From: Greg Kroah-Hartman Date: Fri, 15 May 2026 08:53:16 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v5.10.256~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ecd2589b1f424f592bebb22800def8ea2f37e7ee;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: arm64-dts-ti-k3-am62a7-sk-fix-pin-name-in-comment-from-m19-to-n22.patch batman-adv-bla-only-purge-non-released-claims.patch batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch batman-adv-fix-integer-overflow-on-buff_pos.patch batman-adv-reject-new-tp_meter-sessions-during-teardown.patch batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch drm-amd-display-change-dither-policy-for-10-bpc-output-back-to-dithering.patch drm-amd-pm-fix-incorrect-featurectrlmask-setting-on-smu-v14.0.x.patch drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch drm-amdgpu-gate-vm-cpu-hdp-flush-on-reset-lock.patch drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch drm-amdgpu-pm-add-missing-revision-check-for-ci.patch drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch drm-amdgpu-use-smuio-15.0.0-offsets-for-tsc-upper-and-lower-count.patch drm-amdgpu-vce-prevent-partial-address-patches.patch drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-ib.patch drm-amdgpu-zero-initialize-gart-table-on-allocation.patch drm-amdkfd-add-upper-bound-check-for-num_of_nodes.patch drm-amdkfd-clear-vram-on-allocation-to-prevent-stale-data-exposure.patch drm-amdkfd-make-all-tlb-flushes-heavy-weight.patch drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch drm-exynos-remove-bridge-when-component_add-fails.patch drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch drm-i915-psr-init-variable-to-avoid-early-exit-from-et-alignment-loop.patch drm-msm-gem-fix-error-handling-in-msm_ioctl_gem_info_get_metadata.patch drm-panel-boe-tv101wum-nl6-restore-mode_lpm-after-sending-disable-cmds.patch drm-panel-himax-hx83102-restore-mode_lpm-after-sending-disable-cmds.patch drm-radeon-add-missing-revision-check-for-ci.patch drm-xe-bo-fix-bo-leak-on-ggtt-flag-validation-in-xe_bo_init_locked.patch drm-xe-bo-fix-bo-leak-on-unaligned-size-validation-in-xe_bo_init_locked.patch drm-xe-fix-dma-buf-attachment-leak-in-xe_gem_prime_import.patch sched_ext-use-hk_type_domain_boot-to-detect-isolcpus-domain-isolation.patch sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch spi-bcmbca-hsspi-fix-controller-deregistration.patch spi-cadence-fix-controller-deregistration.patch spi-cadence-fix-unclocked-access-on-unbind.patch spi-coldfire-qspi-fix-controller-deregistration.patch spi-fsl-fix-controller-deregistration.patch spi-img-spfi-fix-controller-deregistration.patch spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch spi-mpc52xx-fix-controller-deregistration.patch spi-mpc52xx-fix-use-after-free-on-registration-failure.patch spi-mpc52xx-fix-use-after-free-on-unbind.patch spi-mxic-fix-controller-deregistration.patch spi-npcm-pspi-fix-controller-deregistration.patch spi-orion-fix-clock-imbalance-on-registration-failure.patch spi-orion-fix-controller-deregistration.patch spi-orion-fix-runtime-pm-leak-on-unbind.patch spi-pic32-sqi-fix-controller-deregistration.patch spi-rspi-fix-controller-deregistration.patch spi-sh-hspi-fix-controller-deregistration.patch spi-sprd-fix-controller-deregistration.patch --- diff --git a/queue-6.12/arm64-dts-ti-k3-am62a7-sk-fix-pin-name-in-comment-from-m19-to-n22.patch b/queue-6.12/arm64-dts-ti-k3-am62a7-sk-fix-pin-name-in-comment-from-m19-to-n22.patch new file mode 100644 index 0000000000..52a70b628a --- /dev/null +++ b/queue-6.12/arm64-dts-ti-k3-am62a7-sk-fix-pin-name-in-comment-from-m19-to-n22.patch @@ -0,0 +1,35 @@ +From 6ee0792d83d5c690205c350825a4c30746c0e0a2 Mon Sep 17 00:00:00 2001 +From: Siddharth Vadapalli +Date: Mon, 9 Mar 2026 10:25:32 +0530 +Subject: arm64: dts: ti: k3-am62a7-sk: Fix pin name in comment from M19 to N22 + +From: Siddharth Vadapalli + +commit 6ee0792d83d5c690205c350825a4c30746c0e0a2 upstream. + +The pin for GPMC0_CLK.GPIO0_31 at address 0x000F407C is N22 and not M19. +Hence, fix the pin name in the comment to avoid confusion. + +Fixes: 8f023012eb4a ("arm64: dts: ti: k3-am62a: Enable UHS mode support for SD cards") +Cc: stable@vger.kernel.org +Signed-off-by: Siddharth Vadapalli +Reviewed-by: Andrew Davis +Reviewed-by: Bryan Brattlof +Link: https://patch.msgid.link/20260309045539.2070793-1-s-vadapalli@ti.com +Signed-off-by: Vignesh Raghavendra +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/ti/k3-am62a7-sk.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/ti/k3-am62a7-sk.dts ++++ b/arch/arm64/boot/dts/ti/k3-am62a7-sk.dts +@@ -369,7 +369,7 @@ + + vddshv_sdio_pins_default: vddshv-sdio-default-pins { + pinctrl-single,pins = < +- AM62AX_IOPAD(0x07c, PIN_OUTPUT, 7) /* (M19) GPMC0_CLK.GPIO0_31 */ ++ AM62AX_IOPAD(0x07c, PIN_OUTPUT, 7) /* (N22) GPMC0_CLK.GPIO0_31 */ + >; + }; + }; diff --git a/queue-6.12/batman-adv-bla-only-purge-non-released-claims.patch b/queue-6.12/batman-adv-bla-only-purge-non-released-claims.patch new file mode 100644 index 0000000000..869978ca97 --- /dev/null +++ b/queue-6.12/batman-adv-bla-only-purge-non-released-claims.patch @@ -0,0 +1,52 @@ +From cf6b604011591865ae39ac82de8978c1120d17af Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 6 May 2026 22:20:51 +0200 +Subject: batman-adv: bla: only purge non-released claims + +From: Sven Eckelmann + +commit cf6b604011591865ae39ac82de8978c1120d17af upstream. + +When batadv_bla_purge_claims() goes through the list of claims, it is only +traversing the hash list with an rcu_read_lock(). Due to a potential +parallel batadv_claim_put(), it can happen that it encounters a claim which +was actually in the process of being released+freed by +batadv_claim_release(). In this case, backbone_gw is set to NULL before the +delayed RCU kfree is started. Calling batadv_bla_claim_get_backbone_gw() is +then no longer allowed because it would cause a NULL-ptr derefence. + +To avoid this, only claims with a valid reference counter must be purged. +All others are already taken care of. + +Cc: stable@kernel.org +Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -1288,6 +1288,13 @@ static void batadv_bla_purge_claims(stru + + rcu_read_lock(); + hlist_for_each_entry_rcu(claim, head, hash_entry) { ++ /* only purge claims not currently in the process of being released. ++ * Such claims could otherwise have a NULL-ptr backbone_gw set because ++ * they already went through batadv_claim_release() ++ */ ++ if (!kref_get_unless_zero(&claim->refcount)) ++ continue; ++ + backbone_gw = batadv_bla_claim_get_backbone_gw(claim); + if (now) + goto purge_now; +@@ -1313,6 +1320,7 @@ purge_now: + claim->addr, claim->vid); + skip: + batadv_backbone_gw_put(backbone_gw); ++ batadv_claim_put(claim); + } + rcu_read_unlock(); + } diff --git a/queue-6.12/batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch b/queue-6.12/batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch new file mode 100644 index 0000000000..f637ef1bc1 --- /dev/null +++ b/queue-6.12/batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch @@ -0,0 +1,38 @@ +From 4ae1709a314060a196981b344610d023ea841e57 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 6 May 2026 22:20:50 +0200 +Subject: batman-adv: bla: prevent use-after-free when deleting claims + +From: Sven Eckelmann + +commit 4ae1709a314060a196981b344610d023ea841e57 upstream. + +When batadv_bla_del_backbone_claims() removes all claims for a backbone, it +does this by dropping the link entry in the hash list. This list entry +itself was one of the references which need to be dropped at the same time +via batadv_claim_put(). + +But the batadv_claim_put() must not be done before the last access to the +claim object in this function. Otherwise the claim might be freed already +by the batadv_claim_release() function before the list entry was dropped. + +Cc: stable@kernel.org +Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -318,8 +318,8 @@ batadv_bla_del_backbone_claims(struct ba + if (claim->backbone_gw != backbone_gw) + continue; + +- batadv_claim_put(claim); + hlist_del_rcu(&claim->hash_entry); ++ batadv_claim_put(claim); + } + spin_unlock_bh(list_lock); + } diff --git a/queue-6.12/batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch b/queue-6.12/batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch new file mode 100644 index 0000000000..7ebe6debe2 --- /dev/null +++ b/queue-6.12/batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch @@ -0,0 +1,32 @@ +From ba9d20ee9076dac32c371116bacbe72480eb356c Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 6 May 2026 22:20:52 +0200 +Subject: batman-adv: bla: put backbone reference on failed claim hash insert + +From: Sven Eckelmann + +commit ba9d20ee9076dac32c371116bacbe72480eb356c upstream. + +When batadv_bla_add_claim() fails to insert a new claim into the hash, it +leaked a reference to the backbone_gw for which the claim was intended. +Call batadv_backbone_gw_put() on the error path to release the reference +and avoid leaking the backbone_gw object. + +Cc: stable@kernel.org +Fixes: 3db0decf1185 ("batman-adv: Fix non-atomic bla_claim::backbone_gw access") +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -723,6 +723,7 @@ static void batadv_bla_add_claim(struct + + if (unlikely(hash_added != 0)) { + /* only local changes happened. */ ++ batadv_backbone_gw_put(backbone_gw); + kfree(claim); + return; + } diff --git a/queue-6.12/batman-adv-fix-integer-overflow-on-buff_pos.patch b/queue-6.12/batman-adv-fix-integer-overflow-on-buff_pos.patch new file mode 100644 index 0000000000..236a99070e --- /dev/null +++ b/queue-6.12/batman-adv-fix-integer-overflow-on-buff_pos.patch @@ -0,0 +1,35 @@ +From 0799e5943611006b346b8813c7daf7dd5aa26bfd Mon Sep 17 00:00:00 2001 +From: Lyes Bourennani +Date: Wed, 22 Apr 2026 00:20:22 +0200 +Subject: batman-adv: fix integer overflow on buff_pos + +From: Lyes Bourennani + +commit 0799e5943611006b346b8813c7daf7dd5aa26bfd upstream. + +Fixing an integer overflow present in batadv_iv_ogm_send_to_if. The size +check is done using the int type in batadv_iv_ogm_aggr_packet whereas the +buff_pos variable uses the s16 type. This could lead to an out-of-bound +read. + +Cc: stable@vger.kernel.org +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Signed-off-by: Lyes Bourennani +Signed-off-by: Alexis Pinson +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_iv_ogm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -334,7 +334,7 @@ static void batadv_iv_ogm_send_to_if(str + struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface); + const char *fwd_str; + u8 packet_num; +- s16 buff_pos; ++ int buff_pos; + struct batadv_ogm_packet *batadv_ogm_packet; + struct sk_buff *skb; + u8 *packet_pos; diff --git a/queue-6.12/batman-adv-reject-new-tp_meter-sessions-during-teardown.patch b/queue-6.12/batman-adv-reject-new-tp_meter-sessions-during-teardown.patch new file mode 100644 index 0000000000..d4c370b56d --- /dev/null +++ b/queue-6.12/batman-adv-reject-new-tp_meter-sessions-during-teardown.patch @@ -0,0 +1,77 @@ +From 3243543592425beec83d453793e9d27caa0d8e66 Mon Sep 17 00:00:00 2001 +From: Jiexun Wang +Date: Mon, 27 Apr 2026 14:43:33 +0800 +Subject: batman-adv: reject new tp_meter sessions during teardown + +From: Jiexun Wang + +commit 3243543592425beec83d453793e9d27caa0d8e66 upstream. + +Prevent tp_meter from starting new sender or receiver sessions after +mesh_state has left BATADV_MESH_ACTIVE. + +Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Co-developed-by: Luxing Yin +Signed-off-by: Luxing Yin +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/tp_meter.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/tp_meter.c ++++ b/net/batman-adv/tp_meter.c +@@ -947,6 +947,13 @@ void batadv_tp_start(struct batadv_priv + + /* look for an already existing test towards this node */ + spin_lock_bh(&bat_priv->tp_list_lock); ++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE) { ++ spin_unlock_bh(&bat_priv->tp_list_lock); ++ batadv_tp_batctl_error_notify(BATADV_TP_REASON_DST_UNREACHABLE, ++ dst, bat_priv, session_cookie); ++ return; ++ } ++ + tp_vars = batadv_tp_list_find(bat_priv, dst); + if (tp_vars) { + spin_unlock_bh(&bat_priv->tp_list_lock); +@@ -1329,9 +1336,12 @@ static struct batadv_tp_vars * + batadv_tp_init_recv(struct batadv_priv *bat_priv, + const struct batadv_icmp_tp_packet *icmp) + { +- struct batadv_tp_vars *tp_vars; ++ struct batadv_tp_vars *tp_vars = NULL; + + spin_lock_bh(&bat_priv->tp_list_lock); ++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE) ++ goto out_unlock; ++ + tp_vars = batadv_tp_list_find_session(bat_priv, icmp->orig, + icmp->session); + if (tp_vars) +@@ -1464,6 +1474,9 @@ void batadv_tp_meter_recv(struct batadv_ + { + struct batadv_icmp_tp_packet *icmp; + ++ if (atomic_read(&bat_priv->mesh_state) != BATADV_MESH_ACTIVE) ++ goto out; ++ + icmp = (struct batadv_icmp_tp_packet *)skb->data; + + switch (icmp->subtype) { +@@ -1478,6 +1491,8 @@ void batadv_tp_meter_recv(struct batadv_ + "Received unknown TP Metric packet type %u\n", + icmp->subtype); + } ++ ++out: + consume_skb(skb); + } + diff --git a/queue-6.12/batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch b/queue-6.12/batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch new file mode 100644 index 0000000000..a50b1e7e81 --- /dev/null +++ b/queue-6.12/batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch @@ -0,0 +1,174 @@ +From f03e8583532941b07761c5429de7d50766fa3110 Mon Sep 17 00:00:00 2001 +From: Jiexun Wang +Date: Sun, 3 May 2026 12:28:58 +0800 +Subject: batman-adv: stop caching unowned originator pointers in BAT IV + +From: Jiexun Wang + +commit f03e8583532941b07761c5429de7d50766fa3110 upstream. + +BAT IV keeps the last-hop neighbor address in each neigh_node, but some +paths also cache an originator pointer derived from a temporary lookup. +That pointer is not owned by the neigh_node and may no longer refer to a +live originator entry after purge handling runs. + +Stop storing the auxiliary originator pointer in the BAT IV neighbor +state. When BAT IV needs the neighbor originator data, resolve it from +the stored neighbor address and drop the reference again after use. + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Jiexun Wang +Signed-off-by: Ren Wei +[sven: avoid bonding logic for outgoing OGM] +Signed-off-by: Sven Eckelmann +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_iv_ogm.c | 83 +++++++++++++++++++++++++++++++------------- + 1 file changed, 59 insertions(+), 24 deletions(-) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -172,19 +172,12 @@ free_orig_node_hash: + static struct batadv_neigh_node * + batadv_iv_ogm_neigh_new(struct batadv_hard_iface *hard_iface, + const u8 *neigh_addr, +- struct batadv_orig_node *orig_node, +- struct batadv_orig_node *orig_neigh) ++ struct batadv_orig_node *orig_node) + { + struct batadv_neigh_node *neigh_node; + + neigh_node = batadv_neigh_node_get_or_create(orig_node, + hard_iface, neigh_addr); +- if (!neigh_node) +- goto out; +- +- neigh_node->orig_node = orig_neigh; +- +-out: + return neigh_node; + } + +@@ -901,6 +894,31 @@ static u8 batadv_iv_orig_ifinfo_sum(stru + } + + /** ++ * batadv_iv_ogm_neigh_ifinfo_sum() - Get bcast_own sum for a last-hop neighbor ++ * @bat_priv: the bat priv with all the mesh interface information ++ * @neigh_node: last-hop neighbor of an originator ++ * ++ * Return: Number of replied (rebroadcasted) OGMs for the originator currently ++ * announced by the neighbor. Returns 0 if the neighbor's originator entry is ++ * not available anymore. ++ */ ++static u8 batadv_iv_ogm_neigh_ifinfo_sum(struct batadv_priv *bat_priv, ++ const struct batadv_neigh_node *neigh_node) ++{ ++ struct batadv_orig_node *orig_neigh; ++ u8 sum; ++ ++ orig_neigh = batadv_orig_hash_find(bat_priv, neigh_node->addr); ++ if (!orig_neigh) ++ return 0; ++ ++ sum = batadv_iv_orig_ifinfo_sum(orig_neigh, neigh_node->if_incoming); ++ batadv_orig_node_put(orig_neigh); ++ ++ return sum; ++} ++ ++/** + * batadv_iv_ogm_orig_update() - use OGM to update corresponding data in an + * originator + * @bat_priv: the bat priv with all the soft interface information +@@ -969,17 +987,9 @@ batadv_iv_ogm_orig_update(struct batadv_ + } + + if (!neigh_node) { +- struct batadv_orig_node *orig_tmp; +- +- orig_tmp = batadv_iv_ogm_orig_get(bat_priv, ethhdr->h_source); +- if (!orig_tmp) +- goto unlock; +- + neigh_node = batadv_iv_ogm_neigh_new(if_incoming, + ethhdr->h_source, +- orig_node, orig_tmp); +- +- batadv_orig_node_put(orig_tmp); ++ orig_node); + if (!neigh_node) + goto unlock; + } else { +@@ -1031,10 +1041,9 @@ batadv_iv_ogm_orig_update(struct batadv_ + */ + if (router_ifinfo && + neigh_ifinfo->bat_iv.tq_avg == router_ifinfo->bat_iv.tq_avg) { +- sum_orig = batadv_iv_orig_ifinfo_sum(router->orig_node, +- router->if_incoming); +- sum_neigh = batadv_iv_orig_ifinfo_sum(neigh_node->orig_node, +- neigh_node->if_incoming); ++ sum_orig = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv, router); ++ sum_neigh = batadv_iv_ogm_neigh_ifinfo_sum(bat_priv, ++ neigh_node); + if (sum_orig >= sum_neigh) + goto out; + } +@@ -1100,7 +1109,6 @@ static bool batadv_iv_ogm_calc_tq(struct + if (!neigh_node) + neigh_node = batadv_iv_ogm_neigh_new(if_incoming, + orig_neigh_node->orig, +- orig_neigh_node, + orig_neigh_node); + + if (!neigh_node) +@@ -1297,6 +1305,32 @@ out: + } + + /** ++ * batadv_orig_to_direct_router() - get direct next hop neighbor to an orig address ++ * @bat_priv: the bat priv with all the mesh interface information ++ * @orig_addr: the originator MAC address to search the best next hop router for ++ * @if_outgoing: the interface where the OGM should be sent to ++ * ++ * Return: A neighbor node which is the best router towards the given originator ++ * address. Bonding candidates are ignored. ++ */ ++static struct batadv_neigh_node * ++batadv_orig_to_direct_router(struct batadv_priv *bat_priv, u8 *orig_addr, ++ struct batadv_hard_iface *if_outgoing) ++{ ++ struct batadv_neigh_node *neigh_node; ++ struct batadv_orig_node *orig_node; ++ ++ orig_node = batadv_orig_hash_find(bat_priv, orig_addr); ++ if (!orig_node) ++ return NULL; ++ ++ neigh_node = batadv_orig_router_get(orig_node, if_outgoing); ++ batadv_orig_node_put(orig_node); ++ ++ return neigh_node; ++} ++ ++/** + * batadv_iv_ogm_process_per_outif() - process a batman iv OGM for an outgoing + * interface + * @skb: the skb containing the OGM +@@ -1366,8 +1400,9 @@ batadv_iv_ogm_process_per_outif(const st + + router = batadv_orig_router_get(orig_node, if_outgoing); + if (router) { +- router_router = batadv_orig_router_get(router->orig_node, +- if_outgoing); ++ router_router = batadv_orig_to_direct_router(bat_priv, ++ router->addr, ++ if_outgoing); + router_ifinfo = batadv_neigh_ifinfo_get(router, if_outgoing); + } + diff --git a/queue-6.12/drm-amd-display-change-dither-policy-for-10-bpc-output-back-to-dithering.patch b/queue-6.12/drm-amd-display-change-dither-policy-for-10-bpc-output-back-to-dithering.patch new file mode 100644 index 0000000000..d447af7e2b --- /dev/null +++ b/queue-6.12/drm-amd-display-change-dither-policy-for-10-bpc-output-back-to-dithering.patch @@ -0,0 +1,90 @@ +From d65bfb1782304b03862c8c725fac608015dffd36 Mon Sep 17 00:00:00 2001 +From: Mario Kleiner +Date: Sat, 21 Mar 2026 06:20:33 +0100 +Subject: drm/amd/display: Change dither policy for 10 bpc output back to dithering + +From: Mario Kleiner + +commit d65bfb1782304b03862c8c725fac608015dffd36 upstream. + +Commit d5df648ec830 ("drm/amd/display: Change dither policy for 10bpc to +round") degraded display of 12 bpc color precision output to 10 bpc sinks +by switching 10 bpc output from dithering to "truncate to 10 bpc". + +I don't find the argumentation in that commit convincing, but the +consequences highly unfortunate, especially for applications that +require effective > 10 bpc precision output of > 10 bpc framebuffers. + +The argument wasn't something strong like "there are hardware design +defects or limitations which require us to work around broken dithering +to 10 bpc", or "there are some special use cases which do require +truncation to 10 bpc", but essentially "at some point in the past we +used truncation in Polaris/Vega times and it looks like it got +inadvertently changed for Navi, so let's do that again". I couldn't find +evidence for that in the git commit logs for this. The commit message also +acknowledges that using dithering "...makes some sense for FP16... +...but not for ARGB2101010 surfaces..." + +The problem with this is that it makes fp16 surfaces, and especially +rgba16 fixed point surfaces, less useful. These are now well +supported by Mesa 25.3 and later via OpenGL + EGL, Vulkan/WSI, and by +OSS AMDVLK Vulkan/WSI/display, and also by GNOME 50 mutter under Wayland, +and they used to provide more than 10 bpc effective precision at the +output. + +Even for 8 or 10 bpc surfaces, the color pipeline behind the framebuffer, +e.g., gamma tables, CTM, can be used for color correction and will +benefit from an effective > 10 bpc output precision via dithering, +retaining some precision that would get lost on the way through the +pipeline, e.g., due to non-linear gamma functions. + +Scientific apps rely on this for > 10 bpc display precision. Truncating +to 10 bpc, instead of dithering the pipeline internal 12 bpc precision +down to 10 bpc, causes a serious loss of precision. This also creates the +undesirable and slightly absurd situation that using a cheap monitor +with only 8 bpc input and display panel will yield roughly 12 bpc +precision via dithering from 12 -> 8 bpc, whereas investment into a +more expensive monitor with 10 bpc input and native 10 bpc display will +only yield 10 bpc, even if a fp16 or rgb16 framebuffer and/or a properly +set up color pipeline (gamma tables, CTM's etc. with more than 10 bpc out +precision) would allow effective 12 bpc precision output. + +Therefore this patch proposes reverting that commit and going back to +dithering down to 10 bpc, consistent with the behaviour for 6 bpc or 8 bpc +output. + +Successfully tested on AMD Polaris DCE 11.2 and Raven Ridge DCN 1.0 with +a native 10 bpc capable monitor, outputting a RGBA16 unorm framebuffer and +measuring resulting color precision with a photometer. No apparent visual +artifacts or problems were observed, and effective precision was measured +to be 12 bpc again, as expected. + +Fixes: d5df648ec830 ("drm/amd/display: Change dither policy for 10bpc to round") +Signed-off-by: Mario Kleiner +Tested-by: Mario Kleiner +Cc: stable@vger.kernel.org +Cc: Aric Cyr +Cc: Anthony Koo +Cc: Rodrigo Siqueira +Cc: Krunoslav Kovac +Cc: Alex Deucher +Reported-by: Mario Kleiner +Signed-off-by: Harry Wentland +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -4693,7 +4693,7 @@ void resource_build_bit_depth_reduction_ + option = DITHER_OPTION_SPATIAL8; + break; + case COLOR_DEPTH_101010: +- option = DITHER_OPTION_TRUN10; ++ option = DITHER_OPTION_SPATIAL10; + break; + default: + option = DITHER_OPTION_DISABLE; diff --git a/queue-6.12/drm-amd-pm-fix-incorrect-featurectrlmask-setting-on-smu-v14.0.x.patch b/queue-6.12/drm-amd-pm-fix-incorrect-featurectrlmask-setting-on-smu-v14.0.x.patch new file mode 100644 index 0000000000..613e93cbb7 --- /dev/null +++ b/queue-6.12/drm-amd-pm-fix-incorrect-featurectrlmask-setting-on-smu-v14.0.x.patch @@ -0,0 +1,73 @@ +From 504f0098ebd074ac8c0ce3471795d79f68e3d265 Mon Sep 17 00:00:00 2001 +From: Yang Wang +Date: Thu, 2 Apr 2026 22:44:29 -0400 +Subject: drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x + +From: Yang Wang + +commit 504f0098ebd074ac8c0ce3471795d79f68e3d265 upstream. + +OverDriveTable.FanMinimumPwm and FeatureCtrlMask.PP_OD_FEATURE_FAN_LEGACY_BIT +have a hard dependency. +Invalid handling of this dependency leads to disabled thermal monitoring +and temperature boundary validation. + +v2: squash in typo fix (Yang) + +Fixes: 9710b84e2a6a ("drm/amd/pm: add overdrive support on smu v14.0.2/3") +Cc: stable@vger.kernel.org +Signed-off-by: Yang Wang +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c +@@ -2424,6 +2424,7 @@ static int smu_v14_0_2_od_restore_table_ + } + od_table->OverDriveTable.FanMode = FAN_MODE_AUTO; + od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_CURVE_BIT); ++ od_table->OverDriveTable.FeatureCtrlMask &= ~BIT(PP_OD_FEATURE_FAN_LEGACY_BIT); + break; + case PP_OD_EDIT_ACOUSTIC_LIMIT: + od_table->OverDriveTable.AcousticLimitRpmThreshold = +@@ -2447,7 +2448,8 @@ static int smu_v14_0_2_od_restore_table_ + od_table->OverDriveTable.FanMinimumPwm = + boot_overdrive_table->OverDriveTable.FanMinimumPwm; + od_table->OverDriveTable.FanMode = FAN_MODE_AUTO; +- od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_CURVE_BIT); ++ od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_LEGACY_BIT); ++ od_table->OverDriveTable.FeatureCtrlMask &= ~BIT(PP_OD_FEATURE_FAN_CURVE_BIT); + break; + default: + dev_info(adev->dev, "Invalid table index: %ld\n", input); +@@ -2617,6 +2619,7 @@ static int smu_v14_0_2_od_edit_dpm_table + od_table->OverDriveTable.FanLinearPwmPoints[input[0]] = input[2]; + od_table->OverDriveTable.FanMode = FAN_MODE_MANUAL_LINEAR; + od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_CURVE_BIT); ++ od_table->OverDriveTable.FeatureCtrlMask &= ~BIT(PP_OD_FEATURE_FAN_LEGACY_BIT); + break; + + case PP_OD_EDIT_ACOUSTIC_LIMIT: +@@ -2686,7 +2689,7 @@ static int smu_v14_0_2_od_edit_dpm_table + break; + + case PP_OD_EDIT_FAN_MINIMUM_PWM: +- if (!smu_v14_0_2_is_od_feature_supported(smu, PP_OD_FEATURE_FAN_CURVE_BIT)) { ++ if (!smu_v14_0_2_is_od_feature_supported(smu, PP_OD_FEATURE_FAN_LEGACY_BIT)) { + dev_warn(adev->dev, "Fan curve setting not supported!\n"); + return -ENOTSUPP; + } +@@ -2704,7 +2707,8 @@ static int smu_v14_0_2_od_edit_dpm_table + + od_table->OverDriveTable.FanMinimumPwm = input[0]; + od_table->OverDriveTable.FanMode = FAN_MODE_AUTO; +- od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_CURVE_BIT); ++ od_table->OverDriveTable.FeatureCtrlMask |= BIT(PP_OD_FEATURE_FAN_LEGACY_BIT); ++ od_table->OverDriveTable.FeatureCtrlMask &= ~BIT(PP_OD_FEATURE_FAN_CURVE_BIT); + break; + + case PP_OD_RESTORE_DEFAULT_TABLE: diff --git a/queue-6.12/drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch b/queue-6.12/drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch new file mode 100644 index 0000000000..6ca1252415 --- /dev/null +++ b/queue-6.12/drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch @@ -0,0 +1,54 @@ +From 66085e206431ef88ce36f53c1f53d570790ccc9e Mon Sep 17 00:00:00 2001 +From: Benjamin Cheng +Date: Wed, 25 Mar 2026 08:39:19 -0400 +Subject: drm/amdgpu: Add bounds checking to ib_{get,set}_value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benjamin Cheng + +commit 66085e206431ef88ce36f53c1f53d570790ccc9e upstream. + +The uvd/vce/vcn code accesses the IB at predefined offsets without +checking that the IB is large enough. Check the bounds here. The caller +is responsible for making sure it can handle arbitrary return values. + +Also make the idx a uint32_t to prevent overflows causing the condition +to fail. + +Signed-off-by: Benjamin Cheng +Reviewed-by: Christian König +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h +@@ -471,15 +471,18 @@ void amdgpu_debugfs_ring_init(struct amd + + int amdgpu_ring_init_mqd(struct amdgpu_ring *ring); + +-static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, int idx) ++static inline u32 amdgpu_ib_get_value(struct amdgpu_ib *ib, uint32_t idx) + { +- return ib->ptr[idx]; ++ if (idx < ib->length_dw) ++ return ib->ptr[idx]; ++ return 0; + } + +-static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, int idx, ++static inline void amdgpu_ib_set_value(struct amdgpu_ib *ib, uint32_t idx, + uint32_t value) + { +- ib->ptr[idx] = value; ++ if (idx < ib->length_dw) ++ ib->ptr[idx] = value; + } + + int amdgpu_ib_get(struct amdgpu_device *adev, struct amdgpu_vm *vm, diff --git a/queue-6.12/drm-amdgpu-gate-vm-cpu-hdp-flush-on-reset-lock.patch b/queue-6.12/drm-amdgpu-gate-vm-cpu-hdp-flush-on-reset-lock.patch new file mode 100644 index 0000000000..628fde995a --- /dev/null +++ b/queue-6.12/drm-amdgpu-gate-vm-cpu-hdp-flush-on-reset-lock.patch @@ -0,0 +1,67 @@ +From ddda81c4d7e71e41b1be91d921fd85747eddbd12 Mon Sep 17 00:00:00 2001 +From: Chenglei Xie +Date: Tue, 7 Apr 2026 10:51:24 -0400 +Subject: drm/amdgpu: gate VM CPU HDP flush on reset lock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chenglei Xie + +commit ddda81c4d7e71e41b1be91d921fd85747eddbd12 upstream. + +During GPU reset, the application could still run CPU page table updates. Each commit called +amdgpu_device_flush_hdp(), which on SR-IOV sends work through the KIQ ring. +That can advance sync_seq while the GPU is being reset, +leaving fence writeback out of sync and causing amdgpu_fence_emit_polling() +to time out on later KIQ use. + +Fix: +amdgpu_vm_cpu_commit(): + Reset will flush HDP anyway, the HDP flush in amdgpu_vm_cpu_commit() can be skipped + when a reset is ongoging. + Take reset_domain->sem with down_read_trylock() before amdgpu_device_flush_hdp(). + If the reset path holds the write lock, skip the HDP flush so no HDP-related HW + access (including KIQ) runs during reset; state is re-established after reset. + +Signed-off-by: Chenglei Xie +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm_cpu.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_cpu.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_cpu.c +@@ -21,6 +21,8 @@ + */ + + #include "amdgpu_vm.h" ++#include "amdgpu.h" ++#include "amdgpu_reset.h" + #include "amdgpu_object.h" + #include "amdgpu_trace.h" + +@@ -106,11 +108,19 @@ static int amdgpu_vm_cpu_update(struct a + static int amdgpu_vm_cpu_commit(struct amdgpu_vm_update_params *p, + struct dma_fence **fence) + { ++ struct amdgpu_device *adev = p->adev; ++ + if (p->needs_flush) + atomic64_inc(&p->vm->tlb_seq); + + mb(); +- amdgpu_device_flush_hdp(p->adev, NULL); ++ /* A reset flushed the HDP anyway, so that here can be skipped when a reset is ongoing */ ++ if (!down_read_trylock(&adev->reset_domain->sem)) ++ return 0; ++ ++ amdgpu_device_flush_hdp(adev, NULL); ++ up_read(&adev->reset_domain->sem); ++ + return 0; + } + diff --git a/queue-6.12/drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch b/queue-6.12/drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch new file mode 100644 index 0000000000..e8c2cc5b6f --- /dev/null +++ b/queue-6.12/drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch @@ -0,0 +1,43 @@ +From 7bbfb2559bcec39d1a4e1182d931a2046112c352 Mon Sep 17 00:00:00 2001 +From: "John B. Moore" +Date: Tue, 28 Apr 2026 11:35:12 -0500 +Subject: drm/amdgpu/gfx9: drop unnecessary 64-bit fence flag check in KIQ +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John B. Moore + +commit 7bbfb2559bcec39d1a4e1182d931a2046112c352 upstream. + +Remove the BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT) assertion from +gfx_v9_0_ring_emit_fence_kiq(). The KIQ hardware supports 64-bit +fence writes; the 32-bit writeback address constraint is an +upper-layer convention, not a hardware limitation. The check serves +no purpose and should not be present. + +Found by code inspection while investigating related BUG_ON +assertions in the GFX and compute ring emission paths. + +Reviewed-by: Christian König +Signed-off-by: John B. Moore +Signed-off-by: Alex Deucher +(cherry picked from commit 1b1101a46a426bb4328116bb5273c326a2780389) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 3 --- + 1 file changed, 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -5637,9 +5637,6 @@ static void gfx_v9_0_ring_emit_fence_kiq + { + struct amdgpu_device *adev = ring->adev; + +- /* we only allocate 32bit for each seq wb address */ +- BUG_ON(flags & AMDGPU_FENCE_FLAG_64BIT); +- + /* write fence seq to the "addr" */ + amdgpu_ring_write(ring, PACKET3(PACKET3_WRITE_DATA, 3)); + amdgpu_ring_write(ring, (WRITE_DATA_ENGINE_SEL(0) | diff --git a/queue-6.12/drm-amdgpu-pm-add-missing-revision-check-for-ci.patch b/queue-6.12/drm-amdgpu-pm-add-missing-revision-check-for-ci.patch new file mode 100644 index 0000000000..2784e40a04 --- /dev/null +++ b/queue-6.12/drm-amdgpu-pm-add-missing-revision-check-for-ci.patch @@ -0,0 +1,41 @@ +From 2a561b361b7681509710f3cfc3d95d54c87ac69f Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 27 Apr 2026 11:38:58 -0400 +Subject: drm/amdgpu/pm: add missing revision check for CI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 2a561b361b7681509710f3cfc3d95d54c87ac69f upstream. + +The ci_populate_all_memory_levels() workaround only +applies to revision 0 SKUs. + +Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816 +Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)") +Reviewed-by: Timur Kristóf +Reviewed-by: Kent Russell +Signed-off-by: Alex Deucher +(cherry picked from commit 1db15ba8f72f400bbad8ae0ce24fafc43429d4bd) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c +@@ -1326,8 +1326,9 @@ static int ci_populate_all_memory_levels + + dev_id = adev->pdev->device; + +- if ((dpm_table->mclk_table.count >= 2) +- && ((dev_id == 0x67B0) || (dev_id == 0x67B1))) { ++ if ((dpm_table->mclk_table.count >= 2) && ++ ((dev_id == 0x67B0) || (dev_id == 0x67B1)) && ++ (adev->pdev->revision == 0)) { + smu_data->smc_state_table.MemoryLevel[1].MinVddci = + smu_data->smc_state_table.MemoryLevel[0].MinVddci; + smu_data->smc_state_table.MemoryLevel[1].MinMvdd = diff --git a/queue-6.12/drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch b/queue-6.12/drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch new file mode 100644 index 0000000000..7d0d8ba484 --- /dev/null +++ b/queue-6.12/drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch @@ -0,0 +1,43 @@ +From 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 28 Apr 2026 10:42:49 -0400 +Subject: drm/amdgpu/pm: align Hawaii mclk workaround with radeon +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 1987c79b4fe5789dfa14423e78b5c25f6acf3e9d upstream. + +Align the hawaii mclk workaround with radeon and windows. + +Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816 +Fixes: 9f4b35411cfe ("drm/amd/powerplay: add CI asics support to smumgr (v3)") +Reviewed-by: Timur Kristóf +Reviewed-by: Kent Russell +Signed-off-by: Alex Deucher +(cherry picked from commit 9649528b637f668c5af9f2b83ca4ad8576ae2121) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/ci_smumgr.c +@@ -1329,10 +1329,10 @@ static int ci_populate_all_memory_levels + if ((dpm_table->mclk_table.count >= 2) && + ((dev_id == 0x67B0) || (dev_id == 0x67B1)) && + (adev->pdev->revision == 0)) { +- smu_data->smc_state_table.MemoryLevel[1].MinVddci = +- smu_data->smc_state_table.MemoryLevel[0].MinVddci; +- smu_data->smc_state_table.MemoryLevel[1].MinMvdd = +- smu_data->smc_state_table.MemoryLevel[0].MinMvdd; ++ smu_data->smc_state_table.MemoryLevel[1].MinVddc = ++ smu_data->smc_state_table.MemoryLevel[0].MinVddc; ++ smu_data->smc_state_table.MemoryLevel[1].MinVddcPhases = ++ smu_data->smc_state_table.MemoryLevel[0].MinVddcPhases; + } + smu_data->smc_state_table.MemoryLevel[0].ActivityLevel = 0x1F; + CONVERT_FROM_HOST_TO_SMC_US(smu_data->smc_state_table.MemoryLevel[0].ActivityLevel); diff --git a/queue-6.12/drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch b/queue-6.12/drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch new file mode 100644 index 0000000000..e084bc6455 --- /dev/null +++ b/queue-6.12/drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch @@ -0,0 +1,57 @@ +From 78d2e624fa073c14970aa097adcf3ea31c157a66 Mon Sep 17 00:00:00 2001 +From: "John B. Moore" +Date: Mon, 27 Apr 2026 16:06:28 -0500 +Subject: drm/amdgpu/sdma4: replace BUG_ON with WARN_ON in fence emission +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John B. Moore + +commit 78d2e624fa073c14970aa097adcf3ea31c157a66 upstream. + +sdma_v4_0_ring_emit_fence() contains two BUG_ON(addr & 0x3) assertions +that verify fence writeback addresses are dword-aligned. These +assertions can be reached from unprivileged userspace via crafted +DRM_IOCTL_AMDGPU_CS submissions, causing a fatal kernel panic in a +scheduler worker thread. + +Replace both BUG_ON() calls with WARN_ON() to log the condition without +crashing the kernel. A misaligned fence address at this point indicates +a driver bug, but crashing the kernel is never the correct response when +the assertion is reachable from userspace. + +The CS IOCTL path is the correct place to filter invalid submissions; +the ring emission callback is too late to do anything about it. + +Fixes: 2130f89ced2c ("drm/amdgpu: add SDMA v4.0 implementation (v2)") +Reviewed-by: Christian König +Signed-off-by: John B. Moore +Signed-off-by: Alex Deucher +(cherry picked from commit b90250bd933afd1ba94d86d6b13821997b22b18e) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_0.c +@@ -890,7 +890,7 @@ static void sdma_v4_0_ring_emit_fence(st + /* write the fence */ + amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE)); + /* zero in first two bits */ +- BUG_ON(addr & 0x3); ++ WARN_ON(addr & 0x3); + amdgpu_ring_write(ring, lower_32_bits(addr)); + amdgpu_ring_write(ring, upper_32_bits(addr)); + amdgpu_ring_write(ring, lower_32_bits(seq)); +@@ -900,7 +900,7 @@ static void sdma_v4_0_ring_emit_fence(st + addr += 4; + amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_FENCE)); + /* zero in first two bits */ +- BUG_ON(addr & 0x3); ++ WARN_ON(addr & 0x3); + amdgpu_ring_write(ring, lower_32_bits(addr)); + amdgpu_ring_write(ring, upper_32_bits(addr)); + amdgpu_ring_write(ring, upper_32_bits(seq)); diff --git a/queue-6.12/drm-amdgpu-use-smuio-15.0.0-offsets-for-tsc-upper-and-lower-count.patch b/queue-6.12/drm-amdgpu-use-smuio-15.0.0-offsets-for-tsc-upper-and-lower-count.patch new file mode 100644 index 0000000000..77c4049864 --- /dev/null +++ b/queue-6.12/drm-amdgpu-use-smuio-15.0.0-offsets-for-tsc-upper-and-lower-count.patch @@ -0,0 +1,69 @@ +From 574b3b14f7d1b329fc6e67b79328f0e6f4d4b3d4 Mon Sep 17 00:00:00 2001 +From: "Ramalingeswara Reddy, Kanala" +Date: Tue, 31 Mar 2026 17:23:22 +0530 +Subject: drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count. + +From: Ramalingeswara Reddy, Kanala + +commit 574b3b14f7d1b329fc6e67b79328f0e6f4d4b3d4 upstream. + +Define and use regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0 and +regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0 for TSC upper and lower count. + +Acked-by: Alex Deucher +Reviewed-by: Pratik Vishwakarma +Signed-off-by: Ramalingeswara Reddy, Kanala +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c +@@ -63,6 +63,11 @@ + #define regPC_CONFIG_CNTL_1 0x194d + #define regPC_CONFIG_CNTL_1_BASE_IDX 1 + ++#define regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0 0x0030 ++#define regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0_BASE_IDX 1 ++#define regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0 0x0031 ++#define regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0_BASE_IDX 1 ++ + #define regCP_GFX_MQD_CONTROL_DEFAULT 0x00000100 + #define regCP_GFX_HQD_VMID_DEFAULT 0x00000000 + #define regCP_GFX_HQD_QUEUE_PRIORITY_DEFAULT 0x00000000 +@@ -4975,11 +4980,27 @@ static uint64_t gfx_v11_0_get_gpu_clock_ + amdgpu_gfx_off_ctrl(adev, true); + } else { + preempt_disable(); +- clock_counter_hi_pre = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER); +- clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER); +- clock_counter_hi_after = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_UPPER); +- if (clock_counter_hi_pre != clock_counter_hi_after) +- clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, regGOLDEN_TSC_COUNT_LOWER); ++ if (amdgpu_ip_version(adev, SMUIO_HWIP, 0) < IP_VERSION(15, 0, 0)) { ++ clock_counter_hi_pre = (uint64_t)RREG32_SOC15(SMUIO, 0, ++ regGOLDEN_TSC_COUNT_UPPER); ++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, ++ regGOLDEN_TSC_COUNT_LOWER); ++ clock_counter_hi_after = (uint64_t)RREG32_SOC15(SMUIO, 0, ++ regGOLDEN_TSC_COUNT_UPPER); ++ if (clock_counter_hi_pre != clock_counter_hi_after) ++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, ++ regGOLDEN_TSC_COUNT_LOWER); ++ } else { ++ clock_counter_hi_pre = (uint64_t)RREG32_SOC15(SMUIO, 0, ++ regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0); ++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, ++ regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0); ++ clock_counter_hi_after = (uint64_t)RREG32_SOC15(SMUIO, 0, ++ regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0); ++ if (clock_counter_hi_pre != clock_counter_hi_after) ++ clock_counter_lo = (uint64_t)RREG32_SOC15(SMUIO, 0, ++ regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0); ++ } + preempt_enable(); + } + clock = clock_counter_lo | (clock_counter_hi_after << 32ULL); diff --git a/queue-6.12/drm-amdgpu-vce-prevent-partial-address-patches.patch b/queue-6.12/drm-amdgpu-vce-prevent-partial-address-patches.patch new file mode 100644 index 0000000000..560bf622f1 --- /dev/null +++ b/queue-6.12/drm-amdgpu-vce-prevent-partial-address-patches.patch @@ -0,0 +1,33 @@ +From de2a02cc28d6d5d37db07d00a9a684c754a5fd74 Mon Sep 17 00:00:00 2001 +From: Benjamin Cheng +Date: Mon, 30 Mar 2026 15:01:27 -0400 +Subject: drm/amdgpu/vce: Prevent partial address patches + +From: Benjamin Cheng + +commit de2a02cc28d6d5d37db07d00a9a684c754a5fd74 upstream. + +In the case that only one of lo/hi is valid, the patching could result +in a bad address written to in FW. + +Signed-off-by: Benjamin Cheng +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c +@@ -655,6 +655,9 @@ static int amdgpu_vce_cs_reloc(struct am + uint64_t addr; + int r; + ++ if (lo >= ib->length_dw || hi >= ib->length_dw) ++ return -EINVAL; ++ + if (index == 0xffffffff) + index = 0; + diff --git a/queue-6.12/drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch b/queue-6.12/drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch new file mode 100644 index 0000000000..e4216509fd --- /dev/null +++ b/queue-6.12/drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch @@ -0,0 +1,92 @@ +From b193019860d61e92da395eae2011f2f6716b182f Mon Sep 17 00:00:00 2001 +From: Benjamin Cheng +Date: Tue, 24 Mar 2026 16:25:56 -0400 +Subject: drm/amdgpu/vcn3: Prevent OOB reads when parsing dec msg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benjamin Cheng + +commit b193019860d61e92da395eae2011f2f6716b182f upstream. + +Check bounds against the end of the BO whenever we access the msg. + +Signed-off-by: Benjamin Cheng +Reviewed-by: Christian König +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v3_0.c +@@ -1843,7 +1843,7 @@ static int vcn_v3_0_dec_msg(struct amdgp + { + struct ttm_operation_ctx ctx = { false, false }; + struct amdgpu_bo_va_mapping *map; +- uint32_t *msg, num_buffers; ++ uint32_t *msg, num_buffers, len_dw; + struct amdgpu_bo *bo; + uint64_t start, end; + unsigned int i; +@@ -1864,6 +1864,11 @@ static int vcn_v3_0_dec_msg(struct amdgp + return -EINVAL; + } + ++ if (end - addr < 16) { ++ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n"); ++ return -EINVAL; ++ } ++ + bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED; + amdgpu_bo_placement_from_domain(bo, bo->allowed_domains); + r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx); +@@ -1880,8 +1885,8 @@ static int vcn_v3_0_dec_msg(struct amdgp + + msg = ptr + addr - start; + +- /* Check length */ + if (msg[1] > end - addr) { ++ DRM_ERROR("VCN message header does not fit in BO!\n"); + r = -EINVAL; + goto out; + } +@@ -1889,7 +1894,16 @@ static int vcn_v3_0_dec_msg(struct amdgp + if (msg[3] != RDECODE_MSG_CREATE) + goto out; + ++ len_dw = msg[1] / 4; + num_buffers = msg[2]; ++ ++ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */ ++ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) { ++ DRM_ERROR("VCN message has too many buffers!\n"); ++ r = -EINVAL; ++ goto out; ++ } ++ + for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) { + uint32_t offset, size, *create; + +@@ -1899,14 +1913,15 @@ static int vcn_v3_0_dec_msg(struct amdgp + offset = msg[1]; + size = msg[2]; + +- if (offset + size > end) { ++ if (size < 4 || offset + size > end - addr) { ++ DRM_ERROR("VCN message buffer exceeds BO bounds!\n"); + r = -EINVAL; + goto out; + } + + create = ptr + addr + offset - start; + +- /* H246, HEVC and VP9 can run on any instance */ ++ /* H264, HEVC and VP9 can run on any instance */ + if (create[0] == 0x7 || create[0] == 0x10 || create[0] == 0x11) + continue; + diff --git a/queue-6.12/drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch b/queue-6.12/drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch new file mode 100644 index 0000000000..4323843d8b --- /dev/null +++ b/queue-6.12/drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch @@ -0,0 +1,84 @@ +From 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 Mon Sep 17 00:00:00 2001 +From: Benjamin Cheng +Date: Wed, 25 Mar 2026 09:09:27 -0400 +Subject: drm/amdgpu/vcn4: Prevent OOB reads when parsing dec msg +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benjamin Cheng + +commit 0a78f2bac1424deb7c9d5e09c6b8e849d8e8b648 upstream. + +Check bounds against the end of the BO whenever we access the msg. + +Signed-off-by: Benjamin Cheng +Reviewed-by: Christian König +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c +@@ -1767,7 +1767,7 @@ static int vcn_v4_0_dec_msg(struct amdgp + { + struct ttm_operation_ctx ctx = { false, false }; + struct amdgpu_bo_va_mapping *map; +- uint32_t *msg, num_buffers; ++ uint32_t *msg, num_buffers, len_dw; + struct amdgpu_bo *bo; + uint64_t start, end; + unsigned int i; +@@ -1788,6 +1788,11 @@ static int vcn_v4_0_dec_msg(struct amdgp + return -EINVAL; + } + ++ if (end - addr < 16) { ++ DRM_ERROR("VCN messages must be at least 4 DWORDs!\n"); ++ return -EINVAL; ++ } ++ + bo->flags |= AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED; + amdgpu_bo_placement_from_domain(bo, bo->allowed_domains); + r = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx); +@@ -1804,8 +1809,8 @@ static int vcn_v4_0_dec_msg(struct amdgp + + msg = ptr + addr - start; + +- /* Check length */ + if (msg[1] > end - addr) { ++ DRM_ERROR("VCN message header does not fit in BO!\n"); + r = -EINVAL; + goto out; + } +@@ -1813,7 +1818,16 @@ static int vcn_v4_0_dec_msg(struct amdgp + if (msg[3] != RDECODE_MSG_CREATE) + goto out; + ++ len_dw = msg[1] / 4; + num_buffers = msg[2]; ++ ++ /* Verify that all indices fit within the claimed length. Each index is 4 DWORDs */ ++ if (num_buffers > len_dw || 6 + num_buffers * 4 > len_dw) { ++ DRM_ERROR("VCN message has too many buffers!\n"); ++ r = -EINVAL; ++ goto out; ++ } ++ + for (i = 0, msg = &msg[6]; i < num_buffers; ++i, msg += 4) { + uint32_t offset, size, *create; + +@@ -1823,7 +1837,8 @@ static int vcn_v4_0_dec_msg(struct amdgp + offset = msg[1]; + size = msg[2]; + +- if (offset + size > end) { ++ if (size < 4 || offset + size > end - addr) { ++ DRM_ERROR("VCN message buffer exceeds BO bounds!\n"); + r = -EINVAL; + goto out; + } diff --git a/queue-6.12/drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-ib.patch b/queue-6.12/drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-ib.patch new file mode 100644 index 0000000000..37c1dc9648 --- /dev/null +++ b/queue-6.12/drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-ib.patch @@ -0,0 +1,79 @@ +From 2444eb0ec8283f4a3845eb7febad378476e1ba3c Mon Sep 17 00:00:00 2001 +From: Benjamin Cheng +Date: Tue, 24 Mar 2026 16:42:05 -0400 +Subject: drm/amdgpu/vcn4: Prevent OOB reads when parsing IB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benjamin Cheng + +commit 2444eb0ec8283f4a3845eb7febad378476e1ba3c upstream. + +Rewrite the IB parsing to use amdgpu_ib_get_value() which handles the +bounds checks. + +Signed-off-by: Benjamin Cheng +Acked-by: Christian König +Reviewed-by: Ruijing Dong +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v4_0.c +@@ -1854,9 +1854,10 @@ out: + static int vcn_v4_0_enc_find_ib_param(struct amdgpu_ib *ib, uint32_t id, int start) + { + int i; ++ uint32_t len; + +- for (i = start; i < ib->length_dw && ib->ptr[i] >= 8; i += ib->ptr[i] / 4) { +- if (ib->ptr[i + 1] == id) ++ for (i = start; (len = amdgpu_ib_get_value(ib, i)) >= 8; i += len / 4) { ++ if (amdgpu_ib_get_value(ib, i + 1) == id) + return i; + } + return -1; +@@ -1867,8 +1868,6 @@ static int vcn_v4_0_ring_patch_cs_in_pla + struct amdgpu_ib *ib) + { + struct amdgpu_ring *ring = amdgpu_job_ring(job); +- struct amdgpu_vcn_decode_buffer *decode_buffer; +- uint64_t addr; + uint32_t val; + int idx = 0, sidx; + +@@ -1879,20 +1878,22 @@ static int vcn_v4_0_ring_patch_cs_in_pla + while ((idx = vcn_v4_0_enc_find_ib_param(ib, RADEON_VCN_ENGINE_INFO, idx)) >= 0) { + val = amdgpu_ib_get_value(ib, idx + 2); /* RADEON_VCN_ENGINE_TYPE */ + if (val == RADEON_VCN_ENGINE_TYPE_DECODE) { +- decode_buffer = (struct amdgpu_vcn_decode_buffer *)&ib->ptr[idx + 6]; ++ uint32_t valid_buf_flag = amdgpu_ib_get_value(ib, idx + 6); ++ uint64_t msg_buffer_addr; + +- if (!(decode_buffer->valid_buf_flag & 0x1)) ++ if (!(valid_buf_flag & 0x1)) + return 0; + +- addr = ((u64)decode_buffer->msg_buffer_address_hi) << 32 | +- decode_buffer->msg_buffer_address_lo; +- return vcn_v4_0_dec_msg(p, job, addr); ++ msg_buffer_addr = ((u64)amdgpu_ib_get_value(ib, idx + 7)) << 32 | ++ amdgpu_ib_get_value(ib, idx + 8); ++ return vcn_v4_0_dec_msg(p, job, msg_buffer_addr); + } else if (val == RADEON_VCN_ENGINE_TYPE_ENCODE) { + sidx = vcn_v4_0_enc_find_ib_param(ib, RENCODE_IB_PARAM_SESSION_INIT, idx); +- if (sidx >= 0 && ib->ptr[sidx + 2] == RENCODE_ENCODE_STANDARD_AV1) ++ if (sidx >= 0 && ++ amdgpu_ib_get_value(ib, sidx + 2) == RENCODE_ENCODE_STANDARD_AV1) + return vcn_v4_0_limit_sched(p, job); + } +- idx += ib->ptr[idx] / 4; ++ idx += amdgpu_ib_get_value(ib, idx) / 4; + } + return 0; + } diff --git a/queue-6.12/drm-amdgpu-zero-initialize-gart-table-on-allocation.patch b/queue-6.12/drm-amdgpu-zero-initialize-gart-table-on-allocation.patch new file mode 100644 index 0000000000..7bd5811a98 --- /dev/null +++ b/queue-6.12/drm-amdgpu-zero-initialize-gart-table-on-allocation.patch @@ -0,0 +1,61 @@ +From e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 Mon Sep 17 00:00:00 2001 +From: Philip Yang +Date: Mon, 27 Apr 2026 09:30:23 -0400 +Subject: drm/amdgpu: zero-initialize GART table on allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Philip Yang + +commit e6c2e6c2e1fa066968a16aca1cb66cd1bdde7741 upstream. + +GART TLB is flushed after unmapping but not after mapping. Since +amdgpu_bo_create_kernel() does not zero-initialize the buffer, when a +single PTE is written the TLB may speculatively load other uninitialized +entries from the same cacheline. Those garbage entries can appear valid, +and a subsequent write to another PTE in the same cacheline may cause the +GPU to use a stale garbage PTE from the TLB. + +Fix this by calling memset_io() to zero-initialize the GART table with +gart_pte_flags immediately after allocation. + +Using AMDGPU_GEM_CREATE_VRAM_CLEARED, SDMA-based clear will not work +since SDMA needs GART to be initialized to work. + +Suggested-by: Felix Kuehling +Signed-off-by: Philip Yang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +(cherry picked from commit d9af8263b82b6eaa60c5718e0c6631c5037e4b24) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c +@@ -260,12 +260,19 @@ void amdgpu_gart_table_ram_free(struct a + */ + int amdgpu_gart_table_vram_alloc(struct amdgpu_device *adev) + { ++ int r; ++ + if (adev->gart.bo != NULL) + return 0; + +- return amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE, +- AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo, +- NULL, (void *)&adev->gart.ptr); ++ r = amdgpu_bo_create_kernel(adev, adev->gart.table_size, PAGE_SIZE, ++ AMDGPU_GEM_DOMAIN_VRAM, &adev->gart.bo, ++ NULL, (void *)&adev->gart.ptr); ++ if (r) ++ return r; ++ ++ memset_io(adev->gart.ptr, adev->gart.gart_pte_flags, adev->gart.table_size); ++ return 0; + } + + /** diff --git a/queue-6.12/drm-amdkfd-add-upper-bound-check-for-num_of_nodes.patch b/queue-6.12/drm-amdkfd-add-upper-bound-check-for-num_of_nodes.patch new file mode 100644 index 0000000000..83035d481e --- /dev/null +++ b/queue-6.12/drm-amdkfd-add-upper-bound-check-for-num_of_nodes.patch @@ -0,0 +1,66 @@ +From 74b73fa56a395d46745e4f245225963e9f8be7f1 Mon Sep 17 00:00:00 2001 +From: Alysa Liu +Date: Mon, 30 Mar 2026 10:50:07 -0400 +Subject: drm/amdkfd: Add upper bound check for num_of_nodes + +From: Alysa Liu + +commit 74b73fa56a395d46745e4f245225963e9f8be7f1 upstream. + +drm/amdkfd: Add upper bound check for num_of_nodes +in kfd_ioctl_get_process_apertures_new. + +Reviewed-by: Harish Kasiviswanathan +Signed-off-by: Alysa Liu +Signed-off-by: Alex Deucher +(cherry picked from commit 98ff46a5ea090c14d2cdb4f5b993b05d74f3949f) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 3 +++ + drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 1 + + drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 11 +++++++++++ + 3 files changed, 15 insertions(+) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +@@ -768,6 +768,9 @@ static int kfd_ioctl_get_process_apertur + goto out_unlock; + } + ++ if (args->num_of_nodes > kfd_topology_get_num_devices()) ++ return -EINVAL; ++ + /* Fill in process-aperture information for all available + * nodes, but not more than args->num_of_nodes as that is + * the amount of memory allocated by user +--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h +@@ -1168,6 +1168,7 @@ static inline struct kfd_node *kfd_node_ + return NULL; + } + int kfd_topology_enum_kfd_devices(uint8_t idx, struct kfd_node **kdev); ++uint32_t kfd_topology_get_num_devices(void); + int kfd_numa_node_to_apic_id(int numa_node_id); + + /* Interrupts */ +--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +@@ -2291,6 +2291,17 @@ int kfd_topology_remove_device(struct kf + return res; + } + ++uint32_t kfd_topology_get_num_devices(void) ++{ ++ uint32_t num_devices; ++ ++ down_read(&topology_lock); ++ num_devices = sys_props.num_devices; ++ up_read(&topology_lock); ++ ++ return num_devices; ++} ++ + /* kfd_topology_enum_kfd_devices - Enumerate through all devices in KFD + * topology. If GPU device is found @idx, then valid kfd_dev pointer is + * returned through @kdev diff --git a/queue-6.12/drm-amdkfd-clear-vram-on-allocation-to-prevent-stale-data-exposure.patch b/queue-6.12/drm-amdkfd-clear-vram-on-allocation-to-prevent-stale-data-exposure.patch new file mode 100644 index 0000000000..a27dc5134d --- /dev/null +++ b/queue-6.12/drm-amdkfd-clear-vram-on-allocation-to-prevent-stale-data-exposure.patch @@ -0,0 +1,45 @@ +From ad52d61d82181dbdb7f05826de38352d5e550cc2 Mon Sep 17 00:00:00 2001 +From: Amir Shetaia +Date: Fri, 10 Apr 2026 10:38:13 -0400 +Subject: drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Amir Shetaia + +commit ad52d61d82181dbdb7f05826de38352d5e550cc2 upstream. + +KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE +but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated +VRAM with stale data from prior use observable by compute kernels. + +The GEM ioctl path already sets VRAM_CLEARED for all userspace +allocations via amdgpu_gem_create_ioctl() and +amdgpu_mode_dumb_create(). The KFD path was missing this flag, +allowing stale page table remnants to leak into user buffers. + +This causes crashes in RCCL P2P transport where non-zero data in +ptrExchange/head/tail fields corrupts the protocol handshake. + +Signed-off-by: Amir Shetaia +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -1737,7 +1737,8 @@ int amdgpu_amdkfd_gpuvm_alloc_memory_of_ + alloc_domain = AMDGPU_GEM_DOMAIN_GTT; + alloc_flags = 0; + } else { +- alloc_flags = AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE; ++ alloc_flags = AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE | ++ AMDGPU_GEM_CREATE_VRAM_CLEARED; + alloc_flags |= (flags & KFD_IOC_ALLOC_MEM_FLAGS_PUBLIC) ? + AMDGPU_GEM_CREATE_CPU_ACCESS_REQUIRED : 0; + diff --git a/queue-6.12/drm-amdkfd-make-all-tlb-flushes-heavy-weight.patch b/queue-6.12/drm-amdkfd-make-all-tlb-flushes-heavy-weight.patch new file mode 100644 index 0000000000..f248d45dfc --- /dev/null +++ b/queue-6.12/drm-amdkfd-make-all-tlb-flushes-heavy-weight.patch @@ -0,0 +1,113 @@ +From 9b4e3495d1bd2469bf94b74930c153c2d534ddb7 Mon Sep 17 00:00:00 2001 +From: Felix Kuehling +Date: Mon, 20 Apr 2026 11:55:57 -0400 +Subject: drm/amdkfd: Make all TLB-flushes heavy-weight + +From: Felix Kuehling + +commit 9b4e3495d1bd2469bf94b74930c153c2d534ddb7 upstream. + +With only one sequence number we cannot track the need for legacy vs +heavy-weight flushes reliably. Always use heavy-weight. + +Signed-off-by: Felix Kuehling +Reviewed-by: Philip Yang +Signed-off-by: Alex Deucher +(cherry picked from commit c1a3ff1d327820cd9a52bc1056b98681fc088949) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 4 ++-- + drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 6 +++--- + drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 6 +++--- + drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 4 ++-- + 4 files changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +@@ -1346,7 +1346,7 @@ static int kfd_ioctl_map_memory_to_gpu(s + peer_pdd = kfd_process_device_data_by_id(p, devices_arr[i]); + if (WARN_ON_ONCE(!peer_pdd)) + continue; +- kfd_flush_tlb(peer_pdd, TLB_FLUSH_LEGACY); ++ kfd_flush_tlb(peer_pdd); + } + kfree(devices_arr); + +@@ -1441,7 +1441,7 @@ static int kfd_ioctl_unmap_memory_from_g + if (WARN_ON_ONCE(!peer_pdd)) + continue; + if (flush_tlb) +- kfd_flush_tlb(peer_pdd, TLB_FLUSH_HEAVYWEIGHT); ++ kfd_flush_tlb(peer_pdd); + + /* Remove dma mapping after tlb flush to avoid IO_PAGE_FAULT */ + err = amdgpu_amdkfd_gpuvm_dmaunmap_mem(mem, peer_pdd->drm_priv); +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -533,7 +533,7 @@ static int allocate_vmid(struct device_q + qpd->vmid, + qpd->page_table_base); + /* invalidate the VM context after pasid and vmid mapping is set up */ +- kfd_flush_tlb(qpd_to_pdd(qpd), TLB_FLUSH_LEGACY); ++ kfd_flush_tlb(qpd_to_pdd(qpd)); + + if (dqm->dev->kfd2kgd->set_scratch_backing_va) + dqm->dev->kfd2kgd->set_scratch_backing_va(dqm->dev->adev, +@@ -571,7 +571,7 @@ static void deallocate_vmid(struct devic + if (flush_texture_cache_nocpsch(q->device, qpd)) + dev_err(dev, "Failed to flush TC\n"); + +- kfd_flush_tlb(qpd_to_pdd(qpd), TLB_FLUSH_LEGACY); ++ kfd_flush_tlb(qpd_to_pdd(qpd)); + + /* Release the vmid mapping */ + set_pasid_vmid_mapping(dqm, 0, qpd->vmid); +@@ -1242,7 +1242,7 @@ static int restore_process_queues_nocpsc + dqm->dev->adev, + qpd->vmid, + qpd->page_table_base); +- kfd_flush_tlb(pdd, TLB_FLUSH_LEGACY); ++ kfd_flush_tlb(pdd); + } + + /* Take a safe reference to the mm_struct, which may otherwise +--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h +@@ -1507,13 +1507,13 @@ void kfd_signal_reset_event(struct kfd_n + + void kfd_signal_poison_consumed_event(struct kfd_node *dev, u32 pasid); + +-static inline void kfd_flush_tlb(struct kfd_process_device *pdd, +- enum TLB_FLUSH_TYPE type) ++static inline void kfd_flush_tlb(struct kfd_process_device *pdd) + { + struct amdgpu_device *adev = pdd->dev->adev; + struct amdgpu_vm *vm = drm_priv_to_vm(pdd->drm_priv); + +- amdgpu_vm_flush_compute_tlb(adev, vm, type, pdd->dev->xcc_mask); ++ amdgpu_vm_flush_compute_tlb(adev, vm, TLB_FLUSH_HEAVYWEIGHT, ++ pdd->dev->xcc_mask); + } + + static inline bool kfd_flush_tlb_after_unmap(struct kfd_dev *dev) +--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +@@ -1382,7 +1382,7 @@ svm_range_unmap_from_gpus(struct svm_ran + if (r) + break; + } +- kfd_flush_tlb(pdd, TLB_FLUSH_HEAVYWEIGHT); ++ kfd_flush_tlb(pdd); + } + + return r; +@@ -1516,7 +1516,7 @@ svm_range_map_to_gpus(struct svm_range * + } + } + +- kfd_flush_tlb(pdd, TLB_FLUSH_LEGACY); ++ kfd_flush_tlb(pdd); + } + + return r; diff --git a/queue-6.12/drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch b/queue-6.12/drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch new file mode 100644 index 0000000000..8c3ccc89a8 --- /dev/null +++ b/queue-6.12/drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch @@ -0,0 +1,102 @@ +From 045e0ff208f0838a246c10204105126611b267a1 Mon Sep 17 00:00:00 2001 +From: Alysa Liu +Date: Tue, 21 Apr 2026 10:18:28 -0400 +Subject: drm/amdkfd: validate SVM ioctl nattr against buffer size + +From: Alysa Liu + +commit 045e0ff208f0838a246c10204105126611b267a1 upstream. + +Validate nattr field against the buffer size, preventing +out-of-bounds buffer access via user-controlled attribute count. + +Reviewed-by: Amir Shetaia +Signed-off-by: Alysa Liu +Signed-off-by: Alex Deucher +(cherry picked from commit 5eca8bfdfa456c3304ca77523718fe24254c172f) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 26 ++++++++++++++++++++++++-- + drivers/gpu/drm/amd/amdkfd/kfd_priv.h | 3 +++ + 2 files changed, 27 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1681,6 +1682,16 @@ static int kfd_ioctl_smi_events(struct f + return kfd_smi_event_open(pdd->dev, &args->anon_fd); + } + ++static int kfd_ioctl_svm_validate(void *kdata, unsigned int usize) ++{ ++ struct kfd_ioctl_svm_args *args = kdata; ++ size_t expected = struct_size(args, attrs, args->nattr); ++ ++ if (expected == SIZE_MAX || usize < expected) ++ return -EINVAL; ++ return 0; ++} ++ + #if IS_ENABLED(CONFIG_HSA_AMD_SVM) + + static int kfd_ioctl_set_xnack_mode(struct file *filep, +@@ -3129,7 +3140,11 @@ out: + + #define AMDKFD_IOCTL_DEF(ioctl, _func, _flags) \ + [_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \ +- .cmd_drv = 0, .name = #ioctl} ++ .validate = NULL, .cmd_drv = 0, .name = #ioctl} ++ ++#define AMDKFD_IOCTL_DEF_V(ioctl, _func, _validate, _flags) \ ++ [_IOC_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, \ ++ .validate = _validate, .cmd_drv = 0, .name = #ioctl} + + /** Ioctl table */ + static const struct amdkfd_ioctl_desc amdkfd_ioctls[] = { +@@ -3226,7 +3241,8 @@ static const struct amdkfd_ioctl_desc am + AMDKFD_IOCTL_DEF(AMDKFD_IOC_SMI_EVENTS, + kfd_ioctl_smi_events, 0), + +- AMDKFD_IOCTL_DEF(AMDKFD_IOC_SVM, kfd_ioctl_svm, 0), ++ AMDKFD_IOCTL_DEF_V(AMDKFD_IOC_SVM, kfd_ioctl_svm, ++ kfd_ioctl_svm_validate, 0), + + AMDKFD_IOCTL_DEF(AMDKFD_IOC_SET_XNACK_MODE, + kfd_ioctl_set_xnack_mode, 0), +@@ -3348,6 +3364,12 @@ static long kfd_ioctl(struct file *filep + memset(kdata, 0, usize); + } + ++ if (ioctl->validate) { ++ retcode = ioctl->validate(kdata, usize); ++ if (retcode) ++ goto err_i1; ++ } ++ + retcode = func(filep, process, kdata); + + if (cmd & IOC_OUT) +--- a/drivers/gpu/drm/amd/amdkfd/kfd_priv.h ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_priv.h +@@ -1028,10 +1028,13 @@ extern struct srcu_struct kfd_processes_ + typedef int amdkfd_ioctl_t(struct file *filep, struct kfd_process *p, + void *data); + ++typedef int amdkfd_ioctl_validate_t(void *kdata, unsigned int usize); ++ + struct amdkfd_ioctl_desc { + unsigned int cmd; + int flags; + amdkfd_ioctl_t *func; ++ amdkfd_ioctl_validate_t *validate; + unsigned int cmd_drv; + const char *name; + }; diff --git a/queue-6.12/drm-exynos-remove-bridge-when-component_add-fails.patch b/queue-6.12/drm-exynos-remove-bridge-when-component_add-fails.patch new file mode 100644 index 0000000000..adc35620bc --- /dev/null +++ b/queue-6.12/drm-exynos-remove-bridge-when-component_add-fails.patch @@ -0,0 +1,55 @@ +From 26f6654a9a60eb4d241f42a0ec85412e8821480b Mon Sep 17 00:00:00 2001 +From: Osama Abdelkader +Date: Thu, 23 Apr 2026 22:06:20 +0200 +Subject: drm/exynos: remove bridge when component_add fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Osama Abdelkader + +commit 26f6654a9a60eb4d241f42a0ec85412e8821480b upstream. + +Use devm_drm_bridge_add() so the bridge is released if probe fails after +registration, and drop the manual drm_bridge_remove() in remove(). + +Check the return value of devm_drm_bridge_add(). + +Signed-off-by: Osama Abdelkader +Fixes: 576d72fbfb45 ("drm/exynos: mic: add a bridge at probe") +Cc: stable@vger.kernel.org +Reviewed-by: Raphaël Gallais-Pou +Reviewed-by: Luca Ceresoli +Link: https://patch.msgid.link/20260423200622.325076-2-osama.abdelkader@gmail.com +Signed-off-by: Luca Ceresoli +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_drm_mic.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos_drm_mic.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_mic.c +@@ -424,7 +424,9 @@ static int exynos_mic_probe(struct platf + mic->bridge.funcs = &mic_bridge_funcs; + mic->bridge.of_node = dev->of_node; + +- drm_bridge_add(&mic->bridge); ++ ret = devm_drm_bridge_add(dev, &mic->bridge); ++ if (ret) ++ goto err; + + pm_runtime_enable(dev); + +@@ -444,12 +446,8 @@ err: + + static void exynos_mic_remove(struct platform_device *pdev) + { +- struct exynos_mic *mic = platform_get_drvdata(pdev); +- + component_del(&pdev->dev, &exynos_mic_component_ops); + pm_runtime_disable(&pdev->dev); +- +- drm_bridge_remove(&mic->bridge); + } + + static const struct of_device_id exynos_mic_of_match[] = { diff --git a/queue-6.12/drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch b/queue-6.12/drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch new file mode 100644 index 0000000000..d7dd547598 --- /dev/null +++ b/queue-6.12/drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch @@ -0,0 +1,56 @@ +From 3d4c2268bd7243c3780fe32bf24ff876da272acf Mon Sep 17 00:00:00 2001 +From: Ashutosh Desai +Date: Mon, 20 Apr 2026 01:36:37 +0000 +Subject: drm/gem: Fix inconsistent plane dimension calculation in drm_gem_fb_init_with_funcs() + +From: Ashutosh Desai + +commit 3d4c2268bd7243c3780fe32bf24ff876da272acf upstream. + +drm_gem_fb_init_with_funcs() computes sub-sampled plane dimensions +using plain integer division: + + unsigned int width = mode_cmd->width / (i ? info->hsub : 1); + unsigned int height = mode_cmd->height / (i ? info->vsub : 1); + +However, the ioctl-level framebuffer_check() in drm_framebuffer.c uses +drm_format_info_plane_width/height() which round up dimensions via +DIV_ROUND_UP(). This inconsistency corrupts the subsequent GEM object +size check for certain pixel format and dimension combinations. + +For example, with NV12 (vsub=2) and a 1-pixel-tall framebuffer the +GEM size validation path sees height=0 instead of height=1. The +expression (height - 1) then wraps to UINT_MAX as an unsigned int, +causing min_size to overflow and wrap back to a small value. A tiny +GEM object therefore passes the size guard, yet when the GPU accesses +the chroma plane it will read or write memory beyond the object's +bounds. + +Fix by replacing the open-coded divisions with drm_format_info_plane_width() +and drm_format_info_plane_height(), which use DIV_ROUND_UP() and match +the calculation already used in framebuffer_check(). + +Fixes: 4c3dbb2c312c ("drm: Add GEM backed framebuffer library") +Cc: stable@vger.kernel.org # v4.14+ +Reviewed-by: Thomas Zimmermann +Signed-off-by: Ashutosh Desai +Signed-off-by: Thomas Zimmermann +Link: https://patch.msgid.link/20260420013637.457751-1-ashutoshdesai993@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_framebuffer_helper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/drm_gem_framebuffer_helper.c ++++ b/drivers/gpu/drm/drm_gem_framebuffer_helper.c +@@ -174,8 +174,8 @@ int drm_gem_fb_init_with_funcs(struct dr + } + + for (i = 0; i < info->num_planes; i++) { +- unsigned int width = mode_cmd->width / (i ? info->hsub : 1); +- unsigned int height = mode_cmd->height / (i ? info->vsub : 1); ++ unsigned int width = drm_format_info_plane_width(info, mode_cmd->width, i); ++ unsigned int height = drm_format_info_plane_height(info, mode_cmd->height, i); + unsigned int min_size; + + objs[i] = drm_gem_object_lookup(file, mode_cmd->handles[i]); diff --git a/queue-6.12/drm-i915-psr-init-variable-to-avoid-early-exit-from-et-alignment-loop.patch b/queue-6.12/drm-i915-psr-init-variable-to-avoid-early-exit-from-et-alignment-loop.patch new file mode 100644 index 0000000000..f5c5fee976 --- /dev/null +++ b/queue-6.12/drm-i915-psr-init-variable-to-avoid-early-exit-from-et-alignment-loop.patch @@ -0,0 +1,40 @@ +From 314f6179e370988ac00dadf373a4f6166eb3db15 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jouni=20H=C3=B6gander?= +Date: Mon, 13 Apr 2026 14:23:45 +0300 +Subject: drm/i915/psr: Init variable to avoid early exit from et alignment loop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +commit 314f6179e370988ac00dadf373a4f6166eb3db15 upstream. + +Uninitialized boolean variable may cause unwanted exit from et alignment +loop. Fix this by initializing it as false. + +Fixes: 1be2fca84f52 ("drm/i915/psr: Repeat Selective Update area alignment") +Cc: # v6.9+ +Signed-off-by: Jouni Högander +Reviewed-by: Nemesa Garg +Reported-by: Dan Carpenter +Reviewed-by: Andi Shyti +Link: https://patch.msgid.link/20260413112345.88853-1-jouni.hogander@intel.com +(cherry picked from commit 289678a90b8cf81e3514c9d6c667235cd39c7acf) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_psr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -2624,7 +2624,7 @@ int intel_psr2_sel_fetch_update(struct i + return ret; + + do { +- bool cursor_in_su_area; ++ bool cursor_in_su_area = false; + + /* + * Adjust su area to cover cursor fully as necessary diff --git a/queue-6.12/drm-msm-gem-fix-error-handling-in-msm_ioctl_gem_info_get_metadata.patch b/queue-6.12/drm-msm-gem-fix-error-handling-in-msm_ioctl_gem_info_get_metadata.patch new file mode 100644 index 0000000000..8ebc671a71 --- /dev/null +++ b/queue-6.12/drm-msm-gem-fix-error-handling-in-msm_ioctl_gem_info_get_metadata.patch @@ -0,0 +1,58 @@ +From 47cbfe2608314b833ad61a65827d8fb363bc2d2d Mon Sep 17 00:00:00 2001 +From: Yasuaki Torimaru +Date: Wed, 25 Mar 2026 20:46:34 +0900 +Subject: drm/msm/gem: fix error handling in msm_ioctl_gem_info_get_metadata() + +From: Yasuaki Torimaru + +commit 47cbfe2608314b833ad61a65827d8fb363bc2d2d upstream. + +msm_ioctl_gem_info_get_metadata() always returns 0 regardless of +errors. When copy_to_user() fails or the user buffer is too small, +the error code stored in ret is ignored because the function +unconditionally returns 0. This causes userspace to believe the +ioctl succeeded when it did not. + +Additionally, kmemdup() can return NULL on allocation failure, but +the return value is not checked. This leads to a NULL pointer +dereference in the subsequent copy_to_user() call. + +Add the missing NULL check for kmemdup() and return ret instead of 0. + +Note that the SET counterpart (msm_ioctl_gem_info_set_metadata) +correctly returns ret. + +Fixes: 9902cb999e4e ("drm/msm/gem: Add metadata") +Cc: stable@vger.kernel.org +Signed-off-by: Yasuaki Torimaru +Patchwork: https://patchwork.freedesktop.org/patch/714478/ +Message-ID: <20260325114635.383241-1-yasuakitorimaru@gmail.com> +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_drv.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -616,6 +616,11 @@ static int msm_ioctl_gem_info_get_metada + len = msm_obj->metadata_size; + buf = kmemdup(msm_obj->metadata, len, GFP_KERNEL); + ++ if (!buf) { ++ msm_gem_unlock(obj); ++ return -ENOMEM; ++ } ++ + msm_gem_unlock(obj); + + if (*metadata_size < len) { +@@ -628,7 +633,7 @@ static int msm_ioctl_gem_info_get_metada + + kfree(buf); + +- return 0; ++ return ret; + } + + static int msm_ioctl_gem_info(struct drm_device *dev, void *data, diff --git a/queue-6.12/drm-panel-boe-tv101wum-nl6-restore-mode_lpm-after-sending-disable-cmds.patch b/queue-6.12/drm-panel-boe-tv101wum-nl6-restore-mode_lpm-after-sending-disable-cmds.patch new file mode 100644 index 0000000000..ebc35d62e4 --- /dev/null +++ b/queue-6.12/drm-panel-boe-tv101wum-nl6-restore-mode_lpm-after-sending-disable-cmds.patch @@ -0,0 +1,43 @@ +From 570cf799e87ae805eacfab3b4ba66676b5fccdb6 Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Sun, 3 May 2026 17:17:08 +0800 +Subject: drm/panel: boe-tv101wum-nl6: restore MODE_LPM after sending disable cmds + +From: Icenowy Zheng + +commit 570cf799e87ae805eacfab3b4ba66676b5fccdb6 upstream. + +When preparing the panel, it seems that it always expects commands to be +transferred in LP mode. However, the disable function removes the +MIPI_DSI_MODE_LPM flag, and no other function re-adds it. + +As the unprepare function contains no DSI commands, re-adding the flag +just after disabling the panel should be safe. Add the code re-adding +the flag after the two commands for disabling the panel are sent. + +This fixes error messages shown in kernel log when unblanking on +mt8183-kukui-kodama-sku32 device. + +Cc: stable@vger.kernel.org +Fixes: a869b9db7adf ("drm/panel: support for boe tv101wum-nl6 wuxga dsi video mode panel") +Signed-off-by: Icenowy Zheng +Reviewed-by: Neil Armstrong +Reviewed-by: Douglas Anderson +Signed-off-by: Neil Armstrong +Link: https://patch.msgid.link/20260503091708.1079962-1-zhengxingda@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c ++++ b/drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c +@@ -1324,6 +1324,8 @@ static int boe_panel_disable(struct drm_ + mipi_dsi_dcs_set_display_off_multi(&ctx); + mipi_dsi_dcs_enter_sleep_mode_multi(&ctx); + ++ boe->dsi->mode_flags |= MIPI_DSI_MODE_LPM; ++ + mipi_dsi_msleep(&ctx, 150); + + return ctx.accum_err; diff --git a/queue-6.12/drm-panel-himax-hx83102-restore-mode_lpm-after-sending-disable-cmds.patch b/queue-6.12/drm-panel-himax-hx83102-restore-mode_lpm-after-sending-disable-cmds.patch new file mode 100644 index 0000000000..fc33b8363b --- /dev/null +++ b/queue-6.12/drm-panel-himax-hx83102-restore-mode_lpm-after-sending-disable-cmds.patch @@ -0,0 +1,43 @@ +From 2d4e80271f784aa0c7b17676e9762c7e8156be1c Mon Sep 17 00:00:00 2001 +From: Icenowy Zheng +Date: Sun, 26 Apr 2026 00:57:51 +0800 +Subject: drm/panel: himax-hx83102: restore MODE_LPM after sending disable cmds + +From: Icenowy Zheng + +commit 2d4e80271f784aa0c7b17676e9762c7e8156be1c upstream. + +When preparing the panel, it seems that it always expects commands to be +transferred in LP mode. However, the disable function removes the +MIPI_DSI_MODE_LPM flag, and no other function re-adds it. + +As the unprepare function contains no DSI commands, re-adding the flag +just after disabling the panel should be safe. Add the code re-adding +the flag after the two commands for disabling the panel are sent. + +This fixes screen unblanking (after blanking once) on +mt8188-geralt-ciri-sku1 device. + +Cc: stable@vger.kernel.org # 6.11+ +Fixes: 0ef94554dc40 ("drm/panel: himax-hx83102: Break out as separate driver") +Signed-off-by: Icenowy Zheng +Reviewed-by: Neil Armstrong +Reviewed-by: Douglas Anderson +Signed-off-by: Neil Armstrong +Link: https://patch.msgid.link/20260425165751.1716569-1-zhengxingda@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panel/panel-himax-hx83102.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/panel/panel-himax-hx83102.c ++++ b/drivers/gpu/drm/panel/panel-himax-hx83102.c +@@ -479,6 +479,8 @@ static int hx83102_disable(struct drm_pa + mipi_dsi_dcs_set_display_off_multi(&dsi_ctx); + mipi_dsi_dcs_enter_sleep_mode_multi(&dsi_ctx); + ++ dsi->mode_flags |= MIPI_DSI_MODE_LPM; ++ + mipi_dsi_msleep(&dsi_ctx, 150); + + return dsi_ctx.accum_err; diff --git a/queue-6.12/drm-radeon-add-missing-revision-check-for-ci.patch b/queue-6.12/drm-radeon-add-missing-revision-check-for-ci.patch new file mode 100644 index 0000000000..dafc216e4c --- /dev/null +++ b/queue-6.12/drm-radeon-add-missing-revision-check-for-ci.patch @@ -0,0 +1,60 @@ +From 17223816498f7b117d138d18eb0eba63604dc74e Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 27 Apr 2026 11:40:25 -0400 +Subject: drm/radeon: add missing revision check for CI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 17223816498f7b117d138d18eb0eba63604dc74e upstream. + +The memory level workarounds only apply to revision 0 SKUs. + +Link: https://gitlab.freedesktop.org/drm/amd/-/work_items/1816 +Fixes: 127e056e2a82 ("drm/radeon: fix mclk vddc configuration for cards for hawaii") +Fixes: 21b8a369046f ("drm/radeon: fix dram timing for certain hawaii boards") +Fixes: 90b2fee35cb9 ("drm/radeon: fix dpm mc init for certain hawaii boards") +Reviewed-by: Timur Kristóf +Reviewed-by: Kent Russell +Signed-off-by: Alex Deucher +(cherry picked from commit 4d8dcc14311515077062b5740f39f427075de5c9) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/ci_dpm.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/radeon/ci_dpm.c ++++ b/drivers/gpu/drm/radeon/ci_dpm.c +@@ -2461,7 +2461,8 @@ static void ci_register_patching_mc_arb( + + if (patch && + ((rdev->pdev->device == 0x67B0) || +- (rdev->pdev->device == 0x67B1))) { ++ (rdev->pdev->device == 0x67B1)) && ++ (rdev->pdev->revision == 0)) { + if ((memory_clock > 100000) && (memory_clock <= 125000)) { + tmp2 = (((0x31 * engine_clock) / 125000) - 1) & 0xff; + *dram_timimg2 &= ~0x00ff0000; +@@ -3302,7 +3303,8 @@ static int ci_populate_all_memory_levels + pi->smc_state_table.MemoryLevel[0].EnabledForActivity = 1; + + if ((dpm_table->mclk_table.count >= 2) && +- ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1))) { ++ ((rdev->pdev->device == 0x67B0) || (rdev->pdev->device == 0x67B1)) && ++ (rdev->pdev->revision == 0)) { + pi->smc_state_table.MemoryLevel[1].MinVddc = + pi->smc_state_table.MemoryLevel[0].MinVddc; + pi->smc_state_table.MemoryLevel[1].MinVddcPhases = +@@ -4499,7 +4501,8 @@ static int ci_register_patching_mc_seq(s + + if (patch && + ((rdev->pdev->device == 0x67B0) || +- (rdev->pdev->device == 0x67B1))) { ++ (rdev->pdev->device == 0x67B1)) && ++ (rdev->pdev->revision == 0)) { + for (i = 0; i < table->last; i++) { + if (table->last >= SMU7_DISCRETE_MC_REGISTER_ARRAY_SIZE) + return -EINVAL; diff --git a/queue-6.12/drm-xe-bo-fix-bo-leak-on-ggtt-flag-validation-in-xe_bo_init_locked.patch b/queue-6.12/drm-xe-bo-fix-bo-leak-on-ggtt-flag-validation-in-xe_bo_init_locked.patch new file mode 100644 index 0000000000..5d110f909a --- /dev/null +++ b/queue-6.12/drm-xe-bo-fix-bo-leak-on-ggtt-flag-validation-in-xe_bo_init_locked.patch @@ -0,0 +1,42 @@ +From 1d0adf2fd94fb0c0037c643fadd8f2cf3cffc009 Mon Sep 17 00:00:00 2001 +From: Shuicheng Lin +Date: Wed, 8 Apr 2026 17:52:53 +0000 +Subject: drm/xe/bo: Fix bo leak on GGTT flag validation in xe_bo_init_locked() + +From: Shuicheng Lin + +commit 1d0adf2fd94fb0c0037c643fadd8f2cf3cffc009 upstream. + +When XE_BO_FLAG_GGTT_ALL is set without XE_BO_FLAG_GGTT, the function +returns an error without freeing a caller-provided bo, violating the +documented contract that bo is freed on failure. + +Add xe_bo_free(bo) before returning the error. + +Fixes: 5a3b0df25d6a ("drm/xe: Allow bo mapping on multiple ggtts") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4.6 +Reviewed-by: Matthew Brost +Link: https://patch.msgid.link/20260408175255.3402838-3-shuicheng.lin@intel.com +Signed-off-by: Shuicheng Lin +(cherry picked from commit 3fbd6cf43cac7b60757f3ce3d95195d3843a902c) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_bo.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/xe/xe_bo.c ++++ b/drivers/gpu/drm/xe/xe_bo.c +@@ -1312,8 +1312,10 @@ struct xe_bo *___xe_bo_create_locked(str + } + + /* XE_BO_FLAG_GGTTx requires XE_BO_FLAG_GGTT also be set */ +- if ((flags & XE_BO_FLAG_GGTT_ALL) && !(flags & XE_BO_FLAG_GGTT)) ++ if ((flags & XE_BO_FLAG_GGTT_ALL) && !(flags & XE_BO_FLAG_GGTT)) { ++ xe_bo_free(bo); + return ERR_PTR(-EINVAL); ++ } + + if (flags & (XE_BO_FLAG_VRAM_MASK | XE_BO_FLAG_STOLEN) && + !(flags & XE_BO_FLAG_IGNORE_MIN_PAGE_SIZE) && diff --git a/queue-6.12/drm-xe-bo-fix-bo-leak-on-unaligned-size-validation-in-xe_bo_init_locked.patch b/queue-6.12/drm-xe-bo-fix-bo-leak-on-unaligned-size-validation-in-xe_bo_init_locked.patch new file mode 100644 index 0000000000..600e1467e1 --- /dev/null +++ b/queue-6.12/drm-xe-bo-fix-bo-leak-on-unaligned-size-validation-in-xe_bo_init_locked.patch @@ -0,0 +1,42 @@ +From 09a8f3c1c11977a6e10c167f26dd298790b31c32 Mon Sep 17 00:00:00 2001 +From: Shuicheng Lin +Date: Wed, 8 Apr 2026 17:52:52 +0000 +Subject: drm/xe/bo: Fix bo leak on unaligned size validation in xe_bo_init_locked() + +From: Shuicheng Lin + +commit 09a8f3c1c11977a6e10c167f26dd298790b31c32 upstream. + +When type is ttm_bo_type_device and aligned_size != size, the function +returns an error without freeing a caller-provided bo, violating the +documented contract that bo is freed on failure. + +Add xe_bo_free(bo) before returning the error. + +Fixes: 4e03b584143e ("drm/xe/uapi: Reject bo creation of unaligned size") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4.6 +Reviewed-by: Matthew Brost +Link: https://patch.msgid.link/20260408175255.3402838-2-shuicheng.lin@intel.com +Signed-off-by: Shuicheng Lin +(cherry picked from commit 601c2aa087b6f21014300a3f107a08ee4dde7bdf) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_bo.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/xe/xe_bo.c ++++ b/drivers/gpu/drm/xe/xe_bo.c +@@ -1334,8 +1334,10 @@ struct xe_bo *___xe_bo_create_locked(str + alignment = SZ_4K >> PAGE_SHIFT; + } + +- if (type == ttm_bo_type_device && aligned_size != size) ++ if (type == ttm_bo_type_device && aligned_size != size) { ++ xe_bo_free(bo); + return ERR_PTR(-EINVAL); ++ } + + if (!bo) { + bo = xe_bo_alloc(); diff --git a/queue-6.12/drm-xe-fix-dma-buf-attachment-leak-in-xe_gem_prime_import.patch b/queue-6.12/drm-xe-fix-dma-buf-attachment-leak-in-xe_gem_prime_import.patch new file mode 100644 index 0000000000..ee8009e530 --- /dev/null +++ b/queue-6.12/drm-xe-fix-dma-buf-attachment-leak-in-xe_gem_prime_import.patch @@ -0,0 +1,50 @@ +From 111ab678471bf1f90d078d5513bb086b70596c3c Mon Sep 17 00:00:00 2001 +From: Shuicheng Lin +Date: Wed, 8 Apr 2026 17:52:55 +0000 +Subject: drm/xe: Fix dma-buf attachment leak in xe_gem_prime_import() + +From: Shuicheng Lin + +commit 111ab678471bf1f90d078d5513bb086b70596c3c upstream. + +When xe_dma_buf_init_obj() fails, the attachment from +dma_buf_dynamic_attach() is not detached. Add dma_buf_detach() before +returning the error. Note: we cannot use goto out_err here because +xe_dma_buf_init_obj() already frees bo on failure, and out_err would +double-free it. + +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Cc: stable@vger.kernel.org +Assisted-by: Claude:claude-opus-4.6 +Reviewed-by: Mattheq Brost +Link: https://patch.msgid.link/20260408175255.3402838-5-shuicheng.lin@intel.com +Signed-off-by: Shuicheng Lin +(cherry picked from commit a828eb185aac41800df8eae4b60501ccc0dbbe51) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_dma_buf.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_dma_buf.c ++++ b/drivers/gpu/drm/xe/xe_dma_buf.c +@@ -299,12 +299,15 @@ struct drm_gem_object *xe_gem_prime_impo + goto out_err; + } + +- /* Errors here will take care of freeing the bo. */ ++ /* ++ * xe_dma_buf_init_obj() takes ownership of bo on both success ++ * and failure, so we must not touch bo after this call. ++ */ + obj = xe_dma_buf_init_obj(dev, bo, dma_buf); +- if (IS_ERR(obj)) ++ if (IS_ERR(obj)) { ++ dma_buf_detach(dma_buf, attach); + return obj; +- +- ++ } + get_dma_buf(dma_buf); + obj->import_attach = attach; + return obj; diff --git a/queue-6.12/sched_ext-use-hk_type_domain_boot-to-detect-isolcpus-domain-isolation.patch b/queue-6.12/sched_ext-use-hk_type_domain_boot-to-detect-isolcpus-domain-isolation.patch new file mode 100644 index 0000000000..98a34d13a7 --- /dev/null +++ b/queue-6.12/sched_ext-use-hk_type_domain_boot-to-detect-isolcpus-domain-isolation.patch @@ -0,0 +1,76 @@ +From 6ae315d37924435516d697ea7dde0b799a5928e0 Mon Sep 17 00:00:00 2001 +From: Andrea Righi +Date: Wed, 13 May 2026 13:24:38 +0200 +Subject: sched_ext: Use HK_TYPE_DOMAIN_BOOT to detect isolcpus= domain isolation + +From: Andrea Righi + +commit 6ae315d37924435516d697ea7dde0b799a5928e0 upstream. + +scx_enable() refuses to attach a BPF scheduler when isolcpus=domain is +in effect by comparing housekeeping_cpumask(HK_TYPE_DOMAIN) against +cpu_possible_mask. + +Since commit 27c3a5967f05 ("sched/isolation: Convert housekeeping +cpumasks to rcu pointers"), HK_TYPE_DOMAIN's cpumask is RCU protected +and dereferencing it requires either RCU read lock, the cpu_hotplug +write lock, or the cpuset lock; scx_enable() holds none of these, so +booting with isolcpus=domain and attaching any BPF scheduler triggers +the following lockdep splat: + + ============================= + WARNING: suspicious RCU usage + ----------------------------- + kernel/sched/isolation.c:60 suspicious rcu_dereference_check() usage! + + 1 lock held by scx_flash/281: + #0: ffffffff8379fce0 (update_mutex){+.+.}-{4:4}, at: + bpf_struct_ops_link_create+0x134/0x1c0 + + Call Trace: + dump_stack_lvl+0x6f/0xb0 + lockdep_rcu_suspicious.cold+0x37/0x70 + housekeeping_cpumask+0xcd/0xe0 + scx_enable.isra.0+0x17/0x120 + bpf_scx_reg+0x5e/0x80 + bpf_struct_ops_link_create+0x151/0x1c0 + __sys_bpf+0x1e4b/0x33c0 + __x64_sys_bpf+0x21/0x30 + do_syscall_64+0x117/0xf80 + entry_SYSCALL_64_after_hwframe+0x77/0x7f + +In addition, commit 03ff73510169 ("cpuset: Update HK_TYPE_DOMAIN cpumask +from cpuset") made HK_TYPE_DOMAIN include cpuset isolated partitions as +well, which means the current check also rejects BPF schedulers when a +cpuset partition is active. That contradicts the original intent of +commit 9f391f94a173 ("sched_ext: Disallow loading BPF scheduler if +isolcpus= domain isolation is in effect"), which explicitly noted that +cpuset partitions are honored through per-task cpumasks and should not +be rejected. + +Switch to housekeeping_enabled(HK_TYPE_DOMAIN_BOOT), which reads only +the housekeeping flag bit (no RCU dereference) and reflects exactly the +boot-time isolcpus= configuration that the error message refers to. + +Fixes: 27c3a5967f05 ("sched/isolation: Convert housekeeping cpumasks to rcu pointers") +Cc: stable@vger.kernel.org # v7.0+ +Signed-off-by: Andrea Righi +Signed-off-by: Tejun Heo +Acked-by: Frederic Weisbecker +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/ext.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/kernel/sched/ext.c ++++ b/kernel/sched/ext.c +@@ -5521,8 +5521,7 @@ static int scx_ops_enable(struct sched_e + static DEFINE_MUTEX(helper_mutex); + struct scx_enable_cmd cmd; + +- if (!cpumask_equal(housekeeping_cpumask(HK_TYPE_DOMAIN), +- cpu_possible_mask)) { ++ if (housekeeping_enabled(HK_TYPE_DOMAIN_BOOT)) { + pr_err("sched_ext: Not compatible with \"isolcpus=\" domain isolation\n"); + return -EINVAL; + } diff --git a/queue-6.12/sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch b/queue-6.12/sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch new file mode 100644 index 0000000000..f6ff8f967c --- /dev/null +++ b/queue-6.12/sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch @@ -0,0 +1,76 @@ +From abb5f36771cc4c05899b34000829a787572a8817 Mon Sep 17 00:00:00 2001 +From: Ben Morris +Date: Thu, 7 May 2026 17:14:55 -0700 +Subject: sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL + +From: Ben Morris + +commit abb5f36771cc4c05899b34000829a787572a8817 upstream. + +The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with +list_for_each_entry_safe(), which caches the next entry in @tmp before +the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may +drop the socket lock inside sctp_wait_for_sndbuf(). + +While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the +association cached in @tmp, migrating it to a new endpoint via +sctp_sock_migrate() (list_del_init() + list_add_tail() to +newep->asocs), and optionally close the new socket which frees the +association via kfree_rcu(). The cached @tmp can also be freed by a +network ABORT for that association, processed in softirq while the +lock is dropped. + +sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock +via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing +revalidates @tmp. After a successful return, the iterator advances to +the stale @tmp, yielding either a use-after-free (if the peeled socket +was closed) or a list-walk onto the new endpoint's list head (type +confusion of &newep->asocs as a struct sctp_association *). + +Both are reachable from CapEff=0; the type-confusion path gives +controlled indirect call via the outqueue.sched->init_sid pointer. + +Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() +returns. @asoc is known to still be on ep->asocs at that point: the +only callers that list_del an association from ep->asocs are +sctp_association_free() (which sets asoc->base.dead) and +sctp_assoc_migrate() (which changes asoc->base.sk), and +sctp_wait_for_sndbuf() checks both under the lock before any +successful return; a tripped check propagates as err < 0 and the loop +bails before the re-derive. + +The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the +loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so +the @tmp cached by list_for_each_entry_safe() still covers the +lock-held free that ba59fb027307 ("sctp: walk the list of asoc +safely") was added for. + +Fixes: 4910280503f3 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg") +Cc: stable@vger.kernel.org +Signed-off-by: Ben Morris +Acked-by: Xin Long +Link: https://patch.msgid.link/20260508001455.3137-1-joycathacker@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1986,6 +1986,15 @@ static int sctp_sendmsg(struct sock *sk, + goto out_unlock; + + iov_iter_revert(&msg->msg_iter, err); ++ ++ /* sctp_sendmsg_to_asoc() may have released the socket ++ * lock (sctp_wait_for_sndbuf), during which other ++ * associations on ep->asocs could have been peeled ++ * off or freed. @asoc itself is revalidated by the ++ * base.dead and base.sk checks in sctp_wait_for_sndbuf, ++ * so re-derive the cached cursor from it. ++ */ ++ tmp = list_next_entry(asoc, asocs); + } + + goto out_unlock; diff --git a/queue-6.12/series b/queue-6.12/series index e90470fd87..12615b93cf 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -44,3 +44,59 @@ spi-omap2-mcspi-fix-controller-deregistration.patch spi-pic32-fix-controller-deregistration.patch spi-mtk-nor-fix-controller-deregistration.patch spi-pl022-fix-controller-deregistration.patch +spi-sh-hspi-fix-controller-deregistration.patch +spi-fsl-fix-controller-deregistration.patch +spi-bcmbca-hsspi-fix-controller-deregistration.patch +spi-coldfire-qspi-fix-controller-deregistration.patch +spi-npcm-pspi-fix-controller-deregistration.patch +spi-pic32-sqi-fix-controller-deregistration.patch +spi-sprd-fix-controller-deregistration.patch +spi-rspi-fix-controller-deregistration.patch +spi-img-spfi-fix-controller-deregistration.patch +spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch +spi-mxic-fix-controller-deregistration.patch +spi-orion-fix-controller-deregistration.patch +spi-orion-fix-runtime-pm-leak-on-unbind.patch +spi-orion-fix-clock-imbalance-on-registration-failure.patch +spi-mpc52xx-fix-use-after-free-on-registration-failure.patch +spi-mpc52xx-fix-controller-deregistration.patch +spi-mpc52xx-fix-use-after-free-on-unbind.patch +spi-cadence-fix-controller-deregistration.patch +spi-cadence-fix-unclocked-access-on-unbind.patch +drm-msm-gem-fix-error-handling-in-msm_ioctl_gem_info_get_metadata.patch +drm-i915-psr-init-variable-to-avoid-early-exit-from-et-alignment-loop.patch +drm-amdkfd-clear-vram-on-allocation-to-prevent-stale-data-exposure.patch +drm-amdgpu-use-smuio-15.0.0-offsets-for-tsc-upper-and-lower-count.patch +drm-amdgpu-gate-vm-cpu-hdp-flush-on-reset-lock.patch +drm-amd-pm-fix-incorrect-featurectrlmask-setting-on-smu-v14.0.x.patch +drm-amdkfd-add-upper-bound-check-for-num_of_nodes.patch +drm-amdgpu-add-bounds-checking-to-ib_-get-set-_value.patch +drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-ib.patch +drm-amdgpu-vce-prevent-partial-address-patches.patch +drm-amdgpu-vcn4-prevent-oob-reads-when-parsing-dec-msg.patch +drm-amdgpu-vcn3-prevent-oob-reads-when-parsing-dec-msg.patch +drm-amd-display-change-dither-policy-for-10-bpc-output-back-to-dithering.patch +drm-gem-fix-inconsistent-plane-dimension-calculation-in-drm_gem_fb_init_with_funcs.patch +drm-amdkfd-validate-svm-ioctl-nattr-against-buffer-size.patch +drm-xe-bo-fix-bo-leak-on-ggtt-flag-validation-in-xe_bo_init_locked.patch +drm-xe-fix-dma-buf-attachment-leak-in-xe_gem_prime_import.patch +drm-xe-bo-fix-bo-leak-on-unaligned-size-validation-in-xe_bo_init_locked.patch +drm-radeon-add-missing-revision-check-for-ci.patch +drm-amdgpu-zero-initialize-gart-table-on-allocation.patch +drm-exynos-remove-bridge-when-component_add-fails.patch +drm-panel-himax-hx83102-restore-mode_lpm-after-sending-disable-cmds.patch +drm-amdgpu-gfx9-drop-unnecessary-64-bit-fence-flag-check-in-kiq.patch +drm-panel-boe-tv101wum-nl6-restore-mode_lpm-after-sending-disable-cmds.patch +drm-amdkfd-make-all-tlb-flushes-heavy-weight.patch +drm-amdgpu-sdma4-replace-bug_on-with-warn_on-in-fence-emission.patch +drm-amdgpu-pm-add-missing-revision-check-for-ci.patch +drm-amdgpu-pm-align-hawaii-mclk-workaround-with-radeon.patch +arm64-dts-ti-k3-am62a7-sk-fix-pin-name-in-comment-from-m19-to-n22.patch +sctp-revalidate-list-cursor-after-sctp_sendmsg_to_asoc-in-sctp_sendall.patch +batman-adv-fix-integer-overflow-on-buff_pos.patch +batman-adv-reject-new-tp_meter-sessions-during-teardown.patch +batman-adv-stop-caching-unowned-originator-pointers-in-bat-iv.patch +batman-adv-bla-prevent-use-after-free-when-deleting-claims.patch +batman-adv-bla-only-purge-non-released-claims.patch +batman-adv-bla-put-backbone-reference-on-failed-claim-hash-insert.patch +sched_ext-use-hk_type_domain_boot-to-detect-isolcpus-domain-isolation.patch diff --git a/queue-6.12/spi-bcmbca-hsspi-fix-controller-deregistration.patch b/queue-6.12/spi-bcmbca-hsspi-fix-controller-deregistration.patch new file mode 100644 index 0000000000..d9baf9b604 --- /dev/null +++ b/queue-6.12/spi-bcmbca-hsspi-fix-controller-deregistration.patch @@ -0,0 +1,49 @@ +From c3d97c3320b9a1ebbd6119857341be034f7b3efc Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 9 Apr 2026 14:04:06 +0200 +Subject: spi: bcmbca-hsspi: fix controller deregistration + +From: Johan Hovold + +commit c3d97c3320b9a1ebbd6119857341be034f7b3efc upstream. + +Make sure to deregister the controller before disabling underlying +resources like interrupts during driver unbind to allow SPI drivers to +do I/O during deregistration. + +Note that clocks were also disabled before the recent commit +e532e21a246d ("spi: bcm63xx-hsspi: Simplify clock handling with +devm_clk_get_enabled()"). + +Fixes: a38a2233f23b ("spi: bcmbca-hsspi: Add driver for newer HSSPI controller") +Cc: stable@vger.kernel.org # 6.3: deb269e0394f +Cc: stable@vger.kernel.org # 6.3 +Cc: William Zhang +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260409120419.388546-8-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-bcmbca-hsspi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-bcmbca-hsspi.c ++++ b/drivers/spi/spi-bcmbca-hsspi.c +@@ -550,7 +550,7 @@ static int bcmbca_hsspi_probe(struct pla + } + + /* register and we are done */ +- ret = devm_spi_register_controller(dev, host); ++ ret = spi_register_controller(host); + if (ret) + goto out_sysgroup_disable; + +@@ -572,6 +572,8 @@ static void bcmbca_hsspi_remove(struct p + struct spi_controller *host = platform_get_drvdata(pdev); + struct bcmbca_hsspi *bs = spi_controller_get_devdata(host); + ++ spi_unregister_controller(host); ++ + /* reset the hardware and block queue progress */ + __raw_writel(0, bs->regs + HSSPI_INT_MASK_REG); + clk_disable_unprepare(bs->pll_clk); diff --git a/queue-6.12/spi-cadence-fix-controller-deregistration.patch b/queue-6.12/spi-cadence-fix-controller-deregistration.patch new file mode 100644 index 0000000000..70fd20637b --- /dev/null +++ b/queue-6.12/spi-cadence-fix-controller-deregistration.patch @@ -0,0 +1,45 @@ +From 666fa7e9ca98e71c880086ca24147ae843f1ed6e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 14 Apr 2026 15:43:12 +0200 +Subject: spi: cadence: fix controller deregistration + +From: Johan Hovold + +commit 666fa7e9ca98e71c880086ca24147ae843f1ed6e upstream. + +Make sure to deregister the controller before disabling underlying +resources like clocks during driver unbind. + +Fixes: c474b3866546 ("spi: Add driver for Cadence SPI controller") +Cc: stable@vger.kernel.org # 3.16 +Cc: Harini Katakam +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260414134319.978196-2-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-cadence.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-cadence.c ++++ b/drivers/spi/spi-cadence.c +@@ -699,6 +699,10 @@ static void cdns_spi_remove(struct platf + struct spi_controller *ctlr = platform_get_drvdata(pdev); + struct cdns_spi *xspi = spi_controller_get_devdata(ctlr); + ++ spi_controller_get(ctlr); ++ ++ spi_unregister_controller(ctlr); ++ + cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE); + + if (!spi_controller_is_target(ctlr)) { +@@ -706,7 +710,7 @@ static void cdns_spi_remove(struct platf + pm_runtime_set_suspended(&pdev->dev); + } + +- spi_unregister_controller(ctlr); ++ spi_controller_put(ctlr); + } + + /** diff --git a/queue-6.12/spi-cadence-fix-unclocked-access-on-unbind.patch b/queue-6.12/spi-cadence-fix-unclocked-access-on-unbind.patch new file mode 100644 index 0000000000..6ba146bc43 --- /dev/null +++ b/queue-6.12/spi-cadence-fix-unclocked-access-on-unbind.patch @@ -0,0 +1,57 @@ +From 5b1689a41f02955c5361944f748a4812a6ff9307 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 21 Apr 2026 14:36:12 +0200 +Subject: spi: cadence: fix unclocked access on unbind + +From: Johan Hovold + +commit 5b1689a41f02955c5361944f748a4812a6ff9307 upstream. + +Make sure that the controller is runtime resumed before disabling it +during driver unbind to avoid unclocked register access and unbalanced +clock disable. + +Also restore the autosuspend setting. + +This issue was flagged by Sashiko when reviewing a controller +deregistration fix. + +Fixes: d36ccd9f7ea4 ("spi: cadence: Runtime pm adaptation") +Cc: stable@vger.kernel.org # 4.7 +Cc: Shubhrajyoti Datta +Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=1 +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260421123615.1533617-2-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-cadence.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-cadence.c ++++ b/drivers/spi/spi-cadence.c +@@ -698,16 +698,23 @@ static void cdns_spi_remove(struct platf + { + struct spi_controller *ctlr = platform_get_drvdata(pdev); + struct cdns_spi *xspi = spi_controller_get_devdata(ctlr); ++ int ret = 0; ++ ++ if (!spi_controller_is_target(ctlr)) ++ ret = pm_runtime_get_sync(&pdev->dev); + + spi_controller_get(ctlr); + + spi_unregister_controller(ctlr); + +- cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE); ++ if (ret >= 0) ++ cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE); + + if (!spi_controller_is_target(ctlr)) { + pm_runtime_disable(&pdev->dev); + pm_runtime_set_suspended(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); ++ pm_runtime_dont_use_autosuspend(&pdev->dev); + } + + spi_controller_put(ctlr); diff --git a/queue-6.12/spi-coldfire-qspi-fix-controller-deregistration.patch b/queue-6.12/spi-coldfire-qspi-fix-controller-deregistration.patch new file mode 100644 index 0000000000..f2a220f253 --- /dev/null +++ b/queue-6.12/spi-coldfire-qspi-fix-controller-deregistration.patch @@ -0,0 +1,55 @@ +From e7c510e192ff2a1264d999575eea39a506424264 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 9 Apr 2026 14:04:09 +0200 +Subject: spi: coldfire-qspi: fix controller deregistration + +From: Johan Hovold + +commit e7c510e192ff2a1264d999575eea39a506424264 upstream. + +Make sure to deregister the controller before disabling underlying +resources like clocks (via runtime pm) during driver unbind. + +Fixes: 34b8c6617366 ("spi: Add Freescale/Motorola Coldfire QSPI driver") +Cc: stable@vger.kernel.org # 2.6.34 +Cc: Steven King +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260409120419.388546-11-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-coldfire-qspi.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-coldfire-qspi.c ++++ b/drivers/spi/spi-coldfire-qspi.c +@@ -410,9 +410,9 @@ static int mcfqspi_probe(struct platform + platform_set_drvdata(pdev, host); + pm_runtime_enable(&pdev->dev); + +- status = devm_spi_register_controller(&pdev->dev, host); ++ status = spi_register_controller(host); + if (status) { +- dev_dbg(&pdev->dev, "devm_spi_register_controller failed\n"); ++ dev_dbg(&pdev->dev, "failed to register controller\n"); + goto fail1; + } + +@@ -436,11 +436,17 @@ static void mcfqspi_remove(struct platfo + struct spi_controller *host = platform_get_drvdata(pdev); + struct mcfqspi *mcfqspi = spi_controller_get_devdata(host); + ++ spi_controller_get(host); ++ ++ spi_unregister_controller(host); ++ + pm_runtime_disable(&pdev->dev); + /* disable the hardware (set the baud rate to 0) */ + mcfqspi_wr_qmr(mcfqspi, MCFQSPI_QMR_MSTR); + + mcfqspi_cs_teardown(mcfqspi); ++ ++ spi_controller_put(host); + } + + #ifdef CONFIG_PM_SLEEP diff --git a/queue-6.12/spi-fsl-fix-controller-deregistration.patch b/queue-6.12/spi-fsl-fix-controller-deregistration.patch new file mode 100644 index 0000000000..1a69da190f --- /dev/null +++ b/queue-6.12/spi-fsl-fix-controller-deregistration.patch @@ -0,0 +1,62 @@ +From 9b7abfed4c3754062d1f3ffd452e65a38667f586 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 08:47:49 +0200 +Subject: spi: fsl: fix controller deregistration + +From: Johan Hovold + +commit 9b7abfed4c3754062d1f3ffd452e65a38667f586 upstream. + +Make sure to deregister the controller before releasing underlying +resources like DMA during driver unbind. + +Fixes: 4178b6b1b595 ("spi: fsl-(e)spi: migrate to using devm_ functions to simplify cleanup") +Cc: stable@vger.kernel.org # 4.3 +Cc: Heiner Kallweit +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410064749.496888-1-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-fsl-spi.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-fsl-spi.c ++++ b/drivers/spi/spi-fsl-spi.c +@@ -614,7 +614,7 @@ static struct spi_controller *fsl_spi_pr + + mpc8xxx_spi_write_reg(®_base->mode, regval); + +- ret = devm_spi_register_controller(dev, host); ++ ret = spi_register_controller(host); + if (ret < 0) + goto err_probe; + +@@ -705,7 +705,13 @@ static void of_fsl_spi_remove(struct pla + struct spi_controller *host = platform_get_drvdata(ofdev); + struct mpc8xxx_spi *mpc8xxx_spi = spi_controller_get_devdata(host); + ++ spi_controller_get(host); ++ ++ spi_unregister_controller(host); ++ + fsl_spi_cpm_free(mpc8xxx_spi); ++ ++ spi_controller_put(host); + } + + static struct platform_driver of_fsl_spi_driver = { +@@ -751,7 +757,13 @@ static void plat_mpc8xxx_spi_remove(stru + struct spi_controller *host = platform_get_drvdata(pdev); + struct mpc8xxx_spi *mpc8xxx_spi = spi_controller_get_devdata(host); + ++ spi_controller_get(host); ++ ++ spi_unregister_controller(host); ++ + fsl_spi_cpm_free(mpc8xxx_spi); ++ ++ spi_controller_put(host); + } + + MODULE_ALIAS("platform:mpc8xxx_spi"); diff --git a/queue-6.12/spi-img-spfi-fix-controller-deregistration.patch b/queue-6.12/spi-img-spfi-fix-controller-deregistration.patch new file mode 100644 index 0000000000..c7be9f2f2c --- /dev/null +++ b/queue-6.12/spi-img-spfi-fix-controller-deregistration.patch @@ -0,0 +1,54 @@ +From fc3a83b0d9c16b941c9028f5a8db9541dce4ddf2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 9 Apr 2026 14:04:14 +0200 +Subject: spi: img-spfi: fix controller deregistration + +From: Johan Hovold + +commit fc3a83b0d9c16b941c9028f5a8db9541dce4ddf2 upstream. + +Make sure to deregister the controller before disabling and releasing +underlying resources like clocks and DMA during driver unbind. + +Fixes: deba25800a12 ("spi: Add driver for IMG SPFI controller") +Cc: stable@vger.kernel.org # 3.19 +Cc: Andrew Bresticker +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260409120419.388546-16-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-img-spfi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-img-spfi.c ++++ b/drivers/spi/spi-img-spfi.c +@@ -644,7 +644,7 @@ static int img_spfi_probe(struct platfor + pm_runtime_set_active(spfi->dev); + pm_runtime_enable(spfi->dev); + +- ret = devm_spi_register_controller(spfi->dev, host); ++ ret = spi_register_controller(host); + if (ret) + goto disable_pm; + +@@ -670,6 +670,10 @@ static void img_spfi_remove(struct platf + struct spi_controller *host = platform_get_drvdata(pdev); + struct img_spfi *spfi = spi_controller_get_devdata(host); + ++ spi_controller_get(host); ++ ++ spi_unregister_controller(host); ++ + if (spfi->tx_ch) + dma_release_channel(spfi->tx_ch); + if (spfi->rx_ch) +@@ -680,6 +684,8 @@ static void img_spfi_remove(struct platf + clk_disable_unprepare(spfi->spfi_clk); + clk_disable_unprepare(spfi->sys_clk); + } ++ ++ spi_controller_put(host); + } + + #ifdef CONFIG_PM diff --git a/queue-6.12/spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch b/queue-6.12/spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch new file mode 100644 index 0000000000..17bab50d81 --- /dev/null +++ b/queue-6.12/spi-imx-fix-runtime-pm-leak-on-probe-deferral.patch @@ -0,0 +1,34 @@ +From a1d50a37d3b1df84f536a982f692371039df4a48 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 21 Apr 2026 14:56:32 +0200 +Subject: spi: imx: fix runtime pm leak on probe deferral + +From: Johan Hovold + +commit a1d50a37d3b1df84f536a982f692371039df4a48 upstream. + +Make sure to balance the runtime PM usage count before returning on +probe failure (e.g. probe deferral) so that the controller can be +suspended when a driver is later bound. + +Fixes: 43b6bf406cd0 ("spi: imx: fix runtime pm support for !CONFIG_PM") +Cc: stable@vger.kernel.org # 5.10 +Cc: Sascha Hauer +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260421125632.1537235-1-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-imx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1876,6 +1876,7 @@ out_register_controller: + out_runtime_pm_put: + pm_runtime_dont_use_autosuspend(spi_imx->dev); + pm_runtime_disable(spi_imx->dev); ++ pm_runtime_put_noidle(spi_imx->dev); + pm_runtime_set_suspended(&pdev->dev); + + clk_disable_unprepare(spi_imx->clk_ipg); diff --git a/queue-6.12/spi-mpc52xx-fix-controller-deregistration.patch b/queue-6.12/spi-mpc52xx-fix-controller-deregistration.patch new file mode 100644 index 0000000000..fdecda5d9f --- /dev/null +++ b/queue-6.12/spi-mpc52xx-fix-controller-deregistration.patch @@ -0,0 +1,44 @@ +From 0f997fdae819a8c2cc83bd4ff7d935ad76c727c9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 14 Apr 2026 15:43:14 +0200 +Subject: spi: mpc52xx: fix controller deregistration + +From: Johan Hovold + +commit 0f997fdae819a8c2cc83bd4ff7d935ad76c727c9 upstream. + +Make sure to deregister the controller before disabling and releasing +underlying resources like interrupts and gpios during driver unbind. + +Fixes: 42bbb70980f3 ("powerpc/5200: Add mpc5200-spi (non-PSC) device driver") +Fixes: b8d4e2ce60b6 ("mpc52xx_spi: add gpio chipselect") +Cc: stable@vger.kernel.org # 2.6.33 +Cc: Grant Likely +Cc: Luotao Fu +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260414134319.978196-4-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-mpc52xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-mpc52xx.c ++++ b/drivers/spi/spi-mpc52xx.c +@@ -523,6 +523,8 @@ static void mpc52xx_spi_remove(struct pl + struct mpc52xx_spi *ms = spi_controller_get_devdata(host); + int i; + ++ spi_unregister_controller(host); ++ + cancel_work_sync(&ms->work); + free_irq(ms->irq0, ms); + free_irq(ms->irq1, ms); +@@ -531,7 +533,6 @@ static void mpc52xx_spi_remove(struct pl + gpiod_put(ms->gpio_cs[i]); + + kfree(ms->gpio_cs); +- spi_unregister_controller(host); + iounmap(ms->regs); + spi_controller_put(host); + } diff --git a/queue-6.12/spi-mpc52xx-fix-use-after-free-on-registration-failure.patch b/queue-6.12/spi-mpc52xx-fix-use-after-free-on-registration-failure.patch new file mode 100644 index 0000000000..dde6980dc3 --- /dev/null +++ b/queue-6.12/spi-mpc52xx-fix-use-after-free-on-registration-failure.patch @@ -0,0 +1,40 @@ +From f62c060272b9d7423b1650b844e8e4e7b8f9f925 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 21 Apr 2026 14:58:00 +0200 +Subject: spi: mpc52xx: fix use-after-free on registration failure + +From: Johan Hovold + +commit f62c060272b9d7423b1650b844e8e4e7b8f9f925 upstream. + +Make sure to disable and free the interrupts in case controller +registration fails to avoid a potential use-after-free and resource +leak. + +This issue was flagged by Sashiko when reviewing a controller +deregistration fix. + +Fixes: 42bbb70980f3 ("powerpc/5200: Add mpc5200-spi (non-PSC) device driver") +Cc: stable@vger.kernel.org # 2.6.33 +Cc: Grant Likely +Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=3 +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260421125800.1537361-1-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-mpc52xx.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/spi/spi-mpc52xx.c ++++ b/drivers/spi/spi-mpc52xx.c +@@ -501,6 +501,9 @@ static int mpc52xx_spi_probe(struct plat + + err_register: + dev_err(&ms->host->dev, "initialization failed\n"); ++ free_irq(ms->irq0, ms); ++ free_irq(ms->irq1, ms); ++ cancel_work_sync(&ms->work); + err_gpio: + while (i-- > 0) + gpiod_put(ms->gpio_cs[i]); diff --git a/queue-6.12/spi-mpc52xx-fix-use-after-free-on-unbind.patch b/queue-6.12/spi-mpc52xx-fix-use-after-free-on-unbind.patch new file mode 100644 index 0000000000..92937a7fcf --- /dev/null +++ b/queue-6.12/spi-mpc52xx-fix-use-after-free-on-unbind.patch @@ -0,0 +1,39 @@ +From 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 14 Apr 2026 15:43:15 +0200 +Subject: spi: mpc52xx: fix use-after-free on unbind + +From: Johan Hovold + +commit 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 upstream. + +The state machine work is scheduled by the interrupt handler and +therefore needs to be cancelled after disabling interrupts to avoid a +potential use-after-free. + +Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove") +Cc: stable@vger.kernel.org +Cc: Pei Xiao +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260414134319.978196-5-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-mpc52xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-mpc52xx.c ++++ b/drivers/spi/spi-mpc52xx.c +@@ -525,10 +525,11 @@ static void mpc52xx_spi_remove(struct pl + + spi_unregister_controller(host); + +- cancel_work_sync(&ms->work); + free_irq(ms->irq0, ms); + free_irq(ms->irq1, ms); + ++ cancel_work_sync(&ms->work); ++ + for (i = 0; i < ms->gpio_cs_count; i++) + gpiod_put(ms->gpio_cs[i]); + diff --git a/queue-6.12/spi-mxic-fix-controller-deregistration.patch b/queue-6.12/spi-mxic-fix-controller-deregistration.patch new file mode 100644 index 0000000000..bc772c0152 --- /dev/null +++ b/queue-6.12/spi-mxic-fix-controller-deregistration.patch @@ -0,0 +1,38 @@ +From adbc595e272052181d40ec307a4c5ba98571b0fe Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 14 Apr 2026 15:43:16 +0200 +Subject: spi: mxic: fix controller deregistration + +From: Johan Hovold + +commit adbc595e272052181d40ec307a4c5ba98571b0fe upstream. + +Make sure to deregister the controller before disabling underlying +resources like clocks (via runtime pm) during driver unbind. + +Fixes: b942d80b0a39 ("spi: Add MXIC controller driver") +Cc: stable@vger.kernel.org # 5.0: cc53711b2191 +Cc: stable@vger.kernel.org # 5.0 +Cc: Mason Yang +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260414134319.978196-6-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-mxic.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-mxic.c ++++ b/drivers/spi/spi-mxic.c +@@ -823,9 +823,10 @@ static void mxic_spi_remove(struct platf + struct spi_controller *host = platform_get_drvdata(pdev); + struct mxic_spi *mxic = spi_controller_get_devdata(host); + ++ spi_unregister_controller(host); ++ + pm_runtime_disable(&pdev->dev); + mxic_spi_mem_ecc_remove(mxic); +- spi_unregister_controller(host); + } + + static const struct of_device_id mxic_spi_of_ids[] = { diff --git a/queue-6.12/spi-npcm-pspi-fix-controller-deregistration.patch b/queue-6.12/spi-npcm-pspi-fix-controller-deregistration.patch new file mode 100644 index 0000000000..951932d764 --- /dev/null +++ b/queue-6.12/spi-npcm-pspi-fix-controller-deregistration.patch @@ -0,0 +1,49 @@ +From ebd81199e00e107980bf8c4d2c747ae50158f797 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 10:17:34 +0200 +Subject: spi: npcm-pspi: fix controller deregistration + +From: Johan Hovold + +commit ebd81199e00e107980bf8c4d2c747ae50158f797 upstream. + +Make sure to deregister the controller before disabling underlying +resources like clocks during driver unbind. + +Fixes: 2a22f1b30cee ("spi: npcm: add NPCM PSPI controller driver") +Cc: stable@vger.kernel.org # 5.0 +Cc: Tomer Maimon +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410081757.503099-5-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-npcm-pspi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-npcm-pspi.c ++++ b/drivers/spi/spi-npcm-pspi.c +@@ -414,7 +414,7 @@ static int npcm_pspi_probe(struct platfo + /* set to default clock rate */ + npcm_pspi_set_baudrate(priv, NPCM_PSPI_DEFAULT_CLK); + +- ret = devm_spi_register_controller(&pdev->dev, host); ++ ret = spi_register_controller(host); + if (ret) + goto out_disable_clk; + +@@ -435,8 +435,14 @@ static void npcm_pspi_remove(struct plat + struct spi_controller *host = platform_get_drvdata(pdev); + struct npcm_pspi *priv = spi_controller_get_devdata(host); + ++ spi_controller_get(host); ++ ++ spi_unregister_controller(host); ++ + npcm_pspi_reset_hw(priv); + clk_disable_unprepare(priv->clk); ++ ++ spi_controller_put(host); + } + + static const struct of_device_id npcm_pspi_match[] = { diff --git a/queue-6.12/spi-orion-fix-clock-imbalance-on-registration-failure.patch b/queue-6.12/spi-orion-fix-clock-imbalance-on-registration-failure.patch new file mode 100644 index 0000000000..4e49125d17 --- /dev/null +++ b/queue-6.12/spi-orion-fix-clock-imbalance-on-registration-failure.patch @@ -0,0 +1,51 @@ +From 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 21 Apr 2026 15:02:10 +0200 +Subject: spi: orion: fix clock imbalance on registration failure + +From: Johan Hovold + +commit 443cde0dc59c5d154156ac9f27a7dadef8ebc0c2 upstream. + +Make sure that the controller is not runtime suspended before disabling +clocks on probe failure. + +Also restore the autosuspend setting. + +Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support") +Cc: stable@vger.kernel.org # 3.17 +Cc: Russell King +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260421130211.1537628-3-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-orion.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/spi/spi-orion.c ++++ b/drivers/spi/spi-orion.c +@@ -774,6 +774,7 @@ static int orion_spi_probe(struct platfo + pm_runtime_set_active(&pdev->dev); + pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_set_autosuspend_delay(&pdev->dev, SPI_AUTOSUSPEND_TIMEOUT); ++ pm_runtime_get_noresume(&pdev->dev); + pm_runtime_enable(&pdev->dev); + + status = orion_spi_reset(spi); +@@ -785,10 +786,15 @@ static int orion_spi_probe(struct platfo + if (status < 0) + goto out_rel_pm; + ++ pm_runtime_put_autosuspend(&pdev->dev); ++ + return status; + + out_rel_pm: + pm_runtime_disable(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); ++ pm_runtime_set_suspended(&pdev->dev); ++ pm_runtime_dont_use_autosuspend(&pdev->dev); + out_rel_axi_clk: + clk_disable_unprepare(spi->axi_clk); + out: diff --git a/queue-6.12/spi-orion-fix-controller-deregistration.patch b/queue-6.12/spi-orion-fix-controller-deregistration.patch new file mode 100644 index 0000000000..595311ba4f --- /dev/null +++ b/queue-6.12/spi-orion-fix-controller-deregistration.patch @@ -0,0 +1,41 @@ +From 220f4f11104a7f83b71543ef0e48dde1da2bc5d3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 14 Apr 2026 15:43:17 +0200 +Subject: spi: orion: fix controller deregistration + +From: Johan Hovold + +commit 220f4f11104a7f83b71543ef0e48dde1da2bc5d3 upstream. + +Make sure to deregister the controller before disabling underlying +resources like clocks during driver unbind. + +Fixes: 60cadec9da7b ("spi: new orion_spi driver") +Cc: stable@vger.kernel.org # 2.6.27 +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260414134319.978196-7-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-orion.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-orion.c ++++ b/drivers/spi/spi-orion.c +@@ -802,10 +802,15 @@ static void orion_spi_remove(struct plat + struct spi_controller *host = platform_get_drvdata(pdev); + struct orion_spi *spi = spi_controller_get_devdata(host); + ++ spi_controller_get(host); ++ ++ spi_unregister_controller(host); ++ + pm_runtime_get_sync(&pdev->dev); + clk_disable_unprepare(spi->axi_clk); + +- spi_unregister_controller(host); ++ spi_controller_put(host); ++ + pm_runtime_disable(&pdev->dev); + } + diff --git a/queue-6.12/spi-orion-fix-runtime-pm-leak-on-unbind.patch b/queue-6.12/spi-orion-fix-runtime-pm-leak-on-unbind.patch new file mode 100644 index 0000000000..670226e4f1 --- /dev/null +++ b/queue-6.12/spi-orion-fix-runtime-pm-leak-on-unbind.patch @@ -0,0 +1,41 @@ +From 97b17dd8266d2e26d9ee3c75a0fa34ecde6944f0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 21 Apr 2026 15:02:09 +0200 +Subject: spi: orion: fix runtime pm leak on unbind + +From: Johan Hovold + +commit 97b17dd8266d2e26d9ee3c75a0fa34ecde6944f0 upstream. + +Make sure to balance the runtime PM usage count on driver unbind so that +the controller can be suspended when a driver is rebound. + +Also restore the autosuspend setting. + +This issue was flagged by Sashiko when reviewing a controller +deregistration fix. + +Fixes: 5c6786945b4e ("spi: spi-orion: add runtime PM support") +Cc: stable@vger.kernel.org # 3.17 +Cc: Russell King +Link: https://sashiko.dev/#/patchset/20260414134319.978196-1-johan%40kernel.org?part=6 +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260421130211.1537628-2-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-orion.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/spi/spi-orion.c ++++ b/drivers/spi/spi-orion.c +@@ -812,6 +812,9 @@ static void orion_spi_remove(struct plat + spi_controller_put(host); + + pm_runtime_disable(&pdev->dev); ++ pm_runtime_put_noidle(&pdev->dev); ++ pm_runtime_set_suspended(&pdev->dev); ++ pm_runtime_dont_use_autosuspend(&pdev->dev); + } + + MODULE_ALIAS("platform:" DRIVER_NAME); diff --git a/queue-6.12/spi-pic32-sqi-fix-controller-deregistration.patch b/queue-6.12/spi-pic32-sqi-fix-controller-deregistration.patch new file mode 100644 index 0000000000..a69327ec82 --- /dev/null +++ b/queue-6.12/spi-pic32-sqi-fix-controller-deregistration.patch @@ -0,0 +1,50 @@ +From 420df79d1a618951eb0eb4331df95c9f4f763b8b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 10:17:37 +0200 +Subject: spi: pic32-sqi: fix controller deregistration + +From: Johan Hovold + +commit 420df79d1a618951eb0eb4331df95c9f4f763b8b upstream. + +Make sure to deregister the controller before releasing underlying +resources like DMA during driver unbind. + +Fixes: 3270ac230f66 ("spi: pic32-sqi: add SPI driver for PIC32 SQI controller.") +Cc: stable@vger.kernel.org # 4.7 +Cc: Purna Chandra Mandal +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410081757.503099-8-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-pic32-sqi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-pic32-sqi.c ++++ b/drivers/spi/spi-pic32-sqi.c +@@ -642,7 +642,7 @@ static int pic32_sqi_probe(struct platfo + host->prepare_transfer_hardware = pic32_sqi_prepare_hardware; + host->unprepare_transfer_hardware = pic32_sqi_unprepare_hardware; + +- ret = devm_spi_register_controller(&pdev->dev, host); ++ ret = spi_register_controller(host); + if (ret) { + dev_err(&host->dev, "failed registering spi host\n"); + free_irq(sqi->irq, sqi); +@@ -665,9 +665,15 @@ static void pic32_sqi_remove(struct plat + { + struct pic32_sqi *sqi = platform_get_drvdata(pdev); + ++ spi_controller_get(sqi->host); ++ ++ spi_unregister_controller(sqi->host); ++ + /* release resources */ + free_irq(sqi->irq, sqi); + ring_desc_ring_free(sqi); ++ ++ spi_controller_put(sqi->host); + } + + static const struct of_device_id pic32_sqi_of_ids[] = { diff --git a/queue-6.12/spi-rspi-fix-controller-deregistration.patch b/queue-6.12/spi-rspi-fix-controller-deregistration.patch new file mode 100644 index 0000000000..6f5b0f7ab6 --- /dev/null +++ b/queue-6.12/spi-rspi-fix-controller-deregistration.patch @@ -0,0 +1,52 @@ +From 9944fa6726afb1e6eb7e2212764e7da0c97f2dcc Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 10:17:40 +0200 +Subject: spi: rspi: fix controller deregistration + +From: Johan Hovold + +commit 9944fa6726afb1e6eb7e2212764e7da0c97f2dcc upstream. + +Make sure to deregister the controller before releasing underlying +resources like DMA during driver unbind. + +Fixes: 9e03d05eee4c ("spi: rcar: Use devm_spi_register_master()") +Cc: stable@vger.kernel.org # 3.14 +Cc: Jingoo Han +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410081757.503099-11-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-rspi.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-rspi.c ++++ b/drivers/spi/spi-rspi.c +@@ -1171,8 +1171,14 @@ static void rspi_remove(struct platform_ + { + struct rspi_data *rspi = platform_get_drvdata(pdev); + ++ spi_controller_get(rspi->ctlr); ++ ++ spi_unregister_controller(rspi->ctlr); ++ + rspi_release_dma(rspi->ctlr); + pm_runtime_disable(&pdev->dev); ++ ++ spi_controller_put(rspi->ctlr); + } + + static const struct spi_ops rspi_ops = { +@@ -1377,9 +1383,9 @@ static int rspi_probe(struct platform_de + if (ret < 0) + dev_warn(&pdev->dev, "DMA not available, using PIO\n"); + +- ret = devm_spi_register_controller(&pdev->dev, ctlr); ++ ret = spi_register_controller(ctlr); + if (ret < 0) { +- dev_err(&pdev->dev, "devm_spi_register_controller error.\n"); ++ dev_err(&pdev->dev, "failed to register controller\n"); + goto error3; + } + diff --git a/queue-6.12/spi-sh-hspi-fix-controller-deregistration.patch b/queue-6.12/spi-sh-hspi-fix-controller-deregistration.patch new file mode 100644 index 0000000000..60decff03e --- /dev/null +++ b/queue-6.12/spi-sh-hspi-fix-controller-deregistration.patch @@ -0,0 +1,52 @@ +From e63982e6392e45a6ecd68d6c317a081cc8e70143 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 10:17:42 +0200 +Subject: spi: sh-hspi: fix controller deregistration + +From: Johan Hovold + +commit e63982e6392e45a6ecd68d6c317a081cc8e70143 upstream. + +Make sure to deregister the controller before releasing underlying +resources like clocks during driver unbind. + +Fixes: 49e599b8595f ("spi: sh-hspi: control spi clock more correctly") +Cc: stable@vger.kernel.org # 3.4 +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410081757.503099-13-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sh-hspi.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-sh-hspi.c ++++ b/drivers/spi/spi-sh-hspi.c +@@ -258,9 +258,9 @@ static int hspi_probe(struct platform_de + ctlr->transfer_one_message = hspi_transfer_one_message; + ctlr->bits_per_word_mask = SPI_BPW_MASK(8); + +- ret = devm_spi_register_controller(&pdev->dev, ctlr); ++ ret = spi_register_controller(ctlr); + if (ret < 0) { +- dev_err(&pdev->dev, "devm_spi_register_controller error.\n"); ++ dev_err(&pdev->dev, "failed to register controller\n"); + goto error2; + } + +@@ -280,9 +280,15 @@ static void hspi_remove(struct platform_ + { + struct hspi_priv *hspi = platform_get_drvdata(pdev); + ++ spi_controller_get(hspi->ctlr); ++ ++ spi_unregister_controller(hspi->ctlr); ++ + pm_runtime_disable(&pdev->dev); + + clk_put(hspi->clk); ++ ++ spi_controller_put(hspi->ctlr); + } + + static const struct of_device_id hspi_of_match[] = { diff --git a/queue-6.12/spi-sprd-fix-controller-deregistration.patch b/queue-6.12/spi-sprd-fix-controller-deregistration.patch new file mode 100644 index 0000000000..bd4268a0f1 --- /dev/null +++ b/queue-6.12/spi-sprd-fix-controller-deregistration.patch @@ -0,0 +1,60 @@ +From 123d17dbc5f07059752fa5e616385ca29a8f935a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 10 Apr 2026 10:17:46 +0200 +Subject: spi: sprd: fix controller deregistration + +From: Johan Hovold + +commit 123d17dbc5f07059752fa5e616385ca29a8f935a upstream. + +Make sure to deregister the controller before disabling underlying +resources like clocks during driver unbind. + +Note that the controller is suspended before disabling and releasing +resources since commit de082d866cce ("spi: sprd: Add the SPI irq +function for the SPI DMA mode") which avoids issues like unclocked +accesses but prevents SPI device drivers from doing I/O during +deregistration. + +Fixes: e7d973a31c24 ("spi: sprd: Add SPI driver for Spreadtrum SC9860") +Cc: stable@vger.kernel.org # 4.20 +Cc: Lanqing Liu +Signed-off-by: Johan Hovold +Link: https://patch.msgid.link/20260410081757.503099-17-johan@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sprd.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-sprd.c ++++ b/drivers/spi/spi-sprd.c +@@ -978,7 +978,7 @@ static int sprd_spi_probe(struct platfor + goto err_rpm_put; + } + +- ret = devm_spi_register_controller(&pdev->dev, sctlr); ++ ret = spi_register_controller(sctlr); + if (ret) + goto err_rpm_put; + +@@ -1010,7 +1010,9 @@ static void sprd_spi_remove(struct platf + if (ret < 0) + dev_err(ss->dev, "failed to resume SPI controller\n"); + +- spi_controller_suspend(sctlr); ++ spi_controller_get(sctlr); ++ ++ spi_unregister_controller(sctlr); + + if (ret >= 0) { + if (ss->dma.enable) +@@ -1019,6 +1021,8 @@ static void sprd_spi_remove(struct platf + } + pm_runtime_put_noidle(&pdev->dev); + pm_runtime_disable(&pdev->dev); ++ ++ spi_controller_put(sctlr); + } + + static int __maybe_unused sprd_spi_runtime_suspend(struct device *dev)