From 0a5e349290d2b53d2ee82485157ab892224a260c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 22 Apr 2025 10:52:54 +0200 Subject: [PATCH] 5.15-stable patches added patches: drm-amd-display-add-null-checks-for-stream-and-plane-before-dereferencing.patch drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch drm-amdgpu-fix-usage-slab-after-free.patch landlock-add-the-errata-interface.patch --- ...tream-and-plane-before-dereferencing.patch | 53 +++ ...-access-in-dcn21_link_encoder_create.patch | 107 ++++++ ...hen-link-nums-greater-than-max_links.patch | 60 ++++ ...drm-amdgpu-fix-usage-slab-after-free.patch | 221 ++++++++++++ .../landlock-add-the-errata-interface.patch | 336 ++++++++++++++++++ queue-5.15/series | 5 + 6 files changed, 782 insertions(+) create mode 100644 queue-5.15/drm-amd-display-add-null-checks-for-stream-and-plane-before-dereferencing.patch create mode 100644 queue-5.15/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch create mode 100644 queue-5.15/drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch create mode 100644 queue-5.15/drm-amdgpu-fix-usage-slab-after-free.patch create mode 100644 queue-5.15/landlock-add-the-errata-interface.patch diff --git a/queue-5.15/drm-amd-display-add-null-checks-for-stream-and-plane-before-dereferencing.patch b/queue-5.15/drm-amd-display-add-null-checks-for-stream-and-plane-before-dereferencing.patch new file mode 100644 index 0000000000..6a9189a846 --- /dev/null +++ b/queue-5.15/drm-amd-display-add-null-checks-for-stream-and-plane-before-dereferencing.patch @@ -0,0 +1,53 @@ +From 15c2990e0f0108b9c3752d7072a97d45d4283aea Mon Sep 17 00:00:00 2001 +From: Srinivasan Shanmugam +Date: Mon, 27 May 2024 20:15:21 +0530 +Subject: drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing + +From: Srinivasan Shanmugam + +commit 15c2990e0f0108b9c3752d7072a97d45d4283aea upstream. + +This commit adds null checks for the 'stream' and 'plane' variables in +the dcn30_apply_idle_power_optimizations function. These variables were +previously assumed to be null at line 922, but they were used later in +the code without checking if they were null. This could potentially lead +to a null pointer dereference, which would cause a crash. + +The null checks ensure that 'stream' and 'plane' are not null before +they are used, preventing potential crashes. + +Fixes the below static smatch checker: +drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922) +drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922) + +Cc: Tom Chung +Cc: Nicholas Kazlauskas +Cc: Bhawanpreet Lakha +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Hersen Wu +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Aurabindo Pillai +Signed-off-by: Alex Deucher +Signed-off-by: Zhi Yang +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c +@@ -784,6 +784,9 @@ bool dcn30_apply_idle_power_optimization + stream = dc->current_state->streams[0]; + plane = (stream ? dc->current_state->stream_status[0].plane_states[0] : NULL); + ++ if (!stream || !plane) ++ return false; ++ + if (stream && plane) { + cursor_cache_enable = stream->cursor_position.enable && + plane->address.grph.cursor_cache_addr.quad_part; diff --git a/queue-5.15/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch b/queue-5.15/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch new file mode 100644 index 0000000000..93b296b132 --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch @@ -0,0 +1,107 @@ +From 63de35a8fcfca59ae8750d469a7eb220c7557baf Mon Sep 17 00:00:00 2001 +From: Srinivasan Shanmugam +Date: Wed, 25 Sep 2024 20:04:15 +0530 +Subject: drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' + +From: Srinivasan Shanmugam + +commit 63de35a8fcfca59ae8750d469a7eb220c7557baf upstream. + +An issue was identified in the dcn21_link_encoder_create function where +an out-of-bounds access could occur when the hpd_source index was used +to reference the link_enc_hpd_regs array. This array has a fixed size +and the index was not being checked against the array's bounds before +accessing it. + +This fix adds a conditional check to ensure that the hpd_source index is +within the valid range of the link_enc_hpd_regs array. If the index is +out of bounds, the function now returns NULL to prevent undefined +behavior. + +References: + +[ 65.920507] ------------[ cut here ]------------ +[ 65.920510] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn21/dcn21_resource.c:1312:29 +[ 65.920519] index 7 is out of range for type 'dcn10_link_enc_hpd_registers [5]' +[ 65.920523] CPU: 3 PID: 1178 Comm: modprobe Tainted: G OE 6.8.0-cleanershaderfeatureresetasdntipmi200nv2132 #13 +[ 65.920525] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS WMJ0429N_Weekly_20_04_2 04/29/2020 +[ 65.920527] Call Trace: +[ 65.920529] +[ 65.920532] dump_stack_lvl+0x48/0x70 +[ 65.920541] dump_stack+0x10/0x20 +[ 65.920543] __ubsan_handle_out_of_bounds+0xa2/0xe0 +[ 65.920549] dcn21_link_encoder_create+0xd9/0x140 [amdgpu] +[ 65.921009] link_create+0x6d3/0xed0 [amdgpu] +[ 65.921355] create_links+0x18a/0x4e0 [amdgpu] +[ 65.921679] dc_create+0x360/0x720 [amdgpu] +[ 65.921999] ? dmi_matches+0xa0/0x220 +[ 65.922004] amdgpu_dm_init+0x2b6/0x2c90 [amdgpu] +[ 65.922342] ? console_unlock+0x77/0x120 +[ 65.922348] ? dev_printk_emit+0x86/0xb0 +[ 65.922354] dm_hw_init+0x15/0x40 [amdgpu] +[ 65.922686] amdgpu_device_init+0x26a8/0x33a0 [amdgpu] +[ 65.922921] amdgpu_driver_load_kms+0x1b/0xa0 [amdgpu] +[ 65.923087] amdgpu_pci_probe+0x1b7/0x630 [amdgpu] +[ 65.923087] local_pci_probe+0x4b/0xb0 +[ 65.923087] pci_device_probe+0xc8/0x280 +[ 65.923087] really_probe+0x187/0x300 +[ 65.923087] __driver_probe_device+0x85/0x130 +[ 65.923087] driver_probe_device+0x24/0x110 +[ 65.923087] __driver_attach+0xac/0x1d0 +[ 65.923087] ? __pfx___driver_attach+0x10/0x10 +[ 65.923087] bus_for_each_dev+0x7d/0xd0 +[ 65.923087] driver_attach+0x1e/0x30 +[ 65.923087] bus_add_driver+0xf2/0x200 +[ 65.923087] driver_register+0x64/0x130 +[ 65.923087] ? __pfx_amdgpu_init+0x10/0x10 [amdgpu] +[ 65.923087] __pci_register_driver+0x61/0x70 +[ 65.923087] amdgpu_init+0x7d/0xff0 [amdgpu] +[ 65.923087] do_one_initcall+0x49/0x310 +[ 65.923087] ? kmalloc_trace+0x136/0x360 +[ 65.923087] do_init_module+0x6a/0x270 +[ 65.923087] load_module+0x1fce/0x23a0 +[ 65.923087] init_module_from_file+0x9c/0xe0 +[ 65.923087] ? init_module_from_file+0x9c/0xe0 +[ 65.923087] idempotent_init_module+0x179/0x230 +[ 65.923087] __x64_sys_finit_module+0x5d/0xa0 +[ 65.923087] do_syscall_64+0x76/0x120 +[ 65.923087] entry_SYSCALL_64_after_hwframe+0x6e/0x76 +[ 65.923087] RIP: 0033:0x7f2d80f1e88d +[ 65.923087] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48 +[ 65.923087] RSP: 002b:00007ffc7bc1aa78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 +[ 65.923087] RAX: ffffffffffffffda RBX: 0000564c9c1db130 RCX: 00007f2d80f1e88d +[ 65.923087] RDX: 0000000000000000 RSI: 0000564c9c1e5480 RDI: 000000000000000f +[ 65.923087] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000002 +[ 65.923087] R10: 000000000000000f R11: 0000000000000246 R12: 0000564c9c1e5480 +[ 65.923087] R13: 0000564c9c1db260 R14: 0000000000000000 R15: 0000564c9c1e54b0 +[ 65.923087] +[ 65.923927] ---[ end trace ]--- + +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Cc: Hamza Mahfooz +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Roman Li +Signed-off-by: Alex Deucher +Signed-off-by: Bin Lan +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c +@@ -1852,7 +1852,7 @@ static struct link_encoder *dcn21_link_e + kzalloc(sizeof(struct dcn21_link_encoder), GFP_KERNEL); + int link_regs_id; + +- if (!enc21) ++ if (!enc21 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs)) + return NULL; + + link_regs_id = diff --git a/queue-5.15/drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch b/queue-5.15/drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch new file mode 100644 index 0000000000..870fc822c2 --- /dev/null +++ b/queue-5.15/drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch @@ -0,0 +1,60 @@ +From cf8b16857db702ceb8d52f9219a4613363e2b1cf Mon Sep 17 00:00:00 2001 +From: Hersen Wu +Date: Wed, 24 Apr 2024 16:15:15 -0400 +Subject: drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links + +From: Hersen Wu + +commit cf8b16857db702ceb8d52f9219a4613363e2b1cf upstream. + +[Why] +Coverity report OVERRUN warning. There are +only max_links elements within dc->links. link +count could up to AMDGPU_DM_MAX_DISPLAY_INDEX 31. + +[How] +Make sure link count less than max_links. + +Reviewed-by: Harry Wentland +Acked-by: Tom Chung +Signed-off-by: Hersen Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +[Minor conflict resolved due to code context change. And the macro MAX_LINKS + is introduced by Commit 60df5628144b ("drm/amd/display: handle invalid + connector indices") after 6.10. So here we still use the original array + length MAX_PIPES * 2] +Signed-off-by: Jianqi Ren +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -4321,17 +4321,17 @@ static int amdgpu_dm_initialize_drm_devi + } + #endif + ++ if (link_cnt > (MAX_PIPES * 2)) { ++ DRM_ERROR( ++ "KMS: Cannot support more than %d display indexes\n", ++ MAX_PIPES * 2); ++ goto fail; ++ } ++ + /* loops over all connectors on the board */ + for (i = 0; i < link_cnt; i++) { + struct dc_link *link = NULL; + +- if (i > AMDGPU_DM_MAX_DISPLAY_INDEX) { +- DRM_ERROR( +- "KMS: Cannot support more than %d display indexes\n", +- AMDGPU_DM_MAX_DISPLAY_INDEX); +- continue; +- } +- + aconnector = kzalloc(sizeof(*aconnector), GFP_KERNEL); + if (!aconnector) + goto fail; diff --git a/queue-5.15/drm-amdgpu-fix-usage-slab-after-free.patch b/queue-5.15/drm-amdgpu-fix-usage-slab-after-free.patch new file mode 100644 index 0000000000..9571f193a0 --- /dev/null +++ b/queue-5.15/drm-amdgpu-fix-usage-slab-after-free.patch @@ -0,0 +1,221 @@ +From b61badd20b443eabe132314669bb51a263982e5c Mon Sep 17 00:00:00 2001 +From: Vitaly Prosyak +Date: Mon, 11 Nov 2024 17:24:08 -0500 +Subject: drm/amdgpu: fix usage slab after free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Vitaly Prosyak + +commit b61badd20b443eabe132314669bb51a263982e5c upstream. + +[ +0.000021] BUG: KASAN: slab-use-after-free in drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] +[ +0.000027] Read of size 8 at addr ffff8881b8605f88 by task amd_pci_unplug/2147 + +[ +0.000023] CPU: 6 PID: 2147 Comm: amd_pci_unplug Not tainted 6.10.0+ #1 +[ +0.000016] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 +[ +0.000016] Call Trace: +[ +0.000008] +[ +0.000009] dump_stack_lvl+0x76/0xa0 +[ +0.000017] print_report+0xce/0x5f0 +[ +0.000017] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] +[ +0.000019] ? srso_return_thunk+0x5/0x5f +[ +0.000015] ? kasan_complete_mode_report_info+0x72/0x200 +[ +0.000016] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] +[ +0.000019] kasan_report+0xbe/0x110 +[ +0.000015] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] +[ +0.000023] __asan_report_load8_noabort+0x14/0x30 +[ +0.000014] drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched] +[ +0.000020] ? srso_return_thunk+0x5/0x5f +[ +0.000013] ? __kasan_check_write+0x14/0x30 +[ +0.000016] ? __pfx_drm_sched_entity_flush+0x10/0x10 [gpu_sched] +[ +0.000020] ? srso_return_thunk+0x5/0x5f +[ +0.000013] ? __kasan_check_write+0x14/0x30 +[ +0.000013] ? srso_return_thunk+0x5/0x5f +[ +0.000013] ? enable_work+0x124/0x220 +[ +0.000015] ? __pfx_enable_work+0x10/0x10 +[ +0.000013] ? srso_return_thunk+0x5/0x5f +[ +0.000014] ? free_large_kmalloc+0x85/0xf0 +[ +0.000016] drm_sched_entity_destroy+0x18/0x30 [gpu_sched] +[ +0.000020] amdgpu_vce_sw_fini+0x55/0x170 [amdgpu] +[ +0.000735] ? __kasan_check_read+0x11/0x20 +[ +0.000016] vce_v4_0_sw_fini+0x80/0x110 [amdgpu] +[ +0.000726] amdgpu_device_fini_sw+0x331/0xfc0 [amdgpu] +[ +0.000679] ? mutex_unlock+0x80/0xe0 +[ +0.000017] ? __pfx_amdgpu_device_fini_sw+0x10/0x10 [amdgpu] +[ +0.000662] ? srso_return_thunk+0x5/0x5f +[ +0.000014] ? __kasan_check_write+0x14/0x30 +[ +0.000013] ? srso_return_thunk+0x5/0x5f +[ +0.000013] ? mutex_unlock+0x80/0xe0 +[ +0.000016] amdgpu_driver_release_kms+0x16/0x80 [amdgpu] +[ +0.000663] drm_minor_release+0xc9/0x140 [drm] +[ +0.000081] drm_release+0x1fd/0x390 [drm] +[ +0.000082] __fput+0x36c/0xad0 +[ +0.000018] __fput_sync+0x3c/0x50 +[ +0.000014] __x64_sys_close+0x7d/0xe0 +[ +0.000014] x64_sys_call+0x1bc6/0x2680 +[ +0.000014] do_syscall_64+0x70/0x130 +[ +0.000014] ? srso_return_thunk+0x5/0x5f +[ +0.000014] ? irqentry_exit_to_user_mode+0x60/0x190 +[ +0.000015] ? srso_return_thunk+0x5/0x5f +[ +0.000014] ? irqentry_exit+0x43/0x50 +[ +0.000012] ? srso_return_thunk+0x5/0x5f +[ +0.000013] ? exc_page_fault+0x7c/0x110 +[ +0.000015] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ +0.000014] RIP: 0033:0x7ffff7b14f67 +[ +0.000013] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff +[ +0.000026] RSP: 002b:00007fffffffe378 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 +[ +0.000019] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffff7b14f67 +[ +0.000014] RDX: 0000000000000000 RSI: 00007ffff7f6f47a RDI: 0000000000000003 +[ +0.000014] RBP: 00007fffffffe3a0 R08: 0000555555569890 R09: 0000000000000000 +[ +0.000014] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffffffe5c8 +[ +0.000013] R13: 00005555555552a9 R14: 0000555555557d48 R15: 00007ffff7ffd040 +[ +0.000020] + +[ +0.000016] Allocated by task 383 on cpu 7 at 26.880319s: +[ +0.000014] kasan_save_stack+0x28/0x60 +[ +0.000008] kasan_save_track+0x18/0x70 +[ +0.000007] kasan_save_alloc_info+0x38/0x60 +[ +0.000007] __kasan_kmalloc+0xc1/0xd0 +[ +0.000007] kmalloc_trace_noprof+0x180/0x380 +[ +0.000007] drm_sched_init+0x411/0xec0 [gpu_sched] +[ +0.000012] amdgpu_device_init+0x695f/0xa610 [amdgpu] +[ +0.000658] amdgpu_driver_load_kms+0x1a/0x120 [amdgpu] +[ +0.000662] amdgpu_pci_probe+0x361/0xf30 [amdgpu] +[ +0.000651] local_pci_probe+0xe7/0x1b0 +[ +0.000009] pci_device_probe+0x248/0x890 +[ +0.000008] really_probe+0x1fd/0x950 +[ +0.000008] __driver_probe_device+0x307/0x410 +[ +0.000007] driver_probe_device+0x4e/0x150 +[ +0.000007] __driver_attach+0x223/0x510 +[ +0.000006] bus_for_each_dev+0x102/0x1a0 +[ +0.000007] driver_attach+0x3d/0x60 +[ +0.000006] bus_add_driver+0x2ac/0x5f0 +[ +0.000006] driver_register+0x13d/0x490 +[ +0.000008] __pci_register_driver+0x1ee/0x2b0 +[ +0.000007] llc_sap_close+0xb0/0x160 [llc] +[ +0.000009] do_one_initcall+0x9c/0x3e0 +[ +0.000008] do_init_module+0x241/0x760 +[ +0.000008] load_module+0x51ac/0x6c30 +[ +0.000006] __do_sys_init_module+0x234/0x270 +[ +0.000007] __x64_sys_init_module+0x73/0xc0 +[ +0.000006] x64_sys_call+0xe3/0x2680 +[ +0.000006] do_syscall_64+0x70/0x130 +[ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e + +[ +0.000015] Freed by task 2147 on cpu 6 at 160.507651s: +[ +0.000013] kasan_save_stack+0x28/0x60 +[ +0.000007] kasan_save_track+0x18/0x70 +[ +0.000007] kasan_save_free_info+0x3b/0x60 +[ +0.000007] poison_slab_object+0x115/0x1c0 +[ +0.000007] __kasan_slab_free+0x34/0x60 +[ +0.000007] kfree+0xfa/0x2f0 +[ +0.000007] drm_sched_fini+0x19d/0x410 [gpu_sched] +[ +0.000012] amdgpu_fence_driver_sw_fini+0xc4/0x2f0 [amdgpu] +[ +0.000662] amdgpu_device_fini_sw+0x77/0xfc0 [amdgpu] +[ +0.000653] amdgpu_driver_release_kms+0x16/0x80 [amdgpu] +[ +0.000655] drm_minor_release+0xc9/0x140 [drm] +[ +0.000071] drm_release+0x1fd/0x390 [drm] +[ +0.000071] __fput+0x36c/0xad0 +[ +0.000008] __fput_sync+0x3c/0x50 +[ +0.000007] __x64_sys_close+0x7d/0xe0 +[ +0.000007] x64_sys_call+0x1bc6/0x2680 +[ +0.000007] do_syscall_64+0x70/0x130 +[ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e + +[ +0.000014] The buggy address belongs to the object at ffff8881b8605f80 + which belongs to the cache kmalloc-64 of size 64 +[ +0.000020] The buggy address is located 8 bytes inside of + freed 64-byte region [ffff8881b8605f80, ffff8881b8605fc0) + +[ +0.000028] The buggy address belongs to the physical page: +[ +0.000011] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b8605 +[ +0.000008] anon flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff) +[ +0.000007] page_type: 0xffffefff(slab) +[ +0.000009] raw: 0017ffffc0000000 ffff8881000428c0 0000000000000000 dead000000000001 +[ +0.000006] raw: 0000000000000000 0000000000200020 00000001ffffefff 0000000000000000 +[ +0.000006] page dumped because: kasan: bad access detected + +[ +0.000012] Memory state around the buggy address: +[ +0.000011] ffff8881b8605e80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ +0.000015] ffff8881b8605f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc +[ +0.000015] >ffff8881b8605f80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +[ +0.000013] ^ +[ +0.000011] ffff8881b8606000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc +[ +0.000014] ffff8881b8606080: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb +[ +0.000013] ================================================================== + +The issue reproduced on VG20 during the IGT pci_unplug test. +The root cause of the issue is that the function drm_sched_fini is called before drm_sched_entity_kill. +In drm_sched_fini, the drm_sched_rq structure is freed, but this structure is later accessed by +each entity within the run queue, leading to invalid memory access. +To resolve this, the order of cleanup calls is updated: + + Before: + amdgpu_fence_driver_sw_fini + amdgpu_device_ip_fini + + After: + amdgpu_device_ip_fini + amdgpu_fence_driver_sw_fini + +This updated order ensures that all entities in the IPs are cleaned up first, followed by proper +cleanup of the schedulers. + +Additional Investigation: + +During debugging, another issue was identified in the amdgpu_vce_sw_fini function. The vce.vcpu_bo +buffer must be freed only as the final step in the cleanup process to prevent any premature +access during earlier cleanup stages. + +v2: Using Christian suggestion call drm_sched_entity_destroy before drm_sched_fini. + +Cc: Christian König +Cc: Alex Deucher +Signed-off-by: Vitaly Prosyak +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +[Minor context change fixed.] +Signed-off-by: Bin Lan +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- + drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -4008,8 +4008,8 @@ void amdgpu_device_fini_hw(struct amdgpu + + void amdgpu_device_fini_sw(struct amdgpu_device *adev) + { +- amdgpu_fence_driver_sw_fini(adev); + amdgpu_device_ip_fini(adev); ++ amdgpu_fence_driver_sw_fini(adev); + release_firmware(adev->firmware.gpu_info_fw); + adev->firmware.gpu_info_fw = NULL; + adev->accel_working = false; +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c +@@ -220,15 +220,15 @@ int amdgpu_vce_sw_fini(struct amdgpu_dev + + drm_sched_entity_destroy(&adev->vce.entity); + +- amdgpu_bo_free_kernel(&adev->vce.vcpu_bo, &adev->vce.gpu_addr, +- (void **)&adev->vce.cpu_addr); +- + for (i = 0; i < adev->vce.num_rings; i++) + amdgpu_ring_fini(&adev->vce.ring[i]); + + release_firmware(adev->vce.fw); + mutex_destroy(&adev->vce.idle_mutex); + ++ amdgpu_bo_free_kernel(&adev->vce.vcpu_bo, &adev->vce.gpu_addr, ++ (void **)&adev->vce.cpu_addr); ++ + return 0; + } + diff --git a/queue-5.15/landlock-add-the-errata-interface.patch b/queue-5.15/landlock-add-the-errata-interface.patch new file mode 100644 index 0000000000..004dd2f1b5 --- /dev/null +++ b/queue-5.15/landlock-add-the-errata-interface.patch @@ -0,0 +1,336 @@ +From 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Tue, 18 Mar 2025 17:14:37 +0100 +Subject: landlock: Add the errata interface +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac upstream. + +Some fixes may require user space to check if they are applied on the +running kernel before using a specific feature. For instance, this +applies when a restriction was previously too restrictive and is now +getting relaxed (e.g. for compatibility reasons). However, non-visible +changes for legitimate use (e.g. security fixes) do not require an +erratum. + +Because fixes are backported down to a specific Landlock ABI, we need a +way to avoid cherry-pick conflicts. The solution is to only update a +file related to the lower ABI impacted by this issue. All the ABI files +are then used to create a bitmask of fixes. + +The new errata interface is similar to the one used to get the supported +Landlock ABI version, but it returns a bitmask instead because the order +of fixes may not match the order of versions, and not all fixes may +apply to all versions. + +The actual errata will come with dedicated commits. The description is +not actually used in the code but serves as documentation. + +Create the landlock_abi_version symbol and use its value to check errata +consistency. + +Update test_base's create_ruleset_checks_ordering tests and add errata +tests. + +This commit is backportable down to the first version of Landlock. + +Fixes: 3532b0b4352c ("landlock: Enable user space to infer supported features") +Cc: Günther Noack +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net +Signed-off-by: Mickaël Salaün +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/landlock.h | 2 + security/landlock/errata.h | 87 +++++++++++++++++++++++++++ + security/landlock/setup.c | 30 +++++++++ + security/landlock/setup.h | 3 + security/landlock/syscalls.c | 22 +++++- + tools/testing/selftests/landlock/base_test.c | 46 +++++++++++++- + 6 files changed, 185 insertions(+), 5 deletions(-) + create mode 100644 security/landlock/errata.h + +--- a/include/uapi/linux/landlock.h ++++ b/include/uapi/linux/landlock.h +@@ -32,9 +32,11 @@ struct landlock_ruleset_attr { + * + * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI + * version. ++ * - %LANDLOCK_CREATE_RULESET_ERRATA: Get a bitmask of fixed issues. + */ + /* clang-format off */ + #define LANDLOCK_CREATE_RULESET_VERSION (1U << 0) ++#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1) + /* clang-format on */ + + /** +--- /dev/null ++++ b/security/landlock/errata.h +@@ -0,0 +1,87 @@ ++/* SPDX-License-Identifier: GPL-2.0-only */ ++/* ++ * Landlock - Errata information ++ * ++ * Copyright © 2025 Microsoft Corporation ++ */ ++ ++#ifndef _SECURITY_LANDLOCK_ERRATA_H ++#define _SECURITY_LANDLOCK_ERRATA_H ++ ++#include ++ ++struct landlock_erratum { ++ const int abi; ++ const u8 number; ++}; ++ ++/* clang-format off */ ++#define LANDLOCK_ERRATUM(NUMBER) \ ++ { \ ++ .abi = LANDLOCK_ERRATA_ABI, \ ++ .number = NUMBER, \ ++ }, ++/* clang-format on */ ++ ++/* ++ * Some fixes may require user space to check if they are applied on the running ++ * kernel before using a specific feature. For instance, this applies when a ++ * restriction was previously too restrictive and is now getting relaxed (for ++ * compatibility or semantic reasons). However, non-visible changes for ++ * legitimate use (e.g. security fixes) do not require an erratum. ++ */ ++static const struct landlock_erratum landlock_errata_init[] __initconst = { ++ ++/* ++ * Only Sparse may not implement __has_include. If a compiler does not ++ * implement __has_include, a warning will be printed at boot time (see ++ * setup.c). ++ */ ++#ifdef __has_include ++ ++#define LANDLOCK_ERRATA_ABI 1 ++#if __has_include("errata/abi-1.h") ++#include "errata/abi-1.h" ++#endif ++#undef LANDLOCK_ERRATA_ABI ++ ++#define LANDLOCK_ERRATA_ABI 2 ++#if __has_include("errata/abi-2.h") ++#include "errata/abi-2.h" ++#endif ++#undef LANDLOCK_ERRATA_ABI ++ ++#define LANDLOCK_ERRATA_ABI 3 ++#if __has_include("errata/abi-3.h") ++#include "errata/abi-3.h" ++#endif ++#undef LANDLOCK_ERRATA_ABI ++ ++#define LANDLOCK_ERRATA_ABI 4 ++#if __has_include("errata/abi-4.h") ++#include "errata/abi-4.h" ++#endif ++#undef LANDLOCK_ERRATA_ABI ++ ++/* ++ * For each new erratum, we need to include all the ABI files up to the impacted ++ * ABI to make all potential future intermediate errata easy to backport. ++ * ++ * If such change involves more than one ABI addition, then it must be in a ++ * dedicated commit with the same Fixes tag as used for the actual fix. ++ * ++ * Each commit creating a new security/landlock/errata/abi-*.h file must have a ++ * Depends-on tag to reference the commit that previously added the line to ++ * include this new file, except if the original Fixes tag is enough. ++ * ++ * Each erratum must be documented in its related ABI file, and a dedicated ++ * commit must update Documentation/userspace-api/landlock.rst to include this ++ * erratum. This commit will not be backported. ++ */ ++ ++#endif ++ ++ {} ++}; ++ ++#endif /* _SECURITY_LANDLOCK_ERRATA_H */ +--- a/security/landlock/setup.c ++++ b/security/landlock/setup.c +@@ -6,11 +6,13 @@ + * Copyright © 2018-2020 ANSSI + */ + ++#include + #include + #include + + #include "common.h" + #include "cred.h" ++#include "errata.h" + #include "fs.h" + #include "ptrace.h" + #include "setup.h" +@@ -23,8 +25,36 @@ struct lsm_blob_sizes landlock_blob_size + .lbs_superblock = sizeof(struct landlock_superblock_security), + }; + ++int landlock_errata __ro_after_init; ++ ++static void __init compute_errata(void) ++{ ++ size_t i; ++ ++#ifndef __has_include ++ /* ++ * This is a safeguard to make sure the compiler implements ++ * __has_include (see errata.h). ++ */ ++ WARN_ON_ONCE(1); ++ return; ++#endif ++ ++ for (i = 0; landlock_errata_init[i].number; i++) { ++ const int prev_errata = landlock_errata; ++ ++ if (WARN_ON_ONCE(landlock_errata_init[i].abi > ++ landlock_abi_version)) ++ continue; ++ ++ landlock_errata |= BIT(landlock_errata_init[i].number - 1); ++ WARN_ON_ONCE(prev_errata == landlock_errata); ++ } ++} ++ + static int __init landlock_init(void) + { ++ compute_errata(); + landlock_add_cred_hooks(); + landlock_add_ptrace_hooks(); + landlock_add_fs_hooks(); +--- a/security/landlock/setup.h ++++ b/security/landlock/setup.h +@@ -11,7 +11,10 @@ + + #include + ++extern const int landlock_abi_version; ++ + extern bool landlock_initialized; ++extern int landlock_errata; + + extern struct lsm_blob_sizes landlock_blob_sizes; + +--- a/security/landlock/syscalls.c ++++ b/security/landlock/syscalls.c +@@ -150,7 +150,9 @@ static const struct file_operations rule + * the new ruleset. + * @size: Size of the pointed &struct landlock_ruleset_attr (needed for + * backward and forward compatibility). +- * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION. ++ * @flags: Supported value: ++ * - %LANDLOCK_CREATE_RULESET_VERSION ++ * - %LANDLOCK_CREATE_RULESET_ERRATA + * + * This system call enables to create a new Landlock ruleset, and returns the + * related file descriptor on success. +@@ -159,6 +161,10 @@ static const struct file_operations rule + * 0, then the returned value is the highest supported Landlock ABI version + * (starting at 1). + * ++ * If @flags is %LANDLOCK_CREATE_RULESET_ERRATA and @attr is NULL and @size is ++ * 0, then the returned value is a bitmask of fixed issues for the current ++ * Landlock ABI version. ++ * + * Possible returned errors are: + * + * - EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time; +@@ -181,9 +187,15 @@ SYSCALL_DEFINE3(landlock_create_ruleset, + return -EOPNOTSUPP; + + if (flags) { +- if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr && +- !size) +- return LANDLOCK_ABI_VERSION; ++ if (attr || size) ++ return -EINVAL; ++ ++ if (flags == LANDLOCK_CREATE_RULESET_VERSION) ++ return landlock_abi_version; ++ ++ if (flags == LANDLOCK_CREATE_RULESET_ERRATA) ++ return landlock_errata; ++ + return -EINVAL; + } + +@@ -213,6 +225,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset, + return ruleset_fd; + } + ++const int landlock_abi_version = LANDLOCK_ABI_VERSION; ++ + /* + * Returns an owned ruleset from a FD. It is thus needed to call + * landlock_put_ruleset() on the return value. +--- a/tools/testing/selftests/landlock/base_test.c ++++ b/tools/testing/selftests/landlock/base_test.c +@@ -98,10 +98,54 @@ TEST(abi_version) + ASSERT_EQ(EINVAL, errno); + } + ++/* ++ * Old source trees might not have the set of Kselftest fixes related to kernel ++ * UAPI headers. ++ */ ++#ifndef LANDLOCK_CREATE_RULESET_ERRATA ++#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1) ++#endif ++ ++TEST(errata) ++{ ++ const struct landlock_ruleset_attr ruleset_attr = { ++ .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE, ++ }; ++ int errata; ++ ++ errata = landlock_create_ruleset(NULL, 0, ++ LANDLOCK_CREATE_RULESET_ERRATA); ++ /* The errata bitmask will not be backported to tests. */ ++ ASSERT_LE(0, errata); ++ TH_LOG("errata: 0x%x", errata); ++ ++ ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0, ++ LANDLOCK_CREATE_RULESET_ERRATA)); ++ ASSERT_EQ(EINVAL, errno); ++ ++ ASSERT_EQ(-1, landlock_create_ruleset(NULL, sizeof(ruleset_attr), ++ LANDLOCK_CREATE_RULESET_ERRATA)); ++ ASSERT_EQ(EINVAL, errno); ++ ++ ASSERT_EQ(-1, ++ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr), ++ LANDLOCK_CREATE_RULESET_ERRATA)); ++ ASSERT_EQ(EINVAL, errno); ++ ++ ASSERT_EQ(-1, landlock_create_ruleset( ++ NULL, 0, ++ LANDLOCK_CREATE_RULESET_VERSION | ++ LANDLOCK_CREATE_RULESET_ERRATA)); ++ ASSERT_EQ(-1, landlock_create_ruleset(NULL, 0, ++ LANDLOCK_CREATE_RULESET_ERRATA | ++ 1 << 31)); ++ ASSERT_EQ(EINVAL, errno); ++} ++ + /* Tests ordering of syscall argument checks. */ + TEST(create_ruleset_checks_ordering) + { +- const int last_flag = LANDLOCK_CREATE_RULESET_VERSION; ++ const int last_flag = LANDLOCK_CREATE_RULESET_ERRATA; + const int invalid_flag = last_flag << 1; + int ruleset_fd; + const struct landlock_ruleset_attr ruleset_attr = { diff --git a/queue-5.15/series b/queue-5.15/series index c1bf4b7e4f..b308c8d7be 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -211,3 +211,8 @@ powerpc-rtas-prevent-spectre-v1-gadget-construction-in-sys_rtas.patch phy-tegra-xusb-fix-return-value-of-tegra_xusb_find_port_node-function.patch wifi-ath10k-avoid-null-pointer-error-during-sdio-remove.patch xen-swiotlb-relax-alignment-requirements.patch +drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch +drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch +drm-amd-display-add-null-checks-for-stream-and-plane-before-dereferencing.patch +drm-amdgpu-fix-usage-slab-after-free.patch +landlock-add-the-errata-interface.patch -- 2.47.3