From: Greg Kroah-Hartman Date: Sun, 9 Nov 2025 03:37:17 +0000 (+0900) Subject: 6.12-stable patches X-Git-Tag: v6.12.58~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0350573a7aee115b7e4215c7a8595cad5f7c33f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch drm-amd-display-enable-mst-when-it-s-detected-but-yet-to-be-initialized.patch drm-amd-display-fix-null-deref-in-debugfs-odm_combine_segments.patch drm-amdgpu-smu-handle-s0ix-for-vangogh.patch drm-sched-fix-deadlock-in-drm_sched_entity_kill_jobs_cb.patch iommufd-don-t-overflow-during-division-for-dirty-tracking.patch lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch parisc-avoid-crash-due-to-unaligned-access-in-unwinder.patch rtc-rx8025-fix-incorrect-register-reference.patch scsi-ufs-core-add-a-quirk-to-suppress-link_startup_again.patch scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch scsi-ufs-ufs-pci-set-ufshcd_quirk_perform_link_startup_once-for-intel-adl.patch smb-client-fix-potential-uaf-in-smb2_close_cached_fid.patch smb-client-validate-change-notify-buffer-before-copy.patch virtio-net-fix-received-length-check-in-big-packets.patch x86-microcode-amd-add-more-known-models-to-entry-sign-checking.patch --- diff --git a/queue-6.12/bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch b/queue-6.12/bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch new file mode 100644 index 0000000000..4344bebc0d --- /dev/null +++ b/queue-6.12/bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch @@ -0,0 +1,60 @@ +From 8d59fba49362c65332395789fd82771f1028d87e Mon Sep 17 00:00:00 2001 +From: Ilia Gavrilov +Date: Mon, 20 Oct 2025 15:12:55 +0000 +Subject: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() + +From: Ilia Gavrilov + +commit 8d59fba49362c65332395789fd82771f1028d87e upstream. + +In the parse_adv_monitor_pattern() function, the value of +the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). +The size of the 'value' array in the mgmt_adv_pattern structure is 31. +If the value of 'pattern[i].length' is set in the user space +and exceeds 31, the 'patterns[i].value' array can be accessed +out of bound when copied. + +Increasing the size of the 'value' array in +the 'mgmt_adv_pattern' structure will break the userspace. +Considering this, and to avoid OOB access revert the limits for 'offset' +and 'length' back to the value of HCI_MAX_AD_LENGTH. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: db08722fc7d4 ("Bluetooth: hci_core: Fix missing instances using HCI_MAX_AD_LENGTH") +Cc: stable@vger.kernel.org +Signed-off-by: Ilia Gavrilov +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + include/net/bluetooth/mgmt.h | 2 +- + net/bluetooth/mgmt.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/include/net/bluetooth/mgmt.h ++++ b/include/net/bluetooth/mgmt.h +@@ -774,7 +774,7 @@ struct mgmt_adv_pattern { + __u8 ad_type; + __u8 offset; + __u8 length; +- __u8 value[31]; ++ __u8 value[HCI_MAX_AD_LENGTH]; + } __packed; + + #define MGMT_OP_ADD_ADV_PATTERNS_MONITOR 0x0052 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -5365,9 +5365,9 @@ static u8 parse_adv_monitor_pattern(stru + for (i = 0; i < pattern_count; i++) { + offset = patterns[i].offset; + length = patterns[i].length; +- if (offset >= HCI_MAX_EXT_AD_LENGTH || +- length > HCI_MAX_EXT_AD_LENGTH || +- (offset + length) > HCI_MAX_EXT_AD_LENGTH) ++ if (offset >= HCI_MAX_AD_LENGTH || ++ length > HCI_MAX_AD_LENGTH || ++ (offset + length) > HCI_MAX_AD_LENGTH) + return MGMT_STATUS_INVALID_PARAMS; + + p = kmalloc(sizeof(*p), GFP_KERNEL); diff --git a/queue-6.12/drm-amd-display-enable-mst-when-it-s-detected-but-yet-to-be-initialized.patch b/queue-6.12/drm-amd-display-enable-mst-when-it-s-detected-but-yet-to-be-initialized.patch new file mode 100644 index 0000000000..35281d64b4 --- /dev/null +++ b/queue-6.12/drm-amd-display-enable-mst-when-it-s-detected-but-yet-to-be-initialized.patch @@ -0,0 +1,63 @@ +From 3c6a743c6961cc2cab453b343bb157d6bbbf8120 Mon Sep 17 00:00:00 2001 +From: Wayne Lin +Date: Wed, 5 Nov 2025 10:36:31 +0800 +Subject: drm/amd/display: Enable mst when it's detected but yet to be initialized + +From: Wayne Lin + +commit 3c6a743c6961cc2cab453b343bb157d6bbbf8120 upstream. + +[Why] +drm_dp_mst_topology_queue_probe() is used under the assumption that +mst is already initialized. If we connect system with SST first +then switch to the mst branch during suspend, we will fail probing +topology by calling the wrong API since the mst manager is yet to +be initialized. + +[How] +At dm_resume(), once it's detected as mst branc connected, check if +the mst is initialized already. If not, call +dm_helpers_dp_mst_start_top_mgr() instead to initialize mst + +V2: Adjust the commit msg a bit + +Fixes: bc068194f548 ("drm/amd/display: Don't write DP_MSTM_CTRL after LT") +Cc: Fangzhi Zuo +Cc: Mario Limonciello +Cc: Alex Deucher +Reviewed-by: Tom Chung +Signed-off-by: Wayne Lin +Signed-off-by: Alex Deucher +(cherry picked from commit 62320fb8d91a0bddc44a228203cfa9bfbb5395bd) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -3424,6 +3424,7 @@ static int dm_resume(void *handle) + /* Do mst topology probing after resuming cached state*/ + drm_connector_list_iter_begin(ddev, &iter); + drm_for_each_connector_iter(connector, &iter) { ++ bool init = false; + + if (connector->connector_type == DRM_MODE_CONNECTOR_WRITEBACK) + continue; +@@ -3433,7 +3434,14 @@ static int dm_resume(void *handle) + aconnector->mst_root) + continue; + +- drm_dp_mst_topology_queue_probe(&aconnector->mst_mgr); ++ scoped_guard(mutex, &aconnector->mst_mgr.lock) { ++ init = !aconnector->mst_mgr.mst_primary; ++ } ++ if (init) ++ dm_helpers_dp_mst_start_top_mgr(aconnector->dc_link->ctx, ++ aconnector->dc_link, false); ++ else ++ drm_dp_mst_topology_queue_probe(&aconnector->mst_mgr); + } + drm_connector_list_iter_end(&iter); + diff --git a/queue-6.12/drm-amd-display-fix-null-deref-in-debugfs-odm_combine_segments.patch b/queue-6.12/drm-amd-display-fix-null-deref-in-debugfs-odm_combine_segments.patch new file mode 100644 index 0000000000..52d64a93a3 --- /dev/null +++ b/queue-6.12/drm-amd-display-fix-null-deref-in-debugfs-odm_combine_segments.patch @@ -0,0 +1,101 @@ +From 6dd97ceb645c08aca9fc871a3006e47fe699f0ac Mon Sep 17 00:00:00 2001 +From: Rong Zhang +Date: Tue, 14 Oct 2025 00:47:35 +0800 +Subject: drm/amd/display: Fix NULL deref in debugfs odm_combine_segments + +From: Rong Zhang + +commit 6dd97ceb645c08aca9fc871a3006e47fe699f0ac upstream. + +When a connector is connected but inactive (e.g., disabled by desktop +environments), pipe_ctx->stream_res.tg will be destroyed. Then, reading +odm_combine_segments causes kernel NULL pointer dereference. + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] SMP NOPTI + CPU: 16 UID: 0 PID: 26474 Comm: cat Not tainted 6.17.0+ #2 PREEMPT(lazy) e6a17af9ee6db7c63e9d90dbe5b28ccab67520c6 + Hardware name: LENOVO 21Q4/LNVNB161216, BIOS PXCN25WW 03/27/2025 + RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] + Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> + RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 + RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 + RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 + RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 + R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 + R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 + FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 + PKRU: 55555554 + Call Trace: + + seq_read_iter+0x125/0x490 + ? __alloc_frozen_pages_noprof+0x18f/0x350 + seq_read+0x12c/0x170 + full_proxy_read+0x51/0x80 + vfs_read+0xbc/0x390 + ? __handle_mm_fault+0xa46/0xef0 + ? do_syscall_64+0x71/0x900 + ksys_read+0x73/0xf0 + do_syscall_64+0x71/0x900 + ? count_memcg_events+0xc2/0x190 + ? handle_mm_fault+0x1d7/0x2d0 + ? do_user_addr_fault+0x21a/0x690 + ? exc_page_fault+0x7e/0x1a0 + entry_SYSCALL_64_after_hwframe+0x6c/0x74 + RIP: 0033:0x7f44d4031687 + Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00> + RSP: 002b:00007ffdb4b5f0b0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 + RAX: ffffffffffffffda RBX: 00007f44d3f9f740 RCX: 00007f44d4031687 + RDX: 0000000000040000 RSI: 00007f44d3f5e000 RDI: 0000000000000003 + RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000000 R11: 0000000000000202 R12: 00007f44d3f5e000 + R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000040000 + + Modules linked in: tls tcp_diag inet_diag xt_mark ccm snd_hrtimer snd_seq_dummy snd_seq_midi snd_seq_oss snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device x> + snd_hda_codec_atihdmi snd_hda_codec_realtek_lib lenovo_wmi_helpers think_lmi snd_hda_codec_generic snd_hda_codec_hdmi snd_soc_core kvm snd_compress uvcvideo sn> + platform_profile joydev amd_pmc mousedev mac_hid sch_fq_codel uinput i2c_dev parport_pc ppdev lp parport nvme_fabrics loop nfnetlink ip_tables x_tables dm_cryp> + CR2: 0000000000000000 + ---[ end trace 0000000000000000 ]--- + RIP: 0010:odm_combine_segments_show+0x93/0xf0 [amdgpu] + Code: 41 83 b8 b0 00 00 00 01 75 6e 48 98 ba a1 ff ff ff 48 c1 e0 0c 48 8d 8c 07 d8 02 00 00 48 85 c9 74 2d 48 8b bc 07 f0 08 00 00 <48> 8b 07 48 8b 80 08 02 00> + RSP: 0018:ffffd1bf4b953c58 EFLAGS: 00010286 + RAX: 0000000000005000 RBX: ffff8e35976b02d0 RCX: ffff8e3aeed052d8 + RDX: 00000000ffffffa1 RSI: ffff8e35a3120800 RDI: 0000000000000000 + RBP: 0000000000000000 R08: ffff8e3580eb0000 R09: ffff8e35976b02d0 + R10: ffffd1bf4b953c78 R11: 0000000000000000 R12: ffffd1bf4b953d08 + R13: 0000000000040000 R14: 0000000000000001 R15: 0000000000000001 + FS: 00007f44d3f9f740(0000) GS:ffff8e3caa47f000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000006485c2000 CR4: 0000000000f50ef0 + PKRU: 55555554 + +Fix this by checking pipe_ctx->stream_res.tg before dereferencing. + +Fixes: 07926ba8a44f ("drm/amd/display: Add debugfs interface for ODM combine info") +Signed-off-by: Rong Zhang +Reviewed-by: Mario Limoncello +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit f19bbecd34e3c15eed7e5e593db2ac0fc7a0e6d8) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c +@@ -1277,7 +1277,8 @@ static int odm_combine_segments_show(str + if (connector->status != connector_status_connected) + return -ENODEV; + +- if (pipe_ctx != NULL && pipe_ctx->stream_res.tg->funcs->get_odm_combine_segments) ++ if (pipe_ctx && pipe_ctx->stream_res.tg && ++ pipe_ctx->stream_res.tg->funcs->get_odm_combine_segments) + pipe_ctx->stream_res.tg->funcs->get_odm_combine_segments(pipe_ctx->stream_res.tg, &segments); + + seq_printf(m, "%d\n", segments); diff --git a/queue-6.12/drm-amdgpu-smu-handle-s0ix-for-vangogh.patch b/queue-6.12/drm-amdgpu-smu-handle-s0ix-for-vangogh.patch new file mode 100644 index 0000000000..5eef3fc05b --- /dev/null +++ b/queue-6.12/drm-amdgpu-smu-handle-s0ix-for-vangogh.patch @@ -0,0 +1,53 @@ +From 7c5609b72bfe57d8c601d9561e0d2551b605c017 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 24 Oct 2025 13:08:11 -0400 +Subject: drm/amdgpu/smu: Handle S0ix for vangogh + +From: Alex Deucher + +commit 7c5609b72bfe57d8c601d9561e0d2551b605c017 upstream. + +Fix the flows for S0ix. There is no need to stop +rlc or reintialize PMFW in S0ix. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4659 +Reviewed-by: Mario Limonciello +Reported-by: Antheas Kapenekakis +Tested-by: Antheas Kapenekakis +Signed-off-by: Alex Deucher +(cherry picked from commit fd39b5a5830d8f2553e0c09d4d50bdff28b10080) +Cc: # c81f5cebe849: drm/amdgpu: Drop PMFW RLC notifier from amdgpu_device_suspend() +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 ++++++ + drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 3 +++ + 2 files changed, 9 insertions(+) + +--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c +@@ -1942,6 +1942,12 @@ static int smu_disable_dpms(struct smu_c + smu->is_apu && (amdgpu_in_reset(adev) || adev->in_s0ix)) + return 0; + ++ /* vangogh s0ix */ ++ if ((amdgpu_ip_version(adev, MP1_HWIP, 0) == IP_VERSION(11, 5, 0) || ++ amdgpu_ip_version(adev, MP1_HWIP, 0) == IP_VERSION(11, 5, 2)) && ++ adev->in_s0ix) ++ return 0; ++ + /* + * For gpu reset, runpm and hibernation through BACO, + * BACO feature has to be kept enabled. +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c +@@ -2214,6 +2214,9 @@ static int vangogh_post_smu_init(struct + uint32_t total_cu = adev->gfx.config.max_cu_per_sh * + adev->gfx.config.max_sh_per_se * adev->gfx.config.max_shader_engines; + ++ if (adev->in_s0ix) ++ return 0; ++ + /* allow message will be sent after enable message on Vangogh*/ + if (smu_cmn_feature_is_enabled(smu, SMU_FEATURE_DPM_GFXCLK_BIT) && + (adev->pg_flags & AMD_PG_SUPPORT_GFX_PG)) { diff --git a/queue-6.12/drm-sched-fix-deadlock-in-drm_sched_entity_kill_jobs_cb.patch b/queue-6.12/drm-sched-fix-deadlock-in-drm_sched_entity_kill_jobs_cb.patch new file mode 100644 index 0000000000..a211712916 --- /dev/null +++ b/queue-6.12/drm-sched-fix-deadlock-in-drm_sched_entity_kill_jobs_cb.patch @@ -0,0 +1,119 @@ +From 487df8b698345dd5a91346335f05170ed5f29d4e Mon Sep 17 00:00:00 2001 +From: Pierre-Eric Pelloux-Prayer +Date: Tue, 4 Nov 2025 10:53:57 +0100 +Subject: drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Eric Pelloux-Prayer + +commit 487df8b698345dd5a91346335f05170ed5f29d4e upstream. + +The Mesa issue referenced below pointed out a possible deadlock: + +[ 1231.611031] Possible interrupt unsafe locking scenario: + +[ 1231.611033] CPU0 CPU1 +[ 1231.611034] ---- ---- +[ 1231.611035] lock(&xa->xa_lock#17); +[ 1231.611038] local_irq_disable(); +[ 1231.611039] lock(&fence->lock); +[ 1231.611041] lock(&xa->xa_lock#17); +[ 1231.611044] +[ 1231.611045] lock(&fence->lock); +[ 1231.611047] + *** DEADLOCK *** + +In this example, CPU0 would be any function accessing job->dependencies +through the xa_* functions that don't disable interrupts (eg: +drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()). + +CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling +callback so in an interrupt context. It will deadlock when trying to +grab the xa_lock which is already held by CPU0. + +Replacing all xa_* usage by their xa_*_irq counterparts would fix +this issue, but Christian pointed out another issue: dma_fence_signal +takes fence.lock and so does dma_fence_add_callback. + + dma_fence_signal() // locks f1.lock + -> drm_sched_entity_kill_jobs_cb() + -> foreach dependencies + -> dma_fence_add_callback() // locks f2.lock + +This will deadlock if f1 and f2 share the same spinlock. + +To fix both issues, the code iterating on dependencies and re-arming them +is moved out to drm_sched_entity_kill_jobs_work(). + +Cc: stable@vger.kernel.org # v6.2+ +Fixes: 2fdb8a8f07c2 ("drm/scheduler: rework entity flush, kill and fini") +Link: https://gitlab.freedesktop.org/mesa/mesa/-/issues/13908 +Reported-by: Mikhail Gavrilov +Suggested-by: Christian König +Reviewed-by: Christian König +Signed-off-by: Pierre-Eric Pelloux-Prayer +[phasta: commit message nits] +Signed-off-by: Philipp Stanner +Link: https://patch.msgid.link/20251104095358.15092-1-pierre-eric.pelloux-prayer@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/scheduler/sched_entity.c | 34 +++++++++++++++++-------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -186,26 +186,15 @@ int drm_sched_entity_error(struct drm_sc + } + EXPORT_SYMBOL(drm_sched_entity_error); + ++static void drm_sched_entity_kill_jobs_cb(struct dma_fence *f, ++ struct dma_fence_cb *cb); ++ + static void drm_sched_entity_kill_jobs_work(struct work_struct *wrk) + { + struct drm_sched_job *job = container_of(wrk, typeof(*job), work); +- +- drm_sched_fence_scheduled(job->s_fence, NULL); +- drm_sched_fence_finished(job->s_fence, -ESRCH); +- WARN_ON(job->s_fence->parent); +- job->sched->ops->free_job(job); +-} +- +-/* Signal the scheduler finished fence when the entity in question is killed. */ +-static void drm_sched_entity_kill_jobs_cb(struct dma_fence *f, +- struct dma_fence_cb *cb) +-{ +- struct drm_sched_job *job = container_of(cb, struct drm_sched_job, +- finish_cb); ++ struct dma_fence *f; + unsigned long index; + +- dma_fence_put(f); +- + /* Wait for all dependencies to avoid data corruptions */ + xa_for_each(&job->dependencies, index, f) { + struct drm_sched_fence *s_fence = to_drm_sched_fence(f); +@@ -233,6 +222,21 @@ static void drm_sched_entity_kill_jobs_c + dma_fence_put(f); + } + ++ drm_sched_fence_scheduled(job->s_fence, NULL); ++ drm_sched_fence_finished(job->s_fence, -ESRCH); ++ WARN_ON(job->s_fence->parent); ++ job->sched->ops->free_job(job); ++} ++ ++/* Signal the scheduler finished fence when the entity in question is killed. */ ++static void drm_sched_entity_kill_jobs_cb(struct dma_fence *f, ++ struct dma_fence_cb *cb) ++{ ++ struct drm_sched_job *job = container_of(cb, struct drm_sched_job, ++ finish_cb); ++ ++ dma_fence_put(f); ++ + INIT_WORK(&job->work, drm_sched_entity_kill_jobs_work); + schedule_work(&job->work); + } diff --git a/queue-6.12/iommufd-don-t-overflow-during-division-for-dirty-tracking.patch b/queue-6.12/iommufd-don-t-overflow-during-division-for-dirty-tracking.patch new file mode 100644 index 0000000000..e6364c1009 --- /dev/null +++ b/queue-6.12/iommufd-don-t-overflow-during-division-for-dirty-tracking.patch @@ -0,0 +1,43 @@ +From cb30dfa75d55eced379a42fd67bd5fb7ec38555e Mon Sep 17 00:00:00 2001 +From: Jason Gunthorpe +Date: Wed, 8 Oct 2025 15:17:18 -0300 +Subject: iommufd: Don't overflow during division for dirty tracking + +From: Jason Gunthorpe + +commit cb30dfa75d55eced379a42fd67bd5fb7ec38555e upstream. + +If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow +to 0 and this triggers divide by 0. + +In this case the index should just be 0, so reorganize things to divide +by shift and avoid hitting any overflows. + +Link: https://patch.msgid.link/r/0-v1-663679b57226+172-iommufd_dirty_div0_jgg@nvidia.com +Cc: stable@vger.kernel.org +Fixes: 58ccf0190d19 ("vfio: Add an IOVA bitmap support") +Reviewed-by: Joao Martins +Reviewed-by: Nicolin Chen +Reviewed-by: Kevin Tian +Reported-by: syzbot+093a8a8b859472e6c257@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=093a8a8b859472e6c257 +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/iommufd/iova_bitmap.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/iommufd/iova_bitmap.c ++++ b/drivers/iommu/iommufd/iova_bitmap.c +@@ -130,9 +130,8 @@ struct iova_bitmap { + static unsigned long iova_bitmap_offset_to_index(struct iova_bitmap *bitmap, + unsigned long iova) + { +- unsigned long pgsize = 1UL << bitmap->mapped.pgshift; +- +- return iova / (BITS_PER_TYPE(*bitmap->bitmap) * pgsize); ++ return (iova >> bitmap->mapped.pgshift) / ++ BITS_PER_TYPE(*bitmap->bitmap); + } + + /* diff --git a/queue-6.12/lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch b/queue-6.12/lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch new file mode 100644 index 0000000000..8d97b85dee --- /dev/null +++ b/queue-6.12/lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch @@ -0,0 +1,37 @@ +From 2b81082ad37cc3f28355fb73a6a69b91ff7dbf20 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 3 Nov 2025 12:11:24 -0700 +Subject: lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC + +From: Nathan Chancellor + +commit 2b81082ad37cc3f28355fb73a6a69b91ff7dbf20 upstream. + +Commit 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with +clang-17 and older") inadvertently disabled KASAN in curve25519-hacl64.o +for GCC unconditionally because clang-min-version will always evaluate +to nothing for GCC. Add a check for CONFIG_CC_IS_CLANG to avoid applying +the workaround for GCC, which is only needed for clang-17 and older. + +Cc: stable@vger.kernel.org +Fixes: 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") +Signed-off-by: Nathan Chancellor +Acked-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20251103-curve25519-hacl64-fix-kasan-workaround-v2-1-ab581cbd8035@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + lib/crypto/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/crypto/Makefile ++++ b/lib/crypto/Makefile +@@ -34,7 +34,7 @@ libcurve25519-generic-y := curve25519 + libcurve25519-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := curve25519-hacl64.o + libcurve25519-generic-y += curve25519-generic.o + # clang versions prior to 18 may blow out the stack with KASAN +-ifeq ($(call clang-min-version, 180000),) ++ifeq ($(CONFIG_CC_IS_CLANG)_$(call clang-min-version, 180000),y_) + KASAN_SANITIZE_curve25519-hacl64.o := n + endif + diff --git a/queue-6.12/parisc-avoid-crash-due-to-unaligned-access-in-unwinder.patch b/queue-6.12/parisc-avoid-crash-due-to-unaligned-access-in-unwinder.patch new file mode 100644 index 0000000000..887c009b92 --- /dev/null +++ b/queue-6.12/parisc-avoid-crash-due-to-unaligned-access-in-unwinder.patch @@ -0,0 +1,94 @@ +From fd9f30d1038ee1624baa17a6ff11effe5f7617cb Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Mon, 3 Nov 2025 22:38:26 +0100 +Subject: parisc: Avoid crash due to unaligned access in unwinder + +From: Helge Deller + +commit fd9f30d1038ee1624baa17a6ff11effe5f7617cb upstream. + +Guenter Roeck reported this kernel crash on his emulated B160L machine: + +Starting network: udhcpc: started, v1.36.1 + Backtrace: + [<104320d4>] unwind_once+0x1c/0x5c + [<10434a00>] walk_stackframe.isra.0+0x74/0xb8 + [<10434a6c>] arch_stack_walk+0x28/0x38 + [<104e5efc>] stack_trace_save+0x48/0x5c + [<105d1bdc>] set_track_prepare+0x44/0x6c + [<105d9c80>] ___slab_alloc+0xfc4/0x1024 + [<105d9d38>] __slab_alloc.isra.0+0x58/0x90 + [<105dc80c>] kmem_cache_alloc_noprof+0x2ac/0x4a0 + [<105b8e54>] __anon_vma_prepare+0x60/0x280 + [<105a823c>] __vmf_anon_prepare+0x68/0x94 + [<105a8b34>] do_wp_page+0x8cc/0xf10 + [<105aad88>] handle_mm_fault+0x6c0/0xf08 + [<10425568>] do_page_fault+0x110/0x440 + [<10427938>] handle_interruption+0x184/0x748 + [<11178398>] schedule+0x4c/0x190 + BUG: spinlock recursion on CPU#0, ifconfig/2420 + lock: terminate_lock.2+0x0/0x1c, .magic: dead4ead, .owner: ifconfig/2420, .owner_cpu: 0 + +While creating the stack trace, the unwinder uses the stack pointer to guess +the previous frame to read the previous stack pointer from memory. The crash +happens, because the unwinder tries to read from unaligned memory and as such +triggers the unalignment trap handler which then leads to the spinlock +recursion and finally to a deadlock. + +Fix it by checking the alignment before accessing the memory. + +Reported-by: Guenter Roeck +Signed-off-by: Helge Deller +Tested-by: Guenter Roeck +Cc: stable@vger.kernel.org # v6.12+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/unwind.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/arch/parisc/kernel/unwind.c b/arch/parisc/kernel/unwind.c +index f7e0fee5ee55..7ac88ff13d3c 100644 +--- a/arch/parisc/kernel/unwind.c ++++ b/arch/parisc/kernel/unwind.c +@@ -35,6 +35,8 @@ + + #define KERNEL_START (KERNEL_BINARY_TEXT_START) + ++#define ALIGNMENT_OK(ptr, type) (((ptr) & (sizeof(type) - 1)) == 0) ++ + extern struct unwind_table_entry __start___unwind[]; + extern struct unwind_table_entry __stop___unwind[]; + +@@ -257,12 +259,15 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int + if (pc_is_kernel_fn(pc, _switch_to) || + pc == (unsigned long)&_switch_to_ret) { + info->prev_sp = info->sp - CALLEE_SAVE_FRAME_SIZE; +- info->prev_ip = *(unsigned long *)(info->prev_sp - RP_OFFSET); ++ if (ALIGNMENT_OK(info->prev_sp, long)) ++ info->prev_ip = *(unsigned long *)(info->prev_sp - RP_OFFSET); ++ else ++ info->prev_ip = info->prev_sp = 0; + return 1; + } + + #ifdef CONFIG_IRQSTACKS +- if (pc == (unsigned long)&_call_on_stack) { ++ if (pc == (unsigned long)&_call_on_stack && ALIGNMENT_OK(info->sp, long)) { + info->prev_sp = *(unsigned long *)(info->sp - FRAME_SIZE - REG_SZ); + info->prev_ip = *(unsigned long *)(info->sp - FRAME_SIZE - RP_OFFSET); + return 1; +@@ -370,8 +375,10 @@ static void unwind_frame_regs(struct unwind_frame_info *info) + info->prev_sp = info->sp - frame_size; + if (e->Millicode) + info->rp = info->r31; +- else if (rpoffset) ++ else if (rpoffset && ALIGNMENT_OK(info->prev_sp, long)) + info->rp = *(unsigned long *)(info->prev_sp - rpoffset); ++ else ++ info->rp = 0; + info->prev_ip = info->rp; + info->rp = 0; + } +-- +2.51.2 + diff --git a/queue-6.12/rtc-rx8025-fix-incorrect-register-reference.patch b/queue-6.12/rtc-rx8025-fix-incorrect-register-reference.patch new file mode 100644 index 0000000000..f42165f86f --- /dev/null +++ b/queue-6.12/rtc-rx8025-fix-incorrect-register-reference.patch @@ -0,0 +1,33 @@ +From 162f24cbb0f6ec596e7e9f3e91610d79dc805229 Mon Sep 17 00:00:00 2001 +From: Yuta Hayama +Date: Wed, 15 Oct 2025 12:07:05 +0900 +Subject: rtc: rx8025: fix incorrect register reference + +From: Yuta Hayama + +commit 162f24cbb0f6ec596e7e9f3e91610d79dc805229 upstream. + +This code is intended to operate on the CTRL1 register, but ctrl[1] is +actually CTRL2. Correctly, ctrl[0] is CTRL1. + +Signed-off-by: Yuta Hayama +Fixes: 71af91565052 ("rtc: rx8025: fix 12/24 hour mode detection on RX-8035") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/eae5f479-5d28-4a37-859d-d54794e7628c@lineo.co.jp +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-rx8025.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-rx8025.c ++++ b/drivers/rtc/rtc-rx8025.c +@@ -316,7 +316,7 @@ static int rx8025_init_client(struct i2c + return hour_reg; + rx8025->is_24 = (hour_reg & RX8035_BIT_HOUR_1224); + } else { +- rx8025->is_24 = (ctrl[1] & RX8025_BIT_CTRL1_1224); ++ rx8025->is_24 = (ctrl[0] & RX8025_BIT_CTRL1_1224); + } + out: + return err; diff --git a/queue-6.12/scsi-ufs-core-add-a-quirk-to-suppress-link_startup_again.patch b/queue-6.12/scsi-ufs-core-add-a-quirk-to-suppress-link_startup_again.patch new file mode 100644 index 0000000000..8570c73c38 --- /dev/null +++ b/queue-6.12/scsi-ufs-core-add-a-quirk-to-suppress-link_startup_again.patch @@ -0,0 +1,60 @@ +From d34caa89a132cd69efc48361d4772251546fdb88 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Fri, 24 Oct 2025 11:59:16 +0300 +Subject: scsi: ufs: core: Add a quirk to suppress link_startup_again + +From: Adrian Hunter + +commit d34caa89a132cd69efc48361d4772251546fdb88 upstream. + +ufshcd_link_startup() has a facility (link_startup_again) to issue +DME_LINKSTARTUP a 2nd time even though the 1st time was successful. + +Some older hardware benefits from that, however the behaviour is +non-standard, and has been found to cause link startup to be unreliable +for some Intel Alder Lake based host controllers. + +Add UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE to suppress +link_startup_again, in preparation for setting the quirk for affected +controllers. + +Fixes: 7dc9fb47bc9a ("scsi: ufs: ufs-pci: Add support for Intel ADL") +Cc: stable@vger.kernel.org +Signed-off-by: Adrian Hunter +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20251024085918.31825-3-adrian.hunter@intel.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/core/ufshcd.c | 3 ++- + include/ufs/ufshcd.h | 7 +++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/ufs/core/ufshcd.c ++++ b/drivers/ufs/core/ufshcd.c +@@ -5028,7 +5028,8 @@ static int ufshcd_link_startup(struct uf + * If UFS device isn't active then we will have to issue link startup + * 2 times to make sure the device state move to active. + */ +- if (!ufshcd_is_ufs_dev_active(hba)) ++ if (!(hba->quirks & UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE) && ++ !ufshcd_is_ufs_dev_active(hba)) + link_startup_again = true; + + link_startup: +--- a/include/ufs/ufshcd.h ++++ b/include/ufs/ufshcd.h +@@ -687,6 +687,13 @@ enum ufshcd_quirks { + * single doorbell mode. + */ + UFSHCD_QUIRK_BROKEN_LSDBS_CAP = 1 << 25, ++ ++ /* ++ * This quirk indicates that DME_LINKSTARTUP should not be issued a 2nd ++ * time (refer link_startup_again) after the 1st time was successful, ++ * because it causes link startup to become unreliable. ++ */ ++ UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE = 1 << 26, + }; + + enum ufshcd_caps { diff --git a/queue-6.12/scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch b/queue-6.12/scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch new file mode 100644 index 0000000000..a00f103985 --- /dev/null +++ b/queue-6.12/scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch @@ -0,0 +1,138 @@ +From bb44826c3bdbf1fa3957008a04908f45e5666463 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Fri, 24 Oct 2025 11:59:15 +0300 +Subject: scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers + +From: Adrian Hunter + +commit bb44826c3bdbf1fa3957008a04908f45e5666463 upstream. + +Intel platforms with UFS, can support Suspend-to-Idle (S0ix) and +Suspend-to-RAM (S3). For S0ix the link state should be HIBERNATE. For +S3, state is lost, so the link state must be OFF. Driver policy, +expressed by spm_lvl, can be 3 (link HIBERNATE, device SLEEP) for S0ix +but must be changed to 5 (link OFF, device POWEROFF) for S3. + +Fix support for S0ix/S3 by switching spm_lvl as needed. During suspend +->prepare(), if the suspend target state is not Suspend-to-Idle, ensure +the spm_lvl is at least 5 to ensure that resume will be possible from +deep sleep states. During suspend ->complete(), restore the spm_lvl to +its original value that is suitable for S0ix. + +This fix is first needed in Intel Alder Lake based controllers. + +Fixes: 7dc9fb47bc9a ("scsi: ufs: ufs-pci: Add support for Intel ADL") +Cc: stable@vger.kernel.org +Signed-off-by: Adrian Hunter +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20251024085918.31825-2-adrian.hunter@intel.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/host/ufshcd-pci.c | 67 ++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 65 insertions(+), 2 deletions(-) + +--- a/drivers/ufs/host/ufshcd-pci.c ++++ b/drivers/ufs/host/ufshcd-pci.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -36,6 +37,7 @@ struct intel_host { + u32 dsm_fns; + u32 active_ltr; + u32 idle_ltr; ++ int saved_spm_lvl; + struct dentry *debugfs_root; + struct gpio_desc *reset_gpio; + }; +@@ -378,6 +380,7 @@ static int ufs_intel_common_init(struct + host = devm_kzalloc(hba->dev, sizeof(*host), GFP_KERNEL); + if (!host) + return -ENOMEM; ++ host->saved_spm_lvl = -1; + ufshcd_set_variant(hba, host); + intel_dsm_init(host, hba->dev); + if (INTEL_DSM_SUPPORTED(host, RESET)) { +@@ -588,6 +591,66 @@ static int ufshcd_pci_restore(struct dev + + return ufshcd_system_resume(dev); + } ++ ++static int ufs_intel_suspend_prepare(struct device *dev) ++{ ++ struct ufs_hba *hba = dev_get_drvdata(dev); ++ struct intel_host *host = ufshcd_get_variant(hba); ++ int err; ++ ++ /* ++ * Only s2idle (S0ix) retains link state. Force power-off ++ * (UFS_PM_LVL_5) for any other case. ++ */ ++ if (pm_suspend_target_state != PM_SUSPEND_TO_IDLE && hba->spm_lvl < UFS_PM_LVL_5) { ++ host->saved_spm_lvl = hba->spm_lvl; ++ hba->spm_lvl = UFS_PM_LVL_5; ++ } ++ ++ err = ufshcd_suspend_prepare(dev); ++ ++ if (err < 0 && host->saved_spm_lvl != -1) { ++ hba->spm_lvl = host->saved_spm_lvl; ++ host->saved_spm_lvl = -1; ++ } ++ ++ return err; ++} ++ ++static void ufs_intel_resume_complete(struct device *dev) ++{ ++ struct ufs_hba *hba = dev_get_drvdata(dev); ++ struct intel_host *host = ufshcd_get_variant(hba); ++ ++ ufshcd_resume_complete(dev); ++ ++ if (host->saved_spm_lvl != -1) { ++ hba->spm_lvl = host->saved_spm_lvl; ++ host->saved_spm_lvl = -1; ++ } ++} ++ ++static int ufshcd_pci_suspend_prepare(struct device *dev) ++{ ++ struct ufs_hba *hba = dev_get_drvdata(dev); ++ ++ if (!strcmp(hba->vops->name, "intel-pci")) ++ return ufs_intel_suspend_prepare(dev); ++ ++ return ufshcd_suspend_prepare(dev); ++} ++ ++static void ufshcd_pci_resume_complete(struct device *dev) ++{ ++ struct ufs_hba *hba = dev_get_drvdata(dev); ++ ++ if (!strcmp(hba->vops->name, "intel-pci")) { ++ ufs_intel_resume_complete(dev); ++ return; ++ } ++ ++ ufshcd_resume_complete(dev); ++} + #endif + + /** +@@ -668,8 +731,8 @@ static const struct dev_pm_ops ufshcd_pc + .thaw = ufshcd_system_resume, + .poweroff = ufshcd_system_suspend, + .restore = ufshcd_pci_restore, +- .prepare = ufshcd_suspend_prepare, +- .complete = ufshcd_resume_complete, ++ .prepare = ufshcd_pci_suspend_prepare, ++ .complete = ufshcd_pci_resume_complete, + #endif + }; + diff --git a/queue-6.12/scsi-ufs-ufs-pci-set-ufshcd_quirk_perform_link_startup_once-for-intel-adl.patch b/queue-6.12/scsi-ufs-ufs-pci-set-ufshcd_quirk_perform_link_startup_once-for-intel-adl.patch new file mode 100644 index 0000000000..41e67beb53 --- /dev/null +++ b/queue-6.12/scsi-ufs-ufs-pci-set-ufshcd_quirk_perform_link_startup_once-for-intel-adl.patch @@ -0,0 +1,36 @@ +From d968e99488c4b08259a324a89e4ed17bf36561a4 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Fri, 24 Oct 2025 11:59:17 +0300 +Subject: scsi: ufs: ufs-pci: Set UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE for Intel ADL + +From: Adrian Hunter + +commit d968e99488c4b08259a324a89e4ed17bf36561a4 upstream. + +Link startup becomes unreliable for Intel Alder Lake based host +controllers when a 2nd DME_LINKSTARTUP is issued unnecessarily. Employ +UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE to suppress that from happening. + +Fixes: 7dc9fb47bc9a ("scsi: ufs: ufs-pci: Add support for Intel ADL") +Cc: stable@vger.kernel.org +Signed-off-by: Adrian Hunter +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20251024085918.31825-4-adrian.hunter@intel.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/host/ufshcd-pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/ufs/host/ufshcd-pci.c ++++ b/drivers/ufs/host/ufshcd-pci.c +@@ -466,7 +466,8 @@ static int ufs_intel_lkf_init(struct ufs + static int ufs_intel_adl_init(struct ufs_hba *hba) + { + hba->nop_out_timeout = 200; +- hba->quirks |= UFSHCD_QUIRK_BROKEN_AUTO_HIBERN8; ++ hba->quirks |= UFSHCD_QUIRK_BROKEN_AUTO_HIBERN8 | ++ UFSHCD_QUIRK_PERFORM_LINK_STARTUP_ONCE; + hba->caps |= UFSHCD_CAP_WB_EN; + return ufs_intel_common_init(hba); + } diff --git a/queue-6.12/series b/queue-6.12/series index 6456638919..72f5a239a3 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -540,3 +540,19 @@ lan966x-fix-sleeping-in-atomic-context.patch net-bridge-fix-use-after-free-due-to-mst-port-state-.patch net-bridge-fix-mst-static-key-usage.patch tracing-fix-memory-leaks-in-create_field_var.patch +drm-amd-display-enable-mst-when-it-s-detected-but-yet-to-be-initialized.patch +drm-sched-fix-deadlock-in-drm_sched_entity_kill_jobs_cb.patch +bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch +iommufd-don-t-overflow-during-division-for-dirty-tracking.patch +parisc-avoid-crash-due-to-unaligned-access-in-unwinder.patch +rtc-rx8025-fix-incorrect-register-reference.patch +x86-microcode-amd-add-more-known-models-to-entry-sign-checking.patch +smb-client-validate-change-notify-buffer-before-copy.patch +smb-client-fix-potential-uaf-in-smb2_close_cached_fid.patch +drm-amdgpu-smu-handle-s0ix-for-vangogh.patch +drm-amd-display-fix-null-deref-in-debugfs-odm_combine_segments.patch +virtio-net-fix-received-length-check-in-big-packets.patch +lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch +scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch +scsi-ufs-ufs-pci-set-ufshcd_quirk_perform_link_startup_once-for-intel-adl.patch +scsi-ufs-core-add-a-quirk-to-suppress-link_startup_again.patch diff --git a/queue-6.12/smb-client-fix-potential-uaf-in-smb2_close_cached_fid.patch b/queue-6.12/smb-client-fix-potential-uaf-in-smb2_close_cached_fid.patch new file mode 100644 index 0000000000..87d3cc9219 --- /dev/null +++ b/queue-6.12/smb-client-fix-potential-uaf-in-smb2_close_cached_fid.patch @@ -0,0 +1,95 @@ +From 734e99623c5b65bf2c03e35978a0b980ebc3c2f8 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Mon, 3 Nov 2025 19:52:55 -0300 +Subject: smb: client: fix potential UAF in smb2_close_cached_fid() + +From: Henrique Carvalho + +commit 734e99623c5b65bf2c03e35978a0b980ebc3c2f8 upstream. + +find_or_create_cached_dir() could grab a new reference after kref_put() +had seen the refcount drop to zero but before cfid_list_lock is acquired +in smb2_close_cached_fid(), leading to use-after-free. + +Switch to kref_put_lock() so cfid_release() is called with +cfid_list_lock held, closing that gap. + +Fixes: ebe98f1447bb ("cifs: enable caching of directories for which a lease is held") +Cc: stable@vger.kernel.org +Reported-by: Jay Shin +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cached_dir.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/fs/smb/client/cached_dir.c ++++ b/fs/smb/client/cached_dir.c +@@ -362,11 +362,11 @@ out: + * lease. Release one here, and the second below. + */ + cfid->has_lease = false; +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + } + spin_unlock(&cfids->cfid_list_lock); + +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + } else { + *ret_cfid = cfid; + atomic_inc(&tcon->num_remote_opens); +@@ -406,12 +406,14 @@ int open_cached_dir_by_dentry(struct cif + + static void + smb2_close_cached_fid(struct kref *ref) ++__releases(&cfid->cfids->cfid_list_lock) + { + struct cached_fid *cfid = container_of(ref, struct cached_fid, + refcount); + int rc; + +- spin_lock(&cfid->cfids->cfid_list_lock); ++ lockdep_assert_held(&cfid->cfids->cfid_list_lock); ++ + if (cfid->on_list) { + list_del(&cfid->entry); + cfid->on_list = false; +@@ -446,7 +448,7 @@ void drop_cached_dir_by_name(const unsig + spin_lock(&cfid->cfids->cfid_list_lock); + if (cfid->has_lease) { + cfid->has_lease = false; +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + } + spin_unlock(&cfid->cfids->cfid_list_lock); + close_cached_dir(cfid); +@@ -455,7 +457,7 @@ void drop_cached_dir_by_name(const unsig + + void close_cached_dir(struct cached_fid *cfid) + { +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ kref_put_lock(&cfid->refcount, smb2_close_cached_fid, &cfid->cfids->cfid_list_lock); + } + + /* +@@ -566,7 +568,7 @@ cached_dir_offload_close(struct work_str + + WARN_ON(cfid->on_list); + +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cached_close); + } + +@@ -743,7 +745,7 @@ static void cfids_laundromat_worker(stru + * Drop the ref-count from above, either the lease-ref (if there + * was one) or the extra one acquired. + */ +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + } + queue_delayed_work(cfid_put_wq, &cfids->laundromat_work, + dir_cache_timeout * HZ); diff --git a/queue-6.12/smb-client-validate-change-notify-buffer-before-copy.patch b/queue-6.12/smb-client-validate-change-notify-buffer-before-copy.patch new file mode 100644 index 0000000000..f34e06b0e2 --- /dev/null +++ b/queue-6.12/smb-client-validate-change-notify-buffer-before-copy.patch @@ -0,0 +1,43 @@ +From 4012abe8a78fbb8869634130024266eaef7081fe Mon Sep 17 00:00:00 2001 +From: Joshua Rogers +Date: Fri, 7 Nov 2025 00:09:37 +0800 +Subject: smb: client: validate change notify buffer before copy + +From: Joshua Rogers + +commit 4012abe8a78fbb8869634130024266eaef7081fe upstream. + +SMB2_change_notify called smb2_validate_iov() but ignored the return +code, then kmemdup()ed using server provided OutputBufferOffset/Length. + +Check the return of smb2_validate_iov() and bail out on error. + +Discovered with help from the ZeroPath security tooling. + +Signed-off-by: Joshua Rogers +Reviewed-by: Paulo Alcantara (Red Hat) +Cc: stable@vger.kernel.org +Fixes: e3e9463414f61 ("smb3: improve SMB3 change notification support") +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -4074,9 +4074,12 @@ replay_again: + + smb_rsp = (struct smb2_change_notify_rsp *)rsp_iov.iov_base; + +- smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset), +- le32_to_cpu(smb_rsp->OutputBufferLength), &rsp_iov, ++ rc = smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset), ++ le32_to_cpu(smb_rsp->OutputBufferLength), ++ &rsp_iov, + sizeof(struct file_notify_information)); ++ if (rc) ++ goto cnotify_exit; + + *out_data = kmemdup((char *)smb_rsp + le16_to_cpu(smb_rsp->OutputBufferOffset), + le32_to_cpu(smb_rsp->OutputBufferLength), GFP_KERNEL); diff --git a/queue-6.12/virtio-net-fix-received-length-check-in-big-packets.patch b/queue-6.12/virtio-net-fix-received-length-check-in-big-packets.patch new file mode 100644 index 0000000000..b6086b0a20 --- /dev/null +++ b/queue-6.12/virtio-net-fix-received-length-check-in-big-packets.patch @@ -0,0 +1,79 @@ +From 0c716703965ffc5ef4311b65cb5d84a703784717 Mon Sep 17 00:00:00 2001 +From: Bui Quang Minh +Date: Thu, 30 Oct 2025 21:44:38 +0700 +Subject: virtio-net: fix received length check in big packets + +From: Bui Quang Minh + +commit 0c716703965ffc5ef4311b65cb5d84a703784717 upstream. + +Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length +for big packets"), when guest gso is off, the allocated size for big +packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on +negotiated MTU. The number of allocated frags for big packets is stored +in vi->big_packets_num_skbfrags. + +Because the host announced buffer length can be malicious (e.g. the host +vhost_net driver's get_rx_bufs is modified to announce incorrect +length), we need a check in virtio_net receive path. Currently, the +check is not adapted to the new change which can lead to NULL page +pointer dereference in the below while loop when receiving length that +is larger than the allocated one. + +This commit fixes the received length check corresponding to the new +change. + +Fixes: 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets") +Cc: stable@vger.kernel.org +Signed-off-by: Bui Quang Minh +Reviewed-by: Xuan Zhuo +Tested-by: Lei Yang +Link: https://patch.msgid.link/20251030144438.7582-1-minhquangbui99@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -868,17 +868,6 @@ static struct sk_buff *page_to_skb(struc + goto ok; + } + +- /* +- * Verify that we can indeed put this data into a skb. +- * This is here to handle cases when the device erroneously +- * tries to receive more than is possible. This is usually +- * the case of a broken device. +- */ +- if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) { +- net_dbg_ratelimited("%s: too much data\n", skb->dev->name); +- dev_kfree_skb(skb); +- return NULL; +- } + BUG_ON(offset >= PAGE_SIZE); + while (len) { + unsigned int frag_size = min((unsigned)PAGE_SIZE - offset, len); +@@ -1928,9 +1917,19 @@ static struct sk_buff *receive_big(struc + struct virtnet_rq_stats *stats) + { + struct page *page = buf; +- struct sk_buff *skb = +- page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); ++ struct sk_buff *skb; ++ ++ /* Make sure that len does not exceed the size allocated in ++ * add_recvbuf_big. ++ */ ++ if (unlikely(len > (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE)) { ++ pr_debug("%s: rx error: len %u exceeds allocated size %lu\n", ++ dev->name, len, ++ (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE); ++ goto err; ++ } + ++ skb = page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); + u64_stats_add(&stats->bytes, len - vi->hdr_len); + if (unlikely(!skb)) + goto err; diff --git a/queue-6.12/x86-microcode-amd-add-more-known-models-to-entry-sign-checking.patch b/queue-6.12/x86-microcode-amd-add-more-known-models-to-entry-sign-checking.patch new file mode 100644 index 0000000000..b0b5f72803 --- /dev/null +++ b/queue-6.12/x86-microcode-amd-add-more-known-models-to-entry-sign-checking.patch @@ -0,0 +1,36 @@ +From d23550efc6800841b4d1639784afaebdea946ae0 Mon Sep 17 00:00:00 2001 +From: "Mario Limonciello (AMD)" +Date: Thu, 6 Nov 2025 12:28:54 -0600 +Subject: x86/microcode/AMD: Add more known models to entry sign checking + +From: Mario Limonciello (AMD) + +commit d23550efc6800841b4d1639784afaebdea946ae0 upstream. + +Two Zen5 systems are missing from need_sha_check(). Add them. + +Fixes: 50cef76d5cb0 ("x86/microcode/AMD: Load only SHA256-checksummed patches") +Signed-off-by: Mario Limonciello (AMD) +Signed-off-by: Borislav Petkov (AMD) +Cc: +Link: https://patch.msgid.link/20251106182904.4143757-1-superm1@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/microcode/amd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -208,10 +208,12 @@ static bool need_sha_check(u32 cur_rev) + case 0xaa001: return cur_rev <= 0xaa00116; break; + case 0xaa002: return cur_rev <= 0xaa00218; break; + case 0xb0021: return cur_rev <= 0xb002146; break; ++ case 0xb0081: return cur_rev <= 0xb008111; break; + case 0xb1010: return cur_rev <= 0xb101046; break; + case 0xb2040: return cur_rev <= 0xb204031; break; + case 0xb4040: return cur_rev <= 0xb404031; break; + case 0xb6000: return cur_rev <= 0xb600031; break; ++ case 0xb6080: return cur_rev <= 0xb608031; break; + case 0xb7000: return cur_rev <= 0xb700031; break; + default: break; + }