From 86a6aef0f9af8a2f2d24e7d87ace23279eb58ee9 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 27 Nov 2025 14:28:41 +0100 Subject: [PATCH] 6.12-stable patches added patches: drm-amd-display-avoid-reset-dtbclk-at-clock-init.patch drm-amd-display-disable-dpp-rcg-before-dpp-clk-enable.patch drm-amd-display-insert-dccg-log-for-easy-debug.patch drm-amd-display-prevent-gating-dtbclk-before-it-is-properly-latched.patch drm-i915-dp_mst-disable-panel-replay.patch maple_tree-fix-tracepoint-string-pointers.patch mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch tty-vt-fix-up-incorrect-backport-to-stable-releases.patch xfs-fix-out-of-bounds-memory-read-error-in-symlink-repair.patch xfs-replace-strncpy-with-memcpy.patch --- ...lay-avoid-reset-dtbclk-at-clock-init.patch | 83 ++++++ ...isable-dpp-rcg-before-dpp-clk-enable.patch | 243 ++++++++++++++++++ ...splay-insert-dccg-log-for-easy-debug.patch | 145 +++++++++++ ...dtbclk-before-it-is-properly-latched.patch | 74 ++++++ ...drm-i915-dp_mst-disable-panel-replay.patch | 46 ++++ ..._tree-fix-tracepoint-string-pointers.patch | 174 +++++++++++++ ...fix-a-race-in-mptcp_pm_del_add_timer.patch | 198 ++++++++++++++ queue-6.12/series | 11 + ...ackport-in-cfids_invalidation_worker.patch | 30 +++ ...ncorrect-backport-to-stable-releases.patch | 34 +++ ...-memory-read-error-in-symlink-repair.patch | 92 +++++++ .../xfs-replace-strncpy-with-memcpy.patch | 41 +++ 12 files changed, 1171 insertions(+) create mode 100644 queue-6.12/drm-amd-display-avoid-reset-dtbclk-at-clock-init.patch create mode 100644 queue-6.12/drm-amd-display-disable-dpp-rcg-before-dpp-clk-enable.patch create mode 100644 queue-6.12/drm-amd-display-insert-dccg-log-for-easy-debug.patch create mode 100644 queue-6.12/drm-amd-display-prevent-gating-dtbclk-before-it-is-properly-latched.patch create mode 100644 queue-6.12/drm-i915-dp_mst-disable-panel-replay.patch create mode 100644 queue-6.12/maple_tree-fix-tracepoint-string-pointers.patch create mode 100644 queue-6.12/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch create mode 100644 queue-6.12/smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch create mode 100644 queue-6.12/tty-vt-fix-up-incorrect-backport-to-stable-releases.patch create mode 100644 queue-6.12/xfs-fix-out-of-bounds-memory-read-error-in-symlink-repair.patch create mode 100644 queue-6.12/xfs-replace-strncpy-with-memcpy.patch diff --git a/queue-6.12/drm-amd-display-avoid-reset-dtbclk-at-clock-init.patch b/queue-6.12/drm-amd-display-avoid-reset-dtbclk-at-clock-init.patch new file mode 100644 index 0000000000..4183b78c4f --- /dev/null +++ b/queue-6.12/drm-amd-display-avoid-reset-dtbclk-at-clock-init.patch @@ -0,0 +1,83 @@ +From stable+bounces-196914-greg=kroah.com@vger.kernel.org Tue Nov 25 15:51:39 2025 +From: Sasha Levin +Date: Tue, 25 Nov 2025 09:51:28 -0500 +Subject: drm/amd/display: avoid reset DTBCLK at clock init +To: stable@vger.kernel.org +Cc: Charlene Liu , Nicholas Kazlauskas , Martin Leung , Ausef Yousof , Tom Chung , Daniel Wheeler , Alex Deucher , Sasha Levin +Message-ID: <20251125145131.660280-1-sashal@kernel.org> + +From: Charlene Liu + +[ Upstream commit 0ae47e971b9add8f7b8f8d55ac5f407f6f346758 ] + +[why & how] +this is to init to HW real DTBCLK. +and use real HW DTBCLK status to update internal logic state + +Reviewed-by: Nicholas Kazlauskas +Reviewed-by: Martin Leung +Signed-off-by: Charlene Liu +Signed-off-by: Ausef Yousof +Signed-off-by: Tom Chung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Stable-dep-of: cfa0904a35fd ("drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c | 18 +++++++---- + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c +@@ -393,6 +393,7 @@ void dcn35_update_clocks(struct clk_mgr + if (clk_mgr_base->clks.dtbclk_en && !new_clocks->dtbclk_en) { + if (clk_mgr->base.ctx->dc->config.allow_0_dtb_clk) + dcn35_smu_set_dtbclk(clk_mgr, false); ++ + clk_mgr_base->clks.dtbclk_en = new_clocks->dtbclk_en; + } + /* check that we're not already in lower */ +@@ -410,11 +411,17 @@ void dcn35_update_clocks(struct clk_mgr + } + + if (!clk_mgr_base->clks.dtbclk_en && new_clocks->dtbclk_en) { +- dcn35_smu_set_dtbclk(clk_mgr, true); +- clk_mgr_base->clks.dtbclk_en = new_clocks->dtbclk_en; ++ int actual_dtbclk = 0; + + dcn35_update_clocks_update_dtb_dto(clk_mgr, context, new_clocks->ref_dtbclk_khz); +- clk_mgr_base->clks.ref_dtbclk_khz = new_clocks->ref_dtbclk_khz; ++ dcn35_smu_set_dtbclk(clk_mgr, true); ++ ++ actual_dtbclk = REG_READ(CLK1_CLK4_CURRENT_CNT); ++ ++ if (actual_dtbclk) { ++ clk_mgr_base->clks.ref_dtbclk_khz = new_clocks->ref_dtbclk_khz; ++ clk_mgr_base->clks.dtbclk_en = new_clocks->dtbclk_en; ++ } + } + + /* check that we're not already in D0 */ +@@ -581,12 +588,10 @@ static bool dcn35_is_spll_ssc_enabled(st + + static void init_clk_states(struct clk_mgr *clk_mgr) + { +- struct clk_mgr_internal *clk_mgr_int = TO_CLK_MGR_INTERNAL(clk_mgr); + uint32_t ref_dtbclk = clk_mgr->clks.ref_dtbclk_khz; ++ + memset(&(clk_mgr->clks), 0, sizeof(struct dc_clocks)); + +- if (clk_mgr_int->smu_ver >= SMU_VER_THRESHOLD) +- clk_mgr->clks.dtbclk_en = true; // request DTBCLK disable on first commit + clk_mgr->clks.ref_dtbclk_khz = ref_dtbclk; // restore ref_dtbclk + clk_mgr->clks.p_state_change_support = true; + clk_mgr->clks.prev_p_state_change_support = true; +@@ -597,6 +602,7 @@ static void init_clk_states(struct clk_m + void dcn35_init_clocks(struct clk_mgr *clk_mgr) + { + struct clk_mgr_internal *clk_mgr_int = TO_CLK_MGR_INTERNAL(clk_mgr); ++ + init_clk_states(clk_mgr); + + // to adjust dp_dto reference clock if ssc is enable otherwise to apply dprefclk diff --git a/queue-6.12/drm-amd-display-disable-dpp-rcg-before-dpp-clk-enable.patch b/queue-6.12/drm-amd-display-disable-dpp-rcg-before-dpp-clk-enable.patch new file mode 100644 index 0000000000..c91a71289b --- /dev/null +++ b/queue-6.12/drm-amd-display-disable-dpp-rcg-before-dpp-clk-enable.patch @@ -0,0 +1,243 @@ +From stable+bounces-196915-greg=kroah.com@vger.kernel.org Tue Nov 25 15:54:28 2025 +From: Sasha Levin +Date: Tue, 25 Nov 2025 09:51:29 -0500 +Subject: drm/amd/display: disable DPP RCG before DPP CLK enable +To: stable@vger.kernel.org +Cc: Charlene Liu , Hansen Dsouza , Ray Wu , Daniel Wheeler , Alex Deucher , Sasha Levin +Message-ID: <20251125145131.660280-2-sashal@kernel.org> + +From: Charlene Liu + +[ Upstream commit 1bcd679209420305a86833bc357d50021909edaf ] + +[why] +DPP CLK enable needs to disable DPPCLK RCG first. +The DPPCLK_en in dccg should always be enabled when the corresponding +pipe is enabled. + +Reviewed-by: Hansen Dsouza +Signed-off-by: Charlene Liu +Signed-off-by: Ray Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Stable-dep-of: cfa0904a35fd ("drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 38 ++++++++++------ + drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c | 21 +++++--- + 2 files changed, 38 insertions(+), 21 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c ++++ b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c +@@ -391,6 +391,7 @@ static void dccg35_set_dppclk_rcg(struct + + struct dcn_dccg *dccg_dcn = TO_DCN_DCCG(dccg); + ++ + if (!dccg->ctx->dc->debug.root_clock_optimization.bits.dpp && enable) + return; + +@@ -411,6 +412,8 @@ static void dccg35_set_dppclk_rcg(struct + BREAK_TO_DEBUGGER(); + break; + } ++ //DC_LOG_DEBUG("%s: inst(%d) DPPCLK rcg_disable: %d\n", __func__, inst, enable ? 0 : 1); ++ + } + + static void dccg35_set_dpstreamclk_rcg( +@@ -1112,30 +1115,24 @@ static void dcn35_set_dppclk_enable(stru + { + struct dcn_dccg *dccg_dcn = TO_DCN_DCCG(dccg); + ++ + switch (dpp_inst) { + case 0: + REG_UPDATE(DPPCLK_CTRL, DPPCLK0_EN, enable); +- if (dccg->ctx->dc->debug.root_clock_optimization.bits.dpp) +- REG_UPDATE(DCCG_GATE_DISABLE_CNTL6, DPPCLK0_ROOT_GATE_DISABLE, enable); + break; + case 1: + REG_UPDATE(DPPCLK_CTRL, DPPCLK1_EN, enable); +- if (dccg->ctx->dc->debug.root_clock_optimization.bits.dpp) +- REG_UPDATE(DCCG_GATE_DISABLE_CNTL6, DPPCLK1_ROOT_GATE_DISABLE, enable); + break; + case 2: + REG_UPDATE(DPPCLK_CTRL, DPPCLK2_EN, enable); +- if (dccg->ctx->dc->debug.root_clock_optimization.bits.dpp) +- REG_UPDATE(DCCG_GATE_DISABLE_CNTL6, DPPCLK2_ROOT_GATE_DISABLE, enable); + break; + case 3: + REG_UPDATE(DPPCLK_CTRL, DPPCLK3_EN, enable); +- if (dccg->ctx->dc->debug.root_clock_optimization.bits.dpp) +- REG_UPDATE(DCCG_GATE_DISABLE_CNTL6, DPPCLK3_ROOT_GATE_DISABLE, enable); + break; + default: + break; + } ++ //DC_LOG_DEBUG("%s: dpp_inst(%d) DPPCLK_EN = %d\n", __func__, dpp_inst, enable); + + } + +@@ -1163,14 +1160,18 @@ static void dccg35_update_dpp_dto(struct + ASSERT(false); + phase = 0xff; + } ++ dccg35_set_dppclk_rcg(dccg, dpp_inst, false); + + REG_SET_2(DPPCLK_DTO_PARAM[dpp_inst], 0, + DPPCLK0_DTO_PHASE, phase, + DPPCLK0_DTO_MODULO, modulo); + + dcn35_set_dppclk_enable(dccg, dpp_inst, true); +- } else ++ } else { + dcn35_set_dppclk_enable(dccg, dpp_inst, false); ++ /*we have this in hwss: disable_plane*/ ++ //dccg35_set_dppclk_rcg(dccg, dpp_inst, true); ++ } + dccg->pipe_dppclk_khz[dpp_inst] = req_dppclk; + } + +@@ -1182,6 +1183,7 @@ static void dccg35_set_dppclk_root_clock + if (!dccg->ctx->dc->debug.root_clock_optimization.bits.dpp) + return; + ++ + switch (dpp_inst) { + case 0: + REG_UPDATE(DCCG_GATE_DISABLE_CNTL6, DPPCLK0_ROOT_GATE_DISABLE, enable); +@@ -1198,6 +1200,8 @@ static void dccg35_set_dppclk_root_clock + default: + break; + } ++ //DC_LOG_DEBUG("%s: dpp_inst(%d) rcg: %d\n", __func__, dpp_inst, enable); ++ + } + + static void dccg35_get_pixel_rate_div( +@@ -1521,28 +1525,30 @@ static void dccg35_set_physymclk_root_cl + switch (phy_inst) { + case 0: + REG_UPDATE(DCCG_GATE_DISABLE_CNTL2, +- PHYASYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); ++ PHYASYMCLK_ROOT_GATE_DISABLE, enable ? 0 : 1); + break; + case 1: + REG_UPDATE(DCCG_GATE_DISABLE_CNTL2, +- PHYBSYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); ++ PHYBSYMCLK_ROOT_GATE_DISABLE, enable ? 0 : 1); + break; + case 2: + REG_UPDATE(DCCG_GATE_DISABLE_CNTL2, +- PHYCSYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); ++ PHYCSYMCLK_ROOT_GATE_DISABLE, enable ? 0 : 1); + break; + case 3: + REG_UPDATE(DCCG_GATE_DISABLE_CNTL2, +- PHYDSYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); ++ PHYDSYMCLK_ROOT_GATE_DISABLE, enable ? 0 : 1); + break; + case 4: + REG_UPDATE(DCCG_GATE_DISABLE_CNTL2, +- PHYESYMCLK_ROOT_GATE_DISABLE, enable ? 1 : 0); ++ PHYESYMCLK_ROOT_GATE_DISABLE, enable ? 0 : 1); + break; + default: + BREAK_TO_DEBUGGER(); + return; + } ++ //DC_LOG_DEBUG("%s: dpp_inst(%d) PHYESYMCLK_ROOT_GATE_DISABLE:\n", __func__, phy_inst, enable ? 0 : 1); ++ + } + + static void dccg35_set_physymclk( +@@ -1643,6 +1649,8 @@ static void dccg35_dpp_root_clock_contro + return; + + if (clock_on) { ++ dccg35_set_dppclk_rcg(dccg, dpp_inst, false); ++ + /* turn off the DTO and leave phase/modulo at max */ + dcn35_set_dppclk_enable(dccg, dpp_inst, 1); + REG_SET_2(DPPCLK_DTO_PARAM[dpp_inst], 0, +@@ -1654,6 +1662,8 @@ static void dccg35_dpp_root_clock_contro + REG_SET_2(DPPCLK_DTO_PARAM[dpp_inst], 0, + DPPCLK0_DTO_PHASE, 0, + DPPCLK0_DTO_MODULO, 1); ++ /*we have this in hwss: disable_plane*/ ++ //dccg35_set_dppclk_rcg(dccg, dpp_inst, true); + } + + dccg->dpp_clock_gated[dpp_inst] = !clock_on; +--- a/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/hwss/dcn35/dcn35_hwseq.c +@@ -241,11 +241,6 @@ void dcn35_init_hw(struct dc *dc) + dc->res_pool->hubbub->funcs->allow_self_refresh_control(dc->res_pool->hubbub, + !dc->res_pool->hubbub->ctx->dc->debug.disable_stutter); + } +- if (res_pool->dccg->funcs->dccg_root_gate_disable_control) { +- for (i = 0; i < res_pool->pipe_count; i++) +- res_pool->dccg->funcs->dccg_root_gate_disable_control(res_pool->dccg, i, 0); +- } +- + for (i = 0; i < res_pool->audio_count; i++) { + struct audio *audio = res_pool->audios[i]; + +@@ -885,12 +880,18 @@ void dcn35_init_pipes(struct dc *dc, str + void dcn35_enable_plane(struct dc *dc, struct pipe_ctx *pipe_ctx, + struct dc_state *context) + { ++ struct dpp *dpp = pipe_ctx->plane_res.dpp; ++ struct dccg *dccg = dc->res_pool->dccg; ++ ++ + /* enable DCFCLK current DCHUB */ + pipe_ctx->plane_res.hubp->funcs->hubp_clk_cntl(pipe_ctx->plane_res.hubp, true); + + /* initialize HUBP on power up */ + pipe_ctx->plane_res.hubp->funcs->hubp_init(pipe_ctx->plane_res.hubp); +- ++ /*make sure DPPCLK is on*/ ++ dccg->funcs->dccg_root_gate_disable_control(dccg, dpp->inst, true); ++ dpp->funcs->dpp_dppclk_control(dpp, false, true); + /* make sure OPP_PIPE_CLOCK_EN = 1 */ + pipe_ctx->stream_res.opp->funcs->opp_pipe_clock_control( + pipe_ctx->stream_res.opp, +@@ -907,6 +908,7 @@ void dcn35_enable_plane(struct dc *dc, s + // Program system aperture settings + pipe_ctx->plane_res.hubp->funcs->hubp_set_vm_system_aperture_settings(pipe_ctx->plane_res.hubp, &apt); + } ++ //DC_LOG_DEBUG("%s: dpp_inst(%d) =\n", __func__, dpp->inst); + + if (!pipe_ctx->top_pipe + && pipe_ctx->plane_state +@@ -922,6 +924,8 @@ void dcn35_plane_atomic_disable(struct d + { + struct hubp *hubp = pipe_ctx->plane_res.hubp; + struct dpp *dpp = pipe_ctx->plane_res.dpp; ++ struct dccg *dccg = dc->res_pool->dccg; ++ + + dc->hwss.wait_for_mpcc_disconnect(dc, dc->res_pool, pipe_ctx); + +@@ -939,7 +943,8 @@ void dcn35_plane_atomic_disable(struct d + hubp->funcs->hubp_clk_cntl(hubp, false); + + dpp->funcs->dpp_dppclk_control(dpp, false, false); +-/*to do, need to support both case*/ ++ dccg->funcs->dccg_root_gate_disable_control(dccg, dpp->inst, false); ++ + hubp->power_gated = true; + + hubp->funcs->hubp_reset(hubp); +@@ -951,6 +956,8 @@ void dcn35_plane_atomic_disable(struct d + pipe_ctx->top_pipe = NULL; + pipe_ctx->bottom_pipe = NULL; + pipe_ctx->plane_state = NULL; ++ //DC_LOG_DEBUG("%s: dpp_inst(%d)=\n", __func__, dpp->inst); ++ + } + + void dcn35_disable_plane(struct dc *dc, struct dc_state *state, struct pipe_ctx *pipe_ctx) diff --git a/queue-6.12/drm-amd-display-insert-dccg-log-for-easy-debug.patch b/queue-6.12/drm-amd-display-insert-dccg-log-for-easy-debug.patch new file mode 100644 index 0000000000..aef12a8ec5 --- /dev/null +++ b/queue-6.12/drm-amd-display-insert-dccg-log-for-easy-debug.patch @@ -0,0 +1,145 @@ +From stable+bounces-196916-greg=kroah.com@vger.kernel.org Tue Nov 25 15:55:36 2025 +From: Sasha Levin +Date: Tue, 25 Nov 2025 09:51:30 -0500 +Subject: drm/amd/display: Insert dccg log for easy debug +To: stable@vger.kernel.org +Cc: Charlene Liu , "Ovidiu (Ovi) Bunea" , Yihan Zhu , Ivan Lipski , Dan Wheeler , Alex Deucher , Sasha Levin +Message-ID: <20251125145131.660280-3-sashal@kernel.org> + +From: Charlene Liu + +[ Upstream commit 35bcc9168f3ce6416cbf3f776758be0937f84cb3 ] + +[why] +Log for sequence tracking + +Reviewed-by: Ovidiu (Ovi) Bunea +Reviewed-by: Yihan Zhu +Signed-off-by: Charlene Liu +Signed-off-by: Ivan Lipski +Tested-by: Dan Wheeler +Signed-off-by: Alex Deucher +Stable-dep-of: cfa0904a35fd ("drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 24 ++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c ++++ b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c +@@ -39,6 +39,7 @@ + + #define CTX \ + dccg_dcn->base.ctx ++#include "logger_types.h" + #define DC_LOGGER \ + dccg->ctx->logger + +@@ -1132,7 +1133,7 @@ static void dcn35_set_dppclk_enable(stru + default: + break; + } +- //DC_LOG_DEBUG("%s: dpp_inst(%d) DPPCLK_EN = %d\n", __func__, dpp_inst, enable); ++ DC_LOG_DEBUG("%s: dpp_inst(%d) DPPCLK_EN = %d\n", __func__, dpp_inst, enable); + + } + +@@ -1400,6 +1401,10 @@ static void dccg35_set_dtbclk_dto( + * PIPEx_DTO_SRC_SEL should not be programmed during DTBCLK update since OTG may still be on, and the + * programming is handled in program_pix_clk() regardless, so it can be removed from here. + */ ++ DC_LOG_DEBUG("%s: OTG%d DTBCLK DTO enabled: pixclk_khz=%d, ref_dtbclk_khz=%d, req_dtbclk_khz=%d, phase=%d, modulo=%d\n", ++ __func__, params->otg_inst, params->pixclk_khz, ++ params->ref_dtbclk_khz, req_dtbclk_khz, phase, modulo); ++ + } else { + switch (params->otg_inst) { + case 0: +@@ -1425,6 +1430,8 @@ static void dccg35_set_dtbclk_dto( + + REG_WRITE(DTBCLK_DTO_MODULO[params->otg_inst], 0); + REG_WRITE(DTBCLK_DTO_PHASE[params->otg_inst], 0); ++ ++ DC_LOG_DEBUG("%s: OTG%d DTBCLK DTO disabled\n", __func__, params->otg_inst); + } + } + +@@ -1469,6 +1476,8 @@ static void dccg35_set_dpstreamclk( + BREAK_TO_DEBUGGER(); + return; + } ++ DC_LOG_DEBUG("%s: dp_hpo_inst(%d) DPSTREAMCLK_EN = %d, DPSTREAMCLK_SRC_SEL = %d\n", ++ __func__, dp_hpo_inst, (src == REFCLK) ? 0 : 1, otg_inst); + } + + +@@ -1508,6 +1517,8 @@ static void dccg35_set_dpstreamclk_root_ + BREAK_TO_DEBUGGER(); + return; + } ++ DC_LOG_DEBUG("%s: dp_hpo_inst(%d) DPSTREAMCLK_ROOT_GATE_DISABLE = %d\n", ++ __func__, dp_hpo_inst, enable ? 1 : 0); + } + + +@@ -1547,7 +1558,7 @@ static void dccg35_set_physymclk_root_cl + BREAK_TO_DEBUGGER(); + return; + } +- //DC_LOG_DEBUG("%s: dpp_inst(%d) PHYESYMCLK_ROOT_GATE_DISABLE:\n", __func__, phy_inst, enable ? 0 : 1); ++ DC_LOG_DEBUG("%s: dpp_inst(%d) PHYESYMCLK_ROOT_GATE_DISABLE: %d\n", __func__, phy_inst, enable ? 0 : 1); + + } + +@@ -1620,6 +1631,8 @@ static void dccg35_set_physymclk( + BREAK_TO_DEBUGGER(); + return; + } ++ DC_LOG_DEBUG("%s: phy_inst(%d) PHYxSYMCLK_EN = %d, PHYxSYMCLK_SRC_SEL = %d\n", ++ __func__, phy_inst, force_enable ? 1 : 0, clk_src); + } + + static void dccg35_set_valid_pixel_rate( +@@ -1667,6 +1680,7 @@ static void dccg35_dpp_root_clock_contro + } + + dccg->dpp_clock_gated[dpp_inst] = !clock_on; ++ DC_LOG_DEBUG("%s: dpp_inst(%d) clock_on = %d\n", __func__, dpp_inst, clock_on); + } + + static void dccg35_disable_symclk32_se( +@@ -1725,6 +1739,7 @@ static void dccg35_disable_symclk32_se( + BREAK_TO_DEBUGGER(); + return; + } ++ + } + + static void dccg35_init_cb(struct dccg *dccg) +@@ -1732,7 +1747,6 @@ static void dccg35_init_cb(struct dccg * + (void)dccg; + /* Any RCG should be done when driver enter low power mode*/ + } +- + void dccg35_init(struct dccg *dccg) + { + int otg_inst; +@@ -1747,6 +1761,8 @@ void dccg35_init(struct dccg *dccg) + for (otg_inst = 0; otg_inst < 2; otg_inst++) { + dccg31_disable_symclk32_le(dccg, otg_inst); + dccg31_set_symclk32_le_root_clock_gating(dccg, otg_inst, false); ++ DC_LOG_DEBUG("%s: OTG%d SYMCLK32_LE disabled and root clock gating disabled\n", ++ __func__, otg_inst); + } + + // if (dccg->ctx->dc->debug.root_clock_optimization.bits.symclk32_se) +@@ -1759,6 +1775,8 @@ void dccg35_init(struct dccg *dccg) + dccg35_set_dpstreamclk(dccg, REFCLK, otg_inst, + otg_inst); + dccg35_set_dpstreamclk_root_clock_gating(dccg, otg_inst, false); ++ DC_LOG_DEBUG("%s: OTG%d DPSTREAMCLK disabled and root clock gating disabled\n", ++ __func__, otg_inst); + } + + /* diff --git a/queue-6.12/drm-amd-display-prevent-gating-dtbclk-before-it-is-properly-latched.patch b/queue-6.12/drm-amd-display-prevent-gating-dtbclk-before-it-is-properly-latched.patch new file mode 100644 index 0000000000..0b510bf36e --- /dev/null +++ b/queue-6.12/drm-amd-display-prevent-gating-dtbclk-before-it-is-properly-latched.patch @@ -0,0 +1,74 @@ +From stable+bounces-196917-greg=kroah.com@vger.kernel.org Tue Nov 25 15:51:43 2025 +From: Sasha Levin +Date: Tue, 25 Nov 2025 09:51:31 -0500 +Subject: drm/amd/display: Prevent Gating DTBCLK before It Is Properly Latched +To: stable@vger.kernel.org +Cc: Fangzhi Zuo , Charlene Liu , Aurabindo Pillai , Roman Li , Dan Wheeler , Alex Deucher , Sasha Levin +Message-ID: <20251125145131.660280-4-sashal@kernel.org> + +From: Fangzhi Zuo + +[ Upstream commit cfa0904a35fd0231f4d05da0190f0a22ed881cce ] + +[why] +1. With allow_0_dtb_clk enabled, the time required to latch DTBCLK to 600 MHz +depends on the SMU. If DTBCLK is not latched to 600 MHz before set_mode completes, +gating DTBCLK causes the DP2 sink to lose its clock source. + +2. The existing DTBCLK gating sequence ungates DTBCLK based on both pix_clk and ref_dtbclk, +but gates DTBCLK when either pix_clk or ref_dtbclk is zero. +pix_clk can be zero outside the set_mode sequence before DTBCLK is properly latched, +which can lead to DTBCLK being gated by mistake. + +[how] +Consider both pixel_clk and ref_dtbclk when determining when it is safe to gate DTBCLK; +this is more accurate. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4701 +Fixes: 5949e7c4890c ("drm/amd/display: Enable Dynamic DTBCLK Switch") +Reviewed-by: Charlene Liu +Reviewed-by: Aurabindo Pillai +Signed-off-by: Fangzhi Zuo +Signed-off-by: Roman Li +Tested-by: Dan Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit d04eb0c402780ca037b62a6aecf23b863545ebca) +Cc: stable@vger.kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c | 4 +++- + drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c | 2 +- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c +@@ -377,6 +377,8 @@ void dcn35_update_clocks(struct clk_mgr + display_count = dcn35_get_active_display_cnt_wa(dc, context, &all_active_disps); + if (new_clocks->dtbclk_en && !new_clocks->ref_dtbclk_khz) + new_clocks->ref_dtbclk_khz = 600000; ++ else if (!new_clocks->dtbclk_en && new_clocks->ref_dtbclk_khz > 590000) ++ new_clocks->ref_dtbclk_khz = 0; + + /* + * if it is safe to lower, but we are already in the lower state, we don't have to do anything +@@ -418,7 +420,7 @@ void dcn35_update_clocks(struct clk_mgr + + actual_dtbclk = REG_READ(CLK1_CLK4_CURRENT_CNT); + +- if (actual_dtbclk) { ++ if (actual_dtbclk > 590000) { + clk_mgr_base->clks.ref_dtbclk_khz = new_clocks->ref_dtbclk_khz; + clk_mgr_base->clks.dtbclk_en = new_clocks->dtbclk_en; + } +--- a/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c ++++ b/drivers/gpu/drm/amd/display/dc/dccg/dcn35/dcn35_dccg.c +@@ -1405,7 +1405,7 @@ static void dccg35_set_dtbclk_dto( + __func__, params->otg_inst, params->pixclk_khz, + params->ref_dtbclk_khz, req_dtbclk_khz, phase, modulo); + +- } else { ++ } else if (!params->ref_dtbclk_khz && !req_dtbclk_khz) { + switch (params->otg_inst) { + case 0: + REG_UPDATE(DCCG_GATE_DISABLE_CNTL5, DTBCLK_P0_GATE_DISABLE, 0); diff --git a/queue-6.12/drm-i915-dp_mst-disable-panel-replay.patch b/queue-6.12/drm-i915-dp_mst-disable-panel-replay.patch new file mode 100644 index 0000000000..b8e9fe4322 --- /dev/null +++ b/queue-6.12/drm-i915-dp_mst-disable-panel-replay.patch @@ -0,0 +1,46 @@ +From stable+bounces-196519-greg=kroah.com@vger.kernel.org Fri Nov 21 17:05:55 2025 +From: Sasha Levin +Date: Fri, 21 Nov 2025 11:05:47 -0500 +Subject: drm/i915/dp_mst: Disable Panel Replay +To: stable@vger.kernel.org +Cc: "Imre Deak" , "Jouni Högander" , "Animesh Manna" , "Rodrigo Vivi" , "Sasha Levin" +Message-ID: <20251121160547.2589081-1-sashal@kernel.org> + +From: Imre Deak + +[ Upstream commit f2687d3cc9f905505d7b510c50970176115066a2 ] + +Disable Panel Replay on MST links until it's properly implemented. For +instance the required VSC SDP is not programmed on MST and FEC is not +enabled if Panel Replay is enabled. + +Fixes: 3257e55d3ea7 ("drm/i915/panelreplay: enable/disable panel replay") +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15174 +Cc: Jouni Högander +Cc: Animesh Manna +Cc: stable@vger.kernel.org # v6.8+ +Reviewed-by: Jouni Högander +Signed-off-by: Imre Deak +Link: https://patch.msgid.link/20251107124141.911895-1-imre.deak@intel.com +(cherry picked from commit e109f644b871df8440c886a69cdce971ed533088) +Signed-off-by: Rodrigo Vivi +[ placed MST check at function start since DPCD read was moved to caller ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_psr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -591,6 +591,10 @@ static void _panel_replay_init_dpcd(stru + { + struct intel_display *display = to_intel_display(intel_dp); + ++ /* TODO: Enable Panel Replay on MST once it's properly implemented. */ ++ if (intel_dp->mst_detect == DRM_DP_MST) ++ return; ++ + if (intel_dp_is_edp(intel_dp)) { + if (!intel_alpm_aux_less_wake_supported(intel_dp)) { + drm_dbg_kms(display->drm, diff --git a/queue-6.12/maple_tree-fix-tracepoint-string-pointers.patch b/queue-6.12/maple_tree-fix-tracepoint-string-pointers.patch new file mode 100644 index 0000000000..f4ce3df7ae --- /dev/null +++ b/queue-6.12/maple_tree-fix-tracepoint-string-pointers.patch @@ -0,0 +1,174 @@ +From 91a54090026f84ceffaa12ac53c99b9f162946f6 Mon Sep 17 00:00:00 2001 +From: Martin Kaiser +Date: Thu, 30 Oct 2025 16:55:05 +0100 +Subject: maple_tree: fix tracepoint string pointers + +From: Martin Kaiser + +commit 91a54090026f84ceffaa12ac53c99b9f162946f6 upstream. + +maple_tree tracepoints contain pointers to function names. Such a pointer +is saved when a tracepoint logs an event. There's no guarantee that it's +still valid when the event is parsed later and the pointer is dereferenced. + +The kernel warns about these unsafe pointers. + + event 'ma_read' has unsafe pointer field 'fn' + WARNING: kernel/trace/trace.c:3779 at ignore_event+0x1da/0x1e4 + +Mark the function names as tracepoint_string() to fix the events. + +One case that doesn't work without my patch would be trace-cmd record +to save the binary ringbuffer and trace-cmd report to parse it in +userspace. The address of __func__ can't be dereferenced from +userspace but tracepoint_string will add an entry to +/sys/kernel/tracing/printk_formats + +Link: https://lkml.kernel.org/r/20251030155537.87972-1-martin@kaiser.cx +Fixes: 54a611b60590 ("Maple Tree: add new data structure") +Signed-off-by: Martin Kaiser +Acked-by: Liam R. Howlett +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + lib/maple_tree.c | 30 ++++++++++++++++-------------- + 1 file changed, 16 insertions(+), 14 deletions(-) + +--- a/lib/maple_tree.c ++++ b/lib/maple_tree.c +@@ -64,6 +64,8 @@ + #define CREATE_TRACE_POINTS + #include + ++#define TP_FCT tracepoint_string(__func__) ++ + #define MA_ROOT_PARENT 1 + + /* +@@ -2949,7 +2951,7 @@ static inline void mas_rebalance(struct + MA_STATE(l_mas, mas->tree, mas->index, mas->last); + MA_STATE(r_mas, mas->tree, mas->index, mas->last); + +- trace_ma_op(__func__, mas); ++ trace_ma_op(TP_FCT, mas); + + /* + * Rebalancing occurs if a node is insufficient. Data is rebalanced +@@ -3314,7 +3316,7 @@ static void mas_split(struct ma_state *m + MA_STATE(prev_l_mas, mas->tree, mas->index, mas->last); + MA_STATE(prev_r_mas, mas->tree, mas->index, mas->last); + +- trace_ma_op(__func__, mas); ++ trace_ma_op(TP_FCT, mas); + mas->depth = mas_mt_height(mas); + + mast.l = &l_mas; +@@ -3487,7 +3489,7 @@ static bool mas_is_span_wr(struct ma_wr_ + return false; + } + +- trace_ma_write(__func__, wr_mas->mas, wr_mas->r_max, entry); ++ trace_ma_write(TP_FCT, wr_mas->mas, wr_mas->r_max, entry); + return true; + } + +@@ -3721,7 +3723,7 @@ static noinline void mas_wr_spanning_sto + * of data may happen. + */ + mas = wr_mas->mas; +- trace_ma_op(__func__, mas); ++ trace_ma_op(TP_FCT, mas); + + if (unlikely(!mas->index && mas->last == ULONG_MAX)) + return mas_new_root(mas, wr_mas->entry); +@@ -3858,7 +3860,7 @@ done: + } else { + memcpy(wr_mas->node, newnode, sizeof(struct maple_node)); + } +- trace_ma_write(__func__, mas, 0, wr_mas->entry); ++ trace_ma_write(TP_FCT, mas, 0, wr_mas->entry); + mas_update_gap(mas); + mas->end = new_end; + return; +@@ -3903,7 +3905,7 @@ static inline void mas_wr_slot_store(str + return; + } + +- trace_ma_write(__func__, mas, 0, wr_mas->entry); ++ trace_ma_write(TP_FCT, mas, 0, wr_mas->entry); + /* + * Only update gap when the new entry is empty or there is an empty + * entry in the original two ranges. +@@ -4024,7 +4026,7 @@ static inline void mas_wr_append(struct + mas_update_gap(mas); + + mas->end = new_end; +- trace_ma_write(__func__, mas, new_end, wr_mas->entry); ++ trace_ma_write(TP_FCT, mas, new_end, wr_mas->entry); + return; + } + +@@ -4038,7 +4040,7 @@ static void mas_wr_bnode(struct ma_wr_st + { + struct maple_big_node b_node; + +- trace_ma_write(__func__, wr_mas->mas, 0, wr_mas->entry); ++ trace_ma_write(TP_FCT, wr_mas->mas, 0, wr_mas->entry); + memset(&b_node, 0, sizeof(struct maple_big_node)); + mas_store_b_node(wr_mas, &b_node, wr_mas->offset_end); + mas_commit_b_node(wr_mas, &b_node); +@@ -5418,7 +5420,7 @@ void *mas_store(struct ma_state *mas, vo + int request; + MA_WR_STATE(wr_mas, mas, entry); + +- trace_ma_write(__func__, mas, 0, entry); ++ trace_ma_write(TP_FCT, mas, 0, entry); + #ifdef CONFIG_DEBUG_MAPLE_TREE + if (MAS_WARN_ON(mas, mas->index > mas->last)) + pr_err("Error %lX > %lX %p\n", mas->index, mas->last, entry); +@@ -5518,7 +5520,7 @@ void mas_store_prealloc(struct ma_state + } + + store: +- trace_ma_write(__func__, mas, 0, entry); ++ trace_ma_write(TP_FCT, mas, 0, entry); + mas_wr_store_entry(&wr_mas); + MAS_WR_BUG_ON(&wr_mas, mas_is_err(mas)); + mas_destroy(mas); +@@ -6320,7 +6322,7 @@ void *mtree_load(struct maple_tree *mt, + MA_STATE(mas, mt, index, index); + void *entry; + +- trace_ma_read(__func__, &mas); ++ trace_ma_read(TP_FCT, &mas); + rcu_read_lock(); + retry: + entry = mas_start(&mas); +@@ -6363,7 +6365,7 @@ int mtree_store_range(struct maple_tree + MA_STATE(mas, mt, index, last); + int ret = 0; + +- trace_ma_write(__func__, &mas, 0, entry); ++ trace_ma_write(TP_FCT, &mas, 0, entry); + if (WARN_ON_ONCE(xa_is_advanced(entry))) + return -EINVAL; + +@@ -6586,7 +6588,7 @@ void *mtree_erase(struct maple_tree *mt, + void *entry = NULL; + + MA_STATE(mas, mt, index, index); +- trace_ma_op(__func__, &mas); ++ trace_ma_op(TP_FCT, &mas); + + mtree_lock(mt); + entry = mas_erase(&mas); +@@ -6924,7 +6926,7 @@ void *mt_find(struct maple_tree *mt, uns + unsigned long copy = *index; + #endif + +- trace_ma_read(__func__, &mas); ++ trace_ma_read(TP_FCT, &mas); + + if ((*index) > max) + return NULL; diff --git a/queue-6.12/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch b/queue-6.12/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch new file mode 100644 index 0000000000..721ebfcfae --- /dev/null +++ b/queue-6.12/mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch @@ -0,0 +1,198 @@ +From stable+bounces-196823-greg=kroah.com@vger.kernel.org Mon Nov 24 23:38:54 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 17:38:44 -0500 +Subject: mptcp: fix a race in mptcp_pm_del_add_timer() +To: stable@vger.kernel.org +Cc: Eric Dumazet , syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com, Geliang Tang , "Matthieu Baerts (NGI0)" , Jakub Kicinski , Sasha Levin +Message-ID: <20251124223844.74497-1-sashal@kernel.org> + +From: Eric Dumazet + +[ Upstream commit 426358d9be7ce3518966422f87b96f1bad27295f ] + +mptcp_pm_del_add_timer() can call sk_stop_timer_sync(sk, &entry->add_timer) +while another might have free entry already, as reported by syzbot. + +Add RCU protection to fix this issue. + +Also change confusing add_timer variable with stop_timer boolean. + +syzbot report: + +BUG: KASAN: slab-use-after-free in __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 +Read of size 4 at addr ffff8880311e4150 by task kworker/1:1/44 + +CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025 +Workqueue: events mptcp_worker +Call Trace: + + dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 + print_address_description mm/kasan/report.c:378 [inline] + print_report+0xca/0x240 mm/kasan/report.c:482 + kasan_report+0x118/0x150 mm/kasan/report.c:595 + __timer_delete_sync+0x372/0x3f0 kernel/time/timer.c:1616 + sk_stop_timer_sync+0x1b/0x90 net/core/sock.c:3631 + mptcp_pm_del_add_timer+0x283/0x310 net/mptcp/pm.c:362 + mptcp_incoming_options+0x1357/0x1f60 net/mptcp/options.c:1174 + tcp_data_queue+0xca/0x6450 net/ipv4/tcp_input.c:5361 + tcp_rcv_established+0x1335/0x2670 net/ipv4/tcp_input.c:6441 + tcp_v4_do_rcv+0x98b/0xbf0 net/ipv4/tcp_ipv4.c:1931 + tcp_v4_rcv+0x252a/0x2dc0 net/ipv4/tcp_ipv4.c:2374 + ip_protocol_deliver_rcu+0x221/0x440 net/ipv4/ip_input.c:205 + ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:239 + NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 + NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318 + __netif_receive_skb_one_core net/core/dev.c:6079 [inline] + __netif_receive_skb+0x143/0x380 net/core/dev.c:6192 + process_backlog+0x31e/0x900 net/core/dev.c:6544 + __napi_poll+0xb6/0x540 net/core/dev.c:7594 + napi_poll net/core/dev.c:7657 [inline] + net_rx_action+0x5f7/0xda0 net/core/dev.c:7784 + handle_softirqs+0x22f/0x710 kernel/softirq.c:622 + __do_softirq kernel/softirq.c:656 [inline] + __local_bh_enable_ip+0x1a0/0x2e0 kernel/softirq.c:302 + mptcp_pm_send_ack net/mptcp/pm.c:210 [inline] + mptcp_pm_addr_send_ack+0x41f/0x500 net/mptcp/pm.c:-1 + mptcp_pm_worker+0x174/0x320 net/mptcp/pm.c:1002 + mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 + process_one_work kernel/workqueue.c:3263 [inline] + process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + + +Allocated by task 44: + kasan_save_stack mm/kasan/common.c:56 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 + poison_kmalloc_redzone mm/kasan/common.c:400 [inline] + __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417 + kasan_kmalloc include/linux/kasan.h:262 [inline] + __kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5748 + kmalloc_noprof include/linux/slab.h:957 [inline] + mptcp_pm_alloc_anno_list+0x104/0x460 net/mptcp/pm.c:385 + mptcp_pm_create_subflow_or_signal_addr+0xf9d/0x1360 net/mptcp/pm_kernel.c:355 + mptcp_pm_nl_fully_established net/mptcp/pm_kernel.c:409 [inline] + __mptcp_pm_kernel_worker+0x417/0x1ef0 net/mptcp/pm_kernel.c:1529 + mptcp_pm_worker+0x1ee/0x320 net/mptcp/pm.c:1008 + mptcp_worker+0xd5/0x1170 net/mptcp/protocol.c:2762 + process_one_work kernel/workqueue.c:3263 [inline] + process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 + worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 + kthread+0x711/0x8a0 kernel/kthread.c:463 + ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 + +Freed by task 6630: + kasan_save_stack mm/kasan/common.c:56 [inline] + kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 + __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 + kasan_save_free_info mm/kasan/kasan.h:406 [inline] + poison_slab_object mm/kasan/common.c:252 [inline] + __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 + kasan_slab_free include/linux/kasan.h:234 [inline] + slab_free_hook mm/slub.c:2523 [inline] + slab_free mm/slub.c:6611 [inline] + kfree+0x197/0x950 mm/slub.c:6818 + mptcp_remove_anno_list_by_saddr+0x2d/0x40 net/mptcp/pm.c:158 + mptcp_pm_flush_addrs_and_subflows net/mptcp/pm_kernel.c:1209 [inline] + mptcp_nl_flush_addrs_list net/mptcp/pm_kernel.c:1240 [inline] + mptcp_pm_nl_flush_addrs_doit+0x593/0xbb0 net/mptcp/pm_kernel.c:1281 + genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115 + genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] + genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210 + netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2552 + genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 + netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] + netlink_unicast+0x846/0xa10 net/netlink/af_netlink.c:1346 + netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 + sock_sendmsg_nosec net/socket.c:727 [inline] + __sock_sendmsg+0x21c/0x270 net/socket.c:742 + ____sys_sendmsg+0x508/0x820 net/socket.c:2630 + ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2684 + __sys_sendmsg net/socket.c:2716 [inline] + __do_sys_sendmsg net/socket.c:2721 [inline] + __se_sys_sendmsg net/socket.c:2719 [inline] + __x64_sys_sendmsg+0x1a1/0x260 net/socket.c:2719 + do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] + do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +Cc: stable@vger.kernel.org +Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout") +Reported-by: syzbot+2a6fbf0f0530375968df@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/691ad3c3.a70a0220.f6df1.0004.GAE@google.com +Signed-off-by: Eric Dumazet +Cc: Geliang Tang +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://patch.msgid.link/20251117100745.1913963-1-edumazet@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/pm_netlink.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/net/mptcp/pm_netlink.c ++++ b/net/mptcp/pm_netlink.c +@@ -24,6 +24,7 @@ struct mptcp_pm_add_entry { + u8 retrans_times; + struct timer_list add_timer; + struct mptcp_sock *sock; ++ struct rcu_head rcu; + }; + + struct pm_nl_pernet { +@@ -343,22 +344,27 @@ mptcp_pm_del_add_timer(struct mptcp_sock + { + struct mptcp_pm_add_entry *entry; + struct sock *sk = (struct sock *)msk; +- struct timer_list *add_timer = NULL; ++ bool stop_timer = false; ++ ++ rcu_read_lock(); + + spin_lock_bh(&msk->pm.lock); + entry = mptcp_lookup_anno_list_by_saddr(msk, addr); + if (entry && (!check_id || entry->addr.id == addr->id)) { + entry->retrans_times = ADD_ADDR_RETRANS_MAX; +- add_timer = &entry->add_timer; ++ stop_timer = true; + } + if (!check_id && entry) + list_del(&entry->list); + spin_unlock_bh(&msk->pm.lock); + +- /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */ +- if (add_timer) +- sk_stop_timer_sync(sk, add_timer); ++ /* Note: entry might have been removed by another thread. ++ * We hold rcu_read_lock() to ensure it is not freed under us. ++ */ ++ if (stop_timer) ++ sk_stop_timer_sync(sk, &entry->add_timer); + ++ rcu_read_unlock(); + return entry; + } + +@@ -414,7 +420,7 @@ void mptcp_pm_free_anno_list(struct mptc + + list_for_each_entry_safe(entry, tmp, &free_list, list) { + sk_stop_timer_sync(sk, &entry->add_timer); +- kfree(entry); ++ kfree_rcu(entry, rcu); + } + } + +@@ -1525,7 +1531,7 @@ static bool remove_anno_list_by_saddr(st + + entry = mptcp_pm_del_add_timer(msk, addr, false); + if (entry) { +- kfree(entry); ++ kfree_rcu(entry, rcu); + return true; + } + diff --git a/queue-6.12/series b/queue-6.12/series index e45dc04207..7ce6fd5b27 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -99,3 +99,14 @@ alsa-usb-audio-fix-uac2-clock-source-at-terminal-par.patch net-ethernet-ti-netcp-standardize-knav_dma_open_chan.patch tracing-tools-fix-incorrcet-short-option-in-usage-te.patch drm-amdgpu-fix-gpu-page-fault-after-hibernation-on-p.patch +smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch +tty-vt-fix-up-incorrect-backport-to-stable-releases.patch +maple_tree-fix-tracepoint-string-pointers.patch +drm-i915-dp_mst-disable-panel-replay.patch +mptcp-fix-a-race-in-mptcp_pm_del_add_timer.patch +xfs-replace-strncpy-with-memcpy.patch +xfs-fix-out-of-bounds-memory-read-error-in-symlink-repair.patch +drm-amd-display-avoid-reset-dtbclk-at-clock-init.patch +drm-amd-display-disable-dpp-rcg-before-dpp-clk-enable.patch +drm-amd-display-insert-dccg-log-for-easy-debug.patch +drm-amd-display-prevent-gating-dtbclk-before-it-is-properly-latched.patch diff --git a/queue-6.12/smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch b/queue-6.12/smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch new file mode 100644 index 0000000000..300d6f4756 --- /dev/null +++ b/queue-6.12/smb-client-fix-incomplete-backport-in-cfids_invalidation_worker.patch @@ -0,0 +1,30 @@ +From 38ef85145fd3655cd4ac16578871afdc0aa6636f Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Wed, 26 Nov 2025 10:55:53 -0300 +Subject: smb: client: fix incomplete backport in cfids_invalidation_worker() + +From: Henrique Carvalho + +The previous commit bdb596ceb4b7 ("smb: client: fix potential UAF in +smb2_close_cached_fid()") was an incomplete backport and missed one +kref_put() call in cfids_invalidation_worker() that should have been +converted to close_cached_dir(). + +Fixes: 065bd6241227 ("smb: client: fix potential UAF in smb2_close_cached_fid()")" +Signed-off-by: Henrique Carvalho +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cached_dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/smb/client/cached_dir.c ++++ b/fs/smb/client/cached_dir.c +@@ -727,7 +727,7 @@ static void cfids_invalidation_worker(st + list_for_each_entry_safe(cfid, q, &entry, entry) { + list_del(&cfid->entry); + /* Drop the ref-count acquired in invalidate_all_cached_dirs */ +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + } + } + diff --git a/queue-6.12/tty-vt-fix-up-incorrect-backport-to-stable-releases.patch b/queue-6.12/tty-vt-fix-up-incorrect-backport-to-stable-releases.patch new file mode 100644 index 0000000000..46495cc36d --- /dev/null +++ b/queue-6.12/tty-vt-fix-up-incorrect-backport-to-stable-releases.patch @@ -0,0 +1,34 @@ +From jariruusu@protonmail.com Thu Nov 27 14:24:48 2025 +From: Jari Ruusu +Date: Sat, 22 Nov 2025 07:28:00 +0000 +Subject: tty/vt: fix up incorrect backport to stable releases +To: Greg Kroah-Hartman +Cc: Sasha Levin , "stable@vger.kernel.org" , "linux-kernel@vger.kernel.org" , Zizhi Wo +Message-ID: <8mT8aJsAQPfUnmI5mmsgbUweQAptUFDu5XqhrxPPI1DgJr7GPpbwrpQQW22Nj7fsBc5M5YKG8g0EceNQ_b3d-RPhk6RSQgGCqvaVzzWSIQw=@protonmail.com> + + +Below is a patch for 6.12.58+ and 6.17.8+ stable branches only. +Upstream does not need this. + +Signed-off-by: Jari Ruusu +Fixes: da7e8b382396 ("tty/vt: Add missing return value for VT_RESIZE in vt_ioctl()") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt_ioctl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -924,8 +924,10 @@ int vt_ioctl(struct tty_struct *tty, + if (vc) { + /* FIXME: review v tty lock */ + ret = __vc_resize(vc_cons[i].d, cc, ll, true); +- if (ret) ++ if (ret) { ++ console_unlock(); + return ret; ++ } + } + } + console_unlock(); diff --git a/queue-6.12/xfs-fix-out-of-bounds-memory-read-error-in-symlink-repair.patch b/queue-6.12/xfs-fix-out-of-bounds-memory-read-error-in-symlink-repair.patch new file mode 100644 index 0000000000..c2d3d1129a --- /dev/null +++ b/queue-6.12/xfs-fix-out-of-bounds-memory-read-error-in-symlink-repair.patch @@ -0,0 +1,92 @@ +From stable+bounces-196777-greg=kroah.com@vger.kernel.org Mon Nov 24 18:56:19 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 12:56:06 -0500 +Subject: xfs: fix out of bounds memory read error in symlink repair +To: stable@vger.kernel.org +Cc: "Darrick J. Wong" , Christoph Hellwig , Carlos Maiolino , Sasha Levin +Message-ID: <20251124175606.4173445-2-sashal@kernel.org> + +From: "Darrick J. Wong" + +[ Upstream commit 678e1cc2f482e0985a0613ab4a5bf89c497e5acc ] + +xfs/286 produced this report on my test fleet: + + ================================================================== + BUG: KFENCE: out-of-bounds read in memcpy_orig+0x54/0x110 + + Out-of-bounds read at 0xffff88843fe9e038 (184B right of kfence-#184): + memcpy_orig+0x54/0x110 + xrep_symlink_salvage_inline+0xb3/0xf0 [xfs] + xrep_symlink_salvage+0x100/0x110 [xfs] + xrep_symlink+0x2e/0x80 [xfs] + xrep_attempt+0x61/0x1f0 [xfs] + xfs_scrub_metadata+0x34f/0x5c0 [xfs] + xfs_ioc_scrubv_metadata+0x387/0x560 [xfs] + xfs_file_ioctl+0xe23/0x10e0 [xfs] + __x64_sys_ioctl+0x76/0xc0 + do_syscall_64+0x4e/0x1e0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + + kfence-#184: 0xffff88843fe9df80-0xffff88843fe9dfea, size=107, cache=kmalloc-128 + + allocated by task 3470 on cpu 1 at 263329.131592s (192823.508886s ago): + xfs_init_local_fork+0x79/0xe0 [xfs] + xfs_iformat_local+0xa4/0x170 [xfs] + xfs_iformat_data_fork+0x148/0x180 [xfs] + xfs_inode_from_disk+0x2cd/0x480 [xfs] + xfs_iget+0x450/0xd60 [xfs] + xfs_bulkstat_one_int+0x6b/0x510 [xfs] + xfs_bulkstat_iwalk+0x1e/0x30 [xfs] + xfs_iwalk_ag_recs+0xdf/0x150 [xfs] + xfs_iwalk_run_callbacks+0xb9/0x190 [xfs] + xfs_iwalk_ag+0x1dc/0x2f0 [xfs] + xfs_iwalk_args.constprop.0+0x6a/0x120 [xfs] + xfs_iwalk+0xa4/0xd0 [xfs] + xfs_bulkstat+0xfa/0x170 [xfs] + xfs_ioc_fsbulkstat.isra.0+0x13a/0x230 [xfs] + xfs_file_ioctl+0xbf2/0x10e0 [xfs] + __x64_sys_ioctl+0x76/0xc0 + do_syscall_64+0x4e/0x1e0 + entry_SYSCALL_64_after_hwframe+0x4b/0x53 + + CPU: 1 UID: 0 PID: 1300113 Comm: xfs_scrub Not tainted 6.18.0-rc4-djwx #rc4 PREEMPT(lazy) 3d744dd94e92690f00a04398d2bd8631dcef1954 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-4.module+el8.8.0+21164+ed375313 04/01/2014 + ================================================================== + +On further analysis, I realized that the second parameter to min() is +not correct. xfs_ifork::if_bytes is the size of the xfs_ifork::if_data +buffer. if_bytes can be smaller than the data fork size because: + +(a) the forkoff code tries to keep the data area as large as possible +(b) for symbolic links, if_bytes is the ondisk file size + 1 +(c) forkoff is always a multiple of 8. + +Case in point: for a single-byte symlink target, forkoff will be +8 but the buffer will only be 2 bytes long. + +In other words, the logic here is wrong and we walk off the end of the +incore buffer. Fix that. + +Cc: stable@vger.kernel.org # v6.10 +Fixes: 2651923d8d8db0 ("xfs: online repair of symbolic links") +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Carlos Maiolino +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/scrub/symlink_repair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/xfs/scrub/symlink_repair.c ++++ b/fs/xfs/scrub/symlink_repair.c +@@ -184,7 +184,7 @@ xrep_symlink_salvage_inline( + sc->ip->i_disk_size == 1 && old_target[0] == '?') + return 0; + +- nr = min(XFS_SYMLINK_MAXLEN, xfs_inode_data_fork_size(ip)); ++ nr = min(XFS_SYMLINK_MAXLEN, ifp->if_bytes); + memcpy(target_buf, ifp->if_data, nr); + return nr; + } diff --git a/queue-6.12/xfs-replace-strncpy-with-memcpy.patch b/queue-6.12/xfs-replace-strncpy-with-memcpy.patch new file mode 100644 index 0000000000..ea37ecf5a3 --- /dev/null +++ b/queue-6.12/xfs-replace-strncpy-with-memcpy.patch @@ -0,0 +1,41 @@ +From stable+bounces-196778-greg=kroah.com@vger.kernel.org Mon Nov 24 18:56:18 2025 +From: Sasha Levin +Date: Mon, 24 Nov 2025 12:56:05 -0500 +Subject: xfs: Replace strncpy with memcpy +To: stable@vger.kernel.org +Cc: Marcelo Moreira , Dave Chinner , Christoph Hellwig , Carlos Maiolino , "Darrick J. Wong" , Carlos Maiolino , Sasha Levin +Message-ID: <20251124175606.4173445-1-sashal@kernel.org> + +From: Marcelo Moreira + +[ Upstream commit 33ddc796ecbd50cd6211aa9e9eddbf4567038b49 ] + +The changes modernizes the code by aligning it with current kernel best +practices. It improves code clarity and consistency, as strncpy is deprecated +as explained in Documentation/process/deprecated.rst. This change does +not alter the functionality or introduce any behavioral changes. + +Suggested-by: Dave Chinner +Reviewed-by: Christoph Hellwig +Reviewed-by: Carlos Maiolino +Signed-off-by: Marcelo Moreira +Reviewed-by: Darrick J. Wong +Signed-off-by: Carlos Maiolino +Stable-dep-of: 678e1cc2f482 ("xfs: fix out of bounds memory read error in symlink repair") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/scrub/symlink_repair.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/xfs/scrub/symlink_repair.c ++++ b/fs/xfs/scrub/symlink_repair.c +@@ -185,7 +185,7 @@ xrep_symlink_salvage_inline( + return 0; + + nr = min(XFS_SYMLINK_MAXLEN, xfs_inode_data_fork_size(ip)); +- strncpy(target_buf, ifp->if_data, nr); ++ memcpy(target_buf, ifp->if_data, nr); + return nr; + } + -- 2.47.3