From: Greg Kroah-Hartman Date: Tue, 29 Apr 2025 14:30:23 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.4.293~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0ea51e19d6ec9ee9fcd56fcd6071bb23c2e64d43;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: drm-amd-display-fix-double-free-issue-during-amdgpu-module-unload.patch xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch --- diff --git a/queue-5.15/drm-amd-display-fix-double-free-issue-during-amdgpu-module-unload.patch b/queue-5.15/drm-amd-display-fix-double-free-issue-during-amdgpu-module-unload.patch new file mode 100644 index 0000000000..17d8d813bc --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-double-free-issue-during-amdgpu-module-unload.patch 
@@ -0,0 +1,79 @@ +From 20b5a8f9f4670a8503aa9fa95ca632e77c6bf55d Mon Sep 17 00:00:00 2001 +From: Tim Huang +Date: Thu, 15 Aug 2024 18:45:22 -0400 +Subject: drm/amd/display: fix double free issue during amdgpu module unload + +From: Tim Huang + +commit 20b5a8f9f4670a8503aa9fa95ca632e77c6bf55d upstream. + +Flexible endpoints use DIGs from available inflexible endpoints, +so only the encoders of inflexible links need to be freed. +Otherwise, a double free issue may occur when unloading the +amdgpu module. + +[ 279.190523] RIP: 0010:__slab_free+0x152/0x2f0 +[ 279.190577] Call Trace: +[ 279.190580] +[ 279.190582] ? show_regs+0x69/0x80 +[ 279.190590] ? die+0x3b/0x90 +[ 279.190595] ? do_trap+0xc8/0xe0 +[ 279.190601] ? do_error_trap+0x73/0xa0 +[ 279.190605] ? __slab_free+0x152/0x2f0 +[ 279.190609] ? exc_invalid_op+0x56/0x70 +[ 279.190616] ? __slab_free+0x152/0x2f0 +[ 279.190642] ? asm_exc_invalid_op+0x1f/0x30 +[ 279.190648] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] +[ 279.191096] ? __slab_free+0x152/0x2f0 +[ 279.191102] ? 
dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] +[ 279.191469] kfree+0x260/0x2b0 +[ 279.191474] dcn10_link_encoder_destroy+0x19/0x30 [amdgpu] +[ 279.191821] link_destroy+0xd7/0x130 [amdgpu] +[ 279.192248] dc_destruct+0x90/0x270 [amdgpu] +[ 279.192666] dc_destroy+0x19/0x40 [amdgpu] +[ 279.193020] amdgpu_dm_fini+0x16e/0x200 [amdgpu] +[ 279.193432] dm_hw_fini+0x26/0x40 [amdgpu] +[ 279.193795] amdgpu_device_fini_hw+0x24c/0x400 [amdgpu] +[ 279.194108] amdgpu_driver_unload_kms+0x4f/0x70 [amdgpu] +[ 279.194436] amdgpu_pci_remove+0x40/0x80 [amdgpu] +[ 279.194632] pci_device_remove+0x3a/0xa0 +[ 279.194638] device_remove+0x40/0x70 +[ 279.194642] device_release_driver_internal+0x1ad/0x210 +[ 279.194647] driver_detach+0x4e/0xa0 +[ 279.194650] bus_remove_driver+0x6f/0xf0 +[ 279.194653] driver_unregister+0x33/0x60 +[ 279.194657] pci_unregister_driver+0x44/0x90 +[ 279.194662] amdgpu_exit+0x19/0x1f0 [amdgpu] +[ 279.194939] __do_sys_delete_module.isra.0+0x198/0x2f0 +[ 279.194946] __x64_sys_delete_module+0x16/0x20 +[ 279.194950] do_syscall_64+0x58/0x120 +[ 279.194954] entry_SYSCALL_64_after_hwframe+0x6e/0x76 +[ 279.194980] + +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Tim Huang +Reviewed-by: Roman Li +Signed-off-by: Roman Li +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +[ dc_link_destruct() moved from core/dc_link.c to link/link_factory.c since +commit: 54618888d1ea ("drm/amd/display: break down dc_link.c"), so modified +the path to apply on 5.15.y ] +Signed-off-by: Xiangyu Chen +Signed-off-by: He Zhe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc_link.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c +@@ -79,7 +79,7 @@ static void dc_link_destruct(struct dc_l + if (link->panel_cntl) + link->panel_cntl->funcs->destroy(&link->panel_cntl); + +- if (link->link_enc) { ++ if (link->link_enc && !link->is_dig_mapping_flexible) { + 
/* Update link encoder resource tracking variables. These are used for + * the dynamic assignment of link encoders to streams. Virtual links + * are not assigned encoder resources on creation. diff --git a/queue-5.15/series b/queue-5.15/series index 7a5f42f830..a89e21255d 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -364,3 +364,5 @@ crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch net-dsa-mv88e6xxx-fix-atu_move_port_mask-for-6341-family.patch net-dsa-mv88e6xxx-enable-pvt-for-6321-switch.patch net-dsa-mv88e6xxx-enable-.port_set_policy-for-6320-family.patch +drm-amd-display-fix-double-free-issue-during-amdgpu-module-unload.patch +xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch diff --git a/queue-5.15/xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch b/queue-5.15/xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch new file mode 100644 index 0000000000..7bf8b8b6ef --- /dev/null +++ b/queue-5.15/xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch 
@@ -0,0 +1,64 @@ +From bigeasy@linutronix.de Tue Apr 29 16:24:20 2025 +From: Sebastian Andrzej Siewior +Date: Thu, 24 Apr 2025 15:03:14 +0200 +Subject: xdp: Reset bpf_redirect_info before running a xdp's BPF prog. +To: Greg KH +Cc: stable@vger.kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org, "Ricardo Cañuelo Navarro" , "Alexei Starovoitov" , "Andrii Nakryiko" , "Daniel Borkmann" , "David S. Miller" , "Jakub Kicinski" , "Jesper Dangaard Brouer" , "John Fastabend" , "Thomas Gleixner" , "Toke Høiland-Jørgensen" +Message-ID: <20250424130314.C9jOS1c5@linutronix.de> +Content-Disposition: inline + +From: Sebastian Andrzej Siewior + +Ricardo reported a KASAN discovered use after free in v6.6-stable. + +The syzbot starts a BPF program via xdp_test_run_batch() which assigns +ri->tgt_value via dev_hash_map_redirect() and the return code isn't +XDP_REDIRECT it looks like nonsense. So the output in +bpf_warn_invalid_xdp_action() appears once. +Then the TUN driver runs another BPF program (on the same CPU) which +returns XDP_REDIRECT without setting ri->tgt_value first. It invokes +bpf_trace_printk() to print four characters and obtain the required +return value. This is enough to get xdp_do_redirect() invoked which +then accesses the pointer in tgt_value which might have been already +deallocated. + +This problem does not affect upstream because since commit + 401cb7dae8130 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") + +the per-CPU variable is referenced via task's task_struct and exists on +the stack during NAPI callback. Therefore it is cleared once before the +first invocation and remains valid within the RCU section of the NAPI +callback. + +Instead of performing the huge backport of the commit (plus its fix ups) +here is an alternative version which only resets the variable in +question prior invoking the BPF program. 
+ +Acked-by: Toke Høiland-Jørgensen +Reported-by: Ricardo Cañuelo Navarro +Closes: https://lore.kernel.org/all/20250226-20250204-kasan-slab-use-after-free-read-in-dev_map_enqueue__submit-v3-0-360efec441ba@igalia.com/ +Fixes: 97f91a7cf04ff ("bpf: add bpf_redirect_map helper routine") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/filter.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -800,7 +800,14 @@ static __always_inline u32 bpf_prog_run_ + * under local_bh_disable(), which provides the needed RCU protection + * for accessing map entries. + */ +- u32 act = __bpf_prog_run(prog, xdp, BPF_DISPATCHER_FUNC(xdp)); ++ struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info); ++ u32 act; ++ ++ if (ri->map_id || ri->map_type) { ++ ri->map_id = 0; ++ ri->map_type = BPF_MAP_TYPE_UNSPEC; ++ } ++ act = __bpf_prog_run(prog, xdp, BPF_DISPATCHER_FUNC(xdp)); + + if (static_branch_unlikely(&bpf_master_redirect_enabled_key)) { + if (act == XDP_TX && netif_is_bond_slave(xdp->rxq->dev))
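Review bot: in the dc_link_destruct() hunk of drm-amd-display-fix-double-free-issue-during-amdgpu-module-unload.patch, the entire fix is the new guard `+ if (link->link_enc && !link->is_dig_mapping_flexible) {`, so the 5.15.y backport depends on `is_dig_mapping_flexible` already being a member of `struct dc_link` at that version; the bracketed backport note only explains the file relocation (core/dc_link.c vs link/link_factory.c), so state that the field was verified present, otherwise the queue entry will not build. The trailing context shows the comment `/* Update link encoder resource tracking variables.` now sitting inside the narrowed condition, meaning flexible links also skip that bookkeeping; that is consistent with the commit message (the DIG belongs to an inflexible link, which frees and untracks it), but a one-line comment at the condition saying the encoder is borrowed rather than owned by a flexible link would make the intent obvious to the next person touching this teardown path.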
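Review bot: in the bpf_prog_run_xdp() hunk of xdp-reset-bpf_redirect_info-before-running-a-xdp-s-bpf-prog.patch, the commit message identifies the dangling pointer as `ri->tgt_value`, yet the added reset only clears `ri->map_id` and `ri->map_type`; either also clear `tgt_value` (and `tgt_index`) before `__bpf_prog_run()`, or add a comment at the reset stating that a `map_type` of `BPF_MAP_TYPE_UNSPEC` makes xdp_do_redirect() never read the stale `tgt_value`, so a reader does not have to reconstruct why the fix is sufficient. Since `BPF_MAP_TYPE_UNSPEC` is 0, the surrounding `if (ri->map_id || ri->map_type)` exists only to avoid a per-packet store on the hot path, which is worth saying in the same comment. The leading context notes the caller runs under local_bh_disable(), so the reset and the program run are on one CPU without migration, which is what keeps the per-CPU `this_cpu_ptr(&bpf_redirect_info)` consistent between the two; that assumption should be documented next to the new `ri` lookup for a stable-only change that has no upstream counterpart to cross-check against.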