From: Greg Kroah-Hartman
Date: Mon, 20 Jan 2025 15:33:04 +0000 (+0100)
Subject: 6.1-stable patches
X-Git-Tag: v6.6.73~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b3e50aebc7d1027084d68eb63af85ea54a553667;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
block-fix-uaf-for-flush-rq-while-iterating-tags.patch
drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
drm-amdgpu-fix-usage-slab-after-free.patch
iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch
iio-imu-inv_icm42600-fix-spi-burst-write-not-supported.patch
iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch
---
diff --git a/queue-6.1/block-fix-uaf-for-flush-rq-while-iterating-tags.patch b/queue-6.1/block-fix-uaf-for-flush-rq-while-iterating-tags.patch
new file mode 100644
index 0000000000..f11f51b975
--- /dev/null
+++ b/queue-6.1/block-fix-uaf-for-flush-rq-while-iterating-tags.patch
@@ -0,0 +1,162 @@
+From 3802f73bd80766d70f319658f334754164075bc3 Mon Sep 17 00:00:00 2001
+From: Yu Kuai
+Date: Mon, 4 Nov 2024 19:00:05 +0800
+Subject: block: fix uaf for flush rq while iterating tags
+
+From: Yu Kuai
+
+commit 3802f73bd80766d70f319658f334754164075bc3 upstream.
+
+blk_mq_clear_flush_rq_mapping() is not called during scsi probe, by
+checking blk_queue_init_done(). However, QUEUE_FLAG_INIT_DONE is cleared
+in del_gendisk by commit aec89dc5d421 ("block: keep q_usage_counter in
+atomic mode after del_gendisk"), hence for disk like scsi, following
+blk_mq_destroy_queue() will not clear flush rq from tags->rqs[] as well,
+cause following uaf that is found by our syzkaller for v6.6:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261
+Read of size 4 at addr ffff88811c969c20 by task kworker/1:2H/224909
+
+CPU: 1 PID: 224909 Comm: kworker/1:2H Not tainted 6.6.0-ga836a5060850 #32
+Workqueue: kblockd blk_mq_timeout_work
+Call Trace:
+
+__dump_stack lib/dump_stack.c:88 [inline]
+dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
+print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
+print_report+0x3e/0x70 mm/kasan/report.c:475
+kasan_report+0xb8/0xf0 mm/kasan/report.c:588
+blk_mq_find_and_get_req+0x16e/0x1a0 block/blk-mq-tag.c:261
+bt_iter block/blk-mq-tag.c:288 [inline]
+__sbitmap_for_each_set include/linux/sbitmap.h:295 [inline]
+sbitmap_for_each_set include/linux/sbitmap.h:316 [inline]
+bt_for_each+0x455/0x790 block/blk-mq-tag.c:325
+blk_mq_queue_tag_busy_iter+0x320/0x740 block/blk-mq-tag.c:534
+blk_mq_timeout_work+0x1a3/0x7b0 block/blk-mq.c:1673
+process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631
+process_scheduled_works kernel/workqueue.c:2704 [inline]
+worker_thread+0x804/0xe40 kernel/workqueue.c:2785
+kthread+0x346/0x450 kernel/kthread.c:388
+ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293
+
+Allocated by task 942:
+kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+____kasan_kmalloc mm/kasan/common.c:374 [inline]
+__kasan_kmalloc mm/kasan/common.c:383 [inline]
+__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:380
+kasan_kmalloc include/linux/kasan.h:198 [inline]
+__do_kmalloc_node mm/slab_common.c:1007 [inline]
+__kmalloc_node+0x69/0x170 mm/slab_common.c:1014
+kmalloc_node include/linux/slab.h:620 [inline]
+kzalloc_node include/linux/slab.h:732 [inline]
+blk_alloc_flush_queue+0x144/0x2f0 block/blk-flush.c:499
+blk_mq_alloc_hctx+0x601/0x940 block/blk-mq.c:3788
+blk_mq_alloc_and_init_hctx+0x27f/0x330 block/blk-mq.c:4261
+blk_mq_realloc_hw_ctxs+0x488/0x5e0 block/blk-mq.c:4294
+blk_mq_init_allocated_queue+0x188/0x860 block/blk-mq.c:4350
+blk_mq_init_queue_data block/blk-mq.c:4166 [inline]
+blk_mq_init_queue+0x8d/0x100 block/blk-mq.c:4176
+scsi_alloc_sdev+0x843/0xd50 drivers/scsi/scsi_scan.c:335
+scsi_probe_and_add_lun+0x77c/0xde0 drivers/scsi/scsi_scan.c:1189
+__scsi_scan_target+0x1fc/0x5a0 drivers/scsi/scsi_scan.c:1727
+scsi_scan_channel drivers/scsi/scsi_scan.c:1815 [inline]
+scsi_scan_channel+0x14b/0x1e0 drivers/scsi/scsi_scan.c:1791
+scsi_scan_host_selected+0x2fe/0x400 drivers/scsi/scsi_scan.c:1844
+scsi_scan+0x3a0/0x3f0 drivers/scsi/scsi_sysfs.c:151
+store_scan+0x2a/0x60 drivers/scsi/scsi_sysfs.c:191
+dev_attr_store+0x5c/0x90 drivers/base/core.c:2388
+sysfs_kf_write+0x11c/0x170 fs/sysfs/file.c:136
+kernfs_fop_write_iter+0x3fc/0x610 fs/kernfs/file.c:338
+call_write_iter include/linux/fs.h:2083 [inline]
+new_sync_write+0x1b4/0x2d0 fs/read_write.c:493
+vfs_write+0x76c/0xb00 fs/read_write.c:586
+ksys_write+0x127/0x250 fs/read_write.c:639
+do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
+entry_SYSCALL_64_after_hwframe+0x78/0xe2
+
+Freed by task 244687:
+kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
+____kasan_slab_free mm/kasan/common.c:236 [inline]
+__kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244
+kasan_slab_free include/linux/kasan.h:164 [inline]
+slab_free_hook mm/slub.c:1815 [inline]
+slab_free_freelist_hook mm/slub.c:1841 [inline]
+slab_free mm/slub.c:3807 [inline]
+__kmem_cache_free+0xe4/0x520 mm/slub.c:3820
+blk_free_flush_queue+0x40/0x60 block/blk-flush.c:520
+blk_mq_hw_sysfs_release+0x4a/0x170 block/blk-mq-sysfs.c:37
+kobject_cleanup+0x136/0x410 lib/kobject.c:689
+kobject_release lib/kobject.c:720 [inline]
+kref_put include/linux/kref.h:65 [inline]
+kobject_put+0x119/0x140 lib/kobject.c:737
+blk_mq_release+0x24f/0x3f0 block/blk-mq.c:4144
+blk_free_queue block/blk-core.c:298 [inline]
+blk_put_queue+0xe2/0x180 block/blk-core.c:314
+blkg_free_workfn+0x376/0x6e0 block/blk-cgroup.c:144
+process_one_work+0x7c4/0x1450 kernel/workqueue.c:2631
+process_scheduled_works kernel/workqueue.c:2704 [inline]
+worker_thread+0x804/0xe40 kernel/workqueue.c:2785
+kthread+0x346/0x450 kernel/kthread.c:388
+ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:293
+
+Other than blk_mq_clear_flush_rq_mapping(), the flag is only used in
+blk_register_queue() from initialization path, hence it's safe not to
+clear the flag in del_gendisk. And since QUEUE_FLAG_REGISTERED already
+make sure that queue should only be registered once, there is no need
+to test the flag as well.
+
+Fixes: 6cfeadbff3f8 ("blk-mq: don't clear flush_rq from tags->rqs[]")
+Depends-on: commit aec89dc5d421 ("block: keep q_usage_counter in atomic mode after del_gendisk")
+Signed-off-by: Yu Kuai
+Reviewed-by: Ming Lei
+Link: https://lore.kernel.org/r/20241104110005.1412161-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe
+Signed-off-by: BRUNO VERNAY
+Signed-off-by: Hugo SIMELIERE
+Signed-off-by: Greg Kroah-Hartman
+---
+ block/blk-sysfs.c | 6 ++----
+ block/genhd.c | 9 +++------
+ 2 files changed, 5 insertions(+), 10 deletions(-)
+
+--- a/block/blk-sysfs.c
++++ b/block/blk-sysfs.c
+@@ -858,10 +858,8 @@ unlock:
+ * faster to shut down and is made fully functional here as
+ * request_queues for non-existent devices never get registered.
+ */
+- if (!blk_queue_init_done(q)) {
+- blk_queue_flag_set(QUEUE_FLAG_INIT_DONE, q);
+- percpu_ref_switch_to_percpu(&q->q_usage_counter);
+- }
++ blk_queue_flag_set(QUEUE_FLAG_INIT_DONE, q);
++ percpu_ref_switch_to_percpu(&q->q_usage_counter);
+
+ return ret;
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -685,13 +685,10 @@ void del_gendisk(struct gendisk *disk)
+ * If the disk does not own the queue, allow using passthrough requests
+ * again. Else leave the queue frozen to fail all I/O.
+ */
+- if (!test_bit(GD_OWNS_QUEUE, &disk->state)) {
+- blk_queue_flag_clear(QUEUE_FLAG_INIT_DONE, q);
++ if (!test_bit(GD_OWNS_QUEUE, &disk->state))
+ __blk_mq_unfreeze_queue(q, true);
+- } else {
+- if (queue_is_mq(q))
+- blk_mq_exit_queue(q);
+- }
++ else if (queue_is_mq(q))
++ blk_mq_exit_queue(q);
+ }
+ EXPORT_SYMBOL(del_gendisk);
+
diff --git a/queue-6.1/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch b/queue-6.1/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
new file mode 100644
index 0000000000..2fb5879cc9
--- /dev/null
+++ b/queue-6.1/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
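Review bot: The genhd.c hunk removes the only place that cleared QUEUE_FLAG_INIT_DONE, which turns "set once in blk_register_queue(), never cleared afterwards" into an invariant that blk_mq_clear_flush_rq_mapping() depends on to drop the flush rq from tags->rqs[] at teardown, yet nothing in the code records it and the commit message is the only explanation. A comment above the now-unconditional `blk_queue_flag_set(QUEUE_FLAG_INIT_DONE, q);` in blk-sysfs.c, e.g. `/* INIT_DONE is never cleared again: blk_mq_clear_flush_rq_mapping() relies on it at teardown */`, would keep a later cleanup from reintroducing the clear in del_gendisk(). The backport header also declares `Depends-on: commit aec89dc5d421`; the removed `blk_queue_flag_clear(QUEUE_FLAG_INIT_DONE, q);` line only exists in 6.1 if that commit is present, so the dependency should be confirmed before this lands in queue-6.1. Both blk_register_queue() and del_gendisk() begin and end outside the hunks.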
@@ -0,0 +1,106 @@
+From 63de35a8fcfca59ae8750d469a7eb220c7557baf Mon Sep 17 00:00:00 2001
+From: Srinivasan Shanmugam
+Date: Wed, 25 Sep 2024 20:04:15 +0530
+Subject: drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'
+
+From: Srinivasan Shanmugam
+
+commit 63de35a8fcfca59ae8750d469a7eb220c7557baf upstream.
+
+An issue was identified in the dcn21_link_encoder_create function where
+an out-of-bounds access could occur when the hpd_source index was used
+to reference the link_enc_hpd_regs array. This array has a fixed size
+and the index was not being checked against the array's bounds before
+accessing it.
+
+This fix adds a conditional check to ensure that the hpd_source index is
+within the valid range of the link_enc_hpd_regs array. If the index is
+out of bounds, the function now returns NULL to prevent undefined
+behavior.
+
+References:
+
+[ 65.920507] ------------[ cut here ]------------
+[ 65.920510] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn21/dcn21_resource.c:1312:29
+[ 65.920519] index 7 is out of range for type 'dcn10_link_enc_hpd_registers [5]'
+[ 65.920523] CPU: 3 PID: 1178 Comm: modprobe Tainted: G OE 6.8.0-cleanershaderfeatureresetasdntipmi200nv2132 #13
+[ 65.920525] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS WMJ0429N_Weekly_20_04_2 04/29/2020
+[ 65.920527] Call Trace:
+[ 65.920529]
+[ 65.920532] dump_stack_lvl+0x48/0x70
+[ 65.920541] dump_stack+0x10/0x20
+[ 65.920543] __ubsan_handle_out_of_bounds+0xa2/0xe0
+[ 65.920549] dcn21_link_encoder_create+0xd9/0x140 [amdgpu]
+[ 65.921009] link_create+0x6d3/0xed0 [amdgpu]
+[ 65.921355] create_links+0x18a/0x4e0 [amdgpu]
+[ 65.921679] dc_create+0x360/0x720 [amdgpu]
+[ 65.921999] ? dmi_matches+0xa0/0x220
+[ 65.922004] amdgpu_dm_init+0x2b6/0x2c90 [amdgpu]
+[ 65.922342] ? console_unlock+0x77/0x120
+[ 65.922348] ? dev_printk_emit+0x86/0xb0
+[ 65.922354] dm_hw_init+0x15/0x40 [amdgpu]
+[ 65.922686] amdgpu_device_init+0x26a8/0x33a0 [amdgpu]
+[ 65.922921] amdgpu_driver_load_kms+0x1b/0xa0 [amdgpu]
+[ 65.923087] amdgpu_pci_probe+0x1b7/0x630 [amdgpu]
+[ 65.923087] local_pci_probe+0x4b/0xb0
+[ 65.923087] pci_device_probe+0xc8/0x280
+[ 65.923087] really_probe+0x187/0x300
+[ 65.923087] __driver_probe_device+0x85/0x130
+[ 65.923087] driver_probe_device+0x24/0x110
+[ 65.923087] __driver_attach+0xac/0x1d0
+[ 65.923087] ? __pfx___driver_attach+0x10/0x10
+[ 65.923087] bus_for_each_dev+0x7d/0xd0
+[ 65.923087] driver_attach+0x1e/0x30
+[ 65.923087] bus_add_driver+0xf2/0x200
+[ 65.923087] driver_register+0x64/0x130
+[ 65.923087] ? __pfx_amdgpu_init+0x10/0x10 [amdgpu]
+[ 65.923087] __pci_register_driver+0x61/0x70
+[ 65.923087] amdgpu_init+0x7d/0xff0 [amdgpu]
+[ 65.923087] do_one_initcall+0x49/0x310
+[ 65.923087] ? kmalloc_trace+0x136/0x360
+[ 65.923087] do_init_module+0x6a/0x270
+[ 65.923087] load_module+0x1fce/0x23a0
+[ 65.923087] init_module_from_file+0x9c/0xe0
+[ 65.923087] ? init_module_from_file+0x9c/0xe0
+[ 65.923087] idempotent_init_module+0x179/0x230
+[ 65.923087] __x64_sys_finit_module+0x5d/0xa0
+[ 65.923087] do_syscall_64+0x76/0x120
+[ 65.923087] entry_SYSCALL_64_after_hwframe+0x6e/0x76
+[ 65.923087] RIP: 0033:0x7f2d80f1e88d
+[ 65.923087] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48
+[ 65.923087] RSP: 002b:00007ffc7bc1aa78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 65.923087] RAX: ffffffffffffffda RBX: 0000564c9c1db130 RCX: 00007f2d80f1e88d
+[ 65.923087] RDX: 0000000000000000 RSI: 0000564c9c1e5480 RDI: 000000000000000f
+[ 65.923087] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000002
+[ 65.923087] R10: 000000000000000f R11: 0000000000000246 R12: 0000564c9c1e5480
+[ 65.923087] R13: 0000564c9c1db260 R14: 0000000000000000 R15: 0000564c9c1e54b0
+[ 65.923087]
+[ 65.923927] ---[ end trace ]---
+
+Cc: Tom Chung
+Cc: Rodrigo Siqueira
+Cc: Roman Li
+Cc: Alex Hung
+Cc: Aurabindo Pillai
+Cc: Harry Wentland
+Cc: Hamza Mahfooz
+Signed-off-by: Srinivasan Shanmugam
+Reviewed-by: Roman Li
+Signed-off-by: Alex Deucher
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+@@ -1340,7 +1340,7 @@ static struct link_encoder *dcn21_link_e
+ kzalloc(sizeof(struct dcn21_link_encoder), GFP_KERNEL);
+ int link_regs_id;
+
+- if (!enc21)
++ if (!enc21 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
+ return NULL;
+
+ link_regs_id =
diff --git a/queue-6.1/drm-amdgpu-fix-usage-slab-after-free.patch b/queue-6.1/drm-amdgpu-fix-usage-slab-after-free.patch
new file mode 100644
index 0000000000..b82bb3726f
--- /dev/null
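Review bot: The merged condition `if (!enc21 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))` returns NULL after `enc21` has already been allocated by the kzalloc() in the declaration just above it, so an out-of-range hpd_source now leaks one dcn21_link_encoder object per call instead of reading past the array. Keep the allocation check as it was and give the bounds failure its own exit that releases the object: `if (enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs)) { kfree(enc21); return NULL; }`. The comparison is adequate on its own, since a negative hpd_source converts to a large size_t and fails it too. dcn21_link_encoder_create() starts and ends outside the hunk.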
+++ b/queue-6.1/drm-amdgpu-fix-usage-slab-after-free.patch 
@@ -0,0 +1,219 @@
+From b61badd20b443eabe132314669bb51a263982e5c Mon Sep 17 00:00:00 2001
+From: Vitaly Prosyak
+Date: Mon, 11 Nov 2024 17:24:08 -0500
+Subject: drm/amdgpu: fix usage slab after free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vitaly Prosyak
+
+commit b61badd20b443eabe132314669bb51a263982e5c upstream.
+
+[ +0.000021] BUG: KASAN: slab-use-after-free in drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]
+[ +0.000027] Read of size 8 at addr ffff8881b8605f88 by task amd_pci_unplug/2147
+
+[ +0.000023] CPU: 6 PID: 2147 Comm: amd_pci_unplug Not tainted 6.10.0+ #1
+[ +0.000016] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020
+[ +0.000016] Call Trace:
+[ +0.000008]
+[ +0.000009] dump_stack_lvl+0x76/0xa0
+[ +0.000017] print_report+0xce/0x5f0
+[ +0.000017] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]
+[ +0.000019] ? srso_return_thunk+0x5/0x5f
+[ +0.000015] ? kasan_complete_mode_report_info+0x72/0x200
+[ +0.000016] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]
+[ +0.000019] kasan_report+0xbe/0x110
+[ +0.000015] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]
+[ +0.000023] __asan_report_load8_noabort+0x14/0x30
+[ +0.000014] drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]
+[ +0.000020] ? srso_return_thunk+0x5/0x5f
+[ +0.000013] ? __kasan_check_write+0x14/0x30
+[ +0.000016] ? __pfx_drm_sched_entity_flush+0x10/0x10 [gpu_sched]
+[ +0.000020] ? srso_return_thunk+0x5/0x5f
+[ +0.000013] ? __kasan_check_write+0x14/0x30
+[ +0.000013] ? srso_return_thunk+0x5/0x5f
+[ +0.000013] ? enable_work+0x124/0x220
+[ +0.000015] ? __pfx_enable_work+0x10/0x10
+[ +0.000013] ? srso_return_thunk+0x5/0x5f
+[ +0.000014] ? free_large_kmalloc+0x85/0xf0
+[ +0.000016] drm_sched_entity_destroy+0x18/0x30 [gpu_sched]
+[ +0.000020] amdgpu_vce_sw_fini+0x55/0x170 [amdgpu]
+[ +0.000735] ? __kasan_check_read+0x11/0x20
+[ +0.000016] vce_v4_0_sw_fini+0x80/0x110 [amdgpu]
+[ +0.000726] amdgpu_device_fini_sw+0x331/0xfc0 [amdgpu]
+[ +0.000679] ? mutex_unlock+0x80/0xe0
+[ +0.000017] ? __pfx_amdgpu_device_fini_sw+0x10/0x10 [amdgpu]
+[ +0.000662] ? srso_return_thunk+0x5/0x5f
+[ +0.000014] ? __kasan_check_write+0x14/0x30
+[ +0.000013] ? srso_return_thunk+0x5/0x5f
+[ +0.000013] ? mutex_unlock+0x80/0xe0
+[ +0.000016] amdgpu_driver_release_kms+0x16/0x80 [amdgpu]
+[ +0.000663] drm_minor_release+0xc9/0x140 [drm]
+[ +0.000081] drm_release+0x1fd/0x390 [drm]
+[ +0.000082] __fput+0x36c/0xad0
+[ +0.000018] __fput_sync+0x3c/0x50
+[ +0.000014] __x64_sys_close+0x7d/0xe0
+[ +0.000014] x64_sys_call+0x1bc6/0x2680
+[ +0.000014] do_syscall_64+0x70/0x130
+[ +0.000014] ? srso_return_thunk+0x5/0x5f
+[ +0.000014] ? irqentry_exit_to_user_mode+0x60/0x190
+[ +0.000015] ? srso_return_thunk+0x5/0x5f
+[ +0.000014] ? irqentry_exit+0x43/0x50
+[ +0.000012] ? srso_return_thunk+0x5/0x5f
+[ +0.000013] ? exc_page_fault+0x7c/0x110
+[ +0.000015] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ +0.000014] RIP: 0033:0x7ffff7b14f67
+[ +0.000013] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff
+[ +0.000026] RSP: 002b:00007fffffffe378 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
+[ +0.000019] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffff7b14f67
+[ +0.000014] RDX: 0000000000000000 RSI: 00007ffff7f6f47a RDI: 0000000000000003
+[ +0.000014] RBP: 00007fffffffe3a0 R08: 0000555555569890 R09: 0000000000000000
+[ +0.000014] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffffffe5c8
+[ +0.000013] R13: 00005555555552a9 R14: 0000555555557d48 R15: 00007ffff7ffd040
+[ +0.000020]
+
+[ +0.000016] Allocated by task 383 on cpu 7 at 26.880319s:
+[ +0.000014] kasan_save_stack+0x28/0x60
+[ +0.000008] kasan_save_track+0x18/0x70
+[ +0.000007] kasan_save_alloc_info+0x38/0x60
+[ +0.000007] __kasan_kmalloc+0xc1/0xd0
+[ +0.000007] kmalloc_trace_noprof+0x180/0x380
+[ +0.000007] drm_sched_init+0x411/0xec0 [gpu_sched]
+[ +0.000012] amdgpu_device_init+0x695f/0xa610 [amdgpu]
+[ +0.000658] amdgpu_driver_load_kms+0x1a/0x120 [amdgpu]
+[ +0.000662] amdgpu_pci_probe+0x361/0xf30 [amdgpu]
+[ +0.000651] local_pci_probe+0xe7/0x1b0
+[ +0.000009] pci_device_probe+0x248/0x890
+[ +0.000008] really_probe+0x1fd/0x950
+[ +0.000008] __driver_probe_device+0x307/0x410
+[ +0.000007] driver_probe_device+0x4e/0x150
+[ +0.000007] __driver_attach+0x223/0x510
+[ +0.000006] bus_for_each_dev+0x102/0x1a0
+[ +0.000007] driver_attach+0x3d/0x60
+[ +0.000006] bus_add_driver+0x2ac/0x5f0
+[ +0.000006] driver_register+0x13d/0x490
+[ +0.000008] __pci_register_driver+0x1ee/0x2b0
+[ +0.000007] llc_sap_close+0xb0/0x160 [llc]
+[ +0.000009] do_one_initcall+0x9c/0x3e0
+[ +0.000008] do_init_module+0x241/0x760
+[ +0.000008] load_module+0x51ac/0x6c30
+[ +0.000006] __do_sys_init_module+0x234/0x270
+[ +0.000007] __x64_sys_init_module+0x73/0xc0
+[ +0.000006] x64_sys_call+0xe3/0x2680
+[ +0.000006] do_syscall_64+0x70/0x130
+[ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[ +0.000015] Freed by task 2147 on cpu 6 at 160.507651s:
+[ +0.000013] kasan_save_stack+0x28/0x60
+[ +0.000007] kasan_save_track+0x18/0x70
+[ +0.000007] kasan_save_free_info+0x3b/0x60
+[ +0.000007] poison_slab_object+0x115/0x1c0
+[ +0.000007] __kasan_slab_free+0x34/0x60
+[ +0.000007] kfree+0xfa/0x2f0
+[ +0.000007] drm_sched_fini+0x19d/0x410 [gpu_sched]
+[ +0.000012] amdgpu_fence_driver_sw_fini+0xc4/0x2f0 [amdgpu]
+[ +0.000662] amdgpu_device_fini_sw+0x77/0xfc0 [amdgpu]
+[ +0.000653] amdgpu_driver_release_kms+0x16/0x80 [amdgpu]
+[ +0.000655] drm_minor_release+0xc9/0x140 [drm]
+[ +0.000071] drm_release+0x1fd/0x390 [drm]
+[ +0.000071] __fput+0x36c/0xad0
+[ +0.000008] __fput_sync+0x3c/0x50
+[ +0.000007] __x64_sys_close+0x7d/0xe0
+[ +0.000007] x64_sys_call+0x1bc6/0x2680
+[ +0.000007] do_syscall_64+0x70/0x130
+[ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[ +0.000014] The buggy address belongs to the object at ffff8881b8605f80
+ which belongs to the cache kmalloc-64 of size 64
+[ +0.000020] The buggy address is located 8 bytes inside of
+ freed 64-byte region [ffff8881b8605f80, ffff8881b8605fc0)
+
+[ +0.000028] The buggy address belongs to the physical page:
+[ +0.000011] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b8605
+[ +0.000008] anon flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
+[ +0.000007] page_type: 0xffffefff(slab)
+[ +0.000009] raw: 0017ffffc0000000 ffff8881000428c0 0000000000000000 dead000000000001
+[ +0.000006] raw: 0000000000000000 0000000000200020 00000001ffffefff 0000000000000000
+[ +0.000006] page dumped because: kasan: bad access detected
+
+[ +0.000012] Memory state around the buggy address:
+[ +0.000011] ffff8881b8605e80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ +0.000015] ffff8881b8605f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+[ +0.000015] >ffff8881b8605f80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ +0.000013] ^
+[ +0.000011] ffff8881b8606000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
+[ +0.000014] ffff8881b8606080: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb
+[ +0.000013] ==================================================================
+
+The issue reproduced on VG20 during the IGT pci_unplug test.
+The root cause of the issue is that the function drm_sched_fini is called before drm_sched_entity_kill.
+In drm_sched_fini, the drm_sched_rq structure is freed, but this structure is later accessed by
+each entity within the run queue, leading to invalid memory access.
+To resolve this, the order of cleanup calls is updated:
+
+ Before:
+ amdgpu_fence_driver_sw_fini
+ amdgpu_device_ip_fini
+
+ After:
+ amdgpu_device_ip_fini
+ amdgpu_fence_driver_sw_fini
+
+This updated order ensures that all entities in the IPs are cleaned up first, followed by proper
+cleanup of the schedulers.
+
+Additional Investigation:
+
+During debugging, another issue was identified in the amdgpu_vce_sw_fini function. The vce.vcpu_bo
+buffer must be freed only as the final step in the cleanup process to prevent any premature
+access during earlier cleanup stages.
+
+v2: Using Christian suggestion call drm_sched_entity_destroy before drm_sched_fini.
+
+Cc: Christian König
+Cc: Alex Deucher
+Signed-off-by: Vitaly Prosyak
+Reviewed-by: Christian König
+Signed-off-by: Alex Deucher
+Cc: stable@vger.kernel.org
+Signed-off-by: Alva Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4131,8 +4131,8 @@ void amdgpu_device_fini_sw(struct amdgpu
+ int idx;
+ bool px;
+
+- amdgpu_fence_driver_sw_fini(adev);
+ amdgpu_device_ip_fini(adev);
++ amdgpu_fence_driver_sw_fini(adev);
+ release_firmware(adev->firmware.gpu_info_fw);
+ adev->firmware.gpu_info_fw = NULL;
+ adev->accel_working = false;
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+@@ -220,15 +220,15 @@ int amdgpu_vce_sw_fini(struct amdgpu_dev
+
+ drm_sched_entity_destroy(&adev->vce.entity);
+
+- amdgpu_bo_free_kernel(&adev->vce.vcpu_bo, &adev->vce.gpu_addr,
+- (void **)&adev->vce.cpu_addr);
+-
+ for (i = 0; i < adev->vce.num_rings; i++)
+ amdgpu_ring_fini(&adev->vce.ring[i]);
+
+ release_firmware(adev->vce.fw);
+ mutex_destroy(&adev->vce.idle_mutex);
+
++ amdgpu_bo_free_kernel(&adev->vce.vcpu_bo, &adev->vce.gpu_addr,
++ (void **)&adev->vce.cpu_addr);
++
+ return 0;
+ }
+
diff --git a/queue-6.1/iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch b/queue-6.1/iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch
new file mode 100644
index 0000000000..2fae8730e2
--- /dev/null
+++ b/queue-6.1/iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch
@@ -0,0 +1,38 @@
+From 38724591364e1e3b278b4053f102b49ea06ee17c Mon Sep 17 00:00:00 2001
+From: Javier Carrasco
+Date: Mon, 25 Nov 2024 22:16:12 +0100
+Subject: iio: adc: rockchip_saradc: fix information leak in triggered buffer
+
+From: Javier Carrasco
+
+commit 38724591364e1e3b278b4053f102b49ea06ee17c upstream.
+
+The 'data' local struct is used to push data to user space from a
+triggered buffer, but it does not set values for inactive channels, as
+it only uses iio_for_each_active_channel() to assign new values.
+
+Initialize the struct to zero before using it to avoid pushing
+uninitialized information to userspace.
+
+Cc: stable@vger.kernel.org
+Fixes: 4e130dc7b413 ("iio: adc: rockchip_saradc: Add support iio buffers")
+Signed-off-by: Javier Carrasco
+Link: https://patch.msgid.link/20241125-iio_memset_scan_holes-v1-4-0cb6e98d895c@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Bin Lan
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/adc/rockchip_saradc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/adc/rockchip_saradc.c
++++ b/drivers/iio/adc/rockchip_saradc.c
+@@ -270,6 +270,8 @@ static irqreturn_t rockchip_saradc_trigg
+ int ret;
+ int i, j = 0;
+
++ memset(&data, 0, sizeof(data));
++
+ mutex_lock(&i_dev->mlock);
+
+ for_each_set_bit(i, i_dev->active_scan_mask, i_dev->masklength) {
diff --git a/queue-6.1/iio-imu-inv_icm42600-fix-spi-burst-write-not-supported.patch b/queue-6.1/iio-imu-inv_icm42600-fix-spi-burst-write-not-supported.patch
new file mode 100644
index 0000000000..cefaefe165
--- /dev/null
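Review bot: The new order in amdgpu_device_fini_sw() — `amdgpu_device_ip_fini(adev);` now ahead of `amdgpu_fence_driver_sw_fini(adev);` — is load-bearing (the freed-by trace shows drm_sched_fini() running from amdgpu_fence_driver_sw_fini(), and the IP sw_fini path still destroys scheduler entities that reference those run queues), but the only record of the constraint is the commit message; nothing in the code stops a later cleanup from swapping the two calls back. A one-line comment above the pair, such as `/* IP sw_fini destroys scheduler entities; keep it before the fence driver frees the schedulers */`, would pin the order. The same holds for the vce hunk, where `amdgpu_bo_free_kernel(&adev->vce.vcpu_bo, ...)` was moved to the tail of amdgpu_vce_sw_fini() because the message says vcpu_bo must be released last; a comment there stating that would help. Both functions begin and end outside the hunks.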
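Review bot: The added `memset(&data, 0, sizeof(data));` in the rockchip_saradc trigger handler carries no explanation, and the reason — only active channels are written in the loop below, so inactive slots and padding would otherwise carry stale stack contents into the buffer pushed to userspace — is exactly the kind of line a later "unnecessary initialisation" cleanup would remove. A comment such as `/* zero inactive channels and padding: only active ones are filled below and the whole struct goes to userspace */` above the memset would record it; memset is also the right choice over an `= {}` initializer here because it covers padding bytes as well. The declaration of `data` and the push to userspace are outside the hunk, so the struct layout cannot be checked from here.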
+++ b/queue-6.1/iio-imu-inv_icm42600-fix-spi-burst-write-not-supported.patch 
@@ -0,0 +1,68 @@
+From c0f866de4ce447bca3191b9cefac60c4b36a7922 Mon Sep 17 00:00:00 2001
+From: Jean-Baptiste Maneyrol
+Date: Tue, 12 Nov 2024 10:30:10 +0100
+Subject: iio: imu: inv_icm42600: fix spi burst write not supported
+
+From: Jean-Baptiste Maneyrol
+
+commit c0f866de4ce447bca3191b9cefac60c4b36a7922 upstream.
+
+Burst write with SPI is not working for all icm42600 chips. It was
+only used for setting user offsets with regmap_bulk_write.
+
+Add specific SPI regmap config for using only single write with SPI.
+
+Fixes: 9f9ff91b775b ("iio: imu: inv_icm42600: add SPI driver for inv_icm42600 driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jean-Baptiste Maneyrol
+Link: https://patch.msgid.link/20241112-inv-icm42600-fix-spi-burst-write-not-supported-v2-1-97690dc03607@tdk.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600.h | 1 +
+ drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 11 +++++++++++
+ drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c | 3 ++-
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600.h
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600.h
+@@ -360,6 +360,7 @@ struct inv_icm42600_state {
+ typedef int (*inv_icm42600_bus_setup)(struct inv_icm42600_state *);
+
+ extern const struct regmap_config inv_icm42600_regmap_config;
++extern const struct regmap_config inv_icm42600_spi_regmap_config;
+ extern const struct dev_pm_ops inv_icm42600_pm_ops;
+
+ const struct iio_mount_matrix *
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
+@@ -43,6 +43,17 @@ const struct regmap_config inv_icm42600_
+ };
+ EXPORT_SYMBOL_GPL(inv_icm42600_regmap_config);
+
++/* define specific regmap for SPI not supporting burst write */
++const struct regmap_config inv_icm42600_spi_regmap_config = {
++ .reg_bits = 8,
++ .val_bits = 8,
++ .max_register = 0x4FFF,
++ .ranges = inv_icm42600_regmap_ranges,
++ .num_ranges = ARRAY_SIZE(inv_icm42600_regmap_ranges),
++ .use_single_write = true,
++};
++EXPORT_SYMBOL_NS_GPL(inv_icm42600_spi_regmap_config, IIO_ICM42600);
++
+ struct inv_icm42600_hw {
+ uint8_t whoami;
+ const char *name;
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_spi.c
+@@ -59,7 +59,8 @@ static int inv_icm42600_probe(struct spi
+ return -EINVAL;
+ chip = (uintptr_t)match;
+
+- regmap = devm_regmap_init_spi(spi, &inv_icm42600_regmap_config);
++ /* use SPI specific regmap */
++ regmap = devm_regmap_init_spi(spi, &inv_icm42600_spi_regmap_config);
+ if (IS_ERR(regmap))
+ return PTR_ERR(regmap);
+
diff --git a/queue-6.1/iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch b/queue-6.1/iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch
new file mode 100644
index 0000000000..8cbb19d163
--- /dev/null
+++ b/queue-6.1/iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch
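Review bot: The new `EXPORT_SYMBOL_NS_GPL(inv_icm42600_spi_regmap_config, IIO_ICM42600);` does not match the existing export earlier in the same hunk, `EXPORT_SYMBOL_GPL(inv_icm42600_regmap_config);`, which shows the 6.1 core file exports without a symbol namespace. Unless the SPI module already has a `MODULE_IMPORT_NS(IIO_ICM42600)` (not visible here, and unlikely given the un-namespaced sibling), modpost will flag inv_icm42600_spi for using a namespaced symbol it does not import, and the new config will not be usable from the `devm_regmap_init_spi(spi, &inv_icm42600_spi_regmap_config)` line added in inv_icm42600_probe(). For the backport the export should follow the file's existing convention: `EXPORT_SYMBOL_GPL(inv_icm42600_spi_regmap_config);`. The duplicated `.reg_bits`, `.val_bits`, `.max_register` and `.ranges` values also have to stay in step with inv_icm42600_regmap_config, whose body lies outside the hunk.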
@@ -0,0 +1,48 @@
+From 65a60a590142c54a3f3be11ff162db2d5b0e1e06 Mon Sep 17 00:00:00 2001
+From: Jean-Baptiste Maneyrol
+Date: Wed, 13 Nov 2024 21:25:45 +0100
+Subject: iio: imu: inv_icm42600: fix timestamps after suspend if sensor is on
+
+From: Jean-Baptiste Maneyrol
+
+commit 65a60a590142c54a3f3be11ff162db2d5b0e1e06 upstream.
+
+Currently suspending while sensors are one will result in timestamping
+continuing without gap at resume. It can work with monotonic clock but
+not with other clocks. Fix that by resetting timestamping.
+
+Fixes: ec74ae9fd37c ("iio: imu: inv_icm42600: add accurate timestamping")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jean-Baptiste Maneyrol
+Link: https://patch.msgid.link/20241113-inv_icm42600-fix-timestamps-after-suspend-v1-1-dfc77c394173@tdk.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/imu/inv_icm42600/inv_icm42600_core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
++++ b/drivers/iio/imu/inv_icm42600/inv_icm42600_core.c
+@@ -720,6 +720,8 @@ out_unlock:
+ static int __maybe_unused inv_icm42600_resume(struct device *dev)
+ {
+ struct inv_icm42600_state *st = dev_get_drvdata(dev);
++ struct inv_icm42600_timestamp *gyro_ts = iio_priv(st->indio_gyro);
++ struct inv_icm42600_timestamp *accel_ts = iio_priv(st->indio_accel);
+ int ret;
+
+ mutex_lock(&st->lock);
+@@ -740,9 +742,12 @@ static int __maybe_unused inv_icm42600_r
+ goto out_unlock;
+
+ /* restore FIFO data streaming */
+- if (st->fifo.on)
++ if (st->fifo.on) {
++ inv_icm42600_timestamp_reset(gyro_ts);
++ inv_icm42600_timestamp_reset(accel_ts);
+ ret = regmap_write(st->map, INV_ICM42600_REG_FIFO_CONFIG,
+ INV_ICM42600_FIFO_CONFIG_STREAM);
++ }
+
+ out_unlock:
+ mutex_unlock(&st->lock);
diff --git a/queue-6.1/series b/queue-6.1/series
index bc15f62a95..d51cf20647 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
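Review bot: The existing comment `/* restore FIFO data streaming */` now heads a block that also calls `inv_icm42600_timestamp_reset()` on both sensors, and nothing in the code says why the reset belongs there. Extending it to `/* restore FIFO data streaming; reset timestamping so the time spent in suspend is not bridged as if no gap occurred */` would carry the commit message's rationale into the source where the next maintainer will see it. The two `iio_priv()` lookups added at the top of inv_icm42600_resume() are only consumed inside the `if (st->fifo.on)` branch; harmless, but declaring them next to their use would keep the fast path tidy. inv_icm42600_resume() continues outside the hunk.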
@@ -46,3 +46,9 @@ irqchip-gic-v3-its-don-t-enable-interrupts-in-its_irq_set_vcpu_affinity.patch
 hrtimers-handle-cpu-state-correctly-on-hotplug.patch
 drm-i915-fb-relax-clear-color-alignment-to-64-bytes.patch
 revert-pci-use-preserve_config-in-place-of-pci_flags.patch
+iio-imu-inv_icm42600-fix-spi-burst-write-not-supported.patch
+iio-imu-inv_icm42600-fix-timestamps-after-suspend-if-sensor-is-on.patch
+iio-adc-rockchip_saradc-fix-information-leak-in-triggered-buffer.patch
+drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
+drm-amdgpu-fix-usage-slab-after-free.patch
+block-fix-uaf-for-flush-rq-while-iterating-tags.patch