--- /dev/null
+From 139e99d58e373bd11f085766e681d21d34d0b097 Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Thu, 6 Mar 2025 11:29:20 -0600
+Subject: drm/amd/display: Add HP Probook 445 and 465 to the quirk list for eDP on DP1
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 139e99d58e373bd11f085766e681d21d34d0b097 upstream.
+
+[Why]
+HP Probook 445 and 465 has DP0 and DP1 swapped.
+
+[How]
+Add HP Probook 445 and 465 to DP0/DP1 swap quirk list.
+
+Cc: stable@vger.kernel.org
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3995
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Roman Li <roman.li@amd.com>
+Tested-by: Anson Tsao <anson.tsao@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -1704,6 +1704,20 @@ static const struct dmi_system_id dmi_qu
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP EliteBook 665 16 inch G11 Notebook PC"),
+ },
+ },
++ {
++ .callback = edp0_on_dp1_callback,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP ProBook 445 14 inch G11 Notebook PC"),
++ },
++ },
++ {
++ .callback = edp0_on_dp1_callback,
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP ProBook 465 16 inch G11 Notebook PC"),
++ },
++ },
+ {}
+ /* TODO: refactor this from a fixed table to a dynamic option */
+ };
--- /dev/null
+From 69a46ce1f15b4391c128d581f6936750f9bfa052 Mon Sep 17 00:00:00 2001
+From: Tom Chung <chiahsuan.chung@amd.com>
+Date: Wed, 19 Mar 2025 16:31:31 +0800
+Subject: drm/amd/display: Do not enable Replay and PSR while VRR is on in amdgpu_dm_commit_planes()
+
+From: Tom Chung <chiahsuan.chung@amd.com>
+
+commit 69a46ce1f15b4391c128d581f6936750f9bfa052 upstream.
+
+[Why]
+Replay and PSR will cause some video corruption while VRR is enabled.
+
+[How]
+Do not enable the Replay and PSR while VRR is active in
+amdgpu_dm_enable_self_refresh().
+
+Fixes: 67edb81d6e9a ("drm/amd/display: Disable replay and psr while VRR is enabled")
+Reviewed-by: Sun peng Li <sunpeng.li@amd.com>
+Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Fangzhi Zuo <jerry.zuo@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
+index 36a830a7440f..87058271b00c 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c
+@@ -113,6 +113,7 @@ bool amdgpu_dm_crtc_vrr_active(const struct dm_crtc_state *dm_state)
+ *
+ * Panel Replay and PSR SU
+ * - Enable when:
++ * - VRR is disabled
+ * - vblank counter is disabled
+ * - entry is allowed: usermode demonstrates an adequate number of fast
+ * commits)
+@@ -131,19 +132,20 @@ static void amdgpu_dm_crtc_set_panel_sr_feature(
+ bool is_sr_active = (link->replay_settings.replay_allow_active ||
+ link->psr_settings.psr_allow_active);
+ bool is_crc_window_active = false;
++ bool vrr_active = amdgpu_dm_crtc_vrr_active_irq(vblank_work->acrtc);
+
+ #ifdef CONFIG_DRM_AMD_SECURE_DISPLAY
+ is_crc_window_active =
+ amdgpu_dm_crc_window_is_activated(&vblank_work->acrtc->base);
+ #endif
+
+- if (link->replay_settings.replay_feature_enabled &&
++ if (link->replay_settings.replay_feature_enabled && !vrr_active &&
+ allow_sr_entry && !is_sr_active && !is_crc_window_active) {
+ amdgpu_dm_replay_enable(vblank_work->stream, true);
+ } else if (vblank_enabled) {
+ if (link->psr_settings.psr_version < DC_PSR_VERSION_SU_1 && is_sr_active)
+ amdgpu_dm_psr_disable(vblank_work->stream, false);
+- } else if (link->psr_settings.psr_feature_enabled &&
++ } else if (link->psr_settings.psr_feature_enabled && !vrr_active &&
+ allow_sr_entry && !is_sr_active && !is_crc_window_active) {
+
+ struct amdgpu_dm_connector *aconn =
+--
+2.49.0
+
--- /dev/null
+From 4408b59eeacfea777aae397177f49748cadde5ce Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Thu, 27 Mar 2025 17:53:32 +0800
+Subject: drm/amd/display: Protect FPU in dml21_copy()
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit 4408b59eeacfea777aae397177f49748cadde5ce upstream.
+
+Commit 7da55c27e76749b9 ("drm/amd/display: Remove incorrect FP context
+start") removes the FP context protection of dml2_create(), and it said
+"All the DC_FP_START/END should be used before call anything from DML2".
+
+However, dml21_copy() are not protected from their callers, causing such
+errors:
+
+ do_fpu invoked from kernel context![#1]:
+ CPU: 0 UID: 0 PID: 240 Comm: kworker/0:5 Not tainted 6.14.0-rc6+ #1
+ Workqueue: events work_for_cpu_fn
+ pc ffff80000318bd2c ra ffff80000315750c tp 9000000105910000 sp 9000000105913810
+ a0 0000000000000000 a1 0000000000000002 a2 900000013140d728 a3 900000013140d720
+ a4 0000000000000000 a5 9000000131592d98 a6 0000000000017ae8 a7 00000000001312d0
+ t0 9000000130751ff0 t1 ffff800003790000 t2 ffff800003790000 t3 9000000131592e28
+ t4 000000000004c6a8 t5 00000000001b7740 t6 0000000000023e38 t7 0000000000249f00
+ t8 0000000000000002 u0 0000000000000000 s9 900000012b010000 s0 9000000131400000
+ s1 9000000130751fd8 s2 ffff800003408000 s3 9000000130752c78 s4 9000000131592da8
+ s5 9000000131592120 s6 9000000130751ff0 s7 9000000131592e28 s8 9000000131400008
+ ra: ffff80000315750c dml2_top_soc15_initialize_instance+0x20c/0x300 [amdgpu]
+ ERA: ffff80000318bd2c mcg_dcn4_build_min_clock_table+0x14c/0x600 [amdgpu]
+ CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
+ PRMD: 00000004 (PPLV0 +PIE -PWE)
+ EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
+ ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)
+ ESTAT: 000f0000 [FPD] (IS= ECode=15 EsubCode=0)
+ PRID: 0014d010 (Loongson-64bit, Loongson-3C6000/S)
+ Process kworker/0:5 (pid: 240, threadinfo=00000000f1700428, task=0000000020d2e962)
+ Stack : 0000000000000000 0000000000000000 0000000000000000 9000000130751fd8
+ 9000000131400000 ffff8000031574e0 9000000130751ff0 0000000000000000
+ 9000000131592e28 0000000000000000 0000000000000000 0000000000000000
+ 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+ 0000000000000000 0000000000000000 0000000000000000 f9175936df5d7fd2
+ 900000012b00ff08 900000012b000000 ffff800003409000 ffff8000034a1780
+ 90000001019634c0 900000012b000010 90000001307beeb8 90000001306b0000
+ 0000000000000001 ffff8000031942b4 9000000130780000 90000001306c0000
+ 9000000130780000 ffff8000031c276c 900000012b044bd0 ffff800003408000
+ ...
+ Call Trace:
+ [<ffff80000318bd2c>] mcg_dcn4_build_min_clock_table+0x14c/0x600 [amdgpu]
+ [<ffff800003157508>] dml2_top_soc15_initialize_instance+0x208/0x300 [amdgpu]
+ [<ffff8000031942b0>] dml21_create_copy+0x30/0x60 [amdgpu]
+ [<ffff8000031c2768>] dc_state_create_copy+0x68/0xe0 [amdgpu]
+ [<ffff800002e98ea0>] amdgpu_dm_init+0x8c0/0x2060 [amdgpu]
+ [<ffff800002e9a658>] dm_hw_init+0x18/0x60 [amdgpu]
+ [<ffff800002b0a738>] amdgpu_device_init+0x1938/0x27e0 [amdgpu]
+ [<ffff800002b0ce80>] amdgpu_driver_load_kms+0x20/0xa0 [amdgpu]
+ [<ffff800002b008f0>] amdgpu_pci_probe+0x1b0/0x580 [amdgpu]
+ [<9000000003c7eae4>] local_pci_probe+0x44/0xc0
+ [<90000000032f2b18>] work_for_cpu_fn+0x18/0x40
+ [<90000000032f5da0>] process_one_work+0x160/0x300
+ [<90000000032f6718>] worker_thread+0x318/0x440
+ [<9000000003301b8c>] kthread+0x12c/0x220
+ [<90000000032b1484>] ret_from_kernel_thread+0x8/0xa4
+
+Unfortunately, protecting dml21_copy() out of DML2 causes "sleeping
+function called from invalid context", so protect them with DC_FP_START()
+and DC_FP_END() inside.
+
+Fixes: 7da55c27e767 ("drm/amd/display: Remove incorrect FP context start")
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c
++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c
+@@ -425,8 +425,12 @@ void dml21_copy(struct dml2_context *dst
+
+ dst_dml_ctx->v21.mode_programming.programming = dst_dml2_programming;
+
++ DC_FP_START();
++
+ /* need to initialize copied instance for internal references to be correct */
+ dml2_initialize_instance(&dst_dml_ctx->v21.dml_init);
++
++ DC_FP_END();
+ }
+
+ bool dml21_create_copy(struct dml2_context **dst_dml_ctx,
--- /dev/null
+From afcdf51d97cd58dd7a2e0aa8acbaea5108fa6826 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Thu, 27 Mar 2025 17:53:33 +0800
+Subject: drm/amd/display: Protect FPU in dml2_init()/dml21_init()
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit afcdf51d97cd58dd7a2e0aa8acbaea5108fa6826 upstream.
+
+Commit 7da55c27e76749b9 ("drm/amd/display: Remove incorrect FP context
+start") removes the FP context protection of dml2_create(), and it said
+"All the DC_FP_START/END should be used before call anything from DML2".
+
+However, dml2_init()/dml21_init() are not protected from their callers,
+causing such errors:
+
+ do_fpu invoked from kernel context![#1]:
+ CPU: 0 UID: 0 PID: 239 Comm: kworker/0:5 Not tainted 6.14.0-rc6+ #2
+ Workqueue: events work_for_cpu_fn
+ pc ffff80000319de80 ra ffff80000319de5c tp 900000010575c000 sp 900000010575f840
+ a0 0000000000000000 a1 900000012f210130 a2 900000012f000000 a3 ffff80000357e268
+ a4 ffff80000357e260 a5 900000012ea52cf0 a6 0000000400000004 a7 0000012c00001388
+ t0 00001900000015e0 t1 ffff80000379d000 t2 0000000010624dd3 t3 0000006400000014
+ t4 00000000000003e8 t5 0000005000000018 t6 0000000000000020 t7 0000000f00000064
+ t8 000000000000002f u0 5f5e9200f8901912 s9 900000012d380010 s0 900000012ea51fd8
+ s1 900000012f000000 s2 9000000109296000 s3 0000000000000001 s4 0000000000001fd8
+ s5 0000000000000001 s6 ffff800003415000 s7 900000012d390000 s8 ffff800003211f80
+ ra: ffff80000319de5c dml21_apply_soc_bb_overrides+0x3c/0x960 [amdgpu]
+ ERA: ffff80000319de80 dml21_apply_soc_bb_overrides+0x60/0x960 [amdgpu]
+ CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
+ PRMD: 00000004 (PPLV0 +PIE -PWE)
+ EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
+ ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)
+ ESTAT: 000f0000 [FPD] (IS= ECode=15 EsubCode=0)
+ PRID: 0014d010 (Loongson-64bit, Loongson-3C6000/S)
+ Process kworker/0:5 (pid: 239, threadinfo=00000000927eadc6, task=000000008fd31682)
+ Stack : 00040dc000003164 0000000000000001 900000012f210130 900000012eabeeb8
+ 900000012f000000 ffff80000319fe48 900000012f210000 900000012f210130
+ 900000012f000000 900000012eabeeb8 0000000000000001 ffff8000031a0064
+ 900000010575f9f0 900000012f210130 900000012eac0000 900000012ea80000
+ 900000012f000000 ffff8000031cefc4 900000010575f9f0 ffff8000035859c0
+ ffff800003414000 900000010575fa78 900000012f000000 ffff8000031b4c50
+ 0000000000000000 9000000101c9d700 9000000109c40000 5f5e9200f8901912
+ 900000012d3c4bd0 900000012d3c5000 ffff8000034aed18 900000012d380010
+ 900000012d3c4bd0 ffff800003414000 900000012d380000 ffff800002ea49dc
+ 0000000000000001 900000012d3c6000 00000000ffffe423 0000000000010000
+ ...
+ Call Trace:
+ [<ffff80000319de80>] dml21_apply_soc_bb_overrides+0x60/0x960 [amdgpu]
+ [<ffff80000319fe44>] dml21_init+0xa4/0x280 [amdgpu]
+ [<ffff8000031a0060>] dml21_create+0x40/0x80 [amdgpu]
+ [<ffff8000031cefc0>] dc_state_create+0x100/0x160 [amdgpu]
+ [<ffff8000031b4c4c>] dc_create+0x44c/0x640 [amdgpu]
+ [<ffff800002ea49d8>] amdgpu_dm_init+0x3f8/0x2060 [amdgpu]
+ [<ffff800002ea6658>] dm_hw_init+0x18/0x60 [amdgpu]
+ [<ffff800002b16738>] amdgpu_device_init+0x1938/0x27e0 [amdgpu]
+ [<ffff800002b18e80>] amdgpu_driver_load_kms+0x20/0xa0 [amdgpu]
+ [<ffff800002b0c8f0>] amdgpu_pci_probe+0x1b0/0x580 [amdgpu]
+ [<900000000448eae4>] local_pci_probe+0x44/0xc0
+ [<9000000003b02b18>] work_for_cpu_fn+0x18/0x40
+ [<9000000003b05da0>] process_one_work+0x160/0x300
+ [<9000000003b06718>] worker_thread+0x318/0x440
+ [<9000000003b11b8c>] kthread+0x12c/0x220
+ [<9000000003ac1484>] ret_from_kernel_thread+0x8/0xa4
+
+Unfortunately, protecting dml2_init()/dml21_init() out of DML2 causes
+"sleeping function called from invalid context", so protect them with
+DC_FP_START() and DC_FP_END() inside.
+
+Fixes: 7da55c27e767 ("drm/amd/display: Remove incorrect FP context start")
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 4 ++++
+ drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c
++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c
+@@ -87,6 +87,8 @@ static void dml21_init(const struct dc *
+ /* Store configuration options */
+ (*dml_ctx)->config = *config;
+
++ DC_FP_START();
++
+ /*Initialize SOCBB and DCNIP params */
+ dml21_initialize_soc_bb_params(&(*dml_ctx)->v21.dml_init, config, in_dc);
+ dml21_initialize_ip_params(&(*dml_ctx)->v21.dml_init, config, in_dc);
+@@ -97,6 +99,8 @@ static void dml21_init(const struct dc *
+
+ /*Initialize DML21 instance */
+ dml2_initialize_instance(&(*dml_ctx)->v21.dml_init);
++
++ DC_FP_END();
+ }
+
+ bool dml21_create(const struct dc *in_dc, struct dml2_context **dml_ctx, const struct dml2_configuration_options *config)
+--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c
++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c
+@@ -784,11 +784,15 @@ static void dml2_init(const struct dc *i
+ break;
+ }
+
++ DC_FP_START();
++
+ initialize_dml2_ip_params(*dml2, in_dc, &(*dml2)->v20.dml_core_ctx.ip);
+
+ initialize_dml2_soc_bbox(*dml2, in_dc, &(*dml2)->v20.dml_core_ctx.soc);
+
+ initialize_dml2_soc_states(*dml2, in_dc, &(*dml2)->v20.dml_core_ctx.soc, &(*dml2)->v20.dml_core_ctx.states);
++
++ DC_FP_END();
+ }
+
+ bool dml2_create(const struct dc *in_dc, const struct dml2_configuration_options *config, struct dml2_context **dml2)
--- /dev/null
+From 366e77cd4923c3aa45341e15dcaf3377af9b042f Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Thu, 27 Mar 2025 17:53:34 +0800
+Subject: drm/amd/display: Protect FPU in dml2_validate()/dml21_validate()
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit 366e77cd4923c3aa45341e15dcaf3377af9b042f upstream.
+
+Commit 7da55c27e76749b9 ("drm/amd/display: Remove incorrect FP context
+start") removes the FP context protection of dml2_create(), and it said
+"All the DC_FP_START/END should be used before call anything from DML2".
+
+However, dml2_validate()/dml21_validate() are not protected from their
+callers, causing such errors:
+
+ do_fpu invoked from kernel context![#1]:
+ CPU: 10 UID: 0 PID: 331 Comm: kworker/10:1H Not tainted 6.14.0-rc6+ #4
+ Workqueue: events_highpri dm_irq_work_func [amdgpu]
+ pc ffff800003191eb0 ra ffff800003191e60 tp 9000000107a94000 sp 9000000107a975b0
+ a0 9000000140ce4910 a1 0000000000000000 a2 9000000140ce49b0 a3 9000000140ce49a8
+ a4 9000000140ce49a8 a5 0000000100000000 a6 0000000000000001 a7 9000000107a97660
+ t0 ffff800003790000 t1 9000000140ce5000 t2 0000000000000001 t3 0000000000000000
+ t4 0000000000000004 t5 0000000000000000 t6 0000000000000000 t7 0000000000000000
+ t8 0000000100000000 u0 ffff8000031a3b9c s9 9000000130bc0000 s0 9000000132400000
+ s1 9000000140ec0000 s2 9000000132400000 s3 9000000140ce0000 s4 90000000057f8b88
+ s5 9000000140ec0000 s6 9000000140ce4910 s7 0000000000000001 s8 9000000130d45010
+ ra: ffff800003191e60 dml21_map_dc_state_into_dml_display_cfg+0x40/0x1140 [amdgpu]
+ ERA: ffff800003191eb0 dml21_map_dc_state_into_dml_display_cfg+0x90/0x1140 [amdgpu]
+ CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
+ PRMD: 00000004 (PPLV0 +PIE -PWE)
+ EUEN: 00000000 (-FPE -SXE -ASXE -BTE)
+ ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)
+ ESTAT: 000f0000 [FPD] (IS= ECode=15 EsubCode=0)
+ PRID: 0014d010 (Loongson-64bit, Loongson-3C6000/S)
+ Process kworker/10:1H (pid: 331, threadinfo=000000007bf9ddb0, task=00000000cc4ab9f3)
+ Stack : 0000000100000000 0000043800000780 0000000100000001 0000000100000001
+ 0000000000000000 0000078000000000 0000000000000438 0000078000000000
+ 0000000000000438 0000078000000000 0000000000000438 0000000100000000
+ 0000000100000000 0000000100000000 0000000100000000 0000000100000000
+ 0000000000000001 9000000140ec0000 9000000132400000 9000000132400000
+ ffff800003408000 ffff800003408000 9000000132400000 9000000140ce0000
+ 9000000140ce0000 ffff800003193850 0000000000000001 9000000140ec0000
+ 9000000132400000 9000000140ec0860 9000000140ec0738 0000000000000001
+ 90000001405e8000 9000000130bc0000 9000000140ec02a8 ffff8000031b5db8
+ 0000000000000000 0000043800000780 0000000000000003 ffff8000031b79cc
+ ...
+ Call Trace:
+ [<ffff800003191eb0>] dml21_map_dc_state_into_dml_display_cfg+0x90/0x1140 [amdgpu]
+ [<ffff80000319384c>] dml21_validate+0xcc/0x520 [amdgpu]
+ [<ffff8000031b8948>] dc_validate_global_state+0x2e8/0x460 [amdgpu]
+ [<ffff800002e94034>] create_validate_stream_for_sink+0x3d4/0x420 [amdgpu]
+ [<ffff800002e940e4>] amdgpu_dm_connector_mode_valid+0x64/0x240 [amdgpu]
+ [<900000000441d6b8>] drm_connector_mode_valid+0x38/0x80
+ [<900000000441d824>] __drm_helper_update_and_validate+0x124/0x3e0
+ [<900000000441ddc0>] drm_helper_probe_single_connector_modes+0x2e0/0x620
+ [<90000000044050dc>] drm_client_modeset_probe+0x23c/0x1780
+ [<9000000004420384>] __drm_fb_helper_initial_config_and_unlock+0x44/0x5a0
+ [<9000000004403acc>] drm_client_dev_hotplug+0xcc/0x140
+ [<ffff800002e9ab50>] handle_hpd_irq_helper+0x1b0/0x1e0 [amdgpu]
+ [<90000000038f5da0>] process_one_work+0x160/0x300
+ [<90000000038f6718>] worker_thread+0x318/0x440
+ [<9000000003901b8c>] kthread+0x12c/0x220
+ [<90000000038b1484>] ret_from_kernel_thread+0x8/0xa4
+
+Unfortunately, protecting dml2_validate()/dml21_validate() out of DML2
+causes "sleeping function called from invalid context", so protect them
+with DC_FP_START() and DC_FP_END() inside.
+
+Fixes: 7da55c27e767 ("drm/amd/display: Remove incorrect FP context start")
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Tested-by: Dongyan Qian <qiandongyan@loongson.cn>
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 9 +++++++--
+ drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 5 +++++
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c
++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c
+@@ -277,11 +277,16 @@ bool dml21_validate(const struct dc *in_
+ {
+ bool out = false;
+
++ DC_FP_START();
++
+ /* Use dml_validate_only for fast_validate path */
+- if (fast_validate) {
++ if (fast_validate)
+ out = dml21_check_mode_support(in_dc, context, dml_ctx);
+- } else
++ else
+ out = dml21_mode_check_and_programming(in_dc, context, dml_ctx);
++
++ DC_FP_END();
++
+ return out;
+ }
+
+--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c
++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c
+@@ -734,11 +734,16 @@ bool dml2_validate(const struct dc *in_d
+ return out;
+ }
+
++ DC_FP_START();
++
+ /* Use dml_validate_only for fast_validate path */
+ if (fast_validate)
+ out = dml2_validate_only(context);
+ else
+ out = dml2_validate_and_build_resource(in_dc, context);
++
++ DC_FP_END();
++
+ return out;
+ }
+
--- /dev/null
+From c0dd8a9253fadfb8e5357217d085f1989da4ef0a Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Mon, 7 Apr 2025 15:18:25 +0100
+Subject: drm/amdgpu/dma_buf: fix page_link check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit c0dd8a9253fadfb8e5357217d085f1989da4ef0a upstream.
+
+The page_link lower bits of the first sg could contain something like
+SG_END, if we are mapping a single VRAM page or contiguous blob which
+fits into one sg entry. Rather pull out the struct page, and use that in
+our check to know if we mapped struct pages vs VRAM.
+
+Fixes: f44ffd677fb3 ("drm/amdgpu: add support for exporting VRAM using DMA-buf v3")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: amd-gfx@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v5.8+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c
+@@ -181,7 +181,7 @@ static void amdgpu_dma_buf_unmap(struct
+ struct sg_table *sgt,
+ enum dma_data_direction dir)
+ {
+- if (sgt->sgl->page_link) {
++ if (sg_page(sgt->sgl)) {
+ dma_unmap_sgtable(attach->dev, sgt, dir, 0);
+ sg_free_table(sgt);
+ kfree(sgt);
--- /dev/null
+From e7afa85a0d0eba5bf2c0a446ff622ebdbc9812d6 Mon Sep 17 00:00:00 2001
+From: ZhenGuo Yin <zhenguo.yin@amd.com>
+Date: Tue, 8 Apr 2025 16:18:28 +0800
+Subject: drm/amdgpu: fix warning of drm_mm_clean
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: ZhenGuo Yin <zhenguo.yin@amd.com>
+
+commit e7afa85a0d0eba5bf2c0a446ff622ebdbc9812d6 upstream.
+
+Kernel doorbell BOs needs to be freed before ttm_fini.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4145
+Fixes: 54c30d2a8def ("drm/amdgpu: create kernel doorbell pages")
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: ZhenGuo Yin <zhenguo.yin@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 39938a8ed979e398faa3791a47e282c82bcc6f04)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -3322,6 +3322,7 @@ static int amdgpu_device_ip_fini(struct
+ amdgpu_device_mem_scratch_fini(adev);
+ amdgpu_ib_pool_fini(adev);
+ amdgpu_seq64_fini(adev);
++ amdgpu_doorbell_fini(adev);
+ }
+
+ r = adev->ip_blocks[i].version->funcs->sw_fini((void *)adev);
+@@ -4670,7 +4671,6 @@ void amdgpu_device_fini_sw(struct amdgpu
+
+ iounmap(adev->rmmio);
+ adev->rmmio = NULL;
+- amdgpu_doorbell_fini(adev);
+ drm_dev_exit(idx);
+ }
+
--- /dev/null
+From a755906fb2b8370c43e91ba437ae1b3e228e8b02 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Thu, 20 Mar 2025 14:46:18 +0100
+Subject: drm/amdgpu: immediately use GTT for new allocations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+commit a755906fb2b8370c43e91ba437ae1b3e228e8b02 upstream.
+
+Only use GTT as a fallback if we already have a backing store. This
+prevents evictions when an application constantly allocates and frees new
+memory.
+
+Partially fixes
+https://gitlab.freedesktop.org/drm/amd/-/issues/3844#note_2833985.
+
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Fixes: 216c1282dde3 ("drm/amdgpu: use GTT only as fallback for VRAM|GTT")
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+@@ -161,8 +161,8 @@ void amdgpu_bo_placement_from_domain(str
+ * When GTT is just an alternative to VRAM make sure that we
+ * only use it as fallback and still try to fill up VRAM first.
+ */
+- if (domain & abo->preferred_domains & AMDGPU_GEM_DOMAIN_VRAM &&
+- !(adev->flags & AMD_IS_APU))
++ if (abo->tbo.resource && !(adev->flags & AMD_IS_APU) &&
++ domain & abo->preferred_domains & AMDGPU_GEM_DOMAIN_VRAM)
+ places[c].flags |= TTM_PL_FLAG_FALLBACK;
+ c++;
+ }
--- /dev/null
+From b71a2bb0ce07f40f92f59ed7f283068e41b10075 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 27 Mar 2025 17:33:49 -0400
+Subject: drm/amdgpu/mes11: optimize MES pipe FW version fetching
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit b71a2bb0ce07f40f92f59ed7f283068e41b10075 upstream.
+
+Don't fetch it again if we already have it. It seems the
+registers don't reliably have the value at resume in some
+cases.
+
+Fixes: 028c3fb37e70 ("drm/amdgpu/mes11: initiate mes v11 support")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4083
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
+@@ -859,6 +859,10 @@ static void mes_v11_0_get_fw_version(str
+ {
+ int pipe;
+
++ /* return early if we have already fetched these */
++ if (adev->mes.sched_version && adev->mes.kiq_version)
++ return;
++
+ /* get MES scheduler/KIQ versions */
+ mutex_lock(&adev->srbm_mutex);
+
--- /dev/null
+From 2e43ae7dd71cd9bb0d1bce1d3306bf77523feb81 Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Thu, 27 Mar 2025 14:47:39 +0200
+Subject: drm/i915/gvt: fix unterminated-string-initialization warning
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit 2e43ae7dd71cd9bb0d1bce1d3306bf77523feb81 upstream.
+
+Initializing const char opregion_signature[16] = OPREGION_SIGNATURE
+(which is "IntelGraphicsMem") drops the NUL termination of the
+string. This is intentional, but the compiler doesn't know this.
+
+Switch to initializing header->signature directly from the string
+litaral, with sizeof destination rather than source. We don't treat the
+signature as a string other than for initialization; it's really just a
+blob of binary data.
+
+Add a static assert for good measure to cross-check the sizes.
+
+Reported-by: Kees Cook <kees@kernel.org>
+Closes: https://lore.kernel.org/r/20250310222355.work.417-kees@kernel.org
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13934
+Tested-by: Nicolas Chauvet <kwizart@gmail.com>
+Tested-by: Damian Tometzki <damian@riscv-rocks.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Zhenyu Wang <zhenyuw.linux@gmail.com>
+Link: https://lore.kernel.org/r/20250327124739.2609656-1-jani.nikula@intel.com
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit 4f8207469094bd04aad952258ceb9ff4c77b6bfa)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gvt/opregion.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gvt/opregion.c
++++ b/drivers/gpu/drm/i915/gvt/opregion.c
+@@ -222,7 +222,6 @@ int intel_vgpu_init_opregion(struct inte
+ u8 *buf;
+ struct opregion_header *header;
+ struct vbt v;
+- const char opregion_signature[16] = OPREGION_SIGNATURE;
+
+ gvt_dbg_core("init vgpu%d opregion\n", vgpu->id);
+ vgpu_opregion(vgpu)->va = (void *)__get_free_pages(GFP_KERNEL |
+@@ -236,8 +235,10 @@ int intel_vgpu_init_opregion(struct inte
+ /* emulated opregion with VBT mailbox only */
+ buf = (u8 *)vgpu_opregion(vgpu)->va;
+ header = (struct opregion_header *)buf;
+- memcpy(header->signature, opregion_signature,
+- sizeof(opregion_signature));
++
++ static_assert(sizeof(header->signature) == sizeof(OPREGION_SIGNATURE) - 1);
++ memcpy(header->signature, OPREGION_SIGNATURE, sizeof(header->signature));
++
+ header->size = 0x8;
+ header->opregion_ver = 0x02000000;
+ header->mboxes = MBOX_VBT;
--- /dev/null
+From a5b230e7f3a55bd8bd8d012eec75a4b7baa671d5 Mon Sep 17 00:00:00 2001
+From: Brendan King <Brendan.King@imgtec.com>
+Date: Tue, 18 Mar 2025 14:55:55 +0000
+Subject: drm/imagination: fix firmware memory leaks
+
+From: Brendan King <Brendan.King@imgtec.com>
+
+commit a5b230e7f3a55bd8bd8d012eec75a4b7baa671d5 upstream.
+
+Free the memory used to hold the results of firmware image processing
+when the module is unloaded.
+
+Fix the related issue of the same memory being leaked if processing
+of the firmware image fails during module load.
+
+Ensure all firmware GEM objects are destroyed if firmware image
+processing fails.
+
+Fixes memory leaks on powervr module unload detected by Kmemleak:
+
+unreferenced object 0xffff000042e20000 (size 94208):
+ comm "modprobe", pid 470, jiffies 4295277154
+ hex dump (first 32 bytes):
+ 02 ae 7f ed bf 45 84 00 3c 5b 1f ed 9f 45 45 05 .....E..<[...EE.
+ d5 4f 5d 14 6c 00 3d 23 30 d0 3a 4a 66 0e 48 c8 .O].l.=#0.:Jf.H.
+ backtrace (crc dd329dec):
+ kmemleak_alloc+0x30/0x40
+ ___kmalloc_large_node+0x140/0x188
+ __kmalloc_large_node_noprof+0x2c/0x13c
+ __kmalloc_noprof+0x48/0x4c0
+ pvr_fw_init+0xaa4/0x1f50 [powervr]
+
+unreferenced object 0xffff000042d20000 (size 20480):
+ comm "modprobe", pid 470, jiffies 4295277154
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 09 00 00 00 0b 00 00 00 ................
+ 00 00 00 00 00 00 00 00 07 00 00 00 08 00 00 00 ................
+ backtrace (crc 395b02e3):
+ kmemleak_alloc+0x30/0x40
+ ___kmalloc_large_node+0x140/0x188
+ __kmalloc_large_node_noprof+0x2c/0x13c
+ __kmalloc_noprof+0x48/0x4c0
+ pvr_fw_init+0xb0c/0x1f50 [powervr]
+
+Cc: stable@vger.kernel.org
+Fixes: cc1aeedb98ad ("drm/imagination: Implement firmware infrastructure and META FW support")
+Signed-off-by: Brendan King <brendan.king@imgtec.com>
+Reviewed-by: Matt Coster <matt.coster@imgtec.com>
+Link: https://lore.kernel.org/r/20250318-ddkopsrc-1339-firmware-related-memory-leak-on-module-unload-v1-1-155337c57bb4@imgtec.com
+Signed-off-by: Matt Coster <matt.coster@imgtec.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/imagination/pvr_fw.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/imagination/pvr_fw.c
++++ b/drivers/gpu/drm/imagination/pvr_fw.c
+@@ -732,7 +732,7 @@ pvr_fw_process(struct pvr_device *pvr_de
+ fw_mem->core_data, fw_mem->core_code_alloc_size);
+
+ if (err)
+- goto err_free_fw_core_data_obj;
++ goto err_free_kdata;
+
+ memcpy(fw_code_ptr, fw_mem->code, fw_mem->code_alloc_size);
+ memcpy(fw_data_ptr, fw_mem->data, fw_mem->data_alloc_size);
+@@ -742,10 +742,14 @@ pvr_fw_process(struct pvr_device *pvr_de
+ memcpy(fw_core_data_ptr, fw_mem->core_data, fw_mem->core_data_alloc_size);
+
+ /* We're finished with the firmware section memory on the CPU, unmap. */
+- if (fw_core_data_ptr)
++ if (fw_core_data_ptr) {
+ pvr_fw_object_vunmap(fw_mem->core_data_obj);
+- if (fw_core_code_ptr)
++ fw_core_data_ptr = NULL;
++ }
++ if (fw_core_code_ptr) {
+ pvr_fw_object_vunmap(fw_mem->core_code_obj);
++ fw_core_code_ptr = NULL;
++ }
+ pvr_fw_object_vunmap(fw_mem->data_obj);
+ fw_data_ptr = NULL;
+ pvr_fw_object_vunmap(fw_mem->code_obj);
+@@ -753,7 +757,7 @@ pvr_fw_process(struct pvr_device *pvr_de
+
+ err = pvr_fw_create_fwif_connection_ctl(pvr_dev);
+ if (err)
+- goto err_free_fw_core_data_obj;
++ goto err_free_kdata;
+
+ return 0;
+
+@@ -763,13 +767,16 @@ err_free_kdata:
+ kfree(fw_mem->data);
+ kfree(fw_mem->code);
+
+-err_free_fw_core_data_obj:
+ if (fw_core_data_ptr)
+- pvr_fw_object_unmap_and_destroy(fw_mem->core_data_obj);
++ pvr_fw_object_vunmap(fw_mem->core_data_obj);
++ if (fw_mem->core_data_obj)
++ pvr_fw_object_destroy(fw_mem->core_data_obj);
+
+ err_free_fw_core_code_obj:
+ if (fw_core_code_ptr)
+- pvr_fw_object_unmap_and_destroy(fw_mem->core_code_obj);
++ pvr_fw_object_vunmap(fw_mem->core_code_obj);
++ if (fw_mem->core_code_obj)
++ pvr_fw_object_destroy(fw_mem->core_code_obj);
+
+ err_free_fw_data_obj:
+ if (fw_data_ptr)
+@@ -836,6 +843,12 @@ pvr_fw_cleanup(struct pvr_device *pvr_de
+ struct pvr_fw_mem *fw_mem = &pvr_dev->fw_dev.mem;
+
+ pvr_fw_fini_fwif_connection_ctl(pvr_dev);
++
++ kfree(fw_mem->core_data);
++ kfree(fw_mem->core_code);
++ kfree(fw_mem->data);
++ kfree(fw_mem->code);
++
+ if (fw_mem->core_code_obj)
+ pvr_fw_object_destroy(fw_mem->core_code_obj);
+ if (fw_mem->core_data_obj)
--- /dev/null
+From 4ba2abe154ef68f9612eee9d6fbfe53a1736b064 Mon Sep 17 00:00:00 2001
+From: Brendan King <Brendan.King@imgtec.com>
+Date: Tue, 18 Mar 2025 14:53:13 +0000
+Subject: drm/imagination: take paired job reference
+
+From: Brendan King <Brendan.King@imgtec.com>
+
+commit 4ba2abe154ef68f9612eee9d6fbfe53a1736b064 upstream.
+
+For paired jobs, have the fragment job take a reference on the
+geometry job, so that the geometry job cannot be freed until
+the fragment job has finished with it.
+
+The geometry job structure is accessed when the fragment job is being
+prepared by the GPU scheduler. Taking the reference prevents the
+geometry job being freed until the fragment job no longer requires it.
+
+Fixes a use after free bug detected by KASAN:
+
+[ 124.256386] BUG: KASAN: slab-use-after-free in pvr_queue_prepare_job+0x108/0x868 [powervr]
+[ 124.264893] Read of size 1 at addr ffff0000084cb960 by task kworker/u16:4/63
+
+Cc: stable@vger.kernel.org
+Fixes: eaf01ee5ba28 ("drm/imagination: Implement job submission and scheduling")
+Signed-off-by: Brendan King <brendan.king@imgtec.com>
+Reviewed-by: Matt Coster <matt.coster@imgtec.com>
+Link: https://lore.kernel.org/r/20250318-ddkopsrc-1337-use-after-free-in-pvr_queue_prepare_job-v1-1-80fb30d044a6@imgtec.com
+Signed-off-by: Matt Coster <matt.coster@imgtec.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/imagination/pvr_job.c | 7 +++++++
+ drivers/gpu/drm/imagination/pvr_queue.c | 4 ++++
+ 2 files changed, 11 insertions(+)
+
+--- a/drivers/gpu/drm/imagination/pvr_job.c
++++ b/drivers/gpu/drm/imagination/pvr_job.c
+@@ -684,6 +684,13 @@ pvr_jobs_link_geom_frag(struct pvr_job_d
+ geom_job->paired_job = frag_job;
+ frag_job->paired_job = geom_job;
+
++ /* The geometry job pvr_job structure is used when the fragment
++ * job is being prepared by the GPU scheduler. Have the fragment
++ * job hold a reference on the geometry job to prevent it being
++ * freed until the fragment job has finished with it.
++ */
++ pvr_job_get(geom_job);
++
+ /* Skip the fragment job we just paired to the geometry job. */
+ i++;
+ }
+--- a/drivers/gpu/drm/imagination/pvr_queue.c
++++ b/drivers/gpu/drm/imagination/pvr_queue.c
+@@ -866,6 +866,10 @@ static void pvr_queue_free_job(struct dr
+ struct pvr_job *job = container_of(sched_job, struct pvr_job, base);
+
+ drm_sched_job_cleanup(sched_job);
++
++ if (job->type == DRM_PVR_JOB_TYPE_FRAGMENT && job->paired_job)
++ pvr_job_put(job->paired_job);
++
+ job->paired_job = NULL;
+ pvr_job_put(job);
+ }
--- /dev/null
+From 76c332d119f9048c6e16b52359f401510f18b2ff Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Wed, 16 Apr 2025 10:38:05 +0200
+Subject: drm/mgag200: Fix value in <VBLKSTR> register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 76c332d119f9048c6e16b52359f401510f18b2ff upstream.
+
+Fix an off-by-one error when setting the vblanking start in
+<VBLKSTR>. Commit d6460bd52c27 ("drm/mgag200: Add dedicated
+variables for blanking fields") switched the value from
+crtc_vdisplay to crtc_vblank_start, which DRM helpers copy
+from the former. The commit missed to subtract one though.
+
+Reported-by: Wakko Warner <wakko@animx.eu.org>
+Closes: https://lore.kernel.org/dri-devel/CAMwc25rKPKooaSp85zDq2eh-9q4UPZD=RqSDBRp1fAagDnmRmA@mail.gmail.com/
+Reported-by: Сергей <afmerlord@gmail.com>
+Closes: https://lore.kernel.org/all/5b193b75-40b1-4342-a16a-ae9fc62f245a@gmail.com/
+Closes: https://bbs.archlinux.org/viewtopic.php?id=303819
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: d6460bd52c27 ("drm/mgag200: Add dedicated variables for blanking fields")
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v6.12+
+Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
+Tested-by: Wakko Warner <wakko@animx.eu.org>
+Link: https://lore.kernel.org/r/20250416083847.51764-1-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/mgag200/mgag200_mode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
++++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
+@@ -223,7 +223,7 @@ void mgag200_set_mode_regs(struct mga_de
+ vsyncstr = mode->crtc_vsync_start - 1;
+ vsyncend = mode->crtc_vsync_end - 1;
+ vtotal = mode->crtc_vtotal - 2;
+- vblkstr = mode->crtc_vblank_start;
++ vblkstr = mode->crtc_vblank_start - 1;
+ vblkend = vtotal + 1;
+
+ linecomp = vdispend;
--- /dev/null
+From 8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3 Mon Sep 17 00:00:00 2001
+From: Chris Bainbridge <chris.bainbridge@gmail.com>
+Date: Wed, 26 Mar 2025 12:52:10 +0000
+Subject: drm/nouveau: prime: fix ttm_bo_delayed_delete oops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chris Bainbridge <chris.bainbridge@gmail.com>
+
+commit 8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3 upstream.
+
+Fix an oops in ttm_bo_delayed_delete which results from dererencing a
+dangling pointer:
+
+Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP
+CPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216
+Hardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024
+Workqueue: ttm ttm_bo_delayed_delete [ttm]
+RIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290
+Code: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 <41> 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b
+RSP: 0018:ffffbf9383473d60 EFLAGS: 00010202
+RAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b
+R13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc
+FS: 0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ ? __die_body.cold+0x19/0x26
+ ? die_addr+0x3d/0x70
+ ? exc_general_protection+0x159/0x460
+ ? asm_exc_general_protection+0x27/0x30
+ ? dma_resv_iter_first_unlocked+0x55/0x290
+ dma_resv_wait_timeout+0x56/0x100
+ ttm_bo_delayed_delete+0x69/0xb0 [ttm]
+ process_one_work+0x217/0x5c0
+ worker_thread+0x1c8/0x3d0
+ ? apply_wqattrs_cleanup.part.0+0xc0/0xc0
+ kthread+0x10b/0x240
+ ? kthreads_online_cpu+0x140/0x140
+ ret_from_fork+0x40/0x70
+ ? kthreads_online_cpu+0x140/0x140
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+The cause of this is:
+
+- drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the
+ reference to the shared dma_buf. The reference count is 0, so the
+ dma_buf is destroyed, which in turn decrements the corresponding
+ amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed -
+ calling drm_gem_object_release then dma_resv_fini (which destroys the
+ reservation object), then finally freeing the amdgpu_bo.
+
+- nouveau_bo obj->bo.base.resv is now a dangling pointer to the memory
+ formerly allocated to the amdgpu_bo.
+
+- nouveau_gem_object_del calls ttm_bo_put(&nvbo->bo) which calls
+ ttm_bo_release, which schedules ttm_bo_delayed_delete.
+
+- ttm_bo_delayed_delete runs and dereferences the dangling resv pointer,
+ resulting in a general protection fault.
+
+Fix this by moving the drm_prime_gem_destroy call from
+nouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will
+be run after ttm_bo_delayed_delete.
+
+Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
+Suggested-by: Christian König <christian.koenig@amd.com>
+Fixes: 22b33e8ed0e3 ("nouveau: add PRIME support")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3937
+Cc: Stable@vger.kernel.org
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/Z-P4epVK8k7tFZ7C@debian.local
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_bo.c | 3 +++
+ drivers/gpu/drm/nouveau/nouveau_gem.c | 3 ---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_bo.c
++++ b/drivers/gpu/drm/nouveau/nouveau_bo.c
+@@ -144,6 +144,9 @@ nouveau_bo_del_ttm(struct ttm_buffer_obj
+ nouveau_bo_del_io_reserve_lru(bo);
+ nv10_bo_put_tile_region(dev, nvbo->tile, NULL);
+
++ if (bo->base.import_attach)
++ drm_prime_gem_destroy(&bo->base, bo->sg);
++
+ /*
+ * If nouveau_bo_new() allocated this buffer, the GEM object was never
+ * initialized, so don't attempt to release it.
+--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
+@@ -87,9 +87,6 @@ nouveau_gem_object_del(struct drm_gem_ob
+ return;
+ }
+
+- if (gem->import_attach)
+- drm_prime_gem_destroy(gem, nvbo->bo.sg);
+-
+ ttm_bo_put(&nvbo->bo);
+
+ pm_runtime_mark_last_busy(dev);
--- /dev/null
+From 7fb6afa9125fc111478615e24231943c4f76cc2e Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer <eb@emlix.com>
+Date: Wed, 15 Jan 2025 09:58:59 +0100
+Subject: drm/sti: remove duplicate object names
+
+From: Rolf Eike Beer <eb@emlix.com>
+
+commit 7fb6afa9125fc111478615e24231943c4f76cc2e upstream.
+
+When merging 2 drivers common object files were not deduplicated.
+
+Fixes: dcec16efd677 ("drm/sti: Build monolithic driver")
+Cc: stable@kernel.org
+Signed-off-by: Rolf Eike Beer <eb@emlix.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/1920148.tdWV9SEqCh@devpool47.emlix.com
+Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/sti/Makefile | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/gpu/drm/sti/Makefile
++++ b/drivers/gpu/drm/sti/Makefile
+@@ -7,8 +7,6 @@ sti-drm-y := \
+ sti_compositor.o \
+ sti_crtc.o \
+ sti_plane.o \
+- sti_crtc.o \
+- sti_plane.o \
+ sti_hdmi.o \
+ sti_hdmi_tx3g4c28phy.o \
+ sti_dvo.o \
--- /dev/null
+From 25583ad42d091819157832e894179200ba8b54ee Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Thu, 10 Apr 2025 17:27:17 +0100
+Subject: drm/xe/dma_buf: stop relying on placement in unmap
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit 25583ad42d091819157832e894179200ba8b54ee upstream.
+
+The is_vram() is checking the current placement, however if we consider
+exported VRAM with dynamic dma-buf, it looks possible for the xe driver
+to async evict the memory, notifying the importer, however importer does
+not have to call unmap_attachment() immediately, but rather just as
+"soon as possible", like when the dma-resv idles. Following from this we
+would then pipeline the move, attaching the fence to the manager, and
+then update the current placement. But when the unmap_attachment() runs
+at some later point we might see that is_vram() is now false, and take
+the complete wrong path when dma-unmapping the sg, leading to
+explosions.
+
+To fix this check if the sgl was mapping a struct page.
+
+v2:
+ - The attachment can be mapped multiple times it seems, so we can't
+ really rely on encoding something in the attachment->priv. Instead
+ see if the page_link has an encoded struct page. For vram we expect
+ this to be NULL.
+
+Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4563
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: <stable@vger.kernel.org> # v6.8+
+Acked-by: Christian König <christian.koenig@amd.com>
+Link: https://lore.kernel.org/r/20250410162716.159403-2-matthew.auld@intel.com
+(cherry picked from commit d755887f8e5a2a18e15e6632a5193e5feea18499)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_dma_buf.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_dma_buf.c
++++ b/drivers/gpu/drm/xe/xe_dma_buf.c
+@@ -145,10 +145,7 @@ static void xe_dma_buf_unmap(struct dma_
+ struct sg_table *sgt,
+ enum dma_data_direction dir)
+ {
+- struct dma_buf *dma_buf = attach->dmabuf;
+- struct xe_bo *bo = gem_to_xe_bo(dma_buf->priv);
+-
+- if (!xe_bo_is_vram(bo)) {
++ if (sg_page(sgt->sgl)) {
+ dma_unmap_sgtable(attach->dev, sgt, dir, 0);
+ sg_free_table(sgt);
+ kfree(sgt);
--- /dev/null
+From 7bcfeddb36b77f9fe3b010bb0b282b7618420bba Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?= <thomas.hellstrom@linux.intel.com>
+Date: Wed, 26 Mar 2025 16:16:34 +0100
+Subject: drm/xe: Fix an out-of-bounds shift when invalidating TLB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+
+commit 7bcfeddb36b77f9fe3b010bb0b282b7618420bba upstream.
+
+When the size of the range invalidated is larger than
+rounddown_pow_of_two(ULONG_MAX),
+The function macro roundup_pow_of_two(length) will hit an out-of-bounds
+shift [1].
+
+Use a full TLB invalidation for such cases.
+v2:
+- Use a define for the range size limit over which we use a full
+ TLB invalidation. (Lucas)
+- Use a better calculation of the limit.
+
+[1]:
+[ 39.202421] ------------[ cut here ]------------
+[ 39.202657] UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
+[ 39.202673] shift exponent 64 is too large for 64-bit type 'long unsigned int'
+[ 39.202688] CPU: 8 UID: 0 PID: 3129 Comm: xe_exec_system_ Tainted: G U 6.14.0+ #10
+[ 39.202690] Tainted: [U]=USER
+[ 39.202690] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023
+[ 39.202691] Call Trace:
+[ 39.202692] <TASK>
+[ 39.202695] dump_stack_lvl+0x6e/0xa0
+[ 39.202699] ubsan_epilogue+0x5/0x30
+[ 39.202701] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xe6
+[ 39.202705] xe_gt_tlb_invalidation_range.cold+0x1d/0x3a [xe]
+[ 39.202800] ? find_held_lock+0x2b/0x80
+[ 39.202803] ? mark_held_locks+0x40/0x70
+[ 39.202806] xe_svm_invalidate+0x459/0x700 [xe]
+[ 39.202897] drm_gpusvm_notifier_invalidate+0x4d/0x70 [drm_gpusvm]
+[ 39.202900] __mmu_notifier_release+0x1f5/0x270
+[ 39.202905] exit_mmap+0x40e/0x450
+[ 39.202912] __mmput+0x45/0x110
+[ 39.202914] exit_mm+0xc5/0x130
+[ 39.202916] do_exit+0x21c/0x500
+[ 39.202918] ? lockdep_hardirqs_on_prepare+0xdb/0x190
+[ 39.202920] do_group_exit+0x36/0xa0
+[ 39.202922] get_signal+0x8f8/0x900
+[ 39.202926] arch_do_signal_or_restart+0x35/0x100
+[ 39.202930] syscall_exit_to_user_mode+0x1fc/0x290
+[ 39.202932] do_syscall_64+0xa1/0x180
+[ 39.202934] ? do_user_addr_fault+0x59f/0x8a0
+[ 39.202937] ? lock_release+0xd2/0x2a0
+[ 39.202939] ? do_user_addr_fault+0x5a9/0x8a0
+[ 39.202942] ? trace_hardirqs_off+0x4b/0xc0
+[ 39.202944] ? clear_bhb_loop+0x25/0x80
+[ 39.202946] ? clear_bhb_loop+0x25/0x80
+[ 39.202947] ? clear_bhb_loop+0x25/0x80
+[ 39.202950] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 39.202952] RIP: 0033:0x7fa945e543e1
+[ 39.202961] Code: Unable to access opcode bytes at 0x7fa945e543b7.
+[ 39.202962] RSP: 002b:00007ffca8fb4170 EFLAGS: 00000293
+[ 39.202963] RAX: 000000000000003d RBX: 0000000000000000 RCX: 00007fa945e543e3
+[ 39.202964] RDX: 0000000000000000 RSI: 00007ffca8fb41ac RDI: 00000000ffffffff
+[ 39.202964] RBP: 00007ffca8fb4190 R08: 0000000000000000 R09: 00007fa945f600a0
+[ 39.202965] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
+[ 39.202966] R13: 00007fa9460dd310 R14: 00007ffca8fb41ac R15: 0000000000000000
+[ 39.202970] </TASK>
+[ 39.202970] ---[ end trace ]---
+
+Fixes: 332dd0116c82 ("drm/xe: Add range based TLB invalidations")
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: <stable@vger.kernel.org> # v6.8+
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com> #v1
+Link: https://lore.kernel.org/r/20250326151634.36916-1-thomas.hellstrom@linux.intel.com
+(cherry picked from commit b88f48f86500bc0b44b4f73ac66d500a40d320ad)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c
++++ b/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c
+@@ -310,6 +310,13 @@ int xe_gt_tlb_invalidation_ggtt(struct x
+ return 0;
+ }
+
++/*
++ * Ensure that roundup_pow_of_two(length) doesn't overflow.
++ * Note that roundup_pow_of_two() operates on unsigned long,
++ * not on u64.
++ */
++#define MAX_RANGE_TLB_INVALIDATION_LENGTH (rounddown_pow_of_two(ULONG_MAX))
++
+ /**
+ * xe_gt_tlb_invalidation_range - Issue a TLB invalidation on this GT for an
+ * address range
+@@ -334,6 +341,7 @@ int xe_gt_tlb_invalidation_range(struct
+ struct xe_device *xe = gt_to_xe(gt);
+ #define MAX_TLB_INVALIDATION_LEN 7
+ u32 action[MAX_TLB_INVALIDATION_LEN];
++ u64 length = end - start;
+ int len = 0;
+
+ xe_gt_assert(gt, fence);
+@@ -346,11 +354,11 @@ int xe_gt_tlb_invalidation_range(struct
+
+ action[len++] = XE_GUC_ACTION_TLB_INVALIDATION;
+ action[len++] = 0; /* seqno, replaced in send_tlb_invalidation */
+- if (!xe->info.has_range_tlb_invalidation) {
++ if (!xe->info.has_range_tlb_invalidation ||
++ length > MAX_RANGE_TLB_INVALIDATION_LENGTH) {
+ action[len++] = MAKE_INVAL_OP(XE_GUC_TLB_INVAL_FULL);
+ } else {
+ u64 orig_start = start;
+- u64 length = end - start;
+ u64 align;
+
+ if (length < SZ_4K)
--- /dev/null
+From 6405f5b70b1c240ffddef01c7a140498f47d4fe7 Mon Sep 17 00:00:00 2001
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+Date: Wed, 9 Apr 2025 21:59:34 -0700
+Subject: drm/xe: Set LRC addresses before guc load
+
+From: Lucas De Marchi <lucas.demarchi@intel.com>
+
+commit 6405f5b70b1c240ffddef01c7a140498f47d4fe7 upstream.
+
+The metadata saved in the ADS is read by GuC when it's initialized.
+Saving the addresses to the LRCs when they are populated is too late as
+GuC will keep using the old ones.
+
+This was causing GuC to use the RCS LRC for any engine class. It's not a
+big problem on a Linux-only scenario since the they are used by GuC only
+on media engines when the watchdog is triggered. However, in a
+virtualization scenario with Windows as the VF, it causes the wrong LRCs
+to be loaded as the watchdog is used for all engines.
+
+Fix it by letting guc_golden_lrc_init() initialize the metadata, like
+other *_init() functions, and later guc_golden_lrc_populate() to copy
+the LRCs to the right places. The former is called before the second GuC
+load, while the latter is called after LRCs have been recorded.
+
+Cc: Chee Yin Wong <chee.yin.wong@intel.com>
+Cc: John Harrison <john.c.harrison@intel.com>
+Cc: Matt Roper <matthew.d.roper@intel.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Cc: <stable@vger.kernel.org> # v6.11+
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Tested-by: Chee Yin Wong <chee.yin.wong@intel.com>
+Link: https://lore.kernel.org/r/20250409-fix-guc-ads-v1-1-494135f7a5d0@intel.com
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+(cherry picked from commit c31a0b6402d15b530514eee9925adfcb8cfbb1c9)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_guc_ads.c | 75 ++++++++++++++++++++++++----------------
+ 1 file changed, 45 insertions(+), 30 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_guc_ads.c
++++ b/drivers/gpu/drm/xe/xe_guc_ads.c
+@@ -483,24 +483,52 @@ static void fill_engine_enable_masks(str
+ engine_enable_mask(gt, XE_ENGINE_CLASS_OTHER));
+ }
+
+-static void guc_prep_golden_lrc_null(struct xe_guc_ads *ads)
++/*
++ * Write the offsets corresponding to the golden LRCs. The actual data is
++ * populated later by guc_golden_lrc_populate()
++ */
++static void guc_golden_lrc_init(struct xe_guc_ads *ads)
+ {
+ struct xe_device *xe = ads_to_xe(ads);
++ struct xe_gt *gt = ads_to_gt(ads);
+ struct iosys_map info_map = IOSYS_MAP_INIT_OFFSET(ads_to_map(ads),
+ offsetof(struct __guc_ads_blob, system_info));
+- u8 guc_class;
++ size_t alloc_size, real_size;
++ u32 addr_ggtt, offset;
++ int class;
++
++ offset = guc_ads_golden_lrc_offset(ads);
++ addr_ggtt = xe_bo_ggtt_addr(ads->bo) + offset;
++
++ for (class = 0; class < XE_ENGINE_CLASS_MAX; ++class) {
++ u8 guc_class;
++
++ guc_class = xe_engine_class_to_guc_class(class);
+
+- for (guc_class = 0; guc_class <= GUC_MAX_ENGINE_CLASSES; ++guc_class) {
+ if (!info_map_read(xe, &info_map,
+ engine_enabled_masks[guc_class]))
+ continue;
+
++ real_size = xe_gt_lrc_size(gt, class);
++ alloc_size = PAGE_ALIGN(real_size);
++
++ /*
++ * This interface is slightly confusing. We need to pass the
++ * base address of the full golden context and the size of just
++ * the engine state, which is the section of the context image
++ * that starts after the execlists LRC registers. This is
++ * required to allow the GuC to restore just the engine state
++ * when a watchdog reset occurs.
++ * We calculate the engine state size by removing the size of
++ * what comes before it in the context image (which is identical
++ * on all engines).
++ */
+ ads_blob_write(ads, ads.eng_state_size[guc_class],
+- guc_ads_golden_lrc_size(ads) -
+- xe_lrc_skip_size(xe));
++ real_size - xe_lrc_skip_size(xe));
+ ads_blob_write(ads, ads.golden_context_lrca[guc_class],
+- xe_bo_ggtt_addr(ads->bo) +
+- guc_ads_golden_lrc_offset(ads));
++ addr_ggtt);
++
++ addr_ggtt += alloc_size;
+ }
+ }
+
+@@ -710,7 +738,7 @@ void xe_guc_ads_populate_minimal(struct
+
+ xe_map_memset(ads_to_xe(ads), ads_to_map(ads), 0, 0, ads->bo->size);
+ guc_policies_init(ads);
+- guc_prep_golden_lrc_null(ads);
++ guc_golden_lrc_init(ads);
+ guc_mapping_table_init_invalid(gt, &info_map);
+ guc_doorbell_init(ads);
+
+@@ -736,7 +764,7 @@ void xe_guc_ads_populate(struct xe_guc_a
+ guc_policies_init(ads);
+ fill_engine_enable_masks(gt, &info_map);
+ guc_mmio_reg_state_init(ads);
+- guc_prep_golden_lrc_null(ads);
++ guc_golden_lrc_init(ads);
+ guc_mapping_table_init(gt, &info_map);
+ guc_capture_list_init(ads);
+ guc_doorbell_init(ads);
+@@ -756,18 +784,22 @@ void xe_guc_ads_populate(struct xe_guc_a
+ guc_ads_private_data_offset(ads));
+ }
+
+-static void guc_populate_golden_lrc(struct xe_guc_ads *ads)
++/*
++ * After the golden LRC's are recorded for each engine class by the first
++ * submission, copy them to the ADS, as initialized earlier by
++ * guc_golden_lrc_init().
++ */
++static void guc_golden_lrc_populate(struct xe_guc_ads *ads)
+ {
+ struct xe_device *xe = ads_to_xe(ads);
+ struct xe_gt *gt = ads_to_gt(ads);
+ struct iosys_map info_map = IOSYS_MAP_INIT_OFFSET(ads_to_map(ads),
+ offsetof(struct __guc_ads_blob, system_info));
+ size_t total_size = 0, alloc_size, real_size;
+- u32 addr_ggtt, offset;
++ u32 offset;
+ int class;
+
+ offset = guc_ads_golden_lrc_offset(ads);
+- addr_ggtt = xe_bo_ggtt_addr(ads->bo) + offset;
+
+ for (class = 0; class < XE_ENGINE_CLASS_MAX; ++class) {
+ u8 guc_class;
+@@ -784,26 +816,9 @@ static void guc_populate_golden_lrc(stru
+ alloc_size = PAGE_ALIGN(real_size);
+ total_size += alloc_size;
+
+- /*
+- * This interface is slightly confusing. We need to pass the
+- * base address of the full golden context and the size of just
+- * the engine state, which is the section of the context image
+- * that starts after the execlists LRC registers. This is
+- * required to allow the GuC to restore just the engine state
+- * when a watchdog reset occurs.
+- * We calculate the engine state size by removing the size of
+- * what comes before it in the context image (which is identical
+- * on all engines).
+- */
+- ads_blob_write(ads, ads.eng_state_size[guc_class],
+- real_size - xe_lrc_skip_size(xe));
+- ads_blob_write(ads, ads.golden_context_lrca[guc_class],
+- addr_ggtt);
+-
+ xe_map_memcpy_to(xe, ads_to_map(ads), offset,
+ gt->default_lrc[class], real_size);
+
+- addr_ggtt += alloc_size;
+ offset += alloc_size;
+ }
+
+@@ -812,7 +827,7 @@ static void guc_populate_golden_lrc(stru
+
+ void xe_guc_ads_populate_post_load(struct xe_guc_ads *ads)
+ {
+- guc_populate_golden_lrc(ads);
++ guc_golden_lrc_populate(ads);
+ }
+
+ static int guc_ads_action_update_policies(struct xe_guc_ads *ads, u32 policy_offset)
--- /dev/null
+From 2577b202458cddff85cc154b1fe7f313e0d1f418 Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Mon, 14 Apr 2025 14:25:40 +0100
+Subject: drm/xe/userptr: fix notifier vs folio deadlock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit 2577b202458cddff85cc154b1fe7f313e0d1f418 upstream.
+
+User is reporting what smells like notifier vs folio deadlock, where
+migrate_pages_batch() on core kernel side is holding folio lock(s) and
+then interacting with the mappings of it, however those mappings are
+tied to some userptr, which means calling into the notifier callback and
+grabbing the notifier lock. With perfect timing it looks possible that
+the pages we pulled from the hmm fault can get sniped by
+migrate_pages_batch() at the same time that we are holding the notifier
+lock to mark the pages as accessed/dirty, but at this point we also want
+to grab the folio locks(s) to mark them as dirty, but if they are
+contended from notifier/migrate_pages_batch side then we deadlock since
+folio lock won't be dropped until we drop the notifier lock.
+
+Fortunately the mark_page_accessed/dirty is not really needed in the
+first place it seems and should have already been done by hmm fault, so
+just remove it.
+
+Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4765
+Fixes: 0a98219bcc96 ("drm/xe/hmm: Don't dereference struct page pointers without notifier lock")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@intel.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: <stable@vger.kernel.org> # v6.10+
+Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://lore.kernel.org/r/20250414132539.26654-2-matthew.auld@intel.com
+(cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_hmm.c | 24 ------------------------
+ 1 file changed, 24 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_hmm.c
++++ b/drivers/gpu/drm/xe/xe_hmm.c
+@@ -19,29 +19,6 @@ static u64 xe_npages_in_range(unsigned l
+ return (end - start) >> PAGE_SHIFT;
+ }
+
+-/**
+- * xe_mark_range_accessed() - mark a range is accessed, so core mm
+- * have such information for memory eviction or write back to
+- * hard disk
+- * @range: the range to mark
+- * @write: if write to this range, we mark pages in this range
+- * as dirty
+- */
+-static void xe_mark_range_accessed(struct hmm_range *range, bool write)
+-{
+- struct page *page;
+- u64 i, npages;
+-
+- npages = xe_npages_in_range(range->start, range->end);
+- for (i = 0; i < npages; i++) {
+- page = hmm_pfn_to_page(range->hmm_pfns[i]);
+- if (write)
+- set_page_dirty_lock(page);
+-
+- mark_page_accessed(page);
+- }
+-}
+-
+ static int xe_alloc_sg(struct xe_device *xe, struct sg_table *st,
+ struct hmm_range *range, struct rw_semaphore *notifier_sem)
+ {
+@@ -331,7 +308,6 @@ int xe_hmm_userptr_populate_range(struct
+ if (ret)
+ goto out_unlock;
+
+- xe_mark_range_accessed(&hmm_range, write);
+ userptr->sg = &userptr->sgt;
+ xe_hmm_userptr_set_mapped(uvma);
+ userptr->notifier_seq = hmm_range.notifier_seq;
drm-i915-vrr-add-vrr.vsync_-start-end-in-vrr_params_changed.patch
drm-xe-use-local-fence-in-error-path-of-xe_migrate_clear.patch
drm-amd-display-add-hp-elitebook-645-to-the-quirk-list-for-edp-on-dp1.patch
+drm-amd-display-protect-fpu-in-dml2_validate-dml21_validate.patch
+drm-amd-display-protect-fpu-in-dml21_copy.patch
+drm-amdgpu-mes11-optimize-mes-pipe-fw-version-fetching.patch
+drm-amdgpu-dma_buf-fix-page_link-check.patch
+drm-nouveau-prime-fix-ttm_bo_delayed_delete-oops.patch
+drm-imagination-fix-firmware-memory-leaks.patch
+drm-imagination-take-paired-job-reference.patch
+drm-sti-remove-duplicate-object-names.patch
+drm-xe-fix-an-out-of-bounds-shift-when-invalidating-tlb.patch
+drm-i915-gvt-fix-unterminated-string-initialization-warning.patch
+drm-amdgpu-immediately-use-gtt-for-new-allocations.patch
+drm-amd-display-do-not-enable-replay-and-psr-while-vrr-is-on-in-amdgpu_dm_commit_planes.patch
+drm-amd-display-protect-fpu-in-dml2_init-dml21_init.patch
+drm-amd-display-add-hp-probook-445-and-465-to-the-quirk-list-for-edp-on-dp1.patch
+drm-xe-dma_buf-stop-relying-on-placement-in-unmap.patch
+drm-xe-userptr-fix-notifier-vs-folio-deadlock.patch
+drm-xe-set-lrc-addresses-before-guc-load.patch
+drm-amdgpu-fix-warning-of-drm_mm_clean.patch
+drm-mgag200-fix-value-in-vblkstr-register.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
