From 5cf4fbb6a92834e61704b5e6ba54a2247e9241f6 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 28 Sep 2025 10:27:22 -0400 Subject: [PATCH] Fixes for all trees 
Signed-off-by: Sasha Levin --- ...ix-null-dereference-in-hdmi-teardown.patch | 42 ++++++ queue-5.10/series | 1 + ...ix-null-dereference-in-hdmi-teardown.patch | 42 ++++++ queue-5.15/series | 1 + ...ix-null-dereference-in-hdmi-teardown.patch | 42 ++++++ queue-5.4/series | 1 + ...ix-null-dereference-in-hdmi-teardown.patch | 42 ++++++ ...ent-use-after-free-during-requeue-pi.patch | 88 +++++++++++ queue-6.1/series | 2 + ...ix-null-dereference-in-hdmi-teardown.patch | 42 ++++++ ...r-scheduler-entitiy-destruction-to-q.patch | 64 ++++++++ ...ent-use-after-free-during-requeue-pi.patch | 88 +++++++++++ ...laptop-fix-wmab-call-in-fan_mode_sto.patch | 141 ++++++++++++++++++ queue-6.12/series | 5 + ...rong-index-reference-in-smb2_compoun.patch | 41 +++++ ...display-remove-output_tf_change-flag.patch | 77 ++++++++++ ...ix-null-dereference-in-hdmi-teardown.patch | 42 ++++++ ...rd-reg_val-against-a-invalid_transco.patch | 47 ++++++ ...r-scheduler-entitiy-destruction-to-q.patch | 64 ++++++++ ...m-xe-fix-build-with-config_modules-n.patch | 52 +++++++ ...expose-sysfs-attributes-not-applicab.patch | 54 +++++++ ...ent-use-after-free-during-requeue-pi.patch | 89 +++++++++++ ...t-exit-on-failure-from-futex_hash_al.patch | 46 ++++++ ...memory-leak-of-gpio_regmap-structure.patch | 39 +++++ ...laptop-fix-wmab-call-in-fan_mode_sto.patch | 141 ++++++++++++++++++ queue-6.16/series | 11 ++ ...rong-index-reference-in-smb2_compoun.patch | 41 +++++ ...ix-null-dereference-in-hdmi-teardown.patch | 42 ++++++ ...ent-use-after-free-during-requeue-pi.patch | 88 +++++++++++ queue-6.6/series | 3 + ...rong-index-reference-in-smb2_compoun.patch | 41 +++++ 31 files changed, 1519 insertions(+) create mode 100644 queue-5.10/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch create mode 100644 queue-5.15/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch create mode 100644 queue-5.4/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch create mode 100644 
queue-6.1/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch create mode 100644 queue-6.1/futex-prevent-use-after-free-during-requeue-pi.patch create mode 100644 queue-6.12/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch create mode 100644 queue-6.12/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch create mode 100644 queue-6.12/futex-prevent-use-after-free-during-requeue-pi.patch create mode 100644 queue-6.12/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch create mode 100644 queue-6.12/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch create mode 100644 queue-6.16/drm-amd-display-remove-output_tf_change-flag.patch create mode 100644 queue-6.16/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch create mode 100644 queue-6.16/drm-i915-ddi-guard-reg_val-against-a-invalid_transco.patch create mode 100644 queue-6.16/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch create mode 100644 queue-6.16/drm-xe-fix-build-with-config_modules-n.patch create mode 100644 queue-6.16/drm-xe-vf-don-t-expose-sysfs-attributes-not-applicab.patch create mode 100644 queue-6.16/futex-prevent-use-after-free-during-requeue-pi.patch create mode 100644 queue-6.16/futex-use-correct-exit-on-failure-from-futex_hash_al.patch create mode 100644 queue-6.16/gpio-regmap-fix-memory-leak-of-gpio_regmap-structure.patch create mode 100644 queue-6.16/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch create mode 100644 queue-6.16/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch create mode 100644 queue-6.6/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch create mode 100644 queue-6.6/futex-prevent-use-after-free-during-requeue-pi.patch create mode 100644 queue-6.6/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch diff --git a/queue-5.10/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-5.10/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch new file mode 100644 index 0000000000..24f0d1db87 --- /dev/null 
+++ b/queue-5.10/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch @@ -0,0 +1,42 @@ +From 91c9cb968d9a5b6338f840aebe53a6b258b0c018 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 18:06:59 +0300 +Subject: drm/gma500: Fix null dereference in hdmi teardown + +From: Zabelin Nikita + +[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ] + +pci_set_drvdata sets the value of pdev->driver_data to NULL, +after which the driver_data obtained from the same dev is +dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is +extracted from it. To prevent this, swap these calls. + +Found by Linux Verification Center (linuxtesting.org) with Svacer. + +Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support") +Signed-off-by: Zabelin Nikita +Signed-off-by: Patrik Jakobsson +Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +index a097a59a9eaec..08e83b7513197 100644 +--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c ++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +@@ -724,8 +724,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev) + + if (hdmi_dev) { + pdev = hdmi_dev->dev; +- pci_set_drvdata(pdev, NULL); + oaktrail_hdmi_i2c_exit(pdev); ++ pci_set_drvdata(pdev, NULL); + iounmap(hdmi_dev->regs); + kfree(hdmi_dev); + pci_dev_put(pdev); +-- +2.51.0 + diff --git a/queue-5.10/series b/queue-5.10/series index 0cff4f05be..4b2297e23e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -105,3 +105,4 @@ nexthop-emit-a-notification-when-a-nexthop-is-added.patch nexthop-emit-a-notification-when-a-single-nexthop-is.patch nexthop-forbid-fdb-status-change-while-nexthop-is-in.patch selftests-fib_nexthops-fix-creation-of-non-fdb-nexth.patch +drm-gma500-fix-null-dereference-in-hdmi-teardown.patch 
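Review bot: The new ordering in oaktrail_hdmi_teardown() is only correct because oaktrail_hdmi_i2c_exit() reads the drvdata that pci_set_drvdata(pdev, NULL) clears, and nothing in the hunk records that dependency, so a later cleanup could swap the two calls back. A one-line comment above the exit call, `/* i2c_exit() fetches its state from pdev's drvdata; clear it only afterwards */`, would pin the order. The same applies to the identical backports queued for 5.15, 5.4, 6.1, 6.12 and 6.16. oaktrail_hdmi_teardown() begins before and ends after the hunk.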
diff --git a/queue-5.15/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-5.15/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch new file mode 100644 index 0000000000..bf923e452b --- /dev/null +++ b/queue-5.15/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch @@ -0,0 +1,42 @@ +From 7a1e440c772ae06fa55e17aa48eada5566a72d6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 18:06:59 +0300 +Subject: drm/gma500: Fix null dereference in hdmi teardown + +From: Zabelin Nikita + +[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ] + +pci_set_drvdata sets the value of pdev->driver_data to NULL, +after which the driver_data obtained from the same dev is +dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is +extracted from it. To prevent this, swap these calls. + +Found by Linux Verification Center (linuxtesting.org) with Svacer. + +Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support") +Signed-off-by: Zabelin Nikita +Signed-off-by: Patrik Jakobsson +Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +index a097a59a9eaec..08e83b7513197 100644 +--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c ++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +@@ -724,8 +724,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev) + + if (hdmi_dev) { + pdev = hdmi_dev->dev; +- pci_set_drvdata(pdev, NULL); + oaktrail_hdmi_i2c_exit(pdev); ++ pci_set_drvdata(pdev, NULL); + iounmap(hdmi_dev->regs); + kfree(hdmi_dev); + pci_dev_put(pdev); +-- +2.51.0 + diff --git a/queue-5.15/series b/queue-5.15/series index 1a8e7690c1..a29e74766f 100644 --- a/queue-5.15/series +++ b/queue-5.15/series 
@@ -132,3 +132,4 @@ selftests-fib_nexthops-fix-creation-of-non-fdb-nexth.patch net-dsa-lantiq_gswip-do-also-enable-or-disable-cpu-p.patch net-dsa-lantiq_gswip-move-gswip_add_single_port_br-c.patch net-dsa-lantiq_gswip-suppress-einval-errors-for-brid.patch +drm-gma500-fix-null-dereference-in-hdmi-teardown.patch diff --git a/queue-5.4/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-5.4/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch new file mode 100644 index 0000000000..fd8044e350 --- /dev/null +++ b/queue-5.4/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch 
@@ -0,0 +1,42 @@ +From 2f12e66e831603cb4944c8a2b94d07e82043a0b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 18:06:59 +0300 +Subject: drm/gma500: Fix null dereference in hdmi teardown + +From: Zabelin Nikita + +[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ] + +pci_set_drvdata sets the value of pdev->driver_data to NULL, +after which the driver_data obtained from the same dev is +dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is +extracted from it. To prevent this, swap these calls. + +Found by Linux Verification Center (linuxtesting.org) with Svacer. + +Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support") +Signed-off-by: Zabelin Nikita +Signed-off-by: Patrik Jakobsson +Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +index f4c520893ceb6..93a0a791b8c38 100644 +--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c ++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +@@ -741,8 +741,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev) + + if (hdmi_dev) { + pdev = hdmi_dev->dev; +- pci_set_drvdata(pdev, NULL); + oaktrail_hdmi_i2c_exit(pdev); ++ pci_set_drvdata(pdev, NULL); + iounmap(hdmi_dev->regs); + kfree(hdmi_dev); + pci_dev_put(pdev); +-- +2.51.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 6984ee48a9..10a79af3f4 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -66,3 +66,4 @@ can-hi311x-populate-ndo_change_mtu-to-prevent-buffer.patch can-sun4i_can-populate-ndo_change_mtu-to-prevent-buf.patch can-mcba_usb-populate-ndo_change_mtu-to-prevent-buff.patch can-peak_usb-fix-shift-out-of-bounds-issue.patch +drm-gma500-fix-null-dereference-in-hdmi-teardown.patch 
diff --git a/queue-6.1/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-6.1/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch new file mode 100644 index 0000000000..45e76d322b --- /dev/null +++ b/queue-6.1/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch @@ -0,0 +1,42 @@ +From 42232a4b46259a25df89da67582ae88f22240b70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 18:06:59 +0300 +Subject: drm/gma500: Fix null dereference in hdmi teardown + +From: Zabelin Nikita + +[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ] + +pci_set_drvdata sets the value of pdev->driver_data to NULL, +after which the driver_data obtained from the same dev is +dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is +extracted from it. To prevent this, swap these calls. + +Found by Linux Verification Center (linuxtesting.org) with Svacer. + +Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support") +Signed-off-by: Zabelin Nikita +Signed-off-by: Patrik Jakobsson +Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +index 95b7cb099e638..9c7d9584aac7f 100644 +--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c ++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +@@ -724,8 +724,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev) + + if (hdmi_dev) { + pdev = hdmi_dev->dev; +- pci_set_drvdata(pdev, NULL); + oaktrail_hdmi_i2c_exit(pdev); ++ pci_set_drvdata(pdev, NULL); + iounmap(hdmi_dev->regs); + kfree(hdmi_dev); + pci_dev_put(pdev); +-- +2.51.0 + diff --git a/queue-6.1/futex-prevent-use-after-free-during-requeue-pi.patch b/queue-6.1/futex-prevent-use-after-free-during-requeue-pi.patch new file mode 100644 index 0000000000..c7b1bc8098 --- /dev/null 
+++ b/queue-6.1/futex-prevent-use-after-free-during-requeue-pi.patch 
@@ -0,0 +1,88 @@ +From f91f67aacab71cd0bc29896f5e4c88c1ac9296d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 12:42:43 +0200 +Subject: futex: Prevent use-after-free during requeue-PI + +From: Sebastian Andrzej Siewior + +[ Upstream commit b549113738e8c751b613118032a724b772aa83f2 ] + +syzbot managed to trigger the following race: + + T1 T2 + + futex_wait_requeue_pi() + futex_do_wait() + schedule() + futex_requeue() + futex_proxy_trylock_atomic() + futex_requeue_pi_prepare() + requeue_pi_wake_futex() + futex_requeue_pi_complete() + /* preempt */ + + * timeout/ signal wakes T1 * + + futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED + futex_hash_put() + // back to userland, on stack futex_q is garbage + + /* back */ + wake_up_state(q->task, TASK_NORMAL); + +In this scenario futex_wait_requeue_pi() is able to leave without using +futex_q::lock_ptr for synchronization. + +This can be prevented by reading futex_q::task before updating the +futex_q::requeue_state. A reference on the task_struct is not needed +because requeue_pi_wake_futex() is invoked with a spinlock_t held which +implies a RCU read section. + +Even if T1 terminates immediately after, the task_struct will remain valid +during T2's wake_up_state(). A READ_ONCE on futex_q::task before +futex_requeue_pi_complete() is enough because it ensures that the variable +is read before the state is updated. + +Read futex_q::task before updating the requeue state, use it for the +following wakeup. 
+ +Fixes: 07d91ef510fb1 ("futex: Prevent requeue_pi() lock nesting issue on RT") +Reported-by: syzbot+034246a838a10d181e78@syzkaller.appspotmail.com +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Closes: https://lore.kernel.org/all/68b75989.050a0220.3db4df.01dd.GAE@google.com/ +Signed-off-by: Sasha Levin +--- + kernel/futex/requeue.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c +index cba8b1a6a4cc2..7e43839ca7b05 100644 +--- a/kernel/futex/requeue.c ++++ b/kernel/futex/requeue.c +@@ -223,18 +223,20 @@ static inline + void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key, + struct futex_hash_bucket *hb) + { +- q->key = *key; ++ struct task_struct *task; + ++ q->key = *key; + __futex_unqueue(q); + + WARN_ON(!q->rt_waiter); + q->rt_waiter = NULL; + + q->lock_ptr = &hb->lock; ++ task = READ_ONCE(q->task); + + /* Signal locked state to the waiter */ + futex_requeue_pi_complete(q, 1); +- wake_up_state(q->task, TASK_NORMAL); ++ wake_up_state(task, TASK_NORMAL); + } + + /** +-- +2.51.0 + diff --git a/queue-6.1/series b/queue-6.1/series index 8ed9aa9e7b..aa718e250c 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -41,3 +41,5 @@ net-dsa-lantiq_gswip-do-also-enable-or-disable-cpu-p.patch net-dsa-lantiq_gswip-move-gswip_add_single_port_br-c.patch net-dsa-lantiq_gswip-suppress-einval-errors-for-brid.patch octeontx2-pf-fix-potential-use-after-free-in-otx2_tc.patch +drm-gma500-fix-null-dereference-in-hdmi-teardown.patch +futex-prevent-use-after-free-during-requeue-pi.patch diff --git a/queue-6.12/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-6.12/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch new file mode 100644 index 0000000000..8844e55b01 --- /dev/null +++ b/queue-6.12/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch 
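Review bot: The new `task = READ_ONCE(q->task);` in requeue_pi_wake_futex() carries no comment explaining why the read must precede futex_requeue_pi_complete(), and the reasoning in the commit message (once the waiter observes the locked state it may return to userspace and the on-stack futex_q is gone) is exactly what the next reader of this function needs in the code. I would add above the read: `/* q may be gone once futex_requeue_pi_complete() publishes the state; read task first. */` followed by a second line noting that the task_struct remains valid because the caller holds hb->lock, a spinlock and therefore an implied RCU read section. Both facts come from the description rather than the visible lines, so they should be stated as the design assumption they are. The queue-6.12 copy of this patch has the same gap.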
@@ -0,0 +1,42 @@ +From cf345629545ad87432f871805380b6e5a5d381b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 18:06:59 +0300 +Subject: drm/gma500: Fix null dereference in hdmi teardown + +From: Zabelin Nikita + +[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ] + +pci_set_drvdata sets the value of pdev->driver_data to NULL, +after which the driver_data obtained from the same dev is +dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is +extracted from it. To prevent this, swap these calls. + +Found by Linux Verification Center (linuxtesting.org) with Svacer. + +Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support") +Signed-off-by: Zabelin Nikita +Signed-off-by: Patrik Jakobsson +Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +index ed8626c73541c..f0ae675581d9a 100644 +--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c ++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +@@ -726,8 +726,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev) + + if (hdmi_dev) { + pdev = hdmi_dev->dev; +- pci_set_drvdata(pdev, NULL); + oaktrail_hdmi_i2c_exit(pdev); ++ pci_set_drvdata(pdev, NULL); + iounmap(hdmi_dev->regs); + kfree(hdmi_dev); + pci_dev_put(pdev); +-- +2.51.0 + diff --git a/queue-6.12/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch b/queue-6.12/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch new file mode 100644 index 0000000000..8809fd1d98 --- /dev/null +++ b/queue-6.12/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch 
@@ -0,0 +1,64 @@ +From 19633001c002899dc8b2dcfe227f38f51f4f6838 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Sep 2025 17:43:48 +0100 +Subject: drm/panthor: Defer scheduler entitiy destruction to queue release +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Adrián Larumbe + +[ Upstream commit 7d9c3442b02ab7dd3c44e20095a178fd57d2eccb ] + +Commit de8548813824 ("drm/panthor: Add the scheduler logical block") +handled destruction of a group's queues' drm scheduler entities early +into the group destruction procedure. + +However, that races with the group submit ioctl, because by the time +entities are destroyed (through the group destroy ioctl), the submission +procedure might've already obtained a group handle, and therefore the +ability to push jobs into entities. This is met with a DRM error message +within the drm scheduler core as a situation that should never occur. + +Fix by deferring drm scheduler entity destruction to queue release time. 
+ +Fixes: de8548813824 ("drm/panthor: Add the scheduler logical block") +Signed-off-by: Adrián Larumbe +Reviewed-by: Steven Price +Reviewed-by: Boris Brezillon +Signed-off-by: Steven Price +Link: https://lore.kernel.org/r/20250919164436.531930-1-adrian.larumbe@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panthor/panthor_sched.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/panthor/panthor_sched.c b/drivers/gpu/drm/panthor/panthor_sched.c +index 20135a9bc026e..0bc5b69ec636b 100644 +--- a/drivers/gpu/drm/panthor/panthor_sched.c ++++ b/drivers/gpu/drm/panthor/panthor_sched.c +@@ -865,8 +865,7 @@ static void group_free_queue(struct panthor_group *group, struct panthor_queue * + if (IS_ERR_OR_NULL(queue)) + return; + +- if (queue->entity.fence_context) +- drm_sched_entity_destroy(&queue->entity); ++ drm_sched_entity_destroy(&queue->entity); + + if (queue->scheduler.ops) + drm_sched_fini(&queue->scheduler); +@@ -3458,11 +3457,6 @@ int panthor_group_destroy(struct panthor_file *pfile, u32 group_handle) + if (!group) + return -EINVAL; + +- for (u32 i = 0; i < group->queue_count; i++) { +- if (group->queues[i]) +- drm_sched_entity_destroy(&group->queues[i]->entity); +- } +- + mutex_lock(&sched->reset.lock); + mutex_lock(&sched->lock); + group->destroyed = true; +-- +2.51.0 + diff --git a/queue-6.12/futex-prevent-use-after-free-during-requeue-pi.patch b/queue-6.12/futex-prevent-use-after-free-during-requeue-pi.patch new file mode 100644 index 0000000000..2c3e8db98f --- /dev/null +++ b/queue-6.12/futex-prevent-use-after-free-during-requeue-pi.patch 
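Review bot: group_free_queue() now calls drm_sched_entity_destroy() unconditionally, while the `if (queue->scheduler.ops)` guard two lines below is kept, which implies this function can run on a partially initialised queue; if an error path reaches here before the entity was set up, the removed `fence_context` check was what protected it. Please confirm drm_sched_entity_destroy() tolerates a zeroed entity on that path (I believe the flush/kill helpers bail out on a NULL rq, but that is not visible in the hunk); if not, restore the guard as `if (queue->entity.rq)` or arrange the queue creation order so entity init always precedes any free. group_free_queue() begins before the hunk, and the same change is queued for 6.16.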
@@ -0,0 +1,88 @@ +From 71c2180c1f3f1a882e6db1095e26f6fc3186aba9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 12:42:43 +0200 +Subject: futex: Prevent use-after-free during requeue-PI + +From: Sebastian Andrzej Siewior + +[ Upstream commit b549113738e8c751b613118032a724b772aa83f2 ] + +syzbot managed to trigger the following race: + + T1 T2 + + futex_wait_requeue_pi() + futex_do_wait() + schedule() + futex_requeue() + futex_proxy_trylock_atomic() + futex_requeue_pi_prepare() + requeue_pi_wake_futex() + futex_requeue_pi_complete() + /* preempt */ + + * timeout/ signal wakes T1 * + + futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED + futex_hash_put() + // back to userland, on stack futex_q is garbage + + /* back */ + wake_up_state(q->task, TASK_NORMAL); + +In this scenario futex_wait_requeue_pi() is able to leave without using +futex_q::lock_ptr for synchronization. + +This can be prevented by reading futex_q::task before updating the +futex_q::requeue_state. A reference on the task_struct is not needed +because requeue_pi_wake_futex() is invoked with a spinlock_t held which +implies a RCU read section. + +Even if T1 terminates immediately after, the task_struct will remain valid +during T2's wake_up_state(). A READ_ONCE on futex_q::task before +futex_requeue_pi_complete() is enough because it ensures that the variable +is read before the state is updated. + +Read futex_q::task before updating the requeue state, use it for the +following wakeup. 
+ +Fixes: 07d91ef510fb1 ("futex: Prevent requeue_pi() lock nesting issue on RT") +Reported-by: syzbot+034246a838a10d181e78@syzkaller.appspotmail.com +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Closes: https://lore.kernel.org/all/68b75989.050a0220.3db4df.01dd.GAE@google.com/ +Signed-off-by: Sasha Levin +--- + kernel/futex/requeue.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c +index b47bb764b3520..559aae55792c6 100644 +--- a/kernel/futex/requeue.c ++++ b/kernel/futex/requeue.c +@@ -225,18 +225,20 @@ static inline + void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key, + struct futex_hash_bucket *hb) + { +- q->key = *key; ++ struct task_struct *task; + ++ q->key = *key; + __futex_unqueue(q); + + WARN_ON(!q->rt_waiter); + q->rt_waiter = NULL; + + q->lock_ptr = &hb->lock; ++ task = READ_ONCE(q->task); + + /* Signal locked state to the waiter */ + futex_requeue_pi_complete(q, 1); +- wake_up_state(q->task, TASK_NORMAL); ++ wake_up_state(task, TASK_NORMAL); + } + + /** +-- +2.51.0 + diff --git a/queue-6.12/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch b/queue-6.12/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch new file mode 100644 index 0000000000..9bffbea379 --- /dev/null +++ b/queue-6.12/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch 
@@ -0,0 +1,141 @@ +From 184f9321b4ffefff4e183ea4795c046ad2b5aa12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Sep 2025 14:17:17 -0400 +Subject: platform/x86: lg-laptop: Fix WMAB call in fan_mode_store() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Lee + +[ Upstream commit 3ed17349f18774c24505b0c21dfbd3cc4f126518 ] + +When WMAB is called to set the fan mode, the new mode is read from either +bits 0-1 or bits 4-5 (depending on the value of some other EC register). +Thus when WMAB is called with bits 4-5 zeroed and called again with +bits 0-1 zeroed, the second call undoes the effect of the first call. +This causes writes to /sys/devices/platform/lg-laptop/fan_mode to have +no effect (and causes reads to always report a status of zero). + +Fix this by calling WMAB once, with the mode set in bits 0,1 and 4,5. +When the fan mode is returned from WMAB it always has this form, so +there is no need to preserve the other bits. As a bonus, the driver +now supports the "Performance" fan mode seen in the LG-provided Windows +control app, which provides less aggressive CPU throttling but louder +fan noise and shorter battery life. + +Also, correct the documentation to reflect that 0 corresponds to the +default mode (what the Windows app calls "Optimal") and 1 corresponds +to the silent mode. 
+ +Fixes: dbf0c5a6b1f8 ("platform/x86: Add LG Gram laptop special features driver") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=204913#c4 +Signed-off-by: Daniel Lee +Link: https://patch.msgid.link/MN2PR06MB55989CB10E91C8DA00EE868DDC1CA@MN2PR06MB5598.namprd06.prod.outlook.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + .../admin-guide/laptops/lg-laptop.rst | 4 +-- + drivers/platform/x86/lg-laptop.c | 34 ++++++++----------- + 2 files changed, 16 insertions(+), 22 deletions(-) + +diff --git a/Documentation/admin-guide/laptops/lg-laptop.rst b/Documentation/admin-guide/laptops/lg-laptop.rst +index 67fd6932cef4f..c4dd534f91edd 100644 +--- a/Documentation/admin-guide/laptops/lg-laptop.rst ++++ b/Documentation/admin-guide/laptops/lg-laptop.rst +@@ -48,8 +48,8 @@ This value is reset to 100 when the kernel boots. + Fan mode + -------- + +-Writing 1/0 to /sys/devices/platform/lg-laptop/fan_mode disables/enables +-the fan silent mode. ++Writing 0/1/2 to /sys/devices/platform/lg-laptop/fan_mode sets fan mode to ++Optimal/Silent/Performance respectively. 
+ + + USB charge +diff --git a/drivers/platform/x86/lg-laptop.c b/drivers/platform/x86/lg-laptop.c +index 4b57102c7f627..6af6cf477c5b5 100644 +--- a/drivers/platform/x86/lg-laptop.c ++++ b/drivers/platform/x86/lg-laptop.c +@@ -8,6 +8,7 @@ + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + + #include ++#include + #include + #include + #include +@@ -75,6 +76,9 @@ MODULE_PARM_DESC(fw_debug, "Enable printing of firmware debug messages"); + #define WMBB_USB_CHARGE 0x10B + #define WMBB_BATT_LIMIT 0x10C + ++#define FAN_MODE_LOWER GENMASK(1, 0) ++#define FAN_MODE_UPPER GENMASK(5, 4) ++ + #define PLATFORM_NAME "lg-laptop" + + MODULE_ALIAS("wmi:" WMI_EVENT_GUID0); +@@ -274,29 +278,19 @@ static ssize_t fan_mode_store(struct device *dev, + struct device_attribute *attr, + const char *buffer, size_t count) + { +- bool value; ++ unsigned long value; + union acpi_object *r; +- u32 m; + int ret; + +- ret = kstrtobool(buffer, &value); ++ ret = kstrtoul(buffer, 10, &value); + if (ret) + return ret; ++ if (value >= 3) ++ return -EINVAL; + +- r = lg_wmab(dev, WM_FAN_MODE, WM_GET, 0); +- if (!r) +- return -EIO; +- +- if (r->type != ACPI_TYPE_INTEGER) { +- kfree(r); +- return -EIO; +- } +- +- m = r->integer.value; +- kfree(r); +- r = lg_wmab(dev, WM_FAN_MODE, WM_SET, (m & 0xffffff0f) | (value << 4)); +- kfree(r); +- r = lg_wmab(dev, WM_FAN_MODE, WM_SET, (m & 0xfffffff0) | value); ++ r = lg_wmab(dev, WM_FAN_MODE, WM_SET, ++ FIELD_PREP(FAN_MODE_LOWER, value) | ++ FIELD_PREP(FAN_MODE_UPPER, value)); + kfree(r); + + return count; +@@ -305,7 +299,7 @@ static ssize_t fan_mode_store(struct device *dev, + static ssize_t fan_mode_show(struct device *dev, + struct device_attribute *attr, char *buffer) + { +- unsigned int status; ++ unsigned int mode; + union acpi_object *r; + + r = lg_wmab(dev, WM_FAN_MODE, WM_GET, 0); +@@ -317,10 +311,10 @@ static ssize_t fan_mode_show(struct device *dev, + return -EIO; + } + +- status = r->integer.value & 0x01; ++ mode = FIELD_GET(FAN_MODE_LOWER, 
r->integer.value); + kfree(r); + +- return sysfs_emit(buffer, "%d\n", status); ++ return sysfs_emit(buffer, "%d\n", mode); + } + + static ssize_t usb_charge_store(struct device *dev, +-- +2.51.0 + diff --git a/queue-6.12/series b/queue-6.12/series index 02db66d5e9..7865289a16 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -58,3 +58,8 @@ octeontx2-pf-fix-potential-use-after-free-in-otx2_tc.patch mm-gup-local-lru_add_drain-to-avoid-lru_add_drain_al.patch mm-revert-mm-gup-clear-the-lru-flag-of-a-page-before.patch mm-folio_may_be_lru_cached-unless-folio_test_large.patch +drm-gma500-fix-null-dereference-in-hdmi-teardown.patch +futex-prevent-use-after-free-during-requeue-pi.patch +drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch +platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch +smb-client-fix-wrong-index-reference-in-smb2_compoun.patch diff --git a/queue-6.12/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch b/queue-6.12/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch new file mode 100644 index 0000000000..fd3fba5cc8 --- /dev/null +++ b/queue-6.12/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch 
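Review bot: fan_mode_store() still returns `count` even when lg_wmab() returns NULL, so a failed WMAB call is reported to userspace as a successful write; the rewritten call site is the place to add `if (!r) return -EIO;` before the `kfree(r);`. The range check `if (value >= 3)` hard-codes the width of the two-bit field that FAN_MODE_LOWER/FAN_MODE_UPPER now define; `if (value > FIELD_MAX(FAN_MODE_LOWER)) return -EINVAL;` ties the bound to the mask so the two cannot drift apart. The same patch is queued for 6.16.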
@@ -0,0 +1,41 @@ +From a868cfa5a1c8e69db8bdd9897340e552caba3cf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Sep 2025 17:16:45 +0900 +Subject: smb: client: fix wrong index reference in smb2_compound_op() + +From: Sang-Heon Jeon + +[ Upstream commit fbe2dc6a9c7318f7263f5e4d50f6272b931c5756 ] + +In smb2_compound_op(), the loop that processes each command's response +uses wrong indices when accessing response bufferes. + +This incorrect indexing leads to improper handling of command results. +Also, if incorrectly computed index is greather than or equal to +MAX_COMPOUND, it can cause out-of-bounds accesses. + +Fixes: 3681c74d342d ("smb: client: handle lack of EA support in smb2_query_path_info()") # 6.14 +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Sang-Heon Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c +index b51ccfb884394..104a563dc317f 100644 +--- a/fs/smb/client/smb2inode.c ++++ b/fs/smb/client/smb2inode.c +@@ -641,7 +641,7 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon, + + tmp_rc = rc; + for (i = 0; i < num_cmds; i++) { +- char *buf = rsp_iov[i + i].iov_base; ++ char *buf = rsp_iov[i + 1].iov_base; + + if (buf && resp_buftype[i + 1] != CIFS_NO_BUFFER) + rc = server->ops->map_error(buf, false); +-- +2.51.0 + diff --git a/queue-6.16/drm-amd-display-remove-output_tf_change-flag.patch b/queue-6.16/drm-amd-display-remove-output_tf_change-flag.patch new file mode 100644 index 0000000000..b80d1b89e3 --- /dev/null +++ b/queue-6.16/drm-amd-display-remove-output_tf_change-flag.patch 
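Review bot: The corrected index `rsp_iov[i + 1]` (matching `resp_buftype[i + 1]`) means the loop reads one slot past `num_cmds`, so the fix is only safe if the caller bounds num_cmds to at most MAX_COMPOUND - 1; that check is outside this hunk and should be confirmed rather than assumed. The +1 offset is what let the `i + i` typo hide, so I would document it at the loop head: `/* slot 0 holds the leading request's response; command i's response is rsp_iov[i + 1] */` (assuming slot 0 is the leading request, which the hunk does not show). smb2_compound_op() begins before and ends after the hunk; the identical fix is queued for 6.16 and 6.6.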
@@ -0,0 +1,77 @@ +From a80ea5f5f03a4ad4121ac60eefd7b9c9f4342b3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Sep 2025 18:51:05 -0300 +Subject: drm/amd/display: remove output_tf_change flag + +From: Melissa Wen + +[ Upstream commit 41b1f9fcba62b06195e625bb88c1031102892439 ] + +Remove this flag as the driver stopped managing it individually since +commit a4056c2a6344 ("drm/amd/display: use HW hdr mult for brightness +boost"). After some back and forth it was reintroduced as a condition to +`set_output_transfer_func()` in [1]. Without direct management, this +flag only changes value when all surface update flags are set true on +UPDATE_TYPE_FULL with no output TF status meaning. + +Fixes: bb622e0c0044 ("drm/amd/display: program output tf when required") [1] +Signed-off-by: Melissa Wen +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +(cherry picked from commit 752e6f283ec59ae007aa15a93d5a4b2eefa8cec9) +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dc.h | 1 - + drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c | 6 ++---- + drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c | 6 ++---- + 3 files changed, 4 insertions(+), 9 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dc.h b/drivers/gpu/drm/amd/display/dc/dc.h +index 7dfbfb18593c1..f037f2d83400b 100644 +--- a/drivers/gpu/drm/amd/display/dc/dc.h ++++ b/drivers/gpu/drm/amd/display/dc/dc.h +@@ -1292,7 +1292,6 @@ union surface_update_flags { + uint32_t in_transfer_func_change:1; + uint32_t input_csc_change:1; + uint32_t coeff_reduction_change:1; +- uint32_t output_tf_change:1; + uint32_t pixel_format_change:1; + uint32_t plane_size_change:1; + uint32_t gamut_remap_change:1; +diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c +index 454e362ff096a..c0127d8b5b396 100644 +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c ++++ 
b/drivers/gpu/drm/amd/display/dc/hwss/dcn20/dcn20_hwseq.c +@@ -1990,10 +1990,8 @@ static void dcn20_program_pipe( + * updating on slave planes + */ + if (pipe_ctx->update_flags.bits.enable || +- pipe_ctx->update_flags.bits.plane_changed || +- pipe_ctx->stream->update_flags.bits.out_tf || +- (pipe_ctx->plane_state && +- pipe_ctx->plane_state->update_flags.bits.output_tf_change)) ++ pipe_ctx->update_flags.bits.plane_changed || ++ pipe_ctx->stream->update_flags.bits.out_tf) + hws->funcs.set_output_transfer_func(dc, pipe_ctx, pipe_ctx->stream); + + /* If the pipe has been enabled or has a different opp, we +diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c +index c4177a9a662fa..c68d01f378602 100644 +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c +@@ -2289,10 +2289,8 @@ void dcn401_program_pipe( + * updating on slave planes + */ + if (pipe_ctx->update_flags.bits.enable || +- pipe_ctx->update_flags.bits.plane_changed || +- pipe_ctx->stream->update_flags.bits.out_tf || +- (pipe_ctx->plane_state && +- pipe_ctx->plane_state->update_flags.bits.output_tf_change)) ++ pipe_ctx->update_flags.bits.plane_changed || ++ pipe_ctx->stream->update_flags.bits.out_tf) + hws->funcs.set_output_transfer_func(dc, pipe_ctx, pipe_ctx->stream); + + /* If the pipe has been enabled or has a different opp, we +-- +2.51.0 + diff --git a/queue-6.16/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-6.16/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch new file mode 100644 index 0000000000..728c167acb --- /dev/null +++ b/queue-6.16/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch 
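Review bot: Dropping `output_tf_change:1` from the middle of `union surface_update_flags` shifts every following bitfield (`pixel_format_change`, `plane_size_change`, `gamut_remap_change`, …) down by one bit, which is only safe if nothing reads the union through a raw integer view with fixed masks; that cannot be checked from the hunk. If the union has such a raw member, a one-line comment at the removal site, or a reserved bit kept in its place, would keep the numeric layout stable. The two hwseq hunks are consistent with each other, and the remaining `out_tf` condition covers the stream-level path the removed plane-level flag duplicated, as the description states. dcn20_program_pipe and dcn401_program_pipe both continue outside their hunks.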
@@ -0,0 +1,42 @@ +From 75924c92cdf027ab521f179933aa59976d5e3c34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 18:06:59 +0300 +Subject: drm/gma500: Fix null dereference in hdmi teardown + +From: Zabelin Nikita + +[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ] + +pci_set_drvdata sets the value of pdev->driver_data to NULL, +after which the driver_data obtained from the same dev is +dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is +extracted from it. To prevent this, swap these calls. + +Found by Linux Verification Center (linuxtesting.org) with Svacer. + +Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support") +Signed-off-by: Zabelin Nikita +Signed-off-by: Patrik Jakobsson +Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +index 1cf3943691277..c0feca58511df 100644 +--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c ++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +@@ -726,8 +726,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev) + + if (hdmi_dev) { + pdev = hdmi_dev->dev; +- pci_set_drvdata(pdev, NULL); + oaktrail_hdmi_i2c_exit(pdev); ++ pci_set_drvdata(pdev, NULL); + iounmap(hdmi_dev->regs); + kfree(hdmi_dev); + pci_dev_put(pdev); +-- +2.51.0 + diff --git a/queue-6.16/drm-i915-ddi-guard-reg_val-against-a-invalid_transco.patch b/queue-6.16/drm-i915-ddi-guard-reg_val-against-a-invalid_transco.patch new file mode 100644 index 0000000000..037e211ff4 --- /dev/null +++ b/queue-6.16/drm-i915-ddi-guard-reg_val-against-a-invalid_transco.patch 
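Review bot: The ordering constraint this patch restores is not recorded in the code, so a later cleanup can swap `pci_set_drvdata(pdev, NULL)` and `oaktrail_hdmi_i2c_exit(pdev)` back. A comment on the i2c_exit line, `/* i2c_exit reads the drvdata, so clear it only afterwards */`, would guard against that regression. After `kfree(hdmi_dev)` the hunk does not show the pointer `hdmi_dev` was read from being reset, so a dangling pointer may survive teardown; that is outside the hunk and needs checking in the full function. The queue-6.6 copy of this patch has the same hunk.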
@@ -0,0 +1,47 @@ +From 34ec1a54b1103484c087a1467ea453779a836e47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Sep 2025 09:52:08 +0530 +Subject: drm/i915/ddi: Guard reg_val against a INVALID_TRANSCODER + +From: Suraj Kandpal + +[ Upstream commit 7f97a0a871d9532f2e1a5ee7d16d0e364215bcac ] + +Currently we check if the encoder is INVALID or -1 and throw a +WARN_ON but we still end up writing the temp value which will +overflow and corrupt the whole programmed value. + +--v2 +-Assign a bogus transcoder to master in case we get a INVALID +TRANSCODER [Jani] + +Fixes: 6671c367a9bea ("drm/i915/tgl: Select master transcoder for MST stream") +Signed-off-by: Suraj Kandpal +Reviewed-by: Jani Nikula +Link: https://lore.kernel.org/r/20250908042208.1011144-1-suraj.kandpal@intel.com +(cherry picked from commit c8e8e9ab14a6ea926641d161768e1e3ef286a853) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_ddi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_ddi.c b/drivers/gpu/drm/i915/display/intel_ddi.c +index d58f8fc373265..55b8bfcf364ae 100644 +--- a/drivers/gpu/drm/i915/display/intel_ddi.c ++++ b/drivers/gpu/drm/i915/display/intel_ddi.c +@@ -593,8 +593,9 @@ intel_ddi_transcoder_func_reg_val_get(struct intel_encoder *encoder, + enum transcoder master; + + master = crtc_state->mst_master_transcoder; +- drm_WARN_ON(display->drm, +- master == INVALID_TRANSCODER); ++ if (drm_WARN_ON(display->drm, ++ master == INVALID_TRANSCODER)) ++ master = TRANSCODER_A; + temp |= TRANS_DDI_MST_TRANSPORT_SELECT(master); + } + } else { +-- +2.51.0 + diff --git a/queue-6.16/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch b/queue-6.16/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch new file mode 100644 index 0000000000..d090c21de1 --- /dev/null +++ b/queue-6.16/drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch 
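Review bot: The fallback `master = TRANSCODER_A;` silently programs a possibly wrong MST master transcoder; the WARN records the inconsistency, but a reader cannot tell whether TRANSCODER_A is meaningful or only a placeholder that keeps `TRANS_DDI_MST_TRANSPORT_SELECT()` from shifting -1 into the field. A comment such as `/* bogus but in-range value: keep -1 from corrupting the field */` would make that explicit. intel_ddi_transcoder_func_reg_val_get starts and ends outside the hunk.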
@@ -0,0 +1,64 @@ +From 390f93d0562fb1a5fedf1928c86e7082dd0297cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Sep 2025 17:43:48 +0100 +Subject: drm/panthor: Defer scheduler entitiy destruction to queue release +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Adrián Larumbe + +[ Upstream commit 7d9c3442b02ab7dd3c44e20095a178fd57d2eccb ] + +Commit de8548813824 ("drm/panthor: Add the scheduler logical block") +handled destruction of a group's queues' drm scheduler entities early +into the group destruction procedure. + +However, that races with the group submit ioctl, because by the time +entities are destroyed (through the group destroy ioctl), the submission +procedure might've already obtained a group handle, and therefore the +ability to push jobs into entities. This is met with a DRM error message +within the drm scheduler core as a situation that should never occur. + +Fix by deferring drm scheduler entity destruction to queue release time. 
+ +Fixes: de8548813824 ("drm/panthor: Add the scheduler logical block") +Signed-off-by: Adrián Larumbe +Reviewed-by: Steven Price +Reviewed-by: Boris Brezillon +Signed-off-by: Steven Price +Link: https://lore.kernel.org/r/20250919164436.531930-1-adrian.larumbe@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panthor/panthor_sched.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/panthor/panthor_sched.c b/drivers/gpu/drm/panthor/panthor_sched.c +index 43ee57728de54..e927d80d6a2af 100644 +--- a/drivers/gpu/drm/panthor/panthor_sched.c ++++ b/drivers/gpu/drm/panthor/panthor_sched.c +@@ -886,8 +886,7 @@ static void group_free_queue(struct panthor_group *group, struct panthor_queue * + if (IS_ERR_OR_NULL(queue)) + return; + +- if (queue->entity.fence_context) +- drm_sched_entity_destroy(&queue->entity); ++ drm_sched_entity_destroy(&queue->entity); + + if (queue->scheduler.ops) + drm_sched_fini(&queue->scheduler); +@@ -3558,11 +3557,6 @@ int panthor_group_destroy(struct panthor_file *pfile, u32 group_handle) + if (!group) + return -EINVAL; + +- for (u32 i = 0; i < group->queue_count; i++) { +- if (group->queues[i]) +- drm_sched_entity_destroy(&group->queues[i]->entity); +- } +- + mutex_lock(&sched->reset.lock); + mutex_lock(&sched->lock); + group->destroyed = true; +-- +2.51.0 + diff --git a/queue-6.16/drm-xe-fix-build-with-config_modules-n.patch b/queue-6.16/drm-xe-fix-build-with-config_modules-n.patch new file mode 100644 index 0000000000..2b232f5a3e --- /dev/null +++ b/queue-6.16/drm-xe-fix-build-with-config_modules-n.patch 
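Review bot: `drm_sched_entity_destroy(&queue->entity)` is now called unconditionally in group_free_queue, where `queue->entity.fence_context` used to guard it; if group_free_queue can run on an error path before the entity was initialised, the destroy now operates on a zeroed entity. Whether drm_sched_entity_destroy tolerates that, or whether every caller reaches group_free_queue only after drm_sched_entity_init, is not visible in the hunk and should be confirmed. If the invariant is that the entity is always initialised by the time queues are freed, a one-line comment on the destroy line saying so would document why the guard was dropped. Both enclosing functions continue outside the hunks.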
@@ -0,0 +1,52 @@ +From 8812ffe47ffdcd19de216826ca21b9f73a421c1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Sep 2025 14:54:51 -0700 +Subject: drm/xe: Fix build with CONFIG_MODULES=n + +From: Lucas De Marchi + +[ Upstream commit b67e7422d229dead0dddaad7e7c05558f24d552f ] + +When building with CONFIG_MODULES=n, the __exit functions are dropped. +However our init functions may call them for error handling, so they are +not good candidates for the exit sections. + +Fix this error reported by 0day: + + ld.lld: error: relocation refers to a symbol in a discarded section: xe_configfs_exit + >>> defined in vmlinux.a(drivers/gpu/drm/xe/xe_configfs.o) + >>> referenced by xe_module.c + >>> drivers/gpu/drm/xe/xe_module.o:(init_funcs) in archive vmlinux.a + +This is the only exit function using __exit. Drop it to fix the build. + +Cc: Riana Tauro +Reported-by: kernel test robot +Closes: https://lore.kernel.org/oe-kbuild-all/202506092221.1FmUQmI8-lkp@intel.com/ +Fixes: 16280ded45fb ("drm/xe: Add configfs to enable survivability mode") +Reviewed-by: Balasubramani Vivekanandan +Link: https://lore.kernel.org/r/20250912-fix-nomodule-build-v1-1-d11b70a92516@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit d9b2623319fa20c2206754284291817488329648) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_configfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/xe_configfs.c b/drivers/gpu/drm/xe/xe_configfs.c +index 9a2b96b111ef5..2b591ed055612 100644 +--- a/drivers/gpu/drm/xe/xe_configfs.c ++++ b/drivers/gpu/drm/xe/xe_configfs.c +@@ -244,7 +244,7 @@ int __init xe_configfs_init(void) + return 0; + } + +-void __exit xe_configfs_exit(void) ++void xe_configfs_exit(void) + { + configfs_unregister_subsystem(&xe_configfs); + } +-- +2.51.0 + 
diff --git a/queue-6.16/drm-xe-vf-don-t-expose-sysfs-attributes-not-applicab.patch b/queue-6.16/drm-xe-vf-don-t-expose-sysfs-attributes-not-applicab.patch new file mode 100644 index 0000000000..fa50d1412c --- /dev/null +++ b/queue-6.16/drm-xe-vf-don-t-expose-sysfs-attributes-not-applicab.patch 
@@ -0,0 +1,54 @@ +From 94361615c92670fa595dfae130617b54c286d23b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Sep 2025 19:00:28 +0200 +Subject: drm/xe/vf: Don't expose sysfs attributes not applicable for VFs + +From: Michal Wajdeczko + +[ Upstream commit 500dad428e5b0de4c1bdfa893822a6e06ddad0b5 ] + +VFs can't read BMG_PCIE_CAP(0x138340) register nor access PCODE +(already guarded by the info.skip_pcode flag) so we shouldn't +expose attributes that require any of them to avoid errors like: + + [] xe 0000:03:00.1: [drm] Tile0: GT0: VF is trying to read an \ + inaccessible register 0x138340+0x0 + [] RIP: 0010:xe_gt_sriov_vf_read32+0x6c2/0x9a0 [xe] + [] Call Trace: + [] xe_mmio_read32+0x110/0x280 [xe] + [] auto_link_downgrade_capable_show+0x2e/0x70 [xe] + [] dev_attr_show+0x1a/0x70 + [] sysfs_kf_seq_show+0xaa/0x120 + [] kernfs_seq_show+0x41/0x60 + +Fixes: 0e414bf7ad01 ("drm/xe: Expose PCIe link downgrade attributes") +Fixes: cdc36b66cd41 ("drm/xe: Expose fan control and voltage regulator version") +Signed-off-by: Michal Wajdeczko +Cc: Lucas De Marchi +Cc: Lukasz Laguna +Reviewed-by: Raag Jadav +Reviewed-by: Lucas De Marchi +Link: https://lore.kernel.org/r/20250916170029.3313-2-michal.wajdeczko@intel.com +(cherry picked from commit a2d6223d224f333f705ed8495bf8bebfbc585c35) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/xe/xe_device_sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/xe/xe_device_sysfs.c b/drivers/gpu/drm/xe/xe_device_sysfs.c +index b9440f8c781e3..652da4d294c0b 100644 +--- a/drivers/gpu/drm/xe/xe_device_sysfs.c ++++ b/drivers/gpu/drm/xe/xe_device_sysfs.c +@@ -166,7 +166,7 @@ int xe_device_sysfs_init(struct xe_device *xe) + return ret; + } + +- if (xe->info.platform == XE_BATTLEMAGE) { ++ if (xe->info.platform == XE_BATTLEMAGE && !IS_SRIOV_VF(xe)) { + ret = sysfs_create_files(&dev->kobj, auto_link_downgrade_attrs); + if (ret) + return ret; +-- +2.51.0 + 
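Review bot: The VF guard is added only on the creation side visible here; the matching `sysfs_remove_files(&dev->kobj, auto_link_downgrade_attrs)` on the teardown path, outside the hunk, needs the same condition or creation and removal will disagree for VFs. Putting the predicate in one helper, e.g. `static bool xe_has_pcie_link_attrs(struct xe_device *xe)` (constructed name), and using it in both places keeps them in sync. The description also lists the fan-control/voltage-regulator attributes as fixed, but this hunk only touches the link-downgrade block, so that second set presumably relies on the existing skip_pcode check the description mentions. xe_device_sysfs_init continues outside the hunk.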
diff --git a/queue-6.16/futex-prevent-use-after-free-during-requeue-pi.patch b/queue-6.16/futex-prevent-use-after-free-during-requeue-pi.patch new file mode 100644 index 0000000000..726aa5f84c --- /dev/null +++ b/queue-6.16/futex-prevent-use-after-free-during-requeue-pi.patch 
@@ -0,0 +1,89 @@ +From 2c87b95bc7d75c9a308d7c4647c66afda9d4e853 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Sep 2025 12:42:43 +0200 +Subject: futex: Prevent use-after-free during requeue-PI + +From: Sebastian Andrzej Siewior + +[ Upstream commit b549113738e8c751b613118032a724b772aa83f2 ] + +syzbot managed to trigger the following race: + + T1 T2 + + futex_wait_requeue_pi() + futex_do_wait() + schedule() + futex_requeue() + futex_proxy_trylock_atomic() + futex_requeue_pi_prepare() + requeue_pi_wake_futex() + futex_requeue_pi_complete() + /* preempt */ + + * timeout/ signal wakes T1 * + + futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED + futex_hash_put() + // back to userland, on stack futex_q is garbage + + /* back */ + wake_up_state(q->task, TASK_NORMAL); + +In this scenario futex_wait_requeue_pi() is able to leave without using +futex_q::lock_ptr for synchronization. + +This can be prevented by reading futex_q::task before updating the +futex_q::requeue_state. A reference on the task_struct is not needed +because requeue_pi_wake_futex() is invoked with a spinlock_t held which +implies a RCU read section. + +Even if T1 terminates immediately after, the task_struct will remain valid +during T2's wake_up_state(). A READ_ONCE on futex_q::task before +futex_requeue_pi_complete() is enough because it ensures that the variable +is read before the state is updated. + +Read futex_q::task before updating the requeue state, use it for the +following wakeup. 
+ +Fixes: 07d91ef510fb1 ("futex: Prevent requeue_pi() lock nesting issue on RT") +Reported-by: syzbot+034246a838a10d181e78@syzkaller.appspotmail.com +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Closes: https://lore.kernel.org/all/68b75989.050a0220.3db4df.01dd.GAE@google.com/ +Signed-off-by: Sasha Levin +--- + kernel/futex/requeue.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c +index c716a66f86929..d818b4d47f1ba 100644 +--- a/kernel/futex/requeue.c ++++ b/kernel/futex/requeue.c +@@ -230,8 +230,9 @@ static inline + void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key, + struct futex_hash_bucket *hb) + { +- q->key = *key; ++ struct task_struct *task; + ++ q->key = *key; + __futex_unqueue(q); + + WARN_ON(!q->rt_waiter); +@@ -243,10 +244,11 @@ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key, + futex_hash_get(hb); + q->drop_hb_ref = true; + q->lock_ptr = &hb->lock; ++ task = READ_ONCE(q->task); + + /* Signal locked state to the waiter */ + futex_requeue_pi_complete(q, 1); +- wake_up_state(q->task, TASK_NORMAL); ++ wake_up_state(task, TASK_NORMAL); + } + + /** +-- +2.51.0 + diff --git a/queue-6.16/futex-use-correct-exit-on-failure-from-futex_hash_al.patch b/queue-6.16/futex-use-correct-exit-on-failure-from-futex_hash_al.patch new file mode 100644 index 0000000000..c4725d2449 --- /dev/null +++ b/queue-6.16/futex-use-correct-exit-on-failure-from-futex_hash_al.patch 
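Review bot: The reason `task = READ_ONCE(q->task);` must precede `futex_requeue_pi_complete(q, 1)` lives only in the commit message; the existing `/* Signal locked state to the waiter */` comment does not say that q may be gone once the state is published. Extending it to `/* Publish the locked state; the waiter may return to userspace and free q, so use the task pointer read above */` would also explain why no task reference is taken (the caller holds hb->lock, which the description says implies RCU protection). The queue-6.6 copy has the same two hunks without the futex_hash_get/drop_hb_ref lines. requeue_pi_wake_futex spans both hunks, and the lines between them are not shown.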
@@ -0,0 +1,46 @@ +From 7d512f9bcf2e974ea5e578e4eeae80851109d59d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 15:09:45 +0200 +Subject: futex: Use correct exit on failure from futex_hash_allocate_default() + +From: Sebastian Andrzej Siewior + +[ Upstream commit 4ec3c15462b9f44562f45723a92e2807746ba7d1 ] + +copy_process() uses the wrong error exit path from futex_hash_allocate_default(). +After exiting from futex_hash_allocate_default(), neither tasklist_lock +nor siglock has been acquired. The exit label bad_fork_core_free unlocks +both of these locks which is wrong. + +The next exit label, bad_fork_cancel_cgroup, is the correct exit. +sched_cgroup_fork() did not allocate any resources that need to freed. + +Use bad_fork_cancel_cgroup on error exit from futex_hash_allocate_default(). + +Fixes: 7c4f75a21f636 ("futex: Allow automatic allocation of process wide futex hash") +Reported-by: syzbot+80cb3cc5c14fad191a10@syzkaller.appspotmail.com +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Reviewed-by: Steven Rostedt (Google) +Closes: https://lore.kernel.org/all/68cb1cbd.050a0220.2ff435.0599.GAE@google.com +Signed-off-by: Sasha Levin +--- + kernel/fork.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/fork.c b/kernel/fork.c +index 1ee8eb11f38ba..0cbc174da76ac 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -2289,7 +2289,7 @@ __latent_entropy struct task_struct *copy_process( + if (need_futex_hash_allocate_default(clone_flags)) { + retval = futex_hash_allocate_default(); + if (retval) +- goto bad_fork_core_free; ++ goto bad_fork_cancel_cgroup; + /* + * If we fail beyond this point we don't free the allocated + * futex hash map. We assume that another thread will be created +-- +2.51.0 + diff --git a/queue-6.16/gpio-regmap-fix-memory-leak-of-gpio_regmap-structure.patch b/queue-6.16/gpio-regmap-fix-memory-leak-of-gpio_regmap-structure.patch new file mode 100644 index 0000000000..f6c461379f 
--- /dev/null +++ b/queue-6.16/gpio-regmap-fix-memory-leak-of-gpio_regmap-structure.patch @@ -0,0 +1,39 @@ +From b6ed2bc22892267cf1fb29615c310b902267c015 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Sep 2025 17:24:21 +0300 +Subject: gpio: regmap: fix memory leak of gpio_regmap structure + +From: Ioana Ciornei + +[ Upstream commit 3bd44edd6c55828fd4e11cb0efce5b7160bfa2de ] + +The gpio_regmap structure is leaked on the error path. Fix this by +jumping to the appropriate kfree instead of returning directly. + +Fixes: db305161880a ("gpio: regmap: Allow ngpio to be read from the property") +Signed-off-by: Ioana Ciornei +Suggested-by: Michael Walle +Reviewed-by: Michael Walle +Link: https://lore.kernel.org/r/20250922142427.3310221-7-ioana.ciornei@nxp.com +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-regmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-regmap.c b/drivers/gpio/gpio-regmap.c +index 87c4225784cfa..b3b84a404485e 100644 +--- a/drivers/gpio/gpio-regmap.c ++++ b/drivers/gpio/gpio-regmap.c +@@ -274,7 +274,7 @@ struct gpio_regmap *gpio_regmap_register(const struct gpio_regmap_config *config + if (!chip->ngpio) { + ret = gpiochip_get_ngpios(chip, chip->parent); + if (ret) +- return ERR_PTR(ret); ++ goto err_free_gpio; + } + + /* if not set, assume there is only one register */ +-- +2.51.0 + diff --git a/queue-6.16/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch b/queue-6.16/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch new file mode 100644 index 0000000000..652c6c286c --- /dev/null +++ b/queue-6.16/platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch 
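Review bot: The new `goto err_free_gpio` assumes the label returns `ERR_PTR(ret)` with the negative value from gpiochip_get_ngpios still in `ret`; the label itself is outside the hunk, so that should be confirmed, since a label that returns a fixed code or reuses a clobbered `ret` would turn the leak fix into a wrong error code. If the label block only does the kfree of the gpio_regmap structure and then `return ERR_PTR(ret);`, the change is complete. gpio_regmap_register starts and ends outside the hunk.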
@@ -0,0 +1,141 @@ +From df497b94ae5eff3e9fabeec0de9a6cb079691fb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Sep 2025 14:17:17 -0400 +Subject: platform/x86: lg-laptop: Fix WMAB call in fan_mode_store() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Lee + +[ Upstream commit 3ed17349f18774c24505b0c21dfbd3cc4f126518 ] + +When WMAB is called to set the fan mode, the new mode is read from either +bits 0-1 or bits 4-5 (depending on the value of some other EC register). +Thus when WMAB is called with bits 4-5 zeroed and called again with +bits 0-1 zeroed, the second call undoes the effect of the first call. +This causes writes to /sys/devices/platform/lg-laptop/fan_mode to have +no effect (and causes reads to always report a status of zero). + +Fix this by calling WMAB once, with the mode set in bits 0,1 and 4,5. +When the fan mode is returned from WMAB it always has this form, so +there is no need to preserve the other bits. As a bonus, the driver +now supports the "Performance" fan mode seen in the LG-provided Windows +control app, which provides less aggressive CPU throttling but louder +fan noise and shorter battery life. + +Also, correct the documentation to reflect that 0 corresponds to the +default mode (what the Windows app calls "Optimal") and 1 corresponds +to the silent mode. 
+ +Fixes: dbf0c5a6b1f8 ("platform/x86: Add LG Gram laptop special features driver") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=204913#c4 +Signed-off-by: Daniel Lee +Link: https://patch.msgid.link/MN2PR06MB55989CB10E91C8DA00EE868DDC1CA@MN2PR06MB5598.namprd06.prod.outlook.com +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + .../admin-guide/laptops/lg-laptop.rst | 4 +-- + drivers/platform/x86/lg-laptop.c | 34 ++++++++----------- + 2 files changed, 16 insertions(+), 22 deletions(-) + +diff --git a/Documentation/admin-guide/laptops/lg-laptop.rst b/Documentation/admin-guide/laptops/lg-laptop.rst +index 67fd6932cef4f..c4dd534f91edd 100644 +--- a/Documentation/admin-guide/laptops/lg-laptop.rst ++++ b/Documentation/admin-guide/laptops/lg-laptop.rst +@@ -48,8 +48,8 @@ This value is reset to 100 when the kernel boots. + Fan mode + -------- + +-Writing 1/0 to /sys/devices/platform/lg-laptop/fan_mode disables/enables +-the fan silent mode. ++Writing 0/1/2 to /sys/devices/platform/lg-laptop/fan_mode sets fan mode to ++Optimal/Silent/Performance respectively. 
+ + + USB charge +diff --git a/drivers/platform/x86/lg-laptop.c b/drivers/platform/x86/lg-laptop.c +index 4b57102c7f627..6af6cf477c5b5 100644 +--- a/drivers/platform/x86/lg-laptop.c ++++ b/drivers/platform/x86/lg-laptop.c +@@ -8,6 +8,7 @@ + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + + #include ++#include + #include + #include + #include +@@ -75,6 +76,9 @@ MODULE_PARM_DESC(fw_debug, "Enable printing of firmware debug messages"); + #define WMBB_USB_CHARGE 0x10B + #define WMBB_BATT_LIMIT 0x10C + ++#define FAN_MODE_LOWER GENMASK(1, 0) ++#define FAN_MODE_UPPER GENMASK(5, 4) ++ + #define PLATFORM_NAME "lg-laptop" + + MODULE_ALIAS("wmi:" WMI_EVENT_GUID0); +@@ -274,29 +278,19 @@ static ssize_t fan_mode_store(struct device *dev, + struct device_attribute *attr, + const char *buffer, size_t count) + { +- bool value; ++ unsigned long value; + union acpi_object *r; +- u32 m; + int ret; + +- ret = kstrtobool(buffer, &value); ++ ret = kstrtoul(buffer, 10, &value); + if (ret) + return ret; ++ if (value >= 3) ++ return -EINVAL; + +- r = lg_wmab(dev, WM_FAN_MODE, WM_GET, 0); +- if (!r) +- return -EIO; +- +- if (r->type != ACPI_TYPE_INTEGER) { +- kfree(r); +- return -EIO; +- } +- +- m = r->integer.value; +- kfree(r); +- r = lg_wmab(dev, WM_FAN_MODE, WM_SET, (m & 0xffffff0f) | (value << 4)); +- kfree(r); +- r = lg_wmab(dev, WM_FAN_MODE, WM_SET, (m & 0xfffffff0) | value); ++ r = lg_wmab(dev, WM_FAN_MODE, WM_SET, ++ FIELD_PREP(FAN_MODE_LOWER, value) | ++ FIELD_PREP(FAN_MODE_UPPER, value)); + kfree(r); + + return count; +@@ -305,7 +299,7 @@ static ssize_t fan_mode_store(struct device *dev, + static ssize_t fan_mode_show(struct device *dev, + struct device_attribute *attr, char *buffer) + { +- unsigned int status; ++ unsigned int mode; + union acpi_object *r; + + r = lg_wmab(dev, WM_FAN_MODE, WM_GET, 0); +@@ -317,10 +311,10 @@ static ssize_t fan_mode_show(struct device *dev, + return -EIO; + } + +- status = r->integer.value & 0x01; ++ mode = FIELD_GET(FAN_MODE_LOWER, 
r->integer.value); + kfree(r); + +- return sysfs_emit(buffer, "%d\n", status); ++ return sysfs_emit(buffer, "%d\n", mode); + } + + static ssize_t usb_charge_store(struct device *dev, +-- +2.51.0 + diff --git a/queue-6.16/series b/queue-6.16/series index 10be2596a9..7b1c74c97c 100644 --- a/queue-6.16/series +++ b/queue-6.16/series @@ -83,3 +83,14 @@ net-mlx5e-fix-missing-fec-rs-stats-for-rs_544_514_in.patch net-dsa-lantiq_gswip-move-gswip_add_single_port_br-c.patch net-dsa-lantiq_gswip-suppress-einval-errors-for-brid.patch octeontx2-pf-fix-potential-use-after-free-in-otx2_tc.patch +drm-gma500-fix-null-dereference-in-hdmi-teardown.patch +futex-prevent-use-after-free-during-requeue-pi.patch +gpio-regmap-fix-memory-leak-of-gpio_regmap-structure.patch +drm-xe-vf-don-t-expose-sysfs-attributes-not-applicab.patch +drm-xe-fix-build-with-config_modules-n.patch +drm-i915-ddi-guard-reg_val-against-a-invalid_transco.patch +drm-amd-display-remove-output_tf_change-flag.patch +futex-use-correct-exit-on-failure-from-futex_hash_al.patch +drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch +platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch +smb-client-fix-wrong-index-reference-in-smb2_compoun.patch diff --git a/queue-6.16/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch b/queue-6.16/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch new file mode 100644 index 0000000000..5d01382764 --- /dev/null +++ b/queue-6.16/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch 
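Review bot: `fan_mode_store` still discards the result of the WM_SET call — `r = lg_wmab(...); kfree(r); return count;` — so a NULL return from lg_wmab (failed firmware call) is reported to userspace as a successful write, while the neighbouring `fan_mode_show` treats the same NULL as -EIO. Inserting `if (!r) return -EIO;` between the lg_wmab call and `kfree(r)` makes the store path consistent with the show path. Separately, `fan_mode_show` now reports `FIELD_GET(FAN_MODE_LOWER, ...)`, i.e. 0–3, while the store rejects `value >= 3` and the updated documentation lists only 0/1/2; if firmware can report 3, the docs should say so. The queue-6.12 copy of this patch carries the same store path.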
@@ -0,0 +1,41 @@ +From 0ddfb3315b3eefd9df9de761f3c29b8c472fefdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Sep 2025 17:16:45 +0900 +Subject: smb: client: fix wrong index reference in smb2_compound_op() + +From: Sang-Heon Jeon + +[ Upstream commit fbe2dc6a9c7318f7263f5e4d50f6272b931c5756 ] + +In smb2_compound_op(), the loop that processes each command's response +uses wrong indices when accessing response bufferes. + +This incorrect indexing leads to improper handling of command results. +Also, if incorrectly computed index is greather than or equal to +MAX_COMPOUND, it can cause out-of-bounds accesses. + +Fixes: 3681c74d342d ("smb: client: handle lack of EA support in smb2_query_path_info()") # 6.14 +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Sang-Heon Jeon +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/smb/client/smb2inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c +index 86cad8ee8e6f3..ac3ce183bd59a 100644 +--- a/fs/smb/client/smb2inode.c ++++ b/fs/smb/client/smb2inode.c +@@ -687,7 +687,7 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon, + } + + for (i = 0; i < num_cmds; i++) { +- char *buf = rsp_iov[i + i].iov_base; ++ char *buf = rsp_iov[i + 1].iov_base; + + if (buf && resp_buftype[i + 1] != CIFS_NO_BUFFER) + rc = server->ops->map_error(buf, false); +-- +2.51.0 + diff --git a/queue-6.6/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch b/queue-6.6/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch new file mode 100644 index 0000000000..e6173b45ec --- /dev/null +++ b/queue-6.6/drm-gma500-fix-null-dereference-in-hdmi-teardown.patch 
@@ -0,0 +1,42 @@ +From 7547a79ccaaba43bc2643efdfaa885ae92e401ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Sep 2025 18:06:59 +0300 +Subject: drm/gma500: Fix null dereference in hdmi teardown + +From: Zabelin Nikita + +[ Upstream commit 352e66900cde63f3dadb142364d3c35170bbaaff ] + +pci_set_drvdata sets the value of pdev->driver_data to NULL, +after which the driver_data obtained from the same dev is +dereferenced in oaktrail_hdmi_i2c_exit, and the i2c_dev is +extracted from it. To prevent this, swap these calls. + +Found by Linux Verification Center (linuxtesting.org) with Svacer. + +Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support") +Signed-off-by: Zabelin Nikita +Signed-off-by: Patrik Jakobsson +Link: https://lore.kernel.org/r/20250918150703.2562604-1-n.zabelin@mt-integration.ru +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/oaktrail_hdmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/gma500/oaktrail_hdmi.c b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +index ed8626c73541c..f0ae675581d9a 100644 +--- a/drivers/gpu/drm/gma500/oaktrail_hdmi.c ++++ b/drivers/gpu/drm/gma500/oaktrail_hdmi.c +@@ -726,8 +726,8 @@ void oaktrail_hdmi_teardown(struct drm_device *dev) + + if (hdmi_dev) { + pdev = hdmi_dev->dev; +- pci_set_drvdata(pdev, NULL); + oaktrail_hdmi_i2c_exit(pdev); ++ pci_set_drvdata(pdev, NULL); + iounmap(hdmi_dev->regs); + kfree(hdmi_dev); + pci_dev_put(pdev); +-- +2.51.0 + diff --git a/queue-6.6/futex-prevent-use-after-free-during-requeue-pi.patch b/queue-6.6/futex-prevent-use-after-free-during-requeue-pi.patch new file mode 100644 index 0000000000..f401c47a74 --- /dev/null +++ b/queue-6.6/futex-prevent-use-after-free-during-requeue-pi.patch 
@@ -0,0 +1,88 @@
+From 359be6397a24e6e5d3953aa314a3b00e1a6eaadb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 10 Sep 2025 12:42:43 +0200
+Subject: futex: Prevent use-after-free during requeue-PI
+
+From: Sebastian Andrzej Siewior
+
+[ Upstream commit b549113738e8c751b613118032a724b772aa83f2 ]
+
+syzbot managed to trigger the following race:
+
+ T1 T2
+
+ futex_wait_requeue_pi()
+ futex_do_wait()
+ schedule()
+ futex_requeue()
+ futex_proxy_trylock_atomic()
+ futex_requeue_pi_prepare()
+ requeue_pi_wake_futex()
+ futex_requeue_pi_complete()
+ /* preempt */
+
+ * timeout/ signal wakes T1 *
+
+ futex_requeue_pi_wakeup_sync() // Q_REQUEUE_PI_LOCKED
+ futex_hash_put()
+ // back to userland, on stack futex_q is garbage
+
+ /* back */
+ wake_up_state(q->task, TASK_NORMAL);
+
+In this scenario futex_wait_requeue_pi() is able to leave without using
+futex_q::lock_ptr for synchronization.
+
+This can be prevented by reading futex_q::task before updating the
+futex_q::requeue_state. A reference on the task_struct is not needed
+because requeue_pi_wake_futex() is invoked with a spinlock_t held which
+implies a RCU read section.
+
+Even if T1 terminates immediately after, the task_struct will remain valid
+during T2's wake_up_state(). A READ_ONCE on futex_q::task before
+futex_requeue_pi_complete() is enough because it ensures that the variable
+is read before the state is updated.
+
+Read futex_q::task before updating the requeue state, use it for the
+following wakeup.
+
+Fixes: 07d91ef510fb1 ("futex: Prevent requeue_pi() lock nesting issue on RT")
+Reported-by: syzbot+034246a838a10d181e78@syzkaller.appspotmail.com
+Signed-off-by: Sebastian Andrzej Siewior
+Signed-off-by: Thomas Gleixner
+Closes: https://lore.kernel.org/all/68b75989.050a0220.3db4df.01dd.GAE@google.com/
+Signed-off-by: Sasha Levin
+---
+ kernel/futex/requeue.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c
+index cba8b1a6a4cc2..7e43839ca7b05 100644
+--- a/kernel/futex/requeue.c
++++ b/kernel/futex/requeue.c
+@@ -223,18 +223,20 @@ static inline
+ void requeue_pi_wake_futex(struct futex_q *q, union futex_key *key,
+ struct futex_hash_bucket *hb)
+ {
+- q->key = *key;
++ struct task_struct *task;
+ 
++ q->key = *key;
+ __futex_unqueue(q);
+ 
+ WARN_ON(!q->rt_waiter);
+ q->rt_waiter = NULL;
+ 
+ q->lock_ptr = &hb->lock;
++ task = READ_ONCE(q->task);
+ 
+ /* Signal locked state to the waiter */
+ futex_requeue_pi_complete(q, 1);
+- wake_up_state(q->task, TASK_NORMAL);
++ wake_up_state(task, TASK_NORMAL);
+ }
+ 
+ /**
+--
+2.51.0
+
diff --git a/queue-6.6/series b/queue-6.6/series
index 3c5bd4d613..eb7e72f8ab 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -49,3 +49,6 @@ net-dsa-lantiq_gswip-do-also-enable-or-disable-cpu-p.patch
 net-dsa-lantiq_gswip-move-gswip_add_single_port_br-c.patch
 net-dsa-lantiq_gswip-suppress-einval-errors-for-brid.patch
 octeontx2-pf-fix-potential-use-after-free-in-otx2_tc.patch
+drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
+futex-prevent-use-after-free-during-requeue-pi.patch
+smb-client-fix-wrong-index-reference-in-smb2_compoun.patch
diff --git a/queue-6.6/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch b/queue-6.6/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch
new file mode 100644
index 0000000000..f22fb97bd1
--- /dev/null
+++ b/queue-6.6/smb-client-fix-wrong-index-reference-in-smb2_compoun.patch
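Review bot: The new `task = READ_ONCE(q->task);` in requeue_pi_wake_futex() carries no comment, yet the reason it must sit before futex_requeue_pi_complete() is the entire fix: once the waiter observes the locked requeue state it can return to userspace and its on-stack futex_q, q->task included, is gone. The existing `/* Signal locked state to the waiter */` does not say that, so a later reader may take the local for a redundant temporary and fold it back into the wake_up_state() argument. I would widen the comment on the READ_ONCE line to something like `/* Read q->task now: after futex_requeue_pi_complete() the waiter may have left and q must not be touched */`, and add that the task pointer needs no reference because the caller holds the hash-bucket lock, which implies an RCU read section — both the lock-held and RCU claims come from the commit message rather than from the hunk. The hunk covers only the body of requeue_pi_wake_futex(); the caller's locking is outside it.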
@@ -0,0 +1,41 @@
+From 51253b642c778d5efe348ed89a3f5cc802faacdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 23 Sep 2025 17:16:45 +0900
+Subject: smb: client: fix wrong index reference in smb2_compound_op()
+
+From: Sang-Heon Jeon
+
+[ Upstream commit fbe2dc6a9c7318f7263f5e4d50f6272b931c5756 ]
+
+In smb2_compound_op(), the loop that processes each command's response
+uses wrong indices when accessing response bufferes.
+
+This incorrect indexing leads to improper handling of command results.
+Also, if incorrectly computed index is greather than or equal to
+MAX_COMPOUND, it can cause out-of-bounds accesses.
+
+Fixes: 3681c74d342d ("smb: client: handle lack of EA support in smb2_query_path_info()") # 6.14
+Reviewed-by: Paulo Alcantara (Red Hat)
+Signed-off-by: Sang-Heon Jeon
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/smb/client/smb2inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
+index 0cc80f472432a..79641d1ee8675 100644
+--- a/fs/smb/client/smb2inode.c
++++ b/fs/smb/client/smb2inode.c
+@@ -641,7 +641,7 @@ static int smb2_compound_op(const unsigned int xid, struct cifs_tcon *tcon,
+ 
+ tmp_rc = rc;
+ for (i = 0; i < num_cmds; i++) {
+- char *buf = rsp_iov[i + i].iov_base;
++ char *buf = rsp_iov[i + 1].iov_base;
+ 
+ if (buf && resp_buftype[i + 1] != CIFS_NO_BUFFER)
+ rc = server->ops->map_error(buf, false);
+--
+2.51.0
+
-- 
2.47.3