From 13e23c34c8d02235174f8f274132b9c7f7f77c8b Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 28 Sep 2025 19:36:05 -0400
Subject: [PATCH] Fixes for all trees
Signed-off-by: Sasha Levin
---
 ...x-incorrect-boolean-values-in-af_alg.patch | 48 ++++
 queue-5.10/series | 1 +
 ...sallow-concurrent-writes-in-af_alg_s.patch | 83 +++++++
 ...x-incorrect-boolean-values-in-af_alg.patch | 48 ++++
 queue-5.15/series | 2 +
 ...c-enable-extended-cat-error-reportin.patch | 230 ++++++++++++++++++
 ...-drm-xe-guc-set-rcs-ccs-yield-policy.patch | 222 +++++++++++++++++
 queue-6.16/series | 3 +
 ...fix-slab-out-of-bounds-in-_parse_int.patch | 74 ++++
 9 files changed, 711 insertions(+)
 create mode 100644 queue-5.10/crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
 create mode 100644 queue-5.15/crypto-af_alg-disallow-concurrent-writes-in-af_alg_s.patch
 create mode 100644 queue-5.15/crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
 create mode 100644 queue-6.16/revert-drm-xe-guc-enable-extended-cat-error-reportin.patch
 create mode 100644 queue-6.16/revert-drm-xe-guc-set-rcs-ccs-yield-policy.patch
 create mode 100644 queue-6.16/tracing-osnoise-fix-slab-out-of-bounds-in-_parse_int.patch
diff --git a/queue-5.10/crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch b/queue-5.10/crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
new file mode 100644
index 0000000000..0e84b9d2ac
--- /dev/null
+++ b/queue-5.10/crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
@@ -0,0 +1,48 @@
+From 11f7dcc1e1586e77e7a84eca6d5092d46fff4045 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Sep 2025 13:18:22 -0700
+Subject: crypto: af_alg - Fix incorrect boolean values in af_alg_ctx
+
+From: Eric Biggers
+
+[ Upstream commit d0ca0df179c4b21e2a6c4a4fb637aa8fa14575cb ]
+
+Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in
+af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of
+type u32.
+
+However, some assignments to these fields, specifically 'more' and
+'merge', assign values greater than 1. These relied on C's implicit
+conversion to bool, such that zero becomes false and nonzero becomes
+true.
+
+With a 1-bit bitfields of type u32 instead, mod 2 of the value is taken
+instead, resulting in 0 being assigned in some cases when 1 was intended.
+
+Fix this by restoring the bool type.
+
+Fixes: 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/crypto/if_alg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
+index 1424200fe88cf..9af84cad92e93 100644
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -152,7 +152,7 @@ struct af_alg_ctx {
+ size_t used;
+ atomic_t rcvused;
+
+- u32 more:1,
++ bool more:1,
+ merge:1,
+ enc:1,
+ write:1,
+--
+2.51.0
+
diff --git a/queue-5.10/series b/queue-5.10/series
index 4b2297e23e..5b0e6c3141 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -106,3 +106,4 @@ nexthop-emit-a-notification-when-a-single-nexthop-is.patch
 nexthop-forbid-fdb-status-change-while-nexthop-is-in.patch
 selftests-fib_nexthops-fix-creation-of-non-fdb-nexth.patch
 drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
+crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
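Review bot: Nothing at the `bool more:1,` declaration records why these one-bit fields must be `bool`, and the regression being fixed came from exactly that type being changed to `u32`. A comment above the declaration in struct af_alg_ctx, for example `/* Must be bool, not u32: 'more' and 'merge' are assigned values > 1 and rely on conversion to bool. */`, would keep a later cleanup from reintroducing the truncation. The hunk ends at `write:1,`, so the final declarator of the list is outside the view. The same applies to the identical patch queued for 5.15.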
diff --git a/queue-5.15/crypto-af_alg-disallow-concurrent-writes-in-af_alg_s.patch b/queue-5.15/crypto-af_alg-disallow-concurrent-writes-in-af_alg_s.patch
new file mode 100644
index 0000000000..baa481536a
--- /dev/null
+++ b/queue-5.15/crypto-af_alg-disallow-concurrent-writes-in-af_alg_s.patch
@@ -0,0 +1,83 @@
+From a0ddff2135c35bacd4f0c6c927d5d3188e14dfb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Sep 2025 17:20:59 +0800
+Subject: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
+
+From: Herbert Xu
+
+[ Upstream commit 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 ]
+
+Issuing two writes to the same af_alg socket is bogus as the
+data will be interleaved in an unpredictable fashion. Furthermore,
+concurrent writes may create inconsistencies in the internal
+socket state.
+
+Disallow this by adding a new ctx->write field that indiciates
+exclusive ownership for writing.
+
+Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations")
+Reported-by: Muhammad Alifa Ramdhan
+Reported-by: Bing-Jhong Billy Jheng
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ crypto/af_alg.c | 7 +++++++
+ include/crypto/if_alg.h | 10 ++++++----
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/af_alg.c b/crypto/af_alg.c
+index aa93501e27b95..24c273f53e90a 100644
+--- a/crypto/af_alg.c
++++ b/crypto/af_alg.c
+@@ -862,6 +862,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
+ }
+
+ lock_sock(sk);
++ if (ctx->write) {
++ release_sock(sk);
++ return -EBUSY;
++ }
++ ctx->write = true;
++
+ if (ctx->init && !ctx->more) {
+ if (ctx->used) {
+ err = -EINVAL;
+@@ -969,6 +975,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
+
+ unlock:
+ af_alg_data_wakeup(sk);
++ ctx->write = false;
+ release_sock(sk);
+
+ return copied ?: err;
+diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
+index a406e281ae571..1424200fe88cf 100644
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -136,6 +136,7 @@ struct af_alg_async_req {
+ * SG?
+ * @enc: Cryptographic operation to be performed when
+ * recvmsg is invoked.
++ * @write: True if we are in the middle of a write.
+ * @init: True if metadata has been sent.
+ * @len: Length of memory allocated for this data structure.
+ * @inflight: Non-zero when AIO requests are in flight.
+@@ -151,10 +152,11 @@ struct af_alg_ctx {
+ size_t used;
+ atomic_t rcvused;
+
+- bool more;
+- bool merge;
+- bool enc;
+- bool init;
++ u32 more:1,
++ merge:1,
++ enc:1,
++ write:1,
++ init:1;
+
+ unsigned int len;
+
+--
+2.51.0
+
diff --git a/queue-5.15/crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch b/queue-5.15/crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
new file mode 100644
index 0000000000..d7bcb016b2
--- /dev/null
+++ b/queue-5.15/crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
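Review bot: After `ctx->write = true;` the flag is cleared only at the `unlock:` label, so every exit from af_alg_sendmsg() between the two added hunks must go through `unlock`; a path that returns directly would leave the socket answering `-EBUSY` to every later write. The body between the two hunks is not shown, so this needs checking against the 5.15 source rather than the upstream one. A short comment at the set site, such as `/* exclusive writer; cleared at unlock: — do not return without goto unlock */`, would make the invariant visible. Separately, the `u32 more:1, merge:1, …` declaration in if_alg.h truncates assigned values greater than 1, which the next patch in this queue corrects, so the two should not be split across releases.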
@@ -0,0 +1,48 @@
+From b8b54273ecac70294fde1c39531eec4b52ccb6f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Sep 2025 13:18:22 -0700
+Subject: crypto: af_alg - Fix incorrect boolean values in af_alg_ctx
+
+From: Eric Biggers
+
+[ Upstream commit d0ca0df179c4b21e2a6c4a4fb637aa8fa14575cb ]
+
+Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in
+af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of
+type u32.
+
+However, some assignments to these fields, specifically 'more' and
+'merge', assign values greater than 1. These relied on C's implicit
+conversion to bool, such that zero becomes false and nonzero becomes
+true.
+
+With a 1-bit bitfields of type u32 instead, mod 2 of the value is taken
+instead, resulting in 0 being assigned in some cases when 1 was intended.
+
+Fix this by restoring the bool type.
+
+Fixes: 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/crypto/if_alg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
+index 1424200fe88cf..9af84cad92e93 100644
+--- a/include/crypto/if_alg.h
++++ b/include/crypto/if_alg.h
+@@ -152,7 +152,7 @@ struct af_alg_ctx {
+ size_t used;
+ atomic_t rcvused;
+
+- u32 more:1,
++ bool more:1,
+ merge:1,
+ enc:1,
+ write:1,
+--
+2.51.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index a29e74766f..45c90eee78 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -133,3 +133,5 @@ net-dsa-lantiq_gswip-do-also-enable-or-disable-cpu-p.patch
 net-dsa-lantiq_gswip-move-gswip_add_single_port_br-c.patch
 net-dsa-lantiq_gswip-suppress-einval-errors-for-brid.patch
 drm-gma500-fix-null-dereference-in-hdmi-teardown.patch
+crypto-af_alg-disallow-concurrent-writes-in-af_alg_s.patch
+crypto-af_alg-fix-incorrect-boolean-values-in-af_alg.patch
diff --git a/queue-6.16/revert-drm-xe-guc-enable-extended-cat-error-reportin.patch b/queue-6.16/revert-drm-xe-guc-enable-extended-cat-error-reportin.patch
new file mode 100644
index 0000000000..13046b8bec
--- /dev/null
+++ b/queue-6.16/revert-drm-xe-guc-enable-extended-cat-error-reportin.patch
@@ -0,0 +1,230 @@
+From b134ca709d940e6128a4f58db107ed8fbd24db5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 28 Sep 2025 11:43:00 -0400
+Subject: Revert "drm/xe/guc: Enable extended CAT error reporting"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit a7ffcea8631af91479cab10aa7fbfd0722f01d9a.
+
+Reported-by: Iyán Méndez Veiga
+Link: https://lore.kernel.org/stable/aNlW7ekiC0dNPxU3@laps/T/#t
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/xe/abi/guc_actions_abi.h | 4 --
+ drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 15 -------
+ drivers/gpu/drm/xe/xe_guc.c | 56 ------------------------
+ drivers/gpu/drm/xe/xe_guc.h | 1 -
+ drivers/gpu/drm/xe/xe_guc_submit.c | 21 ++-------
+ drivers/gpu/drm/xe/xe_uc.c | 4 --
+ 6 files changed, 3 insertions(+), 98 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/abi/guc_actions_abi.h b/drivers/gpu/drm/xe/abi/guc_actions_abi.h
+index b55d4cfb483a1..448afb86e05c7 100644
+--- a/drivers/gpu/drm/xe/abi/guc_actions_abi.h
++++ b/drivers/gpu/drm/xe/abi/guc_actions_abi.h
+@@ -142,7 +142,6 @@ enum xe_guc_action {
+ XE_GUC_ACTION_SET_ENG_UTIL_BUFF = 0x550A,
+ XE_GUC_ACTION_SET_DEVICE_ENGINE_ACTIVITY_BUFFER = 0x550C,
+ XE_GUC_ACTION_SET_FUNCTION_ENGINE_ACTIVITY_BUFFER = 0x550D,
+- XE_GUC_ACTION_OPT_IN_FEATURE_KLV = 0x550E,
+ XE_GUC_ACTION_NOTIFY_MEMORY_CAT_ERROR = 0x6000,
+ XE_GUC_ACTION_REPORT_PAGE_FAULT_REQ_DESC = 0x6002,
+ XE_GUC_ACTION_PAGE_FAULT_RES_DESC = 0x6003,
+@@ -241,7 +240,4 @@ enum xe_guc_g2g_type {
+ #define XE_G2G_DEREGISTER_TILE REG_GENMASK(15, 12)
+ #define XE_G2G_DEREGISTER_TYPE REG_GENMASK(11, 8)
+
+-/* invalid type for XE_GUC_ACTION_NOTIFY_MEMORY_CAT_ERROR */
+-#define XE_GUC_CAT_ERR_TYPE_INVALID 0xdeadbeef
+-
+ #endif
+diff --git a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+index 5b2502bec2dcc..7de8f827281fc 100644
+--- a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
++++ b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+@@ -16,7 +16,6 @@
+ * +===+=======+==============================================================+
+ * | 0 | 31:16 | **KEY** - KLV key identifier |
+ * | | | - `GuC Self Config KLVs`_ |
+- * | | | - `GuC Opt In Feature KLVs`_ |
+ * | | | - `GuC VGT Policy KLVs`_ |
+ * | | | - `GuC VF Configuration KLVs`_ |
+ * | | | |
+@@ -125,20 +124,6 @@ enum {
+ GUC_CONTEXT_POLICIES_KLV_NUM_IDS = 5,
+ };
+
+-/**
+- * DOC: GuC Opt In Feature KLVs
+- *
+- * `GuC KLV`_ keys available for use with OPT_IN_FEATURE_KLV
+- *
+- * _`GUC_KLV_OPT_IN_FEATURE_EXT_CAT_ERR_TYPE` : 0x4001
+- * Adds an extra dword to the XE_GUC_ACTION_NOTIFY_MEMORY_CAT_ERROR G2H
+- * containing the type of the CAT error. On HW that does not support
+- * reporting the CAT error type, the extra dword is set to 0xdeadbeef.
+- */
+-
+-#define GUC_KLV_OPT_IN_FEATURE_EXT_CAT_ERR_TYPE_KEY 0x4001
+-#define GUC_KLV_OPT_IN_FEATURE_EXT_CAT_ERR_TYPE_LEN 0u
+-
+ /**
+ * DOC: GuC VGT Policy KLVs
+ *
+diff --git a/drivers/gpu/drm/xe/xe_guc.c b/drivers/gpu/drm/xe/xe_guc.c
+index 2efc0298e1a4c..bac5471a1a780 100644
+--- a/drivers/gpu/drm/xe/xe_guc.c
++++ b/drivers/gpu/drm/xe/xe_guc.c
+@@ -29,7 +29,6 @@
+ #include "xe_guc_db_mgr.h"
+ #include "xe_guc_engine_activity.h"
+ #include "xe_guc_hwconfig.h"
+-#include "xe_guc_klv_helpers.h"
+ #include "xe_guc_log.h"
+ #include "xe_guc_pc.h"
+ #include "xe_guc_relay.h"
+@@ -571,57 +570,6 @@ static int guc_g2g_start(struct xe_guc *guc)
+ return err;
+ }
+
+-static int __guc_opt_in_features_enable(struct xe_guc *guc, u64 addr, u32 num_dwords)
+-{
+- u32 action[] = {
+- XE_GUC_ACTION_OPT_IN_FEATURE_KLV,
+- lower_32_bits(addr),
+- upper_32_bits(addr),
+- num_dwords
+- };
+-
+- return xe_guc_ct_send_block(&guc->ct, action, ARRAY_SIZE(action));
+-}
+-
+-#define OPT_IN_MAX_DWORDS 16
+-int xe_guc_opt_in_features_enable(struct xe_guc *guc)
+-{
+- struct xe_device *xe = guc_to_xe(guc);
+- CLASS(xe_guc_buf, buf)(&guc->buf, OPT_IN_MAX_DWORDS);
+- u32 count = 0;
+- u32 *klvs;
+- int ret;
+-
+- if (!xe_guc_buf_is_valid(buf))
+- return -ENOBUFS;
+-
+- klvs = xe_guc_buf_cpu_ptr(buf);
+-
+- /*
+- * The extra CAT error type opt-in was added in GuC v70.17.0, which maps
+- * to compatibility version v1.7.0.
+- * Note that the GuC allows enabling this KLV even on platforms that do
+- * not support the extra type; in such case the returned type variable
+- * will be set to a known invalid value which we can check against.
+- */
+- if (GUC_SUBMIT_VER(guc) >= MAKE_GUC_VER(1, 7, 0))
+- klvs[count++] = PREP_GUC_KLV_TAG(OPT_IN_FEATURE_EXT_CAT_ERR_TYPE);
+-
+- if (count) {
+- xe_assert(xe, count <= OPT_IN_MAX_DWORDS);
+-
+- ret = __guc_opt_in_features_enable(guc, xe_guc_buf_flush(buf), count);
+- if (ret < 0) {
+- xe_gt_err(guc_to_gt(guc),
+- "failed to enable GuC opt-in features: %pe\n",
+- ERR_PTR(ret));
+- return ret;
+- }
+- }
+-
+- return 0;
+-}
+-
+ static void guc_fini_hw(void *arg)
+ {
+ struct xe_guc *guc = arg;
+@@ -815,10 +763,6 @@ int xe_guc_post_load_init(struct xe_guc *guc)
+
+ xe_guc_ads_populate_post_load(&guc->ads);
+
+- ret = xe_guc_opt_in_features_enable(guc);
+- if (ret)
+- return ret;
+-
+ if (xe_guc_g2g_wanted(guc_to_xe(guc))) {
+ ret = guc_g2g_start(guc);
+ if (ret)
+diff --git a/drivers/gpu/drm/xe/xe_guc.h b/drivers/gpu/drm/xe/xe_guc.h
+index 4a66575f017d2..58338be445585 100644
+--- a/drivers/gpu/drm/xe/xe_guc.h
++++ b/drivers/gpu/drm/xe/xe_guc.h
+@@ -33,7 +33,6 @@ int xe_guc_reset(struct xe_guc *guc);
+ int xe_guc_upload(struct xe_guc *guc);
+ int xe_guc_min_load_for_hwconfig(struct xe_guc *guc);
+ int xe_guc_enable_communication(struct xe_guc *guc);
+-int xe_guc_opt_in_features_enable(struct xe_guc *guc);
+ int xe_guc_suspend(struct xe_guc *guc);
+ void xe_guc_notify(struct xe_guc *guc);
+ int xe_guc_auth_huc(struct xe_guc *guc, u32 rsa_addr);
+diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c
+index e670dcb0f0932..45a21af126927 100644
+--- a/drivers/gpu/drm/xe/xe_guc_submit.c
++++ b/drivers/gpu/drm/xe/xe_guc_submit.c
+@@ -2088,16 +2088,12 @@ int xe_guc_exec_queue_memory_cat_error_handler(struct xe_guc *guc, u32 *msg,
+ struct xe_gt *gt = guc_to_gt(guc);
+ struct xe_exec_queue *q;
+ u32 guc_id;
+- u32 type = XE_GUC_CAT_ERR_TYPE_INVALID;
+
+- if (unlikely(!len || len > 2))
++ if (unlikely(len < 1))
+ return -EPROTO;
+
+ guc_id = msg[0];
+
+- if (len == 2)
+- type = msg[1];
+-
+ if (guc_id == GUC_ID_UNKNOWN) {
+ /*
+ * GuC uses GUC_ID_UNKNOWN if it can not map the CAT fault to any PF/VF
+@@ -2111,19 +2107,8 @@ int xe_guc_exec_queue_memory_cat_error_handler(struct xe_guc *guc, u32 *msg,
+ if (unlikely(!q))
+ return -EPROTO;
+
+- /*
+- * The type is HW-defined and changes based on platform, so we don't
+- * decode it in the kernel and only check if it is valid.
+- * See bspec 54047 and 72187 for details.
+- */
+- if (type != XE_GUC_CAT_ERR_TYPE_INVALID)
+- xe_gt_dbg(gt,
+- "Engine memory CAT error [%u]: class=%s, logical_mask: 0x%x, guc_id=%d",
+- type, xe_hw_engine_class_to_str(q->class), q->logical_mask, guc_id);
+- else
+- xe_gt_dbg(gt,
+- "Engine memory CAT error: class=%s, logical_mask: 0x%x, guc_id=%d",
+- xe_hw_engine_class_to_str(q->class), q->logical_mask, guc_id);
++ xe_gt_dbg(gt, "Engine memory cat error: engine_class=%s, logical_mask: 0x%x, guc_id=%d",
++ xe_hw_engine_class_to_str(q->class), q->logical_mask, guc_id);
+
+ trace_xe_exec_queue_memory_cat_error(q);
+
+diff --git a/drivers/gpu/drm/xe/xe_uc.c b/drivers/gpu/drm/xe/xe_uc.c
+index 5c45b0f072a4c..3a8751a8b92dd 100644
+--- a/drivers/gpu/drm/xe/xe_uc.c
++++ b/drivers/gpu/drm/xe/xe_uc.c
+@@ -165,10 +165,6 @@ static int vf_uc_init_hw(struct xe_uc *uc)
+
+ uc->guc.submission_state.enabled = true;
+
+- err = xe_guc_opt_in_features_enable(&uc->guc);
+- if (err)
+- return err;
+-
+ err = xe_gt_record_default_lrcs(uc_to_gt(uc));
+ if (err)
+ return err;
+--
+2.51.0
+
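Review bot: The description of this queued revert consists only of `This reverts commit a7ffcea8631af91479cab10aa7fbfd0722f01d9a.` plus a Reported-by and a Link, so the patch file itself does not say what regressed or on which hardware. One sentence after the "This reverts" line, for example `The backport caused <symptom from the linked report> on 6.16.y.`, would let someone auditing the queue judge the revert without following the link. The same applies to the companion revert of "drm/xe/guc: Set RCS/CCS yield policy" queued next, and the two have to stay in the order given in queue-6.16/series, because the context lines of this patch assume the other revert has already been applied.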
diff --git a/queue-6.16/revert-drm-xe-guc-set-rcs-ccs-yield-policy.patch b/queue-6.16/revert-drm-xe-guc-set-rcs-ccs-yield-policy.patch
new file mode 100644
index 0000000000..262d899bbc
--- /dev/null
+++ b/queue-6.16/revert-drm-xe-guc-set-rcs-ccs-yield-policy.patch
@@ -0,0 +1,222 @@
+From 70df422cf4da503ae2d7f4b0bba8498b230be42c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 28 Sep 2025 11:41:33 -0400
+Subject: Revert "drm/xe/guc: Set RCS/CCS yield policy"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This reverts commit dd1a415dcfd5984bf83abd804c3cd9e0ff9dde30.
+
+Reported-by: Iyán Méndez Veiga
+Link: https://lore.kernel.org/stable/aNlW7ekiC0dNPxU3@laps/T/#t
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/xe/abi/guc_actions_abi.h | 1 -
+ drivers/gpu/drm/xe/abi/guc_klvs_abi.h | 25 ---------
+ drivers/gpu/drm/xe/xe_gt.c | 3 +-
+ drivers/gpu/drm/xe/xe_guc.c | 6 ++-
+ drivers/gpu/drm/xe/xe_guc_submit.c | 66 ------------------------
+ drivers/gpu/drm/xe/xe_guc_submit.h | 2 -
+ 6 files changed, 5 insertions(+), 98 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/abi/guc_actions_abi.h b/drivers/gpu/drm/xe/abi/guc_actions_abi.h
+index 4d9896e14649c..b55d4cfb483a1 100644
+--- a/drivers/gpu/drm/xe/abi/guc_actions_abi.h
++++ b/drivers/gpu/drm/xe/abi/guc_actions_abi.h
+@@ -117,7 +117,6 @@ enum xe_guc_action {
+ XE_GUC_ACTION_ENTER_S_STATE = 0x501,
+ XE_GUC_ACTION_EXIT_S_STATE = 0x502,
+ XE_GUC_ACTION_GLOBAL_SCHED_POLICY_CHANGE = 0x506,
+- XE_GUC_ACTION_UPDATE_SCHEDULING_POLICIES_KLV = 0x509,
+ XE_GUC_ACTION_SCHED_CONTEXT = 0x1000,
+ XE_GUC_ACTION_SCHED_CONTEXT_MODE_SET = 0x1001,
+ XE_GUC_ACTION_SCHED_CONTEXT_MODE_DONE = 0x1002,
+diff --git a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+index 89034bc97ec5a..5b2502bec2dcc 100644
+--- a/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
++++ b/drivers/gpu/drm/xe/abi/guc_klvs_abi.h
+@@ -17,7 +17,6 @@
+ * | 0 | 31:16 | **KEY** - KLV key identifier |
+ * | | | - `GuC Self Config KLVs`_ |
+ * | | | - `GuC Opt In Feature KLVs`_ |
+- * | | | - `GuC Scheduling Policies KLVs`_ |
+ * | | | - `GuC VGT Policy KLVs`_ |
+ * | | | - `GuC VF Configuration KLVs`_ |
+ * | | | |
+@@ -140,30 +139,6 @@ enum {
+ #define GUC_KLV_OPT_IN_FEATURE_EXT_CAT_ERR_TYPE_KEY 0x4001
+ #define GUC_KLV_OPT_IN_FEATURE_EXT_CAT_ERR_TYPE_LEN 0u
+
+-/**
+- * DOC: GuC Scheduling Policies KLVs
+- *
+- * `GuC KLV`_ keys available for use with UPDATE_SCHEDULING_POLICIES_KLV.
+- *
+- * _`GUC_KLV_SCHEDULING_POLICIES_RENDER_COMPUTE_YIELD` : 0x1001
+- * Some platforms do not allow concurrent execution of RCS and CCS
+- * workloads from different address spaces. By default, the GuC prioritizes
+- * RCS submissions over CCS ones, which can lead to CCS workloads being
+- * significantly (or completely) starved of execution time. This KLV allows
+- * the driver to specify a quantum (in ms) and a ratio (percentage value
+- * between 0 and 100), and the GuC will prioritize the CCS for that
+- * percentage of each quantum. For example, specifying 100ms and 30% will
+- * make the GuC prioritize the CCS for 30ms of every 100ms.
+- * Note that this does not necessarly mean that RCS and CCS engines will
+- * only be active for their percentage of the quantum, as the restriction
+- * only kicks in if both classes are fully busy with non-compatible address
+- * spaces; i.e., if one engine is idle or running the same address space,
+- * a pending job on the other engine will still be submitted to the HW no
+- * matter what the ratio is
+- */
+-#define GUC_KLV_SCHEDULING_POLICIES_RENDER_COMPUTE_YIELD_KEY 0x1001
+-#define GUC_KLV_SCHEDULING_POLICIES_RENDER_COMPUTE_YIELD_LEN 2u
+-
+ /**
+ * DOC: GuC VGT Policy KLVs
+ *
+diff --git a/drivers/gpu/drm/xe/xe_gt.c b/drivers/gpu/drm/xe/xe_gt.c
+index eaf7569a7c1d1..e3517ce2e18c1 100644
+--- a/drivers/gpu/drm/xe/xe_gt.c
++++ b/drivers/gpu/drm/xe/xe_gt.c
+@@ -41,7 +41,6 @@
+ #include "xe_gt_topology.h"
+ #include "xe_guc_exec_queue_types.h"
+ #include "xe_guc_pc.h"
+-#include "xe_guc_submit.h"
+ #include "xe_hw_fence.h"
+ #include "xe_hw_engine_class_sysfs.h"
+ #include "xe_irq.h"
+@@ -98,7 +97,7 @@ void xe_gt_sanitize(struct xe_gt *gt)
+ * FIXME: if xe_uc_sanitize is called here, on TGL driver will not
+ * reload
+ */
+- xe_guc_submit_disable(>->uc.guc);
++ gt->uc.guc.submission_state.enabled = false;
+ }
+
+ static void xe_gt_enable_host_l2_vram(struct xe_gt *gt)
+diff --git a/drivers/gpu/drm/xe/xe_guc.c b/drivers/gpu/drm/xe/xe_guc.c
+index b9d21fdaad48b..2efc0298e1a4c 100644
+--- a/drivers/gpu/drm/xe/xe_guc.c
++++ b/drivers/gpu/drm/xe/xe_guc.c
+@@ -825,7 +825,9 @@ int xe_guc_post_load_init(struct xe_guc *guc)
+ return ret;
+ }
+
+- return xe_guc_submit_enable(guc);
++ guc->submission_state.enabled = true;
++
++ return 0;
+ }
+
+ int xe_guc_reset(struct xe_guc *guc)
+@@ -1519,7 +1521,7 @@ void xe_guc_sanitize(struct xe_guc *guc)
+ {
+ xe_uc_fw_sanitize(&guc->fw);
+ xe_guc_ct_disable(&guc->ct);
+- xe_guc_submit_disable(guc);
++ guc->submission_state.enabled = false;
+ }
+
+ int xe_guc_reset_prepare(struct xe_guc *guc)
+diff --git a/drivers/gpu/drm/xe/xe_guc_submit.c b/drivers/gpu/drm/xe/xe_guc_submit.c
+index 18ddbb7b98a15..e670dcb0f0932 100644
+--- a/drivers/gpu/drm/xe/xe_guc_submit.c
++++ b/drivers/gpu/drm/xe/xe_guc_submit.c
+@@ -32,7 +32,6 @@
+ #include "xe_guc_ct.h"
+ #include "xe_guc_exec_queue_types.h"
+ #include "xe_guc_id_mgr.h"
+-#include "xe_guc_klv_helpers.h"
+ #include "xe_guc_submit_types.h"
+ #include "xe_hw_engine.h"
+ #include "xe_hw_fence.h"
+@@ -317,71 +316,6 @@ int xe_guc_submit_init(struct xe_guc *guc, unsigned int num_ids)
+ return drmm_add_action_or_reset(&xe->drm, guc_submit_fini, guc);
+ }
+
+-/*
+- * Given that we want to guarantee enough RCS throughput to avoid missing
+- * frames, we set the yield policy to 20% of each 80ms interval.
+- */
+-#define RC_YIELD_DURATION 80 /* in ms */
+-#define RC_YIELD_RATIO 20 /* in percent */
+-static u32 *emit_render_compute_yield_klv(u32 *emit)
+-{
+- *emit++ = PREP_GUC_KLV_TAG(SCHEDULING_POLICIES_RENDER_COMPUTE_YIELD);
+- *emit++ = RC_YIELD_DURATION;
+- *emit++ = RC_YIELD_RATIO;
+-
+- return emit;
+-}
+-
+-#define SCHEDULING_POLICY_MAX_DWORDS 16
+-static int guc_init_global_schedule_policy(struct xe_guc *guc)
+-{
+- u32 data[SCHEDULING_POLICY_MAX_DWORDS];
+- u32 *emit = data;
+- u32 count = 0;
+- int ret;
+-
+- if (GUC_SUBMIT_VER(guc) < MAKE_GUC_VER(1, 1, 0))
+- return 0;
+-
+- *emit++ = XE_GUC_ACTION_UPDATE_SCHEDULING_POLICIES_KLV;
+-
+- if (CCS_MASK(guc_to_gt(guc)))
+- emit = emit_render_compute_yield_klv(emit);
+-
+- count = emit - data;
+- if (count > 1) {
+- xe_assert(guc_to_xe(guc), count <= SCHEDULING_POLICY_MAX_DWORDS);
+-
+- ret = xe_guc_ct_send_block(&guc->ct, data, count);
+- if (ret < 0) {
+- xe_gt_err(guc_to_gt(guc),
+- "failed to enable GuC sheduling policies: %pe\n",
+- ERR_PTR(ret));
+- return ret;
+- }
+- }
+-
+- return 0;
+-}
+-
+-int xe_guc_submit_enable(struct xe_guc *guc)
+-{
+- int ret;
+-
+- ret = guc_init_global_schedule_policy(guc);
+- if (ret)
+- return ret;
+-
+- guc->submission_state.enabled = true;
+-
+- return 0;
+-}
+-
+-void xe_guc_submit_disable(struct xe_guc *guc)
+-{
+- guc->submission_state.enabled = false;
+-}
+-
+ static void __release_guc_id(struct xe_guc *guc, struct xe_exec_queue *q, u32 xa_count)
+ {
+ int i;
+diff --git a/drivers/gpu/drm/xe/xe_guc_submit.h b/drivers/gpu/drm/xe/xe_guc_submit.h
+index 0d126b807c104..9b71a986c6ca6 100644
+--- a/drivers/gpu/drm/xe/xe_guc_submit.h
++++ b/drivers/gpu/drm/xe/xe_guc_submit.h
+@@ -13,8 +13,6 @@ struct xe_exec_queue;
+ struct xe_guc;
+
+ int xe_guc_submit_init(struct xe_guc *guc, unsigned int num_ids);
+-int xe_guc_submit_enable(struct xe_guc *guc);
+-void xe_guc_submit_disable(struct xe_guc *guc);
+
+ int xe_guc_submit_reset_prepare(struct xe_guc *guc);
+ void xe_guc_submit_reset_wait(struct xe_guc *guc);
+--
+2.51.0
+
diff --git a/queue-6.16/series b/queue-6.16/series
index 7b1c74c97c..e5a1ca9f50 100644
--- a/queue-6.16/series
+++ b/queue-6.16/series
@@ -94,3 +94,6 @@ futex-use-correct-exit-on-failure-from-futex_hash_al.patch
 drm-panthor-defer-scheduler-entitiy-destruction-to-q.patch
 platform-x86-lg-laptop-fix-wmab-call-in-fan_mode_sto.patch
 smb-client-fix-wrong-index-reference-in-smb2_compoun.patch
+revert-drm-xe-guc-set-rcs-ccs-yield-policy.patch
+revert-drm-xe-guc-enable-extended-cat-error-reportin.patch
+tracing-osnoise-fix-slab-out-of-bounds-in-_parse_int.patch
diff --git a/queue-6.16/tracing-osnoise-fix-slab-out-of-bounds-in-_parse_int.patch b/queue-6.16/tracing-osnoise-fix-slab-out-of-bounds-in-_parse_int.patch
new file mode 100644
index 0000000000..46134011e4
--- /dev/null
+++ b/queue-6.16/tracing-osnoise-fix-slab-out-of-bounds-in-_parse_int.patch
@@ -0,0 +1,74 @@
+From b206097d2a7202c318311ccbe17dc82baec7992a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Sep 2025 14:39:48 +0800
+Subject: tracing/osnoise: Fix slab-out-of-bounds in _parse_integer_limit()
+
+From: Wang Liang
+
+[ Upstream commit a2501032de0d1bc7971b2e43c03da534ac10ee9b ]
+
+When config osnoise cpus by write() syscall, the following KASAN splat may
+be observed:
+
+BUG: KASAN: slab-out-of-bounds in _parse_integer_limit+0x103/0x130
+Read of size 1 at addr ffff88810121e3a1 by task test/447
+CPU: 1 UID: 0 PID: 447 Comm: test Not tainted 6.17.0-rc6-dirty #288 PREEMPT(voluntary)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0x55/0x70
+ print_report+0xcb/0x610
+ kasan_report+0xb8/0xf0
+ _parse_integer_limit+0x103/0x130
+ bitmap_parselist+0x16d/0x6f0
+ osnoise_cpus_write+0x116/0x2d0
+ vfs_write+0x21e/0xcc0
+ ksys_write+0xee/0x1c0
+ do_syscall_64+0xa8/0x2a0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+
+This issue can be reproduced by below code:
+
+const char *cpulist = "1";
+int fd=open("/sys/kernel/debug/tracing/osnoise/cpus", O_WRONLY);
+write(fd, cpulist, strlen(cpulist));
+
+Function bitmap_parselist() was called to parse cpulist, it require that
+the parameter 'buf' must be terminated with a '\0' or '\n'. Fix this issue
+by adding a '\0' to 'buf' in osnoise_cpus_write().
+
+Cc:
+Cc:
+Cc:
+Link: https://lore.kernel.org/20250916063948.3154627-1-wangliang74@huawei.com
+Fixes: 17f89102fe23 ("tracing/osnoise: Allow arbitrarily long CPU string")
+Signed-off-by: Wang Liang
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Sasha Levin
+---
+ kernel/trace/trace_osnoise.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c
+index 337bc0eb5d71b..dc734867f0fc4 100644
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -2325,12 +2325,13 @@ osnoise_cpus_write(struct file *filp, const char __user *ubuf, size_t count,
+ if (count < 1)
+ return 0;
+
+- buf = kmalloc(count, GFP_KERNEL);
++ buf = kmalloc(count + 1, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ if (copy_from_user(buf, ubuf, count))
+ return -EFAULT;
++ buf[count] = '\0';
+
+ if (!zalloc_cpumask_var(&osnoise_cpumask_new, GFP_KERNEL))
+ return -ENOMEM;
+--
+2.51.0
+
--
2.47.3
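Review bot: The allocation in `kmalloc(count + 1, GFP_KERNEL)` is still sized directly by the length passed to write(), and the only bound visible in the hunk is `if (count < 1)`, so a very large write turns into an equally large kmalloc request. The added `buf[count] = '\0';` gives bitmap_parselist() the terminator it needs, but the allocate, copy and terminate steps could be the single call `buf = memdup_user_nul(ubuf, count);` followed by `if (IS_ERR(buf)) return PTR_ERR(buf);`, ideally after rejecting counts above a fixed cap. The declaration of `buf` and the end of osnoise_cpus_write() are outside the hunk, so how `buf` is released on the `-EFAULT` and second `-ENOMEM` returns cannot be confirmed from here and is worth checking in the 6.16 source.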