From: Greg Kroah-Hartman Date: Sat, 21 Mar 2026 06:50:14 +0000 (+0100) Subject: 6.19-stable patches X-Git-Tag: v6.1.167~69 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7ffd5dbe0fe0173838bf460c8c8466349559c601;p=thirdparty%2Fkernel%2Fstable-queue.git 6.19-stable patches added patches: drm-amd-display-wrap-dcn32_override_min_req_memclk-in-dc_fp_-start-end.patch drm-amdgpu-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch drm-amdgpu-gmc9.0-add-bounds-checking-for-cid.patch drm-amdgpu-limit-bo-list-entry-count-to-prevent-resource-exhaustion.patch drm-amdgpu-mmhub2.0-add-bounds-checking-for-cid.patch drm-amdgpu-mmhub2.3-add-bounds-checking-for-cid.patch drm-amdgpu-mmhub3.0-add-bounds-checking-for-cid.patch drm-amdgpu-mmhub3.0.1-add-bounds-checking-for-cid.patch drm-amdgpu-mmhub3.0.2-add-bounds-checking-for-cid.patch drm-amdgpu-mmhub4.1.0-add-bounds-checking-for-cid.patch drm-amdgpu-rework-how-we-handle-tlb-fences.patch drm-fix-use-after-free-on-framebuffers-and-property-blobs-when-calling-drm_dev_unplug.patch drm-i915-dmc-fix-an-unlikely-null-pointer-deference-at-probe.patch drm-i915-psr-compute-psr-entry_setup_frames-into-intel_crtc_state.patch drm-i915-psr-disable-psr-on-update_m_n-and-update_lrr.patch drm-imagination-fix-deadlock-in-soft-reset-sequence.patch drm-imagination-synchronize-interrupts-before-suspending-the-gpu.patch drm-radeon-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch drm-xe-always-kill-exec-queues-in-xe_guc_submit_pause_abort.patch drm-xe-fix-missing-runtime-pm-reference-in-ccs_mode_store.patch drm-xe-guc-ensure-ct-state-transitions-via-stop-before-disabled.patch drm-xe-oa-allow-reading-after-disabling-oa-stream.patch drm-xe-open-code-ggtt-mmio-access-protection.patch --- diff --git a/queue-6.19/drm-amd-display-wrap-dcn32_override_min_req_memclk-in-dc_fp_-start-end.patch b/queue-6.19/drm-amd-display-wrap-dcn32_override_min_req_memclk-in-dc_fp_-start-end.patch new file mode 100644 index 0000000000..6f2b1a949d --- /dev/null +++ b/queue-6.19/drm-amd-display-wrap-dcn32_override_min_req_memclk-in-dc_fp_-start-end.patch @@ -0,0 +1,41 @@ +From ebe82c6e75cfc547154d0fd843b0dd6cca3d548f Mon Sep 17 00:00:00 2001 +From: Xi Ruoyao +Date: Fri, 6 Mar 2026 14:28:03 +0800 +Subject: drm/amd/display: Wrap dcn32_override_min_req_memclk() in DC_FP_{START, END} + +From: Xi Ruoyao + +commit ebe82c6e75cfc547154d0fd843b0dd6cca3d548f upstream. + +[Why] +The dcn32_override_min_req_memclk function is in dcn32_fpu.c, which is +compiled with CC_FLAGS_FPU into FP instructions. So when we call it we +must use DC_FP_{START,END} to save and restore the FP context, and +prepare the FP unit on architectures like LoongArch where the FP unit +isn't always on. + +Reported-by: LiarOnce +Fixes: ee7be8f3de1c ("drm/amd/display: Limit DCN32 8 channel or less parts to DPM1 for FPO") +Signed-off-by: Xi Ruoyao +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +(cherry picked from commit 25bb1d54ba3983c064361033a8ec15474fece37e) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c +@@ -1789,7 +1789,10 @@ static bool dml1_validate(struct dc *dc, + + dc->res_pool->funcs->calculate_wm_and_dlg(dc, context, pipes, pipe_cnt, vlevel); + ++ DC_FP_START(); + dcn32_override_min_req_memclk(dc, context); ++ DC_FP_END(); ++ + dcn32_override_min_req_dcfclk(dc, context); + + BW_VAL_TRACE_END_WATERMARKS(); diff --git a/queue-6.19/drm-amdgpu-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch b/queue-6.19/drm-amdgpu-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch new file mode 100644 index 0000000000..18de11f290 --- /dev/null +++ b/queue-6.19/drm-amdgpu-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch @@ -0,0 +1,35 @@ +From 9787f7da186ee8143b7b6d914cfa0b6e7fee2648 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 25 Sep 2023 10:44:07 -0400 +Subject: drm/amdgpu: apply state adjust rules to some additional HAINAN vairants + +From: Alex Deucher + +commit 9787f7da186ee8143b7b6d914cfa0b6e7fee2648 upstream. + +They need a similar workaround. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1839 +Signed-off-by: Alex Deucher +(cherry picked from commit 0de31d92a173d3d94f28051b0b80a6c98913aed4) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c ++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c +@@ -3454,9 +3454,11 @@ static void si_apply_state_adjust_rules( + if (adev->asic_type == CHIP_HAINAN) { + if ((adev->pdev->revision == 0x81) || + (adev->pdev->revision == 0xC3) || ++ (adev->pdev->device == 0x6660) || + (adev->pdev->device == 0x6664) || + (adev->pdev->device == 0x6665) || +- (adev->pdev->device == 0x6667)) { ++ (adev->pdev->device == 0x6667) || ++ (adev->pdev->device == 0x666F)) { + max_sclk = 75000; + } + if ((adev->pdev->revision == 0xC3) || diff --git a/queue-6.19/drm-amdgpu-gmc9.0-add-bounds-checking-for-cid.patch b/queue-6.19/drm-amdgpu-gmc9.0-add-bounds-checking-for-cid.patch new file mode 100644 index 0000000000..7ef3455eae --- /dev/null +++ b/queue-6.19/drm-amdgpu-gmc9.0-add-bounds-checking-for-cid.patch @@ -0,0 +1,68 @@ +From f39e1270277f4b06db0b2c6ec9405b6dd766fb13 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 16 Mar 2026 15:51:08 -0400 +Subject: drm/amdgpu/gmc9.0: add bounds checking for cid + +From: Alex Deucher + +commit f39e1270277f4b06db0b2c6ec9405b6dd766fb13 upstream. + +The value should never exceed the array size as those +are the only values the hardware is expected to return, +but add checks anyway. + +Cc: Benjamin Cheng +Reviewed-by: Benjamin Cheng +Signed-off-by: Alex Deucher +(cherry picked from commit e14d468304832bcc4a082d95849bc0a41b18ddea) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -693,28 +693,35 @@ static int gmc_v9_0_process_interrupt(st + } else { + switch (amdgpu_ip_version(adev, MMHUB_HWIP, 0)) { + case IP_VERSION(9, 0, 0): +- mmhub_cid = mmhub_client_ids_vega10[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_vega10) ? ++ mmhub_client_ids_vega10[cid][rw] : NULL; + break; + case IP_VERSION(9, 3, 0): +- mmhub_cid = mmhub_client_ids_vega12[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_vega12) ? ++ mmhub_client_ids_vega12[cid][rw] : NULL; + break; + case IP_VERSION(9, 4, 0): +- mmhub_cid = mmhub_client_ids_vega20[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_vega20) ? ++ mmhub_client_ids_vega20[cid][rw] : NULL; + break; + case IP_VERSION(9, 4, 1): +- mmhub_cid = mmhub_client_ids_arcturus[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_arcturus) ? ++ mmhub_client_ids_arcturus[cid][rw] : NULL; + break; + case IP_VERSION(9, 1, 0): + case IP_VERSION(9, 2, 0): +- mmhub_cid = mmhub_client_ids_raven[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_raven) ? ++ mmhub_client_ids_raven[cid][rw] : NULL; + break; + case IP_VERSION(1, 5, 0): + case IP_VERSION(2, 4, 0): +- mmhub_cid = mmhub_client_ids_renoir[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_renoir) ? ++ mmhub_client_ids_renoir[cid][rw] : NULL; + break; + case IP_VERSION(1, 8, 0): + case IP_VERSION(9, 4, 2): +- mmhub_cid = mmhub_client_ids_aldebaran[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_aldebaran) ? ++ mmhub_client_ids_aldebaran[cid][rw] : NULL; + break; + default: + mmhub_cid = NULL; diff --git a/queue-6.19/drm-amdgpu-limit-bo-list-entry-count-to-prevent-resource-exhaustion.patch b/queue-6.19/drm-amdgpu-limit-bo-list-entry-count-to-prevent-resource-exhaustion.patch new file mode 100644 index 0000000000..bfbbe6edd0 --- /dev/null +++ b/queue-6.19/drm-amdgpu-limit-bo-list-entry-count-to-prevent-resource-exhaustion.patch @@ -0,0 +1,56 @@ +From 6270b1a5dab94665d7adce3dc78bc9066ed28bdd Mon Sep 17 00:00:00 2001 +From: "Jesse.Zhang" +Date: Thu, 12 Mar 2026 18:06:17 +0800 +Subject: drm/amdgpu: Limit BO list entry count to prevent resource exhaustion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jesse.Zhang + +commit 6270b1a5dab94665d7adce3dc78bc9066ed28bdd upstream. + +Userspace can pass an arbitrary number of BO list entries via the +bo_number field. Although the previous multiplication overflow check +prevents out-of-bounds allocation, a large number of entries could still +cause excessive memory allocation (up to potentially gigabytes) and +unnecessarily long list processing times. + +Introduce a hard limit of 128k entries per BO list, which is more than +sufficient for any realistic use case (e.g., a single list containing all +buffers in a large scene). This prevents memory exhaustion attacks and +ensures predictable performance. + +Return -EINVAL if the requested entry count exceeds the limit + +Reviewed-by: Christian König +Suggested-by: Christian König +Signed-off-by: Jesse Zhang +Signed-off-by: Alex Deucher +(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c +@@ -36,6 +36,7 @@ + + #define AMDGPU_BO_LIST_MAX_PRIORITY 32u + #define AMDGPU_BO_LIST_NUM_BUCKETS (AMDGPU_BO_LIST_MAX_PRIORITY + 1) ++#define AMDGPU_BO_LIST_MAX_ENTRIES (128 * 1024) + + static void amdgpu_bo_list_free_rcu(struct rcu_head *rcu) + { +@@ -190,6 +191,9 @@ int amdgpu_bo_create_list_entry_array(st + const uint32_t bo_number = in->bo_number; + struct drm_amdgpu_bo_list_entry *info; + ++ if (bo_number > AMDGPU_BO_LIST_MAX_ENTRIES) ++ return -EINVAL; ++ + /* copy the handle array from userspace to a kernel buffer */ + if (likely(info_size == bo_info_size)) { + info = vmemdup_array_user(uptr, bo_number, info_size); diff --git a/queue-6.19/drm-amdgpu-mmhub2.0-add-bounds-checking-for-cid.patch b/queue-6.19/drm-amdgpu-mmhub2.0-add-bounds-checking-for-cid.patch new file mode 100644 index 0000000000..6abc01e3ed --- /dev/null +++ b/queue-6.19/drm-amdgpu-mmhub2.0-add-bounds-checking-for-cid.patch @@ -0,0 +1,45 @@ +From 0b26edac4ac5535df1f63e6e8ab44c24fe1acad7 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 4 Mar 2026 17:22:43 -0500 +Subject: drm/amdgpu/mmhub2.0: add bounds checking for cid + +From: Alex Deucher + +commit 0b26edac4ac5535df1f63e6e8ab44c24fe1acad7 upstream. + +The value should never exceed the array size as those +are the only values the hardware is expected to return, +but add checks anyway. + +Reviewed-by: Benjamin Cheng +Signed-off-by: Alex Deucher +(cherry picked from commit e064cef4b53552602bb6ac90399c18f662f3cacd) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c +@@ -154,14 +154,17 @@ mmhub_v2_0_print_l2_protection_fault_sta + switch (amdgpu_ip_version(adev, MMHUB_HWIP, 0)) { + case IP_VERSION(2, 0, 0): + case IP_VERSION(2, 0, 2): +- mmhub_cid = mmhub_client_ids_navi1x[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_navi1x) ? ++ mmhub_client_ids_navi1x[cid][rw] : NULL; + break; + case IP_VERSION(2, 1, 0): + case IP_VERSION(2, 1, 1): +- mmhub_cid = mmhub_client_ids_sienna_cichlid[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_sienna_cichlid) ? ++ mmhub_client_ids_sienna_cichlid[cid][rw] : NULL; + break; + case IP_VERSION(2, 1, 2): +- mmhub_cid = mmhub_client_ids_beige_goby[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_beige_goby) ? ++ mmhub_client_ids_beige_goby[cid][rw] : NULL; + break; + default: + mmhub_cid = NULL; diff --git a/queue-6.19/drm-amdgpu-mmhub2.3-add-bounds-checking-for-cid.patch b/queue-6.19/drm-amdgpu-mmhub2.3-add-bounds-checking-for-cid.patch new file mode 100644 index 0000000000..d9b2c32cad --- /dev/null +++ b/queue-6.19/drm-amdgpu-mmhub2.3-add-bounds-checking-for-cid.patch @@ -0,0 +1,34 @@ +From a54403a534972af5d9ba5aaa3bb6ead612500ec6 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 4 Mar 2026 17:24:10 -0500 +Subject: drm/amdgpu/mmhub2.3: add bounds checking for cid + +From: Alex Deucher + +commit a54403a534972af5d9ba5aaa3bb6ead612500ec6 upstream. + +The value should never exceed the array size as those +are the only values the hardware is expected to return, +but add checks anyway. + +Reviewed-by: Benjamin Cheng +Signed-off-by: Alex Deucher +(cherry picked from commit 89cd90375c19fb45138990b70e9f4ba4806f05c4) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c ++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c +@@ -94,7 +94,8 @@ mmhub_v2_3_print_l2_protection_fault_sta + case IP_VERSION(2, 3, 0): + case IP_VERSION(2, 4, 0): + case IP_VERSION(2, 4, 1): +- mmhub_cid = mmhub_client_ids_vangogh[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_vangogh) ? ++ mmhub_client_ids_vangogh[cid][rw] : NULL; + break; + default: + mmhub_cid = NULL; diff --git a/queue-6.19/drm-amdgpu-mmhub3.0-add-bounds-checking-for-cid.patch b/queue-6.19/drm-amdgpu-mmhub3.0-add-bounds-checking-for-cid.patch new file mode 100644 index 0000000000..9d7278603f --- /dev/null +++ b/queue-6.19/drm-amdgpu-mmhub3.0-add-bounds-checking-for-cid.patch @@ -0,0 +1,34 @@ +From cdb82ecbeccb55fae75a3c956b605f7801a30db1 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 4 Mar 2026 17:25:30 -0500 +Subject: drm/amdgpu/mmhub3.0: add bounds checking for cid + +From: Alex Deucher + +commit cdb82ecbeccb55fae75a3c956b605f7801a30db1 upstream. + +The value should never exceed the array size as those +are the only values the hardware is expected to return, +but add checks anyway. + +Reviewed-by: Benjamin Cheng +Signed-off-by: Alex Deucher +(cherry picked from commit f14f27bbe2a3ed7af32d5f6eaf3f417139f45253) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c +@@ -110,7 +110,8 @@ mmhub_v3_0_print_l2_protection_fault_sta + switch (amdgpu_ip_version(adev, MMHUB_HWIP, 0)) { + case IP_VERSION(3, 0, 0): + case IP_VERSION(3, 0, 1): +- mmhub_cid = mmhub_client_ids_v3_0_0[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_v3_0_0) ? ++ mmhub_client_ids_v3_0_0[cid][rw] : NULL; + break; + default: + mmhub_cid = NULL; diff --git a/queue-6.19/drm-amdgpu-mmhub3.0.1-add-bounds-checking-for-cid.patch b/queue-6.19/drm-amdgpu-mmhub3.0.1-add-bounds-checking-for-cid.patch new file mode 100644 index 0000000000..0b07ade855 --- /dev/null +++ b/queue-6.19/drm-amdgpu-mmhub3.0.1-add-bounds-checking-for-cid.patch @@ -0,0 +1,34 @@ +From 5d4e88bcfef29569a1db224ef15e28c603666c6d Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 4 Mar 2026 17:24:35 -0500 +Subject: drm/amdgpu/mmhub3.0.1: add bounds checking for cid + +From: Alex Deucher + +commit 5d4e88bcfef29569a1db224ef15e28c603666c6d upstream. + +The value should never exceed the array size as those +are the only values the hardware is expected to return, +but add checks anyway. + +Reviewed-by: Benjamin Cheng +Signed-off-by: Alex Deucher +(cherry picked from commit 5f76083183363c4528a4aaa593f5d38c28fe7d7b) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c ++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_1.c +@@ -117,7 +117,8 @@ mmhub_v3_0_1_print_l2_protection_fault_s + + switch (amdgpu_ip_version(adev, MMHUB_HWIP, 0)) { + case IP_VERSION(3, 0, 1): +- mmhub_cid = mmhub_client_ids_v3_0_1[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_v3_0_1) ? ++ mmhub_client_ids_v3_0_1[cid][rw] : NULL; + break; + default: + mmhub_cid = NULL; diff --git a/queue-6.19/drm-amdgpu-mmhub3.0.2-add-bounds-checking-for-cid.patch b/queue-6.19/drm-amdgpu-mmhub3.0.2-add-bounds-checking-for-cid.patch new file mode 100644 index 0000000000..34b5454a05 --- /dev/null +++ b/queue-6.19/drm-amdgpu-mmhub3.0.2-add-bounds-checking-for-cid.patch @@ -0,0 +1,34 @@ +From e5e6d67b1ce9764e67aef2d0eef9911af53ad99a Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 4 Mar 2026 17:25:09 -0500 +Subject: drm/amdgpu/mmhub3.0.2: add bounds checking for cid + +From: Alex Deucher + +commit e5e6d67b1ce9764e67aef2d0eef9911af53ad99a upstream. + +The value should never exceed the array size as those +are the only values the hardware is expected to return, +but add checks anyway. + +Reviewed-by: Benjamin Cheng +Signed-off-by: Alex Deucher +(cherry picked from commit 1441f52c7f6ae6553664aa9e3e4562f6fc2fe8ea) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_2.c ++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0_2.c +@@ -108,7 +108,8 @@ mmhub_v3_0_2_print_l2_protection_fault_s + "MMVM_L2_PROTECTION_FAULT_STATUS:0x%08X\n", + status); + +- mmhub_cid = mmhub_client_ids_v3_0_2[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_v3_0_2) ? ++ mmhub_client_ids_v3_0_2[cid][rw] : NULL; + dev_err(adev->dev, "\t Faulty UTCL2 client ID: %s (0x%x)\n", + mmhub_cid ? mmhub_cid : "unknown", cid); + dev_err(adev->dev, "\t MORE_FAULTS: 0x%lx\n", diff --git a/queue-6.19/drm-amdgpu-mmhub4.1.0-add-bounds-checking-for-cid.patch b/queue-6.19/drm-amdgpu-mmhub4.1.0-add-bounds-checking-for-cid.patch new file mode 100644 index 0000000000..87e54fed93 --- /dev/null +++ b/queue-6.19/drm-amdgpu-mmhub4.1.0-add-bounds-checking-for-cid.patch @@ -0,0 +1,34 @@ +From 3cdd405831d8cc50a5eae086403402697bb98a4a Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 4 Mar 2026 17:25:56 -0500 +Subject: drm/amdgpu/mmhub4.1.0: add bounds checking for cid + +From: Alex Deucher + +commit 3cdd405831d8cc50a5eae086403402697bb98a4a upstream. + +The value should never exceed the array size as those +are the only values the hardware is expected to return, +but add checks anyway. + +Reviewed-by: Benjamin Cheng +Signed-off-by: Alex Deucher +(cherry picked from commit 04f063d85090f5dd0c671010ce88ee49d9dcc8ed) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/mmhub_v4_1_0.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v4_1_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v4_1_0.c +@@ -102,7 +102,8 @@ mmhub_v4_1_0_print_l2_protection_fault_s + status); + switch (amdgpu_ip_version(adev, MMHUB_HWIP, 0)) { + case IP_VERSION(4, 1, 0): +- mmhub_cid = mmhub_client_ids_v4_1_0[cid][rw]; ++ mmhub_cid = cid < ARRAY_SIZE(mmhub_client_ids_v4_1_0) ? ++ mmhub_client_ids_v4_1_0[cid][rw] : NULL; + break; + default: + mmhub_cid = NULL; diff --git a/queue-6.19/drm-amdgpu-rework-how-we-handle-tlb-fences.patch b/queue-6.19/drm-amdgpu-rework-how-we-handle-tlb-fences.patch new file mode 100644 index 0000000000..25468829cb --- /dev/null +++ b/queue-6.19/drm-amdgpu-rework-how-we-handle-tlb-fences.patch @@ -0,0 +1,77 @@ +From e9f58ff991dd4be13fd7a651bbf64329c090af09 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 16 Mar 2026 11:04:46 -0400 +Subject: drm/amdgpu: rework how we handle TLB fences +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit e9f58ff991dd4be13fd7a651bbf64329c090af09 upstream. + +Add a new VM flag to indicate whether or not we need +a TLB fence. Userqs (KFD or KGD) require a TLB fence. +A TLB fence is not strictly required for kernel queues, +but it shouldn't hurt. That said, enabling this +unconditionally should be fine, but it seems to tickle +some issues in KIQ/MES. Only enable them for KFD, +or when KGD userq queues are enabled (currently via module +parameter). + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4798 +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4749 +Fixes: f3854e04b708 ("drm/amdgpu: attach tlb fence to the PTs update") +Cc: Christian König +Cc: Prike Liang +Reviewed-by: Prike Liang +Signed-off-by: Alex Deucher +(cherry picked from commit 69c5fbd2b93b5ced77c6e79afe83371bca84c788) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 7 ++++++- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h | 2 ++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -1069,7 +1069,10 @@ amdgpu_vm_tlb_flush(struct amdgpu_vm_upd + } + + /* Prepare a TLB flush fence to be attached to PTs */ +- if (!params->unlocked) { ++ /* The check for need_tlb_fence should be dropped once we ++ * sort out the issues with KIQ/MES TLB invalidation timeouts. ++ */ ++ if (!params->unlocked && vm->need_tlb_fence) { + amdgpu_vm_tlb_fence_create(params->adev, vm, fence); + + /* Makes sure no PD/PT is freed before the flush */ +@@ -2602,6 +2605,7 @@ int amdgpu_vm_init(struct amdgpu_device + ttm_lru_bulk_move_init(&vm->lru_bulk_move); + + vm->is_compute_context = false; ++ vm->need_tlb_fence = amdgpu_userq_enabled(&adev->ddev); + + vm->use_cpu_for_update = !!(adev->vm_manager.vm_update_mode & + AMDGPU_VM_USE_CPU_FOR_GFX); +@@ -2739,6 +2743,7 @@ int amdgpu_vm_make_compute(struct amdgpu + dma_fence_put(vm->last_update); + vm->last_update = dma_fence_get_stub(); + vm->is_compute_context = true; ++ vm->need_tlb_fence = true; + + unreserve_bo: + amdgpu_bo_unreserve(vm->root.bo); +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.h +@@ -440,6 +440,8 @@ struct amdgpu_vm { + struct ttm_lru_bulk_move lru_bulk_move; + /* Flag to indicate if VM is used for compute */ + bool is_compute_context; ++ /* Flag to indicate if VM needs a TLB fence (KFD or KGD) */ ++ bool need_tlb_fence; + + /* Memory partition number, -1 means any partition */ + int8_t mem_id; diff --git a/queue-6.19/drm-fix-use-after-free-on-framebuffers-and-property-blobs-when-calling-drm_dev_unplug.patch b/queue-6.19/drm-fix-use-after-free-on-framebuffers-and-property-blobs-when-calling-drm_dev_unplug.patch new file mode 100644 index 0000000000..b5f4191e49 --- /dev/null +++ b/queue-6.19/drm-fix-use-after-free-on-framebuffers-and-property-blobs-when-calling-drm_dev_unplug.patch @@ -0,0 +1,235 @@ +From 6bee098b91417654703e17eb5c1822c6dfd0c01d Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Fri, 13 Mar 2026 16:17:27 +0100 +Subject: drm: Fix use-after-free on framebuffers and property blobs when calling drm_dev_unplug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maarten Lankhorst + +commit 6bee098b91417654703e17eb5c1822c6dfd0c01d upstream. + +When trying to do a rather aggressive test of igt's "xe_module_load +--r reload" with a full desktop environment and game running I noticed +a few OOPSes when dereferencing freed pointers, related to +framebuffers and property blobs after the compositor exits. + +Solve this by guarding the freeing in drm_file with drm_dev_enter/exit, +and immediately put the references from struct drm_file objects during +drm_dev_unplug(). + +Related warnings for framebuffers on the subtest: +[ 739.713076] ------------[ cut here ]------------ + WARN_ON(!list_empty(&dev->mode_config.fb_list)) +[ 739.713079] WARNING: drivers/gpu/drm/drm_mode_config.c:584 at drm_mode_config_cleanup+0x30b/0x320 [drm], CPU#12: xe_module_load/13145 +.... +[ 739.713328] Call Trace: +[ 739.713330] +[ 739.713335] ? intel_pmdemand_destroy_state+0x11/0x20 [xe] +[ 739.713574] ? intel_atomic_global_obj_cleanup+0xe4/0x1a0 [xe] +[ 739.713794] intel_display_driver_remove_noirq+0x51/0xb0 [xe] +[ 739.714041] xe_display_fini_early+0x33/0x50 [xe] +[ 739.714284] devm_action_release+0xf/0x20 +[ 739.714294] devres_release_all+0xad/0xf0 +[ 739.714301] device_unbind_cleanup+0x12/0xa0 +[ 739.714305] device_release_driver_internal+0x1b7/0x210 +[ 739.714311] device_driver_detach+0x14/0x20 +[ 739.714315] unbind_store+0xa6/0xb0 +[ 739.714319] drv_attr_store+0x21/0x30 +[ 739.714322] sysfs_kf_write+0x48/0x60 +[ 739.714328] kernfs_fop_write_iter+0x16b/0x240 +[ 739.714333] vfs_write+0x266/0x520 +[ 739.714341] ksys_write+0x72/0xe0 +[ 739.714345] __x64_sys_write+0x19/0x20 +[ 739.714347] x64_sys_call+0xa15/0xa30 +[ 739.714355] do_syscall_64+0xd8/0xab0 +[ 739.714361] entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +and + +[ 739.714459] ------------[ cut here ]------------ +[ 739.714461] xe 0000:67:00.0: [drm] drm_WARN_ON(!list_empty(&fb->filp_head)) +[ 739.714464] WARNING: drivers/gpu/drm/drm_framebuffer.c:833 at drm_framebuffer_free+0x6c/0x90 [drm], CPU#12: xe_module_load/13145 +[ 739.714715] RIP: 0010:drm_framebuffer_free+0x7a/0x90 [drm] +... +[ 739.714869] Call Trace: +[ 739.714871] +[ 739.714876] drm_mode_config_cleanup+0x26a/0x320 [drm] +[ 739.714998] ? __drm_printfn_seq_file+0x20/0x20 [drm] +[ 739.715115] ? drm_mode_config_cleanup+0x207/0x320 [drm] +[ 739.715235] intel_display_driver_remove_noirq+0x51/0xb0 [xe] +[ 739.715576] xe_display_fini_early+0x33/0x50 [xe] +[ 739.715821] devm_action_release+0xf/0x20 +[ 739.715828] devres_release_all+0xad/0xf0 +[ 739.715843] device_unbind_cleanup+0x12/0xa0 +[ 739.715850] device_release_driver_internal+0x1b7/0x210 +[ 739.715856] device_driver_detach+0x14/0x20 +[ 739.715860] unbind_store+0xa6/0xb0 +[ 739.715865] drv_attr_store+0x21/0x30 +[ 739.715868] sysfs_kf_write+0x48/0x60 +[ 739.715873] kernfs_fop_write_iter+0x16b/0x240 +[ 739.715878] vfs_write+0x266/0x520 +[ 739.715886] ksys_write+0x72/0xe0 +[ 739.715890] __x64_sys_write+0x19/0x20 +[ 739.715893] x64_sys_call+0xa15/0xa30 +[ 739.715900] do_syscall_64+0xd8/0xab0 +[ 739.715905] entry_SYSCALL_64_after_hwframe+0x4b/0x53 + +and then finally file close blows up: + +[ 743.186530] Oops: general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] SMP +[ 743.186535] CPU: 3 UID: 1000 PID: 3453 Comm: kwin_wayland Tainted: G W 7.0.0-rc1-valkyria+ #110 PREEMPT_{RT,(lazy)} +[ 743.186537] Tainted: [W]=WARN +[ 743.186538] Hardware name: Gigabyte Technology Co., Ltd. X299 AORUS Gaming 3/X299 AORUS Gaming 3-CF, BIOS F8n 12/06/2021 +[ 743.186539] RIP: 0010:drm_framebuffer_cleanup+0x55/0xc0 [drm] +[ 743.186588] Code: d8 72 73 0f b6 42 05 ff c3 39 c3 72 e8 49 8d bd 50 07 00 00 31 f6 e8 3a 80 d3 e1 49 8b 44 24 10 49 8d 7c 24 08 49 8b 54 24 08 <48> 3b 38 0f 85 95 7f 02 00 48 3b 7a 08 0f 85 8b 7f 02 00 48 89 42 +[ 743.186589] RSP: 0018:ffffc900085e3cf8 EFLAGS: 00010202 +[ 743.186591] RAX: dead000000000122 RBX: 0000000000000001 RCX: ffffffff8217ed03 +[ 743.186592] RDX: dead000000000100 RSI: 0000000000000000 RDI: ffff88814675ba08 +[ 743.186593] RBP: ffffc900085e3d10 R08: 0000000000000000 R09: 0000000000000000 +[ 743.186593] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88814675ba00 +[ 743.186594] R13: ffff88810d778000 R14: ffff888119f6dca0 R15: ffff88810c660bb0 +[ 743.186595] FS: 00007ff377d21280(0000) GS:ffff888cec3f8000(0000) knlGS:0000000000000000 +[ 743.186596] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 743.186596] CR2: 000055690b55e000 CR3: 0000000113586003 CR4: 00000000003706f0 +[ 743.186597] Call Trace: +[ 743.186598] +[ 743.186603] intel_user_framebuffer_destroy+0x12/0x90 [xe] +[ 743.186722] drm_framebuffer_free+0x3a/0x90 [drm] +[ 743.186750] ? trace_hardirqs_on+0x5f/0x120 +[ 743.186754] drm_mode_object_put+0x51/0x70 [drm] +[ 743.186786] drm_fb_release+0x105/0x190 [drm] +[ 743.186812] ? rt_mutex_slowunlock+0x3aa/0x410 +[ 743.186817] ? rt_spin_lock+0xea/0x1b0 +[ 743.186819] drm_file_free+0x1e0/0x2c0 [drm] +[ 743.186843] drm_release_noglobal+0x91/0xf0 [drm] +[ 743.186865] __fput+0x100/0x2e0 +[ 743.186869] fput_close_sync+0x40/0xa0 +[ 743.186870] __x64_sys_close+0x3e/0x80 +[ 743.186873] x64_sys_call+0xa07/0xa30 +[ 743.186879] do_syscall_64+0xd8/0xab0 +[ 743.186881] entry_SYSCALL_64_after_hwframe+0x4b/0x53 +[ 743.186882] RIP: 0033:0x7ff37e567732 +[ 743.186884] Code: 08 0f 85 a1 38 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 55 bf 01 00 +[ 743.186885] RSP: 002b:00007ffc818169a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 +[ 743.186886] RAX: ffffffffffffffda RBX: 00007ffc81816a30 RCX: 00007ff37e567732 +[ 743.186887] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000012 +[ 743.186888] RBP: 00007ffc818169d0 R08: 0000000000000000 R09: 0000000000000000 +[ 743.186889] R10: 0000000000000000 R11: 0000000000000246 R12: 000055d60a7996e0 +[ 743.186889] R13: 00007ffc81816a90 R14: 00007ffc81816a90 R15: 000055d60a782a30 +[ 743.186892] +[ 743.186893] Modules linked in: rfcomm snd_hrtimer xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp xt_addrtype nft_compat x_tables nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables overlay cfg80211 bnep mtd_intel_dg snd_hda_codec_intelhdmi mtd snd_hda_codec_hdmi nls_utf8 mxm_wmi intel_wmi_thunderbolt gigabyte_wmi wmi_bmof xe drm_gpuvm drm_gpusvm_helper i2c_algo_bit drm_buddy drm_ttm_helper ttm video drm_suballoc_helper gpu_sched drm_client_lib drm_exec drm_display_helper cec drm_kunit_helpers drm_kms_helper kunit x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_codec_alc882 snd_hda_codec_realtek_lib snd_hda_codec_generic snd_hda_intel snd_soc_avs snd_soc_hda_codec snd_hda_ext_core snd_hda_codec snd_hwdep snd_hda_core snd_intel_dspcfg snd_soc_core snd_compress ac97_bus snd_pcm snd_seq snd_seq_device snd_timer i2c_i801 i2c_mux snd i2c_smbus btusb btrtl btbcm btmtk btintel bluetooth ecdh_generic rfkill ecc mei_me mei ioatdma dca wmi nfsd drm i2c_dev fuse nfnetlink +[ 743.186938] ---[ end trace 0000000000000000 ]--- + +And for property blobs: + +void drm_mode_config_cleanup(struct drm_device *dev) +{ +... + list_for_each_entry_safe(blob, bt, &dev->mode_config.property_blob_list, + head_global) { + drm_property_blob_put(blob); + } + +Resulting in: + +[ 371.072940] BUG: unable to handle page fault for address: 000001ffffffffff +[ 371.072944] #PF: supervisor read access in kernel mode +[ 371.072945] #PF: error_code(0x0000) - not-present page +[ 371.072947] PGD 0 P4D 0 +[ 371.072950] Oops: Oops: 0000 [#1] SMP +[ 371.072953] CPU: 0 UID: 1000 PID: 3693 Comm: kwin_wayland Not tainted 7.0.0-rc1-valkyria+ #111 PREEMPT_{RT,(lazy)} +[ 371.072956] Hardware name: Gigabyte Technology Co., Ltd. X299 AORUS Gaming 3/X299 AORUS Gaming 3-CF, BIOS F8n 12/06/2021 +[ 371.072957] RIP: 0010:drm_property_destroy_user_blobs+0x3b/0x90 [drm] +[ 371.073019] Code: 00 00 48 83 ec 10 48 8b 86 30 01 00 00 48 39 c3 74 59 48 89 c2 48 8d 48 c8 48 8b 00 4c 8d 60 c8 eb 04 4c 8d 60 c8 48 8b 71 40 <48> 39 16 0f 85 39 32 01 00 48 3b 50 08 0f 85 2f 32 01 00 48 89 70 +[ 371.073021] RSP: 0018:ffffc90006a73de8 EFLAGS: 00010293 +[ 371.073022] RAX: 000001ffffffffff RBX: ffff888118a1a930 RCX: ffff8881b92355c0 +[ 371.073024] RDX: ffff8881b92355f8 RSI: 000001ffffffffff RDI: ffff888118be4000 +[ 371.073025] RBP: ffffc90006a73e08 R08: ffff8881009b7300 R09: ffff888cecc5b000 +[ 371.073026] R10: ffffc90006a73e90 R11: 0000000000000002 R12: 000001ffffffffc7 +[ 371.073027] R13: ffff888118a1a980 R14: ffff88810b366d20 R15: ffff888118a1a970 +[ 371.073028] FS: 00007f1faccbb280(0000) GS:ffff888cec2db000(0000) knlGS:0000000000000000 +[ 371.073029] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 371.073030] CR2: 000001ffffffffff CR3: 000000010655c001 CR4: 00000000003706f0 +[ 371.073031] Call Trace: +[ 371.073033] +[ 371.073036] drm_file_free+0x1df/0x2a0 [drm] +[ 371.073077] drm_release_noglobal+0x7a/0xe0 [drm] +[ 371.073113] __fput+0xe2/0x2b0 +[ 371.073118] fput_close_sync+0x40/0xa0 +[ 371.073119] __x64_sys_close+0x3e/0x80 +[ 371.073122] x64_sys_call+0xa07/0xa30 +[ 371.073126] do_syscall_64+0xc0/0x840 +[ 371.073130] entry_SYSCALL_64_after_hwframe+0x4b/0x53 +[ 371.073132] RIP: 0033:0x7f1fb3501732 +[ 371.073133] Code: 08 0f 85 a1 38 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 55 bf 01 00 +[ 371.073135] RSP: 002b:00007ffe8e6f0278 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 +[ 371.073136] RAX: ffffffffffffffda RBX: 00007ffe8e6f0300 RCX: 00007f1fb3501732 +[ 371.073137] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000012 +[ 371.073138] RBP: 00007ffe8e6f02a0 R08: 0000000000000000 R09: 0000000000000000 +[ 371.073139] R10: 0000000000000000 R11: 0000000000000246 R12: 00005585ba46eea0 +[ 371.073140] R13: 00007ffe8e6f0360 R14: 00007ffe8e6f0360 R15: 00005585ba458a30 +[ 371.073143] +[ 371.073144] Modules linked in: rfcomm snd_hrtimer xt_addrtype xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp nft_compat x_tables nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables overlay cfg80211 bnep snd_hda_codec_intelhdmi snd_hda_codec_hdmi mtd_intel_dg mtd nls_utf8 wmi_bmof mxm_wmi gigabyte_wmi intel_wmi_thunderbolt xe drm_gpuvm drm_gpusvm_helper i2c_algo_bit drm_buddy drm_ttm_helper ttm video drm_suballoc_helper gpu_sched drm_client_lib drm_exec drm_display_helper cec drm_kunit_helpers drm_kms_helper kunit x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_codec_alc882 snd_hda_codec_realtek_lib snd_hda_codec_generic snd_hda_intel snd_soc_avs snd_soc_hda_codec snd_hda_ext_core snd_hda_codec snd_hwdep snd_hda_core snd_intel_dspcfg snd_soc_core snd_compress ac97_bus snd_pcm snd_seq snd_seq_device snd_timer i2c_i801 btusb i2c_mux i2c_smbus btrtl snd btbcm btmtk btintel bluetooth ecdh_generic rfkill ecc mei_me mei ioatdma dca wmi nfsd drm i2c_dev fuse nfnetlink +[ 371.073198] CR2: 000001ffffffffff +[ 371.073199] ---[ end trace 0000000000000000 ]--- + +Add a guard around file close, and ensure the warnings from drm_mode_config +do not trigger. Fix those by allowing an open reference to the file descriptor +and cleaning up the file linked list entry in drm_mode_config_cleanup(). + +Cc: # v4.18+ +Fixes: bee330f3d672 ("drm: Use srcu to protect drm_device.unplugged") +Cc: Thomas Hellström +Reviewed-by: Thomas Hellström +Link: https://patch.msgid.link/20260313151728.14990-4-dev@lankhorst.se +Signed-off-by: Maarten Lankhorst +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_file.c | 5 ++++- + drivers/gpu/drm/drm_mode_config.c | 9 ++++++--- + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/drm_file.c ++++ b/drivers/gpu/drm/drm_file.c +@@ -233,6 +233,7 @@ static void drm_events_release(struct dr + void drm_file_free(struct drm_file *file) + { + struct drm_device *dev; ++ int idx; + + if (!file) + return; +@@ -249,9 +250,11 @@ void drm_file_free(struct drm_file *file + + drm_events_release(file); + +- if (drm_core_check_feature(dev, DRIVER_MODESET)) { ++ if (drm_core_check_feature(dev, DRIVER_MODESET) && ++ drm_dev_enter(dev, &idx)) { + drm_fb_release(file); + drm_property_destroy_user_blobs(dev, file); ++ drm_dev_exit(idx); + } + + if (drm_core_check_feature(dev, DRIVER_SYNCOBJ)) +--- a/drivers/gpu/drm/drm_mode_config.c ++++ b/drivers/gpu/drm/drm_mode_config.c +@@ -577,10 +577,13 @@ void drm_mode_config_cleanup(struct drm_ + */ + WARN_ON(!list_empty(&dev->mode_config.fb_list)); + list_for_each_entry_safe(fb, fbt, &dev->mode_config.fb_list, head) { +- struct drm_printer p = drm_dbg_printer(dev, DRM_UT_KMS, "[leaked fb]"); ++ if (list_empty(&fb->filp_head) || drm_framebuffer_read_refcount(fb) > 1) { ++ struct drm_printer p = drm_dbg_printer(dev, DRM_UT_KMS, "[leaked fb]"); + +- drm_printf(&p, "framebuffer[%u]:\n", fb->base.id); +- drm_framebuffer_print_info(&p, 1, fb); ++ drm_printf(&p, "framebuffer[%u]:\n", fb->base.id); ++ drm_framebuffer_print_info(&p, 1, fb); ++ } ++ list_del_init(&fb->filp_head); + drm_framebuffer_free(&fb->base.refcount); + } + diff --git a/queue-6.19/drm-i915-dmc-fix-an-unlikely-null-pointer-deference-at-probe.patch b/queue-6.19/drm-i915-dmc-fix-an-unlikely-null-pointer-deference-at-probe.patch new file mode 100644 index 0000000000..ea5d5c65af --- /dev/null +++ b/queue-6.19/drm-i915-dmc-fix-an-unlikely-null-pointer-deference-at-probe.patch @@ -0,0 +1,82 @@ +From ac57eb3b7d2ad649025b5a0fa207315f755ac4f6 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Mon, 9 Mar 2026 18:48:03 +0200 +Subject: drm/i915/dmc: Fix an unlikely NULL pointer deference at probe + +From: Imre Deak + +commit ac57eb3b7d2ad649025b5a0fa207315f755ac4f6 upstream. + +intel_dmc_update_dc6_allowed_count() oopses when DMC hasn't been +initialized, and dmc is thus NULL. + +That would be the case when the call path is +intel_power_domains_init_hw() -> {skl,bxt,icl}_display_core_init() -> +gen9_set_dc_state() -> intel_dmc_update_dc6_allowed_count(), as +intel_power_domains_init_hw() is called *before* intel_dmc_init(). + +However, gen9_set_dc_state() calls intel_dmc_update_dc6_allowed_count() +conditionally, depending on the current and target DC states. At probe, +the target is disabled, but if DC6 is enabled, the function is called, +and an oops follows. Apparently it's quite unlikely that DC6 is enabled +at probe, as we haven't seen this failure mode before. + +It is also strange to have DC6 enabled at boot, since that would require +the DMC firmware (loaded by BIOS); the BIOS loading the DMC firmware and +the driver stopping / reprogramming the firmware is a poorly specified +sequence and as such unlikely an intentional BIOS behaviour. It's more +likely that BIOS is leaving an unintentionally enabled DC6 HW state +behind (without actually loading the required DMC firmware for this). + +The tracking of the DC6 allowed counter only works if starting / +stopping the counter depends on the _SW_ DC6 state vs. the current _HW_ +DC6 state (since stopping the counter requires the DC5 counter captured +when the counter was started). Thus, using the HW DC6 state is incorrect +and it also leads to the above oops. Fix both issues by using the SW DC6 +state for the tracking. + +This is v2 of the fix originally sent by Jani, updated based on the +first Link: discussion below. + +Link: https://lore.kernel.org/all/3626411dc9e556452c432d0919821b76d9991217@intel.com +Link: https://lore.kernel.org/all/20260228130946.50919-2-ltao@redhat.com +Fixes: 88c1f9a4d36d ("drm/i915/dmc: Create debugfs entry for dc6 counter") +Cc: Mohammed Thasleem +Cc: Jani Nikula +Cc: Tao Liu +Cc: # v6.16+ +Tested-by: Tao Liu +Reviewed-by: Jani Nikula +Signed-off-by: Imre Deak +Link: https://patch.msgid.link/20260309164803.1918158-1-imre.deak@intel.com +(cherry picked from commit 2344b93af8eb5da5d496b4e0529d35f0f559eaf0) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_display_power_well.c | 2 +- + drivers/gpu/drm/i915/display/intel_dmc.c | 3 +-- + 2 files changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_display_power_well.c ++++ b/drivers/gpu/drm/i915/display/intel_display_power_well.c +@@ -798,7 +798,7 @@ void gen9_set_dc_state(struct intel_disp + power_domains->dc_state, val & mask); + + enable_dc6 = state & DC_STATE_EN_UPTO_DC6; +- dc6_was_enabled = val & DC_STATE_EN_UPTO_DC6; ++ dc6_was_enabled = power_domains->dc_state & DC_STATE_EN_UPTO_DC6; + if (!dc6_was_enabled && enable_dc6) + intel_dmc_update_dc6_allowed_count(display, true); + +--- a/drivers/gpu/drm/i915/display/intel_dmc.c ++++ b/drivers/gpu/drm/i915/display/intel_dmc.c +@@ -1591,8 +1591,7 @@ static bool intel_dmc_get_dc6_allowed_co + return false; + + mutex_lock(&power_domains->lock); +- dc6_enabled = intel_de_read(display, DC_STATE_EN) & +- DC_STATE_EN_UPTO_DC6; ++ dc6_enabled = power_domains->dc_state & DC_STATE_EN_UPTO_DC6; + if (dc6_enabled) + intel_dmc_update_dc6_allowed_count(display, false); + diff --git a/queue-6.19/drm-i915-psr-compute-psr-entry_setup_frames-into-intel_crtc_state.patch b/queue-6.19/drm-i915-psr-compute-psr-entry_setup_frames-into-intel_crtc_state.patch new file mode 100644 index 0000000000..01787c1068 --- /dev/null +++ b/queue-6.19/drm-i915-psr-compute-psr-entry_setup_frames-into-intel_crtc_state.patch @@ -0,0 +1,71 @@ +From 7caac659a837af9fd4cad85be851982b88859484 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jouni=20H=C3=B6gander?= +Date: Thu, 12 Mar 2026 10:37:10 +0200 +Subject: drm/i915/psr: Compute PSR entry_setup_frames into intel_crtc_state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +commit 7caac659a837af9fd4cad85be851982b88859484 upstream. + +PSR entry_setup_frames is currently computed directly into struct +intel_dp:intel_psr:entry_setup_frames. This causes a problem if mode change +gets rejected after PSR compute config: Psr_entry_setup_frames computed for +this rejected state is in intel_dp:intel_psr:entry_setup_frame. Fix this by +computing it into intel_crtc_state and copy the value into +intel_dp:intel_psr:entry_setup_frames on PSR enable. + +Fixes: 2b981d57e480 ("drm/i915/display: Support PSR entry VSC packet to be transmitted one frame earlier") +Cc: Mika Kahola +Cc: # v6.8+ +Signed-off-by: Jouni Högander +Reviewed-by: Suraj Kandpal +Link: https://patch.msgid.link/20260312083710.1593781-3-jouni.hogander@intel.com +(cherry picked from commit 8c229b4aa00262c13787982e998c61c0783285e0) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_display_types.h | 1 + + drivers/gpu/drm/i915/display/intel_psr.c | 5 +++-- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/display/intel_display_types.h ++++ b/drivers/gpu/drm/i915/display/intel_display_types.h +@@ -1160,6 +1160,7 @@ struct intel_crtc_state { + u32 dc3co_exitline; + u16 su_y_granularity; + u8 active_non_psr_pipes; ++ u8 entry_setup_frames; + const char *no_psr_reason; + + /* +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -1711,7 +1711,7 @@ static bool _psr_compute_config(struct i + entry_setup_frames = intel_psr_entry_setup_frames(intel_dp, adjusted_mode); + + if (entry_setup_frames >= 0) { +- intel_dp->psr.entry_setup_frames = entry_setup_frames; ++ crtc_state->entry_setup_frames = entry_setup_frames; + } else { + crtc_state->no_psr_reason = "PSR setup timing not met"; + drm_dbg_kms(display->drm, +@@ -1792,7 +1792,7 @@ static bool intel_psr_needs_wa_180378188 + { + struct intel_display *display = to_intel_display(intel_dp); + +- return (DISPLAY_VER(display) == 20 && intel_dp->psr.entry_setup_frames > 0 && ++ return (DISPLAY_VER(display) == 20 && crtc_state->entry_setup_frames > 0 && + !crtc_state->has_sel_update); + } + +@@ -2167,6 +2167,7 @@ static void intel_psr_enable_locked(stru + intel_dp->psr.pkg_c_latency_used = crtc_state->pkg_c_latency_used; + intel_dp->psr.io_wake_lines = crtc_state->alpm_state.io_wake_lines; + intel_dp->psr.fast_wake_lines = crtc_state->alpm_state.fast_wake_lines; ++ intel_dp->psr.entry_setup_frames = crtc_state->entry_setup_frames; + + if (!psr_interrupt_error_check(intel_dp)) + return; diff --git a/queue-6.19/drm-i915-psr-disable-psr-on-update_m_n-and-update_lrr.patch b/queue-6.19/drm-i915-psr-disable-psr-on-update_m_n-and-update_lrr.patch new file mode 100644 index 0000000000..9dec192797 --- /dev/null +++ b/queue-6.19/drm-i915-psr-disable-psr-on-update_m_n-and-update_lrr.patch @@ -0,0 +1,40 @@ +From b0a4dba7b623aa7cbc9efcc56b4af2ec8b274f3e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jouni=20H=C3=B6gander?= +Date: Thu, 12 Mar 2026 10:37:09 +0200 +Subject: drm/i915/psr: Disable PSR on update_m_n and update_lrr +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +commit b0a4dba7b623aa7cbc9efcc56b4af2ec8b274f3e upstream. + +PSR/PR parameters might change based on update_m_n or update_lrr. Disable +on update_m_n and update_lrr to ensure proper parameters are taken into use +on next PSR enable in intel_psr_post_plane_update. + +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15771 +Fixes: 2bc98c6f97af ("drm/i915/alpm: Compute ALPM parameters into crtc_state->alpm_state") +Cc: # v6.19+ +Signed-off-by: Jouni Högander +Reviewed-by: Suraj Kandpal +Link: https://patch.msgid.link/20260312083710.1593781-2-jouni.hogander@intel.com +(cherry picked from commit 65852b56bfa929f99e28c96fd98b02058959da7f) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_psr.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -3087,6 +3087,8 @@ void intel_psr_pre_plane_update(struct i + * - Display WA #1136: skl, bxt + */ + if (intel_crtc_needs_modeset(new_crtc_state) || ++ new_crtc_state->update_m_n || ++ new_crtc_state->update_lrr || + !new_crtc_state->has_psr || + !new_crtc_state->active_planes || + new_crtc_state->has_sel_update != psr->sel_update_enabled || diff --git a/queue-6.19/drm-imagination-fix-deadlock-in-soft-reset-sequence.patch b/queue-6.19/drm-imagination-fix-deadlock-in-soft-reset-sequence.patch new file mode 100644 index 0000000000..027d7a31db --- /dev/null +++ b/queue-6.19/drm-imagination-fix-deadlock-in-soft-reset-sequence.patch @@ -0,0 +1,46 @@ +From a55c2a5c8d680156495b7b1e2a9f5a3e313ba524 Mon Sep 17 00:00:00 2001 +From: Alessio Belle +Date: Mon, 9 Mar 2026 15:23:48 +0000 +Subject: drm/imagination: Fix deadlock in soft reset sequence + +From: Alessio Belle + +commit a55c2a5c8d680156495b7b1e2a9f5a3e313ba524 upstream. + +The soft reset sequence is currently executed from the threaded IRQ +handler, hence it cannot call disable_irq() which internally waits +for IRQ handlers, i.e. itself, to complete. + +Use disable_irq_nosync() during a soft reset instead. + +Fixes: cc1aeedb98ad ("drm/imagination: Implement firmware infrastructure and META FW support") +Cc: stable@vger.kernel.org +Signed-off-by: Alessio Belle +Reviewed-by: Matt Coster +Link: https://patch.msgid.link/20260309-fix-soft-reset-v1-1-121113be554f@imgtec.com +Signed-off-by: Matt Coster +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/imagination/pvr_power.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/imagination/pvr_power.c ++++ b/drivers/gpu/drm/imagination/pvr_power.c +@@ -510,7 +510,16 @@ pvr_power_reset(struct pvr_device *pvr_d + } + + /* Disable IRQs for the duration of the reset. */ +- disable_irq(pvr_dev->irq); ++ if (hard_reset) { ++ disable_irq(pvr_dev->irq); ++ } else { ++ /* ++ * Soft reset is triggered as a response to a FW command to the Host and is ++ * processed from the threaded IRQ handler. This code cannot (nor needs to) ++ * wait for any IRQ processing to complete. ++ */ ++ disable_irq_nosync(pvr_dev->irq); ++ } + + do { + if (hard_reset) { diff --git a/queue-6.19/drm-imagination-synchronize-interrupts-before-suspending-the-gpu.patch b/queue-6.19/drm-imagination-synchronize-interrupts-before-suspending-the-gpu.patch new file mode 100644 index 0000000000..d8dc10f519 --- /dev/null +++ b/queue-6.19/drm-imagination-synchronize-interrupts-before-suspending-the-gpu.patch @@ -0,0 +1,159 @@ +From 2d7f05cddf4c268cc36256a2476946041dbdd36d Mon Sep 17 00:00:00 2001 +From: Alessio Belle +Date: Tue, 10 Mar 2026 11:41:11 +0000 +Subject: drm/imagination: Synchronize interrupts before suspending the GPU + +From: Alessio Belle + +commit 2d7f05cddf4c268cc36256a2476946041dbdd36d upstream. + +The runtime PM suspend callback doesn't know whether the IRQ handler is +in progress on a different CPU core and doesn't wait for it to finish. + +Depending on timing, the IRQ handler could be running while the GPU is +suspended, leading to kernel crashes when trying to access GPU +registers. See example signature below. + +In a power off sequence initiated by the runtime PM suspend callback, +wait for any IRQ handlers in progress on other CPU cores to finish, by +calling synchronize_irq(). + +At the same time, remove the runtime PM resume/put calls in the threaded +IRQ handler. On top of not being the right approach to begin with, and +being at the wrong place as they should have wrapped all GPU register +accesses, the driver would hit a deadlock between synchronize_irq() +being called from a runtime PM suspend callback, holding the device +power lock, and the resume callback requiring the same. + +Example crash signature on a TI AM68 SK platform: + + [ 337.241218] SError Interrupt on CPU0, code 0x00000000bf000000 -- SError + [ 337.241239] CPU: 0 UID: 0 PID: 112 Comm: irq/234-gpu Tainted: G M 6.17.7-B2C-00005-g9c7bbe4ea16c #2 PREEMPT + [ 337.241246] Tainted: [M]=MACHINE_CHECK + [ 337.241249] Hardware name: Texas Instruments AM68 SK (DT) + [ 337.241252] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + [ 337.241256] pc : pvr_riscv_irq_pending+0xc/0x24 + [ 337.241277] lr : pvr_device_irq_thread_handler+0x64/0x310 + [ 337.241282] sp : ffff800085b0bd30 + [ 337.241284] x29: ffff800085b0bd50 x28: ffff0008070d9eab x27: ffff800083a5ce10 + [ 337.241291] x26: ffff000806e48f80 x25: ffff0008070d9eac x24: 0000000000000000 + [ 337.241296] x23: ffff0008068e9bf0 x22: ffff0008068e9bd0 x21: ffff800085b0bd30 + [ 337.241301] x20: ffff0008070d9e00 x19: ffff0008068e9000 x18: 0000000000000001 + [ 337.241305] x17: 637365645f656c70 x16: 0000000000000000 x15: ffff000b7df9ff40 + [ 337.241310] x14: 0000a585fe3c0d0e x13: 000000999704f060 x12: 000000000002771a + [ 337.241314] x11: 00000000000000c0 x10: 0000000000000af0 x9 : ffff800085b0bd00 + [ 337.241318] x8 : ffff0008071175d0 x7 : 000000000000b955 x6 : 0000000000000003 + [ 337.241323] x5 : 0000000000000000 x4 : 0000000000000002 x3 : 0000000000000000 + [ 337.241327] x2 : ffff800080e39d20 x1 : ffff800080e3fc48 x0 : 0000000000000000 + [ 337.241333] Kernel panic - not syncing: Asynchronous SError Interrupt + [ 337.241337] CPU: 0 UID: 0 PID: 112 Comm: irq/234-gpu Tainted: G M 6.17.7-B2C-00005-g9c7bbe4ea16c #2 PREEMPT + [ 337.241342] Tainted: [M]=MACHINE_CHECK + [ 337.241343] Hardware name: Texas Instruments AM68 SK (DT) + [ 337.241345] Call trace: + [ 337.241348] show_stack+0x18/0x24 (C) + [ 337.241357] dump_stack_lvl+0x60/0x80 + [ 337.241364] dump_stack+0x18/0x24 + [ 337.241368] vpanic+0x124/0x2ec + [ 337.241373] abort+0x0/0x4 + [ 337.241377] add_taint+0x0/0xbc + [ 337.241384] arm64_serror_panic+0x70/0x80 + [ 337.241389] do_serror+0x3c/0x74 + [ 337.241392] el1h_64_error_handler+0x30/0x48 + [ 337.241400] el1h_64_error+0x6c/0x70 + [ 337.241404] pvr_riscv_irq_pending+0xc/0x24 (P) + [ 337.241410] irq_thread_fn+0x2c/0xb0 + [ 337.241416] irq_thread+0x170/0x334 + [ 337.241421] kthread+0x12c/0x210 + [ 337.241428] ret_from_fork+0x10/0x20 + [ 337.241434] SMP: stopping secondary CPUs + [ 337.241451] Kernel Offset: disabled + [ 337.241453] CPU features: 0x040000,02002800,20002001,0400421b + [ 337.241456] Memory Limit: none + [ 337.457921] ---[ end Kernel panic - not syncing: Asynchronous SError Interrupt ]--- + +Fixes: cc1aeedb98ad ("drm/imagination: Implement firmware infrastructure and META FW support") +Fixes: 96822d38ff57 ("drm/imagination: Handle Rogue safety event IRQs") +Cc: stable@vger.kernel.org # see patch description, needs adjustments for < 6.16 +Signed-off-by: Alessio Belle +Reviewed-by: Matt Coster +Link: https://patch.msgid.link/20260310-drain-irqs-before-suspend-v1-1-bf4f9ed68e75@imgtec.com +Signed-off-by: Matt Coster +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/imagination/pvr_device.c | 17 ----------------- + drivers/gpu/drm/imagination/pvr_power.c | 11 ++++++++--- + 2 files changed, 8 insertions(+), 20 deletions(-) + +--- a/drivers/gpu/drm/imagination/pvr_device.c ++++ b/drivers/gpu/drm/imagination/pvr_device.c +@@ -224,29 +224,12 @@ static irqreturn_t pvr_device_irq_thread + } + + if (pvr_dev->has_safety_events) { +- int err; +- +- /* +- * Ensure the GPU is powered on since some safety events (such +- * as ECC faults) can happen outside of job submissions, which +- * are otherwise the only time a power reference is held. +- */ +- err = pvr_power_get(pvr_dev); +- if (err) { +- drm_err_ratelimited(drm_dev, +- "%s: could not take power reference (%d)\n", +- __func__, err); +- return ret; +- } +- + while (pvr_device_safety_irq_pending(pvr_dev)) { + pvr_device_safety_irq_clear(pvr_dev); + pvr_device_handle_safety_events(pvr_dev); + + ret = IRQ_HANDLED; + } +- +- pvr_power_put(pvr_dev); + } + + return ret; +--- a/drivers/gpu/drm/imagination/pvr_power.c ++++ b/drivers/gpu/drm/imagination/pvr_power.c +@@ -90,7 +90,7 @@ pvr_power_request_pwr_off(struct pvr_dev + } + + static int +-pvr_power_fw_disable(struct pvr_device *pvr_dev, bool hard_reset) ++pvr_power_fw_disable(struct pvr_device *pvr_dev, bool hard_reset, bool rpm_suspend) + { + if (!hard_reset) { + int err; +@@ -106,6 +106,11 @@ pvr_power_fw_disable(struct pvr_device * + return err; + } + ++ if (rpm_suspend) { ++ /* Wait for late processing of GPU or firmware IRQs in other cores */ ++ synchronize_irq(pvr_dev->irq); ++ } ++ + return pvr_fw_stop(pvr_dev); + } + +@@ -361,7 +366,7 @@ pvr_power_device_suspend(struct device * + return -EIO; + + if (pvr_dev->fw_dev.booted) { +- err = pvr_power_fw_disable(pvr_dev, false); ++ err = pvr_power_fw_disable(pvr_dev, false, true); + if (err) + goto err_drm_dev_exit; + } +@@ -527,7 +532,7 @@ pvr_power_reset(struct pvr_device *pvr_d + queues_disabled = true; + } + +- err = pvr_power_fw_disable(pvr_dev, hard_reset); ++ err = pvr_power_fw_disable(pvr_dev, hard_reset, false); + if (!err) { + if (hard_reset) { + pvr_dev->fw_dev.booted = false; diff --git a/queue-6.19/drm-radeon-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch b/queue-6.19/drm-radeon-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch new file mode 100644 index 0000000000..9be9e367d3 --- /dev/null +++ b/queue-6.19/drm-radeon-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch @@ -0,0 +1,35 @@ +From 86650ee2241ff84207eaa298ab318533f3c21a38 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 25 Sep 2023 10:44:06 -0400 +Subject: drm/radeon: apply state adjust rules to some additional HAINAN vairants + +From: Alex Deucher + +commit 86650ee2241ff84207eaa298ab318533f3c21a38 upstream. + +They need a similar workaround. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1839 +Signed-off-by: Alex Deucher +(cherry picked from commit 87327658c848f56eac166cb382b57b83bf06c5ac) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/si_dpm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/si_dpm.c ++++ b/drivers/gpu/drm/radeon/si_dpm.c +@@ -2915,9 +2915,11 @@ static void si_apply_state_adjust_rules( + if (rdev->family == CHIP_HAINAN) { + if ((rdev->pdev->revision == 0x81) || + (rdev->pdev->revision == 0xC3) || ++ (rdev->pdev->device == 0x6660) || + (rdev->pdev->device == 0x6664) || + (rdev->pdev->device == 0x6665) || +- (rdev->pdev->device == 0x6667)) { ++ (rdev->pdev->device == 0x6667) || ++ (rdev->pdev->device == 0x666F)) { + max_sclk = 75000; + } + if ((rdev->pdev->revision == 0xC3) || diff --git a/queue-6.19/drm-xe-always-kill-exec-queues-in-xe_guc_submit_pause_abort.patch b/queue-6.19/drm-xe-always-kill-exec-queues-in-xe_guc_submit_pause_abort.patch new file mode 100644 index 0000000000..725fac0225 --- /dev/null +++ b/queue-6.19/drm-xe-always-kill-exec-queues-in-xe_guc_submit_pause_abort.patch @@ -0,0 +1,42 @@ +From 26c638d5602e329e0b26281a74c6ec69dee12f23 Mon Sep 17 00:00:00 2001 +From: Matthew Brost +Date: Tue, 10 Mar 2026 18:50:33 -0400 +Subject: drm/xe: Always kill exec queues in xe_guc_submit_pause_abort +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Brost + +commit 26c638d5602e329e0b26281a74c6ec69dee12f23 upstream. + +xe_guc_submit_pause_abort is intended to be called after something +disastrous occurs (e.g., VF migration fails, device wedging, or driver +unload) and should immediately trigger the teardown of remaining +submission state. With that, kill any remaining queues in this function. + +Fixes: 7c4b7e34c83b ("drm/xe/vf: Abort VF post migration recovery on failure") +Cc: stable@vger.kernel.org +Signed-off-by: Zhanjun Dong +Reviewed-by: Stuart Summers +Signed-off-by: Matthew Brost +Link: https://patch.msgid.link/20260310225039.1320161-2-zhanjun.dong@intel.com +(cherry picked from commit 78f3bf00be4f15daead02ba32d4737129419c902) +Signed-off-by: Thomas Hellström +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_guc_submit.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_guc_submit.c ++++ b/drivers/gpu/drm/xe/xe_guc_submit.c +@@ -2410,8 +2410,7 @@ void xe_guc_submit_pause_abort(struct xe + continue; + + xe_sched_submission_start(sched); +- if (exec_queue_killed_or_banned_or_wedged(q)) +- xe_guc_exec_queue_trigger_cleanup(q); ++ guc_exec_queue_kill(q); + } + mutex_unlock(&guc->submission_state.lock); + } diff --git a/queue-6.19/drm-xe-fix-missing-runtime-pm-reference-in-ccs_mode_store.patch b/queue-6.19/drm-xe-fix-missing-runtime-pm-reference-in-ccs_mode_store.patch new file mode 100644 index 0000000000..82f37db19d --- /dev/null +++ b/queue-6.19/drm-xe-fix-missing-runtime-pm-reference-in-ccs_mode_store.patch @@ -0,0 +1,67 @@ +From 65d046b2d8e0d6d855379a981869005fd6b6a41b Mon Sep 17 00:00:00 2001 +From: Sanjay Yadav +Date: Fri, 13 Mar 2026 12:46:09 +0530 +Subject: drm/xe: Fix missing runtime PM reference in ccs_mode_store +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sanjay Yadav + +commit 65d046b2d8e0d6d855379a981869005fd6b6a41b upstream. + +ccs_mode_store() calls xe_gt_reset() which internally invokes +xe_pm_runtime_get_noresume(). That function requires the caller +to already hold an outer runtime PM reference and warns if none +is held: + + [46.891177] xe 0000:03:00.0: [drm] Missing outer runtime PM protection + [46.891178] WARNING: drivers/gpu/drm/xe/xe_pm.c:885 at + xe_pm_runtime_get_noresume+0x8b/0xc0 + +Fix this by protecting xe_gt_reset() with the scope-based +guard(xe_pm_runtime)(xe), which is the preferred form when +the reference lifetime matches a single scope. + +v2: +- Use scope-based guard(xe_pm_runtime)(xe) (Shuicheng) +- Update commit message accordingly + +Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/7593 +Fixes: 480b358e7d8e ("drm/xe: Do not wake device during a GT reset") +Cc: # v6.19+ +Cc: Thomas Hellström +Cc: Matthew Brost +Cc: Rodrigo Vivi +Cc: Shuicheng Lin +Suggested-by: Matthew Auld +Signed-off-by: Sanjay Yadav +Reviewed-by: Shuicheng Lin +Reviewed-by: Matthew Auld +Signed-off-by: Matthew Auld +Link: https://patch.msgid.link/20260313071608.3459480-2-sanjay.kumar.yadav@intel.com +(cherry picked from commit 7937ea733f79b3f25e802a0c8360bf7423856f36) +Signed-off-by: Thomas Hellström +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_gt_ccs_mode.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/xe/xe_gt_ccs_mode.c ++++ b/drivers/gpu/drm/xe/xe_gt_ccs_mode.c +@@ -12,6 +12,7 @@ + #include "xe_gt_printk.h" + #include "xe_gt_sysfs.h" + #include "xe_mmio.h" ++#include "xe_pm.h" + #include "xe_sriov.h" + + static void __xe_gt_apply_ccs_mode(struct xe_gt *gt, u32 num_engines) +@@ -150,6 +151,7 @@ ccs_mode_store(struct device *kdev, stru + xe_gt_info(gt, "Setting compute mode to %d\n", num_engines); + gt->ccs_mode = num_engines; + xe_gt_record_user_engines(gt); ++ guard(xe_pm_runtime)(xe); + xe_gt_reset(gt); + } + diff --git a/queue-6.19/drm-xe-guc-ensure-ct-state-transitions-via-stop-before-disabled.patch b/queue-6.19/drm-xe-guc-ensure-ct-state-transitions-via-stop-before-disabled.patch new file mode 100644 index 0000000000..79c1ced755 --- /dev/null +++ b/queue-6.19/drm-xe-guc-ensure-ct-state-transitions-via-stop-before-disabled.patch @@ -0,0 +1,39 @@ +From 7838dd8367419e9fc43b79c038321cb3c04de2a2 Mon Sep 17 00:00:00 2001 +From: Zhanjun Dong +Date: Tue, 10 Mar 2026 18:50:37 -0400 +Subject: drm/xe/guc: Ensure CT state transitions via STOP before DISABLED +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhanjun Dong + +commit 7838dd8367419e9fc43b79c038321cb3c04de2a2 upstream. + +The GuC CT state transition requires moving to the STOP state before +entering the DISABLED state. Update the driver teardown sequence to make +the proper state machine transitions. + +Fixes: ee4b32220a6b ("drm/xe/guc: Add devm release action to safely tear down CT") +Cc: stable@vger.kernel.org +Signed-off-by: Zhanjun Dong +Reviewed-by: Matthew Brost +Signed-off-by: Matthew Brost +Link: https://patch.msgid.link/20260310225039.1320161-6-zhanjun.dong@intel.com +(cherry picked from commit dace8cb0032f57ea67c87b3b92ad73c89dd2db44) +Signed-off-by: Thomas Hellström +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_guc_ct.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/xe/xe_guc_ct.c ++++ b/drivers/gpu/drm/xe/xe_guc_ct.c +@@ -265,6 +265,7 @@ static void guc_action_disable_ct(void * + { + struct xe_guc_ct *ct = arg; + ++ xe_guc_ct_stop(ct); + guc_ct_change_state(ct, XE_GUC_CT_STATE_DISABLED); + } + diff --git a/queue-6.19/drm-xe-oa-allow-reading-after-disabling-oa-stream.patch b/queue-6.19/drm-xe-oa-allow-reading-after-disabling-oa-stream.patch new file mode 100644 index 0000000000..c3f69b6659 --- /dev/null +++ b/queue-6.19/drm-xe-oa-allow-reading-after-disabling-oa-stream.patch @@ -0,0 +1,53 @@ +From 9be6fd9fbd2032b683e51374497768af9aaa228a Mon Sep 17 00:00:00 2001 +From: Ashutosh Dixit +Date: Thu, 12 Mar 2026 22:36:30 -0700 +Subject: drm/xe/oa: Allow reading after disabling OA stream +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ashutosh Dixit + +commit 9be6fd9fbd2032b683e51374497768af9aaa228a upstream. + +Some OA data might be present in the OA buffer when OA stream is +disabled. Allow UMD's to retrieve this data, so that all data till the +point when OA stream is disabled can be retrieved. + +v2: Update tail pointer after disable (Umesh) + +Fixes: efb315d0a013 ("drm/xe/oa/uapi: Read file_operation") +Cc: stable@vger.kernel.org +Signed-off-by: Ashutosh Dixit +Reviewed-by: Umesh Nerlige Ramappa +Link: https://patch.msgid.link/20260313053630.3176100-1-ashutosh.dixit@intel.com +(cherry picked from commit 4ff57c5e8dbba23b5457be12f9709d5c016da16e) +Signed-off-by: Thomas Hellström +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_oa.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_oa.c ++++ b/drivers/gpu/drm/xe/xe_oa.c +@@ -543,8 +543,7 @@ static ssize_t xe_oa_read(struct file *f + size_t offset = 0; + int ret; + +- /* Can't read from disabled streams */ +- if (!stream->enabled || !stream->sample) ++ if (!stream->sample) + return -EINVAL; + + if (!(file->f_flags & O_NONBLOCK)) { +@@ -1460,6 +1459,10 @@ static void xe_oa_stream_disable(struct + + if (stream->sample) + hrtimer_cancel(&stream->poll_check_timer); ++ ++ /* Update stream->oa_buffer.tail to allow any final reports to be read */ ++ if (xe_oa_buffer_check_unlocked(stream)) ++ wake_up(&stream->poll_wq); + } + + static int xe_oa_enable_preempt_timeslice(struct xe_oa_stream *stream) diff --git a/queue-6.19/drm-xe-open-code-ggtt-mmio-access-protection.patch b/queue-6.19/drm-xe-open-code-ggtt-mmio-access-protection.patch new file mode 100644 index 0000000000..539e1ebd57 --- /dev/null +++ b/queue-6.19/drm-xe-open-code-ggtt-mmio-access-protection.patch @@ -0,0 +1,100 @@ +From 01f2557aa684e514005541e71a3d01f4cd45c170 Mon Sep 17 00:00:00 2001 +From: Matthew Brost +Date: Tue, 10 Mar 2026 18:50:39 -0400 +Subject: drm/xe: Open-code GGTT MMIO access protection +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Brost + +commit 01f2557aa684e514005541e71a3d01f4cd45c170 upstream. + +GGTT MMIO access is currently protected by hotplug (drm_dev_enter), +which works correctly when the driver loads successfully and is later +unbound or unloaded. However, if driver load fails, this protection is +insufficient because drm_dev_unplug() is never called. + +Additionally, devm release functions cannot guarantee that all BOs with +GGTT mappings are destroyed before the GGTT MMIO region is removed, as +some BOs may be freed asynchronously by worker threads. + +To address this, introduce an open-coded flag, protected by the GGTT +lock, that guards GGTT MMIO access. The flag is cleared during the +dev_fini_ggtt devm release function to ensure MMIO access is disabled +once teardown begins. + +Cc: stable@vger.kernel.org +Fixes: 919bb54e989c ("drm/xe: Fix missing runtime outer protection for ggtt_remove_node") +Reviewed-by: Zhanjun Dong +Signed-off-by: Matthew Brost +Link: https://patch.msgid.link/20260310225039.1320161-8-zhanjun.dong@intel.com +(cherry picked from commit 4f3a998a173b4325c2efd90bdadc6ccd3ad9a431) +Signed-off-by: Thomas Hellström +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_ggtt.c | 10 ++++------ + drivers/gpu/drm/xe/xe_ggtt_types.h | 5 ++++- + 2 files changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_ggtt.c ++++ b/drivers/gpu/drm/xe/xe_ggtt.c +@@ -274,6 +274,8 @@ static void dev_fini_ggtt(void *arg) + { + struct xe_ggtt *ggtt = arg; + ++ scoped_guard(mutex, &ggtt->lock) ++ ggtt->flags &= ~XE_GGTT_FLAGS_ONLINE; + drain_workqueue(ggtt->wq); + } + +@@ -332,6 +334,7 @@ int xe_ggtt_init_early(struct xe_ggtt *g + if (err) + return err; + ++ ggtt->flags |= XE_GGTT_FLAGS_ONLINE; + err = devm_add_action_or_reset(xe->drm.dev, dev_fini_ggtt, ggtt); + if (err) + return err; +@@ -365,13 +368,10 @@ static void xe_ggtt_initial_clear(struct + static void ggtt_node_remove(struct xe_ggtt_node *node) + { + struct xe_ggtt *ggtt = node->ggtt; +- struct xe_device *xe = tile_to_xe(ggtt->tile); + bool bound; +- int idx; +- +- bound = drm_dev_enter(&xe->drm, &idx); + + mutex_lock(&ggtt->lock); ++ bound = ggtt->flags & XE_GGTT_FLAGS_ONLINE; + if (bound) + xe_ggtt_clear(ggtt, node->base.start, node->base.size); + drm_mm_remove_node(&node->base); +@@ -384,8 +384,6 @@ static void ggtt_node_remove(struct xe_g + if (node->invalidate_on_remove) + xe_ggtt_invalidate(ggtt); + +- drm_dev_exit(idx); +- + free_node: + xe_ggtt_node_fini(node); + } +--- a/drivers/gpu/drm/xe/xe_ggtt_types.h ++++ b/drivers/gpu/drm/xe/xe_ggtt_types.h +@@ -25,11 +25,14 @@ struct xe_ggtt { + /** @size: Total size of this GGTT */ + u64 size; + +-#define XE_GGTT_FLAGS_64K BIT(0) ++#define XE_GGTT_FLAGS_64K BIT(0) ++#define XE_GGTT_FLAGS_ONLINE BIT(1) + /** + * @flags: Flags for this GGTT + * Acceptable flags: + * - %XE_GGTT_FLAGS_64K - if PTE size is 64K. Otherwise, regular is 4K. ++ * - %XE_GGTT_FLAGS_ONLINE - is GGTT online, protected by ggtt->lock ++ * after init + */ + unsigned int flags; + /** @scratch: Internal object allocation used as a scratch page */ diff --git a/queue-6.19/series b/queue-6.19/series index eee2ee5aaf..2e0bd9347e 100644 --- a/queue-6.19/series +++ b/queue-6.19/series @@ -68,3 +68,26 @@ serial-8250-add-late-synchronize_irq-to-shutdown-to-handle-dw-uart-busy.patch serial-8250_dw-ensure-busy-is-deasserted.patch serial-core-fix-infinite-loop-in-handle_tx-for-port_unknown.patch serial-uartlite-fix-pm-runtime-usage-count-underflow-on-probe.patch +drm-fix-use-after-free-on-framebuffers-and-property-blobs-when-calling-drm_dev_unplug.patch +drm-amd-display-wrap-dcn32_override_min_req_memclk-in-dc_fp_-start-end.patch +drm-amdgpu-gmc9.0-add-bounds-checking-for-cid.patch +drm-amdgpu-mmhub2.0-add-bounds-checking-for-cid.patch +drm-amdgpu-mmhub2.3-add-bounds-checking-for-cid.patch +drm-amdgpu-mmhub3.0.1-add-bounds-checking-for-cid.patch +drm-amdgpu-mmhub3.0.2-add-bounds-checking-for-cid.patch +drm-amdgpu-mmhub3.0-add-bounds-checking-for-cid.patch +drm-amdgpu-mmhub4.1.0-add-bounds-checking-for-cid.patch +drm-imagination-fix-deadlock-in-soft-reset-sequence.patch +drm-imagination-synchronize-interrupts-before-suspending-the-gpu.patch +drm-radeon-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch +drm-amdgpu-apply-state-adjust-rules-to-some-additional-hainan-vairants.patch +drm-amdgpu-limit-bo-list-entry-count-to-prevent-resource-exhaustion.patch +drm-amdgpu-rework-how-we-handle-tlb-fences.patch +drm-i915-dmc-fix-an-unlikely-null-pointer-deference-at-probe.patch +drm-i915-psr-compute-psr-entry_setup_frames-into-intel_crtc_state.patch +drm-i915-psr-disable-psr-on-update_m_n-and-update_lrr.patch +drm-xe-guc-ensure-ct-state-transitions-via-stop-before-disabled.patch +drm-xe-oa-allow-reading-after-disabling-oa-stream.patch +drm-xe-always-kill-exec-queues-in-xe_guc_submit_pause_abort.patch +drm-xe-fix-missing-runtime-pm-reference-in-ccs_mode_store.patch +drm-xe-open-code-ggtt-mmio-access-protection.patch