--- /dev/null
+From cf6b604011591865ae39ac82de8978c1120d17af Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 6 May 2026 22:20:51 +0200
+Subject: batman-adv: bla: only purge non-released claims
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit cf6b604011591865ae39ac82de8978c1120d17af upstream.
+
+When batadv_bla_purge_claims() goes through the list of claims, it is only
+traversing the hash list with an rcu_read_lock(). Due to a potential
+parallel batadv_claim_put(), it can happen that it encounters a claim which
+was actually in the process of being released+freed by
+batadv_claim_release(). In this case, backbone_gw is set to NULL before the
+delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is
+then no longer allowed because it would cause a NULL-ptr derefence.
+
+To avoid this, only claims with a valid reference counter must be purged.
+All others are already taken care of.
+
+Cc: stable@kernel.org
+Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -1288,6 +1288,13 @@ static void batadv_bla_purge_claims(stru
+
+ rcu_read_lock();
+ hlist_for_each_entry_rcu(claim, head, hash_entry) {
++ /* only purge claims not currently in the process of being released.
++ * Such claims could otherwise have a NULL-ptr backbone_gw set because
++ * they already went through batadv_claim_release()
++ */
++ if (!kref_get_unless_zero(&claim->refcount))
++ continue;
++
+ backbone_gw = batadv_bla_claim_get_backbone_gw(claim);
+ if (now)
+ goto purge_now;
+@@ -1313,6 +1320,7 @@ purge_now:
+ claim->addr, claim->vid);
+ skip:
+ batadv_backbone_gw_put(backbone_gw);
++ batadv_claim_put(claim);
+ }
+ rcu_read_unlock();
+ }
--- /dev/null
+From 4ae1709a314060a196981b344610d023ea841e57 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 6 May 2026 22:20:50 +0200
+Subject: batman-adv: bla: prevent use-after-free when deleting claims
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 4ae1709a314060a196981b344610d023ea841e57 upstream.
+
+When batadv_bla_del_backbone_claims() removes all claims for a backbone, it
+does this by dropping the link entry in the hash list. This list entry
+itself was one of the references which need to be dropped at the same time
+via batadv_claim_put().
+
+But the batadv_claim_put() must not be done before the last access to the
+claim object in this function. Otherwise the claim might be freed already
+by the batadv_claim_release() function before the list entry was dropped.
+
+Cc: stable@kernel.org
+Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct ba
+ if (claim->backbone_gw != backbone_gw)
+ continue;
+
+- batadv_claim_put(claim);
+ hlist_del_rcu(&claim->hash_entry);
++ batadv_claim_put(claim);
+ }
+ spin_unlock_bh(list_lock);
+ }
--- /dev/null
+From ba9d20ee9076dac32c371116bacbe72480eb356c Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 6 May 2026 22:20:52 +0200
+Subject: batman-adv: bla: put backbone reference on failed claim hash insert
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit ba9d20ee9076dac32c371116bacbe72480eb356c upstream.
+
+When batadv_bla_add_claim() fails to insert a new claim into the hash, it
+leaked a reference to the backbone_gw for which the claim was intended.
+Call batadv_backbone_gw_put() on the error path to release the reference
+and avoid leaking the backbone_gw object.
+
+Cc: stable@kernel.org
+Fixes: 3db0decf1185 ("batman-adv: Fix non-atomic bla_claim::backbone_gw access")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bridge_loop_avoidance.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/batman-adv/bridge_loop_avoidance.c
++++ b/net/batman-adv/bridge_loop_avoidance.c
+@@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct
+
+ if (unlikely(hash_added != 0)) {
+ /* only local changes happened. */
++ batadv_backbone_gw_put(backbone_gw);
+ kfree(claim);
+ return;
+ }
--- /dev/null
+From 0799e5943611006b346b8813c7daf7dd5aa26bfd Mon Sep 17 00:00:00 2001
+From: Lyes Bourennani <lbourennani@fuzzinglabs.com>
+Date: Wed, 22 Apr 2026 00:20:22 +0200
+Subject: batman-adv: fix integer overflow on buff_pos
+
+From: Lyes Bourennani <lbourennani@fuzzinglabs.com>
+
+commit 0799e5943611006b346b8813c7daf7dd5aa26bfd upstream.
+
+Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size
+check is done using the int type in batadv_iv_ogm_aggr_packet whereas the
+buff_pos variable uses the s16 type. This could lead to an out-of-bound
+read.
+
+Cc: stable@vger.kernel.org
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Signed-off-by: Lyes Bourennani <lbourennani@fuzzinglabs.com>
+Signed-off-by: Alexis Pinson <apinson@fuzzinglabs.com>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -335,7 +335,7 @@ static void batadv_iv_ogm_send_to_if(str
+ struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+ const char *fwd_str;
+ u8 packet_num;
+- s16 buff_pos;
++ int buff_pos;
+ struct batadv_ogm_packet *batadv_ogm_packet;
+ struct sk_buff *skb;
+ u8 *packet_pos;
--- /dev/null
+From 3243543592425beec83d453793e9d27caa0d8e66 Mon Sep 17 00:00:00 2001
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+Date: Mon, 27 Apr 2026 14:43:33 +0800
+Subject: batman-adv: reject new tp_meter sessions during teardown
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+commit 3243543592425beec83d453793e9d27caa0d8e66 upstream.
+
+Prevent tp_meter from starting new sender or receiver sessions after
+mesh_state has left BATADV_MESH_ACTIVE.
+
+Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Co-developed-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Luxing Yin <tr0jan@lzu.edu.cn>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/tp_meter.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/tp_meter.c
++++ b/net/batman-adv/tp_meter.c
+@@ -947,6 +947,13 @@ void batadv_tp_start(struct batadv_priv
+
+ /* look for an already existing test towards this node */
+ spin_lock_bh(&bat_priv->tp_list_lock);
++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE) {
++ spin_unlock_bh(&bat_priv->tp_list_lock);
++ batadv_tp_batctl_error_notify(BATADV_TP_REASON_DST_UNREACHABLE,
++ dst, bat_priv, session_cookie);
++ return;
++ }
++
+ tp_vars = batadv_tp_list_find(bat_priv, dst);
+ if (tp_vars) {
+ spin_unlock_bh(&bat_priv->tp_list_lock);
+@@ -1329,9 +1336,12 @@ static struct batadv_tp_vars *
+ batadv_tp_init_recv(struct batadv_priv *bat_priv,
+ const struct batadv_icmp_tp_packet *icmp)
+ {
+- struct batadv_tp_vars *tp_vars;
++ struct batadv_tp_vars *tp_vars = NULL;
+
+ spin_lock_bh(&bat_priv->tp_list_lock);
++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE)
++ goto out_unlock;
++
+ tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig,
+ icmp->session);
+ if (tp_vars)
+@@ -1464,6 +1474,9 @@ void batadv_tp_meter_recv(struct batadv_
+ {
+ struct batadv_icmp_tp_packet *icmp;
+
++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE)
++ goto out;
++
+ icmp = (struct batadv_icmp_tp_packet *)skb->data;
+
+ switch (icmp->subtype) {
+@@ -1478,6 +1491,8 @@ void batadv_tp_meter_recv(struct batadv_
+ "Received unknown TP Metric packet type %u\n",
+ icmp->subtype);
+ }
++
++out:
+ consume_skb(skb);
+ }
+
--- /dev/null
+From f03e8583532941b07761c5429de7d50766fa3110 Mon Sep 17 00:00:00 2001
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+Date: Sun, 3 May 2026 12:28:58 +0800
+Subject: batman-adv: stop caching unowned originator pointers in BAT IV
+
+From: Jiexun Wang <wangjiexun2025@gmail.com>
+
+commit f03e8583532941b07761c5429de7d50766fa3110 upstream.
+
+BAT IV keeps the last-hop neighbor address in each neigh_node, but some
+paths also cache an originator pointer derived from a temporary lookup.
+That pointer is not owned by the neigh_node and may no longer refer to a
+live originator entry after purge handling runs.
+
+Stop storing the auxiliary originator pointer in the BAT IV neighbor
+state. When BAT IV needs the neighbor originator data, resolve it from
+the stored neighbor address and drop the reference again after use.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Cc: stable@kernel.org
+Reported-by: Yuan Tan <yuantan098@gmail.com>
+Reported-by: Yifan Wu <yifanwucs@gmail.com>
+Reported-by: Juefei Pu <tomapufckgml@gmail.com>
+Reported-by: Xin Liu <bird@lzu.edu.cn>
+Signed-off-by: Jiexun Wang <wangjiexun2025@gmail.com>
+Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
+[sven: avoid bonding logic for outgoing OGM]
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 83 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 59 insertions(+), 24 deletions(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -173,19 +173,12 @@ free_orig_node_hash:
+ static struct batadv_neigh_node *
+ batadv_iv_ogm_neigh_new(struct batadv_hard_iface *hard_iface,
+ const u8 *neigh_addr,
+- struct batadv_orig_node *orig_node,
+- struct batadv_orig_node *orig_neigh)
++ struct batadv_orig_node *orig_node)
+ {
+ struct batadv_neigh_node *neigh_node;
+
+ neigh_node = batadv_neigh_node_get_or_create(orig_node,
+ hard_iface, neigh_addr);
+- if (!neigh_node)
+- goto out;
+-
+- neigh_node->orig_node = orig_neigh;
+-
+-out:
+ return neigh_node;
+ }
+
+@@ -902,6 +895,31 @@ static u8 batadv_iv_orig_ifinfo_sum(stru
+ }
+
+ /**
++ * batadv_iv_ogm_neigh_ifinfo_sum() - Get bcast_own sum for a last-hop neighbor
++ * @bat_priv: the bat priv with all the mesh interface information
++ * @neigh_node: last-hop neighbor of an originator
++ *
++ * Return: Number of replied (rebroadcasted) OGMs for the originator currently
++ * announced by the neighbor. Returns 0 if the neighbor's originator entry is
++ * not available anymore.
++ */
++static u8 batadv_iv_ogm_neigh_ifinfo_sum(struct batadv_priv *bat_priv,
++ const struct batadv_neigh_node *neigh_node)
++{
++ struct batadv_orig_node *orig_neigh;
++ u8 sum;
++
++ orig_neigh = batadv_orig_hash_find(bat_priv, neigh_node->addr);
++ if (!orig_neigh)
++ return 0;
++
++ sum = batadv_iv_orig_ifinfo_sum(orig_neigh, neigh_node->if_incoming);
++ batadv_orig_node_put(orig_neigh);
++
++ return sum;
++}
++
++/**
+ * batadv_iv_ogm_orig_update() - use OGM to update corresponding data in an
+ * originator
+ * @bat_priv: the bat priv with all the soft interface information
+@@ -970,17 +988,9 @@ batadv_iv_ogm_orig_update(struct batadv_
+ }
+
+ if (!neigh_node) {
+- struct batadv_orig_node *orig_tmp;
+-
+- orig_tmp = batadv_iv_ogm_orig_get(bat_priv, ethhdr->h_source);
+- if (!orig_tmp)
+- goto unlock;
+-
+ neigh_node = batadv_iv_ogm_neigh_new(if_incoming,
+ ethhdr->h_source,
+- orig_node, orig_tmp);
+-
+- batadv_orig_node_put(orig_tmp);
++ orig_node);
+ if (!neigh_node)
+ goto unlock;
+ } else {
+@@ -1032,10 +1042,9 @@ batadv_iv_ogm_orig_update(struct batadv_
+ */
+ if (router_ifinfo &&
+ neigh_ifinfo->bat_iv.tq_avg == router_ifinfo->bat_iv.tq_avg) {
+- sum_orig = batadv_iv_orig_ifinfo_sum(router->orig_node,
+- router->if_incoming);
+- sum_neigh = batadv_iv_orig_ifinfo_sum(neigh_node->orig_node,
+- neigh_node->if_incoming);
++ sum_orig = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv, router);
++ sum_neigh = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv,
++ neigh_node);
+ if (sum_orig >= sum_neigh)
+ goto out;
+ }
+@@ -1101,7 +1110,6 @@ static bool batadv_iv_ogm_calc_tq(struct
+ if (!neigh_node)
+ neigh_node = batadv_iv_ogm_neigh_new(if_incoming,
+ orig_neigh_node->orig,
+- orig_neigh_node,
+ orig_neigh_node);
+
+ if (!neigh_node)
+@@ -1298,6 +1306,32 @@ out:
+ }
+
+ /**
++ * batadv_orig_to_direct_router() - get direct next hop neighbor to an orig address
++ * @bat_priv: the bat priv with all the mesh interface information
++ * @orig_addr: the originator MAC address to search the best next hop router for
++ * @if_outgoing: the interface where the OGM should be sent to
++ *
++ * Return: A neighbor node which is the best router towards the given originator
++ * address. Bonding candidates are ignored.
++ */
++static struct batadv_neigh_node *
++batadv_orig_to_direct_router(struct batadv_priv *bat_priv, u8 *orig_addr,
++ struct batadv_hard_iface *if_outgoing)
++{
++ struct batadv_neigh_node *neigh_node;
++ struct batadv_orig_node *orig_node;
++
++ orig_node = batadv_orig_hash_find(bat_priv, orig_addr);
++ if (!orig_node)
++ return NULL;
++
++ neigh_node = batadv_orig_router_get(orig_node, if_outgoing);
++ batadv_orig_node_put(orig_node);
++
++ return neigh_node;
++}
++
++/**
+ * batadv_iv_ogm_process_per_outif() - process a batman iv OGM for an outgoing
+ * interface
+ * @skb: the skb containing the OGM
+@@ -1367,8 +1401,9 @@ batadv_iv_ogm_process_per_outif(const st
+
+ router = batadv_orig_router_get(orig_node, if_outgoing);
+ if (router) {
+- router_router = batadv_orig_router_get(router->orig_node,
+- if_outgoing);
++ router_router = batadv_orig_to_direct_router(bat_priv,
++ router->addr,
++ if_outgoing);
+ router_ifinfo = batadv_neigh_ifinfo_get(router, if_outgoing);
+ }
+
--- /dev/null
+From 66085e206431ef88ce36f53c1f53d570790ccc9e Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Wed, 25 Mar 2026 08:39:19 -0400
+Subject: drm/amdgpu: Add bounds checking to ib_{get,set}_value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit 66085e206431ef88ce36f53c1f53d570790ccc9e upstream.
+
+The uvd/vce/vcn code accesses the IB at predefined offsets without
+checking that the IB is large enough. Check the bounds here. The caller
+is responsible for making sure it can handle arbitrary return values.
+
+Also make the idx a uint32_t to prevent overflows causing the condition
+to fail.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h
+@@ -392,15 +392,18 @@ void amdgpu_debugfs_ring_init(struct amd
+
+ int amdgpu_ring_init_mqd(struct amdgpu_ring *ring);
+
+-static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, int idx)
++static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, uint32_t idx)
+ {
+- return ib->ptr[idx];
++ if (idx < ib->length_dw)
++ return ib->ptr[idx];
++ return 0;
+ }
+
+-static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, int idx,
++static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, uint32_t idx,
+ uint32_t value)
+ {
+- ib->ptr[idx] = value;
++ if (idx < ib->length_dw)
++ ib->ptr[idx] = value;
+ }
+
+ int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm,
--- /dev/null
+From 7bbfb2559bcec39d1a4e1182d931a2046112c352 Mon Sep 17 00:00:00 2001
+From: "John B. Moore" <jbmoore61@gmail.com>
+Date: Tue, 28 Apr 2026 11:35:12 -0500
+Subject: drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John B. Moore <jbmoore61@gmail.com>
+
+commit 7bbfb2559bcec39d1a4e1182d931a2046112c352 upstream.
+
+Remove the BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT) assertion from
+gfx_v9_0_ring_emit_fence_kiq(). The KIQ hardware supports 64-bit
+fence writes; the 32-bit writeback address constraint is an
+upper-layer convention, not a hardware limitation. The check serves
+no purpose and should not be present.
+
+Found by code inspection while investigating related BUG_ON
+assertions in the GFX and compute ring emission paths.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: John B. Moore <jbmoore61@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 1b1101a46a426bb4328116bb5273c326a2780389)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+@@ -5316,9 +5316,6 @@ static void gfx_v9_0_ring_emit_fence_kiq
+ {
+ struct amdgpu_device *adev = ring->adev;
+
+- /* we only allocate 32bit for each seq wb address */
+- BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT);
+-
+ /* write fence seq to the "addr" */
+ amdgpu_ring_write(ring, PACKET3(PACKET3_WRITE_DATA, 3));
+ amdgpu_ring_write(ring, (WRITE_DATA_ENGINE_SEL(0) |
--- /dev/null
+From 2a561b361b7681509710f3cfc3d95d54c87ac69f Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 27 Apr 2026 11:38:58 -0400
+Subject: drm/amdgpu/pm: add missing revision check for CI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 2a561b361b7681509710f3cfc3d95d54c87ac69f upstream.
+
+The ci_populate_all_memory_levels() workaround only
+applies to revision 0 SKUs.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
+Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
+Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
+Reviewed-by: Kent Russell <kent.russell@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 1db15ba8f72f400bbad8ae0ce24fafc43429d4bd)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+@@ -1327,8 +1327,9 @@ static int ci_populate_all_memory_levels
+
+ dev_id = adev->pdev->device;
+
+- if ((dpm_table->mclk_table.count >= 2)
+- && ((dev_id == 0x67B0) || (dev_id == 0x67B1))) {
++ if ((dpm_table->mclk_table.count >= 2) &&
++ ((dev_id == 0x67B0) || (dev_id == 0x67B1)) &&
++ (adev->pdev->revision == 0)) {
+ smu_data->smc_state_table.MemoryLevel[1].MinVddci =
+ smu_data->smc_state_table.MemoryLevel[0].MinVddci;
+ smu_data->smc_state_table.MemoryLevel[1].MinMvdd =
--- /dev/null
+From 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 28 Apr 2026 10:42:49 -0400
+Subject: drm/amdgpu/pm: align Hawaii mclk workaround with radeon
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d upstream.
+
+Align the hawaii mclk workaround with radeon and windows.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
+Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)")
+Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
+Reviewed-by: Kent Russell <kent.russell@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 9649528b637f668c5af9f2b83ca4ad8576ae2121)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c
+@@ -1330,10 +1330,10 @@ static int ci_populate_all_memory_levels
+ if ((dpm_table->mclk_table.count >= 2) &&
+ ((dev_id == 0x67B0) || (dev_id == 0x67B1)) &&
+ (adev->pdev->revision == 0)) {
+- smu_data->smc_state_table.MemoryLevel[1].MinVddci =
+- smu_data->smc_state_table.MemoryLevel[0].MinVddci;
+- smu_data->smc_state_table.MemoryLevel[1].MinMvdd =
+- smu_data->smc_state_table.MemoryLevel[0].MinMvdd;
++ smu_data->smc_state_table.MemoryLevel[1].MinVddc =
++ smu_data->smc_state_table.MemoryLevel[0].MinVddc;
++ smu_data->smc_state_table.MemoryLevel[1].MinVddcPhases =
++ smu_data->smc_state_table.MemoryLevel[0].MinVddcPhases;
+ }
+ smu_data->smc_state_table.MemoryLevel[0].ActivityLevel = 0x1F;
+ CONVERT_FROM_HOST_TO_SMC_US(smu_data->smc_state_table.MemoryLevel[0].ActivityLevel);
--- /dev/null
+From 78d2e624fa073c14970aa097adcf3ea31c157a66 Mon Sep 17 00:00:00 2001
+From: "John B. Moore" <jbmoore61@gmail.com>
+Date: Mon, 27 Apr 2026 16:06:28 -0500
+Subject: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John B. Moore <jbmoore61@gmail.com>
+
+commit 78d2e624fa073c14970aa097adcf3ea31c157a66 upstream.
+
+sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions
+that verify fence writeback addresses are dword-aligned. These
+assertions can be reached from unprivileged userspace via crafted
+DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a
+scheduler worker thread.
+
+Replace both BUG_ON() calls with WARN_ON() to log the condition without
+crashing the kernel. A misaligned fence address at this point indicates
+a driver bug, but crashing the kernel is never the correct response when
+the assertion is reachable from userspace.
+
+The CS IOCTL path is the correct place to filter invalid submissions;
+the ring emission callback is too late to do anything about it.
+
+Fixes: 2130f89ced2c ("drm/amdgpu: add SDMA v4.0 implementation (v2)")
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: John B. Moore <jbmoore61@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c
+@@ -884,7 +884,7 @@ static void sdma_v4_0_ring_emit_fence(st
+ /* write the fence */
+ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
+ /* zero in first two bits */
+- BUG_ON(addr & 0x3);
++ WARN_ON(addr & 0x3);
+ amdgpu_ring_write(ring, lower_32_bits(addr));
+ amdgpu_ring_write(ring, upper_32_bits(addr));
+ amdgpu_ring_write(ring, lower_32_bits(seq));
+@@ -894,7 +894,7 @@ static void sdma_v4_0_ring_emit_fence(st
+ addr += 4;
+ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE));
+ /* zero in first two bits */
+- BUG_ON(addr & 0x3);
++ WARN_ON(addr & 0x3);
+ amdgpu_ring_write(ring, lower_32_bits(addr));
+ amdgpu_ring_write(ring, upper_32_bits(addr));
+ amdgpu_ring_write(ring, upper_32_bits(seq));
--- /dev/null
+From de2a02cc28d6d5d37db07d00a9a684c754a5fd74 Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Mon, 30 Mar 2026 15:01:27 -0400
+Subject: drm/amdgpu/vce: Prevent partial address patches
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit de2a02cc28d6d5d37db07d00a9a684c754a5fd74 upstream.
+
+In the case that only one of lo/hi is valid, the patching could result
+in a bad address written to in FW.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+@@ -658,6 +658,9 @@ static int amdgpu_vce_cs_reloc(struct am
+ uint64_t addr;
+ int r;
+
++ if (lo >= ib->length_dw || hi >= ib->length_dw)
++ return -EINVAL;
++
+ if (index == 0xffffffff)
+ index = 0;
+
--- /dev/null
+From b193019860d61e92da395eae2011f2f6716b182f Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Tue, 24 Mar 2026 16:25:56 -0400
+Subject: drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit b193019860d61e92da395eae2011f2f6716b182f upstream.
+
+Check bounds against the end of the BO whenever we access the msg.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c
+@@ -1781,7 +1781,7 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ {
+ struct ttm_operation_ctx ctx = { false, false };
+ struct amdgpu_bo_va_mapping *map;
+- uint32_t *msg, num_buffers;
++ uint32_t *msg, num_buffers, len_dw;
+ struct amdgpu_bo *bo;
+ uint64_t start, end;
+ unsigned int i;
+@@ -1802,6 +1802,11 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ return -EINVAL;
+ }
+
++ if (end - addr < 16) {
++ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n");
++ return -EINVAL;
++ }
++
+ bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
+ amdgpu_bo_placement_from_domain(bo, bo->allowed_domains);
+ r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx);
+@@ -1818,8 +1823,8 @@ static int vcn_v3_0_dec_msg(struct amdgp
+
+ msg = ptr + addr - start;
+
+- /* Check length */
+ if (msg[1] > end - addr) {
++ DRM_ERROR("VCN message header does not fit in BO!\n");
+ r = -EINVAL;
+ goto out;
+ }
+@@ -1827,7 +1832,16 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ if (msg[3] != RDECODE_MSG_CREATE)
+ goto out;
+
++ len_dw = msg[1] / 4;
+ num_buffers = msg[2];
++
++ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */
++ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) {
++ DRM_ERROR("VCN message has too many buffers!\n");
++ r = -EINVAL;
++ goto out;
++ }
++
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
+
+@@ -1837,14 +1851,15 @@ static int vcn_v3_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (offset + size > end) {
++ if (size < 4 || offset + size > end - addr) {
++ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
+ }
+
+ create = ptr + addr + offset - start;
+
+- /* H246, HEVC and VP9 can run on any instance */
++ /* H264, HEVC and VP9 can run on any instance */
+ if (create[0] == 0x7 || create[0] == 0x10 || create[0] == 0x11)
+ continue;
+
--- /dev/null
+From 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 Mon Sep 17 00:00:00 2001
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+Date: Wed, 25 Mar 2026 09:09:27 -0400
+Subject: drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benjamin Cheng <benjamin.cheng@amd.com>
+
+commit 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 upstream.
+
+Check bounds against the end of the BO whenever we access the msg.
+
+Signed-off-by: Benjamin Cheng <benjamin.cheng@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Ruijing Dong <ruijing.dong@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c
+@@ -1612,7 +1612,7 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ {
+ struct ttm_operation_ctx ctx = { false, false };
+ struct amdgpu_bo_va_mapping *map;
+- uint32_t *msg, num_buffers;
++ uint32_t *msg, num_buffers, len_dw;
+ struct amdgpu_bo *bo;
+ uint64_t start, end;
+ unsigned int i;
+@@ -1633,6 +1633,11 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ return -EINVAL;
+ }
+
++ if (end - addr < 16) {
++ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n");
++ return -EINVAL;
++ }
++
+ bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED;
+ amdgpu_bo_placement_from_domain(bo, bo->allowed_domains);
+ r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx);
+@@ -1649,8 +1654,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
+
+ msg = ptr + addr - start;
+
+- /* Check length */
+ if (msg[1] > end - addr) {
++ DRM_ERROR("VCN message header does not fit in BO!\n");
+ r = -EINVAL;
+ goto out;
+ }
+@@ -1658,7 +1663,16 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ if (msg[3] != RDECODE_MSG_CREATE)
+ goto out;
+
++ len_dw = msg[1] / 4;
+ num_buffers = msg[2];
++
++ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */
++ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) {
++ DRM_ERROR("VCN message has too many buffers!\n");
++ r = -EINVAL;
++ goto out;
++ }
++
+ for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) {
+ uint32_t offset, size, *create;
+
+@@ -1668,7 +1682,8 @@ static int vcn_v4_0_dec_msg(struct amdgp
+ offset = msg[1];
+ size = msg[2];
+
+- if (offset + size > end) {
++ if (size < 4 || offset + size > end - addr) {
++ DRM_ERROR("VCN message buffer exceeds BO bounds!\n");
+ r = -EINVAL;
+ goto out;
+ }
--- /dev/null
+From e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 Mon Sep 17 00:00:00 2001
+From: Philip Yang <Philip.Yang@amd.com>
+Date: Mon, 27 Apr 2026 09:30:23 -0400
+Subject: drm/amdgpu: zero-initialize GART table on allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Philip Yang <Philip.Yang@amd.com>
+
+commit e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 upstream.
+
+GART TLB is flushed after unmapping but not after mapping. Since
+amdgpu_bo_create_kernel() does not zero-initialize the buffer, when a
+single PTE is written the TLB may speculatively load other uninitialized
+entries from the same cacheline. Those garbage entries can appear valid,
+and a subsequent write to another PTE in the same cacheline may cause the
+GPU to use a stale garbage PTE from the TLB.
+
+Fix this by calling memset_io() to zero-initialize the GART table with
+gart_pte_flags immediately after allocation.
+
+Using AMDGPU_GEM_CREATE_VRAM_CLEARED, SDMA-based clear will not work
+since SDMA needs GART to be initialized to work.
+
+Suggested-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Philip Yang <Philip.Yang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit d9af8263b82b6eaa60c5718e0c6631c5037e4b24)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c
+@@ -114,12 +114,19 @@ void amdgpu_gart_dummy_page_fini(struct
+ */
+ int amdgpu_gart_table_vram_alloc(struct amdgpu_device *adev)
+ {
++ int r;
++
+ if (adev->gart.bo != NULL)
+ return 0;
+
+- return amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE,
+- AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo,
+- NULL, (void *)&adev->gart.ptr);
++ r = amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE,
++ AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo,
++ NULL, (void *)&adev->gart.ptr);
++ if (r)
++ return r;
++
++ memset_io(adev->gart.ptr, adev->gart.gart_pte_flags, adev->gart.table_size);
++ return 0;
+ }
+
+ /**
--- /dev/null
+From 045e0ff208f0838a246c10204105126611b267a1 Mon Sep 17 00:00:00 2001
+From: Alysa Liu <Alysa.Liu@amd.com>
+Date: Tue, 21 Apr 2026 10:18:28 -0400
+Subject: drm/amdkfd: validate SVM ioctl nattr against buffer size
+
+From: Alysa Liu <Alysa.Liu@amd.com>
+
+commit 045e0ff208f0838a246c10204105126611b267a1 upstream.
+
+Validate nattr field against the buffer size, preventing
+out-of-bounds buffer access via user-controlled attribute count.
+
+Reviewed-by: Amir Shetaia <Amir.Shetaia@amd.com>
+Signed-off-by: Alysa Liu <Alysa.Liu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 26 ++++++++++++++++++++++++--
+ drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 3 +++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -26,6 +26,7 @@
+ #include <linux/err.h>
+ #include <linux/fs.h>
+ #include <linux/file.h>
++#include <linux/overflow.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <linux/uaccess.h>
+@@ -1614,6 +1615,16 @@ static int kfd_ioctl_smi_events(struct f
+ return kfd_smi_event_open(pdd->dev, &args->anon_fd);
+ }
+
++static int kfd_ioctl_svm_validate(void *kdata, unsigned int usize)
++{
++ struct kfd_ioctl_svm_args *args = kdata;
++ size_t expected = struct_size(args, attrs, args->nattr);
++
++ if (expected == SIZE_MAX || usize < expected)
++ return -EINVAL;
++ return 0;
++}
++
+ #if IS_ENABLED(CONFIG_HSA_AMD_SVM)
+
+ static int kfd_ioctl_set_xnack_mode(struct file *filep,
+@@ -2672,7 +2683,11 @@ static int kfd_ioctl_criu(struct file *f
+
+ #define AMDKFD_IOCTL_DEF(ioctl, _func, _flags) \
+ [_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \
+- .cmd_drv = 0, .name = #ioctl}
++ .validate = NULL, .cmd_drv = 0, .name = #ioctl}
++
++#define AMDKFD_IOCTL_DEF_V(ioctl, _func, _validate, _flags) \
++ [_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \
++ .validate = _validate, .cmd_drv = 0, .name = #ioctl}
+
+ /** Ioctl table */
+ static const struct amdkfd_ioctl_desc amdkfd_ioctls[] = {
+@@ -2769,7 +2784,8 @@ static const struct amdkfd_ioctl_desc am
+ AMDKFD_IOCTL_DEF(AMDKFD_IOC_SMI_EVENTS,
+ kfd_ioctl_smi_events, 0),
+
+- AMDKFD_IOCTL_DEF(AMDKFD_IOC_SVM, kfd_ioctl_svm, 0),
++ AMDKFD_IOCTL_DEF_V(AMDKFD_IOC_SVM, kfd_ioctl_svm,
++ kfd_ioctl_svm_validate, 0),
+
+ AMDKFD_IOCTL_DEF(AMDKFD_IOC_SET_XNACK_MODE,
+ kfd_ioctl_set_xnack_mode, 0),
+@@ -2882,6 +2898,12 @@ static long kfd_ioctl(struct file *filep
+ memset(kdata, 0, usize);
+ }
+
++ if (ioctl->validate) {
++ retcode = ioctl->validate(kdata, usize);
++ if (retcode)
++ goto err_i1;
++ }
++
+ retcode = func(filep, process, kdata);
+
+ if (cmd & IOC_OUT)
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h
+@@ -924,10 +924,13 @@ extern struct srcu_struct kfd_processes_
+ typedef int amdkfd_ioctl_t(struct file *filep, struct kfd_process *p,
+ void *data);
+
++typedef int amdkfd_ioctl_validate_t(void *kdata, unsigned int usize);
++
+ struct amdkfd_ioctl_desc {
+ unsigned int cmd;
+ int flags;
+ amdkfd_ioctl_t *func;
++ amdkfd_ioctl_validate_t *validate;
+ unsigned int cmd_drv;
+ const char *name;
+ };
--- /dev/null
+From 3d4c2268bd7243c3780fe32bf24ff876da272acf Mon Sep 17 00:00:00 2001
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+Date: Mon, 20 Apr 2026 01:36:37 +0000
+Subject: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs()
+
+From: Ashutosh Desai <ashutoshdesai993@gmail.com>
+
+commit 3d4c2268bd7243c3780fe32bf24ff876da272acf upstream.
+
+drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions
+using plain integer division:
+
+ unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
+ unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
+
+However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses
+drm_format_info_plane_width/height() which round up dimensions via
+DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object
+size check for certain pixel format and dimension combinations.
+
+For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the
+GEM size validation path sees height=0 instead of height=1. The
+expression (height - 1) then wraps to UINT_MAX as an unsigned int,
+causing min_size to overflow and wrap back to a small value. A tiny
+GEM object therefore passes the size guard, yet when the GPU accesses
+the chroma plane it will read or write memory beyond the object's
+bounds.
+
+Fix by replacing the open-coded divisions with drm_format_info_plane_width()
+and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match
+the calculation already used in framebuffer_check().
+
+Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library")
+Cc: stable@vger.kernel.org # v4.14+
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_gem_framebuffer_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c
++++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c
+@@ -166,8 +166,8 @@ int drm_gem_fb_init_with_funcs(struct dr
+ }
+
+ for (i = 0; i < info->num_planes; i++) {
+- unsigned int width = mode_cmd->width / (i ? info->hsub : 1);
+- unsigned int height = mode_cmd->height / (i ? info->vsub : 1);
++ unsigned int width = drm_format_info_plane_width(info, mode_cmd->width, i);
++ unsigned int height = drm_format_info_plane_height(info, mode_cmd->height, i);
+ unsigned int min_size;
+
+ objs[i] = drm_gem_object_lookup(file, mode_cmd->handles[i]);
--- /dev/null
+From 17223816498f7b117d138d18eb0eba63604dc74e Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Mon, 27 Apr 2026 11:40:25 -0400
+Subject: drm/radeon: add missing revision check for CI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 17223816498f7b117d138d18eb0eba63604dc74e upstream.
+
+The memory level workarounds only apply to revision 0 SKUs.
+
+Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816
+Fixes: 127e056e2a82 ("drm/radeon: fix mclk vddc configuration for cards for hawaii")
+Fixes: 21b8a369046f ("drm/radeon: fix dram timing for certain hawaii boards")
+Fixes: 90b2fee35cb9 ("drm/radeon: fix dpm mc init for certain hawaii boards")
+Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
+Reviewed-by: Kent Russell <kent.russell@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 4d8dcc14311515077062b5740f39f427075de5c9)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/ci_dpm.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -2466,7 +2466,8 @@ static void ci_register_patching_mc_arb(
+
+ if (patch &&
+ ((rdev->pdev->device == 0x67B0) ||
+- (rdev->pdev->device == 0x67B1))) {
++ (rdev->pdev->device == 0x67B1)) &&
++ (rdev->pdev->revision == 0)) {
+ if ((memory_clock > 100000) && (memory_clock <= 125000)) {
+ tmp2 = (((0x31 * engine_clock) / 125000) - 1) & 0xff;
+ *dram_timimg2 &= ~0x00ff0000;
+@@ -3307,7 +3308,8 @@ static int ci_populate_all_memory_levels
+ pi->smc_state_table.MemoryLevel[0].EnabledForActivity = 1;
+
+ if ((dpm_table->mclk_table.count >= 2) &&
+- ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1))) {
++ ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1)) &&
++ (rdev->pdev->revision == 0)) {
+ pi->smc_state_table.MemoryLevel[1].MinVddc =
+ pi->smc_state_table.MemoryLevel[0].MinVddc;
+ pi->smc_state_table.MemoryLevel[1].MinVddcPhases =
+@@ -4504,7 +4506,8 @@ static int ci_register_patching_mc_seq(s
+
+ if (patch &&
+ ((rdev->pdev->device == 0x67B0) ||
+- (rdev->pdev->device == 0x67B1))) {
++ (rdev->pdev->device == 0x67B1)) &&
++ (rdev->pdev->revision == 0)) {
+ for (i = 0; i < table->last; i++) {
+ if (table->last >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
--- /dev/null
+From abb5f36771cc4c05899b34000829a787572a8817 Mon Sep 17 00:00:00 2001
+From: Ben Morris <bmorris@anthropic.com>
+Date: Thu, 7 May 2026 17:14:55 -0700
+Subject: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
+
+From: Ben Morris <bmorris@anthropic.com>
+
+commit abb5f36771cc4c05899b34000829a787572a8817 upstream.
+
+The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with
+list_for_each_entry_safe(), which caches the next entry in @tmp before
+the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may
+drop the socket lock inside sctp_wait_for_sndbuf().
+
+While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the
+association cached in @tmp, migrating it to a new endpoint via
+sctp_sock_migrate() (list_del_init() + list_add_tail() to
+newep->asocs), and optionally close the new socket which frees the
+association via kfree_rcu(). The cached @tmp can also be freed by a
+network ABORT for that association, processed in softirq while the
+lock is dropped.
+
+sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock
+via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing
+revalidates @tmp. After a successful return, the iterator advances to
+the stale @tmp, yielding either a use-after-free (if the peeled socket
+was closed) or a list-walk onto the new endpoint's list head (type
+confusion of &newep->asocs as a struct sctp_association *).
+
+Both are reachable from CapEff=0; the type-confusion path gives
+controlled indirect call via the outqueue.sched->init_sid pointer.
+
+Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc()
+returns. @asoc is known to still be on ep->asocs at that point: the
+only callers that list_del an association from ep->asocs are
+sctp_association_free() (which sets asoc->base.dead) and
+sctp_assoc_migrate() (which changes asoc->base.sk), and
+sctp_wait_for_sndbuf() checks both under the lock before any
+successful return; a tripped check propagates as err < 0 and the loop
+bails before the re-derive.
+
+The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the
+loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so
+the @tmp cached by list_for_each_entry_safe() still covers the
+lock-held free that ba59fb027307 ("sctp: walk the list of asoc
+safely") was added for.
+
+Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ben Morris <bmorris@anthropic.com>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sctp/socket.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1984,6 +1984,15 @@ static int sctp_sendmsg(struct sock *sk,
+ goto out_unlock;
+
+ iov_iter_revert(&msg->msg_iter, err);
++
++ /* sctp_sendmsg_to_asoc() may have released the socket
++ * lock (sctp_wait_for_sndbuf), during which other
++ * associations on ep->asocs could have been peeled
++ * off or freed. @asoc itself is revalidated by the
++ * base.dead and base.sk checks in sctp_wait_for_sndbuf,
++ * so re-derive the cached cursor from it.
++ */
++ tmp = list_next_entry(asoc, asocs);
+ }
+
+ goto out_unlock;
media-i2c-ov08d10-fix-image-vertical-start-setting.patch
media-omap3isp-drop-the-use-count-of-v4l2-pipeline.patch
spi-mtk-nor-fix-controller-deregistration.patch
+spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch
+spi-orion-fix-clock-imbalance-on-registration-failure.patch
+spi-mpc52xx-fix-use-after-free-on-unbind.patch
+drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch
+drm-amdgpu-vce-prevent-partial-address-patches.patch
+drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch
+drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch
+drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch
+drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch
+drm-radeon-add-missing-revision-check-for-ci.patch
+drm-amdgpu-zero-initialize-gart-table-on-allocation.patch
+drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch
+drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch
+drm-amdgpu-pm-add-missing-revision-check-for-ci.patch
+drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch
+sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch
+batman-adv-fix-integer-overflow-on-buff_pos.patch
+batman-adv-reject-new-tp_meter-sessions-during-teardown.patch
+batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch
+batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch
+batman-adv-bla-only-purge-non-released-claims.patch
+batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch
--- /dev/null
+From a1d50a37d3b1df84f536a982f692371039df4a48 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 14:56:32 +0200
+Subject: spi: imx: fix runtime pm leak on probe deferral
+
+From: Johan Hovold <johan@kernel.org>
+
+commit a1d50a37d3b1df84f536a982f692371039df4a48 upstream.
+
+Make sure to balance the runtime PM usage count before returning on
+probe failure (e.g. probe deferral) so that the controller can be
+suspended when a driver is later bound.
+
+Fixes: 43b6bf406cd0 ("spi: imx: fix runtime pm support for !CONFIG_PM")
+Cc: stable@vger.kernel.org # 5.10
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421125632.1537235-1-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-imx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/spi/spi-imx.c
++++ b/drivers/spi/spi-imx.c
+@@ -1867,6 +1867,7 @@ out_register_controller:
+ out_runtime_pm_put:
+ pm_runtime_dont_use_autosuspend(spi_imx->dev);
+ pm_runtime_disable(spi_imx->dev);
++ pm_runtime_put_noidle(spi_imx->dev);
+ pm_runtime_set_suspended(&pdev->dev);
+
+ clk_disable_unprepare(spi_imx->clk_ipg);
--- /dev/null
+From 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Apr 2026 15:43:15 +0200
+Subject: spi: mpc52xx: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 upstream.
+
+The state machine work is scheduled by the interrupt handler and
+therefore needs to be cancelled after disabling interrupts to avoid a
+potential use-after-free.
+
+Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove")
+Cc: stable@vger.kernel.org
+Cc: Pei Xiao <xiaopei01@kylinos.cn>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260414134319.978196-5-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-mpc52xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-mpc52xx.c
++++ b/drivers/spi/spi-mpc52xx.c
+@@ -519,10 +519,11 @@ static int mpc52xx_spi_remove(struct pla
+ struct mpc52xx_spi *ms = spi_master_get_devdata(master);
+ int i;
+
+- cancel_work_sync(&ms->work);
+ free_irq(ms->irq0, ms);
+ free_irq(ms->irq1, ms);
+
++ cancel_work_sync(&ms->work);
++
+ for (i = 0; i < ms->gpio_cs_count; i++)
+ gpiod_put(ms->gpio_cs[i]);
+
--- /dev/null
+From 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 21 Apr 2026 15:02:10 +0200
+Subject: spi: orion: fix clock imbalance on registration failure
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 upstream.
+
+Make sure that the controller is not runtime suspended before disabling
+clocks on probe failure.
+
+Also restore the autosuspend setting.
+
+Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support")
+Cc: stable@vger.kernel.org # 3.17
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://patch.msgid.link/20260421130211.1537628-3-johan@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-orion.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/spi/spi-orion.c
++++ b/drivers/spi/spi-orion.c
+@@ -780,6 +780,7 @@ static int orion_spi_probe(struct platfo
+ pm_runtime_set_active(&pdev->dev);
+ pm_runtime_use_autosuspend(&pdev->dev);
+ pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT);
++ pm_runtime_get_noresume(&pdev->dev);
+ pm_runtime_enable(&pdev->dev);
+
+ status = orion_spi_reset(spi);
+@@ -791,10 +792,15 @@ static int orion_spi_probe(struct platfo
+ if (status < 0)
+ goto out_rel_pm;
+
++ pm_runtime_put_autosuspend(&pdev->dev);
++
+ return status;
+
+ out_rel_pm:
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
++ pm_runtime_set_suspended(&pdev->dev);
++ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ out_rel_axi_clk:
+ clk_disable_unprepare(spi->axi_clk);
+ out_rel_clk:
projects / thirdparty / kernel / stable-queue.git / commitdiff
