mirrors/linux
2
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-05-09 06:41:06 -04:00
Code Issues Packages Projects Releases Wiki Activity
1,339,258 Commits 1 Branch 929 Tags
d4673f3c3b3dcb74e36e53cdfc880baa7a87b330
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Chris Bainbridge d4673f3c3b drm/amd/display: Fix slab-use-after-free in hdcp 
The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector
objects without incrementing the kref reference counts. When using a
USB-C dock, and the dock is unplugged, the corresponding
amdgpu_dm_connector objects are freed, creating dangling pointers in the
HDCP code. When the dock is plugged back, the dangling pointers are
dereferenced, resulting in a slab-use-after-free:

[   66.775837] BUG: KASAN: slab-use-after-free in event_property_validate+0x42f/0x6c0 [amdgpu]
[   66.776171] Read of size 4 at addr ffff888127804120 by task kworker/0:1/10

[   66.776179] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.14.0-rc7-00180-g54505f727a38-dirty #233
[   66.776183] Hardware name: HP HP Pavilion Aero Laptop 13-be0xxx/8916, BIOS F.17 12/18/2024
[   66.776186] Workqueue: events event_property_validate [amdgpu]
[   66.776494] Call Trace:
[   66.776496]  <TASK>
[   66.776497]  dump_stack_lvl+0x70/0xa0
[   66.776504]  print_report+0x175/0x555
[   66.776507]  ? __virt_addr_valid+0x243/0x450
[   66.776510]  ? kasan_complete_mode_report_info+0x66/0x1c0
[   66.776515]  kasan_report+0xeb/0x1c0
[   66.776518]  ? event_property_validate+0x42f/0x6c0 [amdgpu]
[   66.776819]  ? event_property_validate+0x42f/0x6c0 [amdgpu]
[   66.777121]  __asan_report_load4_noabort+0x14/0x20
[   66.777124]  event_property_validate+0x42f/0x6c0 [amdgpu]
[   66.777342]  ? __lock_acquire+0x6b40/0x6b40
[   66.777347]  ? enable_assr+0x250/0x250 [amdgpu]
[   66.777571]  process_one_work+0x86b/0x1510
[   66.777575]  ? pwq_dec_nr_in_flight+0xcf0/0xcf0
[   66.777578]  ? assign_work+0x16b/0x280
[   66.777580]  ? lock_is_held_type+0xa3/0x130
[   66.777583]  worker_thread+0x5c0/0xfa0
[   66.777587]  ? process_one_work+0x1510/0x1510
[   66.777588]  kthread+0x3a2/0x840
[   66.777591]  ? kthread_is_per_cpu+0xd0/0xd0
[   66.777594]  ? trace_hardirqs_on+0x4f/0x60
[   66.777597]  ? _raw_spin_unlock_irq+0x27/0x60
[   66.777599]  ? calculate_sigpending+0x77/0xa0
[   66.777602]  ? kthread_is_per_cpu+0xd0/0xd0
[   66.777605]  ret_from_fork+0x40/0x90
[   66.777607]  ? kthread_is_per_cpu+0xd0/0xd0
[   66.777609]  ret_from_fork_asm+0x11/0x20
[   66.777614]  </TASK>

[   66.777643] Allocated by task 10:
[   66.777646]  kasan_save_stack+0x39/0x60
[   66.777649]  kasan_save_track+0x14/0x40
[   66.777652]  kasan_save_alloc_info+0x37/0x50
[   66.777655]  __kasan_kmalloc+0xbb/0xc0
[   66.777658]  __kmalloc_cache_noprof+0x1c8/0x4b0
[   66.777661]  dm_dp_add_mst_connector+0xdd/0x5c0 [amdgpu]
[   66.777880]  drm_dp_mst_port_add_connector+0x47e/0x770 [drm_display_helper]
[   66.777892]  drm_dp_send_link_address+0x1554/0x2bf0 [drm_display_helper]
[   66.777901]  drm_dp_check_and_send_link_address+0x187/0x1f0 [drm_display_helper]
[   66.777909]  drm_dp_mst_link_probe_work+0x2b8/0x410 [drm_display_helper]
[   66.777917]  process_one_work+0x86b/0x1510
[   66.777919]  worker_thread+0x5c0/0xfa0
[   66.777922]  kthread+0x3a2/0x840
[   66.777925]  ret_from_fork+0x40/0x90
[   66.777927]  ret_from_fork_asm+0x11/0x20

[   66.777932] Freed by task 1713:
[   66.777935]  kasan_save_stack+0x39/0x60
[   66.777938]  kasan_save_track+0x14/0x40
[   66.777940]  kasan_save_free_info+0x3b/0x60
[   66.777944]  __kasan_slab_free+0x52/0x70
[   66.777946]  kfree+0x13f/0x4b0
[   66.777949]  dm_dp_mst_connector_destroy+0xfa/0x150 [amdgpu]
[   66.778179]  drm_connector_free+0x7d/0xb0
[   66.778184]  drm_mode_object_put.part.0+0xee/0x160
[   66.778188]  drm_mode_object_put+0x37/0x50
[   66.778191]  drm_atomic_state_default_clear+0x220/0xd60
[   66.778194]  __drm_atomic_state_free+0x16e/0x2a0
[   66.778197]  drm_mode_atomic_ioctl+0x15ed/0x2ba0
[   66.778200]  drm_ioctl_kernel+0x17a/0x310
[   66.778203]  drm_ioctl+0x584/0xd10
[   66.778206]  amdgpu_drm_ioctl+0xd2/0x1c0 [amdgpu]
[   66.778375]  __x64_sys_ioctl+0x139/0x1a0
[   66.778378]  x64_sys_call+0xee7/0xfb0
[   66.778381]  do_syscall_64+0x87/0x140
[   66.778385]  entry_SYSCALL_64_after_hwframe+0x4b/0x53

Fix this by properly incrementing and decrementing the reference counts
when making and deleting copies of the amdgpu_dm_connector pointers.

(Mario: rebase on current code and update fixes tag)

Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4006
Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Fixes: da3fd7ac0b ("drm/amd/display: Update CP property based on HW query")
Reviewed-by: Alex Hung <alex.hung@amd.com>
Link: https://lore.kernel.org/r/20250417215005.37964-1-mario.limonciello@amd.com
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2025-04-30 18:03:08 -04:00
arch
Backmerge tag 'v6.14-rc6' into drm-next
2025-03-12 09:43:12 +10:00
block
Merge tag 'block-6.14-20250306' of git://git.kernel.dk/linux
2025-03-07 11:12:33 -10:00
certs
sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
2024-09-20 19:52:48 +03:00
crypto
treewide: const qualify ctl_tables where applicable
2025-01-28 13:48:37 +01:00
Documentation
Documentation/amdgpu: Add Ryzen AI 350 series processors
2025-04-11 16:59:54 -04:00
drivers
drm/amd/display: Fix slab-use-after-free in hdcp
2025-04-30 18:03:08 -04:00
fs
Merge tag 'mm-hotfixes-stable-2025-03-08-16-27' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2025-03-08 14:34:06 -10:00
include
drm/amdgpu: Add queue id support to the user queue wait IOCTL
2025-04-22 08:51:44 -04:00
init
Merge tag 'kbuild-v6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
2025-01-31 12:07:07 -08:00
io_uring
Merge tag 'io_uring-6.14-20250306' of git://git.kernel.dk/linux
2025-03-07 11:09:33 -10:00
ipc
treewide: const qualify ctl_tables where applicable
2025-01-28 13:48:37 +01:00
kernel
Merge tag 'sched-urgent-2025-03-07' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2025-03-07 10:58:54 -10:00
lib
Merge tag 'mm-hotfixes-stable-2025-03-08-16-27' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2025-03-08 14:34:06 -10:00
LICENSES
LICENSES: add 0BSD license text
2024-09-01 20:43:24 -07:00
mm
Backmerge tag 'v6.14-rc6' into drm-next
2025-03-12 09:43:12 +10:00
net
net: ipv6: fix missing dst ref drop in ila lwtunnel
2025-03-06 11:08:45 +01:00
rust
rust: firmware: add module_firmware! macro
2025-03-09 19:23:31 +01:00
samples
Merge tag 'driver-core-6.14-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
2025-02-16 12:54:42 -08:00
scripts
kbuild: install-extmod-build: Fix build when specifying KBUILD_OUTPUT
2025-03-06 20:32:30 +09:00
security
Merge tag 'landlock-6.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux
2025-02-26 11:55:44 -08:00
sound
Backmerge tag 'v6.14-rc6' into drm-next
2025-03-12 09:43:12 +10:00
tools
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
2025-03-09 09:04:08 -10:00
usr
kbuild: hdrcheck: fix cross build with clang
2025-03-05 04:06:45 +09:00
virt
KVM: remove kvm_arch_post_init_vm
2025-02-04 11:27:45 -05:00
.clang-format
clang-format: Update with v6.11-rc1's for_each macro list
2024-08-02 13:20:31 +02:00
.clippy.toml
rust: give Clippy the minimum supported Rust version
2025-01-10 00:17:25 +01:00
.cocciconfig
.editorconfig
.editorconfig: remove trim_trailing_whitespace option
2024-06-13 16:47:52 +02:00
.get_maintainer.ignore
MAINTAINERS: Retire Ralf Baechle
2024-11-12 15:48:59 +01:00
.gitattributes
.gitattributes: set diff driver for Rust source code files
2023-05-31 17:48:25 +02:00
.gitignore
rust: use host dylib naming convention to support macOS
2025-01-10 01:01:24 +01:00
.mailmap
Backmerge tag 'v6.14-rc6' into drm-next
2025-03-12 09:43:12 +10:00
.rustfmt.toml
rust: add .rustfmt.toml
2022-09-28 09:02:20 +02:00
COPYING
COPYING: state that all contributions really are covered by this file
2020-02-10 13:32:20 -08:00
CREDITS
Merge tag 'drm-misc-next-2025-02-12' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-next
2025-02-14 10:24:02 +10:00
Kbuild
drm: ensure drm headers are self-contained and pass kernel-doc
2025-02-12 10:44:43 +02:00
Kconfig
kbuild: ensure full rebuild when the compiler is updated
2020-05-12 13:28:33 +09:00
MAINTAINERS
Merge tag 'nova-next-6.15-2025-03-09' of gitlab.freedesktop.org:drm/nova into drm-next
2025-03-13 06:03:55 +10:00
Makefile
Linux 6.14-rc6
2025-03-09 13:45:25 -10:00
README
README: Fix spelling
2024-03-18 03:36:32 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.
Description
No description provided
Readme 3.4 GiB
Languages
C 97%
Assembly 1%
Shell 0.6%
Rust 0.5%
Python 0.4%
Other 0.3%