From: Greg Kroah-Hartman Date: Tue, 25 Jun 2024 06:46:25 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v6.1.96~17 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d4609d69beaf9b1d84d12a50ef1cd0a1f3d8f8ea;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: drm-amd-display-revert-exit-idle-optimizations-before-hdcp-execution.patch hid-asus-asus_report_fixup-fix-potential-read-out-of-bounds.patch net-sched-unregister-lockdep-keys-in-qdisc_create-qdisc_alloc-error-path.patch revert-mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch --- diff --git a/queue-6.1/drm-amd-display-revert-exit-idle-optimizations-before-hdcp-execution.patch b/queue-6.1/drm-amd-display-revert-exit-idle-optimizations-before-hdcp-execution.patch new file mode 100644 index 00000000000..b4def124267 --- /dev/null +++ b/queue-6.1/drm-amd-display-revert-exit-idle-optimizations-before-hdcp-execution.patch @@ -0,0 +1,78 @@ +From f2703a3596a279b0be6eeed4c500bdbaa8dc3ce4 Mon Sep 17 00:00:00 2001 +From: Martin Leung +Date: Mon, 26 Feb 2024 13:20:08 -0500 +Subject: drm/amd/display: revert Exit idle optimizations before HDCP execution + +From: Martin Leung + +commit f2703a3596a279b0be6eeed4c500bdbaa8dc3ce4 upstream. + +why and how: +causes black screen on PNP on DCN 3.5 + +This reverts commit f30a3bea92bd ("drm/amd/display: Exit idle +optimizations before HDCP execution") + +Cc: Mario Limonciello +Cc: Alex Deucher +Reviewed-by: Nicholas Kazlauskas +Acked-by: Wayne Lin +Signed-off-by: Martin Leung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c | 10 ---------- + drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h | 8 -------- + 2 files changed, 18 deletions(-) + +--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c ++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp.c +@@ -88,14 +88,6 @@ static uint8_t is_cp_desired_hdcp2(struc + !hdcp->connection.is_hdcp2_revoked; + } + +-static void exit_idle_optimizations(struct mod_hdcp *hdcp) +-{ +- struct mod_hdcp_dm *dm = &hdcp->config.dm; +- +- if (dm->funcs.exit_idle_optimizations) +- dm->funcs.exit_idle_optimizations(dm->handle); +-} +- + static enum mod_hdcp_status execution(struct mod_hdcp *hdcp, + struct mod_hdcp_event_context *event_ctx, + union mod_hdcp_transition_input *input) +@@ -551,8 +543,6 @@ enum mod_hdcp_status mod_hdcp_process_ev + memset(&event_ctx, 0, sizeof(struct mod_hdcp_event_context)); + event_ctx.event = event; + +- exit_idle_optimizations(hdcp); +- + /* execute and transition */ + exec_status = execution(hdcp, &event_ctx, &hdcp->auth.trans_input); + trans_status = transition( +--- a/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h ++++ b/drivers/gpu/drm/amd/display/modules/inc/mod_hdcp.h +@@ -155,13 +155,6 @@ struct mod_hdcp_ddc { + } funcs; + }; + +-struct mod_hdcp_dm { +- void *handle; +- struct { +- void (*exit_idle_optimizations)(void *handle); +- } funcs; +-}; +- + struct mod_hdcp_psp { + void *handle; + void *funcs; +@@ -278,7 +271,6 @@ struct mod_hdcp_display_query { + struct mod_hdcp_config { + struct mod_hdcp_psp psp; + struct mod_hdcp_ddc ddc; +- struct mod_hdcp_dm dm; + uint8_t index; + }; + diff --git a/queue-6.1/hid-asus-asus_report_fixup-fix-potential-read-out-of-bounds.patch b/queue-6.1/hid-asus-asus_report_fixup-fix-potential-read-out-of-bounds.patch new file mode 100644 index 00000000000..8eb5f03dd49 --- /dev/null +++ b/queue-6.1/hid-asus-asus_report_fixup-fix-potential-read-out-of-bounds.patch @@ -0,0 +1,37 @@ +From 89e1ee118d6f0ee6bd6e80d8fe08839875daa241 Mon Sep 17 00:00:00 2001 +From: Andrew Ballance +Date: Sun, 2 Jun 2024 03:50:23 -0500 +Subject: hid: asus: asus_report_fixup: fix potential read out of bounds + +From: Andrew Ballance + +commit 89e1ee118d6f0ee6bd6e80d8fe08839875daa241 upstream. + +syzbot reported a potential read out of bounds in asus_report_fixup. + +this patch adds checks so that a read out of bounds will not occur + +Signed-off-by: Andrew Ballance +Reported-by: +Closes: https://syzkaller.appspot.com/bug?extid=07762f019fd03d01f04c +Fixes: 59d2f5b7392e ("HID: asus: fix more n-key report descriptors if n-key quirked") +Link: https://lore.kernel.org/r/20240602085023.1720492-1-andrewjballance@gmail.com +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-asus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hid/hid-asus.c ++++ b/drivers/hid/hid-asus.c +@@ -1247,8 +1247,8 @@ static __u8 *asus_report_fixup(struct hi + } + + /* match many more n-key devices */ +- if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD) { +- for (int i = 0; i < *rsize + 1; i++) { ++ if (drvdata->quirks & QUIRK_ROG_NKEY_KEYBOARD && *rsize > 15) { ++ for (int i = 0; i < *rsize - 15; i++) { + /* offset to the count from 0x5a report part always 14 */ + if (rdesc[i] == 0x85 && rdesc[i + 1] == 0x5a && + rdesc[i + 14] == 0x95 && rdesc[i + 15] == 0x05) { diff --git a/queue-6.1/net-sched-unregister-lockdep-keys-in-qdisc_create-qdisc_alloc-error-path.patch b/queue-6.1/net-sched-unregister-lockdep-keys-in-qdisc_create-qdisc_alloc-error-path.patch new file mode 100644 index 00000000000..b3a47a9ad2f --- /dev/null +++ b/queue-6.1/net-sched-unregister-lockdep-keys-in-qdisc_create-qdisc_alloc-error-path.patch @@ -0,0 +1,135 @@ +From 86735b57c905e775f05de995df35379366b72168 Mon Sep 17 00:00:00 2001 +From: Davide Caratti +Date: Tue, 30 Apr 2024 19:11:13 +0200 +Subject: net/sched: unregister lockdep keys in qdisc_create/qdisc_alloc error path + +From: Davide Caratti + +commit 86735b57c905e775f05de995df35379366b72168 upstream. + +Naresh and Eric report several errors (corrupted elements in the dynamic +key hash list), when running tdc.py or syzbot. The error path of +qdisc_alloc() and qdisc_create() frees the qdisc memory, but it forgets +to unregister the lockdep key, thus causing use-after-free like the +following one: + + ================================================================== + BUG: KASAN: slab-use-after-free in lockdep_register_key+0x5f2/0x700 + Read of size 8 at addr ffff88811236f2a8 by task ip/7925 + + CPU: 26 PID: 7925 Comm: ip Kdump: loaded Not tainted 6.9.0-rc2+ #648 + Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 + Call Trace: + + dump_stack_lvl+0x7c/0xc0 + print_report+0xc9/0x610 + kasan_report+0x89/0xc0 + lockdep_register_key+0x5f2/0x700 + qdisc_alloc+0x21d/0xb60 + qdisc_create_dflt+0x63/0x3c0 + attach_one_default_qdisc.constprop.37+0x8e/0x170 + dev_activate+0x4bd/0xc30 + __dev_open+0x275/0x380 + __dev_change_flags+0x3f1/0x570 + dev_change_flags+0x7c/0x160 + do_setlink+0x1ea1/0x34b0 + __rtnl_newlink+0x8c9/0x1510 + rtnl_newlink+0x61/0x90 + rtnetlink_rcv_msg+0x2f0/0xbc0 + netlink_rcv_skb+0x120/0x380 + netlink_unicast+0x420/0x630 + netlink_sendmsg+0x732/0xbc0 + __sock_sendmsg+0x1ea/0x280 + ____sys_sendmsg+0x5a9/0x990 + ___sys_sendmsg+0xf1/0x180 + __sys_sendmsg+0xd3/0x180 + do_syscall_64+0x96/0x180 + entry_SYSCALL_64_after_hwframe+0x71/0x79 + RIP: 0033:0x7f9503f4fa07 + Code: 0a 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10 + RSP: 002b:00007fff6c729068 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 000000006630c681 RCX: 00007f9503f4fa07 + RDX: 0000000000000000 RSI: 00007fff6c7290d0 RDI: 0000000000000003 + RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000078 + R10: 000000000000009b R11: 0000000000000246 R12: 0000000000000001 + R13: 00007fff6c729180 R14: 0000000000000000 R15: 000055bf67dd9040 + + + Allocated by task 7745: + kasan_save_stack+0x1c/0x40 + kasan_save_track+0x10/0x30 + __kasan_kmalloc+0x7b/0x90 + __kmalloc_node+0x1ff/0x460 + qdisc_alloc+0xae/0xb60 + qdisc_create+0xdd/0xfb0 + tc_modify_qdisc+0x37e/0x1960 + rtnetlink_rcv_msg+0x2f0/0xbc0 + netlink_rcv_skb+0x120/0x380 + netlink_unicast+0x420/0x630 + netlink_sendmsg+0x732/0xbc0 + __sock_sendmsg+0x1ea/0x280 + ____sys_sendmsg+0x5a9/0x990 + ___sys_sendmsg+0xf1/0x180 + __sys_sendmsg+0xd3/0x180 + do_syscall_64+0x96/0x180 + entry_SYSCALL_64_after_hwframe+0x71/0x79 + + Freed by task 7745: + kasan_save_stack+0x1c/0x40 + kasan_save_track+0x10/0x30 + kasan_save_free_info+0x36/0x60 + __kasan_slab_free+0xfe/0x180 + kfree+0x113/0x380 + qdisc_create+0xafb/0xfb0 + tc_modify_qdisc+0x37e/0x1960 + rtnetlink_rcv_msg+0x2f0/0xbc0 + netlink_rcv_skb+0x120/0x380 + netlink_unicast+0x420/0x630 + netlink_sendmsg+0x732/0xbc0 + __sock_sendmsg+0x1ea/0x280 + ____sys_sendmsg+0x5a9/0x990 + ___sys_sendmsg+0xf1/0x180 + __sys_sendmsg+0xd3/0x180 + do_syscall_64+0x96/0x180 + entry_SYSCALL_64_after_hwframe+0x71/0x79 + +Fix this ensuring that lockdep_unregister_key() is called before the +qdisc struct is freed, also in the error path of qdisc_create() and +qdisc_alloc(). + +Fixes: af0cb3fa3f9e ("net/sched: fix false lockdep warning on qdisc root lock") +Reported-by: Linux Kernel Functional Testing +Closes: https://lore.kernel.org/netdev/20240429221706.1492418-1-naresh.kamboju@linaro.org/ +Signed-off-by: Davide Caratti +Reviewed-by: Eric Dumazet +Reviewed-by: Ido Schimmel +Tested-by: Naresh Kamboju +Tested-by: Ido Schimmel +Link: https://lore.kernel.org/r/2aa1ca0c0a3aa0acc15925c666c777a4b5de553c.1714496886.git.dcaratti@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/sch_api.c | 1 + + net/sched/sch_generic.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1353,6 +1353,7 @@ err_out5: + if (ops->destroy) + ops->destroy(sch); + err_out3: ++ lockdep_unregister_key(&sch->root_lock_key); + netdev_put(dev, &sch->dev_tracker); + qdisc_free(sch); + err_out2: +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -978,6 +978,7 @@ struct Qdisc *qdisc_alloc(struct netdev_ + + return sch; + errout1: ++ lockdep_unregister_key(&sch->root_lock_key); + kfree(sch); + errout: + return ERR_PTR(err); diff --git a/queue-6.1/revert-mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch b/queue-6.1/revert-mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch new file mode 100644 index 00000000000..bb28b221abe --- /dev/null +++ b/queue-6.1/revert-mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch @@ -0,0 +1,71 @@ +From 14d7c92f8df9c0964ae6f8b813c1b3ac38120825 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Mon, 17 Jun 2024 12:57:03 -0700 +Subject: Revert "mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default" + +From: Linus Torvalds + +commit 14d7c92f8df9c0964ae6f8b813c1b3ac38120825 upstream. + +This reverts commit 3afb76a66b5559a7b595155803ce23801558a7a9. + +This was a wrongheaded workaround for an issue that had already been +fixed much better by commit 4ef9ad19e176 ("mm: huge_memory: don't force +huge page alignment on 32 bit"). + +Asking users questions at kernel compile time that they can't make sense +of is not a viable strategy. And the fact that even the kernel VM +maintainers apparently didn't catch that this "fix" is not a fix any +more pretty much proves the point that people can't be expected to +understand the implications of the question. + +It may well be the case that we could improve things further, and that +__thp_get_unmapped_area() should take the mapping randomization into +account even for 64-bit kernels. Maybe we should not be so eager to use +THP mappings. + +But in no case should this be a kernel config option. + +Cc: Rafael Aquini +Cc: Andrew Morton +Cc: Jiri Slaby +Cc: Suren Baghdasaryan +Cc: Matthew Wilcox (Oracle) +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + arch/Kconfig | 12 ------------ + 1 file changed, 12 deletions(-) + +--- a/arch/Kconfig ++++ b/arch/Kconfig +@@ -981,21 +981,10 @@ config ARCH_MMAP_RND_BITS_MAX + config ARCH_MMAP_RND_BITS_DEFAULT + int + +-config FORCE_MAX_MMAP_RND_BITS +- bool "Force maximum number of bits to use for ASLR of mmap base address" +- default y if !64BIT +- help +- ARCH_MMAP_RND_BITS and ARCH_MMAP_RND_COMPAT_BITS represent the number +- of bits to use for ASLR and if no custom value is assigned (EXPERT) +- then the architecture's lower bound (minimum) value is assumed. +- This toggle changes that default assumption to assume the arch upper +- bound (maximum) value instead. +- + config ARCH_MMAP_RND_BITS + int "Number of bits to use for ASLR of mmap base address" if EXPERT + range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX + default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT +- default ARCH_MMAP_RND_BITS_MAX if FORCE_MAX_MMAP_RND_BITS + default ARCH_MMAP_RND_BITS_MIN + depends on HAVE_ARCH_MMAP_RND_BITS + help +@@ -1030,7 +1019,6 @@ config ARCH_MMAP_RND_COMPAT_BITS + int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT + range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX + default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT +- default ARCH_MMAP_RND_COMPAT_BITS_MAX if FORCE_MAX_MMAP_RND_BITS + default ARCH_MMAP_RND_COMPAT_BITS_MIN + depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS + help diff --git a/queue-6.1/series b/queue-6.1/series index 2d3130fb03a..a62547c6397 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -125,3 +125,7 @@ x86-cpu-vfm-add-new-macros-to-work-with-vendor-famil.patch x86-cpu-fix-x86_match_cpu-to-match-just-x86_vendor_i.patch revert-kheaders-substituting-sort-in-archive-creatio.patch kheaders-explicitly-define-file-modes-for-archived-h.patch +drm-amd-display-revert-exit-idle-optimizations-before-hdcp-execution.patch +net-sched-unregister-lockdep-keys-in-qdisc_create-qdisc_alloc-error-path.patch +hid-asus-asus_report_fixup-fix-potential-read-out-of-bounds.patch +revert-mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch