ }
+@@ -1346,8 +1347,6 @@ int aa_change_profile(const char *fqname
+ op = OP_CHANGE_PROFILE;
+ }
+
+- label = aa_get_current_label();
+-
+ if (*fqname == '&') {
+ stack = true;
+ /* don't have label_parse() do stacking */
--- /dev/null
+From c54d481d71c6849e044690d3960aaebc730224cc Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Mon, 21 Oct 2019 10:23:47 -0500
+Subject: apparmor: Fix use-after-free in aa_audit_rule_init
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit c54d481d71c6849e044690d3960aaebc730224cc upstream.
+
+In the implementation of aa_audit_rule_init(), when aa_label_parse()
+fails the allocated memory for rule is released using
+aa_audit_rule_free(). But after this release, the return statement
+tries to access the label field of the rule which results in
+use-after-free. Before releasing the rule, copy errNo and return it
+after release.
+
+Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/audit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -197,8 +197,9 @@ int aa_audit_rule_init(u32 field, u32 op
+ rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
+ GFP_KERNEL, true, false);
+ if (IS_ERR(rule->label)) {
++ int err = PTR_ERR(rule->label);
+ aa_audit_rule_free(rule);
+- return PTR_ERR(rule->label);
++ return err;
+ }
+
+ *vrule = rule;
--- /dev/null
+From 1cf6022bd9161081215028203919c33fcfa6debb Mon Sep 17 00:00:00 2001
+From: Keno Fischer <keno@juliacomputing.com>
+Date: Fri, 15 May 2020 18:22:53 -0400
+Subject: arm64: Fix PTRACE_SYSEMU semantics
+
+From: Keno Fischer <keno@juliacomputing.com>
+
+commit 1cf6022bd9161081215028203919c33fcfa6debb upstream.
+
+Quoth the man page:
+```
+ If the tracee was restarted by PTRACE_SYSCALL or PTRACE_SYSEMU, the
+ tracee enters syscall-enter-stop just prior to entering any system
+ call (which will not be executed if the restart was using
+ PTRACE_SYSEMU, regardless of any change made to registers at this
+ point or how the tracee is restarted after this stop).
+```
+
+The parenthetical comment is currently true on x86 and powerpc,
+but not currently true on arm64. arm64 re-checks the _TIF_SYSCALL_EMU
+flag after the syscall entry ptrace stop. However, at this point,
+it reflects which method was used to re-start the syscall
+at the entry stop, rather than the method that was used to reach it.
+Fix that by recording the original flag before performing the ptrace
+stop, bringing the behavior in line with documentation and x86/powerpc.
+
+Fixes: f086f67485c5 ("arm64: ptrace: add support for syscall emulation")
+Cc: <stable@vger.kernel.org> # 5.3.x-
+Signed-off-by: Keno Fischer <keno@juliacomputing.com>
+Acked-by: Will Deacon <will@kernel.org>
+Tested-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Bin Lu <Bin.Lu@arm.com>
+[catalin.marinas@arm.com: moved 'flags' bit masking]
+[catalin.marinas@arm.com: changed 'flags' type to unsigned long]
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/ptrace.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1829,10 +1829,11 @@ static void tracehook_report_syscall(str
+
+ int syscall_trace_enter(struct pt_regs *regs)
+ {
+- if (test_thread_flag(TIF_SYSCALL_TRACE) ||
+- test_thread_flag(TIF_SYSCALL_EMU)) {
++ unsigned long flags = READ_ONCE(current_thread_info()->flags);
++
++ if (flags & (_TIF_SYSCALL_EMU | _TIF_SYSCALL_TRACE)) {
+ tracehook_report_syscall(regs, PTRACE_SYSCALL_ENTER);
+- if (!in_syscall(regs) || test_thread_flag(TIF_SYSCALL_EMU))
++ if (!in_syscall(regs) || (flags & _TIF_SYSCALL_EMU))
+ return -1;
+ }
+
--- /dev/null
+From 6b41030fdc79086db5d673c5ed7169f3ee8c13b9 Mon Sep 17 00:00:00 2001
+From: Vladimir Murzin <vladimir.murzin@arm.com>
+Date: Wed, 29 Apr 2020 08:15:22 +0100
+Subject: dmaengine: dmatest: Restore default for channel
+
+From: Vladimir Murzin <vladimir.murzin@arm.com>
+
+commit 6b41030fdc79086db5d673c5ed7169f3ee8c13b9 upstream.
+
+In case of dmatest is built-in and no channel was configured test
+doesn't run with:
+
+dmatest: Could not start test, no channels configured
+
+Even though description to "channel" parameter claims that default is
+any.
+
+Add default channel back as it used to be rather than reject test with
+no channel configuration.
+
+Fixes: d53513d5dc285d9a95a534fc41c5c08af6b60eac ("dmaengine: dmatest: Add support for multi channel testing)
+Reported-by: Dijil Mohan <Dijil.Mohan@arm.com>
+Signed-off-by: Vladimir Murzin <vladimir.murzin@arm.com>
+Link: https://lore.kernel.org/r/20200429071522.58148-1-vladimir.murzin@arm.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/dmatest.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/dma/dmatest.c
++++ b/drivers/dma/dmatest.c
+@@ -1166,10 +1166,11 @@ static int dmatest_run_set(const char *v
+ mutex_unlock(&info->lock);
+ return ret;
+ } else if (dmatest_run) {
+- if (is_threaded_test_pending(info))
+- start_threaded_tests(info);
+- else
+- pr_info("Could not start test, no channels configured\n");
++ if (!is_threaded_test_pending(info)) {
++ pr_info("No channels configured, continue with any\n");
++ add_threaded_test(info);
++ }
++ start_threaded_tests(info);
+ } else {
+ stop_threaded_test(info);
+ }
--- /dev/null
+From 4f302642b70c1348773fe7e3ded9fc315fa92990 Mon Sep 17 00:00:00 2001
+From: Dave Jiang <dave.jiang@intel.com>
+Date: Fri, 1 May 2020 08:21:18 -0700
+Subject: dmaengine: idxd: fix interrupt completion after unmasking
+
+From: Dave Jiang <dave.jiang@intel.com>
+
+commit 4f302642b70c1348773fe7e3ded9fc315fa92990 upstream.
+
+The current implementation may miss completions after we unmask the
+interrupt. In order to make sure we process all competions, we need to:
+1. Do an MMIO read from the device as a barrier to ensure that all PCI
+ writes for completions have arrived.
+2. Check for any additional completions that we missed.
+
+Fixes: 8f47d1a5e545 ("dmaengine: idxd: connect idxd to dmaengine subsystem")
+
+Reported-by: Sanjay Kumar <sanjay.k.kumar@intel.com>
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://lore.kernel.org/r/158834641769.35613.1341160109892008587.stgit@djiang5-desk3.ch.intel.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/idxd/device.c | 7 +++++++
+ drivers/dma/idxd/irq.c | 26 +++++++++++++++++++-------
+ 2 files changed, 26 insertions(+), 7 deletions(-)
+
+--- a/drivers/dma/idxd/device.c
++++ b/drivers/dma/idxd/device.c
+@@ -62,6 +62,13 @@ int idxd_unmask_msix_vector(struct idxd_
+ perm.ignore = 0;
+ iowrite32(perm.bits, idxd->reg_base + offset);
+
++ /*
++ * A readback from the device ensures that any previously generated
++ * completion record writes are visible to software based on PCI
++ * ordering rules.
++ */
++ perm.bits = ioread32(idxd->reg_base + offset);
++
+ return 0;
+ }
+
+--- a/drivers/dma/idxd/irq.c
++++ b/drivers/dma/idxd/irq.c
+@@ -173,6 +173,7 @@ static int irq_process_pending_llist(str
+ struct llist_node *head;
+ int queued = 0;
+
++ *processed = 0;
+ head = llist_del_all(&irq_entry->pending_llist);
+ if (!head)
+ return 0;
+@@ -197,6 +198,7 @@ static int irq_process_work_list(struct
+ struct list_head *node, *next;
+ int queued = 0;
+
++ *processed = 0;
+ if (list_empty(&irq_entry->work_list))
+ return 0;
+
+@@ -218,10 +220,9 @@ static int irq_process_work_list(struct
+ return queued;
+ }
+
+-irqreturn_t idxd_wq_thread(int irq, void *data)
++static int idxd_desc_process(struct idxd_irq_entry *irq_entry)
+ {
+- struct idxd_irq_entry *irq_entry = data;
+- int rc, processed = 0, retry = 0;
++ int rc, processed, total = 0;
+
+ /*
+ * There are two lists we are processing. The pending_llist is where
+@@ -244,15 +245,26 @@ irqreturn_t idxd_wq_thread(int irq, void
+ */
+ do {
+ rc = irq_process_work_list(irq_entry, &processed);
+- if (rc != 0) {
+- retry++;
++ total += processed;
++ if (rc != 0)
+ continue;
+- }
+
+ rc = irq_process_pending_llist(irq_entry, &processed);
+- } while (rc != 0 && retry != 10);
++ total += processed;
++ } while (rc != 0);
++
++ return total;
++}
++
++irqreturn_t idxd_wq_thread(int irq, void *data)
++{
++ struct idxd_irq_entry *irq_entry = data;
++ int processed;
+
++ processed = idxd_desc_process(irq_entry);
+ idxd_unmask_msix_vector(irq_entry->idxd, irq_entry->id);
++ /* catch anything unprocessed after unmasking */
++ processed += idxd_desc_process(irq_entry);
+
+ if (processed == 0)
+ return IRQ_NONE;
--- /dev/null
+From f8f482deb078389b42768b2193e050a81aae137d Mon Sep 17 00:00:00 2001
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Date: Sat, 2 May 2020 20:15:51 +0300
+Subject: dmaengine: owl: Use correct lock in owl_dma_get_pchan()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+
+commit f8f482deb078389b42768b2193e050a81aae137d upstream.
+
+When the kernel is built with lockdep support and the owl-dma driver is
+used, the following message is shown:
+
+[ 2.496939] INFO: trying to register non-static key.
+[ 2.501889] the code is fine but needs lockdep annotation.
+[ 2.507357] turning off the locking correctness validator.
+[ 2.512834] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.6.3+ #15
+[ 2.519084] Hardware name: Generic DT based system
+[ 2.523878] Workqueue: events_freezable mmc_rescan
+[ 2.528681] [<801127f0>] (unwind_backtrace) from [<8010da58>] (show_stack+0x10/0x14)
+[ 2.536420] [<8010da58>] (show_stack) from [<8080fbe8>] (dump_stack+0xb4/0xe0)
+[ 2.543645] [<8080fbe8>] (dump_stack) from [<8017efa4>] (register_lock_class+0x6f0/0x718)
+[ 2.551816] [<8017efa4>] (register_lock_class) from [<8017b7d0>] (__lock_acquire+0x78/0x25f0)
+[ 2.560330] [<8017b7d0>] (__lock_acquire) from [<8017e5e4>] (lock_acquire+0xd8/0x1f4)
+[ 2.568159] [<8017e5e4>] (lock_acquire) from [<80831fb0>] (_raw_spin_lock_irqsave+0x3c/0x50)
+[ 2.576589] [<80831fb0>] (_raw_spin_lock_irqsave) from [<8051b5fc>] (owl_dma_issue_pending+0xbc/0x120)
+[ 2.585884] [<8051b5fc>] (owl_dma_issue_pending) from [<80668cbc>] (owl_mmc_request+0x1b0/0x390)
+[ 2.594655] [<80668cbc>] (owl_mmc_request) from [<80650ce0>] (mmc_start_request+0x94/0xbc)
+[ 2.602906] [<80650ce0>] (mmc_start_request) from [<80650ec0>] (mmc_wait_for_req+0x64/0xd0)
+[ 2.611245] [<80650ec0>] (mmc_wait_for_req) from [<8065aa10>] (mmc_app_send_scr+0x10c/0x144)
+[ 2.619669] [<8065aa10>] (mmc_app_send_scr) from [<80659b3c>] (mmc_sd_setup_card+0x4c/0x318)
+[ 2.628092] [<80659b3c>] (mmc_sd_setup_card) from [<80659f0c>] (mmc_sd_init_card+0x104/0x430)
+[ 2.636601] [<80659f0c>] (mmc_sd_init_card) from [<8065a3e0>] (mmc_attach_sd+0xcc/0x16c)
+[ 2.644678] [<8065a3e0>] (mmc_attach_sd) from [<8065301c>] (mmc_rescan+0x3ac/0x40c)
+[ 2.652332] [<8065301c>] (mmc_rescan) from [<80143244>] (process_one_work+0x2d8/0x780)
+[ 2.660239] [<80143244>] (process_one_work) from [<80143730>] (worker_thread+0x44/0x598)
+[ 2.668323] [<80143730>] (worker_thread) from [<8014b5f8>] (kthread+0x148/0x150)
+[ 2.675708] [<8014b5f8>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+[ 2.682912] Exception stack(0xee8fdfb0 to 0xee8fdff8)
+[ 2.687954] dfa0: 00000000 00000000 00000000 00000000
+[ 2.696118] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 2.704277] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+
+The obvious fix would be to use 'spin_lock_init()' on 'pchan->lock'
+before attempting to call 'spin_lock_irqsave()' in 'owl_dma_get_pchan()'.
+
+However, according to Manivannan Sadhasivam, 'pchan->lock' was supposed
+to only protect 'pchan->vchan' while 'od->lock' does a similar job in
+'owl_dma_terminate_pchan()'.
+
+Therefore, this patch substitutes 'pchan->lock' with 'od->lock' and
+removes the 'lock' attribute in 'owl_dma_pchan' struct.
+
+Fixes: 47e20577c24d ("dmaengine: Add Actions Semi Owl family S900 DMA driver")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Acked-by: Andreas Färber <afaerber@suse.de>
+Link: https://lore.kernel.org/r/c6e6cdaca252b5364bd294093673951036488cf0.1588439073.git.cristian.ciocaltea@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/owl-dma.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/dma/owl-dma.c
++++ b/drivers/dma/owl-dma.c
+@@ -175,13 +175,11 @@ struct owl_dma_txd {
+ * @id: physical index to this channel
+ * @base: virtual memory base for the dma channel
+ * @vchan: the virtual channel currently being served by this physical channel
+- * @lock: a lock to use when altering an instance of this struct
+ */
+ struct owl_dma_pchan {
+ u32 id;
+ void __iomem *base;
+ struct owl_dma_vchan *vchan;
+- spinlock_t lock;
+ };
+
+ /**
+@@ -437,14 +435,14 @@ static struct owl_dma_pchan *owl_dma_get
+ for (i = 0; i < od->nr_pchans; i++) {
+ pchan = &od->pchans[i];
+
+- spin_lock_irqsave(&pchan->lock, flags);
++ spin_lock_irqsave(&od->lock, flags);
+ if (!pchan->vchan) {
+ pchan->vchan = vchan;
+- spin_unlock_irqrestore(&pchan->lock, flags);
++ spin_unlock_irqrestore(&od->lock, flags);
+ break;
+ }
+
+- spin_unlock_irqrestore(&pchan->lock, flags);
++ spin_unlock_irqrestore(&od->lock, flags);
+ }
+
+ return pchan;
--- /dev/null
+From 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 16 May 2020 23:42:05 +0200
+Subject: dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 upstream.
+
+Commit b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe")
+has moved some code in the probe function and reordered the error handling
+path accordingly.
+However, a goto has been missed.
+
+Fix it and goto the right label if 'dma_async_device_register()' fails, so
+that all resources are released.
+
+Fixes: b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20200516214205.276266-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/tegra210-adma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -900,7 +900,7 @@ static int tegra_adma_probe(struct platf
+ ret = dma_async_device_register(&tdma->dma_dev);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "ADMA registration failed: %d\n", ret);
+- goto irq_dispose;
++ goto rpm_put;
+ }
+
+ ret = of_dma_controller_register(pdev->dev.of_node,
--- /dev/null
+From ad99cb5e783bb03d512092db3387ead9504aad3d Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 18 May 2020 14:29:55 +0300
+Subject: drm/etnaviv: Fix a leak in submit_pin_objects()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit ad99cb5e783bb03d512092db3387ead9504aad3d upstream.
+
+If the mapping address is wrong then we have to release the reference to
+it before returning -EINVAL.
+
+Fixes: 088880ddc0b2 ("drm/etnaviv: implement softpin")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
+@@ -238,8 +238,10 @@ static int submit_pin_objects(struct etn
+ }
+
+ if ((submit->flags & ETNA_SUBMIT_SOFTPIN) &&
+- submit->bos[i].va != mapping->iova)
++ submit->bos[i].va != mapping->iova) {
++ etnaviv_gem_mapping_unreference(mapping);
+ return -EINVAL;
++ }
+
+ atomic_inc(&etnaviv_obj->gpu_active);
+
--- /dev/null
+From 40b697e256ccdb88aaff424b44b4d300eb8460e8 Mon Sep 17 00:00:00 2001
+From: Christian Gmeiner <christian.gmeiner@gmail.com>
+Date: Tue, 19 May 2020 07:30:15 +0200
+Subject: drm/etnaviv: fix perfmon domain interation
+
+From: Christian Gmeiner <christian.gmeiner@gmail.com>
+
+commit 40b697e256ccdb88aaff424b44b4d300eb8460e8 upstream.
+
+The GC860 has one GPU device which has a 2d and 3d core. In this case
+we want to expose perfmon information for both cores.
+
+The driver has one array which contains all possible perfmon domains
+with some meta data - doms_meta. Here we can see that for the GC860
+two elements of that array are relevant:
+
+ doms_3d: is at index 0 in the doms_meta array with 8 perfmon domains
+ doms_2d: is at index 1 in the doms_meta array with 1 perfmon domain
+
+The userspace driver wants to get a list of all perfmon domains and
+their perfmon signals. This is done by iterating over all domains and
+their signals. If the userspace driver wants to access the domain with
+id 8 the kernel driver fails and returns invalid data from doms_3d with
+and invalid offset.
+
+This results in:
+ Unable to handle kernel paging request at virtual address 00000000
+
+On such a device it is not possible to use the userspace driver at all.
+
+The fix for this off-by-one error is quite simple.
+
+Reported-by: Paul Cercueil <paul@crapouillou.net>
+Tested-by: Paul Cercueil <paul@crapouillou.net>
+Fixes: ed1dd899baa3 ("drm/etnaviv: rework perfmon query infrastructure")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Gmeiner <christian.gmeiner@gmail.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/etnaviv/etnaviv_perfmon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c
+@@ -453,7 +453,7 @@ static const struct etnaviv_pm_domain *p
+ if (!(gpu->identity.features & meta->feature))
+ continue;
+
+- if (meta->nr_domains < (index - offset)) {
++ if (index - offset >= meta->nr_domains) {
+ offset += meta->nr_domains;
+ continue;
+ }
--- /dev/null
+From dca4f40742e09ec5d908a7fc2862498e6cf9d911 Mon Sep 17 00:00:00 2001
+From: Venkata Narendra Kumar Gutta <vnkgutta@codeaurora.org>
+Date: Fri, 1 May 2020 12:00:17 +0530
+Subject: pinctrl: qcom: Add affinity callbacks to msmgpio IRQ chip
+
+From: Venkata Narendra Kumar Gutta <vnkgutta@codeaurora.org>
+
+commit dca4f40742e09ec5d908a7fc2862498e6cf9d911 upstream.
+
+Wakeup capable GPIO IRQs routed via PDC are not being migrated when a CPU
+is hotplugged. Add affinity callbacks to msmgpio IRQ chip to update the
+affinity of wakeup capable IRQs.
+
+Fixes: e35a6ae0eb3a ("pinctrl/msm: Setup GPIO chip in hierarchy")
+Signed-off-by: Venkata Narendra Kumar Gutta <vnkgutta@codeaurora.org>
+[mkshah: updated commit text and minor code fixes]
+Signed-off-by: Maulik Shah <mkshah@codeaurora.org>
+Tested-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Link: https://lore.kernel.org/r/1588314617-4556-1-git-send-email-mkshah@codeaurora.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/qcom/pinctrl-msm.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/pinctrl/qcom/pinctrl-msm.c
++++ b/drivers/pinctrl/qcom/pinctrl-msm.c
+@@ -1010,6 +1010,29 @@ static void msm_gpio_irq_relres(struct i
+ module_put(gc->owner);
+ }
+
++static int msm_gpio_irq_set_affinity(struct irq_data *d,
++ const struct cpumask *dest, bool force)
++{
++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
++ struct msm_pinctrl *pctrl = gpiochip_get_data(gc);
++
++ if (d->parent_data && test_bit(d->hwirq, pctrl->skip_wake_irqs))
++ return irq_chip_set_affinity_parent(d, dest, force);
++
++ return 0;
++}
++
++static int msm_gpio_irq_set_vcpu_affinity(struct irq_data *d, void *vcpu_info)
++{
++ struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
++ struct msm_pinctrl *pctrl = gpiochip_get_data(gc);
++
++ if (d->parent_data && test_bit(d->hwirq, pctrl->skip_wake_irqs))
++ return irq_chip_set_vcpu_affinity_parent(d, vcpu_info);
++
++ return 0;
++}
++
+ static void msm_gpio_irq_handler(struct irq_desc *desc)
+ {
+ struct gpio_chip *gc = irq_desc_get_handler_data(desc);
+@@ -1108,6 +1131,8 @@ static int msm_gpio_init(struct msm_pinc
+ pctrl->irq_chip.irq_set_wake = msm_gpio_irq_set_wake;
+ pctrl->irq_chip.irq_request_resources = msm_gpio_irq_reqres;
+ pctrl->irq_chip.irq_release_resources = msm_gpio_irq_relres;
++ pctrl->irq_chip.irq_set_affinity = msm_gpio_irq_set_affinity;
++ pctrl->irq_chip.irq_set_vcpu_affinity = msm_gpio_irq_set_vcpu_affinity;
+
+ np = of_parse_phandle(pctrl->dev->of_node, "wakeup-parent", 0);
+ if (np) {
--- /dev/null
+From 8659a0e0efdd975c73355dbc033f79ba3b31e82c Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Wed, 20 May 2020 23:36:05 +1000
+Subject: powerpc/64s: Disable STRICT_KERNEL_RWX
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 8659a0e0efdd975c73355dbc033f79ba3b31e82c upstream.
+
+Several strange crashes have been eventually traced back to
+STRICT_KERNEL_RWX and its interaction with code patching.
+
+Various paths in our ftrace, kprobes and other patching code need to
+be hardened against patching failures, otherwise we can end up running
+with partially/incorrectly patched ftrace paths, kprobes or jump
+labels, which can then cause strange crashes.
+
+Although fixes for those are in development, they're not -rc material.
+
+There also seem to be problems with the underlying strict RWX logic,
+which needs further debugging.
+
+So for now disable STRICT_KERNEL_RWX on 64-bit to prevent people from
+enabling the option and tripping over the bugs.
+
+Fixes: 1e0fc9d1eb2b ("powerpc/Kconfig: Enable STRICT_KERNEL_RWX for some configs")
+Cc: stable@vger.kernel.org # v4.13+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200520133605.972649-1-mpe@ellerman.id.au
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/Kconfig
++++ b/arch/powerpc/Kconfig
+@@ -129,7 +129,7 @@ config PPC
+ select ARCH_HAS_PTE_SPECIAL
+ select ARCH_HAS_MEMBARRIER_CALLBACKS
+ select ARCH_HAS_SCALED_CPUTIME if VIRT_CPU_ACCOUNTING_NATIVE && PPC_BOOK3S_64
+- select ARCH_HAS_STRICT_KERNEL_RWX if ((PPC_BOOK3S_64 || PPC32) && !HIBERNATION)
++ select ARCH_HAS_STRICT_KERNEL_RWX if (PPC32 && !HIBERNATION)
+ select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
+ select ARCH_HAS_UACCESS_FLUSHCACHE
+ select ARCH_HAS_UACCESS_MCSAFE if PPC64
alsa-hda-realtek-add-more-fixup-entries-for-clevo-machines.patch
scsi-qla2xxx-do-not-log-message-when-reading-port-speed-via-sysfs.patch
scsi-target-put-lun_ref-at-end-of-tmr-processing.patch
+arm64-fix-ptrace_sysemu-semantics.patch
+powerpc-64s-disable-strict_kernel_rwx.patch
+drm-etnaviv-fix-perfmon-domain-interation.patch
+pinctrl-qcom-add-affinity-callbacks-to-msmgpio-irq-chip.patch
+apparmor-fix-use-after-free-in-aa_audit_rule_init.patch
+apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch
+apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch
+dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch
+drm-etnaviv-fix-a-leak-in-submit_pin_objects.patch
+dmaengine-dmatest-restore-default-for-channel.patch
+dmaengine-idxd-fix-interrupt-completion-after-unmasking.patch
+dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch
+vsprintf-don-t-obfuscate-null-and-error-pointers.patch
--- /dev/null
+From 7bd57fbc4a4ddedc664cad0bbced1b469e24e921 Mon Sep 17 00:00:00 2001
+From: Ilya Dryomov <idryomov@gmail.com>
+Date: Tue, 19 May 2020 13:26:57 +0200
+Subject: vsprintf: don't obfuscate NULL and error pointers
+
+From: Ilya Dryomov <idryomov@gmail.com>
+
+commit 7bd57fbc4a4ddedc664cad0bbced1b469e24e921 upstream.
+
+I don't see what security concern is addressed by obfuscating NULL
+and IS_ERR() error pointers, printed with %p/%pK. Given the number
+of sites where %p is used (over 10000) and the fact that NULL pointers
+aren't uncommon, it probably wouldn't take long for an attacker to
+find the hash that corresponds to 0. Although harder, the same goes
+for most common error values, such as -1, -2, -11, -14, etc.
+
+The NULL part actually fixes a regression: NULL pointers weren't
+obfuscated until commit 3e5903eb9cff ("vsprintf: Prevent crash when
+dereferencing invalid pointers") which went into 5.2. I'm tacking
+the IS_ERR() part on here because error pointers won't leak kernel
+addresses and printing them as pointers shouldn't be any different
+from e.g. %d with PTR_ERR_OR_ZERO(). Obfuscating them just makes
+debugging based on existing pr_debug and friends excruciating.
+
+Note that the "always print 0's for %pK when kptr_restrict == 2"
+behaviour which goes way back is left as is.
+
+Example output with the patch applied:
+
+ ptr error-ptr NULL
+ %p: 0000000001f8cc5b fffffffffffffff2 0000000000000000
+ %pK, kptr = 0: 0000000001f8cc5b fffffffffffffff2 0000000000000000
+ %px: ffff888048c04020 fffffffffffffff2 0000000000000000
+ %pK, kptr = 1: ffff888048c04020 fffffffffffffff2 0000000000000000
+ %pK, kptr = 2: 0000000000000000 0000000000000000 0000000000000000
+
+Fixes: 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers")
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/test_printf.c | 19 ++++++++++++++++++-
+ lib/vsprintf.c | 7 +++++++
+ 2 files changed, 25 insertions(+), 1 deletion(-)
+
+--- a/lib/test_printf.c
++++ b/lib/test_printf.c
+@@ -214,6 +214,7 @@ test_string(void)
+ #define PTR_STR "ffff0123456789ab"
+ #define PTR_VAL_NO_CRNG "(____ptrval____)"
+ #define ZEROS "00000000" /* hex 32 zero bits */
++#define ONES "ffffffff" /* hex 32 one bits */
+
+ static int __init
+ plain_format(void)
+@@ -245,6 +246,7 @@ plain_format(void)
+ #define PTR_STR "456789ab"
+ #define PTR_VAL_NO_CRNG "(ptrval)"
+ #define ZEROS ""
++#define ONES ""
+
+ static int __init
+ plain_format(void)
+@@ -330,14 +332,28 @@ test_hashed(const char *fmt, const void
+ test(buf, fmt, p);
+ }
+
++/*
++ * NULL pointers aren't hashed.
++ */
+ static void __init
+ null_pointer(void)
+ {
+- test_hashed("%p", NULL);
++ test(ZEROS "00000000", "%p", NULL);
+ test(ZEROS "00000000", "%px", NULL);
+ test("(null)", "%pE", NULL);
+ }
+
++/*
++ * Error pointers aren't hashed.
++ */
++static void __init
++error_pointer(void)
++{
++ test(ONES "fffffff5", "%p", ERR_PTR(-11));
++ test(ONES "fffffff5", "%px", ERR_PTR(-11));
++ test("(efault)", "%pE", ERR_PTR(-11));
++}
++
+ #define PTR_INVALID ((void *)0x000000ab)
+
+ static void __init
+@@ -649,6 +665,7 @@ test_pointer(void)
+ {
+ plain();
+ null_pointer();
++ error_pointer();
+ invalid_pointer();
+ symbol_ptr();
+ kernel_ptr();
+--- a/lib/vsprintf.c
++++ b/lib/vsprintf.c
+@@ -794,6 +794,13 @@ static char *ptr_to_id(char *buf, char *
+ unsigned long hashval;
+ int ret;
+
++ /*
++ * Print the real pointer value for NULL and error pointers,
++ * as they are not actual addresses.
++ */
++ if (IS_ERR_OR_NULL(ptr))
++ return pointer_string(buf, end, ptr, spec);
++
+ /* When debugging early boot use non-cryptographically secure hash. */
+ if (unlikely(debug_boot_weak_hash)) {
+ hashval = hash_long((unsigned long)ptr, 32);
projects / thirdparty / kernel / stable-queue.git / commitdiff
