From: Greg Kroah-Hartman Date: Tue, 22 Apr 2025 06:35:10 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v6.1.135~112 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9b980afbf166363786bec16d9e653c05c90cdd31;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: drm-amd-display-add-hp-probook-445-and-465-to-the-quirk-list-for-edp-on-dp1.patch drm-amd-display-do-not-enable-replay-and-psr-while-vrr-is-on-in-amdgpu_dm_commit_planes.patch drm-amd-display-protect-fpu-in-dml21_copy.patch drm-amd-display-protect-fpu-in-dml2_init-dml21_init.patch drm-amd-display-protect-fpu-in-dml2_validate-dml21_validate.patch drm-amdgpu-dma_buf-fix-page_link-check.patch drm-amdgpu-fix-warning-of-drm_mm_clean.patch drm-amdgpu-immediately-use-gtt-for-new-allocations.patch drm-amdgpu-mes11-optimize-mes-pipe-fw-version-fetching.patch drm-i915-gvt-fix-unterminated-string-initialization-warning.patch drm-imagination-fix-firmware-memory-leaks.patch drm-imagination-take-paired-job-reference.patch drm-mgag200-fix-value-in-vblkstr-register.patch drm-nouveau-prime-fix-ttm_bo_delayed_delete-oops.patch drm-sti-remove-duplicate-object-names.patch drm-xe-dma_buf-stop-relying-on-placement-in-unmap.patch drm-xe-fix-an-out-of-bounds-shift-when-invalidating-tlb.patch drm-xe-set-lrc-addresses-before-guc-load.patch drm-xe-userptr-fix-notifier-vs-folio-deadlock.patch --- diff --git a/queue-6.12/drm-amd-display-add-hp-probook-445-and-465-to-the-quirk-list-for-edp-on-dp1.patch b/queue-6.12/drm-amd-display-add-hp-probook-445-and-465-to-the-quirk-list-for-edp-on-dp1.patch new file mode 100644 index 0000000000..25c6180519 --- /dev/null +++ b/queue-6.12/drm-amd-display-add-hp-probook-445-and-465-to-the-quirk-list-for-edp-on-dp1.patch @@ -0,0 +1,51 @@ +From 139e99d58e373bd11f085766e681d21d34d0b097 Mon Sep 17 00:00:00 2001 +From: Mario Limonciello +Date: Thu, 6 Mar 2025 11:29:20 -0600 +Subject: drm/amd/display: Add HP Probook 445 and 465 to the quirk list for eDP on DP1 + +From: Mario Limonciello + +commit 139e99d58e373bd11f085766e681d21d34d0b097 upstream. + +[Why] +HP Probook 445 and 465 has DP0 and DP1 swapped. + +[How] +Add HP Probook 445 and 465 to DP0/DP1 swap quirk list. + +Cc: stable@vger.kernel.org +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3995 +Reviewed-by: Alex Hung +Signed-off-by: Mario Limonciello +Signed-off-by: Roman Li +Tested-by: Anson Tsao +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -1704,6 +1704,20 @@ static const struct dmi_system_id dmi_qu + DMI_MATCH(DMI_PRODUCT_NAME, "HP EliteBook 665 16 inch G11 Notebook PC"), + }, + }, ++ { ++ .callback = edp0_on_dp1_callback, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP ProBook 445 14 inch G11 Notebook PC"), ++ }, ++ }, ++ { ++ .callback = edp0_on_dp1_callback, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "HP"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "HP ProBook 465 16 inch G11 Notebook PC"), ++ }, ++ }, + {} + /* TODO: refactor this from a fixed table to a dynamic option */ + }; diff --git a/queue-6.12/drm-amd-display-do-not-enable-replay-and-psr-while-vrr-is-on-in-amdgpu_dm_commit_planes.patch b/queue-6.12/drm-amd-display-do-not-enable-replay-and-psr-while-vrr-is-on-in-amdgpu_dm_commit_planes.patch new file mode 100644 index 0000000000..6d073562de --- /dev/null +++ b/queue-6.12/drm-amd-display-do-not-enable-replay-and-psr-while-vrr-is-on-in-amdgpu_dm_commit_planes.patch @@ -0,0 +1,66 @@ +From 69a46ce1f15b4391c128d581f6936750f9bfa052 Mon Sep 17 00:00:00 2001 +From: Tom Chung +Date: Wed, 19 Mar 2025 16:31:31 +0800 +Subject: drm/amd/display: Do not enable Replay and PSR while VRR is on in amdgpu_dm_commit_planes() + +From: Tom Chung + +commit 69a46ce1f15b4391c128d581f6936750f9bfa052 upstream. + +[Why] +Replay and PSR will cause some video corruption while VRR is enabled. + +[How] +Do not enable the Replay and PSR while VRR is active in +amdgpu_dm_enable_self_refresh(). + +Fixes: 67edb81d6e9a ("drm/amd/display: Disable replay and psr while VRR is enabled") +Reviewed-by: Sun peng Li +Signed-off-by: Tom Chung +Signed-off-by: Fangzhi Zuo +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c +index 36a830a7440f..87058271b00c 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_crtc.c +@@ -113,6 +113,7 @@ bool amdgpu_dm_crtc_vrr_active(const struct dm_crtc_state *dm_state) + * + * Panel Replay and PSR SU + * - Enable when: ++ * - VRR is disabled + * - vblank counter is disabled + * - entry is allowed: usermode demonstrates an adequate number of fast + * commits) +@@ -131,19 +132,20 @@ static void amdgpu_dm_crtc_set_panel_sr_feature( + bool is_sr_active = (link->replay_settings.replay_allow_active || + link->psr_settings.psr_allow_active); + bool is_crc_window_active = false; ++ bool vrr_active = amdgpu_dm_crtc_vrr_active_irq(vblank_work->acrtc); + + #ifdef CONFIG_DRM_AMD_SECURE_DISPLAY + is_crc_window_active = + amdgpu_dm_crc_window_is_activated(&vblank_work->acrtc->base); + #endif + +- if (link->replay_settings.replay_feature_enabled && ++ if (link->replay_settings.replay_feature_enabled && !vrr_active && + allow_sr_entry && !is_sr_active && !is_crc_window_active) { + amdgpu_dm_replay_enable(vblank_work->stream, true); + } else if (vblank_enabled) { + if (link->psr_settings.psr_version < DC_PSR_VERSION_SU_1 && is_sr_active) + amdgpu_dm_psr_disable(vblank_work->stream, false); +- } else if (link->psr_settings.psr_feature_enabled && ++ } else if (link->psr_settings.psr_feature_enabled && !vrr_active && + allow_sr_entry && !is_sr_active && !is_crc_window_active) { + + struct amdgpu_dm_connector *aconn = +-- +2.49.0 + diff --git a/queue-6.12/drm-amd-display-protect-fpu-in-dml21_copy.patch b/queue-6.12/drm-amd-display-protect-fpu-in-dml21_copy.patch new file mode 100644 index 0000000000..c7583c3af8 --- /dev/null +++ b/queue-6.12/drm-amd-display-protect-fpu-in-dml21_copy.patch @@ -0,0 +1,94 @@ +From 4408b59eeacfea777aae397177f49748cadde5ce Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 27 Mar 2025 17:53:32 +0800 +Subject: drm/amd/display: Protect FPU in dml21_copy() + +From: Huacai Chen + +commit 4408b59eeacfea777aae397177f49748cadde5ce upstream. + +Commit 7da55c27e76749b9 ("drm/amd/display: Remove incorrect FP context +start") removes the FP context protection of dml2_create(), and it said +"All the DC_FP_START/END should be used before call anything from DML2". + +However, dml21_copy() are not protected from their callers, causing such +errors: + + do_fpu invoked from kernel context![#1]: + CPU: 0 UID: 0 PID: 240 Comm: kworker/0:5 Not tainted 6.14.0-rc6+ #1 + Workqueue: events work_for_cpu_fn + pc ffff80000318bd2c ra ffff80000315750c tp 9000000105910000 sp 9000000105913810 + a0 0000000000000000 a1 0000000000000002 a2 900000013140d728 a3 900000013140d720 + a4 0000000000000000 a5 9000000131592d98 a6 0000000000017ae8 a7 00000000001312d0 + t0 9000000130751ff0 t1 ffff800003790000 t2 ffff800003790000 t3 9000000131592e28 + t4 000000000004c6a8 t5 00000000001b7740 t6 0000000000023e38 t7 0000000000249f00 + t8 0000000000000002 u0 0000000000000000 s9 900000012b010000 s0 9000000131400000 + s1 9000000130751fd8 s2 ffff800003408000 s3 9000000130752c78 s4 9000000131592da8 + s5 9000000131592120 s6 9000000130751ff0 s7 9000000131592e28 s8 9000000131400008 + ra: ffff80000315750c dml2_top_soc15_initialize_instance+0x20c/0x300 [amdgpu] + ERA: ffff80000318bd2c mcg_dcn4_build_min_clock_table+0x14c/0x600 [amdgpu] + CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) + PRMD: 00000004 (PPLV0 +PIE -PWE) + EUEN: 00000000 (-FPE -SXE -ASXE -BTE) + ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) + ESTAT: 000f0000 [FPD] (IS= ECode=15 EsubCode=0) + PRID: 0014d010 (Loongson-64bit, Loongson-3C6000/S) + Process kworker/0:5 (pid: 240, threadinfo=00000000f1700428, task=0000000020d2e962) + Stack : 0000000000000000 0000000000000000 0000000000000000 9000000130751fd8 + 9000000131400000 ffff8000031574e0 9000000130751ff0 0000000000000000 + 9000000131592e28 0000000000000000 0000000000000000 0000000000000000 + 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + 0000000000000000 0000000000000000 0000000000000000 f9175936df5d7fd2 + 900000012b00ff08 900000012b000000 ffff800003409000 ffff8000034a1780 + 90000001019634c0 900000012b000010 90000001307beeb8 90000001306b0000 + 0000000000000001 ffff8000031942b4 9000000130780000 90000001306c0000 + 9000000130780000 ffff8000031c276c 900000012b044bd0 ffff800003408000 + ... + Call Trace: + [] mcg_dcn4_build_min_clock_table+0x14c/0x600 [amdgpu] + [] dml2_top_soc15_initialize_instance+0x208/0x300 [amdgpu] + [] dml21_create_copy+0x30/0x60 [amdgpu] + [] dc_state_create_copy+0x68/0xe0 [amdgpu] + [] amdgpu_dm_init+0x8c0/0x2060 [amdgpu] + [] dm_hw_init+0x18/0x60 [amdgpu] + [] amdgpu_device_init+0x1938/0x27e0 [amdgpu] + [] amdgpu_driver_load_kms+0x20/0xa0 [amdgpu] + [] amdgpu_pci_probe+0x1b0/0x580 [amdgpu] + [<9000000003c7eae4>] local_pci_probe+0x44/0xc0 + [<90000000032f2b18>] work_for_cpu_fn+0x18/0x40 + [<90000000032f5da0>] process_one_work+0x160/0x300 + [<90000000032f6718>] worker_thread+0x318/0x440 + [<9000000003301b8c>] kthread+0x12c/0x220 + [<90000000032b1484>] ret_from_kernel_thread+0x8/0xa4 + +Unfortunately, protecting dml21_copy() out of DML2 causes "sleeping +function called from invalid context", so protect them with DC_FP_START() +and DC_FP_END() inside. + +Fixes: 7da55c27e767 ("drm/amd/display: Remove incorrect FP context start") +Cc: stable@vger.kernel.org +Signed-off-by: Huacai Chen +Reviewed-by: Aurabindo Pillai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c ++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c +@@ -425,8 +425,12 @@ void dml21_copy(struct dml2_context *dst + + dst_dml_ctx->v21.mode_programming.programming = dst_dml2_programming; + ++ DC_FP_START(); ++ + /* need to initialize copied instance for internal references to be correct */ + dml2_initialize_instance(&dst_dml_ctx->v21.dml_init); ++ ++ DC_FP_END(); + } + + bool dml21_create_copy(struct dml2_context **dst_dml_ctx, diff --git a/queue-6.12/drm-amd-display-protect-fpu-in-dml2_init-dml21_init.patch b/queue-6.12/drm-amd-display-protect-fpu-in-dml2_init-dml21_init.patch new file mode 100644 index 0000000000..78b23c62f4 --- /dev/null +++ b/queue-6.12/drm-amd-display-protect-fpu-in-dml2_init-dml21_init.patch @@ -0,0 +1,119 @@ +From afcdf51d97cd58dd7a2e0aa8acbaea5108fa6826 Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 27 Mar 2025 17:53:33 +0800 +Subject: drm/amd/display: Protect FPU in dml2_init()/dml21_init() + +From: Huacai Chen + +commit afcdf51d97cd58dd7a2e0aa8acbaea5108fa6826 upstream. + +Commit 7da55c27e76749b9 ("drm/amd/display: Remove incorrect FP context +start") removes the FP context protection of dml2_create(), and it said +"All the DC_FP_START/END should be used before call anything from DML2". + +However, dml2_init()/dml21_init() are not protected from their callers, +causing such errors: + + do_fpu invoked from kernel context![#1]: + CPU: 0 UID: 0 PID: 239 Comm: kworker/0:5 Not tainted 6.14.0-rc6+ #2 + Workqueue: events work_for_cpu_fn + pc ffff80000319de80 ra ffff80000319de5c tp 900000010575c000 sp 900000010575f840 + a0 0000000000000000 a1 900000012f210130 a2 900000012f000000 a3 ffff80000357e268 + a4 ffff80000357e260 a5 900000012ea52cf0 a6 0000000400000004 a7 0000012c00001388 + t0 00001900000015e0 t1 ffff80000379d000 t2 0000000010624dd3 t3 0000006400000014 + t4 00000000000003e8 t5 0000005000000018 t6 0000000000000020 t7 0000000f00000064 + t8 000000000000002f u0 5f5e9200f8901912 s9 900000012d380010 s0 900000012ea51fd8 + s1 900000012f000000 s2 9000000109296000 s3 0000000000000001 s4 0000000000001fd8 + s5 0000000000000001 s6 ffff800003415000 s7 900000012d390000 s8 ffff800003211f80 + ra: ffff80000319de5c dml21_apply_soc_bb_overrides+0x3c/0x960 [amdgpu] + ERA: ffff80000319de80 dml21_apply_soc_bb_overrides+0x60/0x960 [amdgpu] + CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) + PRMD: 00000004 (PPLV0 +PIE -PWE) + EUEN: 00000000 (-FPE -SXE -ASXE -BTE) + ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) + ESTAT: 000f0000 [FPD] (IS= ECode=15 EsubCode=0) + PRID: 0014d010 (Loongson-64bit, Loongson-3C6000/S) + Process kworker/0:5 (pid: 239, threadinfo=00000000927eadc6, task=000000008fd31682) + Stack : 00040dc000003164 0000000000000001 900000012f210130 900000012eabeeb8 + 900000012f000000 ffff80000319fe48 900000012f210000 900000012f210130 + 900000012f000000 900000012eabeeb8 0000000000000001 ffff8000031a0064 + 900000010575f9f0 900000012f210130 900000012eac0000 900000012ea80000 + 900000012f000000 ffff8000031cefc4 900000010575f9f0 ffff8000035859c0 + ffff800003414000 900000010575fa78 900000012f000000 ffff8000031b4c50 + 0000000000000000 9000000101c9d700 9000000109c40000 5f5e9200f8901912 + 900000012d3c4bd0 900000012d3c5000 ffff8000034aed18 900000012d380010 + 900000012d3c4bd0 ffff800003414000 900000012d380000 ffff800002ea49dc + 0000000000000001 900000012d3c6000 00000000ffffe423 0000000000010000 + ... + Call Trace: + [] dml21_apply_soc_bb_overrides+0x60/0x960 [amdgpu] + [] dml21_init+0xa4/0x280 [amdgpu] + [] dml21_create+0x40/0x80 [amdgpu] + [] dc_state_create+0x100/0x160 [amdgpu] + [] dc_create+0x44c/0x640 [amdgpu] + [] amdgpu_dm_init+0x3f8/0x2060 [amdgpu] + [] dm_hw_init+0x18/0x60 [amdgpu] + [] amdgpu_device_init+0x1938/0x27e0 [amdgpu] + [] amdgpu_driver_load_kms+0x20/0xa0 [amdgpu] + [] amdgpu_pci_probe+0x1b0/0x580 [amdgpu] + [<900000000448eae4>] local_pci_probe+0x44/0xc0 + [<9000000003b02b18>] work_for_cpu_fn+0x18/0x40 + [<9000000003b05da0>] process_one_work+0x160/0x300 + [<9000000003b06718>] worker_thread+0x318/0x440 + [<9000000003b11b8c>] kthread+0x12c/0x220 + [<9000000003ac1484>] ret_from_kernel_thread+0x8/0xa4 + +Unfortunately, protecting dml2_init()/dml21_init() out of DML2 causes +"sleeping function called from invalid context", so protect them with +DC_FP_START() and DC_FP_END() inside. + +Fixes: 7da55c27e767 ("drm/amd/display: Remove incorrect FP context start") +Cc: stable@vger.kernel.org +Signed-off-by: Huacai Chen +Reviewed-by: Aurabindo Pillai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 4 ++++ + drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 4 ++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c ++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c +@@ -87,6 +87,8 @@ static void dml21_init(const struct dc * + /* Store configuration options */ + (*dml_ctx)->config = *config; + ++ DC_FP_START(); ++ + /*Initialize SOCBB and DCNIP params */ + dml21_initialize_soc_bb_params(&(*dml_ctx)->v21.dml_init, config, in_dc); + dml21_initialize_ip_params(&(*dml_ctx)->v21.dml_init, config, in_dc); +@@ -97,6 +99,8 @@ static void dml21_init(const struct dc * + + /*Initialize DML21 instance */ + dml2_initialize_instance(&(*dml_ctx)->v21.dml_init); ++ ++ DC_FP_END(); + } + + bool dml21_create(const struct dc *in_dc, struct dml2_context **dml_ctx, const struct dml2_configuration_options *config) +--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c ++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c +@@ -784,11 +784,15 @@ static void dml2_init(const struct dc *i + break; + } + ++ DC_FP_START(); ++ + initialize_dml2_ip_params(*dml2, in_dc, &(*dml2)->v20.dml_core_ctx.ip); + + initialize_dml2_soc_bbox(*dml2, in_dc, &(*dml2)->v20.dml_core_ctx.soc); + + initialize_dml2_soc_states(*dml2, in_dc, &(*dml2)->v20.dml_core_ctx.soc, &(*dml2)->v20.dml_core_ctx.states); ++ ++ DC_FP_END(); + } + + bool dml2_create(const struct dc *in_dc, const struct dml2_configuration_options *config, struct dml2_context **dml2) diff --git a/queue-6.12/drm-amd-display-protect-fpu-in-dml2_validate-dml21_validate.patch b/queue-6.12/drm-amd-display-protect-fpu-in-dml2_validate-dml21_validate.patch new file mode 100644 index 0000000000..245993d7d8 --- /dev/null +++ b/queue-6.12/drm-amd-display-protect-fpu-in-dml2_validate-dml21_validate.patch @@ -0,0 +1,122 @@ +From 366e77cd4923c3aa45341e15dcaf3377af9b042f Mon Sep 17 00:00:00 2001 +From: Huacai Chen +Date: Thu, 27 Mar 2025 17:53:34 +0800 +Subject: drm/amd/display: Protect FPU in dml2_validate()/dml21_validate() + +From: Huacai Chen + +commit 366e77cd4923c3aa45341e15dcaf3377af9b042f upstream. + +Commit 7da55c27e76749b9 ("drm/amd/display: Remove incorrect FP context +start") removes the FP context protection of dml2_create(), and it said +"All the DC_FP_START/END should be used before call anything from DML2". + +However, dml2_validate()/dml21_validate() are not protected from their +callers, causing such errors: + + do_fpu invoked from kernel context![#1]: + CPU: 10 UID: 0 PID: 331 Comm: kworker/10:1H Not tainted 6.14.0-rc6+ #4 + Workqueue: events_highpri dm_irq_work_func [amdgpu] + pc ffff800003191eb0 ra ffff800003191e60 tp 9000000107a94000 sp 9000000107a975b0 + a0 9000000140ce4910 a1 0000000000000000 a2 9000000140ce49b0 a3 9000000140ce49a8 + a4 9000000140ce49a8 a5 0000000100000000 a6 0000000000000001 a7 9000000107a97660 + t0 ffff800003790000 t1 9000000140ce5000 t2 0000000000000001 t3 0000000000000000 + t4 0000000000000004 t5 0000000000000000 t6 0000000000000000 t7 0000000000000000 + t8 0000000100000000 u0 ffff8000031a3b9c s9 9000000130bc0000 s0 9000000132400000 + s1 9000000140ec0000 s2 9000000132400000 s3 9000000140ce0000 s4 90000000057f8b88 + s5 9000000140ec0000 s6 9000000140ce4910 s7 0000000000000001 s8 9000000130d45010 + ra: ffff800003191e60 dml21_map_dc_state_into_dml_display_cfg+0x40/0x1140 [amdgpu] + ERA: ffff800003191eb0 dml21_map_dc_state_into_dml_display_cfg+0x90/0x1140 [amdgpu] + CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE) + PRMD: 00000004 (PPLV0 +PIE -PWE) + EUEN: 00000000 (-FPE -SXE -ASXE -BTE) + ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7) + ESTAT: 000f0000 [FPD] (IS= ECode=15 EsubCode=0) + PRID: 0014d010 (Loongson-64bit, Loongson-3C6000/S) + Process kworker/10:1H (pid: 331, threadinfo=000000007bf9ddb0, task=00000000cc4ab9f3) + Stack : 0000000100000000 0000043800000780 0000000100000001 0000000100000001 + 0000000000000000 0000078000000000 0000000000000438 0000078000000000 + 0000000000000438 0000078000000000 0000000000000438 0000000100000000 + 0000000100000000 0000000100000000 0000000100000000 0000000100000000 + 0000000000000001 9000000140ec0000 9000000132400000 9000000132400000 + ffff800003408000 ffff800003408000 9000000132400000 9000000140ce0000 + 9000000140ce0000 ffff800003193850 0000000000000001 9000000140ec0000 + 9000000132400000 9000000140ec0860 9000000140ec0738 0000000000000001 + 90000001405e8000 9000000130bc0000 9000000140ec02a8 ffff8000031b5db8 + 0000000000000000 0000043800000780 0000000000000003 ffff8000031b79cc + ... + Call Trace: + [] dml21_map_dc_state_into_dml_display_cfg+0x90/0x1140 [amdgpu] + [] dml21_validate+0xcc/0x520 [amdgpu] + [] dc_validate_global_state+0x2e8/0x460 [amdgpu] + [] create_validate_stream_for_sink+0x3d4/0x420 [amdgpu] + [] amdgpu_dm_connector_mode_valid+0x64/0x240 [amdgpu] + [<900000000441d6b8>] drm_connector_mode_valid+0x38/0x80 + [<900000000441d824>] __drm_helper_update_and_validate+0x124/0x3e0 + [<900000000441ddc0>] drm_helper_probe_single_connector_modes+0x2e0/0x620 + [<90000000044050dc>] drm_client_modeset_probe+0x23c/0x1780 + [<9000000004420384>] __drm_fb_helper_initial_config_and_unlock+0x44/0x5a0 + [<9000000004403acc>] drm_client_dev_hotplug+0xcc/0x140 + [] handle_hpd_irq_helper+0x1b0/0x1e0 [amdgpu] + [<90000000038f5da0>] process_one_work+0x160/0x300 + [<90000000038f6718>] worker_thread+0x318/0x440 + [<9000000003901b8c>] kthread+0x12c/0x220 + [<90000000038b1484>] ret_from_kernel_thread+0x8/0xa4 + +Unfortunately, protecting dml2_validate()/dml21_validate() out of DML2 +causes "sleeping function called from invalid context", so protect them +with DC_FP_START() and DC_FP_END() inside. + +Fixes: 7da55c27e767 ("drm/amd/display: Remove incorrect FP context start") +Cc: stable@vger.kernel.org +Signed-off-by: Huacai Chen +Tested-by: Dongyan Qian +Reviewed-by: Aurabindo Pillai +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c | 9 +++++++-- + drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c | 5 +++++ + 2 files changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c ++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml21/dml21_wrapper.c +@@ -277,11 +277,16 @@ bool dml21_validate(const struct dc *in_ + { + bool out = false; + ++ DC_FP_START(); ++ + /* Use dml_validate_only for fast_validate path */ +- if (fast_validate) { ++ if (fast_validate) + out = dml21_check_mode_support(in_dc, context, dml_ctx); +- } else ++ else + out = dml21_mode_check_and_programming(in_dc, context, dml_ctx); ++ ++ DC_FP_END(); ++ + return out; + } + +--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c ++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_wrapper.c +@@ -734,11 +734,16 @@ bool dml2_validate(const struct dc *in_d + return out; + } + ++ DC_FP_START(); ++ + /* Use dml_validate_only for fast_validate path */ + if (fast_validate) + out = dml2_validate_only(context); + else + out = dml2_validate_and_build_resource(in_dc, context); ++ ++ DC_FP_END(); ++ + return out; + } + diff --git a/queue-6.12/drm-amdgpu-dma_buf-fix-page_link-check.patch b/queue-6.12/drm-amdgpu-dma_buf-fix-page_link-check.patch new file mode 100644 index 0000000000..74cef6c4ec --- /dev/null +++ b/queue-6.12/drm-amdgpu-dma_buf-fix-page_link-check.patch @@ -0,0 +1,40 @@ +From c0dd8a9253fadfb8e5357217d085f1989da4ef0a Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Mon, 7 Apr 2025 15:18:25 +0100 +Subject: drm/amdgpu/dma_buf: fix page_link check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +commit c0dd8a9253fadfb8e5357217d085f1989da4ef0a upstream. + +The page_link lower bits of the first sg could contain something like +SG_END, if we are mapping a single VRAM page or contiguous blob which +fits into one sg entry. Rather pull out the struct page, and use that in +our check to know if we mapped struct pages vs VRAM. + +Fixes: f44ffd677fb3 ("drm/amdgpu: add support for exporting VRAM using DMA-buf v3") +Signed-off-by: Matthew Auld +Cc: Christian König +Cc: amd-gfx@lists.freedesktop.org +Cc: # v5.8+ +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c +@@ -181,7 +181,7 @@ static void amdgpu_dma_buf_unmap(struct + struct sg_table *sgt, + enum dma_data_direction dir) + { +- if (sgt->sgl->page_link) { ++ if (sg_page(sgt->sgl)) { + dma_unmap_sgtable(attach->dev, sgt, dir, 0); + sg_free_table(sgt); + kfree(sgt); diff --git a/queue-6.12/drm-amdgpu-fix-warning-of-drm_mm_clean.patch b/queue-6.12/drm-amdgpu-fix-warning-of-drm_mm_clean.patch new file mode 100644 index 0000000000..da0cc67f62 --- /dev/null +++ b/queue-6.12/drm-amdgpu-fix-warning-of-drm_mm_clean.patch @@ -0,0 +1,45 @@ +From e7afa85a0d0eba5bf2c0a446ff622ebdbc9812d6 Mon Sep 17 00:00:00 2001 +From: ZhenGuo Yin +Date: Tue, 8 Apr 2025 16:18:28 +0800 +Subject: drm/amdgpu: fix warning of drm_mm_clean +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: ZhenGuo Yin + +commit e7afa85a0d0eba5bf2c0a446ff622ebdbc9812d6 upstream. + +Kernel doorbell BOs needs to be freed before ttm_fini. + +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4145 +Fixes: 54c30d2a8def ("drm/amdgpu: create kernel doorbell pages") +Acked-by: Alex Deucher +Reviewed-by: Christian König +Signed-off-by: ZhenGuo Yin +Signed-off-by: Alex Deucher +(cherry picked from commit 39938a8ed979e398faa3791a47e282c82bcc6f04) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3322,6 +3322,7 @@ static int amdgpu_device_ip_fini(struct + amdgpu_device_mem_scratch_fini(adev); + amdgpu_ib_pool_fini(adev); + amdgpu_seq64_fini(adev); ++ amdgpu_doorbell_fini(adev); + } + + r = adev->ip_blocks[i].version->funcs->sw_fini((void *)adev); +@@ -4670,7 +4671,6 @@ void amdgpu_device_fini_sw(struct amdgpu + + iounmap(adev->rmmio); + adev->rmmio = NULL; +- amdgpu_doorbell_fini(adev); + drm_dev_exit(idx); + } + diff --git a/queue-6.12/drm-amdgpu-immediately-use-gtt-for-new-allocations.patch b/queue-6.12/drm-amdgpu-immediately-use-gtt-for-new-allocations.patch new file mode 100644 index 0000000000..be80f9d5bc --- /dev/null +++ b/queue-6.12/drm-amdgpu-immediately-use-gtt-for-new-allocations.patch @@ -0,0 +1,42 @@ +From a755906fb2b8370c43e91ba437ae1b3e228e8b02 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20K=C3=B6nig?= +Date: Thu, 20 Mar 2025 14:46:18 +0100 +Subject: drm/amdgpu: immediately use GTT for new allocations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +commit a755906fb2b8370c43e91ba437ae1b3e228e8b02 upstream. + +Only use GTT as a fallback if we already have a backing store. This +prevents evictions when an application constantly allocates and frees new +memory. + +Partially fixes +https://gitlab.freedesktop.org/drm/amd/-/issues/3844#note_2833985. + +Signed-off-by: Christian König +Fixes: 216c1282dde3 ("drm/amdgpu: use GTT only as fallback for VRAM|GTT") +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c +@@ -161,8 +161,8 @@ void amdgpu_bo_placement_from_domain(str + * When GTT is just an alternative to VRAM make sure that we + * only use it as fallback and still try to fill up VRAM first. + */ +- if (domain & abo->preferred_domains & AMDGPU_GEM_DOMAIN_VRAM && +- !(adev->flags & AMD_IS_APU)) ++ if (abo->tbo.resource && !(adev->flags & AMD_IS_APU) && ++ domain & abo->preferred_domains & AMDGPU_GEM_DOMAIN_VRAM) + places[c].flags |= TTM_PL_FLAG_FALLBACK; + c++; + } diff --git a/queue-6.12/drm-amdgpu-mes11-optimize-mes-pipe-fw-version-fetching.patch b/queue-6.12/drm-amdgpu-mes11-optimize-mes-pipe-fw-version-fetching.patch new file mode 100644 index 0000000000..1ff79845eb --- /dev/null +++ b/queue-6.12/drm-amdgpu-mes11-optimize-mes-pipe-fw-version-fetching.patch @@ -0,0 +1,36 @@ +From b71a2bb0ce07f40f92f59ed7f283068e41b10075 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 27 Mar 2025 17:33:49 -0400 +Subject: drm/amdgpu/mes11: optimize MES pipe FW version fetching + +From: Alex Deucher + +commit b71a2bb0ce07f40f92f59ed7f283068e41b10075 upstream. + +Don't fetch it again if we already have it. It seems the +registers don't reliably have the value at resume in some +cases. + +Fixes: 028c3fb37e70 ("drm/amdgpu/mes11: initiate mes v11 support") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4083 +Reviewed-by: Mario Limonciello +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c +@@ -859,6 +859,10 @@ static void mes_v11_0_get_fw_version(str + { + int pipe; + ++ /* return early if we have already fetched these */ ++ if (adev->mes.sched_version && adev->mes.kiq_version) ++ return; ++ + /* get MES scheduler/KIQ versions */ + mutex_lock(&adev->srbm_mutex); + diff --git a/queue-6.12/drm-i915-gvt-fix-unterminated-string-initialization-warning.patch b/queue-6.12/drm-i915-gvt-fix-unterminated-string-initialization-warning.patch new file mode 100644 index 0000000000..41ac8736ff --- /dev/null +++ b/queue-6.12/drm-i915-gvt-fix-unterminated-string-initialization-warning.patch @@ -0,0 +1,59 @@ +From 2e43ae7dd71cd9bb0d1bce1d3306bf77523feb81 Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Thu, 27 Mar 2025 14:47:39 +0200 +Subject: drm/i915/gvt: fix unterminated-string-initialization warning + +From: Jani Nikula + +commit 2e43ae7dd71cd9bb0d1bce1d3306bf77523feb81 upstream. + +Initializing const char opregion_signature[16] = OPREGION_SIGNATURE +(which is "IntelGraphicsMem") drops the NUL termination of the +string. This is intentional, but the compiler doesn't know this. + +Switch to initializing header->signature directly from the string +litaral, with sizeof destination rather than source. We don't treat the +signature as a string other than for initialization; it's really just a +blob of binary data. + +Add a static assert for good measure to cross-check the sizes. + +Reported-by: Kees Cook +Closes: https://lore.kernel.org/r/20250310222355.work.417-kees@kernel.org +Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13934 +Tested-by: Nicolas Chauvet +Tested-by: Damian Tometzki +Cc: stable@vger.kernel.org +Reviewed-by: Zhenyu Wang +Link: https://lore.kernel.org/r/20250327124739.2609656-1-jani.nikula@intel.com +Signed-off-by: Jani Nikula +(cherry picked from commit 4f8207469094bd04aad952258ceb9ff4c77b6bfa) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gvt/opregion.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/gvt/opregion.c ++++ b/drivers/gpu/drm/i915/gvt/opregion.c +@@ -222,7 +222,6 @@ int intel_vgpu_init_opregion(struct inte + u8 *buf; + struct opregion_header *header; + struct vbt v; +- const char opregion_signature[16] = OPREGION_SIGNATURE; + + gvt_dbg_core("init vgpu%d opregion\n", vgpu->id); + vgpu_opregion(vgpu)->va = (void *)__get_free_pages(GFP_KERNEL | +@@ -236,8 +235,10 @@ int intel_vgpu_init_opregion(struct inte + /* emulated opregion with VBT mailbox only */ + buf = (u8 *)vgpu_opregion(vgpu)->va; + header = (struct opregion_header *)buf; +- memcpy(header->signature, opregion_signature, +- sizeof(opregion_signature)); ++ ++ static_assert(sizeof(header->signature) == sizeof(OPREGION_SIGNATURE) - 1); ++ memcpy(header->signature, OPREGION_SIGNATURE, sizeof(header->signature)); ++ + header->size = 0x8; + header->opregion_ver = 0x02000000; + header->mboxes = MBOX_VBT; diff --git a/queue-6.12/drm-imagination-fix-firmware-memory-leaks.patch b/queue-6.12/drm-imagination-fix-firmware-memory-leaks.patch new file mode 100644 index 0000000000..8e178acb9d --- /dev/null +++ b/queue-6.12/drm-imagination-fix-firmware-memory-leaks.patch @@ -0,0 +1,125 @@ +From a5b230e7f3a55bd8bd8d012eec75a4b7baa671d5 Mon Sep 17 00:00:00 2001 +From: Brendan King +Date: Tue, 18 Mar 2025 14:55:55 +0000 +Subject: drm/imagination: fix firmware memory leaks + +From: Brendan King + +commit a5b230e7f3a55bd8bd8d012eec75a4b7baa671d5 upstream. + +Free the memory used to hold the results of firmware image processing +when the module is unloaded. + +Fix the related issue of the same memory being leaked if processing +of the firmware image fails during module load. + +Ensure all firmware GEM objects are destroyed if firmware image +processing fails. + +Fixes memory leaks on powervr module unload detected by Kmemleak: + +unreferenced object 0xffff000042e20000 (size 94208): + comm "modprobe", pid 470, jiffies 4295277154 + hex dump (first 32 bytes): + 02 ae 7f ed bf 45 84 00 3c 5b 1f ed 9f 45 45 05 .....E..<[...EE. + d5 4f 5d 14 6c 00 3d 23 30 d0 3a 4a 66 0e 48 c8 .O].l.=#0.:Jf.H. + backtrace (crc dd329dec): + kmemleak_alloc+0x30/0x40 + ___kmalloc_large_node+0x140/0x188 + __kmalloc_large_node_noprof+0x2c/0x13c + __kmalloc_noprof+0x48/0x4c0 + pvr_fw_init+0xaa4/0x1f50 [powervr] + +unreferenced object 0xffff000042d20000 (size 20480): + comm "modprobe", pid 470, jiffies 4295277154 + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 09 00 00 00 0b 00 00 00 ................ + 00 00 00 00 00 00 00 00 07 00 00 00 08 00 00 00 ................ + backtrace (crc 395b02e3): + kmemleak_alloc+0x30/0x40 + ___kmalloc_large_node+0x140/0x188 + __kmalloc_large_node_noprof+0x2c/0x13c + __kmalloc_noprof+0x48/0x4c0 + pvr_fw_init+0xb0c/0x1f50 [powervr] + +Cc: stable@vger.kernel.org +Fixes: cc1aeedb98ad ("drm/imagination: Implement firmware infrastructure and META FW support") +Signed-off-by: Brendan King +Reviewed-by: Matt Coster +Link: https://lore.kernel.org/r/20250318-ddkopsrc-1339-firmware-related-memory-leak-on-module-unload-v1-1-155337c57bb4@imgtec.com +Signed-off-by: Matt Coster +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/imagination/pvr_fw.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/imagination/pvr_fw.c ++++ b/drivers/gpu/drm/imagination/pvr_fw.c +@@ -732,7 +732,7 @@ pvr_fw_process(struct pvr_device *pvr_de + fw_mem->core_data, fw_mem->core_code_alloc_size); + + if (err) +- goto err_free_fw_core_data_obj; ++ goto err_free_kdata; + + memcpy(fw_code_ptr, fw_mem->code, fw_mem->code_alloc_size); + memcpy(fw_data_ptr, fw_mem->data, fw_mem->data_alloc_size); +@@ -742,10 +742,14 @@ pvr_fw_process(struct pvr_device *pvr_de + memcpy(fw_core_data_ptr, fw_mem->core_data, fw_mem->core_data_alloc_size); + + /* We're finished with the firmware section memory on the CPU, unmap. */ +- if (fw_core_data_ptr) ++ if (fw_core_data_ptr) { + pvr_fw_object_vunmap(fw_mem->core_data_obj); +- if (fw_core_code_ptr) ++ fw_core_data_ptr = NULL; ++ } ++ if (fw_core_code_ptr) { + pvr_fw_object_vunmap(fw_mem->core_code_obj); ++ fw_core_code_ptr = NULL; ++ } + pvr_fw_object_vunmap(fw_mem->data_obj); + fw_data_ptr = NULL; + pvr_fw_object_vunmap(fw_mem->code_obj); +@@ -753,7 +757,7 @@ pvr_fw_process(struct pvr_device *pvr_de + + err = pvr_fw_create_fwif_connection_ctl(pvr_dev); + if (err) +- goto err_free_fw_core_data_obj; ++ goto err_free_kdata; + + return 0; + +@@ -763,13 +767,16 @@ err_free_kdata: + kfree(fw_mem->data); + kfree(fw_mem->code); + +-err_free_fw_core_data_obj: + if (fw_core_data_ptr) +- pvr_fw_object_unmap_and_destroy(fw_mem->core_data_obj); ++ pvr_fw_object_vunmap(fw_mem->core_data_obj); ++ if (fw_mem->core_data_obj) ++ pvr_fw_object_destroy(fw_mem->core_data_obj); + + err_free_fw_core_code_obj: + if (fw_core_code_ptr) +- pvr_fw_object_unmap_and_destroy(fw_mem->core_code_obj); ++ pvr_fw_object_vunmap(fw_mem->core_code_obj); ++ if (fw_mem->core_code_obj) ++ pvr_fw_object_destroy(fw_mem->core_code_obj); + + err_free_fw_data_obj: + if (fw_data_ptr) +@@ -836,6 +843,12 @@ pvr_fw_cleanup(struct pvr_device *pvr_de + struct pvr_fw_mem *fw_mem = &pvr_dev->fw_dev.mem; + + pvr_fw_fini_fwif_connection_ctl(pvr_dev); ++ ++ kfree(fw_mem->core_data); ++ kfree(fw_mem->core_code); ++ kfree(fw_mem->data); ++ kfree(fw_mem->code); ++ + if (fw_mem->core_code_obj) + pvr_fw_object_destroy(fw_mem->core_code_obj); + if (fw_mem->core_data_obj) diff --git a/queue-6.12/drm-imagination-take-paired-job-reference.patch b/queue-6.12/drm-imagination-take-paired-job-reference.patch new file mode 100644 index 0000000000..d2b57abd68 --- /dev/null +++ b/queue-6.12/drm-imagination-take-paired-job-reference.patch @@ -0,0 +1,63 @@ +From 4ba2abe154ef68f9612eee9d6fbfe53a1736b064 Mon Sep 17 00:00:00 2001 +From: Brendan King +Date: Tue, 18 Mar 2025 14:53:13 +0000 +Subject: drm/imagination: take paired job reference + +From: Brendan King + +commit 4ba2abe154ef68f9612eee9d6fbfe53a1736b064 upstream. + +For paired jobs, have the fragment job take a reference on the +geometry job, so that the geometry job cannot be freed until +the fragment job has finished with it. + +The geometry job structure is accessed when the fragment job is being +prepared by the GPU scheduler. Taking the reference prevents the +geometry job being freed until the fragment job no longer requires it. + +Fixes a use after free bug detected by KASAN: + +[ 124.256386] BUG: KASAN: slab-use-after-free in pvr_queue_prepare_job+0x108/0x868 [powervr] +[ 124.264893] Read of size 1 at addr ffff0000084cb960 by task kworker/u16:4/63 + +Cc: stable@vger.kernel.org +Fixes: eaf01ee5ba28 ("drm/imagination: Implement job submission and scheduling") +Signed-off-by: Brendan King +Reviewed-by: Matt Coster +Link: https://lore.kernel.org/r/20250318-ddkopsrc-1337-use-after-free-in-pvr_queue_prepare_job-v1-1-80fb30d044a6@imgtec.com +Signed-off-by: Matt Coster +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/imagination/pvr_job.c | 7 +++++++ + drivers/gpu/drm/imagination/pvr_queue.c | 4 ++++ + 2 files changed, 11 insertions(+) + +--- a/drivers/gpu/drm/imagination/pvr_job.c ++++ b/drivers/gpu/drm/imagination/pvr_job.c +@@ -684,6 +684,13 @@ pvr_jobs_link_geom_frag(struct pvr_job_d + geom_job->paired_job = frag_job; + frag_job->paired_job = geom_job; + ++ /* The geometry job pvr_job structure is used when the fragment ++ * job is being prepared by the GPU scheduler. Have the fragment ++ * job hold a reference on the geometry job to prevent it being ++ * freed until the fragment job has finished with it. ++ */ ++ pvr_job_get(geom_job); ++ + /* Skip the fragment job we just paired to the geometry job. */ + i++; + } +--- a/drivers/gpu/drm/imagination/pvr_queue.c ++++ b/drivers/gpu/drm/imagination/pvr_queue.c +@@ -866,6 +866,10 @@ static void pvr_queue_free_job(struct dr + struct pvr_job *job = container_of(sched_job, struct pvr_job, base); + + drm_sched_job_cleanup(sched_job); ++ ++ if (job->type == DRM_PVR_JOB_TYPE_FRAGMENT && job->paired_job) ++ pvr_job_put(job->paired_job); ++ + job->paired_job = NULL; + pvr_job_put(job); + } diff --git a/queue-6.12/drm-mgag200-fix-value-in-vblkstr-register.patch b/queue-6.12/drm-mgag200-fix-value-in-vblkstr-register.patch new file mode 100644 index 0000000000..5e633fb518 --- /dev/null +++ b/queue-6.12/drm-mgag200-fix-value-in-vblkstr-register.patch @@ -0,0 +1,49 @@ +From 76c332d119f9048c6e16b52359f401510f18b2ff Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Wed, 16 Apr 2025 10:38:05 +0200 +Subject: drm/mgag200: Fix value in register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Zimmermann + +commit 76c332d119f9048c6e16b52359f401510f18b2ff upstream. + +Fix an off-by-one error when setting the vblanking start in +. Commit d6460bd52c27 ("drm/mgag200: Add dedicated +variables for blanking fields") switched the value from +crtc_vdisplay to crtc_vblank_start, which DRM helpers copy +from the former. The commit missed to subtract one though. + +Reported-by: Wakko Warner +Closes: https://lore.kernel.org/dri-devel/CAMwc25rKPKooaSp85zDq2eh-9q4UPZD=RqSDBRp1fAagDnmRmA@mail.gmail.com/ +Reported-by: Сергей +Closes: https://lore.kernel.org/all/5b193b75-40b1-4342-a16a-ae9fc62f245a@gmail.com/ +Closes: https://bbs.archlinux.org/viewtopic.php?id=303819 +Signed-off-by: Thomas Zimmermann +Fixes: d6460bd52c27 ("drm/mgag200: Add dedicated variables for blanking fields") +Cc: Thomas Zimmermann +Cc: Jocelyn Falempe +Cc: Dave Airlie +Cc: dri-devel@lists.freedesktop.org +Cc: # v6.12+ +Reviewed-by: Jocelyn Falempe +Tested-by: Wakko Warner +Link: https://lore.kernel.org/r/20250416083847.51764-1-tzimmermann@suse.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/mgag200/mgag200_mode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/mgag200/mgag200_mode.c ++++ b/drivers/gpu/drm/mgag200/mgag200_mode.c +@@ -223,7 +223,7 @@ void mgag200_set_mode_regs(struct mga_de + vsyncstr = mode->crtc_vsync_start - 1; + vsyncend = mode->crtc_vsync_end - 1; + vtotal = mode->crtc_vtotal - 2; +- vblkstr = mode->crtc_vblank_start; ++ vblkstr = mode->crtc_vblank_start - 1; + vblkend = vtotal + 1; + + linecomp = vdispend; diff --git a/queue-6.12/drm-nouveau-prime-fix-ttm_bo_delayed_delete-oops.patch b/queue-6.12/drm-nouveau-prime-fix-ttm_bo_delayed_delete-oops.patch new file mode 100644 index 0000000000..c338275a2d --- /dev/null +++ b/queue-6.12/drm-nouveau-prime-fix-ttm_bo_delayed_delete-oops.patch @@ -0,0 +1,109 @@ +From 8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3 Mon Sep 17 00:00:00 2001 +From: Chris Bainbridge +Date: Wed, 26 Mar 2025 12:52:10 +0000 +Subject: drm/nouveau: prime: fix ttm_bo_delayed_delete oops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Bainbridge + +commit 8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3 upstream. + +Fix an oops in ttm_bo_delayed_delete which results from dererencing a +dangling pointer: + +Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP +CPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216 +Hardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024 +Workqueue: ttm ttm_bo_delayed_delete [ttm] +RIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290 +Code: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 <41> 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b +RSP: 0018:ffffbf9383473d60 EFLAGS: 00010202 +RAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b +R13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc +FS: 0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0 +PKRU: 55555554 +Call Trace: + + ? __die_body.cold+0x19/0x26 + ? die_addr+0x3d/0x70 + ? exc_general_protection+0x159/0x460 + ? asm_exc_general_protection+0x27/0x30 + ? dma_resv_iter_first_unlocked+0x55/0x290 + dma_resv_wait_timeout+0x56/0x100 + ttm_bo_delayed_delete+0x69/0xb0 [ttm] + process_one_work+0x217/0x5c0 + worker_thread+0x1c8/0x3d0 + ? apply_wqattrs_cleanup.part.0+0xc0/0xc0 + kthread+0x10b/0x240 + ? kthreads_online_cpu+0x140/0x140 + ret_from_fork+0x40/0x70 + ? kthreads_online_cpu+0x140/0x140 + ret_from_fork_asm+0x11/0x20 + + +The cause of this is: + +- drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the + reference to the shared dma_buf. The reference count is 0, so the + dma_buf is destroyed, which in turn decrements the corresponding + amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed - + calling drm_gem_object_release then dma_resv_fini (which destroys the + reservation object), then finally freeing the amdgpu_bo. + +- nouveau_bo obj->bo.base.resv is now a dangling pointer to the memory + formerly allocated to the amdgpu_bo. + +- nouveau_gem_object_del calls ttm_bo_put(&nvbo->bo) which calls + ttm_bo_release, which schedules ttm_bo_delayed_delete. + +- ttm_bo_delayed_delete runs and dereferences the dangling resv pointer, + resulting in a general protection fault. + +Fix this by moving the drm_prime_gem_destroy call from +nouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will +be run after ttm_bo_delayed_delete. + +Signed-off-by: Chris Bainbridge +Suggested-by: Christian König +Fixes: 22b33e8ed0e3 ("nouveau: add PRIME support") +Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3937 +Cc: Stable@vger.kernel.org +Signed-off-by: Danilo Krummrich +Link: https://patchwork.freedesktop.org/patch/msgid/Z-P4epVK8k7tFZ7C@debian.local +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_bo.c | 3 +++ + drivers/gpu/drm/nouveau/nouveau_gem.c | 3 --- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_bo.c ++++ b/drivers/gpu/drm/nouveau/nouveau_bo.c +@@ -144,6 +144,9 @@ nouveau_bo_del_ttm(struct ttm_buffer_obj + nouveau_bo_del_io_reserve_lru(bo); + nv10_bo_put_tile_region(dev, nvbo->tile, NULL); + ++ if (bo->base.import_attach) ++ drm_prime_gem_destroy(&bo->base, bo->sg); ++ + /* + * If nouveau_bo_new() allocated this buffer, the GEM object was never + * initialized, so don't attempt to release it. +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -87,9 +87,6 @@ nouveau_gem_object_del(struct drm_gem_ob + return; + } + +- if (gem->import_attach) +- drm_prime_gem_destroy(gem, nvbo->bo.sg); +- + ttm_bo_put(&nvbo->bo); + + pm_runtime_mark_last_busy(dev); diff --git a/queue-6.12/drm-sti-remove-duplicate-object-names.patch b/queue-6.12/drm-sti-remove-duplicate-object-names.patch new file mode 100644 index 0000000000..b65733dc14 --- /dev/null +++ b/queue-6.12/drm-sti-remove-duplicate-object-names.patch @@ -0,0 +1,33 @@ +From 7fb6afa9125fc111478615e24231943c4f76cc2e Mon Sep 17 00:00:00 2001 +From: Rolf Eike Beer +Date: Wed, 15 Jan 2025 09:58:59 +0100 +Subject: drm/sti: remove duplicate object names + +From: Rolf Eike Beer + +commit 7fb6afa9125fc111478615e24231943c4f76cc2e upstream. + +When merging 2 drivers common object files were not deduplicated. + +Fixes: dcec16efd677 ("drm/sti: Build monolithic driver") +Cc: stable@kernel.org +Signed-off-by: Rolf Eike Beer +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/1920148.tdWV9SEqCh@devpool47.emlix.com +Signed-off-by: Raphael Gallais-Pou +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/sti/Makefile | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/gpu/drm/sti/Makefile ++++ b/drivers/gpu/drm/sti/Makefile +@@ -7,8 +7,6 @@ sti-drm-y := \ + sti_compositor.o \ + sti_crtc.o \ + sti_plane.o \ +- sti_crtc.o \ +- sti_plane.o \ + sti_hdmi.o \ + sti_hdmi_tx3g4c28phy.o \ + sti_dvo.o \ diff --git a/queue-6.12/drm-xe-dma_buf-stop-relying-on-placement-in-unmap.patch b/queue-6.12/drm-xe-dma_buf-stop-relying-on-placement-in-unmap.patch new file mode 100644 index 0000000000..5e26fd92b6 --- /dev/null +++ b/queue-6.12/drm-xe-dma_buf-stop-relying-on-placement-in-unmap.patch @@ -0,0 +1,60 @@ +From 25583ad42d091819157832e894179200ba8b54ee Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Thu, 10 Apr 2025 17:27:17 +0100 +Subject: drm/xe/dma_buf: stop relying on placement in unmap +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +commit 25583ad42d091819157832e894179200ba8b54ee upstream. + +The is_vram() is checking the current placement, however if we consider +exported VRAM with dynamic dma-buf, it looks possible for the xe driver +to async evict the memory, notifying the importer, however importer does +not have to call unmap_attachment() immediately, but rather just as +"soon as possible", like when the dma-resv idles. Following from this we +would then pipeline the move, attaching the fence to the manager, and +then update the current placement. But when the unmap_attachment() runs +at some later point we might see that is_vram() is now false, and take +the complete wrong path when dma-unmapping the sg, leading to +explosions. + +To fix this check if the sgl was mapping a struct page. + +v2: + - The attachment can be mapped multiple times it seems, so we can't + really rely on encoding something in the attachment->priv. Instead + see if the page_link has an encoded struct page. For vram we expect + this to be NULL. + +Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4563 +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Signed-off-by: Matthew Auld +Cc: Thomas Hellström +Cc: Matthew Brost +Cc: # v6.8+ +Acked-by: Christian König +Link: https://lore.kernel.org/r/20250410162716.159403-2-matthew.auld@intel.com +(cherry picked from commit d755887f8e5a2a18e15e6632a5193e5feea18499) +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_dma_buf.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_dma_buf.c ++++ b/drivers/gpu/drm/xe/xe_dma_buf.c +@@ -145,10 +145,7 @@ static void xe_dma_buf_unmap(struct dma_ + struct sg_table *sgt, + enum dma_data_direction dir) + { +- struct dma_buf *dma_buf = attach->dmabuf; +- struct xe_bo *bo = gem_to_xe_bo(dma_buf->priv); +- +- if (!xe_bo_is_vram(bo)) { ++ if (sg_page(sgt->sgl)) { + dma_unmap_sgtable(attach->dev, sgt, dir, 0); + sg_free_table(sgt); + kfree(sgt); diff --git a/queue-6.12/drm-xe-fix-an-out-of-bounds-shift-when-invalidating-tlb.patch b/queue-6.12/drm-xe-fix-an-out-of-bounds-shift-when-invalidating-tlb.patch new file mode 100644 index 0000000000..19e66f4454 --- /dev/null +++ b/queue-6.12/drm-xe-fix-an-out-of-bounds-shift-when-invalidating-tlb.patch @@ -0,0 +1,122 @@ +From 7bcfeddb36b77f9fe3b010bb0b282b7618420bba Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?= +Date: Wed, 26 Mar 2025 16:16:34 +0100 +Subject: drm/xe: Fix an out-of-bounds shift when invalidating TLB +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Thomas Hellström + +commit 7bcfeddb36b77f9fe3b010bb0b282b7618420bba upstream. + +When the size of the range invalidated is larger than +rounddown_pow_of_two(ULONG_MAX), +The function macro roundup_pow_of_two(length) will hit an out-of-bounds +shift [1]. + +Use a full TLB invalidation for such cases. +v2: +- Use a define for the range size limit over which we use a full + TLB invalidation. (Lucas) +- Use a better calculation of the limit. + +[1]: +[ 39.202421] ------------[ cut here ]------------ +[ 39.202657] UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 +[ 39.202673] shift exponent 64 is too large for 64-bit type 'long unsigned int' +[ 39.202688] CPU: 8 UID: 0 PID: 3129 Comm: xe_exec_system_ Tainted: G U 6.14.0+ #10 +[ 39.202690] Tainted: [U]=USER +[ 39.202690] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023 +[ 39.202691] Call Trace: +[ 39.202692] +[ 39.202695] dump_stack_lvl+0x6e/0xa0 +[ 39.202699] ubsan_epilogue+0x5/0x30 +[ 39.202701] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xe6 +[ 39.202705] xe_gt_tlb_invalidation_range.cold+0x1d/0x3a [xe] +[ 39.202800] ? find_held_lock+0x2b/0x80 +[ 39.202803] ? mark_held_locks+0x40/0x70 +[ 39.202806] xe_svm_invalidate+0x459/0x700 [xe] +[ 39.202897] drm_gpusvm_notifier_invalidate+0x4d/0x70 [drm_gpusvm] +[ 39.202900] __mmu_notifier_release+0x1f5/0x270 +[ 39.202905] exit_mmap+0x40e/0x450 +[ 39.202912] __mmput+0x45/0x110 +[ 39.202914] exit_mm+0xc5/0x130 +[ 39.202916] do_exit+0x21c/0x500 +[ 39.202918] ? lockdep_hardirqs_on_prepare+0xdb/0x190 +[ 39.202920] do_group_exit+0x36/0xa0 +[ 39.202922] get_signal+0x8f8/0x900 +[ 39.202926] arch_do_signal_or_restart+0x35/0x100 +[ 39.202930] syscall_exit_to_user_mode+0x1fc/0x290 +[ 39.202932] do_syscall_64+0xa1/0x180 +[ 39.202934] ? do_user_addr_fault+0x59f/0x8a0 +[ 39.202937] ? lock_release+0xd2/0x2a0 +[ 39.202939] ? do_user_addr_fault+0x5a9/0x8a0 +[ 39.202942] ? trace_hardirqs_off+0x4b/0xc0 +[ 39.202944] ? clear_bhb_loop+0x25/0x80 +[ 39.202946] ? clear_bhb_loop+0x25/0x80 +[ 39.202947] ? clear_bhb_loop+0x25/0x80 +[ 39.202950] entry_SYSCALL_64_after_hwframe+0x76/0x7e +[ 39.202952] RIP: 0033:0x7fa945e543e1 +[ 39.202961] Code: Unable to access opcode bytes at 0x7fa945e543b7. +[ 39.202962] RSP: 002b:00007ffca8fb4170 EFLAGS: 00000293 +[ 39.202963] RAX: 000000000000003d RBX: 0000000000000000 RCX: 00007fa945e543e3 +[ 39.202964] RDX: 0000000000000000 RSI: 00007ffca8fb41ac RDI: 00000000ffffffff +[ 39.202964] RBP: 00007ffca8fb4190 R08: 0000000000000000 R09: 00007fa945f600a0 +[ 39.202965] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 +[ 39.202966] R13: 00007fa9460dd310 R14: 00007ffca8fb41ac R15: 0000000000000000 +[ 39.202970] +[ 39.202970] ---[ end trace ]--- + +Fixes: 332dd0116c82 ("drm/xe: Add range based TLB invalidations") +Cc: Matthew Brost +Cc: Rodrigo Vivi +Cc: # v6.8+ +Signed-off-by: Thomas Hellström +Reviewed-by: Lucas De Marchi #v1 +Link: https://lore.kernel.org/r/20250326151634.36916-1-thomas.hellstrom@linux.intel.com +(cherry picked from commit b88f48f86500bc0b44b4f73ac66d500a40d320ad) +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c ++++ b/drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c +@@ -310,6 +310,13 @@ int xe_gt_tlb_invalidation_ggtt(struct x + return 0; + } + ++/* ++ * Ensure that roundup_pow_of_two(length) doesn't overflow. ++ * Note that roundup_pow_of_two() operates on unsigned long, ++ * not on u64. ++ */ ++#define MAX_RANGE_TLB_INVALIDATION_LENGTH (rounddown_pow_of_two(ULONG_MAX)) ++ + /** + * xe_gt_tlb_invalidation_range - Issue a TLB invalidation on this GT for an + * address range +@@ -334,6 +341,7 @@ int xe_gt_tlb_invalidation_range(struct + struct xe_device *xe = gt_to_xe(gt); + #define MAX_TLB_INVALIDATION_LEN 7 + u32 action[MAX_TLB_INVALIDATION_LEN]; ++ u64 length = end - start; + int len = 0; + + xe_gt_assert(gt, fence); +@@ -346,11 +354,11 @@ int xe_gt_tlb_invalidation_range(struct + + action[len++] = XE_GUC_ACTION_TLB_INVALIDATION; + action[len++] = 0; /* seqno, replaced in send_tlb_invalidation */ +- if (!xe->info.has_range_tlb_invalidation) { ++ if (!xe->info.has_range_tlb_invalidation || ++ length > MAX_RANGE_TLB_INVALIDATION_LENGTH) { + action[len++] = MAKE_INVAL_OP(XE_GUC_TLB_INVAL_FULL); + } else { + u64 orig_start = start; +- u64 length = end - start; + u64 align; + + if (length < SZ_4K) diff --git a/queue-6.12/drm-xe-set-lrc-addresses-before-guc-load.patch b/queue-6.12/drm-xe-set-lrc-addresses-before-guc-load.patch new file mode 100644 index 0000000000..41060bd040 --- /dev/null +++ b/queue-6.12/drm-xe-set-lrc-addresses-before-guc-load.patch @@ -0,0 +1,183 @@ +From 6405f5b70b1c240ffddef01c7a140498f47d4fe7 Mon Sep 17 00:00:00 2001 +From: Lucas De Marchi +Date: Wed, 9 Apr 2025 21:59:34 -0700 +Subject: drm/xe: Set LRC addresses before guc load + +From: Lucas De Marchi + +commit 6405f5b70b1c240ffddef01c7a140498f47d4fe7 upstream. + +The metadata saved in the ADS is read by GuC when it's initialized. +Saving the addresses to the LRCs when they are populated is too late as +GuC will keep using the old ones. + +This was causing GuC to use the RCS LRC for any engine class. It's not a +big problem on a Linux-only scenario since the they are used by GuC only +on media engines when the watchdog is triggered. However, in a +virtualization scenario with Windows as the VF, it causes the wrong LRCs +to be loaded as the watchdog is used for all engines. + +Fix it by letting guc_golden_lrc_init() initialize the metadata, like +other *_init() functions, and later guc_golden_lrc_populate() to copy +the LRCs to the right places. The former is called before the second GuC +load, while the latter is called after LRCs have been recorded. + +Cc: Chee Yin Wong +Cc: John Harrison +Cc: Matt Roper +Cc: Matthew Brost +Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") +Cc: # v6.11+ +Reviewed-by: Matthew Brost +Tested-by: Chee Yin Wong +Link: https://lore.kernel.org/r/20250409-fix-guc-ads-v1-1-494135f7a5d0@intel.com +Signed-off-by: Lucas De Marchi +(cherry picked from commit c31a0b6402d15b530514eee9925adfcb8cfbb1c9) +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_guc_ads.c | 75 ++++++++++++++++++++++++---------------- + 1 file changed, 45 insertions(+), 30 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_guc_ads.c ++++ b/drivers/gpu/drm/xe/xe_guc_ads.c +@@ -483,24 +483,52 @@ static void fill_engine_enable_masks(str + engine_enable_mask(gt, XE_ENGINE_CLASS_OTHER)); + } + +-static void guc_prep_golden_lrc_null(struct xe_guc_ads *ads) ++/* ++ * Write the offsets corresponding to the golden LRCs. The actual data is ++ * populated later by guc_golden_lrc_populate() ++ */ ++static void guc_golden_lrc_init(struct xe_guc_ads *ads) + { + struct xe_device *xe = ads_to_xe(ads); ++ struct xe_gt *gt = ads_to_gt(ads); + struct iosys_map info_map = IOSYS_MAP_INIT_OFFSET(ads_to_map(ads), + offsetof(struct __guc_ads_blob, system_info)); +- u8 guc_class; ++ size_t alloc_size, real_size; ++ u32 addr_ggtt, offset; ++ int class; ++ ++ offset = guc_ads_golden_lrc_offset(ads); ++ addr_ggtt = xe_bo_ggtt_addr(ads->bo) + offset; ++ ++ for (class = 0; class < XE_ENGINE_CLASS_MAX; ++class) { ++ u8 guc_class; ++ ++ guc_class = xe_engine_class_to_guc_class(class); + +- for (guc_class = 0; guc_class <= GUC_MAX_ENGINE_CLASSES; ++guc_class) { + if (!info_map_read(xe, &info_map, + engine_enabled_masks[guc_class])) + continue; + ++ real_size = xe_gt_lrc_size(gt, class); ++ alloc_size = PAGE_ALIGN(real_size); ++ ++ /* ++ * This interface is slightly confusing. We need to pass the ++ * base address of the full golden context and the size of just ++ * the engine state, which is the section of the context image ++ * that starts after the execlists LRC registers. This is ++ * required to allow the GuC to restore just the engine state ++ * when a watchdog reset occurs. ++ * We calculate the engine state size by removing the size of ++ * what comes before it in the context image (which is identical ++ * on all engines). ++ */ + ads_blob_write(ads, ads.eng_state_size[guc_class], +- guc_ads_golden_lrc_size(ads) - +- xe_lrc_skip_size(xe)); ++ real_size - xe_lrc_skip_size(xe)); + ads_blob_write(ads, ads.golden_context_lrca[guc_class], +- xe_bo_ggtt_addr(ads->bo) + +- guc_ads_golden_lrc_offset(ads)); ++ addr_ggtt); ++ ++ addr_ggtt += alloc_size; + } + } + +@@ -710,7 +738,7 @@ void xe_guc_ads_populate_minimal(struct + + xe_map_memset(ads_to_xe(ads), ads_to_map(ads), 0, 0, ads->bo->size); + guc_policies_init(ads); +- guc_prep_golden_lrc_null(ads); ++ guc_golden_lrc_init(ads); + guc_mapping_table_init_invalid(gt, &info_map); + guc_doorbell_init(ads); + +@@ -736,7 +764,7 @@ void xe_guc_ads_populate(struct xe_guc_a + guc_policies_init(ads); + fill_engine_enable_masks(gt, &info_map); + guc_mmio_reg_state_init(ads); +- guc_prep_golden_lrc_null(ads); ++ guc_golden_lrc_init(ads); + guc_mapping_table_init(gt, &info_map); + guc_capture_list_init(ads); + guc_doorbell_init(ads); +@@ -756,18 +784,22 @@ void xe_guc_ads_populate(struct xe_guc_a + guc_ads_private_data_offset(ads)); + } + +-static void guc_populate_golden_lrc(struct xe_guc_ads *ads) ++/* ++ * After the golden LRC's are recorded for each engine class by the first ++ * submission, copy them to the ADS, as initialized earlier by ++ * guc_golden_lrc_init(). ++ */ ++static void guc_golden_lrc_populate(struct xe_guc_ads *ads) + { + struct xe_device *xe = ads_to_xe(ads); + struct xe_gt *gt = ads_to_gt(ads); + struct iosys_map info_map = IOSYS_MAP_INIT_OFFSET(ads_to_map(ads), + offsetof(struct __guc_ads_blob, system_info)); + size_t total_size = 0, alloc_size, real_size; +- u32 addr_ggtt, offset; ++ u32 offset; + int class; + + offset = guc_ads_golden_lrc_offset(ads); +- addr_ggtt = xe_bo_ggtt_addr(ads->bo) + offset; + + for (class = 0; class < XE_ENGINE_CLASS_MAX; ++class) { + u8 guc_class; +@@ -784,26 +816,9 @@ static void guc_populate_golden_lrc(stru + alloc_size = PAGE_ALIGN(real_size); + total_size += alloc_size; + +- /* +- * This interface is slightly confusing. We need to pass the +- * base address of the full golden context and the size of just +- * the engine state, which is the section of the context image +- * that starts after the execlists LRC registers. This is +- * required to allow the GuC to restore just the engine state +- * when a watchdog reset occurs. +- * We calculate the engine state size by removing the size of +- * what comes before it in the context image (which is identical +- * on all engines). +- */ +- ads_blob_write(ads, ads.eng_state_size[guc_class], +- real_size - xe_lrc_skip_size(xe)); +- ads_blob_write(ads, ads.golden_context_lrca[guc_class], +- addr_ggtt); +- + xe_map_memcpy_to(xe, ads_to_map(ads), offset, + gt->default_lrc[class], real_size); + +- addr_ggtt += alloc_size; + offset += alloc_size; + } + +@@ -812,7 +827,7 @@ static void guc_populate_golden_lrc(stru + + void xe_guc_ads_populate_post_load(struct xe_guc_ads *ads) + { +- guc_populate_golden_lrc(ads); ++ guc_golden_lrc_populate(ads); + } + + static int guc_ads_action_update_policies(struct xe_guc_ads *ads, u32 policy_offset) diff --git a/queue-6.12/drm-xe-userptr-fix-notifier-vs-folio-deadlock.patch b/queue-6.12/drm-xe-userptr-fix-notifier-vs-folio-deadlock.patch new file mode 100644 index 0000000000..c8e82caa81 --- /dev/null +++ b/queue-6.12/drm-xe-userptr-fix-notifier-vs-folio-deadlock.patch @@ -0,0 +1,84 @@ +From 2577b202458cddff85cc154b1fe7f313e0d1f418 Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Mon, 14 Apr 2025 14:25:40 +0100 +Subject: drm/xe/userptr: fix notifier vs folio deadlock +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +commit 2577b202458cddff85cc154b1fe7f313e0d1f418 upstream. + +User is reporting what smells like notifier vs folio deadlock, where +migrate_pages_batch() on core kernel side is holding folio lock(s) and +then interacting with the mappings of it, however those mappings are +tied to some userptr, which means calling into the notifier callback and +grabbing the notifier lock. With perfect timing it looks possible that +the pages we pulled from the hmm fault can get sniped by +migrate_pages_batch() at the same time that we are holding the notifier +lock to mark the pages as accessed/dirty, but at this point we also want +to grab the folio locks(s) to mark them as dirty, but if they are +contended from notifier/migrate_pages_batch side then we deadlock since +folio lock won't be dropped until we drop the notifier lock. + +Fortunately the mark_page_accessed/dirty is not really needed in the +first place it seems and should have already been done by hmm fault, so +just remove it. + +Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/4765 +Fixes: 0a98219bcc96 ("drm/xe/hmm: Don't dereference struct page pointers without notifier lock") +Signed-off-by: Matthew Auld +Cc: Thomas Hellström +Cc: Matthew Brost +Cc: # v6.10+ +Reviewed-by: Thomas Hellström +Reviewed-by: Matthew Brost +Link: https://lore.kernel.org/r/20250414132539.26654-2-matthew.auld@intel.com +(cherry picked from commit bd7c0cb695e87c0e43247be8196b4919edbe0e85) +Signed-off-by: Lucas De Marchi +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/xe/xe_hmm.c | 24 ------------------------ + 1 file changed, 24 deletions(-) + +--- a/drivers/gpu/drm/xe/xe_hmm.c ++++ b/drivers/gpu/drm/xe/xe_hmm.c +@@ -19,29 +19,6 @@ static u64 xe_npages_in_range(unsigned l + return (end - start) >> PAGE_SHIFT; + } + +-/** +- * xe_mark_range_accessed() - mark a range is accessed, so core mm +- * have such information for memory eviction or write back to +- * hard disk +- * @range: the range to mark +- * @write: if write to this range, we mark pages in this range +- * as dirty +- */ +-static void xe_mark_range_accessed(struct hmm_range *range, bool write) +-{ +- struct page *page; +- u64 i, npages; +- +- npages = xe_npages_in_range(range->start, range->end); +- for (i = 0; i < npages; i++) { +- page = hmm_pfn_to_page(range->hmm_pfns[i]); +- if (write) +- set_page_dirty_lock(page); +- +- mark_page_accessed(page); +- } +-} +- + static int xe_alloc_sg(struct xe_device *xe, struct sg_table *st, + struct hmm_range *range, struct rw_semaphore *notifier_sem) + { +@@ -331,7 +308,6 @@ int xe_hmm_userptr_populate_range(struct + if (ret) + goto out_unlock; + +- xe_mark_range_accessed(&hmm_range, write); + userptr->sg = &userptr->sgt; + xe_hmm_userptr_set_mapped(uvma); + userptr->notifier_seq = hmm_range.notifier_seq; diff --git a/queue-6.12/series b/queue-6.12/series index e0354294b6..04273dfd35 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -164,3 +164,22 @@ drm-amdgpu-mes12-optimize-mes-pipe-fw-version-fetching.patch drm-i915-vrr-add-vrr.vsync_-start-end-in-vrr_params_changed.patch drm-xe-use-local-fence-in-error-path-of-xe_migrate_clear.patch drm-amd-display-add-hp-elitebook-645-to-the-quirk-list-for-edp-on-dp1.patch +drm-amd-display-protect-fpu-in-dml2_validate-dml21_validate.patch +drm-amd-display-protect-fpu-in-dml21_copy.patch +drm-amdgpu-mes11-optimize-mes-pipe-fw-version-fetching.patch +drm-amdgpu-dma_buf-fix-page_link-check.patch +drm-nouveau-prime-fix-ttm_bo_delayed_delete-oops.patch +drm-imagination-fix-firmware-memory-leaks.patch +drm-imagination-take-paired-job-reference.patch +drm-sti-remove-duplicate-object-names.patch +drm-xe-fix-an-out-of-bounds-shift-when-invalidating-tlb.patch +drm-i915-gvt-fix-unterminated-string-initialization-warning.patch +drm-amdgpu-immediately-use-gtt-for-new-allocations.patch +drm-amd-display-do-not-enable-replay-and-psr-while-vrr-is-on-in-amdgpu_dm_commit_planes.patch +drm-amd-display-protect-fpu-in-dml2_init-dml21_init.patch +drm-amd-display-add-hp-probook-445-and-465-to-the-quirk-list-for-edp-on-dp1.patch +drm-xe-dma_buf-stop-relying-on-placement-in-unmap.patch +drm-xe-userptr-fix-notifier-vs-folio-deadlock.patch +drm-xe-set-lrc-addresses-before-guc-load.patch +drm-amdgpu-fix-warning-of-drm_mm_clean.patch +drm-mgag200-fix-value-in-vblkstr-register.patch