--- /dev/null
+From 11f7dcc1e1586e77e7a84eca6d5092d46fff4045 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Sep 2025 13:18:22 -0700
+Subject: crypto: af_alg - Fix incorrect boolean values in af_alg_ctx
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+[ Upstream commit d0ca0df179c4b21e2a6c4a4fb637aa8fa14575cb ]
+
+Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in
+af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of
+type u32.
+
+However, some assignments to these fields, specifically 'more' and
+'merge', assign values greater than 1. These relied on C's implicit
+conversion to bool, such that zero becomes false and nonzero becomes
+true.
+
+With a 1-bit bitfields of type u32 instead, mod 2 of the value is taken
+instead, resulting in 0 being assigned in some cases when 1 was intended.
+
+Fix this by restoring the bool type.
+
+Fixes: 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/crypto/if_alg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
+index 1424200fe88cf..9af84cad92e93 100644
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -152,7 +152,7 @@ struct af_alg_ctx {
+ size_t used;
+ atomic_t rcvused;
+
+- u32 more:1,
++ bool more:1,
+ merge:1,
+ enc:1,
+ write:1,
+--
+2.51.0
+
nexthop-forbid-fdb-status-change-while-nexthop-is-in.patch
selftests-fib_nexthops-fix-creation-of-non-fdb-nexth.patch
drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
+crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
--- /dev/null
+From a0ddff2135c35bacd4f0c6c927d5d3188e14dfb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Sep 2025 17:20:59 +0800
+Subject: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+[ Upstream commit 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 ]
+
+Issuing two writes to the same af_alg socket is bogus as the
+data will be interleaved in an unpredictable fashion. Furthermore,
+concurrent writes may create inconsistencies in the internal
+socket state.
+
+Disallow this by adding a new ctx->write field that indiciates
+exclusive ownership for writing.
+
+Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations")
+Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
+Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/af_alg.c | 7 +++++++
+ include/crypto/if_alg.h | 10 ++++++----
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index aa93501e27b95..24c273f53e90a 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -862,6 +862,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
+ }
+
+ lock_sock(sk);
++ if (ctx->write) {
++ release_sock(sk);
++ return -EBUSY;
++ }
++ ctx->write = true;
++
+ if (ctx->init && !ctx->more) {
+ if (ctx->used) {
+ err = -EINVAL;
+@@ -969,6 +975,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
+
+ unlock:
+ af_alg_data_wakeup(sk);
++ ctx->write = false;
+ release_sock(sk);
+
+ return copied ?: err;
+diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
+index a406e281ae571..1424200fe88cf 100644
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -136,6 +136,7 @@ struct af_alg_async_req {
+ * SG?
+ * @enc: Cryptographic operation to be performed when
+ * recvmsg is invoked.
++ * @write: True if we are in the middle of a write.
+ * @init: True if metadata has been sent.
+ * @len: Length of memory allocated for this data structure.
+ * @inflight: Non-zero when AIO requests are in flight.
+@@ -151,10 +152,11 @@ struct af_alg_ctx {
+ size_t used;
+ atomic_t rcvused;
+
+- bool more;
+- bool merge;
+- bool enc;
+- bool init;
++ u32 more:1,
++ merge:1,
++ enc:1,
++ write:1,
++ init:1;
+
+ unsigned int len;
+
+--
+2.51.0
+
--- /dev/null
+From b8b54273ecac70294fde1c39531eec4b52ccb6f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Sep 2025 13:18:22 -0700
+Subject: crypto: af_alg - Fix incorrect boolean values in af_alg_ctx
+
+From: Eric Biggers <ebiggers@kernel.org>
+
+[ Upstream commit d0ca0df179c4b21e2a6c4a4fb637aa8fa14575cb ]
+
+Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in
+af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of
+type u32.
+
+However, some assignments to these fields, specifically 'more' and
+'merge', assign values greater than 1. These relied on C's implicit
+conversion to bool, such that zero becomes false and nonzero becomes
+true.
+
+With a 1-bit bitfields of type u32 instead, mod 2 of the value is taken
+instead, resulting in 0 being assigned in some cases when 1 was intended.
+
+Fix this by restoring the bool type.
+
+Fixes: 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@kernel.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/crypto/if_alg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
+index 1424200fe88cf..9af84cad92e93 100644
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -152,7 +152,7 @@ struct af_alg_ctx {
+ size_t used;
+ atomic_t rcvused;
+
+- u32 more:1,
++ bool more:1,
+ merge:1,
+ enc:1,
+ write:1,
+--
+2.51.0
+
net-dsa-lantiq_gswip-move-gswip_add_single_port_br-c.patch
net-dsa-lantiq_gswip-suppress-einval-errors-for-brid.patch
drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
+crypto-af_alg-disallow-concurrent-writes-in-af_alg_s.patch
+crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
--- /dev/null
+From b134ca709d940e6128a4f58db107ed8fbd24db5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Sep 2025 11:43:00 -0400
+Subject: Revert "drm/xe/guc: Enable extended CAT error reporting"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit a7ffcea8631af91479cab10aa7fbfd0722f01d9a.
+
+Reported-by: Iyán Méndez Veiga <me@iyanmv.com>
+Link: https://lore.kernel.org/stable/aNlW7ekiC0dNPxU3@laps/T/#t
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/abi/guc_actions_abi.h | 4 --
+ drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 15 -------
+ drivers/gpu/drm/xe/xe_guc.c | 56 ------------------------
+ drivers/gpu/drm/xe/xe_guc.h | 1 -
+ drivers/gpu/drm/xe/xe_guc_submit.c | 21 ++-------
+ drivers/gpu/drm/xe/xe_uc.c | 4 --
+ 6 files changed, 3 insertions(+), 98 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/abi/guc_actions_abi.h b/drivers/gpu/drm/xe/abi/guc_actions_abi.h
+index b55d4cfb483a1..448afb86e05c7 100644
+--- a/drivers/gpu/drm/xe/abi/guc_actions_abi.h
++++ b/drivers/gpu/drm/xe/abi/guc_actions_abi.h
+@@ -142,7 +142,6 @@ enum xe_guc_action {
+ XE_GUC_ACTION_SET_ENG_UTIL_BUFF = 0x550A,
+ XE_GUC_ACTION_SET_DEVICE_ENGINE_ACTIVITY_BUFFER = 0x550C,
+ XE_GUC_ACTION_SET_FUNCTION_ENGINE_ACTIVITY_BUFFER = 0x550D,
+- XE_GUC_ACTION_OPT_IN_FEATURE_KLV = 0x550E,
+ XE_GUC_ACTION_NOTIFY_MEMORY_CAT_ERROR = 0x6000,
+ XE_GUC_ACTION_REPORT_PAGE_FAULT_REQ_DESC = 0x6002,
+ XE_GUC_ACTION_PAGE_FAULT_RES_DESC = 0x6003,
+@@ -241,7 +240,4 @@ enum xe_guc_g2g_type {
+ #define XE_G2G_DEREGISTER_TILE REG_GENMASK(15, 12)
+ #define XE_G2G_DEREGISTER_TYPE REG_GENMASK(11, 8)
+
+-/* invalid type for XE_GUC_ACTION_NOTIFY_MEMORY_CAT_ERROR */
+-#define XE_GUC_CAT_ERR_TYPE_INVALID 0xdeadbeef
+-
+ #endif
+diff --git a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+index 5b2502bec2dcc..7de8f827281fc 100644
+--- a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
++++ b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+@@ -16,7 +16,6 @@
+ * +===+=======+==============================================================+
+ * | 0 | 31:16 | **KEY** - KLV key identifier |
+ * | | | - `GuC Self Config KLVs`_ |
+- * | | | - `GuC Opt In Feature KLVs`_ |
+ * | | | - `GuC VGT Policy KLVs`_ |
+ * | | | - `GuC VF Configuration KLVs`_ |
+ * | | | |
+@@ -125,20 +124,6 @@ enum {
+ GUC_CONTEXT_POLICIES_KLV_NUM_IDS = 5,
+ };
+
+-/**
+- * DOC: GuC Opt In Feature KLVs
+- *
+- * `GuC KLV`_ keys available for use with OPT_IN_FEATURE_KLV
+- *
+- * _`GUC_KLV_OPT_IN_FEATURE_EXT_CAT_ERR_TYPE` : 0x4001
+- * Adds an extra dword to the XE_GUC_ACTION_NOTIFY_MEMORY_CAT_ERROR G2H
+- * containing the type of the CAT error. On HW that does not support
+- * reporting the CAT error type, the extra dword is set to 0xdeadbeef.
+- */
+-
+-#define GUC_KLV_OPT_IN_FEATURE_EXT_CAT_ERR_TYPE_KEY 0x4001
+-#define GUC_KLV_OPT_IN_FEATURE_EXT_CAT_ERR_TYPE_LEN 0u
+-
+ /**
+ * DOC: GuC VGT Policy KLVs
+ *
+diff --git a/drivers/gpu/drm/xe/xe_guc.c b/drivers/gpu/drm/xe/xe_guc.c
+index 2efc0298e1a4c..bac5471a1a780 100644
+--- a/drivers/gpu/drm/xe/xe_guc.c
++++ b/drivers/gpu/drm/xe/xe_guc.c
+@@ -29,7 +29,6 @@
+ #include "xe_guc_db_mgr.h"
+ #include "xe_guc_engine_activity.h"
+ #include "xe_guc_hwconfig.h"
+-#include "xe_guc_klv_helpers.h"
+ #include "xe_guc_log.h"
+ #include "xe_guc_pc.h"
+ #include "xe_guc_relay.h"
+@@ -571,57 +570,6 @@ static int guc_g2g_start(struct xe_guc *guc)
+ return err;
+ }
+
+-static int __guc_opt_in_features_enable(struct xe_guc *guc, u64 addr, u32 num_dwords)
+-{
+- u32 action[] = {
+- XE_GUC_ACTION_OPT_IN_FEATURE_KLV,
+- lower_32_bits(addr),
+- upper_32_bits(addr),
+- num_dwords
+- };
+-
+- return xe_guc_ct_send_block(&guc->ct, action, ARRAY_SIZE(action));
+-}
+-
+-#define OPT_IN_MAX_DWORDS 16
+-int xe_guc_opt_in_features_enable(struct xe_guc *guc)
+-{
+- struct xe_device *xe = guc_to_xe(guc);
+- CLASS(xe_guc_buf, buf)(&guc->buf, OPT_IN_MAX_DWORDS);
+- u32 count = 0;
+- u32 *klvs;
+- int ret;
+-
+- if (!xe_guc_buf_is_valid(buf))
+- return -ENOBUFS;
+-
+- klvs = xe_guc_buf_cpu_ptr(buf);
+-
+- /*
+- * The extra CAT error type opt-in was added in GuC v70.17.0, which maps
+- * to compatibility version v1.7.0.
+- * Note that the GuC allows enabling this KLV even on platforms that do
+- * not support the extra type; in such case the returned type variable
+- * will be set to a known invalid value which we can check against.
+- */
+- if (GUC_SUBMIT_VER(guc) >= MAKE_GUC_VER(1, 7, 0))
+- klvs[count++] = PREP_GUC_KLV_TAG(OPT_IN_FEATURE_EXT_CAT_ERR_TYPE);
+-
+- if (count) {
+- xe_assert(xe, count <= OPT_IN_MAX_DWORDS);
+-
+- ret = __guc_opt_in_features_enable(guc, xe_guc_buf_flush(buf), count);
+- if (ret < 0) {
+- xe_gt_err(guc_to_gt(guc),
+- "failed to enable GuC opt-in features: %pe\n",
+- ERR_PTR(ret));
+- return ret;
+- }
+- }
+-
+- return 0;
+-}
+-
+ static void guc_fini_hw(void *arg)
+ {
+ struct xe_guc *guc = arg;
+@@ -815,10 +763,6 @@ int xe_guc_post_load_init(struct xe_guc *guc)
+
+ xe_guc_ads_populate_post_load(&guc->ads);
+
+- ret = xe_guc_opt_in_features_enable(guc);
+- if (ret)
+- return ret;
+-
+ if (xe_guc_g2g_wanted(guc_to_xe(guc))) {
+ ret = guc_g2g_start(guc);
+ if (ret)
+diff --git a/drivers/gpu/drm/xe/xe_guc.h b/drivers/gpu/drm/xe/xe_guc.h
+index 4a66575f017d2..58338be445585 100644
+--- a/drivers/gpu/drm/xe/xe_guc.h
++++ b/drivers/gpu/drm/xe/xe_guc.h
+@@ -33,7 +33,6 @@ int xe_guc_reset(struct xe_guc *guc);
+ int xe_guc_upload(struct xe_guc *guc);
+ int xe_guc_min_load_for_hwconfig(struct xe_guc *guc);
+ int xe_guc_enable_communication(struct xe_guc *guc);
+-int xe_guc_opt_in_features_enable(struct xe_guc *guc);
+ int xe_guc_suspend(struct xe_guc *guc);
+ void xe_guc_notify(struct xe_guc *guc);
+ int xe_guc_auth_huc(struct xe_guc *guc, u32 rsa_addr);
+diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c
+index e670dcb0f0932..45a21af126927 100644
+--- a/drivers/gpu/drm/xe/xe_guc_submit.c
++++ b/drivers/gpu/drm/xe/xe_guc_submit.c
+@@ -2088,16 +2088,12 @@ int xe_guc_exec_queue_memory_cat_error_handler(struct xe_guc *guc, u32 *msg,
+ struct xe_gt *gt = guc_to_gt(guc);
+ struct xe_exec_queue *q;
+ u32 guc_id;
+- u32 type = XE_GUC_CAT_ERR_TYPE_INVALID;
+
+- if (unlikely(!len || len > 2))
++ if (unlikely(len < 1))
+ return -EPROTO;
+
+ guc_id = msg[0];
+
+- if (len == 2)
+- type = msg[1];
+-
+ if (guc_id == GUC_ID_UNKNOWN) {
+ /*
+ * GuC uses GUC_ID_UNKNOWN if it can not map the CAT fault to any PF/VF
+@@ -2111,19 +2107,8 @@ int xe_guc_exec_queue_memory_cat_error_handler(struct xe_guc *guc, u32 *msg,
+ if (unlikely(!q))
+ return -EPROTO;
+
+- /*
+- * The type is HW-defined and changes based on platform, so we don't
+- * decode it in the kernel and only check if it is valid.
+- * See bspec 54047 and 72187 for details.
+- */
+- if (type != XE_GUC_CAT_ERR_TYPE_INVALID)
+- xe_gt_dbg(gt,
+- "Engine memory CAT error [%u]: class=%s, logical_mask: 0x%x, guc_id=%d",
+- type, xe_hw_engine_class_to_str(q->class), q->logical_mask, guc_id);
+- else
+- xe_gt_dbg(gt,
+- "Engine memory CAT error: class=%s, logical_mask: 0x%x, guc_id=%d",
+- xe_hw_engine_class_to_str(q->class), q->logical_mask, guc_id);
++ xe_gt_dbg(gt, "Engine memory cat error: engine_class=%s, logical_mask: 0x%x, guc_id=%d",
++ xe_hw_engine_class_to_str(q->class), q->logical_mask, guc_id);
+
+ trace_xe_exec_queue_memory_cat_error(q);
+
+diff --git a/drivers/gpu/drm/xe/xe_uc.c b/drivers/gpu/drm/xe/xe_uc.c
+index 5c45b0f072a4c..3a8751a8b92dd 100644
+--- a/drivers/gpu/drm/xe/xe_uc.c
++++ b/drivers/gpu/drm/xe/xe_uc.c
+@@ -165,10 +165,6 @@ static int vf_uc_init_hw(struct xe_uc *uc)
+
+ uc->guc.submission_state.enabled = true;
+
+- err = xe_guc_opt_in_features_enable(&uc->guc);
+- if (err)
+- return err;
+-
+ err = xe_gt_record_default_lrcs(uc_to_gt(uc));
+ if (err)
+ return err;
+--
+2.51.0
+
--- /dev/null
+From 70df422cf4da503ae2d7f4b0bba8498b230be42c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Sep 2025 11:41:33 -0400
+Subject: Revert "drm/xe/guc: Set RCS/CCS yield policy"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit dd1a415dcfd5984bf83abd804c3cd9e0ff9dde30.
+
+Reported-by: Iyán Méndez Veiga <me@iyanmv.com>
+Link: https://lore.kernel.org/stable/aNlW7ekiC0dNPxU3@laps/T/#t
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/abi/guc_actions_abi.h | 1 -
+ drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 25 ---------
+ drivers/gpu/drm/xe/xe_gt.c | 3 +-
+ drivers/gpu/drm/xe/xe_guc.c | 6 ++-
+ drivers/gpu/drm/xe/xe_guc_submit.c | 66 ------------------------
+ drivers/gpu/drm/xe/xe_guc_submit.h | 2 -
+ 6 files changed, 5 insertions(+), 98 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/abi/guc_actions_abi.h b/drivers/gpu/drm/xe/abi/guc_actions_abi.h
+index 4d9896e14649c..b55d4cfb483a1 100644
+--- a/drivers/gpu/drm/xe/abi/guc_actions_abi.h
++++ b/drivers/gpu/drm/xe/abi/guc_actions_abi.h
+@@ -117,7 +117,6 @@ enum xe_guc_action {
+ XE_GUC_ACTION_ENTER_S_STATE = 0x501,
+ XE_GUC_ACTION_EXIT_S_STATE = 0x502,
+ XE_GUC_ACTION_GLOBAL_SCHED_POLICY_CHANGE = 0x506,
+- XE_GUC_ACTION_UPDATE_SCHEDULING_POLICIES_KLV = 0x509,
+ XE_GUC_ACTION_SCHED_CONTEXT = 0x1000,
+ XE_GUC_ACTION_SCHED_CONTEXT_MODE_SET = 0x1001,
+ XE_GUC_ACTION_SCHED_CONTEXT_MODE_DONE = 0x1002,
+diff --git a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+index 89034bc97ec5a..5b2502bec2dcc 100644
+--- a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
++++ b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+@@ -17,7 +17,6 @@
+ * | 0 | 31:16 | **KEY** - KLV key identifier |
+ * | | | - `GuC Self Config KLVs`_ |
+ * | | | - `GuC Opt In Feature KLVs`_ |
+- * | | | - `GuC Scheduling Policies KLVs`_ |
+ * | | | - `GuC VGT Policy KLVs`_ |
+ * | | | - `GuC VF Configuration KLVs`_ |
+ * | | | |
+@@ -140,30 +139,6 @@ enum {
+ #define GUC_KLV_OPT_IN_FEATURE_EXT_CAT_ERR_TYPE_KEY 0x4001
+ #define GUC_KLV_OPT_IN_FEATURE_EXT_CAT_ERR_TYPE_LEN 0u
+
+-/**
+- * DOC: GuC Scheduling Policies KLVs
+- *
+- * `GuC KLV`_ keys available for use with UPDATE_SCHEDULING_POLICIES_KLV.
+- *
+- * _`GUC_KLV_SCHEDULING_POLICIES_RENDER_COMPUTE_YIELD` : 0x1001
+- * Some platforms do not allow concurrent execution of RCS and CCS
+- * workloads from different address spaces. By default, the GuC prioritizes
+- * RCS submissions over CCS ones, which can lead to CCS workloads being
+- * significantly (or completely) starved of execution time. This KLV allows
+- * the driver to specify a quantum (in ms) and a ratio (percentage value
+- * between 0 and 100), and the GuC will prioritize the CCS for that
+- * percentage of each quantum. For example, specifying 100ms and 30% will
+- * make the GuC prioritize the CCS for 30ms of every 100ms.
+- * Note that this does not necessarly mean that RCS and CCS engines will
+- * only be active for their percentage of the quantum, as the restriction
+- * only kicks in if both classes are fully busy with non-compatible address
+- * spaces; i.e., if one engine is idle or running the same address space,
+- * a pending job on the other engine will still be submitted to the HW no
+- * matter what the ratio is
+- */
+-#define GUC_KLV_SCHEDULING_POLICIES_RENDER_COMPUTE_YIELD_KEY 0x1001
+-#define GUC_KLV_SCHEDULING_POLICIES_RENDER_COMPUTE_YIELD_LEN 2u
+-
+ /**
+ * DOC: GuC VGT Policy KLVs
+ *
+diff --git a/drivers/gpu/drm/xe/xe_gt.c b/drivers/gpu/drm/xe/xe_gt.c
+index eaf7569a7c1d1..e3517ce2e18c1 100644
+--- a/drivers/gpu/drm/xe/xe_gt.c
++++ b/drivers/gpu/drm/xe/xe_gt.c
+@@ -41,7 +41,6 @@
+ #include "xe_gt_topology.h"
+ #include "xe_guc_exec_queue_types.h"
+ #include "xe_guc_pc.h"
+-#include "xe_guc_submit.h"
+ #include "xe_hw_fence.h"
+ #include "xe_hw_engine_class_sysfs.h"
+ #include "xe_irq.h"
+@@ -98,7 +97,7 @@ void xe_gt_sanitize(struct xe_gt *gt)
+ * FIXME: if xe_uc_sanitize is called here, on TGL driver will not
+ * reload
+ */
+- xe_guc_submit_disable(>->uc.guc);
++ gt->uc.guc.submission_state.enabled = false;
+ }
+
+ static void xe_gt_enable_host_l2_vram(struct xe_gt *gt)
+diff --git a/drivers/gpu/drm/xe/xe_guc.c b/drivers/gpu/drm/xe/xe_guc.c
+index b9d21fdaad48b..2efc0298e1a4c 100644
+--- a/drivers/gpu/drm/xe/xe_guc.c
++++ b/drivers/gpu/drm/xe/xe_guc.c
+@@ -825,7 +825,9 @@ int xe_guc_post_load_init(struct xe_guc *guc)
+ return ret;
+ }
+
+- return xe_guc_submit_enable(guc);
++ guc->submission_state.enabled = true;
++
++ return 0;
+ }
+
+ int xe_guc_reset(struct xe_guc *guc)
+@@ -1519,7 +1521,7 @@ void xe_guc_sanitize(struct xe_guc *guc)
+ {
+ xe_uc_fw_sanitize(&guc->fw);
+ xe_guc_ct_disable(&guc->ct);
+- xe_guc_submit_disable(guc);
++ guc->submission_state.enabled = false;
+ }
+
+ int xe_guc_reset_prepare(struct xe_guc *guc)
+diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c
+index 18ddbb7b98a15..e670dcb0f0932 100644
+--- a/drivers/gpu/drm/xe/xe_guc_submit.c
++++ b/drivers/gpu/drm/xe/xe_guc_submit.c
+@@ -32,7 +32,6 @@
+ #include "xe_guc_ct.h"
+ #include "xe_guc_exec_queue_types.h"
+ #include "xe_guc_id_mgr.h"
+-#include "xe_guc_klv_helpers.h"
+ #include "xe_guc_submit_types.h"
+ #include "xe_hw_engine.h"
+ #include "xe_hw_fence.h"
+@@ -317,71 +316,6 @@ int xe_guc_submit_init(struct xe_guc *guc, unsigned int num_ids)
+ return drmm_add_action_or_reset(&xe->drm, guc_submit_fini, guc);
+ }
+
+-/*
+- * Given that we want to guarantee enough RCS throughput to avoid missing
+- * frames, we set the yield policy to 20% of each 80ms interval.
+- */
+-#define RC_YIELD_DURATION 80 /* in ms */
+-#define RC_YIELD_RATIO 20 /* in percent */
+-static u32 *emit_render_compute_yield_klv(u32 *emit)
+-{
+- *emit++ = PREP_GUC_KLV_TAG(SCHEDULING_POLICIES_RENDER_COMPUTE_YIELD);
+- *emit++ = RC_YIELD_DURATION;
+- *emit++ = RC_YIELD_RATIO;
+-
+- return emit;
+-}
+-
+-#define SCHEDULING_POLICY_MAX_DWORDS 16
+-static int guc_init_global_schedule_policy(struct xe_guc *guc)
+-{
+- u32 data[SCHEDULING_POLICY_MAX_DWORDS];
+- u32 *emit = data;
+- u32 count = 0;
+- int ret;
+-
+- if (GUC_SUBMIT_VER(guc) < MAKE_GUC_VER(1, 1, 0))
+- return 0;
+-
+- *emit++ = XE_GUC_ACTION_UPDATE_SCHEDULING_POLICIES_KLV;
+-
+- if (CCS_MASK(guc_to_gt(guc)))
+- emit = emit_render_compute_yield_klv(emit);
+-
+- count = emit - data;
+- if (count > 1) {
+- xe_assert(guc_to_xe(guc), count <= SCHEDULING_POLICY_MAX_DWORDS);
+-
+- ret = xe_guc_ct_send_block(&guc->ct, data, count);
+- if (ret < 0) {
+- xe_gt_err(guc_to_gt(guc),
+- "failed to enable GuC sheduling policies: %pe\n",
+- ERR_PTR(ret));
+- return ret;
+- }
+- }
+-
+- return 0;
+-}
+-
+-int xe_guc_submit_enable(struct xe_guc *guc)
+-{
+- int ret;
+-
+- ret = guc_init_global_schedule_policy(guc);
+- if (ret)
+- return ret;
+-
+- guc->submission_state.enabled = true;
+-
+- return 0;
+-}
+-
+-void xe_guc_submit_disable(struct xe_guc *guc)
+-{
+- guc->submission_state.enabled = false;
+-}
+-
+ static void __release_guc_id(struct xe_guc *guc, struct xe_exec_queue *q, u32 xa_count)
+ {
+ int i;
+diff --git a/drivers/gpu/drm/xe/xe_guc_submit.h b/drivers/gpu/drm/xe/xe_guc_submit.h
+index 0d126b807c104..9b71a986c6ca6 100644
+--- a/drivers/gpu/drm/xe/xe_guc_submit.h
++++ b/drivers/gpu/drm/xe/xe_guc_submit.h
+@@ -13,8 +13,6 @@ struct xe_exec_queue;
+ struct xe_guc;
+
+ int xe_guc_submit_init(struct xe_guc *guc, unsigned int num_ids);
+-int xe_guc_submit_enable(struct xe_guc *guc);
+-void xe_guc_submit_disable(struct xe_guc *guc);
+
+ int xe_guc_submit_reset_prepare(struct xe_guc *guc);
+ void xe_guc_submit_reset_wait(struct xe_guc *guc);
+--
+2.51.0
+
drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch
platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch
smb-client-fix-wrong-index-reference-in-smb2_compoun.patch
+revert-drm-xe-guc-set-rcs-ccs-yield-policy.patch
+revert-drm-xe-guc-enable-extended-cat-error-reportin.patch
+tracing-osnoise-fix-slab-out-of-bounds-in-_parse_int.patch
--- /dev/null
+From b206097d2a7202c318311ccbe17dc82baec7992a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Sep 2025 14:39:48 +0800
+Subject: tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()
+
+From: Wang Liang <wangliang74@huawei.com>
+
+[ Upstream commit a2501032de0d1bc7971b2e43c03da534ac10ee9b ]
+
+When config osnoise cpus by write() syscall, the following KASAN splat may
+be observed:
+
+BUG: KASAN: slab-out-of-bounds in _parse_integer_limit+0x103/0x130
+Read of size 1 at addr ffff88810121e3a1 by task test/447
+CPU: 1 UID: 0 PID: 447 Comm: test Not tainted 6.17.0-rc6-dirty #288 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x55/0x70
+ print_report+0xcb/0x610
+ kasan_report+0xb8/0xf0
+ _parse_integer_limit+0x103/0x130
+ bitmap_parselist+0x16d/0x6f0
+ osnoise_cpus_write+0x116/0x2d0
+ vfs_write+0x21e/0xcc0
+ ksys_write+0xee/0x1c0
+ do_syscall_64+0xa8/0x2a0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+This issue can be reproduced by below code:
+
+const char *cpulist = "1";
+int fd=open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY);
+write(fd, cpulist, strlen(cpulist));
+
+Function bitmap_parselist() was called to parse cpulist, it require that
+the parameter 'buf' must be terminated with a '\0' or '\n'. Fix this issue
+by adding a '\0' to 'buf' in osnoise_cpus_write().
+
+Cc: <mhiramat@kernel.org>
+Cc: <mathieu.desnoyers@efficios.com>
+Cc: <tglozar@redhat.com>
+Link: https://lore.kernel.org/20250916063948.3154627-1-wangliang74@huawei.com
+Fixes: 17f89102fe23 ("tracing/osnoise: Allow arbitrarily long CPU string")
+Signed-off-by: Wang Liang <wangliang74@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_osnoise.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c
+index 337bc0eb5d71b..dc734867f0fc4 100644
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -2325,12 +2325,13 @@ osnoise_cpus_write(struct file *filp, const char __user *ubuf, size_t count,
+ if (count < 1)
+ return 0;
+
+- buf = kmalloc(count, GFP_KERNEL);
++ buf = kmalloc(count + 1, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ if (copy_from_user(buf, ubuf, count))
+ return -EFAULT;
++ buf[count] = '\0';
+
+ if (!zalloc_cpumask_var(&osnoise_cpumask_new, GFP_KERNEL))
+ return -ENOMEM;
+--
+2.51.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
