4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 23 May 2020 12:21:55 +0000 (14:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 23 May 2020 12:21:55 +0000 (14:21 +0200)
added patches:
apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch
apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch
apparmor-fix-use-after-free-in-aa_audit_rule_init.patch
dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch
dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch
drm-etnaviv-fix-perfmon-domain-interation.patch

queue-4.19/apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch [new file with mode: 0644]
queue-4.19/apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch [new file with mode: 0644]
queue-4.19/apparmor-fix-use-after-free-in-aa_audit_rule_init.patch [new file with mode: 0644]
queue-4.19/dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch [new file with mode: 0644]
queue-4.19/dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch [new file with mode: 0644]
queue-4.19/drm-etnaviv-fix-perfmon-domain-interation.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch b/queue-4.19/apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch
new file mode 100644 (file)
index 0000000..936faa5
--- /dev/null
@@ -0,0 +1,53 @@
+From c6b39f070722ea9963ffe756bfe94e89218c5e63 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Mon, 20 Apr 2020 13:35:28 +0800
+Subject: apparmor: Fix aa_label refcnt leak in policy_update
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit c6b39f070722ea9963ffe756bfe94e89218c5e63 upstream.
+
+policy_update() invokes begin_current_label_crit_section(), which
+returns a reference of the updated aa_label object to "label" with
+increased refcount.
+
+When policy_update() returns, "label" becomes invalid, so the refcount
+should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one exception handling path of
+policy_update(). When aa_may_manage_policy() returns not NULL, the
+refcnt increased by begin_current_label_crit_section() is not decreased,
+causing a refcnt leak.
+
+Fix this issue by jumping to "end_section" label when
+aa_may_manage_policy() returns not NULL.
+
+Fixes: 5ac8c355ae00 ("apparmor: allow introspecting the loaded policy pre internal transform")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/apparmorfs.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -424,7 +424,7 @@ static ssize_t policy_update(u32 mask, c
+        */
+       error = aa_may_manage_policy(label, ns, mask);
+       if (error)
+-              return error;
++              goto end_section;
+       data = aa_simple_write_to_buffer(buf, size, size, pos);
+       error = PTR_ERR(data);
+@@ -432,6 +432,7 @@ static ssize_t policy_update(u32 mask, c
+               error = aa_replace_profiles(ns, label, mask, data);
+               aa_put_loaddata(data);
+       }
++end_section:
+       end_current_label_crit_section(label);
+       return error;
diff --git a/queue-4.19/apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch b/queue-4.19/apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch
new file mode 100644 (file)
index 0000000..34efe4b
--- /dev/null
@@ -0,0 +1,51 @@
+From a0b845ffa0d91855532b50fc040aeb2d8338dca4 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Date: Sun, 5 Apr 2020 13:11:55 +0800
+Subject: apparmor: fix potential label refcnt leak in aa_change_profile
+
+From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+
+commit a0b845ffa0d91855532b50fc040aeb2d8338dca4 upstream.
+
+aa_change_profile() invokes aa_get_current_label(), which returns
+a reference of the current task's label.
+
+According to the comment of aa_get_current_label(), the returned
+reference must be put with aa_put_label().
+However, when the original object pointed by "label" becomes
+unreachable because aa_change_profile() returns or a new object
+is assigned to "label", reference count increased by
+aa_get_current_label() is not decreased, causing a refcnt leak.
+
+Fix this by calling aa_put_label() before aa_change_profile() return
+and dropping unnecessary aa_get_current_label().
+
+Fixes: 9fcf78cca198 ("apparmor: update domain transitions that are subsets of confinement at nnp")
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/domain.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/security/apparmor/domain.c
++++ b/security/apparmor/domain.c
+@@ -1338,6 +1338,7 @@ int aa_change_profile(const char *fqname
+               ctx->nnp = aa_get_label(label);
+       if (!fqname || !*fqname) {
++              aa_put_label(label);
+               AA_DEBUG("no profile name");
+               return -EINVAL;
+       }
+@@ -1356,8 +1357,6 @@ int aa_change_profile(const char *fqname
+                       op = OP_CHANGE_PROFILE;
+       }
+-      label = aa_get_current_label();
+-
+       if (*fqname == '&') {
+               stack = true;
+               /* don't have label_parse() do stacking */
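Review bot: The early `return -EINVAL` for an empty `fqname` now carries its own `aa_put_label(label);`, so the release of `label` is split between this branch and whatever aa_change_profile() does at its normal exit, which is outside these hunks. If the function has a shared cleanup path, routing this branch through it would keep the put in one place; otherwise a short comment such as `/* balance the label reference taken earlier in this function */` above the added call would make the pairing explicit. With the second `aa_get_current_label()` removed, it is also worth confirming that every remaining exit path puts `label` exactly once.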
diff --git a/queue-4.19/apparmor-fix-use-after-free-in-aa_audit_rule_init.patch b/queue-4.19/apparmor-fix-use-after-free-in-aa_audit_rule_init.patch
new file mode 100644 (file)
index 0000000..8f17cdd
--- /dev/null
@@ -0,0 +1,38 @@
+From c54d481d71c6849e044690d3960aaebc730224cc Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Mon, 21 Oct 2019 10:23:47 -0500
+Subject: apparmor: Fix use-after-free in aa_audit_rule_init
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit c54d481d71c6849e044690d3960aaebc730224cc upstream.
+
+In the implementation of aa_audit_rule_init(), when aa_label_parse()
+fails the allocated memory for rule is released using
+aa_audit_rule_free(). But after this release, the return statement
+tries to access the label field of the rule which results in
+use-after-free. Before releasing the rule, copy errNo and return it
+after release.
+
+Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/apparmor/audit.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -201,8 +201,9 @@ int aa_audit_rule_init(u32 field, u32 op
+       rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
+                                    GFP_KERNEL, true, false);
+       if (IS_ERR(rule->label)) {
++              int err = PTR_ERR(rule->label);
+               aa_audit_rule_free(rule);
+-              return PTR_ERR(rule->label);
++              return err;
+       }
+       *vrule = rule;
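Review bot: `aa_audit_rule_free(rule)` still runs while `rule->label` holds an ERR_PTR value, so the fix is only complete if the free routine skips the label put for error pointers. Its body is outside this hunk, so that guard should be confirmed rather than assumed. Within the added lines, kernel style expects a blank line between the declaration `int err = PTR_ERR(rule->label);` and the call that follows it. aa_audit_rule_init() begins and ends outside the hunk.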
diff --git a/queue-4.19/dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch b/queue-4.19/dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch
new file mode 100644 (file)
index 0000000..4951ac7
--- /dev/null
@@ -0,0 +1,101 @@
+From f8f482deb078389b42768b2193e050a81aae137d Mon Sep 17 00:00:00 2001
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Date: Sat, 2 May 2020 20:15:51 +0300
+Subject: dmaengine: owl: Use correct lock in owl_dma_get_pchan()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+
+commit f8f482deb078389b42768b2193e050a81aae137d upstream.
+
+When the kernel is built with lockdep support and the owl-dma driver is
+used, the following message is shown:
+
+[    2.496939] INFO: trying to register non-static key.
+[    2.501889] the code is fine but needs lockdep annotation.
+[    2.507357] turning off the locking correctness validator.
+[    2.512834] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.6.3+ #15
+[    2.519084] Hardware name: Generic DT based system
+[    2.523878] Workqueue: events_freezable mmc_rescan
+[    2.528681] [<801127f0>] (unwind_backtrace) from [<8010da58>] (show_stack+0x10/0x14)
+[    2.536420] [<8010da58>] (show_stack) from [<8080fbe8>] (dump_stack+0xb4/0xe0)
+[    2.543645] [<8080fbe8>] (dump_stack) from [<8017efa4>] (register_lock_class+0x6f0/0x718)
+[    2.551816] [<8017efa4>] (register_lock_class) from [<8017b7d0>] (__lock_acquire+0x78/0x25f0)
+[    2.560330] [<8017b7d0>] (__lock_acquire) from [<8017e5e4>] (lock_acquire+0xd8/0x1f4)
+[    2.568159] [<8017e5e4>] (lock_acquire) from [<80831fb0>] (_raw_spin_lock_irqsave+0x3c/0x50)
+[    2.576589] [<80831fb0>] (_raw_spin_lock_irqsave) from [<8051b5fc>] (owl_dma_issue_pending+0xbc/0x120)
+[    2.585884] [<8051b5fc>] (owl_dma_issue_pending) from [<80668cbc>] (owl_mmc_request+0x1b0/0x390)
+[    2.594655] [<80668cbc>] (owl_mmc_request) from [<80650ce0>] (mmc_start_request+0x94/0xbc)
+[    2.602906] [<80650ce0>] (mmc_start_request) from [<80650ec0>] (mmc_wait_for_req+0x64/0xd0)
+[    2.611245] [<80650ec0>] (mmc_wait_for_req) from [<8065aa10>] (mmc_app_send_scr+0x10c/0x144)
+[    2.619669] [<8065aa10>] (mmc_app_send_scr) from [<80659b3c>] (mmc_sd_setup_card+0x4c/0x318)
+[    2.628092] [<80659b3c>] (mmc_sd_setup_card) from [<80659f0c>] (mmc_sd_init_card+0x104/0x430)
+[    2.636601] [<80659f0c>] (mmc_sd_init_card) from [<8065a3e0>] (mmc_attach_sd+0xcc/0x16c)
+[    2.644678] [<8065a3e0>] (mmc_attach_sd) from [<8065301c>] (mmc_rescan+0x3ac/0x40c)
+[    2.652332] [<8065301c>] (mmc_rescan) from [<80143244>] (process_one_work+0x2d8/0x780)
+[    2.660239] [<80143244>] (process_one_work) from [<80143730>] (worker_thread+0x44/0x598)
+[    2.668323] [<80143730>] (worker_thread) from [<8014b5f8>] (kthread+0x148/0x150)
+[    2.675708] [<8014b5f8>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
+[    2.682912] Exception stack(0xee8fdfb0 to 0xee8fdff8)
+[    2.687954] dfa0:                                     00000000 00000000 00000000 00000000
+[    2.696118] dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[    2.704277] dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
+
+The obvious fix would be to use 'spin_lock_init()' on 'pchan->lock'
+before attempting to call 'spin_lock_irqsave()' in 'owl_dma_get_pchan()'.
+
+However, according to Manivannan Sadhasivam, 'pchan->lock' was supposed
+to only protect 'pchan->vchan' while 'od->lock' does a similar job in
+'owl_dma_terminate_pchan()'.
+
+Therefore, this patch substitutes 'pchan->lock' with 'od->lock' and
+removes the 'lock' attribute in 'owl_dma_pchan' struct.
+
+Fixes: 47e20577c24d ("dmaengine: Add Actions Semi Owl family S900 DMA driver")
+Signed-off-by: Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Acked-by: Andreas Färber <afaerber@suse.de>
+Link: https://lore.kernel.org/r/c6e6cdaca252b5364bd294093673951036488cf0.1588439073.git.cristian.ciocaltea@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/owl-dma.c |    8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/dma/owl-dma.c
++++ b/drivers/dma/owl-dma.c
+@@ -172,13 +172,11 @@ struct owl_dma_txd {
+  * @id: physical index to this channel
+  * @base: virtual memory base for the dma channel
+  * @vchan: the virtual channel currently being served by this physical channel
+- * @lock: a lock to use when altering an instance of this struct
+  */
+ struct owl_dma_pchan {
+       u32                     id;
+       void __iomem            *base;
+       struct owl_dma_vchan    *vchan;
+-      spinlock_t              lock;
+ };
+ /**
+@@ -396,14 +394,14 @@ static struct owl_dma_pchan *owl_dma_get
+       for (i = 0; i < od->nr_pchans; i++) {
+               pchan = &od->pchans[i];
+-              spin_lock_irqsave(&pchan->lock, flags);
++              spin_lock_irqsave(&od->lock, flags);
+               if (!pchan->vchan) {
+                       pchan->vchan = vchan;
+-                      spin_unlock_irqrestore(&pchan->lock, flags);
++                      spin_unlock_irqrestore(&od->lock, flags);
+                       break;
+               }
+-              spin_unlock_irqrestore(&pchan->lock, flags);
++              spin_unlock_irqrestore(&od->lock, flags);
+       }
+       return pchan;
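Review bot: When every physical channel is busy, the loop in owl_dma_get_pchan() finishes with `pchan` still pointing at the last entry of `od->pchans`, and `return pchan;` hands that in-use channel back as if it had been claimed. Now that a single `od->lock` guards all channels, the lock can also be taken once around the whole search instead of once per iteration. The sketch below assigns `pchan` only on a successful claim. It assumes `pchan` is initialised to NULL before the loop and that the caller treats NULL as "no channel available"; both are outside the hunk.

```c
	/* … unchanged: declarations; assumes pchan starts out NULL … */
	spin_lock_irqsave(&od->lock, flags);
	for (i = 0; i < od->nr_pchans; i++) {
		if (!od->pchans[i].vchan) {
			pchan = &od->pchans[i];
			pchan->vchan = vchan;
			break;
		}
	}
	spin_unlock_irqrestore(&od->lock, flags);

	return pchan;
```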
diff --git a/queue-4.19/dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch b/queue-4.19/dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch
new file mode 100644 (file)
index 0000000..5caa106
--- /dev/null
@@ -0,0 +1,40 @@
+From 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sat, 16 May 2020 23:42:05 +0200
+Subject: dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 upstream.
+
+Commit b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe")
+has moved some code in the probe function and reordered the error handling
+path accordingly.
+However, a goto has been missed.
+
+Fix it and goto the right label if 'dma_async_device_register()' fails, so
+that all resources are released.
+
+Fixes: b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20200516214205.276266-1-christophe.jaillet@wanadoo.fr
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/tegra210-adma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/tegra210-adma.c
++++ b/drivers/dma/tegra210-adma.c
+@@ -793,7 +793,7 @@ static int tegra_adma_probe(struct platf
+       ret = dma_async_device_register(&tdma->dma_dev);
+       if (ret < 0) {
+               dev_err(&pdev->dev, "ADMA registration failed: %d\n", ret);
+-              goto irq_dispose;
++              goto rpm_put;
+       }
+       ret = of_dma_controller_register(pdev->dev.of_node,
diff --git a/queue-4.19/drm-etnaviv-fix-perfmon-domain-interation.patch b/queue-4.19/drm-etnaviv-fix-perfmon-domain-interation.patch
new file mode 100644 (file)
index 0000000..5c974b1
--- /dev/null
@@ -0,0 +1,55 @@
+From 40b697e256ccdb88aaff424b44b4d300eb8460e8 Mon Sep 17 00:00:00 2001
+From: Christian Gmeiner <christian.gmeiner@gmail.com>
+Date: Tue, 19 May 2020 07:30:15 +0200
+Subject: drm/etnaviv: fix perfmon domain interation
+
+From: Christian Gmeiner <christian.gmeiner@gmail.com>
+
+commit 40b697e256ccdb88aaff424b44b4d300eb8460e8 upstream.
+
+The GC860 has one GPU device which has a 2d and 3d core. In this case
+we want to expose perfmon information for both cores.
+
+The driver has one array which contains all possible perfmon domains
+with some meta data - doms_meta. Here we can see that for the GC860
+two elements of that array are relevant:
+
+  doms_3d: is at index 0 in the doms_meta array with 8 perfmon domains
+  doms_2d: is at index 1 in the doms_meta array with 1 perfmon domain
+
+The userspace driver wants to get a list of all perfmon domains and
+their perfmon signals. This is done by iterating over all domains and
+their signals. If the userspace driver wants to access the domain with
+id 8 the kernel driver fails and returns invalid data from doms_3d with
+and invalid offset.
+
+This results in:
+  Unable to handle kernel paging request at virtual address 00000000
+
+On such a device it is not possible to use the userspace driver at all.
+
+The fix for this off-by-one error is quite simple.
+
+Reported-by: Paul Cercueil <paul@crapouillou.net>
+Tested-by: Paul Cercueil <paul@crapouillou.net>
+Fixes: ed1dd899baa3 ("drm/etnaviv: rework perfmon query infrastructure")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Gmeiner <christian.gmeiner@gmail.com>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/etnaviv/etnaviv_perfmon.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_perfmon.c
+@@ -453,7 +453,7 @@ static const struct etnaviv_pm_domain *p
+               if (!(gpu->identity.features & meta->feature))
+                       continue;
+-              if (meta->nr_domains < (index - offset)) {
++              if (index - offset >= meta->nr_domains) {
+                       offset += meta->nr_domains;
+                       continue;
+               }
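Review bot: The corrected bound `if (index - offset >= meta->nr_domains)` deserves a one-line comment, because the commit message indicates `index` comes from userspace and this comparison is what keeps the lookup inside the current block. Something like `/* index - offset is the position inside this meta block; valid values are 0 .. nr_domains - 1 */` would do. The check relies on `offset` never exceeding `index`, which holds as long as `offset` starts at zero and is only advanced in this branch; its initialisation is outside the hunk. What the function returns when `index` lies past the last block is also outside the hunk and worth confirming.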
index b91372a72df9c77834b88a190ed1c5070345e805..b4dfc4d3ccc32219b64a63b92c9167920ff14080 100644 (file)
@@ -37,3 +37,9 @@ alsa-iec1712-initialize-stdsp24-properly-when-using-the-model-staudio-option.pat
 alsa-pcm-fix-incorrect-hw_base-increase.patch
 alsa-hda-realtek-fix-silent-output-on-gigabyte-x570-aorus-xtreme.patch
 alsa-hda-realtek-add-more-fixup-entries-for-clevo-machines.patch
+drm-etnaviv-fix-perfmon-domain-interation.patch
+apparmor-fix-use-after-free-in-aa_audit_rule_init.patch
+apparmor-fix-potential-label-refcnt-leak-in-aa_change_profile.patch
+apparmor-fix-aa_label-refcnt-leak-in-policy_update.patch
+dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch
+dmaengine-owl-use-correct-lock-in-owl_dma_get_pchan.patch