From: Greg Kroah-Hartman Date: Tue, 25 Jun 2024 06:42:14 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.1.96~20 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cdcee8ade5e6fd0215d5739adc0450eb68d9d837;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: asoc-intel-sof-sdw-really-remove-four_speaker-quirk.patch drm-amd-display-revert-exit-idle-optimizations-before-hdcp-execution.patch hid-asus-asus_report_fixup-fix-potential-read-out-of-bounds.patch kprobe-ftrace-fix-build-error-due-to-bad-function-definition.patch net-sched-unregister-lockdep-keys-in-qdisc_create-qdisc_alloc-error-path.patch revert-mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch
---
diff --git a/queue-6.6/asoc-intel-sof-sdw-really-remove-four_speaker-quirk.patch b/queue-6.6/asoc-intel-sof-sdw-really-remove-four_speaker-quirk.patch
new file mode 100644
index 00000000000..863e951f79f
--- /dev/null
+++ b/queue-6.6/asoc-intel-sof-sdw-really-remove-four_speaker-quirk.patch
@@ -0,0 +1,34 @@
+From 0bab4cfd7c1560095e29919e2ebe01783b9096dc Mon Sep 17 00:00:00 2001
+From: Pierre-Louis Bossart
+Date: Fri, 26 Apr 2024 10:21:20 -0500
+Subject: ASoC: Intel: sof-sdw: really remove FOUR_SPEAKER quirk
+
+From: Pierre-Louis Bossart
+
+commit 0bab4cfd7c1560095e29919e2ebe01783b9096dc upstream.
+
+Two independent GitHub PRs let to the addition of one quirk after it
+was removed..
+
+Fixes: b10cb955c6c0 ("ASoC: Intel: sof_sdw: add quirk for Dell SKU 0C0F")
+Reviewed-by: Bard Liao
+Signed-off-by: Pierre-Louis Bossart
+Link: https://lore.kernel.org/r/20240426152123.36284-10-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/intel/boards/sof_sdw.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/sound/soc/intel/boards/sof_sdw.c
++++ b/sound/soc/intel/boards/sof_sdw.c
+@@ -443,8 +443,7 @@ static const struct dmi_system_id sof_sd
+ DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "0C0F")
+ },
+ .driver_data = (void *)(SOF_SDW_TGL_HDMI |
+- RT711_JD2 |
+- SOF_SDW_FOUR_SPK),
++ RT711_JD2),
+ },
+ {
+ .callback = sof_sdw_quirk_cb,
diff --git a/queue-6.6/drm-amd-display-revert-exit-idle-optimizations-before-hdcp-execution.patch b/queue-6.6/drm-amd-display-revert-exit-idle-optimizations-before-hdcp-execution.patch
new file mode 100644
index 00000000000..0f669f0a0a6
--- /dev/null
+++ b/queue-6.6/drm-amd-display-revert-exit-idle-optimizations-before-hdcp-execution.patch
@@ -0,0 +1,78 @@
+From f2703a3596a279b0be6eeed4c500bdbaa8dc3ce4 Mon Sep 17 00:00:00 2001
+From: Martin Leung
+Date: Mon, 26 Feb 2024 13:20:08 -0500
+Subject: drm/amd/display: revert Exit idle optimizations before HDCP execution
+
+From: Martin Leung
+
+commit f2703a3596a279b0be6eeed4c500bdbaa8dc3ce4 upstream.
+
+why and how:
+causes black screen on PNP on DCN 3.5
+
+This reverts commit f30a3bea92bd ("drm/amd/display: Exit idle
+optimizations before HDCP execution")
+
+Cc: Mario Limonciello
+Cc: Alex Deucher
+Reviewed-by: Nicholas Kazlauskas
+Acked-by: Wayne Lin
+Signed-off-by: Martin Leung
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c | 10 ----------
+ drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h | 8 --------
+ 2 files changed, 18 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c
+@@ -88,14 +88,6 @@ static uint8_t is_cp_desired_hdcp2(struc
+ !hdcp->connection.is_hdcp2_revoked;
+ }
+
+-static void exit_idle_optimizations(struct mod_hdcp *hdcp)
+-{
+- struct mod_hdcp_dm *dm = &hdcp->config.dm;
+-
+- if (dm->funcs.exit_idle_optimizations)
+- dm->funcs.exit_idle_optimizations(dm->handle);
+-}
+-
+ static enum mod_hdcp_status execution(struct mod_hdcp *hdcp,
+ struct mod_hdcp_event_context *event_ctx,
+ union mod_hdcp_transition_input *input)
+@@ -551,8 +543,6 @@ enum mod_hdcp_status mod_hdcp_process_ev
+ memset(&event_ctx, 0, sizeof(struct mod_hdcp_event_context));
+ event_ctx.event = event;
+
+- exit_idle_optimizations(hdcp);
+-
+ /* execute and transition */
+ exec_status = execution(hdcp, &event_ctx, &hdcp->auth.trans_input);
+ trans_status = transition(
+--- a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h
++++ b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h
+@@ -156,13 +156,6 @@ struct mod_hdcp_ddc {
+ } funcs;
+ };
+
+-struct mod_hdcp_dm {
+- void *handle;
+- struct {
+- void (*exit_idle_optimizations)(void *handle);
+- } funcs;
+-};
+-
+ struct mod_hdcp_psp {
+ void *handle;
+ void *funcs;
+@@ -279,7 +272,6 @@ struct mod_hdcp_display_query {
+ struct mod_hdcp_config {
+ struct mod_hdcp_psp psp;
+ struct mod_hdcp_ddc ddc;
+- struct mod_hdcp_dm dm;
+ uint8_t index;
+ };
+
diff --git a/queue-6.6/hid-asus-asus_report_fixup-fix-potential-read-out-of-bounds.patch b/queue-6.6/hid-asus-asus_report_fixup-fix-potential-read-out-of-bounds.patch
new file mode 100644
index 00000000000..5cfafcd0fba
--- /dev/null
+++ b/queue-6.6/hid-asus-asus_report_fixup-fix-potential-read-out-of-bounds.patch
@@ -0,0 +1,37 @@
+From 89e1ee118d6f0ee6bd6e80d8fe08839875daa241 Mon Sep 17 00:00:00 2001
+From: Andrew Ballance
+Date: Sun, 2 Jun 2024 03:50:23 -0500
+Subject: hid: asus: asus_report_fixup: fix potential read out of bounds
+
+From: Andrew Ballance
+
+commit 89e1ee118d6f0ee6bd6e80d8fe08839875daa241 upstream.
+
+syzbot reported a potential read out of bounds in asus_report_fixup.
+
+this patch adds checks so that a read out of bounds will not occur
+
+Signed-off-by: Andrew Ballance
+Reported-by:
+Closes: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c
+Fixes: 59d2f5b7392e ("HID: asus: fix more n-key report descriptors if n-key quirked")
+Link: https://lore.kernel.org/r/20240602085023.1720492-1-andrewjballance@gmail.com
+Signed-off-by: Benjamin Tissoires
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/hid-asus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hid-asus.c
++++ b/drivers/hid/hid-asus.c
+@@ -1235,8 +1235,8 @@ static __u8 *asus_report_fixup(struct hi
+ }
+
+ /* match many more n-key devices */
+- if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) {
+- for (int i = 0; i < *rsize + 1; i++) {
++ if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) {
++ for (int i = 0; i < *rsize - 15; i++) {
+ /* offset to the count from 0x5a report part always 14 */
+ if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a &&
+ rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) {
diff --git a/queue-6.6/kprobe-ftrace-fix-build-error-due-to-bad-function-definition.patch b/queue-6.6/kprobe-ftrace-fix-build-error-due-to-bad-function-definition.patch
new file mode 100644
index 00000000000..f8ef91dddbc
--- /dev/null
+++ b/queue-6.6/kprobe-ftrace-fix-build-error-due-to-bad-function-definition.patch
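Review bot: The bound `*rsize - 15` in the new loop is only safe because of the `*rsize > 15` test added to the `if` above it; if `rsize` points to an unsigned count (its declaration is outside the hunk), dropping or reordering that guard would make the subtraction wrap and bring the out-of-bounds read back. The literal 15 is the largest offset read in the condition below (`rdesc[i + 15]`), which the code does not say; a comment such as `/* highest index read below is i + 15, so i must stay below *rsize - 15 */` or a named constant would tie the two together. `int i` is also compared against that count, so declaring it with the same type as `*rsize` would avoid a mixed-sign comparison. asus_report_fixup starts and ends outside the hunk, so any write inside the matched branch cannot be checked from here.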
@@ -0,0 +1,45 @@
+From 4b377b4868ef17b040065bd468668c707d2477a5 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Fri, 17 May 2024 19:17:55 -0700
+Subject: kprobe/ftrace: fix build error due to bad function definition
+
+From: Linus Torvalds
+
+commit 4b377b4868ef17b040065bd468668c707d2477a5 upstream.
+
+Commit 1a7d0890dd4a ("kprobe/ftrace: bail out if ftrace was killed")
+introduced a bad K&R function definition, which we haven't accepted in a
+long long time.
+
+Gcc seems to let it slide, but clang notices with the appropriate error:
+
+ kernel/kprobes.c:1140:24: error: a function declaration without a prototype is deprecated in all >
+ 1140 | void kprobe_ftrace_kill()
+ | ^
+ | void
+
+but this commit was apparently never in linux-next before it was sent
+upstream, so it didn't get the appropriate build test coverage.
+
+Fixes: 1a7d0890dd4a kprobe/ftrace: bail out if ftrace was killed
+Cc: Stephen Brennan
+Cc: Masami Hiramatsu (Google)
+Cc: Guo Ren
+Cc: Steven Rostedt (Google)
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/kprobes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1138,7 +1138,7 @@ static int disarm_kprobe_ftrace(struct k
+ ipmodify ? &kprobe_ipmodify_enabled : &kprobe_ftrace_enabled);
+ }
+
+-void kprobe_ftrace_kill()
++void kprobe_ftrace_kill(void)
+ {
+ kprobe_ftrace_disabled = true;
+ }
diff --git a/queue-6.6/net-sched-unregister-lockdep-keys-in-qdisc_create-qdisc_alloc-error-path.patch b/queue-6.6/net-sched-unregister-lockdep-keys-in-qdisc_create-qdisc_alloc-error-path.patch
new file mode 100644
index 00000000000..108a505b0da
--- /dev/null
+++ b/queue-6.6/net-sched-unregister-lockdep-keys-in-qdisc_create-qdisc_alloc-error-path.patch
@@ -0,0 +1,135 @@
+From 86735b57c905e775f05de995df35379366b72168 Mon Sep 17 00:00:00 2001
+From: Davide Caratti
+Date: Tue, 30 Apr 2024 19:11:13 +0200
+Subject: net/sched: unregister lockdep keys in qdisc_create/qdisc_alloc error path
+
+From: Davide Caratti
+
+commit 86735b57c905e775f05de995df35379366b72168 upstream.
+
+Naresh and Eric report several errors (corrupted elements in the dynamic
+key hash list), when running tdc.py or syzbot. The error path of
+qdisc_alloc() and qdisc_create() frees the qdisc memory, but it forgets
+to unregister the lockdep key, thus causing use-after-free like the
+following one:
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in lockdep_register_key+0x5f2/0x700
+ Read of size 8 at addr ffff88811236f2a8 by task ip/7925
+
+ CPU: 26 PID: 7925 Comm: ip Kdump: loaded Not tainted 6.9.0-rc2+ #648
+ Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013
+ Call Trace:
+
+ dump_stack_lvl+0x7c/0xc0
+ print_report+0xc9/0x610
+ kasan_report+0x89/0xc0
+ lockdep_register_key+0x5f2/0x700
+ qdisc_alloc+0x21d/0xb60
+ qdisc_create_dflt+0x63/0x3c0
+ attach_one_default_qdisc.constprop.37+0x8e/0x170
+ dev_activate+0x4bd/0xc30
+ __dev_open+0x275/0x380
+ __dev_change_flags+0x3f1/0x570
+ dev_change_flags+0x7c/0x160
+ do_setlink+0x1ea1/0x34b0
+ __rtnl_newlink+0x8c9/0x1510
+ rtnl_newlink+0x61/0x90
+ rtnetlink_rcv_msg+0x2f0/0xbc0
+ netlink_rcv_skb+0x120/0x380
+ netlink_unicast+0x420/0x630
+ netlink_sendmsg+0x732/0xbc0
+ __sock_sendmsg+0x1ea/0x280
+ ____sys_sendmsg+0x5a9/0x990
+ ___sys_sendmsg+0xf1/0x180
+ __sys_sendmsg+0xd3/0x180
+ do_syscall_64+0x96/0x180
+ entry_SYSCALL_64_after_hwframe+0x71/0x79
+ RIP: 0033:0x7f9503f4fa07
+ Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
+ RSP: 002b:00007fff6c729068 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+ RAX: ffffffffffffffda RBX: 000000006630c681 RCX: 00007f9503f4fa07
+ RDX: 0000000000000000 RSI: 00007fff6c7290d0 RDI: 0000000000000003
+ RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000078
+ R10: 000000000000009b R11: 0000000000000246 R12: 0000000000000001
+ R13: 00007fff6c729180 R14: 0000000000000000 R15: 000055bf67dd9040
+
+
+ Allocated by task 7745:
+ kasan_save_stack+0x1c/0x40
+ kasan_save_track+0x10/0x30
+ __kasan_kmalloc+0x7b/0x90
+ __kmalloc_node+0x1ff/0x460
+ qdisc_alloc+0xae/0xb60
+ qdisc_create+0xdd/0xfb0
+ tc_modify_qdisc+0x37e/0x1960
+ rtnetlink_rcv_msg+0x2f0/0xbc0
+ netlink_rcv_skb+0x120/0x380
+ netlink_unicast+0x420/0x630
+ netlink_sendmsg+0x732/0xbc0
+ __sock_sendmsg+0x1ea/0x280
+ ____sys_sendmsg+0x5a9/0x990
+ ___sys_sendmsg+0xf1/0x180
+ __sys_sendmsg+0xd3/0x180
+ do_syscall_64+0x96/0x180
+ entry_SYSCALL_64_after_hwframe+0x71/0x79
+
+ Freed by task 7745:
+ kasan_save_stack+0x1c/0x40
+ kasan_save_track+0x10/0x30
+ kasan_save_free_info+0x36/0x60
+ __kasan_slab_free+0xfe/0x180
+ kfree+0x113/0x380
+ qdisc_create+0xafb/0xfb0
+ tc_modify_qdisc+0x37e/0x1960
+ rtnetlink_rcv_msg+0x2f0/0xbc0
+ netlink_rcv_skb+0x120/0x380
+ netlink_unicast+0x420/0x630
+ netlink_sendmsg+0x732/0xbc0
+ __sock_sendmsg+0x1ea/0x280
+ ____sys_sendmsg+0x5a9/0x990
+ ___sys_sendmsg+0xf1/0x180
+ __sys_sendmsg+0xd3/0x180
+ do_syscall_64+0x96/0x180
+ entry_SYSCALL_64_after_hwframe+0x71/0x79
+
+Fix this ensuring that lockdep_unregister_key() is called before the
+qdisc struct is freed, also in the error path of qdisc_create() and
+qdisc_alloc().
+
+Fixes: af0cb3fa3f9e ("net/sched: fix false lockdep warning on qdisc root lock")
+Reported-by: Linux Kernel Functional Testing
+Closes: https://lore.kernel.org/netdev/20240429221706.1492418-1-naresh.kamboju@linaro.org/
+Signed-off-by: Davide Caratti
+Reviewed-by: Eric Dumazet
+Reviewed-by: Ido Schimmel
+Tested-by: Naresh Kamboju
+Tested-by: Ido Schimmel
+Link: https://lore.kernel.org/r/2aa1ca0c0a3aa0acc15925c666c777a4b5de553c.1714496886.git.dcaratti@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/sch_api.c | 1 +
+ net/sched/sch_generic.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1360,6 +1360,7 @@ err_out4:
+ ops->destroy(sch);
+ qdisc_put_stab(rtnl_dereference(sch->stab));
+ err_out3:
++ lockdep_unregister_key(&sch->root_lock_key);
+ netdev_put(dev, &sch->dev_tracker);
+ qdisc_free(sch);
+ err_out2:
+--- a/net/sched/sch_generic.c
++++ b/net/sched/sch_generic.c
+@@ -978,6 +978,7 @@ struct Qdisc *qdisc_alloc(struct netdev_
+
+ return sch;
+ errout1:
++ lockdep_unregister_key(&sch->root_lock_key);
+ kfree(sch);
+ errout:
+ return ERR_PTR(err);
diff --git a/queue-6.6/revert-mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch b/queue-6.6/revert-mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch
new file mode 100644
index 00000000000..5d4fcebb600
--- /dev/null
+++ b/queue-6.6/revert-mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch
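Review bot: The new `lockdep_unregister_key(&sch->root_lock_key)` at `err_out3` in sch_api.c and at `errout1` in sch_generic.c is only correct if every jump to those labels happens after the key was registered; the registration site is outside both hunks, so that pairing cannot be checked from here and should be confirmed against the 6.6 tree this backport targets. A short comment at each label, for example `/* pairs with lockdep_register_key() done when the qdisc was allocated */`, would keep a later error path from freeing the qdisc with its key still registered, which is the use-after-free the KASAN report in the commit message shows. Both functions start and end outside the hunks.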
@@ -0,0 +1,71 @@
+From 14d7c92f8df9c0964ae6f8b813c1b3ac38120825 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Mon, 17 Jun 2024 12:57:03 -0700
+Subject: Revert "mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default"
+
+From: Linus Torvalds
+
+commit 14d7c92f8df9c0964ae6f8b813c1b3ac38120825 upstream.
+
+This reverts commit 3afb76a66b5559a7b595155803ce23801558a7a9.
+
+This was a wrongheaded workaround for an issue that had already been
+fixed much better by commit 4ef9ad19e176 ("mm: huge_memory: don't force
+huge page alignment on 32 bit").
+
+Asking users questions at kernel compile time that they can't make sense
+of is not a viable strategy. And the fact that even the kernel VM
+maintainers apparently didn't catch that this "fix" is not a fix any
+more pretty much proves the point that people can't be expected to
+understand the implications of the question.
+
+It may well be the case that we could improve things further, and that
+__thp_get_unmapped_area() should take the mapping randomization into
+account even for 64-bit kernels. Maybe we should not be so eager to use
+THP mappings.
+
+But in no case should this be a kernel config option.
+
+Cc: Rafael Aquini
+Cc: Andrew Morton
+Cc: Jiri Slaby
+Cc: Suren Baghdasaryan
+Cc: Matthew Wilcox (Oracle)
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/Kconfig | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -1037,21 +1037,10 @@ config ARCH_MMAP_RND_BITS_MAX
+ config ARCH_MMAP_RND_BITS_DEFAULT
+ int
+
+-config FORCE_MAX_MMAP_RND_BITS
+- bool "Force maximum number of bits to use for ASLR of mmap base address"
+- default y if !64BIT
+- help
+- ARCH_MMAP_RND_BITS and ARCH_MMAP_RND_COMPAT_BITS represent the number
+- of bits to use for ASLR and if no custom value is assigned (EXPERT)
+- then the architecture's lower bound (minimum) value is assumed.
+- This toggle changes that default assumption to assume the arch upper
+- bound (maximum) value instead.
+-
+ config ARCH_MMAP_RND_BITS
+ int "Number of bits to use for ASLR of mmap base address" if EXPERT
+ range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+ default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
+- default ARCH_MMAP_RND_BITS_MAX if FORCE_MAX_MMAP_RND_BITS
+ default ARCH_MMAP_RND_BITS_MIN
+ depends on HAVE_ARCH_MMAP_RND_BITS
+ help
+@@ -1086,7 +1075,6 @@ config ARCH_MMAP_RND_COMPAT_BITS
+ int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+ range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+ default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
+- default ARCH_MMAP_RND_COMPAT_BITS_MAX if FORCE_MAX_MMAP_RND_BITS
+ default ARCH_MMAP_RND_COMPAT_BITS_MIN
+ depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+ help
diff --git a/queue-6.6/series b/queue-6.6/series
index e36ad0b1b84..bbfb5067fd9 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -184,3 +184,9 @@ vgacon-rework-screen_info-ifdef-checks.patch
 efi-move-screen_info-into-efi-init-code.patch
 efi-loongarch-directly-position-the-loaded-image-fil.patch
 loongarch-fix-entry-point-in-kernel-image-header.patch
+drm-amd-display-revert-exit-idle-optimizations-before-hdcp-execution.patch
+asoc-intel-sof-sdw-really-remove-four_speaker-quirk.patch
+net-sched-unregister-lockdep-keys-in-qdisc_create-qdisc_alloc-error-path.patch
+kprobe-ftrace-fix-build-error-due-to-bad-function-definition.patch
+hid-asus-asus_report_fixup-fix-potential-read-out-of-bounds.patch
+revert-mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch
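Review bot: With `FORCE_MAX_MMAP_RND_BITS` removed, `ARCH_MMAP_RND_BITS` and `ARCH_MMAP_RND_COMPAT_BITS` fall back to their `_MIN` default wherever no architecture default is set, so builds that had picked up `default y if !64BIT` go from the maximum back to the minimum number of mmap ASLR bits. The commit message justifies this by commit 4ef9ad19e176 having fixed the underlying problem; whether that commit is already in the 6.6 tree is not visible on this page and should be confirmed before this revert is applied, since without it the revert would presumably only lower the randomization. Configurations that set the removed symbol will lose it without a prompt on the next config update, so distributions that want more than the minimum should set `ARCH_MMAP_RND_BITS` explicitly.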