From: Greg Kroah-Hartman
Date: Mon, 20 Jan 2025 15:23:59 +0000 (+0100)
Subject: 6.6-stable patches
X-Git-Tag: v6.6.73~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0c5330d6404f7cefce98ebd194be96434fa72554;p=thirdparty%2Fkernel%2Fstable-queue.git
6.6-stable patches
added patches:
block-fix-uaf-for-flush-rq-while-iterating-tags.patch
drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
iio-imu-inv_icm42600-fix-spi-burst-write-not-supported.patch
---
diff --git a/queue-6.6/block-fix-uaf-for-flush-rq-while-iterating-tags.patch b/queue-6.6/block-fix-uaf-for-flush-rq-while-iterating-tags.patch
new file mode 100644
index 0000000000..305937414c
--- /dev/null
+++ b/queue-6.6/block-fix-uaf-for-flush-rq-while-iterating-tags.patch
@@ -0,0 +1,162 @@
+From 3802f73bd80766d70f319658f334754164075bc3 Mon Sep 17 00:00:00 2001
+From: Yu Kuai
+Date: Mon, 4 Nov 2024 19:00:05 +0800
+Subject: block: fix uaf for flush rq while iterating tags
+
+From: Yu Kuai
+
+commit 3802f73bd80766d70f319658f334754164075bc3 upstream.
+
+blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by
+checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared
+in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in
+atomic mode after del_gendisk"), hence for disk like scsi, following
+blk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well,
+cause following uaf that is found by our syzkaller for v6.6:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261
+Read of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909
+
+CPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32
+Workqueue: kblockd blk_mq_timeout_work
+Call Trace:
+
+__dump_stack lib/dump_stack.c:88 [inline]
+dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
+print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
+print_report+0x3e/0x70 mm/kasan/report.c:475
+kasan_report+0xb8/0xf0 mm/kasan/report.c:588
+blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261
+bt_iter block/blk-mq-tag.c:288 [inline]
+__sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]
+sbitmap_for_each_set include/linux/sbitmap.h:316 [inline]
+bt_for_each+0x455/0x790 block/blk-mq-tag.c:325
+blk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534
+blk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673
+process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631
+process_scheduled_works kernel/workqueue.c:2704 [inline]
+worker_thread+0x804/0xe40 kernel/workqueue.c:2785
+kthread+0x346/0x450 kernel/kthread.c:388
+ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293
+
+Allocated by task 942:
+kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+____kasan_kmalloc mm/kasan/common.c:374 [inline]
+__kasan_kmalloc mm/kasan/common.c:383 [inline]
+__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380
+kasan_kmalloc include/linux/kasan.h:198 [inline]
+__do_kmalloc_node mm/slab_common.c:1007 [inline]
+__kmalloc_node+0x69/0x170 mm/slab_common.c:1014
+kmalloc_node include/linux/slab.h:620 [inline]
+kzalloc_node include/linux/slab.h:732 [inline]
+blk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499
+blk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788
+blk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261
+blk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294
+blk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350
+blk_mq_init_queue_data block/blk-mq.c:4166 [inline]
+blk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176
+scsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335
+scsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189
+__scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727
+scsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]
+scsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791
+scsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844
+scsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151
+store_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191
+dev_attr_store+0x5c/0x90 drivers/base/core.c:2388
+sysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136
+kernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338
+call_write_iter include/linux/fs.h:2083 [inline]
+new_sync_write+0x1b4/0x2d0 fs/read_write.c:493
+vfs_write+0x76c/0xb00 fs/read_write.c:586
+ksys_write+0x127/0x250 fs/read_write.c:639
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
+entry_SYSCALL_64_after_hwframe+0x78/0xe2
+
+Freed by task 244687:
+kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
+____kasan_slab_free mm/kasan/common.c:236 [inline]
+__kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244
+kasan_slab_free include/linux/kasan.h:164 [inline]
+slab_free_hook mm/slub.c:1815 [inline]
+slab_free_freelist_hook mm/slub.c:1841 [inline]
+slab_free mm/slub.c:3807 [inline]
+__kmem_cache_free+0xe4/0x520 mm/slub.c:3820
+blk_free_flush_queue+0x40/0x60 block/blk-flush.c:520
+blk_mq_hw_sysfs_release+0x4a/0x170 block/blk-mq-sysfs.c:37
+kobject_cleanup+0x136/0x410 lib/kobject.c:689
+kobject_release lib/kobject.c:720 [inline]
+kref_put include/linux/kref.h:65 [inline]
+kobject_put+0x119/0x140 lib/kobject.c:737
+blk_mq_release+0x24f/0x3f0 block/blk-mq.c:4144
+blk_free_queue block/blk-core.c:298 [inline]
+blk_put_queue+0xe2/0x180 block/blk-core.c:314
+blkg_free_workfn+0x376/0x6e0 block/blk-cgroup.c:144
+process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631
+process_scheduled_works kernel/workqueue.c:2704 [inline]
+worker_thread+0x804/0xe40 kernel/workqueue.c:2785
+kthread+0x346/0x450 kernel/kthread.c:388
+ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293
+
+Other than blk_mq_clear_flush_rq_mapping(), the flag is only used in
+blk_register_queue() from initialization path, hence it's safe not to
+clear the flag in del_gendisk. And since QUEUE_FLAG_REGISTERED already
+make sure that queue should only be registered once, there is no need
+to test the flag as well.
+
+Fixes: 6cfeadbff3f8 ("blk-mq: don't clear flush_rq from tags->rqs[]")
+Depends-on: commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk")
+Signed-off-by: Yu Kuai
+Reviewed-by: Ming Lei
+Link: https://lore.kernel.org/r/20241104110005.1412161-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe
+Signed-off-by: BRUNO VERNAY
+Signed-off-by: Hugo SIMELIERE
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/blk-sysfs.c | 6 ++----
+ block/genhd.c | 9 +++------
+ 2 files changed, 5 insertions(+), 10 deletions(-)
+
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -842,10 +842,8 @@ int blk_register_queue(struct gendisk *d
+ * faster to shut down and is made fully functional here as
+ * request_queues for non-existent devices never get registered.
+ */
+- if (!blk_queue_init_done(q)) {
+- blk_queue_flag_set(QUEUE_FLAG_INIT_DONE, q);
+- percpu_ref_switch_to_percpu(&q->q_usage_counter);
+- }
++ blk_queue_flag_set(QUEUE_FLAG_INIT_DONE, q);
++ percpu_ref_switch_to_percpu(&q->q_usage_counter);
+
+ return ret;
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -710,13 +710,10 @@ void del_gendisk(struct gendisk *disk)
+ * If the disk does not own the queue, allow using passthrough requests
+ * again. Else leave the queue frozen to fail all I/O.
+ */
+- if (!test_bit(GD_OWNS_QUEUE, &disk->state)) {
+- blk_queue_flag_clear(QUEUE_FLAG_INIT_DONE, q);
++ if (!test_bit(GD_OWNS_QUEUE, &disk->state))
+ __blk_mq_unfreeze_queue(q, true);
+- } else {
+- if (queue_is_mq(q))
+- blk_mq_exit_queue(q);
+- }
++ else if (queue_is_mq(q))
++ blk_mq_exit_queue(q);
+ }
+ EXPORT_SYMBOL(del_gendisk);
+
diff --git a/queue-6.6/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch b/queue-6.6/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
new file mode 100644
index 0000000000..175b99fc8d
--- /dev/null
+++ b/queue-6.6/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
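Review bot: With the `if (!blk_queue_init_done(q))` guard removed, the new `blk_queue_flag_set(QUEUE_FLAG_INIT_DONE, q)` / `percpu_ref_switch_to_percpu(&q->q_usage_counter)` pair in blk_register_queue rests on an invariant that is now only implicit: INIT_DONE is set at registration and, after the genhd.c hunk, never cleared again, which is what lets blk_mq_clear_flush_rq_mapping() run at queue teardown and keeps blk_mq_timeout_work from iterating onto the freed flush request shown in the KASAN report. The commit message attributes single registration to QUEUE_FLAG_REGISTERED, but that check lies outside this hunk, so a comment on the new lines would stop a later reader from reinstating a "clear on del_gendisk" step: `/* Set once per queue (registration is guarded by QUEUE_FLAG_REGISTERED) and never cleared: blk_mq_clear_flush_rq_mapping() keys off INIT_DONE at teardown. */`. It is also worth confirming that the 6.6 tree already carries aec89dc5d421 from the Depends-on trailer, since the fix only makes sense on top of that change. Both blk_register_queue and del_gendisk start and end outside their hunks.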
@@ -0,0 +1,106 @@
+From 63de35a8fcfca59ae8750d469a7eb220c7557baf Mon Sep 17 00:00:00 2001
+From: Srinivasan Shanmugam
+Date: Wed, 25 Sep 2024 20:04:15 +0530
+Subject: drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'
+
+From: Srinivasan Shanmugam
+
+commit 63de35a8fcfca59ae8750d469a7eb220c7557baf upstream.
+
+An issue was identified in the dcn21_link_encoder_create function where
+an out-of-bounds access could occur when the hpd_source index was used
+to reference the link_enc_hpd_regs array. This array has a fixed size
+and the index was not being checked against the array's bounds before
+accessing it.
+
+This fix adds a conditional check to ensure that the hpd_source index is
+within the valid range of the link_enc_hpd_regs array. If the index is
+out of bounds, the function now returns NULL to prevent undefined
+behavior.
+
+References:
+
+[ 65.920507] ------------[ cut here ]------------
+[ 65.920510] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn21/dcn21_resource.c:1312:29
+[ 65.920519] index 7 is out of range for type 'dcn10_link_enc_hpd_registers [5]'
+[ 65.920523] CPU: 3 PID: 1178 Comm: modprobe Tainted: G OE 6.8.0-cleanershaderfeatureresetasdntipmi200nv2132 #13
+[ 65.920525] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS WMJ0429N_Weekly_20_04_2 04/29/2020
+[ 65.920527] Call Trace:
+[ 65.920529]
+[ 65.920532] dump_stack_lvl+0x48/0x70
+[ 65.920541] dump_stack+0x10/0x20
+[ 65.920543] __ubsan_handle_out_of_bounds+0xa2/0xe0
+[ 65.920549] dcn21_link_encoder_create+0xd9/0x140 [amdgpu]
+[ 65.921009] link_create+0x6d3/0xed0 [amdgpu]
+[ 65.921355] create_links+0x18a/0x4e0 [amdgpu]
+[ 65.921679] dc_create+0x360/0x720 [amdgpu]
+[ 65.921999] ? dmi_matches+0xa0/0x220
+[ 65.922004] amdgpu_dm_init+0x2b6/0x2c90 [amdgpu]
+[ 65.922342] ? console_unlock+0x77/0x120
+[ 65.922348] ? dev_printk_emit+0x86/0xb0
+[ 65.922354] dm_hw_init+0x15/0x40 [amdgpu]
+[ 65.922686] amdgpu_device_init+0x26a8/0x33a0 [amdgpu]
+[ 65.922921] amdgpu_driver_load_kms+0x1b/0xa0 [amdgpu]
+[ 65.923087] amdgpu_pci_probe+0x1b7/0x630 [amdgpu]
+[ 65.923087] local_pci_probe+0x4b/0xb0
+[ 65.923087] pci_device_probe+0xc8/0x280
+[ 65.923087] really_probe+0x187/0x300
+[ 65.923087] __driver_probe_device+0x85/0x130
+[ 65.923087] driver_probe_device+0x24/0x110
+[ 65.923087] __driver_attach+0xac/0x1d0
+[ 65.923087] ? __pfx___driver_attach+0x10/0x10
+[ 65.923087] bus_for_each_dev+0x7d/0xd0
+[ 65.923087] driver_attach+0x1e/0x30
+[ 65.923087] bus_add_driver+0xf2/0x200
+[ 65.923087] driver_register+0x64/0x130
+[ 65.923087] ? __pfx_amdgpu_init+0x10/0x10 [amdgpu]
+[ 65.923087] __pci_register_driver+0x61/0x70
+[ 65.923087] amdgpu_init+0x7d/0xff0 [amdgpu]
+[ 65.923087] do_one_initcall+0x49/0x310
+[ 65.923087] ? kmalloc_trace+0x136/0x360
+[ 65.923087] do_init_module+0x6a/0x270
+[ 65.923087] load_module+0x1fce/0x23a0
+[ 65.923087] init_module_from_file+0x9c/0xe0
+[ 65.923087] ? init_module_from_file+0x9c/0xe0
+[ 65.923087] idempotent_init_module+0x179/0x230
+[ 65.923087] __x64_sys_finit_module+0x5d/0xa0
+[ 65.923087] do_syscall_64+0x76/0x120
+[ 65.923087] entry_SYSCALL_64_after_hwframe+0x6e/0x76
+[ 65.923087] RIP: 0033:0x7f2d80f1e88d
+[ 65.923087] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48
+[ 65.923087] RSP: 002b:00007ffc7bc1aa78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 65.923087] RAX: ffffffffffffffda RBX: 0000564c9c1db130 RCX: 00007f2d80f1e88d
+[ 65.923087] RDX: 0000000000000000 RSI: 0000564c9c1e5480 RDI: 000000000000000f
+[ 65.923087] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000002
+[ 65.923087] R10: 000000000000000f R11: 0000000000000246 R12: 0000564c9c1e5480
+[ 65.923087] R13: 0000564c9c1db260 R14: 0000000000000000 R15: 0000564c9c1e54b0
+[ 65.923087]
+[ 65.923927] ---[ end trace ]---
+
+Cc: Tom Chung
+Cc: Rodrigo Siqueira
+Cc: Roman Li
+Cc: Alex Hung
+Cc: Aurabindo Pillai
+Cc: Harry Wentland
+Cc: Hamza Mahfooz
+Signed-off-by: Srinivasan Shanmugam
+Reviewed-by: Roman Li
+Signed-off-by: Alex Deucher
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+@@ -1315,7 +1315,7 @@ static struct link_encoder *dcn21_link_e
+ kzalloc(sizeof(struct dcn21_link_encoder), GFP_KERNEL);
+ int link_regs_id;
+
+- if (!enc21)
++ if (!enc21 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
+ return NULL;
+
+ link_regs_id =
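Review bot: The merged condition `if (!enc21 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))` returns NULL without releasing `enc21` when the kzalloc succeeded but the index is out of range, so the bounds guard trades the UBSAN out-of-bounds report for a leak of the encoder allocation on every such call. Splitting the two checks and freeing on the bounds failure keeps the fix without the leak, as below. If hpd_source is a signed type, a negative value would be converted to unsigned for the comparison against the size_t result of ARRAY_SIZE and still be rejected, which is the intended outcome but is worth a one-line comment so nobody "fixes" the comparison later. dcn21_link_encoder_create and the `enc21 = kzalloc(...)` initializer start outside the hunk, and the function continues past it.
```c
	if (!enc21)
		return NULL;

	/* hpd_source indexes link_enc_hpd_regs; an out-of-range value is a
	 * configuration error (see the UBSAN report), not a reason to read
	 * past the array. Release the allocation before bailing out. */
	if (enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs)) {
		kfree(enc21);
		return NULL;
	}
	/* … unchanged: rest of dcn21_link_encoder_create … */
```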
diff --git a/queue-6.6/iio-imu-inv_icm42600-fix-spi-burst-write-not-supported.patch b/queue-6.6/iio-imu-inv_icm42600-fix-spi-burst-write-not-supported.patch
new file mode 100644
index 0000000000..f3a2a17009
--- /dev/null
+++ b/queue-6.6/iio-imu-inv_icm42600-fix-spi-burst-write-not-supported.patch
@@ -0,0 +1,68 @@
+From c0f866de4ce447bca3191b9cefac60c4b36a7922 Mon Sep 17 00:00:00 2001
+From: Jean-Baptiste Maneyrol
+Date: Tue, 12 Nov 2024 10:30:10 +0100
+Subject: iio: imu: inv_icm42600: fix spi burst write not supported
+
+From: Jean-Baptiste Maneyrol
+
+commit c0f866de4ce447bca3191b9cefac60c4b36a7922 upstream.
+
+Burst write with SPI is not working for all icm42600 chips. It was
+only used for setting user offsets with regmap_bulk_write.
+
+Add specific SPI regmap config for using only single write with SPI.
+
+Fixes: 9f9ff91b775b ("iio: imu: inv_icm42600: add SPI driver for inv_icm42600 driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jean-Baptiste Maneyrol
+Link: https://patch.msgid.link/20241112-inv-icm42600-fix-spi-burst-write-not-supported-v2-1-97690dc03607@tdk.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 +
+ drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 11 +++++++++++
+ drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 ++-
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600.h
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600.h
+@@ -362,6 +362,7 @@ struct inv_icm42600_state {
+ typedef int (*inv_icm42600_bus_setup)(struct inv_icm42600_state *);
+
+ extern const struct regmap_config inv_icm42600_regmap_config;
++extern const struct regmap_config inv_icm42600_spi_regmap_config;
+ extern const struct dev_pm_ops inv_icm42600_pm_ops;
+
+ const struct iio_mount_matrix *
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
+@@ -44,6 +44,17 @@ const struct regmap_config inv_icm42600_
+ };
+ EXPORT_SYMBOL_NS_GPL(inv_icm42600_regmap_config, IIO_ICM42600);
+
++/* define specific regmap for SPI not supporting burst write */
++const struct regmap_config inv_icm42600_spi_regmap_config = {
++ .reg_bits = 8,
++ .val_bits = 8,
++ .max_register = 0x4FFF,
++ .ranges = inv_icm42600_regmap_ranges,
++ .num_ranges = ARRAY_SIZE(inv_icm42600_regmap_ranges),
++ .use_single_write = true,
++};
++EXPORT_SYMBOL_NS_GPL(inv_icm42600_spi_regmap_config, IIO_ICM42600);
++
+ struct inv_icm42600_hw {
+ uint8_t whoami;
+ const char *name;
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c
+@@ -59,7 +59,8 @@ static int inv_icm42600_probe(struct spi
+ return -EINVAL;
+ chip = (uintptr_t)match;
+
+- regmap = devm_regmap_init_spi(spi, &inv_icm42600_regmap_config);
++ /* use SPI specific regmap */
++ regmap = devm_regmap_init_spi(spi, &inv_icm42600_spi_regmap_config);
+ if (IS_ERR(regmap))
+ return PTR_ERR(regmap);
+
diff --git a/queue-6.6/series b/queue-6.6/series
index 64e9c47c83..b3d9ef9b09 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -59,3 +59,6 @@ hrtimers-handle-cpu-state-correctly-on-hotplug.patch
 drm-i915-fb-relax-clear-color-alignment-to-64-bytes.patch
 drm-amdgpu-always-sync-the-gfx-pipe-on-ctx-switch.patch
 revert-pci-use-preserve_config-in-place-of-pci_flags.patch
+iio-imu-inv_icm42600-fix-spi-burst-write-not-supported.patch
+drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
+block-fix-uaf-for-flush-rq-while-iterating-tags.patch
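Review bot: The new `inv_icm42600_spi_regmap_config` in inv_icm42600_core.c spells out `reg_bits`, `val_bits`, `max_register`, `ranges` and `num_ranges` again and differs only by `.use_single_write = true`; presumably those fields mirror `inv_icm42600_regmap_config`, whose body is outside the hunk, so the two definitions can now drift silently if the register map is ever extended. The one-line comment would do more work as a sync note, for example `/* SPI variant of inv_icm42600_regmap_config: same register map, but burst (bulk) writes are not supported on all icm42600 parts over SPI, so force single-register writes; keep both configs in sync */`, and the terse `/* use SPI specific regmap */` at the devm_regmap_init_spi() call in inv_icm42600_spi.c could say in a few words why the generic config is no longer usable there. The commit message only names writes as broken, so whether `use_single_read` is needed on the same parts is a question for the driver author rather than a defect in this hunk. inv_icm42600_probe starts outside its hunk.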