From: Greg Kroah-Hartman Date: Mon, 3 Nov 2025 01:16:06 +0000 (+0900) Subject: 6.17-stable patches X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=027331f10919269d6a6fa381edfb7d9f5ddbb70f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.17-stable patches added patches: acpi-fan-use-acpi-handle-when-retrieving-_fst.patch block-fix-op_is_zone_mgmt-to-handle-req_op_zone_reset_all.patch block-make-req_op_zone_open-a-write-operation.patch dma-fence-fix-safe-access-wrapper-to-call-timeline-name-method.patch drm-amd-check-that-vpe-has-reached-dpm0-in-idle-handler.patch drm-amd-display-add-hdr-workaround-for-a-specific-edp.patch drm-amd-display-don-t-program-blndgam_mem_pwr_force-when-cm-low-power-is-disabled-on-dcn30.patch drm-amd-display-fix-incorrect-return-of-vblank-enable-on-unconfigured-crtc.patch drm-ast-clear-preserved-bits-from-register-output-value.patch drm-i915-dmc-clear-hrr-evt_ctl-htp-to-zero-on-adl-s.patch drm-mediatek-fix-device-use-after-free-on-unbind.patch drm-nouveau-fix-race-in-nouveau_sched_fini.patch drm-sched-avoid-killing-parent-entity-on-child-sigkill.patch drm-sched-fix-race-in-drm_sched_entity_select_rq.patch drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch drm-xe-do-not-wake-device-during-a-gt-reset.patch kbuild-align-modinfo-section-for-secureboot-authenticode-edk2-compat.patch perf-x86-intel-fix-kasan-global-out-of-bounds-warning.patch regmap-irq-correct-documentation-of-wake_invert-flag.patch regmap-slimbus-fix-bus_context-pointer-in-regmap-init-calls.patch s390-disable-arch_want_optimize_hugetlb_vmemmap.patch s390-mm-fix-memory-leak-in-add_marker-when-kvrealloc-fails.patch s390-pci-avoid-deadlock-between-pci-error-recovery-and-mlx5-crdump.patch --- diff --git a/queue-6.17/acpi-fan-use-acpi-handle-when-retrieving-_fst.patch b/queue-6.17/acpi-fan-use-acpi-handle-when-retrieving-_fst.patch new file mode 100644 index 0000000000..4b19aa059d --- /dev/null +++ b/queue-6.17/acpi-fan-use-acpi-handle-when-retrieving-_fst.patch @@ -0,0 +1,145 @@ +From 58764259ebe0c9efd569194444629f6b26f86583 Mon Sep 17 00:00:00 2001 +From: Armin Wolf +Date: Wed, 8 Oct 2025 01:41:44 +0200 +Subject: ACPI: fan: Use ACPI handle when retrieving _FST + +From: Armin Wolf + +commit 58764259ebe0c9efd569194444629f6b26f86583 upstream. + +Usage of the ACPI device should be phased out in the future, as +the driver itself is now using the platform bus. + +Replace any usage of struct acpi_device in acpi_fan_get_fst() to +allow users to drop usage of struct acpi_device. + +Also extend the integer check to all three package elements. + +Signed-off-by: Armin Wolf +Link: https://patch.msgid.link/20251007234149.2769-2-W_Armin@gmx.de +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/fan.h | 3 ++- + drivers/acpi/fan_attr.c | 2 +- + drivers/acpi/fan_core.c | 34 ++++++++++++++++++++++------------ + drivers/acpi/fan_hwmon.c | 3 +-- + 4 files changed, 26 insertions(+), 16 deletions(-) + +--- a/drivers/acpi/fan.h ++++ b/drivers/acpi/fan.h +@@ -49,6 +49,7 @@ struct acpi_fan_fst { + }; + + struct acpi_fan { ++ acpi_handle handle; + bool acpi4; + bool has_fst; + struct acpi_fan_fif fif; +@@ -59,7 +60,7 @@ struct acpi_fan { + struct device_attribute fine_grain_control; + }; + +-int acpi_fan_get_fst(struct acpi_device *device, struct acpi_fan_fst *fst); ++int acpi_fan_get_fst(acpi_handle handle, struct acpi_fan_fst *fst); + int acpi_fan_create_attributes(struct acpi_device *device); + void acpi_fan_delete_attributes(struct acpi_device *device); + +--- a/drivers/acpi/fan_attr.c ++++ b/drivers/acpi/fan_attr.c +@@ -55,7 +55,7 @@ static ssize_t show_fan_speed(struct dev + struct acpi_fan_fst fst; + int status; + +- status = acpi_fan_get_fst(acpi_dev, &fst); ++ status = acpi_fan_get_fst(acpi_dev->handle, &fst); + if (status) + return status; + +--- a/drivers/acpi/fan_core.c ++++ b/drivers/acpi/fan_core.c +@@ -44,25 +44,30 @@ static int fan_get_max_state(struct ther + return 0; + } + +-int acpi_fan_get_fst(struct acpi_device *device, struct acpi_fan_fst *fst) ++int acpi_fan_get_fst(acpi_handle handle, struct acpi_fan_fst *fst) + { + struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; + union acpi_object *obj; + acpi_status status; + int ret = 0; + +- status = acpi_evaluate_object(device->handle, "_FST", NULL, &buffer); +- if (ACPI_FAILURE(status)) { +- dev_err(&device->dev, "Get fan state failed\n"); +- return -ENODEV; +- } ++ status = acpi_evaluate_object(handle, "_FST", NULL, &buffer); ++ if (ACPI_FAILURE(status)) ++ return -EIO; + + obj = buffer.pointer; +- if (!obj || obj->type != ACPI_TYPE_PACKAGE || +- obj->package.count != 3 || +- obj->package.elements[1].type != ACPI_TYPE_INTEGER) { +- dev_err(&device->dev, "Invalid _FST data\n"); +- ret = -EINVAL; ++ if (!obj) ++ return -ENODATA; ++ ++ if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count != 3) { ++ ret = -EPROTO; ++ goto err; ++ } ++ ++ if (obj->package.elements[0].type != ACPI_TYPE_INTEGER || ++ obj->package.elements[1].type != ACPI_TYPE_INTEGER || ++ obj->package.elements[2].type != ACPI_TYPE_INTEGER) { ++ ret = -EPROTO; + goto err; + } + +@@ -81,7 +86,7 @@ static int fan_get_state_acpi4(struct ac + struct acpi_fan_fst fst; + int status, i; + +- status = acpi_fan_get_fst(device, &fst); ++ status = acpi_fan_get_fst(device->handle, &fst); + if (status) + return status; + +@@ -323,11 +328,16 @@ static int acpi_fan_probe(struct platfor + struct acpi_device *device = ACPI_COMPANION(&pdev->dev); + char *name; + ++ if (!device) ++ return -ENODEV; ++ + fan = devm_kzalloc(&pdev->dev, sizeof(*fan), GFP_KERNEL); + if (!fan) { + dev_err(&device->dev, "No memory for fan\n"); + return -ENOMEM; + } ++ ++ fan->handle = device->handle; + device->driver_data = fan; + platform_set_drvdata(pdev, fan); + +--- a/drivers/acpi/fan_hwmon.c ++++ b/drivers/acpi/fan_hwmon.c +@@ -93,13 +93,12 @@ static umode_t acpi_fan_hwmon_is_visible + static int acpi_fan_hwmon_read(struct device *dev, enum hwmon_sensor_types type, u32 attr, + int channel, long *val) + { +- struct acpi_device *adev = to_acpi_device(dev->parent); + struct acpi_fan *fan = dev_get_drvdata(dev); + struct acpi_fan_fps *fps; + struct acpi_fan_fst fst; + int ret; + +- ret = acpi_fan_get_fst(adev, &fst); ++ ret = acpi_fan_get_fst(fan->handle, &fst); + if (ret < 0) + return ret; + diff --git a/queue-6.17/block-fix-op_is_zone_mgmt-to-handle-req_op_zone_reset_all.patch b/queue-6.17/block-fix-op_is_zone_mgmt-to-handle-req_op_zone_reset_all.patch new file mode 100644 index 0000000000..8d0888b341 --- /dev/null +++ b/queue-6.17/block-fix-op_is_zone_mgmt-to-handle-req_op_zone_reset_all.patch @@ -0,0 +1,40 @@ +From 12a1c9353c47c0fb3464eba2d78cdf649dee1cf7 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Mon, 27 Oct 2025 09:27:32 +0900 +Subject: block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL + +From: Damien Le Moal + +commit 12a1c9353c47c0fb3464eba2d78cdf649dee1cf7 upstream. + +REQ_OP_ZONE_RESET_ALL is a zone management request. Fix +op_is_zone_mgmt() to return true for that operation, like it already +does for REQ_OP_ZONE_RESET. + +While no problems were reported without this fix, this change allows +strengthening checks in various block device drivers (scsi sd, +virtioblk, DM) where op_is_zone_mgmt() is used to verify that a zone +management command is not being issued to a regular block device. + +Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/blk_types.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/blk_types.h ++++ b/include/linux/blk_types.h +@@ -480,6 +480,7 @@ static inline bool op_is_zone_mgmt(enum + { + switch (op & REQ_OP_MASK) { + case REQ_OP_ZONE_RESET: ++ case REQ_OP_ZONE_RESET_ALL: + case REQ_OP_ZONE_OPEN: + case REQ_OP_ZONE_CLOSE: + case REQ_OP_ZONE_FINISH: diff --git a/queue-6.17/block-make-req_op_zone_open-a-write-operation.patch b/queue-6.17/block-make-req_op_zone_open-a-write-operation.patch new file mode 100644 index 0000000000..2c5d945b29 --- /dev/null +++ b/queue-6.17/block-make-req_op_zone_open-a-write-operation.patch @@ -0,0 +1,58 @@ +From 19de03b312d69a7e9bacb51c806c6e3f4207376c Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Mon, 27 Oct 2025 09:27:33 +0900 +Subject: block: make REQ_OP_ZONE_OPEN a write operation + +From: Damien Le Moal + +commit 19de03b312d69a7e9bacb51c806c6e3f4207376c upstream. + +A REQ_OP_OPEN_ZONE request changes the condition of a sequential zone of +a zoned block device to the explicitly open condition +(BLK_ZONE_COND_EXP_OPEN). As such, it should be considered a write +operation. + +Change this operation code to be an odd number to reflect this. The +following operation numbers are changed to keep the numbering compact. + +No problems were reported without this change as this operation has no +data. However, this unifies the zone operation to reflect that they +modify the device state and also allows strengthening checks in the +block layer, e.g. checking if this operation is not issued against a +read-only device. + +Fixes: 6c1b1da58f8c ("block: add zone open, close and finish operations") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Christoph Hellwig +Reviewed-by: Johannes Thumshirn +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/blk_types.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/include/linux/blk_types.h ++++ b/include/linux/blk_types.h +@@ -343,15 +343,15 @@ enum req_op { + /* write the zero filled sector many times */ + REQ_OP_WRITE_ZEROES = (__force blk_opf_t)9, + /* Open a zone */ +- REQ_OP_ZONE_OPEN = (__force blk_opf_t)10, ++ REQ_OP_ZONE_OPEN = (__force blk_opf_t)11, + /* Close a zone */ +- REQ_OP_ZONE_CLOSE = (__force blk_opf_t)11, ++ REQ_OP_ZONE_CLOSE = (__force blk_opf_t)13, + /* Transition a zone to full */ +- REQ_OP_ZONE_FINISH = (__force blk_opf_t)13, ++ REQ_OP_ZONE_FINISH = (__force blk_opf_t)15, + /* reset a zone write pointer */ +- REQ_OP_ZONE_RESET = (__force blk_opf_t)15, ++ REQ_OP_ZONE_RESET = (__force blk_opf_t)17, + /* reset all the zone present on the device */ +- REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)17, ++ REQ_OP_ZONE_RESET_ALL = (__force blk_opf_t)19, + + /* Driver private requests */ + REQ_OP_DRV_IN = (__force blk_opf_t)34, diff --git a/queue-6.17/dma-fence-fix-safe-access-wrapper-to-call-timeline-name-method.patch b/queue-6.17/dma-fence-fix-safe-access-wrapper-to-call-timeline-name-method.patch new file mode 100644 index 0000000000..83e16d3de2 --- /dev/null +++ b/queue-6.17/dma-fence-fix-safe-access-wrapper-to-call-timeline-name-method.patch @@ -0,0 +1,40 @@ +From 033559473dd3b55558b535aa37b8848c207b5cbb Mon Sep 17 00:00:00 2001 +From: Akash Goel +Date: Tue, 21 Oct 2025 17:09:51 +0100 +Subject: dma-fence: Fix safe access wrapper to call timeline name method + +From: Akash Goel + +commit 033559473dd3b55558b535aa37b8848c207b5cbb upstream. + +This commit fixes the wrapper function dma_fence_timeline_name(), that +was added for safe access, to actually call the timeline name method of +dma_fence_ops. + +Cc: # v6.17+ +Signed-off-by: Akash Goel +Fixes: 506aa8b02a8d ("dma-fence: Add safe access helpers and document the rules") +Reviewed-by: Tvrtko Ursulin +Signed-off-by: Tvrtko Ursulin +Link: https://lore.kernel.org/r/20251021160951.1415603-1-akash.goel@arm.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/dma-fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c +index 3f78c56b58dc..39e6f93dc310 100644 +--- a/drivers/dma-buf/dma-fence.c ++++ b/drivers/dma-buf/dma-fence.c +@@ -1141,7 +1141,7 @@ const char __rcu *dma_fence_timeline_name(struct dma_fence *fence) + "RCU protection is required for safe access to returned string"); + + if (!test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags)) +- return fence->ops->get_driver_name(fence); ++ return fence->ops->get_timeline_name(fence); + else + return "signaled-timeline"; + } +-- +2.51.2 + diff --git a/queue-6.17/drm-amd-check-that-vpe-has-reached-dpm0-in-idle-handler.patch b/queue-6.17/drm-amd-check-that-vpe-has-reached-dpm0-in-idle-handler.patch new file mode 100644 index 0000000000..5cd8c5707a --- /dev/null +++ b/queue-6.17/drm-amd-check-that-vpe-has-reached-dpm0-in-idle-handler.patch @@ -0,0 +1,92 @@ +From ba10f8d92a2c026b1052b4c0fa2cd7538838c965 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Thu, 16 Oct 2025 13:55:27 -0500 +Subject: drm/amd: Check that VPE has reached DPM0 in idle handler + +From: Mario Limonciello + +commit ba10f8d92a2c026b1052b4c0fa2cd7538838c965 upstream. + +[Why] +Newer VPE microcode has functionality that will decrease DPM level +only when a workload has run for 2 or more seconds. If VPE is turned +off before this DPM decrease and the PMFW doesn't reset it when +power gating VPE, the SOC can get stuck with a higher DPM level. + +This can happen from amdgpu's ring buffer test because it's a short +quick workload for VPE and VPE is turned off after 1s. + +[How] +In idle handler besides checking fences are drained check PMFW version +to determine if it will reset DPM when power gating VPE. If PMFW will +not do this, then check VPE DPM level. If it is not DPM0 reschedule +delayed work again until it is. + +v2: squash in return fix (Alex) + +Cc: Peyton.Lee@amd.com +Reported-by: Sultan Alsawaf +Reviewed-by: Sultan Alsawaf +Tested-by: Sultan Alsawaf +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4615 +Reviewed-by: Lijo Lazar +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit 3ac635367eb589bee8edcc722f812a89970e14b7) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c | 34 ++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vpe.c +@@ -322,6 +322,26 @@ static int vpe_early_init(struct amdgpu_ + return 0; + } + ++static bool vpe_need_dpm0_at_power_down(struct amdgpu_device *adev) ++{ ++ switch (amdgpu_ip_version(adev, VPE_HWIP, 0)) { ++ case IP_VERSION(6, 1, 1): ++ return adev->pm.fw_version < 0x0a640500; ++ default: ++ return false; ++ } ++} ++ ++static int vpe_get_dpm_level(struct amdgpu_device *adev) ++{ ++ struct amdgpu_vpe *vpe = &adev->vpe; ++ ++ if (!adev->pm.dpm_enabled) ++ return 0; ++ ++ return RREG32(vpe_get_reg_offset(vpe, 0, vpe->regs.dpm_request_lv)); ++} ++ + static void vpe_idle_work_handler(struct work_struct *work) + { + struct amdgpu_device *adev = +@@ -329,11 +349,17 @@ static void vpe_idle_work_handler(struct + unsigned int fences = 0; + + fences += amdgpu_fence_count_emitted(&adev->vpe.ring); ++ if (fences) ++ goto reschedule; ++ ++ if (vpe_need_dpm0_at_power_down(adev) && vpe_get_dpm_level(adev) != 0) ++ goto reschedule; ++ ++ amdgpu_device_ip_set_powergating_state(adev, AMD_IP_BLOCK_TYPE_VPE, AMD_PG_STATE_GATE); ++ return; + +- if (fences == 0) +- amdgpu_device_ip_set_powergating_state(adev, AMD_IP_BLOCK_TYPE_VPE, AMD_PG_STATE_GATE); +- else +- schedule_delayed_work(&adev->vpe.idle_work, VPE_IDLE_TIMEOUT); ++reschedule: ++ schedule_delayed_work(&adev->vpe.idle_work, VPE_IDLE_TIMEOUT); + } + + static int vpe_common_init(struct amdgpu_vpe *vpe) diff --git a/queue-6.17/drm-amd-display-add-hdr-workaround-for-a-specific-edp.patch b/queue-6.17/drm-amd-display-add-hdr-workaround-for-a-specific-edp.patch new file mode 100644 index 0000000000..a10ff5e64c --- /dev/null +++ b/queue-6.17/drm-amd-display-add-hdr-workaround-for-a-specific-edp.patch @@ -0,0 +1,39 @@ +From 7d08c3b1731014dd1cfd0bf8b0cb1cef9dfd191e Mon Sep 17 00:00:00 2001 +From: Alex Hung +Date: Thu, 16 Oct 2025 20:08:10 -0600 +Subject: drm/amd/display: Add HDR workaround for a specific eDP + +From: Alex Hung + +commit 7d08c3b1731014dd1cfd0bf8b0cb1cef9dfd191e upstream. + +[WHY & HOW] +Some eDP panels suffer from flicking when HDR is enabled in KDE or +Gnome. + +This add another quirk to worksaround to skip VSC that is incompatible +with an eDP panel. + +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/4452 +Reviewed-by: Aurabindo Pillai +Signed-off-by: Alex Hung +Signed-off-by: Wayne Lin +Tested-by: Dan Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit 99441824bec63549a076cd86631d138ec9a0c71c) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c +@@ -82,6 +82,7 @@ static void apply_edid_quirks(struct drm + edid_caps->panel_patch.remove_sink_ext_caps = true; + break; + case drm_edid_encode_panel_id('S', 'D', 'C', 0x4154): ++ case drm_edid_encode_panel_id('S', 'D', 'C', 0x4171): + drm_dbg_driver(dev, "Disabling VSC on monitor with panel id %X\n", panel_id); + edid_caps->panel_patch.disable_colorimetry = true; + break; diff --git a/queue-6.17/drm-amd-display-don-t-program-blndgam_mem_pwr_force-when-cm-low-power-is-disabled-on-dcn30.patch b/queue-6.17/drm-amd-display-don-t-program-blndgam_mem_pwr_force-when-cm-low-power-is-disabled-on-dcn30.patch new file mode 100644 index 0000000000..fecf4488df --- /dev/null +++ b/queue-6.17/drm-amd-display-don-t-program-blndgam_mem_pwr_force-when-cm-low-power-is-disabled-on-dcn30.patch @@ -0,0 +1,56 @@ +From 382bd6a792836875da555fe9a2b51222b813fed1 Mon Sep 17 00:00:00 2001 +From: Matthew Schwartz +Date: Mon, 20 Oct 2025 16:09:34 -0700 +Subject: drm/amd/display: Don't program BLNDGAM_MEM_PWR_FORCE when CM low-power is disabled on DCN30 + +From: Matthew Schwartz + +commit 382bd6a792836875da555fe9a2b51222b813fed1 upstream. + +Before commit 33056a97ae5e ("drm/amd/display: Remove double checks for +`debug.enable_mem_low_power.bits.cm`"), dpp3_program_blnd_lut(NULL) +checked the low-power debug flag before calling +dpp3_power_on_blnd_lut(false). + +After commit 33056a97ae5e ("drm/amd/display: Remove double checks for +`debug.enable_mem_low_power.bits.cm`"), dpp3_program_blnd_lut(NULL) +unconditionally calls dpp3_power_on_blnd_lut(false). The BLNDGAM power +helper writes BLNDGAM_MEM_PWR_FORCE when CM low-power is disabled, causing +immediate SRAM power toggles instead of deferring at vupdate. This can +disrupt atomic color/LUT sequencing during transitions between +direct scanout and composition within gamescope's DRM backend on +Steam Deck OLED. + +To fix this, leave the BLNDGAM power state unchanged when low-power is +disabled, matching dpp3_power_on_hdr3dlut and dpp3_power_on_shaper. + +Fixes: 33056a97ae5e ("drm/amd/display: Remove double checks for `debug.enable_mem_low_power.bits.cm`") +Signed-off-by: Matthew Schwartz +Reviewed-by: Harry Wentland +Reviewed-by: Mario Limonciello +Signed-off-by: Mario Limonciello +Signed-off-by: Alex Deucher +(cherry picked from commit 13ff4f63fcddfc84ec8632f1443936b00aa26725) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c b/drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c +index 09be2a90cc79..4f569cd8a5d6 100644 +--- a/drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c ++++ b/drivers/gpu/drm/amd/display/dc/dpp/dcn30/dcn30_dpp.c +@@ -578,9 +578,6 @@ static void dpp3_power_on_blnd_lut( + dpp_base->ctx->dc->optimized_required = true; + dpp_base->deferred_reg_writes.bits.disable_blnd_lut = true; + } +- } else { +- REG_SET(CM_MEM_PWR_CTRL, 0, +- BLNDGAM_MEM_PWR_FORCE, power_on == true ? 0 : 1); + } + } + +-- +2.51.2 + diff --git a/queue-6.17/drm-amd-display-fix-incorrect-return-of-vblank-enable-on-unconfigured-crtc.patch b/queue-6.17/drm-amd-display-fix-incorrect-return-of-vblank-enable-on-unconfigured-crtc.patch new file mode 100644 index 0000000000..35469420f6 --- /dev/null +++ b/queue-6.17/drm-amd-display-fix-incorrect-return-of-vblank-enable-on-unconfigured-crtc.patch @@ -0,0 +1,53 @@ +From b3656b355b5522cef1b52a7469010009c98156db Mon Sep 17 00:00:00 2001 +From: Ivan Lipski +Date: Wed, 17 Sep 2025 11:00:02 -0400 +Subject: drm/amd/display: Fix incorrect return of vblank enable on unconfigured crtc + +From: Ivan Lipski + +commit b3656b355b5522cef1b52a7469010009c98156db upstream. + +[Why&How] +Return -EINVAL when userspace asks us to enable vblank on a crtc that is +not yet enabled. + +Suggested-by: Aurabindo Pillai +Reviewed-by: Aurabindo Pillai +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/1856 +Signed-off-by: Ivan Lipski +Signed-off-by: Wayne Lin +Tested-by: Dan Wheeler +Signed-off-by: Alex Deucher +(cherry picked from commit cb57b8cdb072dc37723b6906da1c37ff9cbc2da4) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c +@@ -293,8 +293,12 @@ static inline int amdgpu_dm_crtc_set_vbl + int irq_type; + int rc = 0; + +- if (acrtc->otg_inst == -1) +- goto skip; ++ if (enable && !acrtc->base.enabled) { ++ drm_dbg_vbl(crtc->dev, ++ "Reject vblank enable on unconfigured CRTC %d (enabled=%d)\n", ++ acrtc->crtc_id, acrtc->base.enabled); ++ return -EINVAL; ++ } + + irq_type = amdgpu_display_crtc_idx_to_irq_type(adev, acrtc->crtc_id); + +@@ -375,7 +379,7 @@ static inline int amdgpu_dm_crtc_set_vbl + return rc; + } + #endif +-skip: ++ + if (amdgpu_in_reset(adev)) + return 0; + diff --git a/queue-6.17/drm-ast-clear-preserved-bits-from-register-output-value.patch b/queue-6.17/drm-ast-clear-preserved-bits-from-register-output-value.patch new file mode 100644 index 0000000000..8db3f5b5cd --- /dev/null +++ b/queue-6.17/drm-ast-clear-preserved-bits-from-register-output-value.patch @@ -0,0 +1,59 @@ +From a9fb41b5def8e1e0103d5fd1453787993587281e Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Fri, 24 Oct 2025 09:35:53 +0200 +Subject: drm/ast: Clear preserved bits from register output value + +From: Thomas Zimmermann + +commit a9fb41b5def8e1e0103d5fd1453787993587281e upstream. + +Preserve the I/O register bits in __ast_write8_i_masked() as specified +by preserve_mask. Accidentally OR-ing the output value into these will +overwrite the register's previous settings. + +Fixes display output on the AST2300, where the screen can go blank at +boot. The driver's original commit 312fec1405dd ("drm: Initial KMS +driver for AST (ASpeed Technologies) 2000 series (v2)") already added +the broken code. Commit 6f719373b943 ("drm/ast: Blank with VGACR17 sync +enable, always clear VGACRB6 sync off") triggered the bug. + +Signed-off-by: Thomas Zimmermann +Reported-by: Peter Schneider +Closes: https://lore.kernel.org/dri-devel/a40caf8e-58ad-4f9c-af7f-54f6f69c29bb@googlemail.com/ +Tested-by: Peter Schneider +Reviewed-by: Jocelyn Falempe +Fixes: 6f719373b943 ("drm/ast: Blank with VGACR17 sync enable, always clear VGACRB6 sync off") +Fixes: 312fec1405dd ("drm: Initial KMS driver for AST (ASpeed Technologies) 2000 series (v2)") +Cc: Thomas Zimmermann +Cc: Nick Bowler +Cc: Douglas Anderson +Cc: Dave Airlie +Cc: Jocelyn Falempe +Cc: dri-devel@lists.freedesktop.org +Cc: # v3.5+ +Link: https://patch.msgid.link/20251024073626.129032-1-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ast/ast_drv.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/ast/ast_drv.h ++++ b/drivers/gpu/drm/ast/ast_drv.h +@@ -284,13 +284,13 @@ static inline void __ast_write8_i(void _ + __ast_write8(addr, reg + 1, val); + } + +-static inline void __ast_write8_i_masked(void __iomem *addr, u32 reg, u8 index, u8 read_mask, ++static inline void __ast_write8_i_masked(void __iomem *addr, u32 reg, u8 index, u8 preserve_mask, + u8 val) + { +- u8 tmp = __ast_read8_i_masked(addr, reg, index, read_mask); ++ u8 tmp = __ast_read8_i_masked(addr, reg, index, preserve_mask); + +- tmp |= val; +- __ast_write8_i(addr, reg, index, tmp); ++ val &= ~preserve_mask; ++ __ast_write8_i(addr, reg, index, tmp | val); + } + + static inline u32 ast_read32(struct ast_device *ast, u32 reg) diff --git a/queue-6.17/drm-i915-dmc-clear-hrr-evt_ctl-htp-to-zero-on-adl-s.patch b/queue-6.17/drm-i915-dmc-clear-hrr-evt_ctl-htp-to-zero-on-adl-s.patch new file mode 100644 index 0000000000..506d83d4fc --- /dev/null +++ b/queue-6.17/drm-i915-dmc-clear-hrr-evt_ctl-htp-to-zero-on-adl-s.patch @@ -0,0 +1,121 @@ +From dc8aa0cb87a7836b59422cc02d969c8df849ee39 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 22 Oct 2025 13:07:16 +0300 +Subject: drm/i915/dmc: Clear HRR EVT_CTL/HTP to zero on ADL-S +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit dc8aa0cb87a7836b59422cc02d969c8df849ee39 upstream. + +On ADL-S the main DMC HRR event DMC_EVT_CTL/HTP are never +restored to their previous values during DC6 exit. This +angers assert_dmc_loaded(), and basically makes the HRR +handler unusable because we don't rewrite EVT_HTP when +enabling DMC events. + +Let's just clear the HRR EVT_CTL/HTP to zero from the +beginnning so that the expected value matches the post-DC6 +reality. + +I suppose if we ever had actual use for HRR we'd have to both, +reject HRR+PSR, and reprogram EVT_HTP when enabling the event. +But for now we don't care about HRR so keeping both registers +zeroed is fine. + +Cc: stable@vger.kernel.org +Tested-by: Petr Vorel +Fixes: 43175c92d403 ("drm/i915/dmc: Assert DMC is loaded harder") +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15153 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20251022100718.24803-2-ville.syrjala@linux.intel.com +Reviewed-by: Petr Vorel +Reviewed-by: Imre Deak +Tested-by: Imre Deak +(cherry picked from commit 4df3b340ff6e9f499735d8b52b96a9257fde3918) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/display/intel_dmc.c | 55 +++++++++++++++++++++++- + 1 file changed, 54 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_dmc.c b/drivers/gpu/drm/i915/display/intel_dmc.c +index 77a0199f9ea5..4a4cace1f879 100644 +--- a/drivers/gpu/drm/i915/display/intel_dmc.c ++++ b/drivers/gpu/drm/i915/display/intel_dmc.c +@@ -546,6 +546,36 @@ static bool is_event_handler(struct intel_display *display, + REG_FIELD_GET(DMC_EVT_CTL_EVENT_ID_MASK, data) == event_id; + } + ++static bool fixup_dmc_evt(struct intel_display *display, ++ enum intel_dmc_id dmc_id, ++ i915_reg_t reg_ctl, u32 *data_ctl, ++ i915_reg_t reg_htp, u32 *data_htp) ++{ ++ if (!is_dmc_evt_ctl_reg(display, dmc_id, reg_ctl)) ++ return false; ++ ++ if (!is_dmc_evt_htp_reg(display, dmc_id, reg_htp)) ++ return false; ++ ++ /* make sure reg_ctl and reg_htp are for the same event */ ++ if (i915_mmio_reg_offset(reg_ctl) - i915_mmio_reg_offset(DMC_EVT_CTL(display, dmc_id, 0)) != ++ i915_mmio_reg_offset(reg_htp) - i915_mmio_reg_offset(DMC_EVT_HTP(display, dmc_id, 0))) ++ return false; ++ ++ /* ++ * On ADL-S the HRR event handler is not restored after DC6. ++ * Clear it to zero from the beginning to avoid mismatches later. ++ */ ++ if (display->platform.alderlake_s && dmc_id == DMC_FW_MAIN && ++ is_event_handler(display, dmc_id, MAINDMC_EVENT_VBLANK_A, reg_ctl, *data_ctl)) { ++ *data_ctl = 0; ++ *data_htp = 0; ++ return true; ++ } ++ ++ return false; ++} ++ + static bool disable_dmc_evt(struct intel_display *display, + enum intel_dmc_id dmc_id, + i915_reg_t reg, u32 data) +@@ -1064,9 +1094,32 @@ static u32 parse_dmc_fw_header(struct intel_dmc *dmc, + for (i = 0; i < mmio_count; i++) { + dmc_info->mmioaddr[i] = _MMIO(mmioaddr[i]); + dmc_info->mmiodata[i] = mmiodata[i]; ++ } + ++ for (i = 0; i < mmio_count - 1; i++) { ++ u32 orig_mmiodata[2] = { ++ dmc_info->mmiodata[i], ++ dmc_info->mmiodata[i+1], ++ }; ++ ++ if (!fixup_dmc_evt(display, dmc_id, ++ dmc_info->mmioaddr[i], &dmc_info->mmiodata[i], ++ dmc_info->mmioaddr[i+1], &dmc_info->mmiodata[i+1])) ++ continue; ++ ++ drm_dbg_kms(display->drm, ++ " mmio[%d]: 0x%x = 0x%x->0x%x (EVT_CTL)\n", ++ i, i915_mmio_reg_offset(dmc_info->mmioaddr[i]), ++ orig_mmiodata[0], dmc_info->mmiodata[i]); ++ drm_dbg_kms(display->drm, ++ " mmio[%d]: 0x%x = 0x%x->0x%x (EVT_HTP)\n", ++ i+1, i915_mmio_reg_offset(dmc_info->mmioaddr[i+1]), ++ orig_mmiodata[1], dmc_info->mmiodata[i+1]); ++ } ++ ++ for (i = 0; i < mmio_count; i++) { + drm_dbg_kms(display->drm, " mmio[%d]: 0x%x = 0x%x%s%s\n", +- i, mmioaddr[i], mmiodata[i], ++ i, i915_mmio_reg_offset(dmc_info->mmioaddr[i]), dmc_info->mmiodata[i], + is_dmc_evt_ctl_reg(display, dmc_id, dmc_info->mmioaddr[i]) ? " (EVT_CTL)" : + is_dmc_evt_htp_reg(display, dmc_id, dmc_info->mmioaddr[i]) ? " (EVT_HTP)" : "", + disable_dmc_evt(display, dmc_id, dmc_info->mmioaddr[i], +-- +2.51.2 + diff --git a/queue-6.17/drm-mediatek-fix-device-use-after-free-on-unbind.patch b/queue-6.17/drm-mediatek-fix-device-use-after-free-on-unbind.patch new file mode 100644 index 0000000000..8d9b64cab9 --- /dev/null +++ b/queue-6.17/drm-mediatek-fix-device-use-after-free-on-unbind.patch @@ -0,0 +1,74 @@ +From 926d002e6d7e2f1fd5c1b53cf6208153ee7d380d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 6 Oct 2025 11:39:37 +0200 +Subject: drm/mediatek: Fix device use-after-free on unbind + +From: Johan Hovold + +commit 926d002e6d7e2f1fd5c1b53cf6208153ee7d380d upstream. + +A recent change fixed device reference leaks when looking up drm +platform device driver data during bind() but failed to remove a partial +fix which had been added by commit 80805b62ea5b ("drm/mediatek: Fix +kobject put for component sub-drivers"). + +This results in a reference imbalance on component bind() failures and +on unbind() which could lead to a user-after-free. + +Make sure to only drop the references after retrieving the driver data +by effectively reverting the previous partial fix. + +Note that holding a reference to a device does not prevent its driver +data from going away so there is no point in keeping the reference. + +Fixes: 1f403699c40f ("drm/mediatek: Fix device/node reference count leaks in mtk_drm_get_all_drm_priv") +Reported-by: Sjoerd Simons +Closes: https://lore.kernel.org/r/20251003-mtk-drm-refcount-v1-1-3b3f2813b0db@collabora.com +Cc: stable@vger.kernel.org +Cc: Ma Ke +Cc: AngeloGioacchino Del Regno +Signed-off-by: Johan Hovold +Reviewed-by: AngeloGioacchino Del Regno +Reviewed-by: Sjoerd Simons +Tested-by: Sjoerd Simons +Tested-by: Ritesh Raj Sarraf +Reviewed-by: CK Hu +Link: https://patchwork.kernel.org/project/dri-devel/patch/20251006093937.27869-1-johan@kernel.org/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 10 ---------- + 1 file changed, 10 deletions(-) + +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +@@ -686,10 +686,6 @@ err_free: + for (i = 0; i < private->data->mmsys_dev_num; i++) + private->all_drm_private[i]->drm = NULL; + err_put_dev: +- for (i = 0; i < private->data->mmsys_dev_num; i++) { +- /* For device_find_child in mtk_drm_get_all_priv() */ +- put_device(private->all_drm_private[i]->dev); +- } + put_device(private->mutex_dev); + return ret; + } +@@ -697,18 +693,12 @@ err_put_dev: + static void mtk_drm_unbind(struct device *dev) + { + struct mtk_drm_private *private = dev_get_drvdata(dev); +- int i; + + /* for multi mmsys dev, unregister drm dev in mmsys master */ + if (private->drm_master) { + drm_dev_unregister(private->drm); + mtk_drm_kms_deinit(private->drm); + drm_dev_put(private->drm); +- +- for (i = 0; i < private->data->mmsys_dev_num; i++) { +- /* For device_find_child in mtk_drm_get_all_priv() */ +- put_device(private->all_drm_private[i]->dev); +- } + put_device(private->mutex_dev); + } + private->mtk_drm_bound = false; diff --git a/queue-6.17/drm-nouveau-fix-race-in-nouveau_sched_fini.patch b/queue-6.17/drm-nouveau-fix-race-in-nouveau_sched_fini.patch new file mode 100644 index 0000000000..48dd79d788 --- /dev/null +++ b/queue-6.17/drm-nouveau-fix-race-in-nouveau_sched_fini.patch @@ -0,0 +1,56 @@ +From e0023c8a74028739643aa14bd201c41a99866ca4 Mon Sep 17 00:00:00 2001 +From: Philipp Stanner +Date: Fri, 24 Oct 2025 18:12:22 +0200 +Subject: drm/nouveau: Fix race in nouveau_sched_fini() + +From: Philipp Stanner + +commit e0023c8a74028739643aa14bd201c41a99866ca4 upstream. + +nouveau_sched_fini() uses a memory barrier before wait_event(). +wait_event(), however, is a macro which expands to a loop which might +check the passed condition several times. The barrier would only take +effect for the first check. + +Replace the barrier with a function which takes the spinlock. + +Cc: stable@vger.kernel.org # v6.8+ +Fixes: 5f03a507b29e ("drm/nouveau: implement 1:1 scheduler - entity relationship") +Acked-by: Danilo Krummrich +Signed-off-by: Philipp Stanner +Link: https://patch.msgid.link/20251024161221.196155-2-phasta@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_sched.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_sched.c ++++ b/drivers/gpu/drm/nouveau/nouveau_sched.c +@@ -482,6 +482,17 @@ nouveau_sched_create(struct nouveau_sche + return 0; + } + ++static bool ++nouveau_sched_job_list_empty(struct nouveau_sched *sched) ++{ ++ bool empty; ++ ++ spin_lock(&sched->job.list.lock); ++ empty = list_empty(&sched->job.list.head); ++ spin_unlock(&sched->job.list.lock); ++ ++ return empty; ++} + + static void + nouveau_sched_fini(struct nouveau_sched *sched) +@@ -489,8 +500,7 @@ nouveau_sched_fini(struct nouveau_sched + struct drm_gpu_scheduler *drm_sched = &sched->base; + struct drm_sched_entity *entity = &sched->entity; + +- rmb(); /* for list_empty to work without lock */ +- wait_event(sched->job.wq, list_empty(&sched->job.list.head)); ++ wait_event(sched->job.wq, nouveau_sched_job_list_empty(sched)); + + drm_sched_entity_fini(entity); + drm_sched_fini(drm_sched); diff --git a/queue-6.17/drm-sched-avoid-killing-parent-entity-on-child-sigkill.patch b/queue-6.17/drm-sched-avoid-killing-parent-entity-on-child-sigkill.patch new file mode 100644 index 0000000000..8a725c4214 --- /dev/null +++ b/queue-6.17/drm-sched-avoid-killing-parent-entity-on-child-sigkill.patch @@ -0,0 +1,55 @@ +From 9e8b3201c7302d5b522ba3535630bed21cc03c27 Mon Sep 17 00:00:00 2001 +From: David Rosca +Date: Wed, 15 Oct 2025 16:01:28 +0200 +Subject: drm/sched: avoid killing parent entity on child SIGKILL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Rosca + +commit 9e8b3201c7302d5b522ba3535630bed21cc03c27 upstream. + +The DRM scheduler tracks who last uses an entity and when that process +is killed blocks all further submissions to that entity. + +The problem is that we didn't track who initially created an entity, so +when a process accidently leaked its file descriptor to a child and +that child got killed, we killed the parent's entities. + +Avoid that and instead initialize the entities last user on entity +creation. This also allows to drop the extra NULL check. + +Signed-off-by: David Rosca +Signed-off-by: Christian König +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4568 +Reviewed-by: Alex Deucher +CC: stable@vger.kernel.org +Acked-by: Philipp Stanner +Link: https://lore.kernel.org/r/20251015140128.1470-1-christian.koenig@amd.com +Signed-off-by: Philipp Stanner +Link: https://patch.msgid.link/20251015140128.1470-1-christian.koenig@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/scheduler/sched_entity.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -70,6 +70,7 @@ int drm_sched_entity_init(struct drm_sch + entity->guilty = guilty; + entity->num_sched_list = num_sched_list; + entity->priority = priority; ++ entity->last_user = current->group_leader; + /* + * It's perfectly valid to initialize an entity without having a valid + * scheduler attached. It's just not valid to use the scheduler before it +@@ -302,7 +303,7 @@ long drm_sched_entity_flush(struct drm_s + + /* For killed process disable any more IBs enqueue right now */ + last_user = cmpxchg(&entity->last_user, current->group_leader, NULL); +- if ((!last_user || last_user == current->group_leader) && ++ if (last_user == current->group_leader && + (current->flags & PF_EXITING) && (current->exit_code == SIGKILL)) + drm_sched_entity_kill(entity); + diff --git a/queue-6.17/drm-sched-fix-race-in-drm_sched_entity_select_rq.patch b/queue-6.17/drm-sched-fix-race-in-drm_sched_entity_select_rq.patch new file mode 100644 index 0000000000..2bd308877b --- /dev/null +++ b/queue-6.17/drm-sched-fix-race-in-drm_sched_entity_select_rq.patch @@ -0,0 +1,39 @@ +From d25e3a610bae03bffc5c14b5d944a5d0cd844678 Mon Sep 17 00:00:00 2001 +From: Philipp Stanner +Date: Wed, 22 Oct 2025 08:34:03 +0200 +Subject: drm/sched: Fix race in drm_sched_entity_select_rq() + +From: Philipp Stanner + +commit d25e3a610bae03bffc5c14b5d944a5d0cd844678 upstream. + +In a past bug fix it was forgotten that entity access must be protected +by the entity lock. That's a data race and potentially UB. + +Move the spin_unlock() to the appropriate position. + +Cc: stable@vger.kernel.org # v5.13+ +Fixes: ac4eb83ab255 ("drm/sched: select new rq even if there is only one v3") +Reviewed-by: Tvrtko Ursulin +Signed-off-by: Philipp Stanner +Link: https://patch.msgid.link/20251022063402.87318-2-phasta@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/scheduler/sched_entity.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -553,10 +553,11 @@ void drm_sched_entity_select_rq(struct d + drm_sched_rq_remove_entity(entity->rq, entity); + entity->rq = rq; + } +- spin_unlock(&entity->lock); + + if (entity->num_sched_list == 1) + entity->sched_list = NULL; ++ ++ spin_unlock(&entity->lock); + } + + /** diff --git a/queue-6.17/drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch b/queue-6.17/drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch new file mode 100644 index 0000000000..1fa393914a --- /dev/null +++ b/queue-6.17/drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch @@ -0,0 +1,52 @@ +From 14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Fri, 17 Oct 2025 11:13:36 +0200 +Subject: drm/sysfb: Do not dereference NULL pointer in plane reset + +From: Thomas Zimmermann + +commit 14e02ed3876f4ab0ed6d3f41972175f8b8df3d70 upstream. + +The plane state in __drm_gem_reset_shadow_plane() can be NULL. Do not +deref that pointer, but forward NULL to the other plane-reset helpers. +Clears plane->state to NULL. + +v2: +- fix typo in commit description (Javier) + +Signed-off-by: Thomas Zimmermann +Fixes: b71565022031 ("drm/gem: Export implementation of shadow-plane helpers") +Reported-by: Dan Carpenter +Closes: https://lore.kernel.org/dri-devel/aPIDAsHIUHp_qSW4@stanley.mountain/ +Cc: Thomas Zimmermann +Cc: Melissa Wen +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: David Airlie +Cc: Simona Vetter +Cc: dri-devel@lists.freedesktop.org +Cc: # v5.15+ +Reviewed-by: Javier Martinez Canillas +Link: https://patch.msgid.link/20251017091407.58488-1-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_gem_atomic_helper.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/drm_gem_atomic_helper.c ++++ b/drivers/gpu/drm/drm_gem_atomic_helper.c +@@ -310,8 +310,12 @@ EXPORT_SYMBOL(drm_gem_destroy_shadow_pla + void __drm_gem_reset_shadow_plane(struct drm_plane *plane, + struct drm_shadow_plane_state *shadow_plane_state) + { +- __drm_atomic_helper_plane_reset(plane, &shadow_plane_state->base); +- drm_format_conv_state_init(&shadow_plane_state->fmtcnv_state); ++ if (shadow_plane_state) { ++ __drm_atomic_helper_plane_reset(plane, &shadow_plane_state->base); ++ drm_format_conv_state_init(&shadow_plane_state->fmtcnv_state); ++ } else { ++ __drm_atomic_helper_plane_reset(plane, NULL); ++ } + } + EXPORT_SYMBOL(__drm_gem_reset_shadow_plane); + diff --git a/queue-6.17/drm-xe-do-not-wake-device-during-a-gt-reset.patch b/queue-6.17/drm-xe-do-not-wake-device-during-a-gt-reset.patch new file mode 100644 index 0000000000..5329aad5b7 --- /dev/null +++ b/queue-6.17/drm-xe-do-not-wake-device-during-a-gt-reset.patch @@ -0,0 +1,72 @@ +From b3fbda1a630a9439c885b2a5dc5230cc49a87e9e Mon Sep 17 00:00:00 2001 +From: Matthew Brost +Date: Tue, 21 Oct 2025 17:55:37 -0700 +Subject: drm/xe: Do not wake device during a GT reset + +From: Matthew Brost + +commit b3fbda1a630a9439c885b2a5dc5230cc49a87e9e upstream. + +Waking the device during a GT reset can lead to unintended memory +allocation, which is not allowed since GT resets occur in the reclaim +path. Prevent this by holding a PM reference while a reset is in flight. + +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Cc: stable@vger.kernel.org +Signed-off-by: Matthew Brost +Reviewed-by: Matthew Auld +Link: https://lore.kernel.org/r/20251022005538.828980-3-matthew.brost@intel.com +(cherry picked from commit 480b358e7d8ef69fd8f1b0cad6e07c7d70a36ee4) +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_gt.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_gt.c ++++ b/drivers/gpu/drm/xe/xe_gt.c +@@ -810,17 +810,19 @@ static int gt_reset(struct xe_gt *gt) + unsigned int fw_ref; + int err; + +- if (xe_device_wedged(gt_to_xe(gt))) +- return -ECANCELED; ++ if (xe_device_wedged(gt_to_xe(gt))) { ++ err = -ECANCELED; ++ goto err_pm_put; ++ } + + /* We only support GT resets with GuC submission */ +- if (!xe_device_uc_enabled(gt_to_xe(gt))) +- return -ENODEV; ++ if (!xe_device_uc_enabled(gt_to_xe(gt))) { ++ err = -ENODEV; ++ goto err_pm_put; ++ } + + xe_gt_info(gt, "reset started\n"); + +- xe_pm_runtime_get(gt_to_xe(gt)); +- + if (xe_fault_inject_gt_reset()) { + err = -ECANCELED; + goto err_fail; +@@ -867,6 +869,7 @@ err_fail: + xe_gt_err(gt, "reset failed (%pe)\n", ERR_PTR(err)); + + xe_device_declare_wedged(gt_to_xe(gt)); ++err_pm_put: + xe_pm_runtime_put(gt_to_xe(gt)); + + return err; +@@ -888,7 +891,9 @@ void xe_gt_reset_async(struct xe_gt *gt) + return; + + xe_gt_info(gt, "reset queued\n"); +- queue_work(gt->ordered_wq, >->reset.worker); ++ xe_pm_runtime_get_noresume(gt_to_xe(gt)); ++ if (!queue_work(gt->ordered_wq, >->reset.worker)) ++ xe_pm_runtime_put(gt_to_xe(gt)); + } + + void xe_gt_suspend_prepare(struct xe_gt *gt) diff --git a/queue-6.17/kbuild-align-modinfo-section-for-secureboot-authenticode-edk2-compat.patch b/queue-6.17/kbuild-align-modinfo-section-for-secureboot-authenticode-edk2-compat.patch new file mode 100644 index 0000000000..bf28463a54 --- /dev/null +++ b/queue-6.17/kbuild-align-modinfo-section-for-secureboot-authenticode-edk2-compat.patch @@ -0,0 +1,60 @@ +From d50f21091358b2b29dc06c2061106cdb0f030d03 Mon Sep 17 00:00:00 2001 +From: Dimitri John Ledkov +Date: Sun, 26 Oct 2025 20:21:00 +0000 +Subject: kbuild: align modinfo section for Secureboot Authenticode EDK2 compat + +From: Dimitri John Ledkov + +commit d50f21091358b2b29dc06c2061106cdb0f030d03 upstream. + +Previously linker scripts would always generate vmlinuz that has sections +aligned. And thus padded (correct Authenticode calculation) and unpadded +calculation would be same. As in https://github.com/rhboot/pesign userspace +tool would produce the same authenticode digest for both of the following +commands: + + pesign --padding --hash --in ./arch/x86_64/boot/bzImage + pesign --nopadding --hash --in ./arch/x86_64/boot/bzImage + +The commit 3e86e4d74c04 ("kbuild: keep .modinfo section in +vmlinux.unstripped") added .modinfo section of variable length. Depending +on kernel configuration it may or may not be aligned. + +All userspace signing tooling correctly pads such section to calculation +spec compliant authenticode digest. + +However, if bzImage is not further processed and is attempted to be loaded +directly by EDK2 firmware, it calculates unpadded Authenticode digest and +fails to correct accept/reject such kernel builds even when propoer +Authenticode values are enrolled in db/dbx. One can say EDK2 requires +aligned/padded kernels in Secureboot. + +Thus add ALIGN(8) to the .modinfo section, to esure kernels irrespective of +modinfo contents can be loaded by all existing EDK2 firmware builds. + +Fixes: 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped") +Cc: stable@vger.kernel.org +Signed-off-by: Dimitri John Ledkov +Link: https://patch.msgid.link/20251026202100.679989-1-dimitri.ledkov@surgut.co.uk +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +--- + include/asm-generic/vmlinux.lds.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h +index 8a9a2e732a65..e04d56a5332e 100644 +--- a/include/asm-generic/vmlinux.lds.h ++++ b/include/asm-generic/vmlinux.lds.h +@@ -832,7 +832,7 @@ defined(CONFIG_AUTOFDO_CLANG) || defined(CONFIG_PROPELLER_CLANG) + + /* Required sections not related to debugging. */ + #define ELF_DETAILS \ +- .modinfo : { *(.modinfo) } \ ++ .modinfo : { *(.modinfo) . = ALIGN(8); } \ + .comment 0 : { *(.comment) } \ + .symtab 0 : { *(.symtab) } \ + .strtab 0 : { *(.strtab) } \ +-- +2.51.2 + diff --git a/queue-6.17/perf-x86-intel-fix-kasan-global-out-of-bounds-warning.patch b/queue-6.17/perf-x86-intel-fix-kasan-global-out-of-bounds-warning.patch new file mode 100644 index 0000000000..ad3e6049e8 --- /dev/null +++ b/queue-6.17/perf-x86-intel-fix-kasan-global-out-of-bounds-warning.patch @@ -0,0 +1,57 @@ +From 0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251 Mon Sep 17 00:00:00 2001 +From: Dapeng Mi +Date: Tue, 28 Oct 2025 14:42:14 +0800 +Subject: perf/x86/intel: Fix KASAN global-out-of-bounds warning + +From: Dapeng Mi + +commit 0ba6502ce167fc3d598c08c2cc3b4ed7ca5aa251 upstream. + +When running "perf mem record" command on CWF, the below KASAN +global-out-of-bounds warning is seen. + + ================================================================== + BUG: KASAN: global-out-of-bounds in cmt_latency_data+0x176/0x1b0 + Read of size 4 at addr ffffffffb721d000 by task dtlb/9850 + + Call Trace: + + kasan_report+0xb8/0xf0 + cmt_latency_data+0x176/0x1b0 + setup_arch_pebs_sample_data+0xf49/0x2560 + intel_pmu_drain_arch_pebs+0x577/0xb00 + handle_pmi_common+0x6c4/0xc80 + +The issue is caused by below code in __grt_latency_data(). The code +tries to access x86_hybrid_pmu structure which doesn't exist on +non-hybrid platform like CWF. + + WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big) + +So add is_hybrid() check before calling this WARN_ON_ONCE to fix the +global-out-of-bounds access issue. + +Fixes: 090262439f66 ("perf/x86/intel: Rename model-specific pebs_latency_data functions") +Reported-by: Xudong Hao +Signed-off-by: Dapeng Mi +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Zide Chen +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/20251028064214.1451968-1-dapeng1.mi@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/ds.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -317,7 +317,8 @@ static u64 __grt_latency_data(struct per + { + u64 val; + +- WARN_ON_ONCE(hybrid_pmu(event->pmu)->pmu_type == hybrid_big); ++ WARN_ON_ONCE(is_hybrid() && ++ hybrid_pmu(event->pmu)->pmu_type == hybrid_big); + + dse &= PERF_PEBS_DATA_SOURCE_GRT_MASK; + val = hybrid_var(event->pmu, pebs_data_source)[dse]; diff --git a/queue-6.17/regmap-irq-correct-documentation-of-wake_invert-flag.patch b/queue-6.17/regmap-irq-correct-documentation-of-wake_invert-flag.patch new file mode 100644 index 0000000000..ada2a93833 --- /dev/null +++ b/queue-6.17/regmap-irq-correct-documentation-of-wake_invert-flag.patch @@ -0,0 +1,34 @@ +From 48cbf50531d8eca15b8a811717afdebb8677de9b Mon Sep 17 00:00:00 2001 +From: Shawn Guo +Date: Fri, 24 Oct 2025 16:23:44 +0800 +Subject: regmap: irq: Correct documentation of wake_invert flag + +From: Shawn Guo + +commit 48cbf50531d8eca15b8a811717afdebb8677de9b upstream. + +Per commit 9442490a0286 ("regmap: irq: Support wake IRQ mask inversion") +the wake_invert flag is to support enable register, so cleared bits are +wake disabled. + +Fixes: 68622bdfefb9 ("regmap: irq: document mask/wake_invert flags") +Cc: stable@vger.kernel.org +Signed-off-by: Shawn Guo +Link: https://patch.msgid.link/20251024082344.2188895-1-shawnguo2@yeah.net +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/regmap.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/regmap.h ++++ b/include/linux/regmap.h +@@ -1643,7 +1643,7 @@ struct regmap_irq_chip_data; + * @status_invert: Inverted status register: cleared bits are active interrupts. + * @status_is_level: Status register is actuall signal level: Xor status + * register with previous value to get active interrupts. +- * @wake_invert: Inverted wake register: cleared bits are wake enabled. ++ * @wake_invert: Inverted wake register: cleared bits are wake disabled. + * @type_in_mask: Use the mask registers for controlling irq type. Use this if + * the hardware provides separate bits for rising/falling edge + * or low/high level interrupts and they should be combined into diff --git a/queue-6.17/regmap-slimbus-fix-bus_context-pointer-in-regmap-init-calls.patch b/queue-6.17/regmap-slimbus-fix-bus_context-pointer-in-regmap-init-calls.patch new file mode 100644 index 0000000000..d7c56186bf --- /dev/null +++ b/queue-6.17/regmap-slimbus-fix-bus_context-pointer-in-regmap-init-calls.patch @@ -0,0 +1,98 @@ +From 434f7349a1f00618a620b316f091bd13a12bc8d2 Mon Sep 17 00:00:00 2001 +From: Alexey Klimov +Date: Wed, 22 Oct 2025 21:10:12 +0100 +Subject: regmap: slimbus: fix bus_context pointer in regmap init calls + +From: Alexey Klimov + +commit 434f7349a1f00618a620b316f091bd13a12bc8d2 upstream. + +Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in +wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap. +That commit breaks audio playback, for instance, on sdm845 Thundercomm +Dragonboard 845c board: + + Unable to handle kernel paging request at virtual address ffff8000847cbad4 + ... + CPU: 5 UID: 0 PID: 776 Comm: aplay Not tainted 6.18.0-rc1-00028-g7ea30958b305 #11 PREEMPT + Hardware name: Thundercomm Dragonboard 845c (DT) + ... + Call trace: + slim_xfer_msg+0x24/0x1ac [slimbus] (P) + slim_read+0x48/0x74 [slimbus] + regmap_slimbus_read+0x18/0x24 [regmap_slimbus] + _regmap_raw_read+0xe8/0x174 + _regmap_bus_read+0x44/0x80 + _regmap_read+0x60/0xd8 + _regmap_update_bits+0xf4/0x140 + _regmap_select_page+0xa8/0x124 + _regmap_raw_write_impl+0x3b8/0x65c + _regmap_bus_raw_write+0x60/0x80 + _regmap_write+0x58/0xc0 + regmap_write+0x4c/0x80 + wcd934x_hw_params+0x494/0x8b8 [snd_soc_wcd934x] + snd_soc_dai_hw_params+0x3c/0x7c [snd_soc_core] + __soc_pcm_hw_params+0x22c/0x634 [snd_soc_core] + dpcm_be_dai_hw_params+0x1d4/0x38c [snd_soc_core] + dpcm_fe_dai_hw_params+0x9c/0x17c [snd_soc_core] + snd_pcm_hw_params+0x124/0x464 [snd_pcm] + snd_pcm_common_ioctl+0x110c/0x1820 [snd_pcm] + snd_pcm_ioctl+0x34/0x4c [snd_pcm] + __arm64_sys_ioctl+0xac/0x104 + invoke_syscall+0x48/0x104 + el0_svc_common.constprop.0+0x40/0xe0 + do_el0_svc+0x1c/0x28 + el0_svc+0x34/0xec + el0t_64_sync_handler+0xa0/0xf0 + el0t_64_sync+0x198/0x19c + +The __devm_regmap_init_slimbus() started to be used instead of +__regmap_init_slimbus() after the commit mentioned above and turns out +the incorrect bus_context pointer (3rd argument) was used in +__devm_regmap_init_slimbus(). It should be just "slimbus" (which is equal +to &slimbus->dev). Correct it. The wcd934x codec seems to be the only or +the first user of devm_regmap_init_slimbus() but we should fix it till +the point where __devm_regmap_init_slimbus() was introduced therefore +two "Fixes" tags. + +While at this, also correct the same argument in __regmap_init_slimbus(). + +Fixes: 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") +Fixes: 7d6f7fb053ad ("regmap: add SLIMbus support") +Cc: stable@vger.kernel.org +Cc: Dmitry Baryshkov +Cc: Ma Ke +Cc: Steev Klimaszewski +Cc: Srinivas Kandagatla +Reviewed-by: Abel Vesa +Signed-off-by: Alexey Klimov +Reviewed-by: Dmitry Baryshkov +Link: https://patch.msgid.link/20251022201013.1740211-1-alexey.klimov@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap-slimbus.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/base/regmap/regmap-slimbus.c ++++ b/drivers/base/regmap/regmap-slimbus.c +@@ -48,8 +48,7 @@ struct regmap *__regmap_init_slimbus(str + if (IS_ERR(bus)) + return ERR_CAST(bus); + +- return __regmap_init(&slimbus->dev, bus, &slimbus->dev, config, +- lock_key, lock_name); ++ return __regmap_init(&slimbus->dev, bus, slimbus, config, lock_key, lock_name); + } + EXPORT_SYMBOL_GPL(__regmap_init_slimbus); + +@@ -63,8 +62,7 @@ struct regmap *__devm_regmap_init_slimbu + if (IS_ERR(bus)) + return ERR_CAST(bus); + +- return __devm_regmap_init(&slimbus->dev, bus, &slimbus, config, +- lock_key, lock_name); ++ return __devm_regmap_init(&slimbus->dev, bus, slimbus, config, lock_key, lock_name); + } + EXPORT_SYMBOL_GPL(__devm_regmap_init_slimbus); + diff --git a/queue-6.17/s390-disable-arch_want_optimize_hugetlb_vmemmap.patch b/queue-6.17/s390-disable-arch_want_optimize_hugetlb_vmemmap.patch new file mode 100644 index 0000000000..24799f2f87 --- /dev/null +++ b/queue-6.17/s390-disable-arch_want_optimize_hugetlb_vmemmap.patch @@ -0,0 +1,52 @@ +From 64e2f60f355e556337fcffe80b9bcff1b22c9c42 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Thu, 30 Oct 2025 15:55:05 +0100 +Subject: s390: Disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP + +From: Heiko Carstens + +commit 64e2f60f355e556337fcffe80b9bcff1b22c9c42 upstream. + +As reported by Luiz Capitulino enabling HVO on s390 leads to reproducible +crashes. The problem is that kernel page tables are modified without +flushing corresponding TLB entries. + +Even if it looks like the empty flush_tlb_all() implementation on s390 is +the problem, it is actually a different problem: on s390 it is not allowed +to replace an active/valid page table entry with another valid page table +entry without the detour over an invalid entry. A direct replacement may +lead to random crashes and/or data corruption. + +In order to invalidate an entry special instructions have to be used +(e.g. ipte or idte). Alternatively there are also special instructions +available which allow to replace a valid entry with a different valid +entry (e.g. crdte or cspg). + +Given that the HVO code currently does not provide the hooks to allow for +an implementation which is compliant with the s390 architecture +requirements, disable ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP again, which is +basically a revert of the original patch which enabled it. + +Reported-by: Luiz Capitulino +Closes: https://lore.kernel.org/all/20251028153930.37107-1-luizcap@redhat.com/ +Fixes: 00a34d5a99c0 ("s390: select ARCH_WANT_HUGETLB_PAGE_OPTIMIZE_VMEMMAP") +Cc: stable@vger.kernel.org +Tested-by: Luiz Capitulino +Reviewed-by: Gerald Schaefer +Reviewed-by: David Hildenbrand +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/s390/Kconfig ++++ b/arch/s390/Kconfig +@@ -151,7 +151,6 @@ config S390 + select ARCH_WANT_IRQS_OFF_ACTIVATE_MM + select ARCH_WANT_KERNEL_PMD_MKWRITE + select ARCH_WANT_LD_ORPHAN_WARN +- select ARCH_WANT_OPTIMIZE_HUGETLB_VMEMMAP + select ARCH_WANTS_THP_SWAP + select BUILDTIME_TABLE_SORT + select CLONE_BACKWARDS2 diff --git a/queue-6.17/s390-mm-fix-memory-leak-in-add_marker-when-kvrealloc-fails.patch b/queue-6.17/s390-mm-fix-memory-leak-in-add_marker-when-kvrealloc-fails.patch new file mode 100644 index 0000000000..94095e7a13 --- /dev/null +++ b/queue-6.17/s390-mm-fix-memory-leak-in-add_marker-when-kvrealloc-fails.patch @@ -0,0 +1,69 @@ +From 07ad45e06b4039adf96882aefcb1d3299fb7c305 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 27 Oct 2025 23:08:38 +0800 +Subject: s390/mm: Fix memory leak in add_marker() when kvrealloc() fails + +From: Miaoqian Lin + +commit 07ad45e06b4039adf96882aefcb1d3299fb7c305 upstream. + +The function has a memory leak when kvrealloc() fails. +The function directly assigns NULL to the markers pointer, losing the +reference to the previously allocated memory. This causes kvfree() in +pt_dump_init() to free NULL instead of the leaked memory. + +Fix by: +1. Using kvrealloc() uniformly for all allocations +2. Using a temporary variable to preserve the original pointer until + allocation succeeds +3. Removing the error path that sets markers_cnt=0 to keep + consistency between markers and markers_cnt + +Found via static analysis and this is similar to commit 42378a9ca553 +("bpf, verifier: Fix memory leak in array reallocation for stack state") + +Fixes: d0e7915d2ad3 ("s390/mm/ptdump: Generate address marker array dynamically") +Cc: stable@vger.kernel.org +Signed-off-by: Miaoqian Lin +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/mm/dump_pagetables.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +--- a/arch/s390/mm/dump_pagetables.c ++++ b/arch/s390/mm/dump_pagetables.c +@@ -291,16 +291,14 @@ static int ptdump_cmp(const void *a, con + + static int add_marker(unsigned long start, unsigned long end, const char *name) + { +- size_t oldsize, newsize; ++ struct addr_marker *new; ++ size_t newsize; + +- oldsize = markers_cnt * sizeof(*markers); +- newsize = oldsize + 2 * sizeof(*markers); +- if (!oldsize) +- markers = kvmalloc(newsize, GFP_KERNEL); +- else +- markers = kvrealloc(markers, newsize, GFP_KERNEL); +- if (!markers) +- goto error; ++ newsize = (markers_cnt + 2) * sizeof(*markers); ++ new = kvrealloc(markers, newsize, GFP_KERNEL); ++ if (!new) ++ return -ENOMEM; ++ markers = new; + markers[markers_cnt].is_start = 1; + markers[markers_cnt].start_address = start; + markers[markers_cnt].size = end - start; +@@ -312,9 +310,6 @@ static int add_marker(unsigned long star + markers[markers_cnt].name = name; + markers_cnt++; + return 0; +-error: +- markers_cnt = 0; +- return -ENOMEM; + } + + static int pt_dump_init(void) diff --git a/queue-6.17/s390-pci-avoid-deadlock-between-pci-error-recovery-and-mlx5-crdump.patch b/queue-6.17/s390-pci-avoid-deadlock-between-pci-error-recovery-and-mlx5-crdump.patch new file mode 100644 index 0000000000..64a7388ec3 --- /dev/null +++ b/queue-6.17/s390-pci-avoid-deadlock-between-pci-error-recovery-and-mlx5-crdump.patch @@ -0,0 +1,115 @@ +From 0fd20f65df6aa430454a0deed8f43efa91c54835 Mon Sep 17 00:00:00 2001 +From: Gerd Bayer +Date: Thu, 16 Oct 2025 11:27:03 +0200 +Subject: s390/pci: Avoid deadlock between PCI error recovery and mlx5 crdump + +From: Gerd Bayer + +commit 0fd20f65df6aa430454a0deed8f43efa91c54835 upstream. + +Do not block PCI config accesses through pci_cfg_access_lock() when +executing the s390 variant of PCI error recovery: Acquire just +device_lock() instead of pci_dev_lock() as powerpc's EEH and +generig PCI AER processing do. + +During error recovery testing a pair of tasks was reported to be hung: + +mlx5_core 0000:00:00.1: mlx5_health_try_recover:338:(pid 5553): health recovery flow aborted, PCI reads still not working +INFO: task kmcheck:72 blocked for more than 122 seconds. + Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:kmcheck state:D stack:0 pid:72 tgid:72 ppid:2 flags:0x00000000 +Call Trace: + [<000000065256f030>] __schedule+0x2a0/0x590 + [<000000065256f356>] schedule+0x36/0xe0 + [<000000065256f572>] schedule_preempt_disabled+0x22/0x30 + [<0000000652570a94>] __mutex_lock.constprop.0+0x484/0x8a8 + [<000003ff800673a4>] mlx5_unload_one+0x34/0x58 [mlx5_core] + [<000003ff8006745c>] mlx5_pci_err_detected+0x94/0x140 [mlx5_core] + [<0000000652556c5a>] zpci_event_attempt_error_recovery+0xf2/0x398 + [<0000000651b9184a>] __zpci_event_error+0x23a/0x2c0 +INFO: task kworker/u1664:6:1514 blocked for more than 122 seconds. + Not tainted 5.14.0-570.12.1.bringup7.el9.s390x #1 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:kworker/u1664:6 state:D stack:0 pid:1514 tgid:1514 ppid:2 flags:0x00000000 +Workqueue: mlx5_health0000:00:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core] +Call Trace: + [<000000065256f030>] __schedule+0x2a0/0x590 + [<000000065256f356>] schedule+0x36/0xe0 + [<0000000652172e28>] pci_wait_cfg+0x80/0xe8 + [<0000000652172f94>] pci_cfg_access_lock+0x74/0x88 + [<000003ff800916b6>] mlx5_vsc_gw_lock+0x36/0x178 [mlx5_core] + [<000003ff80098824>] mlx5_crdump_collect+0x34/0x1c8 [mlx5_core] + [<000003ff80074b62>] mlx5_fw_fatal_reporter_dump+0x6a/0xe8 [mlx5_core] + [<0000000652512242>] devlink_health_do_dump.part.0+0x82/0x168 + [<0000000652513212>] devlink_health_report+0x19a/0x230 + [<000003ff80075a12>] mlx5_fw_fatal_reporter_err_work+0xba/0x1b0 [mlx5_core] + +No kernel log of the exact same error with an upstream kernel is +available - but the very same deadlock situation can be constructed there, +too: + +- task: kmcheck + mlx5_unload_one() tries to acquire devlink lock while the PCI error + recovery code has set pdev->block_cfg_access by way of + pci_cfg_access_lock() +- task: kworker + mlx5_crdump_collect() tries to set block_cfg_access through + pci_cfg_access_lock() while devlink_health_report() had acquired + the devlink lock. + +A similar deadlock situation can be reproduced by requesting a +crdump with + > devlink health dump show pci/ reporter fw_fatal + +while PCI error recovery is executed on the same physical function +by mlx5_core's pci_error_handlers. On s390 this can be injected with + > zpcictl --reset-fw + +Tests with this patch failed to reproduce that second deadlock situation, +the devlink command is rejected with "kernel answers: Permission denied" - +and we get a kernel log message of: + +mlx5_core 1ed0:00:00.1: mlx5_crdump_collect:50:(pid 254382): crdump: failed to lock vsc gw err -5 + +because the config read of VSC_SEMAPHORE is rejected by the underlying +hardware. + +Two prior attempts to address this issue have been discussed and +ultimately rejected [see link], with the primary argument that s390's +implementation of PCI error recovery is imposing restrictions that +neither powerpc's EEH nor PCI AER handling need. Tests show that PCI +error recovery on s390 is running to completion even without blocking +access to PCI config space. + +Link: https://lore.kernel.org/all/20251007144826.2825134-1-gbayer@linux.ibm.com/ +Cc: stable@vger.kernel.org +Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery") +Reviewed-by: Niklas Schnelle +Signed-off-by: Gerd Bayer +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/pci/pci_event.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/pci/pci_event.c ++++ b/arch/s390/pci/pci_event.c +@@ -187,7 +187,7 @@ static pci_ers_result_t zpci_event_attem + * is unbound or probed and that userspace can't access its + * configuration space while we perform recovery. + */ +- pci_dev_lock(pdev); ++ device_lock(&pdev->dev); + if (pdev->error_state == pci_channel_io_perm_failure) { + ers_res = PCI_ERS_RESULT_DISCONNECT; + goto out_unlock; +@@ -254,7 +254,7 @@ static pci_ers_result_t zpci_event_attem + if (driver->err_handler->resume) + driver->err_handler->resume(pdev); + out_unlock: +- pci_dev_unlock(pdev); ++ device_unlock(&pdev->dev); + zpci_report_status(zdev, "recovery", status_str); + + return ers_res; diff --git a/queue-6.17/series b/queue-6.17/series index 8b7a893086..c2380537e6 100644 --- a/queue-6.17/series +++ b/queue-6.17/series @@ -84,3 +84,26 @@ drm-amd-pm-powerplay-smumgr-fix-pciebootlinklevel-va.patch-25933 drm-amdgpu-fix-spdx-headers-on-amdgpu_cper.c-h.patch drm-amdgpu-fix-spdx-header-on-amd_cper.h.patch drm-amdgpu-fix-spdx-header-on-irqsrcs_vcn_5_0.h.patch +acpi-fan-use-acpi-handle-when-retrieving-_fst.patch +block-fix-op_is_zone_mgmt-to-handle-req_op_zone_reset_all.patch +block-make-req_op_zone_open-a-write-operation.patch +dma-fence-fix-safe-access-wrapper-to-call-timeline-name-method.patch +kbuild-align-modinfo-section-for-secureboot-authenticode-edk2-compat.patch +perf-x86-intel-fix-kasan-global-out-of-bounds-warning.patch +regmap-slimbus-fix-bus_context-pointer-in-regmap-init-calls.patch +regmap-irq-correct-documentation-of-wake_invert-flag.patch +s390-pci-avoid-deadlock-between-pci-error-recovery-and-mlx5-crdump.patch +s390-disable-arch_want_optimize_hugetlb_vmemmap.patch +s390-mm-fix-memory-leak-in-add_marker-when-kvrealloc-fails.patch +drm-xe-do-not-wake-device-during-a-gt-reset.patch +drm-sysfb-do-not-dereference-null-pointer-in-plane-reset.patch +drm-sched-avoid-killing-parent-entity-on-child-sigkill.patch +drm-sched-fix-race-in-drm_sched_entity_select_rq.patch +drm-nouveau-fix-race-in-nouveau_sched_fini.patch +drm-mediatek-fix-device-use-after-free-on-unbind.patch +drm-i915-dmc-clear-hrr-evt_ctl-htp-to-zero-on-adl-s.patch +drm-ast-clear-preserved-bits-from-register-output-value.patch +drm-amd-check-that-vpe-has-reached-dpm0-in-idle-handler.patch +drm-amd-display-fix-incorrect-return-of-vblank-enable-on-unconfigured-crtc.patch +drm-amd-display-don-t-program-blndgam_mem_pwr_force-when-cm-low-power-is-disabled-on-dcn30.patch +drm-amd-display-add-hdr-workaround-for-a-specific-edp.patch