From: Greg Kroah-Hartman Date: Fri, 15 May 2026 08:54:52 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.10.256~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d1871f1d136939d1b432d449483bf4a2e6373a29;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: batman-adv-bla-only-purge-non-released-claims.patch batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch batman-adv-fix-integer-overflow-on-buff_pos.patch batman-adv-reject-new-tp_meter-sessions-during-teardown.patch batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch drm-amdgpu-pm-add-missing-revision-check-for-ci.patch drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch drm-amdgpu-vce-prevent-partial-address-patches.patch drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch drm-amdgpu-zero-initialize-gart-table-on-allocation.patch drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch drm-radeon-add-missing-revision-check-for-ci.patch sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch spi-mpc52xx-fix-use-after-free-on-unbind.patch spi-orion-fix-clock-imbalance-on-registration-failure.patch --- diff --git a/queue-6.1/batman-adv-bla-only-purge-non-released-claims.patch b/queue-6.1/batman-adv-bla-only-purge-non-released-claims.patch new file mode 100644 index 0000000000..869978ca97 --- /dev/null +++ b/queue-6.1/batman-adv-bla-only-purge-non-released-claims.patch @@ -0,0 +1,52 @@ +From cf6b604011591865ae39ac82de8978c1120d17af Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 6 May 2026 22:20:51 +0200 +Subject: batman-adv: bla: only purge non-released claims + +From: Sven Eckelmann + +commit cf6b604011591865ae39ac82de8978c1120d17af upstream. + +When batadv_bla_purge_claims() goes through the list of claims, it is only +traversing the hash list with an rcu_read_lock(). Due to a potential +parallel batadv_claim_put(), it can happen that it encounters a claim which +was actually in the process of being released+freed by +batadv_claim_release(). In this case, backbone_gw is set to NULL before the +delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is +then no longer allowed because it would cause a NULL-ptr derefence. + +To avoid this, only claims with a valid reference counter must be purged. +All others are already taken care of. + +Cc: stable@kernel.org +Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -1288,6 +1288,13 @@ static void batadv_bla_purge_claims(stru + + rcu_read_lock(); + hlist_for_each_entry_rcu(claim, head, hash_entry) { ++ /* only purge claims not currently in the process of being released. ++ * Such claims could otherwise have a NULL-ptr backbone_gw set because ++ * they already went through batadv_claim_release() ++ */ ++ if (!kref_get_unless_zero(&claim->refcount)) ++ continue; ++ + backbone_gw = batadv_bla_claim_get_backbone_gw(claim); + if (now) + goto purge_now; +@@ -1313,6 +1320,7 @@ purge_now: + claim->addr, claim->vid); + skip: + batadv_backbone_gw_put(backbone_gw); ++ batadv_claim_put(claim); + } + rcu_read_unlock(); + } diff --git a/queue-6.1/batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch b/queue-6.1/batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch new file mode 100644 index 0000000000..f637ef1bc1 --- /dev/null +++ b/queue-6.1/batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch @@ -0,0 +1,38 @@ +From 4ae1709a314060a196981b344610d023ea841e57 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 6 May 2026 22:20:50 +0200 +Subject: batman-adv: bla: prevent use-after-free when deleting claims + +From: Sven Eckelmann + +commit 4ae1709a314060a196981b344610d023ea841e57 upstream. + +When batadv_bla_del_backbone_claims() removes all claims for a backbone, it +does this by dropping the link entry in the hash list. This list entry +itself was one of the references which need to be dropped at the same time +via batadv_claim_put(). + +But the batadv_claim_put() must not be done before the last access to the +claim object in this function. Otherwise the claim might be freed already +by the batadv_claim_release() function before the list entry was dropped. + +Cc: stable@kernel.org +Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct ba + if (claim->backbone_gw != backbone_gw) + continue; + +- batadv_claim_put(claim); + hlist_del_rcu(&claim->hash_entry); ++ batadv_claim_put(claim); + } + spin_unlock_bh(list_lock); + } diff --git a/queue-6.1/batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch b/queue-6.1/batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch new file mode 100644 index 0000000000..7ebe6debe2 --- /dev/null +++ b/queue-6.1/batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch @@ -0,0 +1,32 @@ +From ba9d20ee9076dac32c371116bacbe72480eb356c Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 6 May 2026 22:20:52 +0200 +Subject: batman-adv: bla: put backbone reference on failed claim hash insert + +From: Sven Eckelmann + +commit ba9d20ee9076dac32c371116bacbe72480eb356c upstream. + +When batadv_bla_add_claim() fails to insert a new claim into the hash, it +leaked a reference to the backbone_gw for which the claim was intended. +Call batadv_backbone_gw_put() on the error path to release the reference +and avoid leaking the backbone_gw object. + +Cc: stable@kernel.org +Fixes: 3db0decf1185 ("batman-adv: Fix non-atomic bla_claim::backbone_gw access") +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct + + if (unlikely(hash_added != 0)) { + /* only local changes happened. */ ++ batadv_backbone_gw_put(backbone_gw); + kfree(claim); + return; + } diff --git a/queue-6.1/batman-adv-fix-integer-overflow-on-buff_pos.patch b/queue-6.1/batman-adv-fix-integer-overflow-on-buff_pos.patch new file mode 100644 index 0000000000..c979437610 --- /dev/null +++ b/queue-6.1/batman-adv-fix-integer-overflow-on-buff_pos.patch @@ -0,0 +1,35 @@ +From 0799e5943611006b346b8813c7daf7dd5aa26bfd Mon Sep 17 00:00:00 2001 +From: Lyes Bourennani +Date: Wed, 22 Apr 2026 00:20:22 +0200 +Subject: batman-adv: fix integer overflow on buff_pos + +From: Lyes Bourennani + +commit 0799e5943611006b346b8813c7daf7dd5aa26bfd upstream. + +Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size +check is done using the int type in batadv_iv_ogm_aggr_packet whereas the +buff_pos variable uses the s16 type. This could lead to an out-of-bound +read. + +Cc: stable@vger.kernel.org +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Signed-off-by: Lyes Bourennani +Signed-off-by: Alexis Pinson +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_iv_ogm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -335,7 +335,7 @@ static void batadv_iv_ogm_send_to_if(str + struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface); + const char *fwd_str; + u8 packet_num; +- s16 buff_pos; ++ int buff_pos; + struct batadv_ogm_packet *batadv_ogm_packet; + struct sk_buff *skb; + u8 *packet_pos; diff --git a/queue-6.1/batman-adv-reject-new-tp_meter-sessions-during-teardown.patch b/queue-6.1/batman-adv-reject-new-tp_meter-sessions-during-teardown.patch new file mode 100644 index 0000000000..d4c370b56d --- /dev/null +++ b/queue-6.1/batman-adv-reject-new-tp_meter-sessions-during-teardown.patch @@ -0,0 +1,77 @@ +From 3243543592425beec83d453793e9d27caa0d8e66 Mon Sep 17 00:00:00 2001 +From: Jiexun Wang +Date: Mon, 27 Apr 2026 14:43:33 +0800 +Subject: batman-adv: reject new tp_meter sessions during teardown + +From: Jiexun Wang + +commit 3243543592425beec83d453793e9d27caa0d8e66 upstream. + +Prevent tp_meter from starting new sender or receiver sessions after +mesh_state has left BATADV_MESH_ACTIVE. + +Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Co-developed-by: Luxing Yin +Signed-off-by: Luxing Yin +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/tp_meter.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/tp_meter.c ++++ b/net/batman-adv/tp_meter.c +@@ -947,6 +947,13 @@ void batadv_tp_start(struct batadv_priv + + /* look for an already existing test towards this node */ + spin_lock_bh(&bat_priv->tp_list_lock); ++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE) { ++ spin_unlock_bh(&bat_priv->tp_list_lock); ++ batadv_tp_batctl_error_notify(BATADV_TP_REASON_DST_UNREACHABLE, ++ dst, bat_priv, session_cookie); ++ return; ++ } ++ + tp_vars = batadv_tp_list_find(bat_priv, dst); + if (tp_vars) { + spin_unlock_bh(&bat_priv->tp_list_lock); +@@ -1329,9 +1336,12 @@ static struct batadv_tp_vars * + batadv_tp_init_recv(struct batadv_priv *bat_priv, + const struct batadv_icmp_tp_packet *icmp) + { +- struct batadv_tp_vars *tp_vars; ++ struct batadv_tp_vars *tp_vars = NULL; + + spin_lock_bh(&bat_priv->tp_list_lock); ++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE) ++ goto out_unlock; ++ + tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig, + icmp->session); + if (tp_vars) +@@ -1464,6 +1474,9 @@ void batadv_tp_meter_recv(struct batadv_ + { + struct batadv_icmp_tp_packet *icmp; + ++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE) ++ goto out; ++ + icmp = (struct batadv_icmp_tp_packet *)skb->data; + + switch (icmp->subtype) { +@@ -1478,6 +1491,8 @@ void batadv_tp_meter_recv(struct batadv_ + "Received unknown TP Metric packet type %u\n", + icmp->subtype); + } ++ ++out: + consume_skb(skb); + } + diff --git a/queue-6.1/batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch b/queue-6.1/batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch new file mode 100644 index 0000000000..6c2320d47d --- /dev/null +++ b/queue-6.1/batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch @@ -0,0 +1,174 @@ +From f03e8583532941b07761c5429de7d50766fa3110 Mon Sep 17 00:00:00 2001 +From: Jiexun Wang +Date: Sun, 3 May 2026 12:28:58 +0800 +Subject: batman-adv: stop caching unowned originator pointers in BAT IV + +From: Jiexun Wang + +commit f03e8583532941b07761c5429de7d50766fa3110 upstream. + +BAT IV keeps the last-hop neighbor address in each neigh_node, but some +paths also cache an originator pointer derived from a temporary lookup. +That pointer is not owned by the neigh_node and may no longer refer to a +live originator entry after purge handling runs. + +Stop storing the auxiliary originator pointer in the BAT IV neighbor +state. When BAT IV needs the neighbor originator data, resolve it from +the stored neighbor address and drop the reference again after use. + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +[sven: avoid bonding logic for outgoing OGM] +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_iv_ogm.c | 83 +++++++++++++++++++++++++++++++------------- + 1 file changed, 59 insertions(+), 24 deletions(-) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -173,19 +173,12 @@ free_orig_node_hash: + static struct batadv_neigh_node * + batadv_iv_ogm_neigh_new(struct batadv_hard_iface *hard_iface, + const u8 *neigh_addr, +- struct batadv_orig_node *orig_node, +- struct batadv_orig_node *orig_neigh) ++ struct batadv_orig_node *orig_node) + { + struct batadv_neigh_node *neigh_node; + + neigh_node = batadv_neigh_node_get_or_create(orig_node, + hard_iface, neigh_addr); +- if (!neigh_node) +- goto out; +- +- neigh_node->orig_node = orig_neigh; +- +-out: + return neigh_node; + } + +@@ -902,6 +895,31 @@ static u8 batadv_iv_orig_ifinfo_sum(stru + } + + /** ++ * batadv_iv_ogm_neigh_ifinfo_sum() - Get bcast_own sum for a last-hop neighbor ++ * @bat_priv: the bat priv with all the mesh interface information ++ * @neigh_node: last-hop neighbor of an originator ++ * ++ * Return: Number of replied (rebroadcasted) OGMs for the originator currently ++ * announced by the neighbor. Returns 0 if the neighbor's originator entry is ++ * not available anymore. ++ */ ++static u8 batadv_iv_ogm_neigh_ifinfo_sum(struct batadv_priv *bat_priv, ++ const struct batadv_neigh_node *neigh_node) ++{ ++ struct batadv_orig_node *orig_neigh; ++ u8 sum; ++ ++ orig_neigh = batadv_orig_hash_find(bat_priv, neigh_node->addr); ++ if (!orig_neigh) ++ return 0; ++ ++ sum = batadv_iv_orig_ifinfo_sum(orig_neigh, neigh_node->if_incoming); ++ batadv_orig_node_put(orig_neigh); ++ ++ return sum; ++} ++ ++/** + * batadv_iv_ogm_orig_update() - use OGM to update corresponding data in an + * originator + * @bat_priv: the bat priv with all the soft interface information +@@ -970,17 +988,9 @@ batadv_iv_ogm_orig_update(struct batadv_ + } + + if (!neigh_node) { +- struct batadv_orig_node *orig_tmp; +- +- orig_tmp = batadv_iv_ogm_orig_get(bat_priv, ethhdr->h_source); +- if (!orig_tmp) +- goto unlock; +- + neigh_node = batadv_iv_ogm_neigh_new(if_incoming, + ethhdr->h_source, +- orig_node, orig_tmp); +- +- batadv_orig_node_put(orig_tmp); ++ orig_node); + if (!neigh_node) + goto unlock; + } else { +@@ -1032,10 +1042,9 @@ batadv_iv_ogm_orig_update(struct batadv_ + */ + if (router_ifinfo && + neigh_ifinfo->bat_iv.tq_avg == router_ifinfo->bat_iv.tq_avg) { +- sum_orig = batadv_iv_orig_ifinfo_sum(router->orig_node, +- router->if_incoming); +- sum_neigh = batadv_iv_orig_ifinfo_sum(neigh_node->orig_node, +- neigh_node->if_incoming); ++ sum_orig = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv, router); ++ sum_neigh = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv, ++ neigh_node); + if (sum_orig >= sum_neigh) + goto out; + } +@@ -1101,7 +1110,6 @@ static bool batadv_iv_ogm_calc_tq(struct + if (!neigh_node) + neigh_node = batadv_iv_ogm_neigh_new(if_incoming, + orig_neigh_node->orig, +- orig_neigh_node, + orig_neigh_node); + + if (!neigh_node) +@@ -1298,6 +1306,32 @@ out: + } + + /** ++ * batadv_orig_to_direct_router() - get direct next hop neighbor to an orig address ++ * @bat_priv: the bat priv with all the mesh interface information ++ * @orig_addr: the originator MAC address to search the best next hop router for ++ * @if_outgoing: the interface where the OGM should be sent to ++ * ++ * Return: A neighbor node which is the best router towards the given originator ++ * address. Bonding candidates are ignored. ++ */ ++static struct batadv_neigh_node * ++batadv_orig_to_direct_router(struct batadv_priv *bat_priv, u8 *orig_addr, ++ struct batadv_hard_iface *if_outgoing) ++{ ++ struct batadv_neigh_node *neigh_node; ++ struct batadv_orig_node *orig_node; ++ ++ orig_node = batadv_orig_hash_find(bat_priv, orig_addr); ++ if (!orig_node) ++ return NULL; ++ ++ neigh_node = batadv_orig_router_get(orig_node, if_outgoing); ++ batadv_orig_node_put(orig_node); ++ ++ return neigh_node; ++} ++ ++/** + * batadv_iv_ogm_process_per_outif() - process a batman iv OGM for an outgoing + * interface + * @skb: the skb containing the OGM +@@ -1367,8 +1401,9 @@ batadv_iv_ogm_process_per_outif(const st + + router = batadv_orig_router_get(orig_node, if_outgoing); + if (router) { +- router_router = batadv_orig_router_get(router->orig_node, +- if_outgoing); ++ router_router = batadv_orig_to_direct_router(bat_priv, ++ router->addr, ++ if_outgoing); + router_ifinfo = batadv_neigh_ifinfo_get(router, if_outgoing); + } + diff --git a/queue-6.1/drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch b/queue-6.1/drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch new file mode 100644 index 0000000000..bb47223656 --- /dev/null +++ b/queue-6.1/drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch @@ -0,0 +1,54 @@ +From 66085e206431ef88ce36f53c1f53d570790ccc9e Mon Sep 17 00:00:00 2001 +From: Benjamin Cheng +Date: Wed, 25 Mar 2026 08:39:19 -0400 +Subject: drm/amdgpu: Add bounds checking to ib_{get,set}_value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benjamin Cheng + +commit 66085e206431ef88ce36f53c1f53d570790ccc9e upstream. + +The uvd/vce/vcn code accesses the IB at predefined offsets without +checking that the IB is large enough. Check the bounds here. The caller +is responsible for making sure it can handle arbitrary return values. + +Also make the idx a uint32_t to prevent overflows causing the condition +to fail. + +Signed-off-by: Benjamin Cheng +Reviewed-by: Christian König +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h +@@ -392,15 +392,18 @@ void amdgpu_debugfs_ring_init(struct amd + + int amdgpu_ring_init_mqd(struct amdgpu_ring *ring); + +-static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, int idx) ++static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, uint32_t idx) + { +- return ib->ptr[idx]; ++ if (idx < ib->length_dw) ++ return ib->ptr[idx]; ++ return 0; + } + +-static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, int idx, ++static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, uint32_t idx, + uint32_t value) + { +- ib->ptr[idx] = value; ++ if (idx < ib->length_dw) ++ ib->ptr[idx] = value; + } + + int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm, diff --git a/queue-6.1/drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch b/queue-6.1/drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch new file mode 100644 index 0000000000..2086d26a02 --- /dev/null +++ b/queue-6.1/drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch @@ -0,0 +1,43 @@ +From 7bbfb2559bcec39d1a4e1182d931a2046112c352 Mon Sep 17 00:00:00 2001 +From: "John B. Moore" +Date: Tue, 28 Apr 2026 11:35:12 -0500 +Subject: drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John B. Moore + +commit 7bbfb2559bcec39d1a4e1182d931a2046112c352 upstream. + +Remove the BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT) assertion from +gfx_v9_0_ring_emit_fence_kiq(). The KIQ hardware supports 64-bit +fence writes; the 32-bit writeback address constraint is an +upper-layer convention, not a hardware limitation. The check serves +no purpose and should not be present. + +Found by code inspection while investigating related BUG_ON +assertions in the GFX and compute ring emission paths. + +Reviewed-by: Christian König +Signed-off-by: John B. Moore +Signed-off-by: Alex Deucher +(cherry picked from commit 1b1101a46a426bb4328116bb5273c326a2780389) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -5316,9 +5316,6 @@ static void gfx_v9_0_ring_emit_fence_kiq + { + struct amdgpu_device *adev = ring->adev; + +- /* we only allocate 32bit for each seq wb address */ +- BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT); +- + /* write fence seq to the "addr" */ + amdgpu_ring_write(ring, PACKET3(PACKET3_WRITE_DATA, 3)); + amdgpu_ring_write(ring, (WRITE_DATA_ENGINE_SEL(0) | diff --git a/queue-6.1/drm-amdgpu-pm-add-missing-revision-check-for-ci.patch b/queue-6.1/drm-amdgpu-pm-add-missing-revision-check-for-ci.patch new file mode 100644 index 0000000000..7f91a1e184 --- /dev/null +++ b/queue-6.1/drm-amdgpu-pm-add-missing-revision-check-for-ci.patch @@ -0,0 +1,41 @@ +From 2a561b361b7681509710f3cfc3d95d54c87ac69f Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 27 Apr 2026 11:38:58 -0400 +Subject: drm/amdgpu/pm: add missing revision check for CI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 2a561b361b7681509710f3cfc3d95d54c87ac69f upstream. + +The ci_populate_all_memory_levels() workaround only +applies to revision 0 SKUs. + +Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816 +Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)") +Reviewed-by: Timur Kristóf +Reviewed-by: Kent Russell +Signed-off-by: Alex Deucher +(cherry picked from commit 1db15ba8f72f400bbad8ae0ce24fafc43429d4bd) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c +@@ -1327,8 +1327,9 @@ static int ci_populate_all_memory_levels + + dev_id = adev->pdev->device; + +- if ((dpm_table->mclk_table.count >= 2) +- && ((dev_id == 0x67B0) || (dev_id == 0x67B1))) { ++ if ((dpm_table->mclk_table.count >= 2) && ++ ((dev_id == 0x67B0) || (dev_id == 0x67B1)) && ++ (adev->pdev->revision == 0)) { + smu_data->smc_state_table.MemoryLevel[1].MinVddci = + smu_data->smc_state_table.MemoryLevel[0].MinVddci; + smu_data->smc_state_table.MemoryLevel[1].MinMvdd = diff --git a/queue-6.1/drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch b/queue-6.1/drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch new file mode 100644 index 0000000000..a89f5704e4 --- /dev/null +++ b/queue-6.1/drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch @@ -0,0 +1,43 @@ +From 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 28 Apr 2026 10:42:49 -0400 +Subject: drm/amdgpu/pm: align Hawaii mclk workaround with radeon +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d upstream. + +Align the hawaii mclk workaround with radeon and windows. + +Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816 +Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)") +Reviewed-by: Timur Kristóf +Reviewed-by: Kent Russell +Signed-off-by: Alex Deucher +(cherry picked from commit 9649528b637f668c5af9f2b83ca4ad8576ae2121) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c +@@ -1330,10 +1330,10 @@ static int ci_populate_all_memory_levels + if ((dpm_table->mclk_table.count >= 2) && + ((dev_id == 0x67B0) || (dev_id == 0x67B1)) && + (adev->pdev->revision == 0)) { +- smu_data->smc_state_table.MemoryLevel[1].MinVddci = +- smu_data->smc_state_table.MemoryLevel[0].MinVddci; +- smu_data->smc_state_table.MemoryLevel[1].MinMvdd = +- smu_data->smc_state_table.MemoryLevel[0].MinMvdd; ++ smu_data->smc_state_table.MemoryLevel[1].MinVddc = ++ smu_data->smc_state_table.MemoryLevel[0].MinVddc; ++ smu_data->smc_state_table.MemoryLevel[1].MinVddcPhases = ++ smu_data->smc_state_table.MemoryLevel[0].MinVddcPhases; + } + smu_data->smc_state_table.MemoryLevel[0].ActivityLevel = 0x1F; + CONVERT_FROM_HOST_TO_SMC_US(smu_data->smc_state_table.MemoryLevel[0].ActivityLevel); diff --git a/queue-6.1/drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch b/queue-6.1/drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch new file mode 100644 index 0000000000..1ed61bfe32 --- /dev/null +++ b/queue-6.1/drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch @@ -0,0 +1,57 @@ +From 78d2e624fa073c14970aa097adcf3ea31c157a66 Mon Sep 17 00:00:00 2001 +From: "John B. Moore" +Date: Mon, 27 Apr 2026 16:06:28 -0500 +Subject: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John B. Moore + +commit 78d2e624fa073c14970aa097adcf3ea31c157a66 upstream. + +sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions +that verify fence writeback addresses are dword-aligned. These +assertions can be reached from unprivileged userspace via crafted +DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a +scheduler worker thread. + +Replace both BUG_ON() calls with WARN_ON() to log the condition without +crashing the kernel. A misaligned fence address at this point indicates +a driver bug, but crashing the kernel is never the correct response when +the assertion is reachable from userspace. + +The CS IOCTL path is the correct place to filter invalid submissions; +the ring emission callback is too late to do anything about it. + +Fixes: 2130f89ced2c ("drm/amdgpu: add SDMA v4.0 implementation (v2)") +Reviewed-by: Christian König +Signed-off-by: John B. Moore +Signed-off-by: Alex Deucher +(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +@@ -884,7 +884,7 @@ static void sdma_v4_0_ring_emit_fence(st + /* write the fence */ + amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE)); + /* zero in first two bits */ +- BUG_ON(addr & 0x3); ++ WARN_ON(addr & 0x3); + amdgpu_ring_write(ring, lower_32_bits(addr)); + amdgpu_ring_write(ring, upper_32_bits(addr)); + amdgpu_ring_write(ring, lower_32_bits(seq)); +@@ -894,7 +894,7 @@ static void sdma_v4_0_ring_emit_fence(st + addr += 4; + amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE)); + /* zero in first two bits */ +- BUG_ON(addr & 0x3); ++ WARN_ON(addr & 0x3); + amdgpu_ring_write(ring, lower_32_bits(addr)); + amdgpu_ring_write(ring, upper_32_bits(addr)); + amdgpu_ring_write(ring, upper_32_bits(seq)); diff --git a/queue-6.1/drm-amdgpu-vce-prevent-partial-address-patches.patch b/queue-6.1/drm-amdgpu-vce-prevent-partial-address-patches.patch new file mode 100644 index 0000000000..06b8b49b85 --- /dev/null +++ b/queue-6.1/drm-amdgpu-vce-prevent-partial-address-patches.patch @@ -0,0 +1,33 @@ +From de2a02cc28d6d5d37db07d00a9a684c754a5fd74 Mon Sep 17 00:00:00 2001 +From: Benjamin Cheng +Date: Mon, 30 Mar 2026 15:01:27 -0400 +Subject: drm/amdgpu/vce: Prevent partial address patches + +From: Benjamin Cheng + +commit de2a02cc28d6d5d37db07d00a9a684c754a5fd74 upstream. + +In the case that only one of lo/hi is valid, the patching could result +in a bad address written to in FW. + +Signed-off-by: Benjamin Cheng +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c +@@ -658,6 +658,9 @@ static int amdgpu_vce_cs_reloc(struct am + uint64_t addr; + int r; + ++ if (lo >= ib->length_dw || hi >= ib->length_dw) ++ return -EINVAL; ++ + if (index == 0xffffffff) + index = 0; + diff --git a/queue-6.1/drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch b/queue-6.1/drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch new file mode 100644 index 0000000000..a8fba2c048 --- /dev/null +++ b/queue-6.1/drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch @@ -0,0 +1,92 @@ +From b193019860d61e92da395eae2011f2f6716b182f Mon Sep 17 00:00:00 2001 +From: Benjamin Cheng +Date: Tue, 24 Mar 2026 16:25:56 -0400 +Subject: drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benjamin Cheng + +commit b193019860d61e92da395eae2011f2f6716b182f upstream. + +Check bounds against the end of the BO whenever we access the msg. + +Signed-off-by: Benjamin Cheng +Reviewed-by: Christian König +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c +@@ -1781,7 +1781,7 @@ static int vcn_v3_0_dec_msg(struct amdgp + { + struct ttm_operation_ctx ctx = { false, false }; + struct amdgpu_bo_va_mapping *map; +- uint32_t *msg, num_buffers; ++ uint32_t *msg, num_buffers, len_dw; + struct amdgpu_bo *bo; + uint64_t start, end; + unsigned int i; +@@ -1802,6 +1802,11 @@ static int vcn_v3_0_dec_msg(struct amdgp + return -EINVAL; + } + ++ if (end - addr < 16) { ++ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n"); ++ return -EINVAL; ++ } ++ + bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED; + amdgpu_bo_placement_from_domain(bo, bo->allowed_domains); + r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx); +@@ -1818,8 +1823,8 @@ static int vcn_v3_0_dec_msg(struct amdgp + + msg = ptr + addr - start; + +- /* Check length */ + if (msg[1] > end - addr) { ++ DRM_ERROR("VCN message header does not fit in BO!\n"); + r = -EINVAL; + goto out; + } +@@ -1827,7 +1832,16 @@ static int vcn_v3_0_dec_msg(struct amdgp + if (msg[3] != RDECODE_MSG_CREATE) + goto out; + ++ len_dw = msg[1] / 4; + num_buffers = msg[2]; ++ ++ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */ ++ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) { ++ DRM_ERROR("VCN message has too many buffers!\n"); ++ r = -EINVAL; ++ goto out; ++ } ++ + for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) { + uint32_t offset, size, *create; + +@@ -1837,14 +1851,15 @@ static int vcn_v3_0_dec_msg(struct amdgp + offset = msg[1]; + size = msg[2]; + +- if (offset + size > end) { ++ if (size < 4 || offset + size > end - addr) { ++ DRM_ERROR("VCN message buffer exceeds BO bounds!\n"); + r = -EINVAL; + goto out; + } + + create = ptr + addr + offset - start; + +- /* H246, HEVC and VP9 can run on any instance */ ++ /* H264, HEVC and VP9 can run on any instance */ + if (create[0] == 0x7 || create[0] == 0x10 || create[0] == 0x11) + continue; + diff --git a/queue-6.1/drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch b/queue-6.1/drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch new file mode 100644 index 0000000000..8dbd816488 --- /dev/null +++ b/queue-6.1/drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch @@ -0,0 +1,84 @@ +From 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 Mon Sep 17 00:00:00 2001 +From: Benjamin Cheng +Date: Wed, 25 Mar 2026 09:09:27 -0400 +Subject: drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benjamin Cheng + +commit 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 upstream. + +Check bounds against the end of the BO whenever we access the msg. + +Signed-off-by: Benjamin Cheng +Reviewed-by: Christian König +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c +@@ -1612,7 +1612,7 @@ static int vcn_v4_0_dec_msg(struct amdgp + { + struct ttm_operation_ctx ctx = { false, false }; + struct amdgpu_bo_va_mapping *map; +- uint32_t *msg, num_buffers; ++ uint32_t *msg, num_buffers, len_dw; + struct amdgpu_bo *bo; + uint64_t start, end; + unsigned int i; +@@ -1633,6 +1633,11 @@ static int vcn_v4_0_dec_msg(struct amdgp + return -EINVAL; + } + ++ if (end - addr < 16) { ++ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n"); ++ return -EINVAL; ++ } ++ + bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED; + amdgpu_bo_placement_from_domain(bo, bo->allowed_domains); + r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx); +@@ -1649,8 +1654,8 @@ static int vcn_v4_0_dec_msg(struct amdgp + + msg = ptr + addr - start; + +- /* Check length */ + if (msg[1] > end - addr) { ++ DRM_ERROR("VCN message header does not fit in BO!\n"); + r = -EINVAL; + goto out; + } +@@ -1658,7 +1663,16 @@ static int vcn_v4_0_dec_msg(struct amdgp + if (msg[3] != RDECODE_MSG_CREATE) + goto out; + ++ len_dw = msg[1] / 4; + num_buffers = msg[2]; ++ ++ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */ ++ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) { ++ DRM_ERROR("VCN message has too many buffers!\n"); ++ r = -EINVAL; ++ goto out; ++ } ++ + for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) { + uint32_t offset, size, *create; + +@@ -1668,7 +1682,8 @@ static int vcn_v4_0_dec_msg(struct amdgp + offset = msg[1]; + size = msg[2]; + +- if (offset + size > end) { ++ if (size < 4 || offset + size > end - addr) { ++ DRM_ERROR("VCN message buffer exceeds BO bounds!\n"); + r = -EINVAL; + goto out; + } diff --git a/queue-6.1/drm-amdgpu-zero-initialize-gart-table-on-allocation.patch b/queue-6.1/drm-amdgpu-zero-initialize-gart-table-on-allocation.patch new file mode 100644 index 0000000000..fb90da7740 --- /dev/null +++ b/queue-6.1/drm-amdgpu-zero-initialize-gart-table-on-allocation.patch @@ -0,0 +1,61 @@ +From e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 Mon Sep 17 00:00:00 2001 +From: Philip Yang +Date: Mon, 27 Apr 2026 09:30:23 -0400 +Subject: drm/amdgpu: zero-initialize GART table on allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Philip Yang + +commit e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 upstream. + +GART TLB is flushed after unmapping but not after mapping. Since +amdgpu_bo_create_kernel() does not zero-initialize the buffer, when a +single PTE is written the TLB may speculatively load other uninitialized +entries from the same cacheline. Those garbage entries can appear valid, +and a subsequent write to another PTE in the same cacheline may cause the +GPU to use a stale garbage PTE from the TLB. + +Fix this by calling memset_io() to zero-initialize the GART table with +gart_pte_flags immediately after allocation. + +Using AMDGPU_GEM_CREATE_VRAM_CLEARED, SDMA-based clear will not work +since SDMA needs GART to be initialized to work. + +Suggested-by: Felix Kuehling +Signed-off-by: Philip Yang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +(cherry picked from commit d9af8263b82b6eaa60c5718e0c6631c5037e4b24) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c +@@ -114,12 +114,19 @@ void amdgpu_gart_dummy_page_fini(struct + */ + int amdgpu_gart_table_vram_alloc(struct amdgpu_device *adev) + { ++ int r; ++ + if (adev->gart.bo != NULL) + return 0; + +- return amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE, +- AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo, +- NULL, (void *)&adev->gart.ptr); ++ r = amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE, ++ AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo, ++ NULL, (void *)&adev->gart.ptr); ++ if (r) ++ return r; ++ ++ memset_io(adev->gart.ptr, adev->gart.gart_pte_flags, adev->gart.table_size); ++ return 0; + } + + /** diff --git a/queue-6.1/drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch b/queue-6.1/drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch new file mode 100644 index 0000000000..5e21828d0a --- /dev/null +++ b/queue-6.1/drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch @@ -0,0 +1,102 @@ +From 045e0ff208f0838a246c10204105126611b267a1 Mon Sep 17 00:00:00 2001 +From: Alysa Liu +Date: Tue, 21 Apr 2026 10:18:28 -0400 +Subject: drm/amdkfd: validate SVM ioctl nattr against buffer size + +From: Alysa Liu + +commit 045e0ff208f0838a246c10204105126611b267a1 upstream. + +Validate nattr field against the buffer size, preventing +out-of-bounds buffer access via user-controlled attribute count. + +Reviewed-by: Amir Shetaia +Signed-off-by: Alysa Liu +Signed-off-by: Alex Deucher +(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 26 ++++++++++++++++++++++++-- + drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 3 +++ + 2 files changed, 27 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1614,6 +1615,16 @@ static int kfd_ioctl_smi_events(struct f + return kfd_smi_event_open(pdd->dev, &args->anon_fd); + } + ++static int kfd_ioctl_svm_validate(void *kdata, unsigned int usize) ++{ ++ struct kfd_ioctl_svm_args *args = kdata; ++ size_t expected = struct_size(args, attrs, args->nattr); ++ ++ if (expected == SIZE_MAX || usize < expected) ++ return -EINVAL; ++ return 0; ++} ++ + #if IS_ENABLED(CONFIG_HSA_AMD_SVM) + + static int kfd_ioctl_set_xnack_mode(struct file *filep, +@@ -2672,7 +2683,11 @@ static int kfd_ioctl_criu(struct file *f + + #define AMDKFD_IOCTL_DEF(ioctl, _func, _flags) \ + [_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \ +- .cmd_drv = 0, .name = #ioctl} ++ .validate = NULL, .cmd_drv = 0, .name = #ioctl} ++ ++#define AMDKFD_IOCTL_DEF_V(ioctl, _func, _validate, _flags) \ ++ [_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \ ++ .validate = _validate, .cmd_drv = 0, .name = #ioctl} + + /** Ioctl table */ + static const struct amdkfd_ioctl_desc amdkfd_ioctls[] = { +@@ -2769,7 +2784,8 @@ static const struct amdkfd_ioctl_desc am + AMDKFD_IOCTL_DEF(AMDKFD_IOC_SMI_EVENTS, + kfd_ioctl_smi_events, 0), + +- AMDKFD_IOCTL_DEF(AMDKFD_IOC_SVM, kfd_ioctl_svm, 0), ++ AMDKFD_IOCTL_DEF_V(AMDKFD_IOC_SVM, kfd_ioctl_svm, ++ kfd_ioctl_svm_validate, 0), + + AMDKFD_IOCTL_DEF(AMDKFD_IOC_SET_XNACK_MODE, + kfd_ioctl_set_xnack_mode, 0), +@@ -2882,6 +2898,12 @@ static long kfd_ioctl(struct file *filep + memset(kdata, 0, usize); + } + ++ if (ioctl->validate) { ++ retcode = ioctl->validate(kdata, usize); ++ if (retcode) ++ goto err_i1; ++ } ++ + retcode = func(filep, process, kdata); + + if (cmd & IOC_OUT) +--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h +@@ -924,10 +924,13 @@ extern struct srcu_struct kfd_processes_ + typedef int amdkfd_ioctl_t(struct file *filep, struct kfd_process *p, + void *data); + ++typedef int amdkfd_ioctl_validate_t(void *kdata, unsigned int usize); ++ + struct amdkfd_ioctl_desc { + unsigned int cmd; + int flags; + amdkfd_ioctl_t *func; ++ amdkfd_ioctl_validate_t *validate; + unsigned int cmd_drv; + const char *name; + }; diff --git a/queue-6.1/drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch b/queue-6.1/drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch new file mode 100644 index 0000000000..157fe815b0 --- /dev/null +++ b/queue-6.1/drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch @@ -0,0 +1,56 @@ +From 3d4c2268bd7243c3780fe32bf24ff876da272acf Mon Sep 17 00:00:00 2001 +From: Ashutosh Desai +Date: Mon, 20 Apr 2026 01:36:37 +0000 +Subject: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() + +From: Ashutosh Desai + +commit 3d4c2268bd7243c3780fe32bf24ff876da272acf upstream. + +drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions +using plain integer division: + + unsigned int width = mode_cmd->width / (i ? info->hsub : 1); + unsigned int height = mode_cmd->height / (i ? info->vsub : 1); + +However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses +drm_format_info_plane_width/height() which round up dimensions via +DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object +size check for certain pixel format and dimension combinations. + +For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the +GEM size validation path sees height=0 instead of height=1. The +expression (height - 1) then wraps to UINT_MAX as an unsigned int, +causing min_size to overflow and wrap back to a small value. A tiny +GEM object therefore passes the size guard, yet when the GPU accesses +the chroma plane it will read or write memory beyond the object's +bounds. + +Fix by replacing the open-coded divisions with drm_format_info_plane_width() +and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match +the calculation already used in framebuffer_check(). + +Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library") +Cc: stable@vger.kernel.org # v4.14+ +Reviewed-by: Thomas Zimmermann +Signed-off-by: Ashutosh Desai +Signed-off-by: Thomas Zimmermann +Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_framebuffer_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c ++++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c +@@ -166,8 +166,8 @@ int drm_gem_fb_init_with_funcs(struct dr + } + + for (i = 0; i < info->num_planes; i++) { +- unsigned int width = mode_cmd->width / (i ? info->hsub : 1); +- unsigned int height = mode_cmd->height / (i ? info->vsub : 1); ++ unsigned int width = drm_format_info_plane_width(info, mode_cmd->width, i); ++ unsigned int height = drm_format_info_plane_height(info, mode_cmd->height, i); + unsigned int min_size; + + objs[i] = drm_gem_object_lookup(file, mode_cmd->handles[i]); diff --git a/queue-6.1/drm-radeon-add-missing-revision-check-for-ci.patch b/queue-6.1/drm-radeon-add-missing-revision-check-for-ci.patch new file mode 100644 index 0000000000..ecd46e1b2e --- /dev/null +++ b/queue-6.1/drm-radeon-add-missing-revision-check-for-ci.patch @@ -0,0 +1,60 @@ +From 17223816498f7b117d138d18eb0eba63604dc74e Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 27 Apr 2026 11:40:25 -0400 +Subject: drm/radeon: add missing revision check for CI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 17223816498f7b117d138d18eb0eba63604dc74e upstream. + +The memory level workarounds only apply to revision 0 SKUs. + +Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816 +Fixes: 127e056e2a82 ("drm/radeon: fix mclk vddc configuration for cards for hawaii") +Fixes: 21b8a369046f ("drm/radeon: fix dram timing for certain hawaii boards") +Fixes: 90b2fee35cb9 ("drm/radeon: fix dpm mc init for certain hawaii boards") +Reviewed-by: Timur Kristóf +Reviewed-by: Kent Russell +Signed-off-by: Alex Deucher +(cherry picked from commit 4d8dcc14311515077062b5740f39f427075de5c9) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/ci_dpm.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -2466,7 +2466,8 @@ static void ci_register_patching_mc_arb( + + if (patch && + ((rdev->pdev->device == 0x67B0) || +- (rdev->pdev->device == 0x67B1))) { ++ (rdev->pdev->device == 0x67B1)) && ++ (rdev->pdev->revision == 0)) { + if ((memory_clock > 100000) && (memory_clock <= 125000)) { + tmp2 = (((0x31 * engine_clock) / 125000) - 1) & 0xff; + *dram_timimg2 &= ~0x00ff0000; +@@ -3307,7 +3308,8 @@ static int ci_populate_all_memory_levels + pi->smc_state_table.MemoryLevel[0].EnabledForActivity = 1; + + if ((dpm_table->mclk_table.count >= 2) && +- ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1))) { ++ ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1)) && ++ (rdev->pdev->revision == 0)) { + pi->smc_state_table.MemoryLevel[1].MinVddc = + pi->smc_state_table.MemoryLevel[0].MinVddc; + pi->smc_state_table.MemoryLevel[1].MinVddcPhases = +@@ -4504,7 +4506,8 @@ static int ci_register_patching_mc_seq(s + + if (patch && + ((rdev->pdev->device == 0x67B0) || +- (rdev->pdev->device == 0x67B1))) { ++ (rdev->pdev->device == 0x67B1)) && ++ (rdev->pdev->revision == 0)) { + for (i = 0; i < table->last; i++) { + if (table->last >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; diff --git a/queue-6.1/sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch b/queue-6.1/sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch new file mode 100644 index 0000000000..6b19960352 --- /dev/null +++ b/queue-6.1/sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch @@ -0,0 +1,76 @@ +From abb5f36771cc4c05899b34000829a787572a8817 Mon Sep 17 00:00:00 2001 +From: Ben Morris +Date: Thu, 7 May 2026 17:14:55 -0700 +Subject: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL + +From: Ben Morris + +commit abb5f36771cc4c05899b34000829a787572a8817 upstream. + +The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with +list_for_each_entry_safe(), which caches the next entry in @tmp before +the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may +drop the socket lock inside sctp_wait_for_sndbuf(). + +While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the +association cached in @tmp, migrating it to a new endpoint via +sctp_sock_migrate() (list_del_init() + list_add_tail() to +newep->asocs), and optionally close the new socket which frees the +association via kfree_rcu(). The cached @tmp can also be freed by a +network ABORT for that association, processed in softirq while the +lock is dropped. + +sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock +via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing +revalidates @tmp. After a successful return, the iterator advances to +the stale @tmp, yielding either a use-after-free (if the peeled socket +was closed) or a list-walk onto the new endpoint's list head (type +confusion of &newep->asocs as a struct sctp_association *). + +Both are reachable from CapEff=0; the type-confusion path gives +controlled indirect call via the outqueue.sched->init_sid pointer. + +Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() +returns. @asoc is known to still be on ep->asocs at that point: the +only callers that list_del an association from ep->asocs are +sctp_association_free() (which sets asoc->base.dead) and +sctp_assoc_migrate() (which changes asoc->base.sk), and +sctp_wait_for_sndbuf() checks both under the lock before any +successful return; a tripped check propagates as err < 0 and the loop +bails before the re-derive. + +The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the +loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so +the @tmp cached by list_for_each_entry_safe() still covers the +lock-held free that ba59fb027307 ("sctp: walk the list of asoc +safely") was added for. + +Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg") +Cc: stable@vger.kernel.org +Signed-off-by: Ben Morris +Acked-by: Xin Long +Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1984,6 +1984,15 @@ static int sctp_sendmsg(struct sock *sk, + goto out_unlock; + + iov_iter_revert(&msg->msg_iter, err); ++ ++ /* sctp_sendmsg_to_asoc() may have released the socket ++ * lock (sctp_wait_for_sndbuf), during which other ++ * associations on ep->asocs could have been peeled ++ * off or freed. @asoc itself is revalidated by the ++ * base.dead and base.sk checks in sctp_wait_for_sndbuf, ++ * so re-derive the cached cursor from it. ++ */ ++ tmp = list_next_entry(asoc, asocs); + } + + goto out_unlock; diff --git a/queue-6.1/series b/queue-6.1/series index e89f305c84..afafa1d54c 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -404,3 +404,25 @@ media-i2c-imx412-assert-reset-gpio-during-probe.patch media-i2c-ov08d10-fix-image-vertical-start-setting.patch media-omap3isp-drop-the-use-count-of-v4l2-pipeline.patch spi-mtk-nor-fix-controller-deregistration.patch +spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch +spi-orion-fix-clock-imbalance-on-registration-failure.patch +spi-mpc52xx-fix-use-after-free-on-unbind.patch +drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch +drm-amdgpu-vce-prevent-partial-address-patches.patch +drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch +drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch +drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch +drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch +drm-radeon-add-missing-revision-check-for-ci.patch +drm-amdgpu-zero-initialize-gart-table-on-allocation.patch +drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch +drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch +drm-amdgpu-pm-add-missing-revision-check-for-ci.patch +drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch +sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch +batman-adv-fix-integer-overflow-on-buff_pos.patch +batman-adv-reject-new-tp_meter-sessions-during-teardown.patch +batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch +batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch +batman-adv-bla-only-purge-non-released-claims.patch +batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch diff --git a/queue-6.1/spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch b/queue-6.1/spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch new file mode 100644 index 0000000000..2ace96c0b5 --- /dev/null +++ b/queue-6.1/spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch @@ -0,0 +1,34 @@ +From a1d50a37d3b1df84f536a982f692371039df4a48 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 21 Apr 2026 14:56:32 +0200 +Subject: spi: imx: fix runtime pm leak on probe deferral + +From: Johan Hovold + +commit a1d50a37d3b1df84f536a982f692371039df4a48 upstream. + +Make sure to balance the runtime PM usage count before returning on +probe failure (e.g. probe deferral) so that the controller can be +suspended when a driver is later bound. + +Fixes: 43b6bf406cd0 ("spi: imx: fix runtime pm support for !CONFIG_PM") +Cc: stable@vger.kernel.org # 5.10 +Cc: Sascha Hauer +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260421125632.1537235-1-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-imx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1867,6 +1867,7 @@ out_register_controller: + out_runtime_pm_put: + pm_runtime_dont_use_autosuspend(spi_imx->dev); + pm_runtime_disable(spi_imx->dev); ++ pm_runtime_put_noidle(spi_imx->dev); + pm_runtime_set_suspended(&pdev->dev); + + clk_disable_unprepare(spi_imx->clk_ipg); diff --git a/queue-6.1/spi-mpc52xx-fix-use-after-free-on-unbind.patch b/queue-6.1/spi-mpc52xx-fix-use-after-free-on-unbind.patch new file mode 100644 index 0000000000..1df67d02b5 --- /dev/null +++ b/queue-6.1/spi-mpc52xx-fix-use-after-free-on-unbind.patch @@ -0,0 +1,39 @@ +From 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 14 Apr 2026 15:43:15 +0200 +Subject: spi: mpc52xx: fix use-after-free on unbind + +From: Johan Hovold + +commit 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 upstream. + +The state machine work is scheduled by the interrupt handler and +therefore needs to be cancelled after disabling interrupts to avoid a +potential use-after-free. + +Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove") +Cc: stable@vger.kernel.org +Cc: Pei Xiao +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260414134319.978196-5-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-mpc52xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-mpc52xx.c ++++ b/drivers/spi/spi-mpc52xx.c +@@ -519,10 +519,11 @@ static int mpc52xx_spi_remove(struct pla + struct mpc52xx_spi *ms = spi_master_get_devdata(master); + int i; + +- cancel_work_sync(&ms->work); + free_irq(ms->irq0, ms); + free_irq(ms->irq1, ms); + ++ cancel_work_sync(&ms->work); ++ + for (i = 0; i < ms->gpio_cs_count; i++) + gpiod_put(ms->gpio_cs[i]); + diff --git a/queue-6.1/spi-orion-fix-clock-imbalance-on-registration-failure.patch b/queue-6.1/spi-orion-fix-clock-imbalance-on-registration-failure.patch new file mode 100644 index 0000000000..ac015ee5e5 --- /dev/null +++ b/queue-6.1/spi-orion-fix-clock-imbalance-on-registration-failure.patch @@ -0,0 +1,51 @@ +From 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 21 Apr 2026 15:02:10 +0200 +Subject: spi: orion: fix clock imbalance on registration failure + +From: Johan Hovold + +commit 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 upstream. + +Make sure that the controller is not runtime suspended before disabling +clocks on probe failure. + +Also restore the autosuspend setting. + +Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support") +Cc: stable@vger.kernel.org # 3.17 +Cc: Russell King +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260421130211.1537628-3-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-orion.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/spi/spi-orion.c ++++ b/drivers/spi/spi-orion.c +@@ -780,6 +780,7 @@ static int orion_spi_probe(struct platfo + pm_runtime_set_active(&pdev->dev); + pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT); ++ pm_runtime_get_noresume(&pdev->dev); + pm_runtime_enable(&pdev->dev); + + status = orion_spi_reset(spi); +@@ -791,10 +792,15 @@ static int orion_spi_probe(struct platfo + if (status < 0) + goto out_rel_pm; + ++ pm_runtime_put_autosuspend(&pdev->dev); ++ + return status; + + out_rel_pm: + pm_runtime_disable(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); ++ pm_runtime_set_suspended(&pdev->dev); ++ pm_runtime_dont_use_autosuspend(&pdev->dev); + out_rel_axi_clk: + clk_disable_unprepare(spi->axi_clk); + out_rel_clk: