From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 17 Sep 2025 08:45:25 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.1.153~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4b5d8443b2a52e0e0f9e26f6781aeddc51400fcd;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch
	drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch
	soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
	soc-qcom-mdt_loader-fix-error-return-values-in-mdt_header_valid.patch
---

diff --git a/queue-6.1/drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch b/queue-6.1/drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch
new file mode 100644
index 0000000000..020c733700
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch
@@ -0,0 +1,46 @@
+From stable+bounces-179596-greg=kroah.com@vger.kernel.org Mon Sep 15 04:31:35 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Sep 2025 22:31:27 -0400
+Subject: drm/amdgpu: fix a memory leak in fence cleanup when unloading
+To: stable@vger.kernel.org
+Cc: "Alex Deucher" <alexander.deucher@amd.com>, "Lin.Cao" <lincao12@amd.com>, "Vitaly Prosyak" <vitaly.prosyak@amd.com>, "Christian König" <christian.koenig@amd.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250915023127.376435-1-sashal@kernel.org>
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 7838fb5f119191403560eca2e23613380c0e425e ]
+
+Commit b61badd20b44 ("drm/amdgpu: fix usage slab after free")
+reordered when amdgpu_fence_driver_sw_fini() was called after
+that patch, amdgpu_fence_driver_sw_fini() effectively became
+a no-op as the sched entities we never freed because the
+ring pointers were already set to NULL.  Remove the NULL
+setting.
+
+Reported-by: Lin.Cao <lincao12@amd.com>
+Cc: Vitaly Prosyak <vitaly.prosyak@amd.com>
+Cc: Christian KÃ¶nig <christian.koenig@amd.com>
+Fixes: b61badd20b44 ("drm/amdgpu: fix usage slab after free")
+Reviewed-by: Christian KÃ¶nig <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit a525fa37aac36c4591cc8b07ae8957862415fbd5)
+Cc: stable@vger.kernel.org
+[ Adapt to conditional check ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+@@ -368,9 +368,6 @@ void amdgpu_ring_fini(struct amdgpu_ring
+ 	dma_fence_put(ring->vmid_wait);
+ 	ring->vmid_wait = NULL;
+ 	ring->me = 0;
+-
+-	if (!ring->is_mes_queue)
+-		ring->adev->rings[ring->idx] = NULL;
+ }
+ 
+ /**
diff --git a/queue-6.1/drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch b/queue-6.1/drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch
new file mode 100644
index 0000000000..67127c0807
--- /dev/null
+++ b/queue-6.1/drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch
@@ -0,0 +1,59 @@
+From stable+bounces-179587-greg=kroah.com@vger.kernel.org Sun Sep 14 22:17:09 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Sep 2025 16:17:00 -0400
+Subject: drm/i915/power: fix size for for_each_set_bit() in abox iteration
+To: stable@vger.kernel.org
+Cc: "Jani Nikula" <jani.nikula@intel.com>, "Ville Syrjälä" <ville.syrjala@linux.intel.com>, "Matt Roper" <matthew.d.roper@intel.com>, "Tvrtko Ursulin" <tursulin@ursulin.net>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250914201700.200541-1-sashal@kernel.org>
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+[ Upstream commit cfa7b7659757f8d0fc4914429efa90d0d2577dd7 ]
+
+for_each_set_bit() expects size to be in bits, not bytes. The abox mask
+iteration uses bytes, but it works by coincidence, because the local
+variable holding the mask is unsigned long, and the mask only ever has
+bit 2 as the highest bit. Using a smaller type could lead to subtle and
+very hard to track bugs.
+
+Fixes: 62afef2811e4 ("drm/i915/rkl: RKL uses ABOX0 for pixel transfers")
+Cc: Ville SyrjÃ¤lÃ¤ <ville.syrjala@linux.intel.com>
+Cc: Matt Roper <matthew.d.roper@intel.com>
+Cc: stable@vger.kernel.org # v5.9+
+Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
+Link: https://lore.kernel.org/r/20250905104149.1144751-1-jani.nikula@intel.com
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit 7ea3baa6efe4bb93d11e1c0e6528b1468d7debf6)
+Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
+[ adapted struct intel_display *display parameters to struct drm_i915_private *dev_priv ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_display_power.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_display_power.c
++++ b/drivers/gpu/drm/i915/display/intel_display_power.c
+@@ -1122,7 +1122,7 @@ static void icl_mbus_init(struct drm_i91
+ 	if (DISPLAY_VER(dev_priv) == 12)
+ 		abox_regs |= BIT(0);
+ 
+-	for_each_set_bit(i, &abox_regs, sizeof(abox_regs))
++	for_each_set_bit(i, &abox_regs, BITS_PER_TYPE(abox_regs))
+ 		intel_de_rmw(dev_priv, MBUS_ABOX_CTL(i), mask, val);
+ }
+ 
+@@ -1587,11 +1587,11 @@ static void tgl_bw_buddy_init(struct drm
+ 	if (table[config].page_mask == 0) {
+ 		drm_dbg(&dev_priv->drm,
+ 			"Unknown memory configuration; disabling address buddy logic.\n");
+-		for_each_set_bit(i, &abox_mask, sizeof(abox_mask))
++		for_each_set_bit(i, &abox_mask, BITS_PER_TYPE(abox_mask))
+ 			intel_de_write(dev_priv, BW_BUDDY_CTL(i),
+ 				       BW_BUDDY_DISABLE);
+ 	} else {
+-		for_each_set_bit(i, &abox_mask, sizeof(abox_mask)) {
++		for_each_set_bit(i, &abox_mask, BITS_PER_TYPE(abox_mask)) {
+ 			intel_de_write(dev_priv, BW_BUDDY_PAGE_MASK(i),
+ 				       table[config].page_mask);
+ 
diff --git a/queue-6.1/series b/queue-6.1/series
index 629689fd99..06c0f3904a 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -72,3 +72,7 @@ dmaengine-qcom-bam_dma-fix-dt-error-handling-for-num-channels-ees.patch
 dmaengine-dw-dmamux-fix-device-reference-leak-in-rzn1_dmamux_route_allocate.patch
 phy-tegra-xusb-fix-device-and-of-node-leak-at-probe.patch
 phy-ti-pipe3-fix-device-leak-at-unbind.patch
+drm-amdgpu-fix-a-memory-leak-in-fence-cleanup-when-unloading.patch
+drm-i915-power-fix-size-for-for_each_set_bit-in-abox-iteration.patch
+soc-qcom-mdt_loader-fix-error-return-values-in-mdt_header_valid.patch
+soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
diff --git a/queue-6.1/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch b/queue-6.1/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
new file mode 100644
index 0000000000..e665871f1d
--- /dev/null
+++ b/queue-6.1/soc-qcom-mdt_loader-deal-with-zero-e_shentsize.patch
@@ -0,0 +1,56 @@
+From 25daf9af0ac1bf12490b723b5efaf8dcc85980bc Mon Sep 17 00:00:00 2001
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Date: Wed, 30 Jul 2025 15:51:51 -0500
+Subject: soc: qcom: mdt_loader: Deal with zero e_shentsize
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+commit 25daf9af0ac1bf12490b723b5efaf8dcc85980bc upstream.
+
+Firmware that doesn't provide section headers leave both e_shentsize and
+e_shnum 0, which obvious isn't compatible with the newly introduced
+stricter checks.
+
+Make the section-related checks conditional on either of these values
+being non-zero.
+
+Fixes: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header")
+Reported-by: Val Packett <val@packett.cool>
+Closes: https://lore.kernel.org/all/ece307c3-7d65-440f-babd-88cf9705b908@packett.cool/
+Reported-by: Neil Armstrong <neil.armstrong@linaro.org>
+Closes: https://lore.kernel.org/all/aec9cd03-6fc2-4dc8-b937-8b7cf7bf4128@linaro.org/
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Fixes: 9f35ab0e53cc ("soc: qcom: mdt_loader: Fix error return values in mdt_header_valid()")
+Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on SM8650-QRD
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250730-mdt-loader-shentsize-zero-v1-1-04f43186229c@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Cc: Yongqin Liu <yongqin.liu@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/mdt_loader.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -38,12 +38,14 @@ static bool mdt_header_valid(const struc
+ 	if (phend > fw->size)
+ 		return false;
+ 
+-	if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
+-		return false;
++	if (ehdr->e_shentsize || ehdr->e_shnum) {
++		if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
++			return false;
+ 
+-	shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
+-	if (shend > fw->size)
+-		return false;
++		shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
++		if (shend > fw->size)
++			return false;
++	}
+ 
+ 	return true;
+ }
diff --git a/queue-6.1/soc-qcom-mdt_loader-fix-error-return-values-in-mdt_header_valid.patch b/queue-6.1/soc-qcom-mdt_loader-fix-error-return-values-in-mdt_header_valid.patch
new file mode 100644
index 0000000000..6dbee15938
--- /dev/null
+++ b/queue-6.1/soc-qcom-mdt_loader-fix-error-return-values-in-mdt_header_valid.patch
@@ -0,0 +1,43 @@
+From 9f35ab0e53ccbea57bb9cbad8065e0406d516195 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Wed, 25 Jun 2025 10:22:41 -0500
+Subject: soc: qcom: mdt_loader: Fix error return values in mdt_header_valid()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 9f35ab0e53ccbea57bb9cbad8065e0406d516195 upstream.
+
+This function is supposed to return true for valid headers and false for
+invalid.  In a couple places it returns -EINVAL instead which means the
+invalid headers are counted as true.  Change it to return false.
+
+Fixes: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/db57c01c-bdcc-4a0f-95db-b0f2784ea91f@sabinyo.mountain
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Cc: Yongqin Liu <yongqin.liu@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/mdt_loader.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -32,14 +32,14 @@ static bool mdt_header_valid(const struc
+ 		return false;
+ 
+ 	if (ehdr->e_phentsize != sizeof(struct elf32_phdr))
+-		return -EINVAL;
++		return false;
+ 
+ 	phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff);
+ 	if (phend > fw->size)
+ 		return false;
+ 
+ 	if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
+-		return -EINVAL;
++		return false;
+ 
+ 	shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
+ 	if (shend > fw->size)