--- /dev/null
+From f2703a3596a279b0be6eeed4c500bdbaa8dc3ce4 Mon Sep 17 00:00:00 2001
+From: Martin Leung <martin.leung@amd.com>
+Date: Mon, 26 Feb 2024 13:20:08 -0500
+Subject: drm/amd/display: revert Exit idle optimizations before HDCP execution
+
+From: Martin Leung <martin.leung@amd.com>
+
+commit f2703a3596a279b0be6eeed4c500bdbaa8dc3ce4 upstream.
+
+why and how:
+causes black screen on PNP on DCN 3.5
+
+This reverts commit f30a3bea92bd ("drm/amd/display: Exit idle
+optimizations before HDCP execution")
+
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Martin Leung <martin.leung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c | 10 ----------
+ drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h | 8 --------
+ 2 files changed, 18 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
+@@ -88,14 +88,6 @@ static uint8_t is_cp_desired_hdcp2(struc
+ !hdcp->connection.is_hdcp2_revoked;
+ }
+
+-static void exit_idle_optimizations(struct mod_hdcp *hdcp)
+-{
+- struct mod_hdcp_dm *dm = &hdcp->config.dm;
+-
+- if (dm->funcs.exit_idle_optimizations)
+- dm->funcs.exit_idle_optimizations(dm->handle);
+-}
+-
+ static enum mod_hdcp_status execution(struct mod_hdcp *hdcp,
+ struct mod_hdcp_event_context *event_ctx,
+ union mod_hdcp_transition_input *input)
+@@ -551,8 +543,6 @@ enum mod_hdcp_status mod_hdcp_process_ev
+ memset(&event_ctx, 0, sizeof(struct mod_hdcp_event_context));
+ event_ctx.event = event;
+
+- exit_idle_optimizations(hdcp);
+-
+ /* execute and transition */
+ exec_status = execution(hdcp, &event_ctx, &hdcp->auth.trans_input);
+ trans_status = transition(
+--- a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h
++++ b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h
+@@ -155,13 +155,6 @@ struct mod_hdcp_ddc {
+ } funcs;
+ };
+
+-struct mod_hdcp_dm {
+- void *handle;
+- struct {
+- void (*exit_idle_optimizations)(void *handle);
+- } funcs;
+-};
+-
+ struct mod_hdcp_psp {
+ void *handle;
+ void *funcs;
+@@ -278,7 +271,6 @@ struct mod_hdcp_display_query {
+ struct mod_hdcp_config {
+ struct mod_hdcp_psp psp;
+ struct mod_hdcp_ddc ddc;
+- struct mod_hdcp_dm dm;
+ uint8_t index;
+ };
+
--- /dev/null
+From 89e1ee118d6f0ee6bd6e80d8fe08839875daa241 Mon Sep 17 00:00:00 2001
+From: Andrew Ballance <andrewjballance@gmail.com>
+Date: Sun, 2 Jun 2024 03:50:23 -0500
+Subject: hid: asus: asus_report_fixup: fix potential read out of bounds
+
+From: Andrew Ballance <andrewjballance@gmail.com>
+
+commit 89e1ee118d6f0ee6bd6e80d8fe08839875daa241 upstream.
+
+syzbot reported a potential read out of bounds in asus_report_fixup.
+
+this patch adds checks so that a read out of bounds will not occur
+
+Signed-off-by: Andrew Ballance <andrewjballance@gmail.com>
+Reported-by: <syzbot+07762f019fd03d01f04c@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c
+Fixes: 59d2f5b7392e ("HID: asus: fix more n-key report descriptors if n-key quirked")
+Link: https://lore.kernel.org/r/20240602085023.1720492-1-andrewjballance@gmail.com
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-asus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-asus.c
++++ b/drivers/hid/hid-asus.c
+@@ -1247,8 +1247,8 @@ static __u8 *asus_report_fixup(struct hi
+ }
+
+ /* match many more n-key devices */
+- if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) {
+- for (int i = 0; i < *rsize + 1; i++) {
++ if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) {
++ for (int i = 0; i < *rsize - 15; i++) {
+ /* offset to the count from 0x5a report part always 14 */
+ if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a &&
+ rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) {
--- /dev/null
+From 86735b57c905e775f05de995df35379366b72168 Mon Sep 17 00:00:00 2001
+From: Davide Caratti <dcaratti@redhat.com>
+Date: Tue, 30 Apr 2024 19:11:13 +0200
+Subject: net/sched: unregister lockdep keys in qdisc_create/qdisc_alloc error path
+
+From: Davide Caratti <dcaratti@redhat.com>
+
+commit 86735b57c905e775f05de995df35379366b72168 upstream.
+
+Naresh and Eric report several errors (corrupted elements in the dynamic
+key hash list), when running tdc.py or syzbot. The error path of
+qdisc_alloc() and qdisc_create() frees the qdisc memory, but it forgets
+to unregister the lockdep key, thus causing use-after-free like the
+following one:
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in lockdep_register_key+0x5f2/0x700
+ Read of size 8 at addr ffff88811236f2a8 by task ip/7925
+
+ CPU: 26 PID: 7925 Comm: ip Kdump: loaded Not tainted 6.9.0-rc2+ #648
+ Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x7c/0xc0
+ print_report+0xc9/0x610
+ kasan_report+0x89/0xc0
+ lockdep_register_key+0x5f2/0x700
+ qdisc_alloc+0x21d/0xb60
+ qdisc_create_dflt+0x63/0x3c0
+ attach_one_default_qdisc.constprop.37+0x8e/0x170
+ dev_activate+0x4bd/0xc30
+ __dev_open+0x275/0x380
+ __dev_change_flags+0x3f1/0x570
+ dev_change_flags+0x7c/0x160
+ do_setlink+0x1ea1/0x34b0
+ __rtnl_newlink+0x8c9/0x1510
+ rtnl_newlink+0x61/0x90
+ rtnetlink_rcv_msg+0x2f0/0xbc0
+ netlink_rcv_skb+0x120/0x380
+ netlink_unicast+0x420/0x630
+ netlink_sendmsg+0x732/0xbc0
+ __sock_sendmsg+0x1ea/0x280
+ ____sys_sendmsg+0x5a9/0x990
+ ___sys_sendmsg+0xf1/0x180
+ __sys_sendmsg+0xd3/0x180
+ do_syscall_64+0x96/0x180
+ entry_SYSCALL_64_after_hwframe+0x71/0x79
+ RIP: 0033:0x7f9503f4fa07
+ Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
+ RSP: 002b:00007fff6c729068 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 000000006630c681 RCX: 00007f9503f4fa07
+ RDX: 0000000000000000 RSI: 00007fff6c7290d0 RDI: 0000000000000003
+ RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000078
+ R10: 000000000000009b R11: 0000000000000246 R12: 0000000000000001
+ R13: 00007fff6c729180 R14: 0000000000000000 R15: 000055bf67dd9040
+ </TASK>
+
+ Allocated by task 7745:
+ kasan_save_stack+0x1c/0x40
+ kasan_save_track+0x10/0x30
+ __kasan_kmalloc+0x7b/0x90
+ __kmalloc_node+0x1ff/0x460
+ qdisc_alloc+0xae/0xb60
+ qdisc_create+0xdd/0xfb0
+ tc_modify_qdisc+0x37e/0x1960
+ rtnetlink_rcv_msg+0x2f0/0xbc0
+ netlink_rcv_skb+0x120/0x380
+ netlink_unicast+0x420/0x630
+ netlink_sendmsg+0x732/0xbc0
+ __sock_sendmsg+0x1ea/0x280
+ ____sys_sendmsg+0x5a9/0x990
+ ___sys_sendmsg+0xf1/0x180
+ __sys_sendmsg+0xd3/0x180
+ do_syscall_64+0x96/0x180
+ entry_SYSCALL_64_after_hwframe+0x71/0x79
+
+ Freed by task 7745:
+ kasan_save_stack+0x1c/0x40
+ kasan_save_track+0x10/0x30
+ kasan_save_free_info+0x36/0x60
+ __kasan_slab_free+0xfe/0x180
+ kfree+0x113/0x380
+ qdisc_create+0xafb/0xfb0
+ tc_modify_qdisc+0x37e/0x1960
+ rtnetlink_rcv_msg+0x2f0/0xbc0
+ netlink_rcv_skb+0x120/0x380
+ netlink_unicast+0x420/0x630
+ netlink_sendmsg+0x732/0xbc0
+ __sock_sendmsg+0x1ea/0x280
+ ____sys_sendmsg+0x5a9/0x990
+ ___sys_sendmsg+0xf1/0x180
+ __sys_sendmsg+0xd3/0x180
+ do_syscall_64+0x96/0x180
+ entry_SYSCALL_64_after_hwframe+0x71/0x79
+
+Fix this ensuring that lockdep_unregister_key() is called before the
+qdisc struct is freed, also in the error path of qdisc_create() and
+qdisc_alloc().
+
+Fixes: af0cb3fa3f9e ("net/sched: fix false lockdep warning on qdisc root lock")
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Closes: https://lore.kernel.org/netdev/20240429221706.1492418-1-naresh.kamboju@linaro.org/
+Signed-off-by: Davide Caratti <dcaratti@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Tested-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://lore.kernel.org/r/2aa1ca0c0a3aa0acc15925c666c777a4b5de553c.1714496886.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/sch_api.c | 1 +
+ net/sched/sch_generic.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1353,6 +1353,7 @@ err_out5:
+ if (ops->destroy)
+ ops->destroy(sch);
+ err_out3:
++ lockdep_unregister_key(&sch->root_lock_key);
+ netdev_put(dev, &sch->dev_tracker);
+ qdisc_free(sch);
+ err_out2:
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -978,6 +978,7 @@ struct Qdisc *qdisc_alloc(struct netdev_
+
+ return sch;
+ errout1:
++ lockdep_unregister_key(&sch->root_lock_key);
+ kfree(sch);
+ errout:
+ return ERR_PTR(err);
--- /dev/null
+From 14d7c92f8df9c0964ae6f8b813c1b3ac38120825 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 17 Jun 2024 12:57:03 -0700
+Subject: Revert "mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default"
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 14d7c92f8df9c0964ae6f8b813c1b3ac38120825 upstream.
+
+This reverts commit 3afb76a66b5559a7b595155803ce23801558a7a9.
+
+This was a wrongheaded workaround for an issue that had already been
+fixed much better by commit 4ef9ad19e176 ("mm: huge_memory: don't force
+huge page alignment on 32 bit").
+
+Asking users questions at kernel compile time that they can't make sense
+of is not a viable strategy. And the fact that even the kernel VM
+maintainers apparently didn't catch that this "fix" is not a fix any
+more pretty much proves the point that people can't be expected to
+understand the implications of the question.
+
+It may well be the case that we could improve things further, and that
+__thp_get_unmapped_area() should take the mapping randomization into
+account even for 64-bit kernels. Maybe we should not be so eager to use
+THP mappings.
+
+But in no case should this be a kernel config option.
+
+Cc: Rafael Aquini <aquini@redhat.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/Kconfig | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -981,21 +981,10 @@ config ARCH_MMAP_RND_BITS_MAX
+ config ARCH_MMAP_RND_BITS_DEFAULT
+ int
+
+-config FORCE_MAX_MMAP_RND_BITS
+- bool "Force maximum number of bits to use for ASLR of mmap base address"
+- default y if !64BIT
+- help
+- ARCH_MMAP_RND_BITS and ARCH_MMAP_RND_COMPAT_BITS represent the number
+- of bits to use for ASLR and if no custom value is assigned (EXPERT)
+- then the architecture's lower bound (minimum) value is assumed.
+- This toggle changes that default assumption to assume the arch upper
+- bound (maximum) value instead.
+-
+ config ARCH_MMAP_RND_BITS
+ int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
+- default ARCH_MMAP_RND_BITS_MAX if FORCE_MAX_MMAP_RND_BITS
+ default ARCH_MMAP_RND_BITS_MIN
+ depends on HAVE_ARCH_MMAP_RND_BITS
+ help
+@@ -1030,7 +1019,6 @@ config ARCH_MMAP_RND_COMPAT_BITS
+ int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+ range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+- default ARCH_MMAP_RND_COMPAT_BITS_MAX if FORCE_MAX_MMAP_RND_BITS
+ default ARCH_MMAP_RND_COMPAT_BITS_MIN
+ depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ help
x86-cpu-fix-x86_match_cpu-to-match-just-x86_vendor_i.patch
revert-kheaders-substituting-sort-in-archive-creatio.patch
kheaders-explicitly-define-file-modes-for-archived-h.patch
+drm-amd-display-revert-exit-idle-optimizations-before-hdcp-execution.patch
+net-sched-unregister-lockdep-keys-in-qdisc_create-qdisc_alloc-error-path.patch
+hid-asus-asus_report_fixup-fix-potential-read-out-of-bounds.patch
+revert-mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
