git.ipfire.org Git - thirdparty/kernel/linux.git/log
11 days ago t10-pi: reduce ref tag code duplication
Caleb Sander Mateos [Wed, 15 Apr 2026 21:08:47 +0000 (15:08 -0600)] 
t10-pi: reduce ref tag code duplication

t10_pi_ref_tag() and ext_pi_ref_tag() are identical except for the final
truncation of the ref tag to 32 or 48 bits. Factor out a helper
full_pi_ref_tag() to return the untruncated ref tag and use it in
t10_pi_ref_tag() and ext_pi_ref_tag().

Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
Reviewed-by: Anuj Gupta <anuj20.g@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20260415210847.1730016-1-csander@purestorage.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
11 days ago Merge tag 'nand/for-7.1' into mtd/next
Miquel Raynal [Fri, 17 Apr 2026 19:51:05 +0000 (21:51 +0200)] 
Merge tag 'nand/for-7.1' into mtd/next

The main changes happened in the SunXi driver in order to
support new versions of the Allwinner NAND controller.

There are also some DT-binding improvements and cleanups.

Finally a couple of actual fixes (Realtek ECC and Winbond SPI NAND),
aside with the usual load of misc changes.

11 days ago Merge tag 'spi-nor/for-7.1' into mtd/next
Miquel Raynal [Fri, 17 Apr 2026 19:50:54 +0000 (21:50 +0200)] 
Merge tag 'spi-nor/for-7.1' into mtd/next

SPI NOR changes for 7.1

There is only a collection of bugfixes this time around, with no notable
changes to the core. Some of the more noteworthy bugfixes are listed below.

- Enable die erase on MT35XU02GCBA. We knew this flash needed this fixup
  since 7f77c561e227 ("mtd: spi-nor: micron-st: add TODO for fixing
  mt35xu02gcba") but did not add it due to lack of hardware to test on.

- Fix locking on some Winbond w25q series flashes.

- Fix Auto Address Increment (AAI) writes on SST flashes that start
  on an odd address. The write enable latch needs to be set again after the
  single byte program.

11 days ago drm/amdgpu: drop userq fence driver refs out of fence process()
Prike Liang [Wed, 8 Apr 2026 06:00:04 +0000 (14:00 +0800)] 
drm/amdgpu: drop userq fence driver refs out of fence process()

amdgpu_userq_wait_ioctl() takes extra references on waited-on fence
drivers and stores them in waitq->fence_drv_xa. When a new userq fence is
created, those references are transferred into userq_fence->fence_drv_array
so they can be released when the fence completes.

However, those inherited references are currently only dropped from
amdgpu_userq_fence_driver_process(). If a fence never reaches that path,
such as when it is already signaled when created, we need to explicitly
release those fences in that case.

v2: use a list (list_cut_before) for managing the signal userq driver fences. (Christian)
Link: https://patchwork.freedesktop.org/patch/718078/?series=164763&rev=2
v3: Don't cache the userq first unsignaled fence and use the cut before list
    head directly. (Christian)

Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Prike Liang <Prike.Liang@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/userq: unpin and unref doorbell and wptr outside mutex
Sunil Khatri [Mon, 13 Apr 2026 12:53:06 +0000 (18:23 +0530)] 
drm/amdgpu/userq: unpin and unref doorbell and wptr outside mutex

In amdgpu_userq_destroy, once unmap_helper is called within the mutex,
there is no need to hold the mutex.

This helps in avoiding a deadlock between doorbell and wptr ww mutex
and we could unpin and unref these bos outside mutex safely.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/userq: use pm_runtime_resume_and_get and fix err handling
Sunil Khatri [Sat, 11 Apr 2026 08:11:06 +0000 (13:41 +0530)] 
drm/amdgpu/userq: use pm_runtime_resume_and_get and fix err handling

Use pm_runtime_resume_and_get instead of pm_runtime_get_sync as it
returns an error but puts the reference in the function itself.

In goto statements we need to drop the pm reference too.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/userq: unmap_helper dont return the queue state
Sunil Khatri [Mon, 13 Apr 2026 06:16:47 +0000 (11:46 +0530)] 
drm/amdgpu/userq: unmap_helper dont return the queue state

We check the return value of amdgpu_userq_unmap_helper and
compare it against the queue->state, which is logically
wrong, and we should just check for failure and do the needful.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/userq: unmap is to be called before freeing doorbell/wptr bo
Sunil Khatri [Mon, 13 Apr 2026 06:08:46 +0000 (11:38 +0530)] 
drm/amdgpu/userq: unmap is to be called before freeing doorbell/wptr bo

Unmapping the queue after freeing doorbell and wptr memory is completely
wrong. Any operation on the queue needs the doorbell and wptr to be
valid, hence fixing the ordering.

Also, since we are using amdgpu_bo_reserve in non-interruptible mode,
there is no need to check for its return values.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/userq: hold root bo lock in caller of input_va_validate
Sunil Khatri [Wed, 8 Apr 2026 16:04:27 +0000 (21:34 +0530)] 
drm/amdgpu/userq: hold root bo lock in caller of input_va_validate

Caller should hold the reservation lock for root.bo in func
amdgpu_userq_input_va_validate.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/userq: caller to take reserv lock for vas_list_cleanup
Sunil Khatri [Wed, 8 Apr 2026 12:26:23 +0000 (17:56 +0530)] 
drm/amdgpu/userq: caller to take reserv lock for vas_list_cleanup

In function amdgpu_userq_buffer_vas_list_cleanup, remove the
reservation lock for vm and caller should make sure it's taken
before locking userq_mutex.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/userq: create_mqd does not need userq_mutex
Sunil Khatri [Thu, 9 Apr 2026 07:29:33 +0000 (12:59 +0530)] 
drm/amdgpu/userq: create_mqd does not need userq_mutex

Reshuffle the code to run create_mqd outside the mutex.
The code here is mostly setting up software structure init
before actually registering the userqueue in the xa and
to the driver.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/userq: dont lock root bo with userq_mutex held
Sunil Khatri [Wed, 8 Apr 2026 11:46:24 +0000 (17:16 +0530)] 
drm/amdgpu/userq: dont lock root bo with userq_mutex held

Do not hold the reservation lock for root bo if userq_mutex
is already held in the call flow; this causes a lock
issue with ttm_bo_delayed_delete.

It's better to lock the vm->root.bo first and then go ahead
with userq_mutex so userq_mutex threads don't get stuck until
the reservation lock is held.

In this case it helps in the function amdgpu_userq_buffer_vas_mapped
for each queue during restore_all.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/userq: fix kerneldoc for amdgpu_userq_ensure_ev_fence
Sunil Khatri [Wed, 8 Apr 2026 09:41:05 +0000 (15:11 +0530)] 
drm/amdgpu/userq: fix kerneldoc for amdgpu_userq_ensure_ev_fence

Move the comment for the caller to the definition for
amdgpu_userq_ensure_ev_fence in kerneldoc format.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/userq: clean the VA mapping list for failed queue creation
Sunil Khatri [Wed, 8 Apr 2026 05:05:05 +0000 (10:35 +0530)] 
drm/amdgpu/userq: clean the VA mapping list for failed queue creation

If the queue creation failed during mapping of the important VAs
like queue_va, rptr_va and wptr_va, these need to be cleaned,
as queue destroy will not be called for such queues as user never
gets call to creation failure.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/userq: avoid uneccessary locking in amdgpu_userq_create
Sunil Khatri [Wed, 8 Apr 2026 04:51:53 +0000 (10:21 +0530)] 
drm/amdgpu/userq: avoid uneccessary locking in amdgpu_userq_create

Reorganise code to avoid holding mutex userq_mutex while
also trying to grab exec lock ww_mutex where it's not needed
for function amdgpu_userq_input_va_validate.

Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Fix ISM teardown crash from NULL dc dereference
Srinivasan Shanmugam [Wed, 15 Apr 2026 01:03:33 +0000 (06:33 +0530)] 
drm/amd/display: Fix ISM teardown crash from NULL dc dereference

The Idle State Manager (ISM) uses delayed work to apply display idle
optimizations later, instead of immediately. This helps avoid rapid idle
transitions that can hurt power or performance.

A crash was seen during driver teardown. The system boots normally and
the driver loads successfully. Later, when the GPU is being stopped, the
log shows:

  amdgpu 0000:0e:00.0: finishing device.
  Workqueue: events_unbound dm_ism_sso_delayed_work_func [amdgpu]

After this, delayed ISM work still runs and reaches:

  dm_ism_sso_delayed_work_func()
    -> amdgpu_dm_ism_commit_event()
    -> dm_ism_commit_idle_optimization_state()
    -> dc_allow_idle_optimizations_internal()

The crash report showed:
  KASAN: null-ptr-deref in range [0x690-0x697]

Signature:
[22601.113316] KASAN: null-ptr-deref in range [0x0000000000000690-0x0000000000000697]
...
[22601.113368] Workqueue: events_unbound dm_ism_sso_delayed_work_func [amdgpu]
[22601.113930] RIP: 0010:dc_allow_idle_optimizations_internal+0xa6/0xc40 [amdgpu]
...
[22601.114491] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 0000000000000690
...
[22601.114561] Call Trace:
[22601.114566]  <TASK>
[22601.114572]  ? srso_alias_return_thunk+0x5/0xfbef5
[22601.114582]  ? update_load_avg+0x1b6/0x20b0
[22601.114593]  ? __pfx_dc_allow_idle_optimizations_internal+0x10/0x10 [amdgpu]
[22601.114932]  ? psi_group_change+0x4ed/0x8d0
[22601.114942]  dm_ism_commit_idle_optimization_state+0x214/0x570 [amdgpu]
[22601.115268]  amdgpu_dm_ism_commit_event+0xe1d/0x15a0 [amdgpu]
[22601.115588]  ? srso_alias_return_thunk+0x5/0xfbef5
[22601.115595]  ? __kasan_check_write+0x18/0x20
[22601.115603]  ? srso_alias_return_thunk+0x5/0xfbef5
[22601.115610]  ? mutex_lock+0x83/0xc0
[22601.115620]  dm_ism_sso_delayed_work_func+0x64/0x90 [amdgpu]

GDB resolved dc_allow_idle_optimizations_internal+0xa6 to:

  struct dc_state *context = dc->current_state;

The matching disassembly showed:

  mov %rdi, %r12
  mov 0x690(%r12), %r13

where r12 holds the dc pointer. A GDB layout dump of struct dc showed:

  /* 1680 | 8 */ struct dc_state *current_state;

Since 1680 decimal is 0x690, this confirms that current_state is at
offset 0x690. The faulting access was effectively:

  dc + 0x690

which indicates that dc was NULL at the time of dereference.

This shows that ISM work can still run during teardown after dc has
been cleared.

ISM is not expected to run after dc is destroyed. Fix this by disabling
ISM under dc_lock in amdgpu_dm_fini() before dc_destroy(), ensuring no
further ISM work runs after dc teardown.

Also add ASSERT(dm->dc) in amdgpu_dm_ism_commit_event() to enforce this
invariant, and ASSERT(mutex_is_locked(&dm->dc_lock)) in
amdgpu_dm_ism_disable() to clarify the locking requirement.

Fixes: 754003486c3c ("drm/amd/display: Add Idle state manager(ISM)")
Suggested-by: Leo Li <sunpeng.li@amd.com>
Cc: Ray Wu <ray.wu@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Cc: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Move dml2_destroy to non-FPU compilation unit
Rafal Ostrowski [Fri, 10 Apr 2026 07:09:57 +0000 (09:09 +0200)] 
drm/amd/display: Move dml2_destroy to non-FPU compilation unit

On PREEMPT_RT kernels, vfree() can sleep because spin_lock is
converted to rt_mutex. dml2_destroy() calls vfree() while inside
an FPU-guarded region (preempt_count=2), which is illegal.

dml2_wrapper_fpu.c is compiled with CC_FLAGS_FPU which defines
_LINUX_FPU_COMPILATION_UNIT, making DC_RUN_WITH_PREEMPTION_ENABLED()
resolve to a no-op. This prevents the macro from cycling FPU
context off/on around vfree().

Move dml2_destroy() to dml2_wrapper.c (non-FPU compilation unit)
where DC_RUN_WITH_PREEMPTION_ENABLED() properly cycles DC_FP_END/
DC_FP_START around vfree(). This pairs it with dml2_allocate_memory()
which already lives there.

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Rafal Ostrowski <rafal.ostrowski@amd.com>
Signed-off-by: Chenyu Chen <chen-yu.chen@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Fix fpu guard warning
Wayne Lin [Wed, 8 Apr 2026 07:01:27 +0000 (15:01 +0800)] 
drm/amd/display: Fix fpu guard warning

[Why]
Due to improper fpu guarding, we encounter this warning during boot up:

[   10.027021] WARNING: drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/dc_fpu.c:58 at dc_assert_fp_enabled+0x12/0x20 [amdgpu], CPU#8: (udev-worker)/469
[   10.027853] CPU: 8 UID: 0 PID: 469 Comm: (udev-worker) Not tainted 6.19.0asdn-260408-asdn #1 PREEMPT(voluntary)
[   10.027858] Hardware name: AMD Crater-RN/Crater-RN, BIOS TCR1004A 03/12/2024
[   10.027861] RIP: 0010:dc_assert_fp_enabled+0x12/0x20 [amdgpu]
[   10.028446] Call Trace:
[   10.028449]  <TASK>
[   10.028452]  ? dcn21_update_bw_bounding_box+0x38/0xb30 [amdgpu]
[   10.028991]  ? srso_return_thunk+0x5/0x5f
[   10.029001]  dc_create+0x37c/0x730 [amdgpu]
[   10.029505]  ? srso_return_thunk+0x5/0x5f
[   10.029512]  amdgpu_dm_init+0x374/0x2ff0 [amdgpu]
[   10.030053]  ? srso_return_thunk+0x5/0x5f
[   10.030057]  ? __irq_work_queue_local+0x61/0xe0
[   10.030063]  ? srso_return_thunk+0x5/0x5f
[   10.030067]  ? irq_work_queue+0x2f/0x70
[   10.030071]  ? srso_return_thunk+0x5/0x5f
[   10.030075]  ? __wake_up_klogd+0x75/0xa0
[   10.030081]  ? srso_return_thunk+0x5/0x5f
[   10.030085]  ? vprintk_emit+0x35b/0x3f0
[   10.030102]  dm_hw_init+0x1c/0x110 [amdgpu]
[   10.030625]  amdgpu_device_init+0x23e8/0x3210 [amdgpu]
[   10.031041]  ? pci_read+0x55/0x90
[   10.031047]  ? srso_return_thunk+0x5/0x5f
[   10.031051]  ? pci_read_config_word+0x27/0x50
[   10.031057]  ? srso_return_thunk+0x5/0x5f
[   10.031061]  ? do_pci_enable_device+0x155/0x180
[   10.031068]  amdgpu_driver_load_kms+0x1a/0xd0 [amdgpu]
[   10.031486]  amdgpu_pci_probe+0x28c/0x6f0 [amdgpu]
[   10.031902]  local_pci_probe+0x47/0xb0
[   10.031908]  pci_device_probe+0xf3/0x270
[   10.031914]  really_probe+0xf1/0x410
[   10.031920]  __driver_probe_device+0x8c/0x190
[   10.031924]  driver_probe_device+0x24/0xd0
[   10.031928]  __driver_attach+0x10b/0x240
[   10.031932]  ? __pfx___driver_attach+0x10/0x10
[   10.031936]  bus_for_each_dev+0x8c/0xf0
[   10.031942]  driver_attach+0x1e/0x30
[   10.031947]  bus_add_driver+0x160/0x2a0
[   10.031952]  driver_register+0x5e/0x130
[   10.031957]  ? __pfx_amdgpu_init+0x10/0x10 [amdgpu]
[   10.032361]  __pci_register_driver+0x5e/0x70
[   10.032366]  amdgpu_init+0x5d/0xff0 [amdgpu]
[   10.032768]  ? srso_return_thunk+0x5/0x5f
[   10.032773]  do_one_initcall+0x5d/0x340
[   10.032783]  do_init_module+0x97/0x2c0
[   10.032788]  load_module+0x2b49/0x2c30
[   10.032800]  init_module_from_file+0xf4/0x120
[   10.032804]  ? init_module_from_file+0xf4/0x120
[   10.032813]  idempotent_init_module+0x10f/0x300
[   10.032820]  __x64_sys_finit_module+0x73/0xf0
[   10.032824]  ? srso_return_thunk+0x5/0x5f
[   10.032829]  x64_sys_call+0x1d68/0x26b0
[   10.032834]  do_syscall_64+0x81/0x500
[   10.032839]  ? srso_return_thunk+0x5/0x5f
[   10.032843]  ? do_syscall_64+0x2e5/0x500
[   10.032848]  ? srso_return_thunk+0x5/0x5f
[   10.032852]  ? native_flush_tlb_global+0x95/0xb0
[   10.032860]  ? srso_return_thunk+0x5/0x5f
[   10.032864]  ? __flush_tlb_all+0x13/0x60
[   10.032870]  ? srso_return_thunk+0x5/0x5f
[   10.032874]  ? do_flush_tlb_all+0xe/0x20
[   10.032879]  ? srso_return_thunk+0x5/0x5f
[   10.032882]  ? __flush_smp_call_function_queue+0x9c/0x430
[   10.032888]  ? srso_return_thunk+0x5/0x5f
[   10.032897]  ? irqentry_exit+0xb2/0x740
[   10.032901]  ? srso_return_thunk+0x5/0x5f
[   10.032906]  ? srso_return_thunk+0x5/0x5f
[   10.032911]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   10.032945]  </TASK>
[   10.032948] ---[ end trace 0000000000000000 ]---

[How]
Add wrapper function to guard fpu properly for dcn21/dcn31/dcn315/dcn316.

Fixes: 3539437f354b ("drm/amd/display: Move FPU Guards From DML To DC - Part 1")
Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Reviewed-by: Rafal Ostrowski <rafal.ostrowski@amd.com>
Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
Signed-off-by: Chenyu Chen <chen-yu.chen@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu: Clear cached EDID pointer after drm_edid_free()
Srinivasan Shanmugam [Sat, 11 Apr 2026 16:05:39 +0000 (21:35 +0530)] 
drm/amdgpu: Clear cached EDID pointer after drm_edid_free()

The driver stores EDID in amdgpu_connector->edid and uses it as a cache.

amdgpu_connector_get_edid() checks this pointer. If it is not NULL, it
assumes EDID is already present and does not read it again.

In some detect paths, the driver frees the EDID using drm_edid_free(),
but does not set the pointer to NULL. Because of this, the pointer still
looks valid even though the memory is already freed.

Later, when amdgpu_connector_get_edid() is called, it returns early and
does not read a new EDID. This can lead to using a freed pointer.

Fix this by setting amdgpu_connector->edid = NULL after drm_edid_free().

This makes sure the driver reads a fresh EDID and does not use invalid
memory.

Fixes: 71036457ad85 ("drm/amdgpu/amdgpu_connectors: remove amdgpu_connector_free_edid")
Reported-by: Dan Carpenter <error27@gmail.com>
Cc: Joshua Peisach <jpeisach@ubuntu.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Joshua Peisach <jpeisach@ubuntu.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
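
The stale-cache pattern this commit message describes, as an added example that is not the driver's code. The types and functions are hypothetical stand-ins, and objects come from a constructed static pool so a "freed" EDID can be inspected safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: a pool slot marked !alive stands for freed memory. */
struct edid_model {
    bool alive;
    int generation;          /* which read produced this EDID */
};

struct connector_model {
    struct edid_model *edid; /* cache, modelled on amdgpu_connector->edid */
    int reads;               /* how many times the EDID was really fetched */
};

static struct edid_model pool[8];
static size_t pool_next;

/* Stand-in for fetching the EDID from the sink. */
static struct edid_model *edid_read_from_sink(struct connector_model *c)
{
    struct edid_model *e;

    if (pool_next >= sizeof(pool) / sizeof(pool[0]))
        return NULL;
    e = &pool[pool_next++];
    e->alive = true;
    e->generation = ++c->reads;
    return e;
}

/* Stand-in for drm_edid_free(): releases the object, not the caller's pointer. */
static void edid_free_model(struct edid_model *e)
{
    if (e)
        e->alive = false;
}

/* Cache check as described: a non-NULL pointer is taken to mean "present". */
static void connector_get_edid(struct connector_model *c)
{
    if (c->edid)
        return;
    c->edid = edid_read_from_sink(c);
}

/* Detect path that drops the EDID, with and without the fix. */
static void detect_path(struct connector_model *c, bool clear_after_free)
{
    edid_free_model(c->edid);
    if (clear_after_free)
        c->edid = NULL;      /* the fix: invalidate the cache entry */
}

struct outcome {
    int reads;
    bool holds_freed_edid;
};

/* One read, one detect cycle that frees the EDID, then a second lookup. */
static struct outcome run_detect_cycle(bool clear_after_free)
{
    struct connector_model c = { NULL, 0 };
    struct outcome o;

    connector_get_edid(&c);
    detect_path(&c, clear_after_free);
    connector_get_edid(&c);

    o.reads = c.reads;
    o.holds_freed_edid = c.edid != NULL && !c.edid->alive;
    return o;
}

int main(void)
{
    struct outcome before = run_detect_cycle(false);
    struct outcome after = run_detect_cycle(true);

    printf("without NULL: reads=%d stale=%d\n", before.reads, before.holds_freed_edid);
    printf("with NULL:    reads=%d stale=%d\n", after.reads, after.holds_freed_edid);
    return 0;
}
```
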
11 days ago drm/amd/display: Promote DC to 3.2.378
Taimur Hassan [Fri, 3 Apr 2026 09:34:51 +0000 (04:34 -0500)] 
drm/amd/display: Promote DC to 3.2.378

DC v3.2.378 summary:

New:
   - Add p-state schedule admissibility flags and frame-time utility

Fixes:
   - Fixed incorrect math_mod() result due to wrong variable in fmod implementation (Cc: stable)
   - Use overlay cursor when a color pipeline is active to avoid incorrect rendering

Cleanups:
   - Add const qualifiers to watermark params struct
   - Fix narrowing-conversion compiler warnings

Signed-off-by: Taimur Hassan <Syed.Hassan@amd.com>
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: add pstate schedule admissibility flags and frame-time utility
Wenjing Liu [Thu, 26 Mar 2026 21:39:28 +0000 (17:39 -0400)] 
drm/amd/display: add pstate schedule admissibility flags and frame-time utility

[Why]
Core needs to track pstate schedule admissibility for different global
change scenarios (fclk, temp read, PPT) and requires a reusable way to compute
per-stream frame time from timing parameters.

[How]
Extend dml2_core_internal_mode_support_info with:
fclk_pstate_schedule_admissible
temp_read_pstate_schedule_admissible
ppt_pstate_schedule_admissible
Add dummy_double_array[3][DML2_MAX_PLANES] to
dml2_core_calcs_mode_support_locals.
Introduce dml2_core_utils_get_frame_time_us() in dml2_core_utils.c and export
it in dml2_core_utils.h to compute frame time in microseconds from stream
timing (vline time * (vactive + vblank)).

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Wenjing Liu <wenjing.liu@amd.com>
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: add const qualifiers to watermark params struct
Wenjing Liu [Thu, 26 Mar 2026 21:13:27 +0000 (17:13 -0400)] 
drm/amd/display: add const qualifiers to watermark params struct

[why]
There are a few non-const input pointer fields. Setting them to const to
prevent future modification of read-only data.

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Wenjing Liu <wenjing.liu@amd.com>
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: fix math_mod() using arg1 instead of arg2
Wenjing Liu [Thu, 26 Mar 2026 16:00:34 +0000 (12:00 -0400)] 
drm/amd/display: fix math_mod() using arg1 instead of arg2

[Why]
math_mod() multiplied by arg1 instead of arg2, returning a wrong
result for any non-trivial modulo operation.

[How]
Replace arg1 with arg2 in the subtraction term to correctly
implement fmod(arg1, arg2).

Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Wenjing Liu <wenjing.liu@amd.com>
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Use overlay cursor when color pipeline is active
Alex Hung [Wed, 25 Mar 2026 02:03:25 +0000 (20:03 -0600)] 
drm/amd/display: Use overlay cursor when color pipeline is active

Force overlay cursor mode when an underlying plane has a non-bypassed
color pipeline to avoid incorrect cursor transformation.

Reviewed-by: Sun peng (Leo) Li <sunpeng.li@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Fix compiler warnings
Gaghik Khachatrian [Fri, 20 Mar 2026 20:57:35 +0000 (16:57 -0400)] 
drm/amd/display: Fix compiler warnings

[Why] Implicit conversions from wider integer types to byte-sized fields
were generating compiler warnings. These warnings hide intentional
protocol/storage boundaries and reduce signal quality during builds. Making
conversion intent explicit improves readability and warning hygiene
without changing behavior.

[How] Added explicit, type-safe casts at intentional narrow-storage
boundaries. Kept data models & runtime logic unchanged, only clarifying
conversion intent.

Functionality and behavior are unchanged; only type intent is explicit.
Aligned warning cleanup with existing coding standards for explicit
boundary conversions.

Reviewed-by: Aric Cyr <aric.cyr@amd.com>
Signed-off-by: Gaghik Khachatrian <gaghik.khachatrian@amd.com>
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: fix NULL ptr deref in ISM delayed work
Ray Wu [Tue, 7 Apr 2026 08:24:39 +0000 (16:24 +0800)] 
drm/amd/display: fix NULL ptr deref in ISM delayed work

dc_destroy() sets dm->dc to NULL before amdgpu_dm_ism_fini() is called,
leaving a window where in-flight ISM delayed work dereferences the stale
pointer. Call amdgpu_dm_ism_fini() in amdgpu_dm_fini() before dc_destroy().

Fixes: 754003486c3c ("drm/amd/display: Add Idle state manager(ISM)")
Reviewed-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
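
The teardown ordering that this commit and the earlier "Fix ISM teardown crash from NULL dc dereference" commit both describe, as an added single-threaded model that is not the driver's code. All names are hypothetical stand-ins; the workqueue is reduced to one pending flag and dc_lock is left out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct dc_model { int current_state; };

struct dm_model {
    struct dc_model *dc;   /* cleared on destroy, like dm->dc */
    bool ism_enabled;      /* new work may be queued only while set */
    bool work_pending;     /* models one queued delayed-work item */
    int commits;           /* work runs that saw a valid dc */
    int null_dc_hits;      /* work runs that saw dc == NULL */
};

static bool dm_model_init(struct dm_model *dm)
{
    dm->dc = calloc(1, sizeof(*dm->dc));
    dm->ism_enabled = dm->dc != NULL;
    dm->work_pending = false;
    dm->commits = 0;
    dm->null_dc_hits = 0;
    return dm->dc != NULL;
}

/* An idle event asks for the optimisation to be applied later. */
static void ism_queue_work(struct dm_model *dm)
{
    if (dm->ism_enabled)
        dm->work_pending = true;
}

/* Delayed work body: the real handler read dc->current_state here. */
static void ism_delayed_work(struct dm_model *dm)
{
    if (!dm->dc) {
        dm->null_dc_hits++;   /* recorded instead of faulting */
        return;
    }
    dm->dc->current_state++;
    dm->commits++;
}

/* The workqueue gets a chance to run whatever is pending. */
static void workqueue_tick(struct dm_model *dm)
{
    if (!dm->work_pending)
        return;
    dm->work_pending = false;
    ism_delayed_work(dm);
}

/* Stop accepting new work and cancel what is queued. */
static void ism_disable(struct dm_model *dm)
{
    dm->ism_enabled = false;
    dm->work_pending = false;
}

static void dc_destroy_model(struct dm_model *dm)
{
    free(dm->dc);
    dm->dc = NULL;
}

/* Returns how often the work ran with dc == NULL, or -1 if setup failed. */
static int teardown(bool ism_disabled_first)
{
    struct dm_model dm;

    if (!dm_model_init(&dm))
        return -1;
    ism_queue_work(&dm);          /* work is in flight when teardown starts */

    if (ism_disabled_first) {     /* order after the fix */
        ism_disable(&dm);
        dc_destroy_model(&dm);
    } else {                      /* order before the fix */
        dc_destroy_model(&dm);
        workqueue_tick(&dm);      /* timer fires inside the window */
        ism_disable(&dm);
    }

    workqueue_tick(&dm);          /* anything still queued would run now */
    ism_queue_work(&dm);          /* a late event after teardown is refused */
    workqueue_tick(&dm);
    return dm.null_dc_hits;
}

int main(void)
{
    printf("dc destroyed first: %d NULL dc access(es)\n", teardown(false));
    printf("ISM disabled first: %d NULL dc access(es)\n", teardown(true));
    return 0;
}
```
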
11 days ago drm/amd/display: Add missing do_mccs parameter description
Srinivasan Shanmugam [Thu, 9 Apr 2026 01:41:48 +0000 (07:11 +0530)] 
drm/amd/display: Add missing do_mccs parameter description

Add missing description for do_mccs parameter in
amdgpu_dm_update_freesync_caps.

Fixes the below with gcc W=1:
../display/amdgpu_dm/amdgpu_dm.c:13269 function parameter 'do_mccs' not described in 'amdgpu_dm_update_freesync_caps'

Fixes: 8dc88c6a5948 ("drm/amd/display: Avoid to do MCCS transaction if unnecessary")
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Wayne Lin <Wayne.Lin@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Remove redundant includes from DC
Roman Li [Thu, 9 Apr 2026 17:37:36 +0000 (13:37 -0400)] 
drm/amd/display: Remove redundant includes from DC

[Why]
The explicit include of linux/array_size.h in Display Core (DC) is
redundant. The ARRAY_SIZE macro is already provided by dm_services.h
(via os_types.h) which DC includes.

[How]
Remove the unnecessary #include <linux/array_size.h> from
dc_hw_sequencer.c and dce_clock_source.c.

Fixes: 2d2366176445 ("drm/amd/display: Replace inline NUM_ELEMENTS macro with ARRAY_SIZE")
CC: Linus Probert <linus.probert@gmail.com>
Signed-off-by: Roman Li <Roman.Li@amd.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Promote DC to 3.2.377
Taimur Hassan [Fri, 27 Mar 2026 23:54:22 +0000 (18:54 -0500)] 
drm/amd/display: Promote DC to 3.2.377

This version brings along the following updates:

- Enable sink freesync via MCCS with pcon whitelist adjustments
- Rework YCbCr422 DSC policy
- Update DML2.1 parameters
- Fix coding style issues and compiler warnings

Reviewed-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Taimur Hassan <Syed.Hassan@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Fix coding style issue
Chuanyu Tseng [Sat, 28 Mar 2026 00:13:49 +0000 (08:13 +0800)] 
drm/amd/display: Fix coding style issue

[Why & How]
Function logic should be put after the variable declaration section, so let's move it.

Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Signed-off-by: Chuanyu Tseng <Chuanyu.Tseng@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Remove Duplicate Prefetch Parameter
Zheng, Austin [Thu, 26 Mar 2026 17:29:32 +0000 (13:29 -0400)] 
drm/amd/display: Remove Duplicate Prefetch Parameter

[Why/How]
The UrgLatency value is passed in twice to the prefetch calculations:
once through the UrgentLatency term and once through the Turg term.
Only Turg is used in the prefetch calculation, so remove the unused UrgentLatency parameter.

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Zheng, Austin <Austin.Zheng@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Add DCN42 PMO policy for DML2.1
Nicholas Kazlauskas [Wed, 25 Mar 2026 18:37:04 +0000 (14:37 -0400)] 
drm/amd/display: Add DCN42 PMO policy for DML2.1

[Why]
The MinTTU policy in DML2.1 does not guarantee that we support p-state
in blank. This is a delta vs dml2 and earlier revisions as the prefetch
mode override has been removed in favor of a more configurable pstate
optimizer.

[How]
Split off DCN42 with its own PMO helpers so that we can use a simpler
strategy of only allowing the mode if we support p-state in vblank and
if vactive has enough latency hiding.

The actual hookup to use these helpers in the PMO factory will be
done in a later patch to satisfy build system requirements.

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: move memory latency update to dml for dcn42
Dmytro Laktyushkin [Wed, 25 Mar 2026 21:07:03 +0000 (17:07 -0400)] 
drm/amd/display: move memory latency update to dml for dcn42

Memory latencies are soc specific and should be part of dml soc
bounding box. This change removes them from clk_mgr and has
latency update happen based on memory type when dml socbb is being
updated.

Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Reviewed-by: Charlene Liu <charlene.liu@amd.com>
Signed-off-by: Dmytro Laktyushkin <dmytro.laktyushkin@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Fix implicit narrowing conversions in modules
Gaghik Khachatrian [Mon, 23 Mar 2026 19:26:53 +0000 (15:26 -0400)] 
drm/amd/display: Fix implicit narrowing conversions in modules

[Why]: Implicit narrowing of wider integer types (unsigned int, uint64_t)
into narrower fields (uint8_t, uint16_t, unsigned short) has potential
truncation issues.

[How]: For each warning site, added ASSERT(<value> <= 0xFFFF/0xFF) for
debug-mode bounds verification followed by an explicit cast. Typed
intermediate variables introduced where needed for clarity.

No functional change intended.

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Gaghik Khachatrian <gaghik.khachatrian@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: update dcn42 memory latencies
Dmytro Laktyushkin [Wed, 25 Mar 2026 21:03:25 +0000 (17:03 -0400)] 
drm/amd/display: update dcn42 memory latencies

Add latency update based on memory type to dml2.1

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Dmytro Laktyushkin <dmytro.laktyushkin@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Fix DCN42 gpuvm_min_page_size_kbytes in SOC BB
Nicholas Kazlauskas [Thu, 19 Mar 2026 18:39:14 +0000 (14:39 -0400)] 
drm/amd/display: Fix DCN42 gpuvm_min_page_size_kbytes in SOC BB

[Why & How]
To match the HW specification this should be 4, not 256.

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Pass min page size from SOC BB to dml2_1 plane config
Nicholas Kazlauskas [Thu, 19 Mar 2026 18:34:56 +0000 (14:34 -0400)] 
drm/amd/display: Pass min page size from SOC BB to dml2_1 plane config

[Why]
Like dml2_0 this isn't guaranteed to be constant for every ASIC.

This can cause corruption or underflow for linear surfaces due to a
wrong PTE_ROW_HEIGHT_LINEAR value if not correctly specified.

[How]
Like dml2_0 pass in the SOC bb into the plane configuration population
functions.

Set both GPUVM and HostVM page sizes in the overrides.

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Correct MALL parameters for DCN42 soc bb
Nicholas Kazlauskas [Tue, 24 Mar 2026 15:50:18 +0000 (11:50 -0400)] 
drm/amd/display: Correct MALL parameters for DCN42 soc bb

[Why & How]
The MALL and DCC parameters were copied and pasted from a previous ASIC
but the correct value per HW specification should all be 0.

If not correct this can impact urgent bandwidth calculation and PMO.

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Fix HostVMMinPageSize unit mismatch in DML2.1
Nicholas Kazlauskas [Tue, 24 Mar 2026 18:28:12 +0000 (14:28 -0400)] 
drm/amd/display: Fix HostVMMinPageSize unit mismatch in DML2.1

[Why]
This was found back on DML2 but was missed when creating DML2.1.

The bottom layer calculation (CalculateHostVMDynamicLevels) expects
a value in bytes, not KB, but we pass in the value in KB (eg. 4).

This causes an extra page table level to be required in the prefetch
bytes which can be significant overhead - preventing some modes
from being supported that should otherwise be.

[How]
Correct the units by multiplying the input and override values by 1024.

Reviewed-by: Austin Zheng <austin.zheng@amd.com>
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Avoid to do MCCS transaction if unnecessary
Wayne Lin [Wed, 11 Mar 2026 08:11:57 +0000 (16:11 +0800)] 
drm/amd/display: Avoid to do MCCS transaction if unnecessary

We don't have to do MCCS/DDCCI transactions with the sink side every time
get_modes() is called. Limit them to when a hotplug occurs.

Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Enable sink freesync via MCCS
Wayne Lin [Fri, 6 Mar 2026 08:32:36 +0000 (16:32 +0800)] 
drm/amd/display: Enable sink freesync via MCCS

If a sink such as HDMI indicates that it supports freesync via MCCS,
explicitly send the vcp set command to the sink to enable freesync.

Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Read sink freesync support via mccs
Wayne Lin [Tue, 3 Mar 2026 05:55:42 +0000 (13:55 +0800)] 
drm/amd/display: Read sink freesync support via mccs

If the EDID AMD VSDB declares that the sink supports the MCCS method for
freesync usage, send an mccs request to determine the sink's current freesync
support state.

If the sink supports freesync but the user toggles the OSD to turn it off,
disable freesync.

If an HDMI sink doesn't support the MCCS method for freesync usage, disable
freesync as well.

Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Parse freesync mccs vcp code
Wayne Lin [Tue, 3 Mar 2026 08:00:24 +0000 (16:00 +0800)] 
drm/amd/display: Parse freesync mccs vcp code

[Why & How]
DMUB now supports parsing the freesync mccs vcp code. Store it for
later freesync mccs manipulation.

Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Adjust freesync pcon whitelist
Wayne Lin [Thu, 5 Mar 2026 09:07:16 +0000 (17:07 +0800)] 
drm/amd/display: Adjust freesync pcon whitelist

Add more freesync-supported pcon IDs to the whitelist.

Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Wayne Lin <Wayne.Lin@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Remove unnecessary Freesync w/a from DCN32
George Shen [Mon, 23 Mar 2026 21:15:16 +0000 (17:15 -0400)] 
drm/amd/display: Remove unnecessary Freesync w/a from DCN32

[Why/How]
A workaround was previously used for certain Freesync cases that would
override the vstartup_start value from DML to position the SDP
correctly. This is no longer needed in DCN32 and above, so remove the
workaround.

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: George Shen <george.shen@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Rework YCbCr422 DSC policy
Relja Vojvodic [Fri, 20 Mar 2026 19:40:25 +0000 (15:40 -0400)] 
drm/amd/display: Rework YCbCr422 DSC policy

- Reworked YCbCr4:2:2 Native/Simple policy decision making with DSC
enabled based on DSC caps and stream signal type

Reviewed-by: Wenjing Liu <wenjing.liu@amd.com>
Signed-off-by: Relja Vojvodic <Relja.Vojvodic@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: update dcn42 bounding box
Charlene Liu [Sat, 28 Feb 2026 02:17:37 +0000 (21:17 -0500)] 
drm/amd/display: update dcn42 bounding box

[why]
update according to hw spec.

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Signed-off-by: Charlene Liu <Charlene.Liu@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT
Puranjay Mohan [Fri, 17 Apr 2026 14:33:52 +0000 (07:33 -0700)] 
bpf, arm32: Reject BPF-to-BPF calls and callbacks in the JIT

The ARM32 BPF JIT does not support BPF-to-BPF function calls
(BPF_PSEUDO_CALL) or callbacks (BPF_PSEUDO_FUNC), but it does
not reject them either.

When a program with subprograms is loaded (e.g. libxdp's XDP
dispatcher uses __noinline__ subprograms, or any program using
callbacks like bpf_loop or bpf_for_each_map_elem), the verifier
invokes bpf_jit_subprogs() which calls bpf_int_jit_compile()
for each subprogram.

For BPF_PSEUDO_CALL, since ARM32 does not reject it, the JIT
silently emits code using the wrong address computation:

    func = __bpf_call_base + imm

where imm is a pc-relative subprogram offset, producing a bogus
function pointer.

For BPF_PSEUDO_FUNC, the ldimm64 handler ignores src_reg and
loads the immediate as a normal 64-bit value without error.

In both cases, build_body() reports success and a JIT image is
allocated. ARM32 lacks the jit_data/extra_pass mechanism needed
for the second JIT pass in bpf_jit_subprogs(). On the second
pass, bpf_int_jit_compile() performs a full fresh compilation,
allocating a new JIT binary and overwriting prog->bpf_func. The
first allocation is never freed. bpf_jit_subprogs() then detects
the function pointer changed and aborts with -ENOTSUPP, but the
original JIT binary has already been leaked. Each program
load/unload cycle leaks one JIT binary allocation, as reported
by kmemleak:

    unreferenced object 0xbf0a1000 (size 4096):
      backtrace:
        bpf_jit_binary_alloc+0x64/0xfc
        bpf_int_jit_compile+0x14c/0x348
        bpf_jit_subprogs+0x4fc/0xa60

Fix this by rejecting both BPF_PSEUDO_CALL in the BPF_CALL
handler and BPF_PSEUDO_FUNC in the BPF_LD_IMM64 handler, falling
through to the existing 'notyet' path. This causes build_body()
to fail before any JIT binary is allocated, so
bpf_int_jit_compile() returns the original program unjitted.
bpf_jit_subprogs() then sees !prog->jited and cleanly falls
back to the interpreter with no leak.

Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Fixes: 1c2a088a6626 ("bpf: x64: add JIT support for multi-function programs")
Reported-by: Jonas Rebmann <jre@pengutronix.de>
Closes: https://lore.kernel.org/bpf/b63e9174-7a3d-4e22-8294-16df07a4af89@pengutronix.de
Tested-by: Jonas Rebmann <jre@pengutronix.de>
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260417143353.838911-1-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
11 days ago bpf: Dissociate struct_ops program with map if map_update fails
Amery Hung [Fri, 17 Apr 2026 17:49:00 +0000 (10:49 -0700)] 
bpf: Dissociate struct_ops program with map if map_update fails

Currently, when bpf_struct_ops_map_update_elem() fails, the programs'
st_ops_assoc will remain set. They may become dangling pointers if the
map is freed later, but they will never be dereferenced since the
struct_ops attachment did not succeed. However, if one of the programs
is subsequently attached as part of another struct_ops map, its
st_ops_assoc will be poisoned even though its old st_ops_assoc was stale
from a failed attachment.

Fix the spurious poisoned st_ops_assoc by dissociating struct_ops
programs with a map if the attachment fails. Move
bpf_prog_assoc_struct_ops() to after *plink++ to make sure
bpf_prog_disassoc_struct_ops() will not miss a program when iterating
st_map->links.

Note that, dissociating a program from a map requires some attention as
it must not reset a poisoned st_ops_assoc or a st_ops_assoc pointing to
another map. The former is already guarded in
bpf_prog_disassoc_struct_ops(). The latter also will not happen since
st_ops_assoc of programs in st_map->links are set by
bpf_prog_assoc_struct_ops(), which can only be poisoned or pointing to
the current map.

Signed-off-by: Amery Hung <ameryhung@gmail.com>
Link: https://lore.kernel.org/r/20260417174900.2895486-1-ameryhung@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
11 days ago cgroup/cpuset: record DL BW alloc CPU for attach rollback
Guopeng Zhang [Fri, 17 Apr 2026 03:37:41 +0000 (11:37 +0800)] 
cgroup/cpuset: record DL BW alloc CPU for attach rollback

cpuset_can_attach() allocates DL bandwidth only when migrating
deadline tasks to a disjoint CPU mask, but cpuset_cancel_attach()
rolls back based only on nr_migrate_dl_tasks. This makes the DL
bandwidth alloc/free paths asymmetric: rollback can call dl_bw_free()
even when no dl_bw_alloc() was done.

Rollback also needs to undo the reservation against the same CPU/root
domain that was charged. Record the CPU used by dl_bw_alloc() and use
that state in cpuset_cancel_attach(). If no allocation happened,
dl_bw_cpu stays at -1 and rollback skips dl_bw_free(). If allocation
did happen, bandwidth is returned to the same CPU/root domain.

Successful attach paths are unchanged. This only fixes failed attach
rollback accounting.

Fixes: 2ef269ef1ac0 ("cgroup/cpuset: Free DL BW in case can_attach() fails")
Signed-off-by: Guopeng Zhang <zhangguopeng@kylinos.cn>
Reviewed-by: Waiman Long <longman@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
11 days ago drm/amd/display: Drop unused tiling formats from dml2
Roman Li [Wed, 1 Apr 2026 21:38:26 +0000 (17:38 -0400)] 
drm/amd/display: Drop unused tiling formats from dml2

Remove unused legacy tiling format support from dml2.
Legacy asics don't use dml2.

Fixes: e56e3cff2a1b ("drm/amd/display: Sync dcn42 with DC 3.2.373")
Reviewed-by: Leo Li <sunpeng.li@amd.com>
Signed-off-by: Roman Li <Roman.Li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/display: Fix unused parameters warnings in dml2_0
Gaghik Khachatrian [Sat, 7 Mar 2026 20:10:13 +0000 (15:10 -0500)] 
drm/amd/display: Fix unused parameters warnings in dml2_0

[Why] Resolve warnings by marking unused parameters explicitly.

[How] Keep parameter names in signatures and add a line with
     '(void)param;'  inside the function body

This preserves function signatures and avoids breaking code paths that
may reference the parameter under conditional compilation.

Reviewed-by: Dillon Varone <dillon.varone@amd.com>
Reviewed-by: Clayton King <clayton.king@amd.com>
Signed-off-by: Gaghik Khachatrian <gaghik.khachatrian@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/mes_v12_1: Fix iterator reuse in mes_v12_1_test_ring()
Srinivasan Shanmugam [Fri, 10 Apr 2026 12:27:56 +0000 (17:57 +0530)] 
drm/amdgpu/mes_v12_1: Fix iterator reuse in mes_v12_1_test_ring()

This code waits for the MES self-test to complete by repeatedly checking
a register or memory value until it becomes valid or a timeout occurs.
The fix ensures the timeout counter works correctly by not reusing the
same variable inside another loop.

mes_v12_1_test_ring() uses 'i' as the outer timeout loop counter, but
reuses the same variable for the inner XCC scan in cooperative mode.

This makes the timeout counter ambiguous and can lead to incorrect
timeout handling. It also triggers a Smatch warning about reusing the
outer loop iterator.

Fix this by introducing a separate iterator for the inner XCC loop so
that 'i' continues to represent only the timeout wait duration.

drivers/gpu/drm/amd/amdgpu/mes_v12_1.c:2080 mes_v12_1_test_ring()
warn: reusing outside iterator: 'i'

drivers/gpu/drm/amd/amdgpu/mes_v12_1.c
    2069         atomic64_set((atomic64_t *)wptr_cpu_addr, wptr);
    2070         WDOORBELL64(doorbell_idx, wptr);
    2071
    2072         for (i = 0; i < adev->usec_timeout; i++) {

i is counting usec

    2073                 if (queue_type == AMDGPU_RING_TYPE_SDMA) {
    2074                         tmp = le32_to_cpu(*cpu_ptr);
    2075                 } else {
    2076                         if (!adev->mes.enable_coop_mode) {
    2077                                 tmp = RREG32_SOC15(GC, GET_INST(GC, xcc_id),
    2078                                                    regSCRATCH_REG0);
    2079                         } else {
--> 2080                                 for (i = 0; i < num_xcc; i++) {

and then re-used to count something else

Fixes: 44e5195fa3d4 ("drm/amdgpu/mes_v12_1: add mes self test")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Jack Xiao <Jack.Xiao@amd.com>
Cc: Hawking Zhang <Hawking.Zhang@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Jack Xiao <Jack.Xiao@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/pm: add od table upload error message parsing for smu v14.0.x
Yang Wang [Fri, 3 Apr 2026 03:52:46 +0000 (23:52 -0400)] 
drm/amd/pm: add od table upload error message parsing for smu v14.0.x

parse and print detailed reasons for od table upload failures to
help users understand error causes.

example:
$ echo "0 30 40" | sudo tee fan_curve
$ echo "1 40 30" | sudo tee fan_curve
$ echo "c" | sudo tee fan_curve

kernel log:
[   75.040174] amdgpu 0000:0a:00.0: Failed to upload overdrive table, ret:-5
[   75.040178] amdgpu 0000:0a:00.0: Invalid overdrive table content: OD_FAN_CURVE_PWM_ERROR (13)
[   75.040181] amdgpu 0000:0a:00.0: Failed to upload overdrive table!

Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/pm: add read arg support to smu_cmn_update_table
Yang Wang [Fri, 3 Apr 2026 03:30:22 +0000 (23:30 -0400)] 
drm/amd/pm: add read arg support to smu_cmn_update_table

Extend the smu_cmn_update_table function to support reading a 32-bit return
argument from the SMU firmware during table transfer operations.

- Rename the original function to smu_cmn_update_table_read_arg
- Add a uint32_t *read_arg output parameter to capture firmware response
- Pass the read_arg pointer to the SMU message command
- Keep full backward compatibility using a macro wrapper for the old API

This allows the driver to retrieve status codes, results, or configuration
feedback from the SMU firmware after table data transfer.

No functional changes for existing users of the original smu_cmn_update_table()
API.

Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/pm: fix runtime PM imbalance issue in amdgpu_pm.c
Yang Wang [Thu, 16 Apr 2026 10:17:30 +0000 (18:17 +0800)] 
drm/amd/pm: fix runtime PM imbalance issue in amdgpu_pm.c

Fix runtime PM counter imbalance to prevent device from failing to enter low power state

Fixes: a50d32c41fb2 ("drm/amd/pm: Deprecate print_clock_levels interface")
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu/sdma7.1: add support for disable_kq
Alex Deucher [Thu, 26 Mar 2026 17:50:03 +0000 (13:50 -0400)] 
drm/amdgpu/sdma7.1: add support for disable_kq

Plumb in support for disabling kernel queues and make it
the default.  For testing, kernel queues can be re-enabled
by setting amdgpu.user_queue=0.  Kernel queues are still
created for use by the kernel driver for memory management,
etc., just not user submissions.

Reviewed-by: Prike Liang <Prike.Liang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu: fix IP discovery v0 handling
filippor [Thu, 16 Apr 2026 14:34:57 +0000 (16:34 +0200)] 
drm/amdgpu: fix IP discovery v0 handling

Cyan skillfish uses IP discovery v0.  This was broken when the
IP discovery was refactored for newer versions.

Closes: https://gitlab.freedesktop.org/drm/amd/-/work_items/5189
Fixes: d0c647a6aae2 ("drm/amdgpu/discovery: support new discovery binary header")
Signed-off-by: filippor <filippo.rossoni@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/pm: Fix mode2 reset ACK handling on aldebaran v2
Srinivasan Shanmugam [Tue, 14 Apr 2026 08:40:21 +0000 (14:10 +0530)] 
drm/amd/pm: Fix mode2 reset ACK handling on aldebaran v2

aldebaran_mode2_reset() sends a mode2 reset message and waits for
an acknowledgment from the SMU.

The current ACK handling is incorrect.

The wait loop runs only when ret is -ETIME. But after a successful
async send, ret is 0. Because of this, the loop is skipped and the
code does not wait for the reset acknowledgment.

Also, the code checks for ret != 1 after calling
smu_msg_wait_response(). However, smu_msg_wait_response() returns
0 on success and negative error codes on failure. So checking
against 1 is wrong.

Return -EOPNOTSUPP when the firmware does not support this reset
message.

Fix this by setting ret to -ETIME before entering the wait loop,
checking for ret != 0 after getting the SMU response, and returning
-EOPNOTSUPP when the firmware does not support the message.

v2:
- Update ACK check to use ret != 0 instead of ret != 1, since
  smu_msg_wait_response() returns 0 on success (Feifei)
- Remove unnecessary handling for ret == 0

Fixes: e42569d02acb ("drm/amd/pm: Modify mode2 msg sequence on aldebaran")
Reported-by: Dan Carpenter <error27@gmail.com>
Cc: Feifei Xu <Feifei.Xu@amd.com>
Cc: Lijo Lazar <lijo.lazar@amd.com>
Cc: Hawking Zhang <Hawking.Zhang@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Feifei Xu <Feifei.Xu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/pm: smu7: Remove stale error check in smu7_hwmgr_backend_init
Srinivasan Shanmugam [Fri, 10 Apr 2026 12:38:56 +0000 (18:08 +0530)] 
drm/amd/pm: smu7: Remove stale error check in smu7_hwmgr_backend_init

smu7_hwmgr_backend_init() is responsible for initializing the SMU7 power
management backend. It allocates and sets up the backend structure,
initializes voltage tables, configures dependency tables, and prepares
platform-specific power and clock parameters.

The function follows a typical pattern where each initialization step
returns a status in "result", and failures are handled via a common
"goto fail" path that performs cleanup.

Commit 2c21648bb814 ("drm/amd/pm/smu7: Remove non-functional SMU7
voltage dependency on DAL") removed a function call in this
initialization sequence, but left behind the corresponding error check.

As a result, "result" is checked twice without being updated in between:

    result = smu7_init_voltage_dependency_on_display_clock_table(hwmgr);
    if (result)
        goto fail;

    ...

    if (result)
        goto fail;

The second check is redundant and unreachable for any new failure, since
no operation modifies "result" between the two checks. This triggers a
Smatch warning about a duplicate zero check and reduces code clarity.

Remove the stale error check to keep the control flow correct and
readable.

Fixes: 9f49e3d4cb86 ("drm/amd/pm/smu7: Remove non-functional SMU7 voltage dependency on DAL")
Reported-by: Dan Carpenter <error27@gmail.com>
Cc: Timur Kristóf <timur.kristof@gmail.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amd/ras: Avoid ECC status update in hw_fini for VF unload
Ce Sun [Mon, 13 Apr 2026 11:49:24 +0000 (19:49 +0800)] 
drm/amd/ras: Avoid ECC status update in hw_fini for VF unload

VF sends IDH_REQ_GPU_FINI_ACCESS before hw_fini during unload.
PF no longer accepts requests, so skip ECC status update to prevent
mailbox timeout.

Signed-off-by: Ce Sun <cesun102@amd.com>
Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu: fix CPER ring header parsing
Xiang Liu [Thu, 9 Apr 2026 09:10:21 +0000 (17:10 +0800)] 
drm/amdgpu: fix CPER ring header parsing

amdgpu_cper_ring_get_ent_sz() parses CPER headers directly from the
circular ring buffer to determine the current entry size. When the ring
is full and the write pointer lands near the end of the buffer, the
header can wrap across the ring boundary.

The existing code treats the 4-byte CPER signature as a C string and
uses strcmp() on in-ring binary data, then reads record_length through a
direct struct pointer cast. Both assumptions are unsafe for wrapped
entries and can read past the end of the ring mapping.

Fix the parser by comparing the signature as raw bytes and by copying
the header into a local buffer before reading record_length, handling
wraparound explicitly in both cases. This avoids out-of-bounds reads in
amdgpu_cper_ring_get_ent_sz() when the CPER ring is full or the current
entry starts at the tail of the ring.

Signed-off-by: Xiang Liu <xiang.liu@amd.com>
Reviewed-by: Tao Zhou <tao.zhou1@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
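
The wrap-aware header read described in the CPER ring commit above, as an added user-space illustration; it is not the driver's code and not part of the commit. The names `ring_copy_out`, `ring_entry_size`, `demo_entry_size` and `demo_no_header`, the 24-byte header with `record_length` at byte offset 20, and the 64-byte ring are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header layout assumed for this example only. */
#define HDR_SIG      "CPER"  /* 4 raw bytes; nothing in the ring terminates them */
#define HDR_SIG_LEN  4
#define HDR_LEN_OFF  20      /* assumed byte offset of the 32-bit record_length */
#define HDR_SIZE     24      /* bytes needed to cover signature..record_length */

/* Copy len bytes starting at ring offset pos into dst, wrapping at ring_size.
 * The caller guarantees len <= ring_size. */
static void ring_copy_out(const uint8_t *ring, size_t ring_size, size_t pos,
                          uint8_t *dst, size_t len)
{
    size_t first;

    pos %= ring_size;
    first = ring_size - pos;          /* bytes available before the wrap */
    if (first > len)
        first = len;
    memcpy(dst, ring + pos, first);
    memcpy(dst + first, ring, len - first);   /* remainder from ring start */
}

/* Return the size of the entry whose header starts at pos, or 0 when no
 * plausible header is there. The ring is never read through a struct cast
 * and the signature is never treated as a C string. */
static uint32_t ring_entry_size(const uint8_t *ring, size_t ring_size,
                                size_t pos)
{
    uint8_t hdr[HDR_SIZE];
    uint32_t len;

    if (!ring || ring_size < HDR_SIZE)
        return 0;

    /* Linearise the possibly wrapped header into a local buffer first. */
    ring_copy_out(ring, ring_size, pos, hdr, sizeof(hdr));

    /* Raw byte comparison: exactly 4 bytes, no terminator required. */
    if (memcmp(hdr, HDR_SIG, HDR_SIG_LEN) != 0)
        return 0;

    /* Little-endian decode from the local copy. */
    len = (uint32_t)hdr[HDR_LEN_OFF] |
          ((uint32_t)hdr[HDR_LEN_OFF + 1] << 8) |
          ((uint32_t)hdr[HDR_LEN_OFF + 2] << 16) |
          ((uint32_t)hdr[HDR_LEN_OFF + 3] << 24);

    /* A length shorter than the header or longer than the ring is corrupt. */
    if (len < HDR_SIZE || len > ring_size)
        return 0;
    return len;
}

/* Constructed input: a 64-byte ring filled with 0xAA (so no NUL byte follows
 * the signature) holding one header written at 'start' with wraparound. */
uint32_t demo_entry_size(size_t start, uint32_t record_length)
{
    uint8_t ring[64];
    uint8_t hdr[HDR_SIZE] = {0};
    size_t i;

    memset(ring, 0xAA, sizeof(ring));
    memcpy(hdr, HDR_SIG, HDR_SIG_LEN);
    for (i = 0; i < 4; i++)
        hdr[HDR_LEN_OFF + i] = (uint8_t)(record_length >> (8 * i));
    for (i = 0; i < HDR_SIZE; i++)
        ring[(start + i) % sizeof(ring)] = hdr[i];

    return ring_entry_size(ring, sizeof(ring), start);
}

/* Constructed input: a ring with no header at all. */
uint32_t demo_no_header(void)
{
    uint8_t ring[64];

    memset(ring, 0xAA, sizeof(ring));
    return ring_entry_size(ring, sizeof(ring), 60);
}

int main(void)
{
    printf("signature wraps (start 62): %u\n", (unsigned)demo_entry_size(62, 40));
    printf("length wraps (start 42):    %u\n", (unsigned)demo_entry_size(42, 48));
    printf("length exceeds ring:        %u\n", (unsigned)demo_entry_size(0, 200));
    printf("no header present:          %u\n", (unsigned)demo_no_header());
    return 0;
}
```
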
11 days ago drm/amdgpu: fix heap buffer overflow in amdgpu_coredump ring dump
Vitaly Prosyak [Fri, 10 Apr 2026 00:05:50 +0000 (20:05 -0400)] 
drm/amdgpu: fix heap buffer overflow in amdgpu_coredump ring dump

The off variable in the ring content dump loop tracks a byte offset
accumulated from ring->ring_size (which is in bytes), but it is used
as an index into u32 *rings_dw.  C pointer arithmetic on a u32 pointer
automatically multiplies the index by sizeof(u32) = 4, so the actual
byte address accessed is:

    &rings_dw[off]  ==  (char *)rings_dw + off * 4

This means off is effectively quadrupled, causing a 4x overshoot.

Concrete example -- two rings, each ring_size = 8 192 bytes (8 KB):

    total_ring_size = 16 384 bytes
    rings_dw = kzalloc(16 384)          /* 16 KB buffer */

  Ring 0: off = 0
    memcpy(&rings_dw[0], ring0->ring, 8192)
        -> writes bytes 0 .. 8 191                              OK

    off += ring->ring_size            -> off = 8 192   (BUG)

  Ring 1: off = 8 192
    memcpy(&rings_dw[8192], ring1->ring, 8192)
        -> actual byte offset = 8 192 * 4 = 32 768
        -> writes bytes 32 768 .. 40 959
        -> but buffer is only 16 384 bytes!             OVERFLOW

With the fix (off += ring->ring_size / 4):

  Ring 0: off = 0
    memcpy(&rings_dw[0], ring0->ring, 8192)             OK
    off += 8 192 / 4                  -> off = 2 048

  Ring 1: off = 2 048
    memcpy(&rings_dw[2048], ring1->ring, 8192)
        -> byte offset = 2 048 * 4 = 8 192
        -> writes bytes 8 192 .. 16 383                 OK

KASAN catches the overflow as a slab-use-after-free when the write
lands on a quarantined slab object:

  BUG: KASAN: slab-use-after-free in amdgpu_coredump+0x775/0x13c0 [amdgpu]
  Write of size 8192 at addr ffff8890b2400000 by task kworker/u128:1/329
  Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched]
  Call Trace:
   __asan_memcpy+0x3c/0x60
   amdgpu_coredump+0x775/0x13c0 [amdgpu]
   amdgpu_job_timedout+0xdb5/0x1420 [amdgpu]

The corrupted object was a 4 KB drm_exec buffer from a completed
amdgpu_cs_ioctl -- the ring dump memcpy overshot into this freed
slab region.

Fix by accumulating off in dword units (ring->ring_size / 4) so the
u32* indexing produces the correct byte address.  The reader in
amdgpu_devcoredump_format() already consumes the stored offset as a
dword index (rings_dw[off + j / 4]), so no change is needed there.

Fixes: eea85914d15b ("drm/amdgpu: save ring content before resetting the device")
Cc: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Acked-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu: correct single device PCIe reset flow for DPC
Ce Sun [Fri, 10 Apr 2026 07:26:59 +0000 (15:26 +0800)] 
drm/amdgpu: correct single device PCIe reset flow for DPC

For triggering the dpc event with a single device, we still need
to set the in_link_reset flag and the dpc status.

Signed-off-by: Ce Sun <cesun102@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days ago drm/amdgpu: fix NULL pointer dereference in amdgpu_devcoredump_format
Vitaly Prosyak [Tue, 14 Apr 2026 03:07:55 +0000 (23:07 -0400)] 
drm/amdgpu: fix NULL pointer dereference in amdgpu_devcoredump_format

A race condition in the devcoredump code causes a NULL pointer
dereference in amdgpu_devcoredump_format() when multiple GPU resets
occur in quick succession.

The sequence of events:

1. First reset calls amdgpu_coredump(), creates coredump1, sets
   adev->coredump = coredump1, and queues the deferred work.
2. The deferred work begins executing (work_pending() returns false
   since the work is now running, not just queued).
3. A second reset calls amdgpu_coredump(). work_pending() returns
   false because the work is running, so amdgpu_coredump() proceeds:
   creates coredump2, overwrites adev->coredump = coredump2, and
   re-queues the deferred work with queue_work().
4. The first deferred work finishes and unconditionally sets
   adev->coredump = NULL, destroying the reference to coredump2.
5. The re-queued deferred work starts and reads
   adev->coredump = NULL. It then passes this NULL into
   amdgpu_devcoredump_format() which dereferences coredump->adev
   (offset 0 in the struct), triggering:

   KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
   RIP: 0010:amdgpu_devcoredump_format+0xa6/0x36b0 [amdgpu]

This was observed during the amd_deadlock IGT test where multiple
subtests trigger rapid ring resets. The dmesg log shows four
coredumps created within 120ms (at 102.377s, 104.424s, 104.492s,
and 104.497s), with the crash occurring 13ms after the last one.

Fix this with two changes:

- Replace work_pending() with work_busy() in amdgpu_coredump() to
  also reject new coredumps while the deferred work is executing,
  not just when it is queued. This closes the main race window.

- Add a defensive NULL check for adev->coredump at the start of
  amdgpu_devcoredump_deferred_work() to prevent the crash if the
  race still occurs (work_busy() is advisory, not a full barrier).

v2: Drop the job->pasid NULL guard -- that fix was independently
    submitted and merged as commit 4c1f0a162da5 ("drm/amdgpu: add
    job->pasid in check as amdgpu_job could be NULL") by Sunil
    Khatri, reviewed by Christian König.  Integrate with that
    patch as suggested by Christian.

Fixes: 4bbba79a7f1d ("drm/amdgpu: move devcoredump generation to a worker")
Cc: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Reviewed-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
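The five-step interleaving from the commit message above, replayed deterministically in userspace as an added example (not the amdgpu code). The struct and function names are hypothetical stand-ins; the model assumes only what the message states: the pending state is cleared before the work callback runs, and work_busy() also reports a running work item.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum outcome { ALL_DUMPS_OK, NULL_DEREF, NULL_SKIPPED };

struct coredump { int id; };
struct work { bool pending, running; };      /* model of one work item */
struct dev {
    struct coredump *coredump;               /* models adev->coredump */
    struct work work;                        /* models the deferred work */
};

/* Model of work_pending(): true only while queued, not while running. */
static bool model_work_pending(const struct work *w) { return w->pending; }

/* Model of work_busy(): true while queued or while running. */
static bool model_work_busy(const struct work *w)
{
    return w->pending || w->running;
}

/* Models amdgpu_coredump(): publish a new dump unless the gate says busy. */
static void model_coredump(struct dev *d, struct coredump *cd, bool use_work_busy)
{
    bool busy = use_work_busy ? model_work_busy(&d->work)
                              : model_work_pending(&d->work);
    if (busy)
        return;                              /* new coredump rejected */
    d->coredump = cd;                        /* may overwrite a live pointer */
    d->work.pending = true;                  /* queue_work() */
}

/* Worker starts: pending is cleared first, then the shared pointer is read. */
static enum outcome worker_begin(struct dev *d, bool null_check)
{
    d->work.pending = false;
    d->work.running = true;
    if (!d->coredump) {
        d->work.running = false;
        /* Without the guard the real code would dereference NULL here. */
        return null_check ? NULL_SKIPPED : NULL_DEREF;
    }
    return ALL_DUMPS_OK;
}

/* Worker finishes: unconditionally clears the shared pointer (step 4). */
static void worker_end(struct dev *d)
{
    d->coredump = NULL;
    d->work.running = false;
}

/* Replay steps 1-5 with the chosen gate and with or without the NULL check. */
enum outcome replay(bool use_work_busy, bool null_check)
{
    struct coredump cd1 = { 1 }, cd2 = { 2 };
    struct dev d = { 0 };
    enum outcome r;

    model_coredump(&d, &cd1, use_work_busy); /* 1: first reset */
    r = worker_begin(&d, null_check);        /* 2: work starts running */
    model_coredump(&d, &cd2, use_work_busy); /* 3: second reset */
    worker_end(&d);                          /* 4: first run clears pointer */
    if (d.work.pending)                      /* 5: re-queued run, if any */
        r = worker_begin(&d, null_check);
    return r;
}

int main(void)
{
    static const char *names[] = { "ok", "NULL deref", "skipped by NULL check" };

    printf("work_pending, no check: %s\n", names[replay(false, false)]);
    printf("work_busy,    no check: %s\n", names[replay(true, false)]);
    printf("work_pending, check:    %s\n", names[replay(false, true)]);
    printf("work_busy,    check:    %s\n", names[replay(true, true)]);
    return 0;
}
```

The model covers only this one interleaving; as the message notes, work_busy() is advisory, which is why the NULL check is kept as a second layer.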
11 days agodrm/amdgpu: add job->pasid in check as amdgpu_job could be NULL
Sunil Khatri [Fri, 10 Apr 2026 10:56:00 +0000 (16:26 +0530)] 
drm/amdgpu: add job->pasid in check as amdgpu_job could be NULL

In below stack job->pasid is accessed while job is NULL. Access it
within the check when job is non NULL.

Failure call stack.
[  222.653622] BUG: kernel NULL pointer dereference, address: 000000000000014c
[  222.653625] #PF: supervisor read access in kernel mode
[  222.653628] #PF: error_code(0x0000) - not-present page
[  222.653630] PGD 0 P4D 0
[  222.653635] Oops: Oops: 0000 [#1] SMP NOPTI
[  222.653639] CPU: 1 UID: 0 PID: 12 Comm: kworker/u96:0 Not tainted 6.19.0-amd-staging-drm-next #271 PREEMPT(voluntary)
[  222.653644] Hardware name: Gigabyte Technology Co., Ltd. X570 AORUS ELITE/X570 AORUS ELITE, BIOS F37c 05/12/2022
[  222.653646] Workqueue: amdgpu-reset-dev amdgpu_userq_reset_work [amdgpu]
[  222.653961] RIP: 0010:amdgpu_coredump+0x8b/0x470 [amdgpu]
[  222.654158] Code: 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 c9 31 ff 31 d2 31 f6 45 31 c0 45 31 db e9 8c a9 1a e2 88 58 48 44 88 68 49 <41> 8b b7 4c 01 00 00 89 b0 80 00 00 00 4d 85 ff 48 89 45 d0 0f 84
[  222.654161] RSP: 0018:ffffce68c0147c00 EFLAGS: 00010282
[  222.654165] RAX: ffff8bc337407740 RBX: 0000000000000000 RCX: 0000000000000000
[  222.654167] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  222.654170] RBP: ffffce68c0147c48 R08: 0000000000000000 R09: 0000000000000000
[  222.654172] R10: ffff8bc337407740 R11: ffffffffc10dda10 R12: ffff8bc2d2e00000
[  222.654174] R13: 0000000000000001 R14: ffff8bc2d2e5b368 R15: 0000000000000000
[  222.654176] FS:  0000000000000000(0000) GS:ffff8bc64a5fe000(0000) knlGS:0000000000000000
[  222.654179] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  222.654182] CR2: 000000000000014c CR3: 0000000135eca000 CR4: 0000000000350ef0
[  222.654184] Call Trace:
[  222.654187]  <TASK>
[  222.654190]  ? amdgpu_ip_block_resume+0x28/0x70 [amdgpu]
[  222.654376]  ? srso_return_thunk+0x5/0x5f
[  222.654382]  amdgpu_device_reinit_after_reset+0x184/0x320 [amdgpu]
[  222.654552]  amdgpu_do_asic_reset+0x129/0x160 [amdgpu]
[  222.654720]  amdgpu_device_asic_reset+0x92/0x710 [amdgpu]
[  222.654890]  amdgpu_device_gpu_recover+0x2ae/0x3d0 [amdgpu]
[  222.655060]  amdgpu_userq_reset_work+0x76/0xa0 [amdgpu]
[  222.655229]  process_scheduled_works+0x1f0/0x450
[  222.655235]  worker_thread+0x27f/0x370

Fixes: 32ab301b89b3 ("drm/amdgpu: store ib info for devcoredump")
Signed-off-by: Sunil Khatri <sunil.khatri@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days agodrm/amdkfd: Clear VRAM on allocation to prevent stale data exposure
Amir Shetaia [Fri, 10 Apr 2026 14:38:13 +0000 (10:38 -0400)] 
drm/amdkfd: Clear VRAM on allocation to prevent stale data exposure

KFD VRAM allocations set AMDGPU_GEM_CREATE_VRAM_WIPE_ON_RELEASE
but not AMDGPU_GEM_CREATE_VRAM_CLEARED, leaving freshly allocated
VRAM with stale data from prior use observable by compute kernels.

The GEM ioctl path already sets VRAM_CLEARED for all userspace
allocations via amdgpu_gem_create_ioctl() and
amdgpu_mode_dumb_create(). The KFD path was missing this flag,
allowing stale page table remnants to leak into user buffers.

This causes crashes in RCCL P2P transport where non-zero data in
ptrExchange/head/tail fields corrupts the protocol handshake.

Signed-off-by: Amir Shetaia <Amir.Shetaia@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
11 days agodrm/amdgpu: Use NBIF offset for register RCC_STRAP0_RCC_DEV0_EPF0_STRAP0 .
Ramalingeswara Reddy, Kanala [Fri, 10 Apr 2026 05:50:20 +0000 (11:20 +0530)] 
drm/amdgpu: Use NBIF offset for register RCC_STRAP0_RCC_DEV0_EPF0_STRAP0 .

Define and use regRCC_STRAP0_RCC_DEV0_EPF0_STRAP0_nbif_4_10,
to get correct rev_id in nbif_v6_3_1_get_rev_id().

Reviewed-by: Pratik Vishwakarma <Pratik.Vishwakarma@amd.com>
Signed-off-by: Ramalingeswara Reddy, Kanala <Kanala.RamalingeswaraReddy@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
11 days agodrm/amd: Add missing firmware declaration for PSP v15.0.0
Mario Limonciello [Thu, 9 Apr 2026 03:36:49 +0000 (22:36 -0500)] 
drm/amd: Add missing firmware declaration for PSP v15.0.0

PSP v15.0.0 needs both TOC and TA firmware. Without the declaration
it won't get included in initramfs and leads to following failure:

```
Direct firmware load for amdgpu/psp_15_0_0_ta.bin failed with error -2
early_init of IP block <psp> failed -19
Fatal error during GPU init
```

Fixes: 9b24f63d825e7 ("drm/amdgpu: Enable support for PSP 15_0_0")
Reviewed-by: Pratik Vishwakarma <Pratik.Vishwakarma@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
11 days agoamdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2
David (Ming Qiang) Wu [Mon, 9 Mar 2026 22:48:37 +0000 (18:48 -0400)] 
amdgpu/jpeg: fix deepsleep register for jpeg 5_0_0 and 5_0_2

PCTL0__MMHUB_DEEPSLEEP_IB is 0x69004 on MMHUB 4,1,0 and
0x60804 on MMHUB 4,2,0. 0x62a04 is on MMHUB 1,8,0/1.

The DS bits are adjusted to cover more JPEG engines and MMHUB
version.

Signed-off-by: David (Ming Qiang) Wu <David.Wu3@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
11 days agodrm/amdgpu: gate VM CPU HDP flush on reset lock
Chenglei Xie [Tue, 7 Apr 2026 14:51:24 +0000 (10:51 -0400)] 
drm/amdgpu: gate VM CPU HDP flush on reset lock

During GPU reset, the application could still run CPU page table updates. Each commit called
amdgpu_device_flush_hdp(), which on SR-IOV sends work through the KIQ ring.
That can advance sync_seq while the GPU is being reset,
leaving fence writeback out of sync and causing amdgpu_fence_emit_polling()
to time out on later KIQ use.

Fix:
amdgpu_vm_cpu_commit():
  Reset will flush HDP anyway, the HDP flush in amdgpu_vm_cpu_commit() can be skipped
  when a reset is ongoing.
  Take reset_domain->sem with down_read_trylock() before amdgpu_device_flush_hdp().
  If the reset path holds the write lock, skip the HDP flush so no HDP-related HW
  access (including KIQ) runs during reset; state is re-established after reset.

Signed-off-by: Chenglei Xie <Chenglei.Xie@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
11 days agodrm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.
Ramalingeswara Reddy, Kanala [Tue, 31 Mar 2026 11:53:22 +0000 (17:23 +0530)] 
drm/amdgpu: Use SMUIO 15.0.0 offsets for TSC upper and lower count.

Define and use regGOLDEN_TSC_COUNT_UPPER_smu_15_0_0 and
regGOLDEN_TSC_COUNT_LOWER_smu_15_0_0 for TSC upper and lower count.

Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Pratik Vishwakarma <Pratik.Vishwakarma@amd.com>
Signed-off-by: Ramalingeswara Reddy, Kanala <Kanala.RamalingeswaraReddy@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
11 days agodrm/amdgpu: Remove sys file compute_partition_mem_alloc_mode at module unload
Xiaogang Chen [Tue, 7 Apr 2026 21:16:23 +0000 (16:16 -0500)] 
drm/amdgpu: Remove sys file compute_partition_mem_alloc_mode at module unload

Module reload would fail when creating a sys file that was not removed during
module unload.

Fixes: e0e9792ea2d4 ("drm/amdgpu: add an option to allow gpu partition allocate all available memory")
Signed-off-by: Xiaogang Chen <xiaogang.chen@amd.com>
Reviewed-by: Philip Yang <philip.yang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days agodrm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x
Yang Wang [Fri, 3 Apr 2026 02:44:29 +0000 (22:44 -0400)] 
drm/amd/pm: fix incorrect FeatureCtrlMask setting on smu v14.0.x

OverDriveTable.FanMinimumPwm and FeatureCtrlMask.PP_OD_FEATURE_FAN_LEGACY_BIT
have a hard dependency.
Invalid handling of this dependency leads to disabled thermal monitoring
and temperature boundary validation.

v2: squash in typo fix (Yang)

Fixes: 9710b84e2a6a ("drm/amd/pm: add overdrive support on smu v14.0.2/3")
Cc: stable@vger.kernel.org
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
11 days agoMerge tag 'for-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power...
Linus Torvalds [Fri, 17 Apr 2026 18:41:33 +0000 (11:41 -0700)] 
Merge tag 'for-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply

Pull power supply and reset updates from Sebastian Reichel:
 "Power-supply drivers:
   - S2MU005: new battery fuel gauge driver
   - macsmc-power: new driver for Apple Silicon
   - qcom_battmgr: Add support for Glymur and Kaanapali
   - max17042: add support for max77759
   - qcom_smbx: allow disabling charging
   - bd71828: add input current limit support
   - multiple drivers: use new device managed workqueue allocation
     function
   - misc small cleanups and fixes

  Reset core:
   - Expose sysfs for registered reboot_modes

  Reset drivers
   - misc small cleanups and fixes"

* tag 'for-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply: (36 commits)
  power: supply: qcom_smbx: allow disabling charging
  power: reset: drop unneeded dependencies on OF_GPIO
  power: supply: bd71828: add input current limit property
  dt-bindings: power: reset: cortina,gemini-power-controller: convert to DT schema
  power: supply: add support for S2MU005 battery fuel gauge device
  dt-bindings: power: supply: document Samsung S2MU005 battery fuel gauge
  power: reset: reboot-mode: fix -Wformat-security warning
  power: supply: ipaq_micro: Simplify with devm
  power: supply: mt6370: Simplify with devm_alloc_ordered_workqueue()
  power: supply: max77705: Free allocated workqueue and fix removal order
  power: supply: max77705: Drop duplicated IRQ error message
  power: supply: cw2015: Free allocated workqueue
  power: reset: keystone: Use register_sys_off_handler(SYS_OFF_MODE_RESTART)
  power: supply: twl4030_madc: Drop unused header includes
  power: supply: bq24190: Avoid rescheduling after cancelling work
  power: supply: axp288_charger: Simplify returns of dev_err_probe()
  power: supply: axp288_charger: Do not cancel work before initializing it
  power: supply: cpcap-battery: pass static battery cell data from device tree
  dt-bindings: power: supply: cpcap-battery: document monitored-battery property
  power: supply: qcom_battmgr: Add support for Glymur and Kaanapali
  ...

11 days agoMerge tag 'hsi-for-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-hsi
Linus Torvalds [Fri, 17 Apr 2026 18:32:01 +0000 (11:32 -0700)] 
Merge tag 'hsi-for-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-hsi

Pull HSI updates from Sebastian Reichel:

 - use flexible array member for hsi_port in hsi_controller

 - misc small fixes

* tag 'hsi-for-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-hsi:
  HSI: omap_ssi_port: remove depends on ARM
  HSI: omap_ssi_port: remove set but unused variables
  HSI: cmt_speech: fix wrong printf format
  HSI: omap_ssi_port: remove null check from FAM
  hsi: hsi_core: use kzalloc_flex

11 days agoMerge tag 'hid-for-linus-2026041601' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Fri, 17 Apr 2026 18:24:00 +0000 (11:24 -0700)] 
Merge tag 'hid-for-linus-2026041601' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid

Pull HID updates from Jiri Kosina:
 "Core:
   - fixed handling of 0-sized reports (Dmitry Torokhov)
   - convert core code to __free() (Dmitry Torokhov)
   - support for multiple batteries per HID device (Lucas Zampieri)

  Drivers:
   - support for rumble effects in winwing driver (Ivan Gorinov)
   - new support for a variety of Sony Rock Band and Sony DJ Hero
     Turntable devices (Rosalie Wanders)
   - new driver for Lenovo Legion Go / S devices (Derek J. Clark)
   - power management improvements to intel-thc-hid driver (Even Xu)

  ... other assorted cleanups, fixes and device-specific quirks"

* tag 'hid-for-linus-2026041601' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: (73 commits)
  HID: core: clamp report_size in s32ton() to avoid undefined shift
  HID: logitech-dj: fix wrong detection of bad DJ_SHORT output report
  HID: logitech-hidpp: fix race condition when accessing stale stack pointer
  HID: winwing: Enable rumble effects
  HID: core: do not allow parsing 0-sized reports
  HID: usbhid: refactor endpoint lookup
  HID: huawei: fix CD30 keyboard report descriptor issue
  HID: playstation: validate num_touch_reports in DualShock 4 reports
  HID: drop 'default !EXPERT' from tristate symbols
  HID: usbhid: fix deadlock in hid_post_reset()
  HID: apple: ensure the keyboard backlight is off if suspending
  HID: quirks: Set ALWAYS_POLL for LOGITECH_BOLT_RECEIVER
  HID: alps: fix NULL pointer dereference in alps_raw_event()
  HID: logitech-dj: Prevent REPORT_ID_DJ_SHORT related user initiated OOB write
  HID: logitech-dj: Standardise hid_report_enum variable nomenclature
  HID: sony: update module description
  HID: logitech-hidpp: Check bounds when deleting force-feedback effects
  HID: sony: add battery status support for Rock Band 4 PS5 guitars
  HID: sony: fix style issues
  HID: quirks: update hid-sony supported devices
  ...

11 days agoMerge tag 'dma-mapping-7.1-2026-04-16' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Fri, 17 Apr 2026 18:12:42 +0000 (11:12 -0700)] 
Merge tag 'dma-mapping-7.1-2026-04-16' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux

Pull dma-mapping updates from Marek Szyprowski:

 - added support for batched cache sync, which improves performance of
   dma_map/unmap_sg() operations on ARM64 architecture (Barry Song)

 - introduced DMA_ATTR_CC_SHARED attribute for explicitly shared memory
   used in confidential computing (Jiri Pirko)

 - refactored spaghetti-like code in drivers/of/of_reserved_mem.c and
   its clients (Marek Szyprowski, shared branch with device-tree updates
   to avoid merge conflicts)

 - prepared Contiguous Memory Allocator related code for making dma-buf
   drivers modularized (Maxime Ripard)

 - added support for benchmarking dma_map_sg() calls to tools/dma
   utility (Qinxin Xia)

* tag 'dma-mapping-7.1-2026-04-16' of git://git.kernel.org/pub/scm/linux/kernel/git/mszyprowski/linux: (24 commits)
  dma-buf: heaps: system: document system_cc_shared heap
  dma-buf: heaps: system: add system_cc_shared heap for explicitly shared memory
  dma-mapping: introduce DMA_ATTR_CC_SHARED for shared memory
  mm: cma: Export cma_alloc(), cma_release() and cma_get_name()
  dma: contiguous: Export dev_get_cma_area()
  dma: contiguous: Make dma_contiguous_default_area static
  dma: contiguous: Make dev_get_cma_area() a proper function
  dma: contiguous: Turn heap registration logic around
  of: reserved_mem: rework fdt_init_reserved_mem_node()
  of: reserved_mem: clarify fdt_scan_reserved_mem*() functions
  of: reserved_mem: rearrange code a bit
  of: reserved_mem: replace CMA quirks by generic methods
  of: reserved_mem: switch to ops based OF_DECLARE()
  of: reserved_mem: use -ENODEV instead of -ENOENT
  of: reserved_mem: remove fdt node from the structure
  dma-mapping: fix false kernel-doc comment marker
  dma-mapping: Support batch mode for dma_direct_{map,unmap}_sg
  dma-mapping: Separate DMA sync issuing and completion waiting
  arm64: Provide dcache_inval_poc_nosync helper
  arm64: Provide dcache_clean_poc_nosync helper
  ...

11 days agoselftests: Fix duplicated test number reporting
Mark Brown [Fri, 17 Apr 2026 16:57:50 +0000 (17:57 +0100)] 
selftests: Fix duplicated test number reporting

Commit 2964f6b816c2 ("selftests: Use ktap helpers for runner.sh") converted
the prints in runner.sh to use the relevant helpers from ktap_helpers.sh,
not modifying any of the strings printed in the process. This included
converting all the result reports to use the relevant ktap_test_ function.
Since the output was originally KTAP compliant the strings reported for
test names now include test numbers:

  ok 59 59 selftests: arm64: syscall-abi

instead of the expected format:

  ok 59 selftests: arm64: syscall-abi

which causes result parsers to interpret the second number as part of the
test name.

Given the use of the helpers the tracking of test numbers by runner.sh is
now redundant, remove it entirely to restore the expected output format.

Link: https://lore.kernel.org/r/20260417-selftests-fix-double-number-v1-1-1be5d7c36b94@kernel.org
Fixes: 2964f6b816c2 ("selftests: Use ktap helpers for runner.sh")
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
11 days agoMerge tag 'dmaengine-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul...
Linus Torvalds [Fri, 17 Apr 2026 17:29:01 +0000 (10:29 -0700)] 
Merge tag 'dmaengine-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine

Pull dmaengine updates from Vinod Koul:
 "Core:
   - New devm_of_dma_controller_register() API

  New Support:
   - Support for RZ/G3L SoC
   - Loongson Multi-Channel DMA controller support
   - Conversion of Xilinx AXI DMA binding
   - DW AXI CV1800B DMA support
   - Switchtec DMA engine driver

  Updates:
   - AMD MDB Endpoint and non-LL mode support
   - DW edma virtual IRQ for interrupt-emulation, cyclic transfers support"

* tag 'dmaengine-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine: (65 commits)
  dmaengine: dw-edma: Add non-LL mode
  dmaengine: dw-edma: Add AMD MDB Endpoint Support
  dt-bindings: dmaengine: Fix spelling mistake "Looongson" -> "Looogson"
  dmaengine: loongson: Fix spelling mistake "Looongson" -> "Looogson"
  dmaengine: loongson: New driver for the Loongson Multi-Channel DMA controller
  dt-bindings: dmaengine: Add Loongson Multi-Channel DMA controller
  dmaengine: loongson: loongson2-apb: Simplify locking with guard() and scoped_guard()
  dmaengine: loongson: loongson2-apb: Convert to devm_clk_get_enabled()
  dmaengine: loongson: loongson2-apb: Convert to dmaenginem_async_device_register()
  dmaengine: loongson: New directory for Loongson DMA controllers drivers
  dt-bindings: dma: xlnx,axi-dma: Convert to DT schema
  dt-bindings: dma: rz-dmac: Add conditional schema for RZ/G3L
  dmaengine: sh: rz-dmac: Add device_{pause,resume}() callbacks
  dmaengine: sh: rz-dmac: Add device_tx_status() callback
  dmaengine: sh: rz-dmac: Use rz_lmdesc_setup() to invalidate descriptors
  dmaengine: sh: rz-dmac: Drop unnecessary local_irq_save() call
  dmaengine: sh: rz-dmac: Drop goto instruction and label
  dmaengine: sh: rz-dmac: Drop read of CHCTRL register
  dmaengine: sh: rz_dmac: add RZ/{T2H,N2H} support
  dt-bindings: dma: renesas,rz-dmac: document RZ/{T2H,N2H}
  ...

11 days agocgroup/rdma: fix integer overflow in rdmacg_try_charge()
cuitao [Tue, 14 Apr 2026 01:53:27 +0000 (09:53 +0800)] 
cgroup/rdma: fix integer overflow in rdmacg_try_charge()

The expression `rpool->resources[index].usage + 1` is computed in int
arithmetic before being assigned to s64 variable `new`. When usage equals
INT_MAX (the default "max" value), the addition overflows to INT_MIN.
This negative value then passes the `new > max` check incorrectly,
allowing a charge that should be rejected and corrupting usage to
negative.

Fix by casting usage to s64 before the addition so the arithmetic is
done in 64-bit.

Fixes: 39d3e7584a68 ("rdmacg: Added rdma cgroup controller")
Signed-off-by: cuitao <cuitao@kylinos.cn>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
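The overflow described in the commit message above, reduced to a userspace sketch as an added example (not the kernel's rdmacg code). The `res_slot` struct and both function names are hypothetical; the wrap of INT_MAX + 1 to INT_MIN that the message describes is reproduced through unsigned arithmetic so the demo itself has no undefined behaviour.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t s64;

/* Constructed stand-in for one resource counter: usage and max are int. */
struct res_slot {
    int usage;
    int max;
};

/*
 * Two's-complement wrapping add, matching the INT_MAX + 1 -> INT_MIN
 * behaviour from the commit message. Signed overflow is undefined in
 * ISO C, so the sum is formed in unsigned and mapped back by hand.
 */
static int wrapping_add_int(int a, int b)
{
    unsigned int r = (unsigned int)a + (unsigned int)b;

    return r <= (unsigned int)INT_MAX ? (int)r
                                      : -(int)(UINT_MAX - r) - 1;
}

/* Before the fix: the addition is done in int, then widened to s64. */
int try_charge_int_add(struct res_slot *r)
{
    s64 new = wrapping_add_int(r->usage, 1);

    if (new > r->max)
        return -EAGAIN;          /* limit reached: reject the charge */
    r->usage = (int)new;         /* a wrapped value lands here */
    return 0;
}

/* After the fix: usage is widened first, so the addition is 64-bit. */
int try_charge_s64_add(struct res_slot *r)
{
    s64 new = (s64)r->usage + 1;

    if (new > r->max)
        return -EAGAIN;
    r->usage = (int)new;         /* safe: new <= max <= INT_MAX */
    return 0;
}

int main(void)
{
    /* Constructed input: counter already at the default "max" value. */
    struct res_slot a = { INT_MAX, INT_MAX };
    struct res_slot b = { INT_MAX, INT_MAX };
    int ra = try_charge_int_add(&a);
    int rb = try_charge_s64_add(&b);

    printf("int add: ret=%d usage=%d\n", ra, a.usage);
    printf("s64 add: ret=%d usage=%d\n", rb, b.usage);
    return 0;
}
```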
11 days agosched/psi: fix race between file release and pressure write
Edward Adam Davis [Tue, 14 Apr 2026 06:15:43 +0000 (14:15 +0800)] 
sched/psi: fix race between file release and pressure write

A potential race condition exists between pressure write and cgroup file
release regarding the priv member of struct kernfs_open_file, which
triggers the uaf reported in [1].

Consider the following scenario involving execution on two separate CPUs:

   CPU0                                 CPU1
   ====                                 ====
                                        vfs_rmdir()
                                        kernfs_iop_rmdir()
                                        cgroup_rmdir()
                                        cgroup_kn_lock_live()
                                        cgroup_destroy_locked()
                                        cgroup_addrm_files()
                                        cgroup_rm_file()
                                        kernfs_remove_by_name()
                                        kernfs_remove_by_name_ns()
 vfs_write()                            __kernfs_remove()
 new_sync_write()                       kernfs_drain()
 kernfs_fop_write_iter()                kernfs_drain_open_files()
 cgroup_file_write()                    kernfs_release_file()
 pressure_write()                       cgroup_file_release()
 ctx = of->priv;
                                        kfree(ctx);
                                        of->priv = NULL;
                                        cgroup_kn_unlock()
 cgroup_kn_lock_live()
 cgroup_get(cgrp)
 cgroup_kn_unlock()
 if (ctx->psi.trigger)  // here, trigger uaf for ctx, that is of->priv

The cgroup_rmdir() is protected by the cgroup_mutex, it also safeguards
the memory deallocation of of->priv performed within cgroup_file_release().
However, the operations involving of->priv executed within pressure_write()
are not entirely covered by the protection of cgroup_mutex. Consequently,
if the code in pressure_write(), specifically the section handling the
ctx variable executes after cgroup_file_release() has completed, a uaf
vulnerability involving of->priv is triggered.

Therefore, the issue can be resolved by extending the scope of the
cgroup_mutex lock within pressure_write() to encompass all code paths
involving of->priv, thereby properly synchronizing the race condition
occurring between cgroup_file_release() and pressure_write().

And, if a live kn lock can be successfully acquired while executing
the pressure write operation, it indicates that the cgroup deletion
process has not yet reached its final stage; consequently, the priv
pointer within open_file cannot be NULL. Therefore, the operation to
retrieve the ctx value must be moved to a point *after* the live kn
lock has been successfully acquired.

In another situation, specifically after entering cgroup_kn_lock_live()
but before acquiring cgroup_mutex, there exists a different class of
race condition:

CPU0: write memory.pressure             CPU1: write cgroup.pressure=0
===========================             =============================

kernfs_fop_write_iter()
 kernfs_get_active_of(of)
 pressure_write()
   cgroup_kn_lock_live(memory.pressure)
     cgroup_tryget(cgrp)
     kernfs_break_active_protection(kn)
     ... blocks on cgroup_mutex

                                        cgroup_pressure_write()
                                        cgroup_kn_lock_live(cgroup.pressure)
                                        cgroup_file_show(memory.pressure, false)
                                          kernfs_show(false)
                                            kernfs_drain_open_files()
                                              cgroup_file_release(of)
                                                kfree(ctx)
                                                  of->priv = NULL
                                        cgroup_kn_unlock()

   ... acquires cgroup_mutex
   ctx = of->priv;        // may now be NULL
   if (ctx->psi.trigger)  // NULL dereference

Consequently, there is a possibility that of->priv is NULL, the pressure
write needs to check for this.

Now that the scope of the cgroup_mutex has been expanded, the original
explicit cgroup_get/put operations are no longer necessary, this is
because acquiring/releasing the live kn lock inherently executes a
cgroup get/put operation.

[1]
BUG: KASAN: slab-use-after-free in pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
Call Trace:
 pressure_write+0xa4/0x210 kernel/cgroup/cgroup.c:4011
 cgroup_file_write+0x36f/0x790 kernel/cgroup/cgroup.c:4311
 kernfs_fop_write_iter+0x3b0/0x540 fs/kernfs/file.c:352

Allocated by task 9352:
 cgroup_file_open+0x90/0x3a0 kernel/cgroup/cgroup.c:4256
 kernfs_fop_open+0x9eb/0xcb0 fs/kernfs/file.c:724
 do_dentry_open+0x83d/0x13e0 fs/open.c:949

Freed by task 9353:
 cgroup_file_release+0xd6/0x100 kernel/cgroup/cgroup.c:4283
 kernfs_release_file fs/kernfs/file.c:764 [inline]
 kernfs_drain_open_files+0x392/0x720 fs/kernfs/file.c:834
 kernfs_drain+0x470/0x600 fs/kernfs/dir.c:525

Fixes: 0e94682b73bf ("psi: introduce psi monitor")
Reported-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=33e571025d88efd1312c
Tested-by: syzbot+33e571025d88efd1312c@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Reviewed-by: Chen Ridong <chenridong@huaweicloud.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
11 days agoMerge tag 'phy-for-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy
Linus Torvalds [Fri, 17 Apr 2026 17:22:08 +0000 (10:22 -0700)] 
Merge tag 'phy-for-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy

Pull phy updates from Vinod Koul:
 "New Support:
   - Qualcomm Eliza QMP UFS PHY
   - Canaan K230 USB 2.0 PHY driver
   - Mediatek mt8167 dsi-phy
   - Eswin EIC7700 SATA PHY driver

  Updates:
   - Sorted subsystem Makefile/Kconfig and some kernel-doc updates"

* tag 'phy-for-7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy:
  dt-bindings: phy: qcom,sc8280xp-qmp-ufs-phy: document the Eliza QMP UFS PHY
  phy: qcom: m31-eusb2: clear PLL_EN during init
  phy: eswin: Create eswin directory and add EIC7700 SATA PHY driver
  dt-bindings: phy: eswin: Document the EIC7700 SoC SATA PHY
  phy: apple: apple: Use local variable for ioremap return value
  phy: qcom: qmp-usbc: Simplify check for non-NULL pointer
  phy: marvell: mmp3-hsic: Avoid re-casting __iomem
  phy: apple: atc: Make atcphy_dwc3_reset_ops variable static
  dt-bindings: phy: mediatek,dsi-phy: Add support for mt8167
  phy: usb: Add driver for Canaan K230 USB 2.0 PHY
  dt-bindings: phy: Add Canaan K230 USB PHY
  phy: phy-mtk-tphy: Update names and format of kernel-doc comments
  phy: Sort the subsystem Kconfig
  phy: Sort the subsystem Makefile
  phy: move spacemit pcie driver to its subfolder

11 days agoMerge tag 'soundwire-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul...
Linus Torvalds [Fri, 17 Apr 2026 17:16:53 +0000 (10:16 -0700)] 
Merge tag 'soundwire-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire

Pull soundwire updates from Vinod Koul:

 - Core: DP prepare polling for avoiding interrupt deadlock

 - AMD clock init and bandwidth refactoring

 - Intel more codecs to wake list, clear message on before signaling
   waiting thread

* tag 'soundwire-7.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/soundwire:
  soundwire: intel_auxdevice: Add cs42l49 to wake_capable_list
  soundwire: cadence: Clear message complete before signaling waiting thread
  soundwire: Intel: test bus.bpt_stream before assigning it
  soundwire: bus: demote UNATTACHED state warnings to dev_dbg()
  soundwire: stream: Poll for DP prepare to avoid interrupt deadlock
  soundwire: amd: refactor bandwidth calculation logic
  soundwire: amd: add clock init control function
  soundwire: intel_auxdevice: Add CS47L47 to wake_capable_list
  soundwire: slave: Don't register devices that are disabled in ACPI
  soundwire: sdw.h: repair names and format of kernel-doc comments

11 days agobpf: Validate node_id in arena_alloc_pages()
Puranjay Mohan [Fri, 17 Apr 2026 15:21:33 +0000 (08:21 -0700)] 
bpf: Validate node_id in arena_alloc_pages()

arena_alloc_pages() accepts a plain int node_id and forwards it through
the entire allocation chain without any bounds checking.

Validate node_id before passing it down the allocation chain in
arena_alloc_pages().

Fixes: 317460317a02 ("bpf: Introduce bpf_arena.")
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Link: https://lore.kernel.org/r/20260417152135.1383754-1-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
11 days agoMerge tag 'trace-latency-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace...
Linus Torvalds [Fri, 17 Apr 2026 17:12:11 +0000 (10:12 -0700)] 
Merge tag 'trace-latency-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull tracing latency update from Steven Rostedt:

 - Add TIMERLAT_ALIGN osnoise option

   Add a timer alignment option for timerlat that makes it work like the
   cyclictest -A option. timerlat creates threads to test the latency of
   the kernel. The alignment option will have these threads trigger at
   the alignment offsets from each other. Instead of having each thread
   wake up at the exact same time, if the alignment is set to "20" each
   thread will wake up at 20 microseconds from the previous one.

* tag 'trace-latency-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  tracing/osnoise: Add option to align tlat threads

11 days agoarm_mpam: resctrl: Make resctrl_mon_ctx_waiters static
Ben Horgan [Tue, 14 Apr 2026 13:27:58 +0000 (14:27 +0100)] 
arm_mpam: resctrl: Make resctrl_mon_ctx_waiters static

resctrl_mon_ctx_waiters is not used outside of this file, so make it
static. This fixes the sparse warning:

drivers/resctrl/mpam_resctrl.c:25:1: warning: symbol 'resctrl_mon_ctx_waiters' was not declared. Should it be static?

Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202603281842.c2K96tJA-lkp@intel.com/
Fixes: 2a3c79c61539 ("arm_mpam: resctrl: Allow resctrl to allocate monitors")
Signed-off-by: Ben Horgan <ben.horgan@arm.com>
Reviewed-by: Gavin Shan <gshan@redhat.com>
Signed-off-by: James Morse <james.morse@arm.com>
11 days agoarm_mpam: resctrl: Fix the check for no monitor components found
Ben Horgan [Tue, 14 Apr 2026 13:27:56 +0000 (14:27 +0100)] 
arm_mpam: resctrl: Fix the check for no monitor components found

Dan Carpenter reports that, in mpam_resctrl_alloc_domain(), any_mon_comp is
used in an 'if' condition when it may be uninitialized. Initialize it to
NULL so that the check behaves correctly when no monitor components are
found.

Reported-by: Dan Carpenter <error27@gmail.com>
Fixes: 264c285999fc ("arm_mpam: resctrl: Add monitor initialisation and domain boilerplate")
Signed-off-by: Ben Horgan <ben.horgan@arm.com>
Reviewed-by: Gavin Shan <gshan@redhat.com>
Signed-off-by: James Morse <james.morse@arm.com>
11 days ago arm_mpam: resctrl: Fix MBA CDP alloc_capable handling on unmount
Zeng Heng [Mon, 13 Apr 2026 09:00:41 +0000 (17:00 +0800)] 
arm_mpam: resctrl: Fix MBA CDP alloc_capable handling on unmount

The code to set MBA's alloc_capable to true appears to be trying to
restore alloc_capable on unmount. This can never work because
resctrl_arch_set_cdp_enabled() is never invoked with RDT_RESOURCE_MBA
as the rid parameter. Consequently,
mpam_resctrl_controls[RDT_RESOURCE_MBA].cdp_enabled always remains false.

The alloc_capable setting in resctrl_arch_set_cdp_enabled() is to
re-enable MBA if the caller opts in to separate control values using
CDP for this resource. This doesn't happen today.

Add a comment to describe this.

However a bug remains where MBA allocation is permanently disabled after
the mount with CDP option. Remounting without CDP cannot restore the MBA
partition capability.

Add a check to re-enable MBA when CDP is disabled, which happens on
unmount.

Fixes: 6789fb99282c ("arm_mpam: resctrl: Add CDP emulation")
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
[ morse: Added comment for existing code, added hunk to fix this bug from
  Ben H ]
Reviewed-by: James Morse <james.morse@arm.com>
Signed-off-by: James Morse <james.morse@arm.com>
11 days ago Merge tag 'trace-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux...
Linus Torvalds [Fri, 17 Apr 2026 16:43:12 +0000 (09:43 -0700)] 
Merge tag 'trace-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull tracing updates from Steven Rostedt:

 - Fix printf format warning for bprintf

   sunrpc uses a trace_printk() that triggers a printf warning during
   the compile. Move the __printf() attribute around so that when debugging
   is not enabled the warning will go away

 - Remove redundant check for EVENT_FILE_FL_FREED in
   event_filter_write()

   The FREED flag is checked in the call to event_file_file() and then
   checked again right afterward, which is unneeded

 - Clean up event_file_file() and event_file_data() helpers

   These helper functions played a different role in the past, but now
   with eventfs, the READ_ONCE() isn't needed. Simplify the code a bit
   and also add a warning to event_file_data() if the file or its data
   is not present

 - Remove updating file->private_data in tracing open

   All access to the file private data is handled by the helper
   functions, which do not use file->private_data. Stop updating it on
   open

 - Show ENUM names in function arguments via BTF in function tracing

   When showing the function arguments when func-args option is set for
   function tracing, if one of the arguments is found to be an enum,
   show the name of the enum instead of its number

 - Add new trace_call__##name() API for tracepoints

   Tracepoints are enabled via static_branch() blocks, where when not
   enabled, there's only a nop that is in the code where the execution
   will just skip over it. When tracing is enabled, the nop is converted
   to a direct jump to the tracepoint code. Sometimes more calculations
   are required to be performed to update the parameters of the
   tracepoint. In this case, trace_##name##_enabled() is called which is
   a static_branch() that gets enabled only when the tracepoint is
   enabled. This allows the extra calculations to also be skipped by the
   nop:

	if (trace_foo_enabled()) {
		x = bar();
		trace_foo(x);
	}

   Where the x=bar() is only performed when foo is enabled. The problem
   with this approach is that there's now two static_branch() calls. One
   for checking if the tracepoint is enabled, and then again to know if
   the tracepoint should be called. The second one is redundant

   Introduce trace_call__foo() that will call the foo() tracepoint
   directly without doing a static_branch():

	if (trace_foo_enabled()) {
		x = bar();
		trace_call__foo(x);
	}

 - Update various locations to use the new trace_call__##name() API

 - Move snapshot code out of trace.c

   Cleaning up trace.c to not be a "dump all", move the snapshot code
   out of it and into a new trace_snapshot.c file

 - Clean up some "%*.s" to "%*s"

 - Allow boot kernel command line options to be called multiple times

   Have options like:

	ftrace_filter=foo ftrace_filter=bar ftrace_filter=zoo

   Equal to:

	ftrace_filter=foo,bar,zoo

 - Fix ipi_raise event CPU field to be a CPU field

   The ipi_raise target_cpus field is defined as a __bitmask(). There is
   now a __cpumask() field definition. Update the field to use that

 - Have hist_field_name() use a snprintf() and not a series of strcat()

   It's safer to use snprintf() than a series of strcat()

 - Fix tracepoint regfunc balancing

   A tracepoint can define a "reg" and "unreg" function that gets called
   before the tracepoint is enabled, and after it is disabled
   respectively. But on error, after the "reg" func is called and the
   tracepoint is not enabled, the "unreg" function is not called to tear
   down what the "reg" function performed

 - Fix output that shows what histograms are enabled

   Event variables are displayed incorrectly in the histogram output

   Instead of "sched.sched_wakeup.$var", it is showing
   "$sched.sched_wakeup.var" where the '$' is in the incorrect location

 - Some other simple cleanups

* tag 'trace-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: (24 commits)
  selftests/ftrace: Add test case for fully-qualified variable references
  tracing: Fix fully-qualified variable reference printing in histograms
  tracepoint: balance regfunc() on func_add() failure in tracepoint_add_func()
  tracing: Rebuild full_name on each hist_field_name() call
  tracing: Report ipi_raise target CPUs as cpumask
  tracing: Remove duplicate latency_fsnotify() stub
  tracing: Preserve repeated trace_trigger boot parameters
  tracing: Append repeated boot-time tracing parameters
  tracing: Remove spurious default precision from show_event_trigger/filter formats
  cpufreq: Use trace_call__##name() at guarded tracepoint call sites
  tracing: Remove tracing_alloc_snapshot() when snapshot isn't defined
  tracing: Move snapshot code out of trace.c and into trace_snapshot.c
  mm: damon: Use trace_call__##name() at guarded tracepoint call sites
  btrfs: Use trace_call__##name() at guarded tracepoint call sites
  spi: Use trace_call__##name() at guarded tracepoint call sites
  i2c: Use trace_call__##name() at guarded tracepoint call sites
  kernel: Use trace_call__##name() at guarded tracepoint call sites
  tracepoint: Add trace_call__##name() API
  tracing: trace_mmap.h: fix a kernel-doc warning
  tracing: Pretty-print enum parameters in function arguments
  ...

11 days ago Merge tag 'probes-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux...
Linus Torvalds [Fri, 17 Apr 2026 16:18:32 +0000 (09:18 -0700)] 
Merge tag 'probes-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull fprobe update from Masami Hiramatsu:

 - do not zero out unused fgraph_data. This removes unneeded memset of
   fgraph_data in fprobe entry handler.

* tag 'probes-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  tracing: fprobe: do not zero out unused fgraph_data

12 days ago Merge tag 'bootconfig-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace...
Linus Torvalds [Fri, 17 Apr 2026 16:14:07 +0000 (09:14 -0700)] 
Merge tag 'bootconfig-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace

Pull bootconfig updates from Masami Hiramatsu:
 "Minor fixes for handling errors:
   - fix off-by-one in xbc_verify_tree() next node check
   - increment xbc_node_num after node init succeeds
   - validate child node index in xbc_verify_tree()

  Code cleanups (mainly type/attribute changes):
   - clean up comment typos and bracing
   - drop redundant memset of xbc_nodes
   - replace linux/kernel.h with specific includes
   - narrow flag parameter type from uint32_t to uint16_t
   - constify xbc_calc_checksum() data parameter
   - fix signed comparison in xbc_node_get_data()
   - use size_t for strlen result in xbc_node_match_prefix()
   - use signed type for offset in xbc_init_node()
   - use size_t for key length tracking in xbc_verify_tree()
   - change xbc_node_index() return type to uint16_t"

* tag 'bootconfig-v7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
  lib/bootconfig: change xbc_node_index() return type to uint16_t
  lib/bootconfig: use size_t for key length tracking in xbc_verify_tree()
  lib/bootconfig: use signed type for offset in xbc_init_node()
  lib/bootconfig: use size_t for strlen result in xbc_node_match_prefix()
  lib/bootconfig: fix signed comparison in xbc_node_get_data()
  lib/bootconfig: validate child node index in xbc_verify_tree()
  lib/bootconfig: replace linux/kernel.h with specific includes
  bootconfig: constify xbc_calc_checksum() data parameter
  lib/bootconfig: drop redundant memset of xbc_nodes
  lib/bootconfig: increment xbc_node_num after node init succeeds
  lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check
  lib/bootconfig: narrow flag parameter type from uint32_t to uint16_t
  lib/bootconfig: clean up comment typos and bracing

12 days ago Merge tag 'mips_7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
Linus Torvalds [Fri, 17 Apr 2026 15:53:23 +0000 (08:53 -0700)] 
Merge tag 'mips_7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux

Pull MIPS updates from Thomas Bogendoerfer:

 - Support for Mobileye EyeQ6Lplus

 - Cleanups and fixes

* tag 'mips_7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: (30 commits)
  MIPS/mtd: Handle READY GPIO in generic NAND platform data
  MIPS/input: Move RB532 button to GPIO descriptors
  MIPS: validate DT bootargs before appending them
  MIPS: Alchemy: Remove unused forward declaration
  MAINTAINERS: Mobileye: Add EyeQ6Lplus files
  MIPS: config: add eyeq6lplus_defconfig
  MIPS: Add Mobileye EyeQ6Lplus evaluation board dts
  MIPS: Add Mobileye EyeQ6Lplus SoC dtsi
  clk: eyeq: Add Mobileye EyeQ6Lplus OLB
  clk: eyeq: Adjust PLL accuracy computation
  clk: eyeq: Skip post-divisor when computing PLL frequency
  pinctrl: eyeq5: Add Mobileye EyeQ6Lplus OLB
  pinctrl: eyeq5: Use match data
  reset: eyeq: Add Mobileye EyeQ6Lplus OLB
  MIPS: Add Mobileye EyeQ6Lplus support
  dt-bindings: soc: mobileye: Add EyeQ6Lplus OLB
  dt-bindings: mips: Add Mobileye EyeQ6Lplus SoC
  MIPS: dts: loongson64g-package: Switch to Loongson UART driver
  mips: pci-mt7620: rework initialization procedure
  mips: pci-mt7620: add more register init values
  ...

12 days ago ALSA: caiaq: Fix control_put() result and cache rollback
Cássio Gabriel [Fri, 17 Apr 2026 13:41:33 +0000 (10:41 -0300)] 
ALSA: caiaq: Fix control_put() result and cache rollback

control_put() always returns 1 and updates cdev->control_state[]
before sending the USB command. It also ignores transport errors
from usb_bulk_msg(), snd_usb_caiaq_send_command(), and
snd_usb_caiaq_send_command_bank().

That breaks the ALSA .put() contract and can leave control_get()
reporting a cached value the device never accepted.

Return 0 for unchanged values, propagate transport failures,
and restore the cached byte when the write fails.

Fixes: 8e3cd08ed8e59 ("[ALSA] caiaq - add control API and more input features")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260417-caiaq-control-put-v1-1-c37826e92447@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
12 days ago Merge tag 'alpha-for-v7.1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/lindh...
Linus Torvalds [Fri, 17 Apr 2026 15:34:43 +0000 (08:34 -0700)] 
Merge tag 'alpha-for-v7.1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/lindholm/alpha

Pull alpha updates from Magnus Lindholm:
 "One fix to silence pgprot_modify() compiler warnings, and one patch
  adding SECCOMP/SECCOMP_FILTER support together with the syscall and
  ptrace fixes needed for it"

* tag 'alpha-for-v7.1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/lindholm/alpha:
  alpha: Define pgprot_modify to silence tautological comparison warnings
  alpha: add support for SECCOMP and SECCOMP_FILTER

12 days ago RDMA/core: Fix user CQ creation for drivers without create_cq
Michael Margolin [Thu, 16 Apr 2026 20:14:08 +0000 (20:14 +0000)] 
RDMA/core: Fix user CQ creation for drivers without create_cq

CQ creation is failing for drivers that only implement create_user_cq
(e.g. EFA), when buffer isn't provided by userspace. This is because of a
leftover check that requires create_cq existence in such case.

Remove the create_cq existence check from the no-buffer path. The
buffer is optional and drivers that handle their own memory should work
through create_user_cq regardless.

Fixes: 584ec74748e6 ("RDMA/core: Prepare create CQ path for API unification")
Link: https://patch.msgid.link/r/20260416201408.13980-1-mrgolin@amazon.com
Signed-off-by: Michael Margolin <mrgolin@amazon.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
12 days ago KVM: arm64: Re-allow hyp tracing HVCs for [nh]VHE
Vincent Donnefort [Tue, 14 Apr 2026 10:02:31 +0000 (11:02 +0100)] 
KVM: arm64: Re-allow hyp tracing HVCs for [nh]VHE

The introduction of __KVM_HOST_SMCCC_FUNC_MAX_NO_PKVM excluded hyp
tracing HVCs from the common [nh]VHE/pKVM list. Re-allow them.

Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
Link: https://patch.msgid.link/20260414100231.1859687-1-vdonnefort@google.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
12 days ago Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Linus Torvalds [Fri, 17 Apr 2026 14:18:03 +0000 (07:18 -0700)] 
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm updates from Paolo Bonzini:
 "Arm:

   - Add support for tracing in the standalone EL2 hypervisor code,
     which should help both debugging and performance analysis. This
     uses the new infrastructure for 'remote' trace buffers that can be
     exposed by non-kernel entities such as firmware, and which came
     through the tracing tree

   - Add support for GICv5 Per Processor Interrupts (PPIs), as the
     starting point for supporting the new GIC architecture in KVM

   - Finally add support for pKVM protected guests, where pages are
     unmapped from the host as they are faulted into the guest and can
     be shared back from the guest using pKVM hypercalls. Protected
     guests are created using a new machine type identifier. As the
     elusive guestmem has not yet delivered on its promises, anonymous
     memory is also supported

     This is only a first step towards full isolation from the host; for
     example, the CPU register state and DMA accesses are not yet
     isolated. Because this does not really yet bring fully what it
     promises, it is hidden behind CONFIG_ARM_PKVM_GUEST +
     'kvm-arm.mode=protected', and also triggers TAINT_USER when a VM is
     created. Caveat emptor

   - Rework the dreaded user_mem_abort() function to make it more
     maintainable, reducing the amount of state being exposed to the
     various helpers and rendering a substantial amount of state
     immutable

   - Expand the Stage-2 page table dumper to support NV shadow page
     tables on a per-VM basis

   - Tidy up the pKVM PSCI proxy code to be slightly less hard to
     follow

   - Fix both SPE and TRBE in non-VHE configurations so that they do not
     generate spurious, out of context table walks that ultimately lead
     to very bad HW lockups

   - A small set of patches fixing the Stage-2 MMU freeing in error
     cases

   - Tighten-up accepted SMC immediate value to be only #0 for host
     SMCCC calls

   - The usual cleanups and other selftest churn

  LoongArch:

   - Use CSR_CRMD_PLV for kvm_arch_vcpu_in_kernel()

   - Add DMSINTC irqchip in kernel support

  RISC-V:

   - Fix steal time shared memory alignment checks

   - Fix vector context allocation leak

   - Fix array out-of-bounds in pmu_ctr_read() and pmu_fw_ctr_read_hi()

   - Fix double-free of sdata in kvm_pmu_clear_snapshot_area()

   - Fix integer overflow in kvm_pmu_validate_counter_mask()

   - Fix shift-out-of-bounds in make_xfence_request()

   - Fix lost write protection on huge pages during dirty logging

   - Split huge pages during fault handling for dirty logging

   - Skip CSR restore if VCPU is reloaded on the same core

   - Implement kvm_arch_has_default_irqchip() for KVM selftests

   - Factored-out ISA checks into separate sources

   - Added hideleg to struct kvm_vcpu_config

   - Factored-out VCPU config into separate sources

   - Support configuration of per-VM HGATP mode from KVM user space

  s390:

   - Support for ESA (31-bit) guests inside nested hypervisors

   - Remove restriction on memslot alignment, which is not needed
     anymore with the new gmap code

   - Fix LPSW/E to update the bear (which of course is the breaking
     event address register)

  x86:

   - Shut up various UBSAN warnings on reading module parameters before
     they were initialized

   - Don't zero-allocate page tables that are used for splitting
     hugepages in the TDP MMU, as KVM is guaranteed to set all SPTEs in
     the page table and thus write all bytes

   - As an optimization, bail early when trying to unsync 4KiB mappings
     if the target gfn can just be mapped with a 2MiB hugepage

  x86 generic:

   - Copy single-chunk MMIO write values into struct kvm_vcpu (more
     precisely struct kvm_mmio_fragment) to fix use-after-free stack
     bugs where KVM would dereference stack pointer after an exit to
     userspace

   - Clean up and comment the emulated MMIO code to try to make it
     easier to maintain (not necessarily "easy", but "easier")

   - Move VMXON+VMXOFF and EFER.SVME toggling out of KVM (not *all* of
     VMX and SVM enabling) as it is needed for trusted I/O

   - Advertise support for AVX512 Bit Matrix Multiply (BMM) instructions

   - Immediately fail the build if a required #define is missing in one
     of KVM's headers that is included multiple times

   - Reject SET_GUEST_DEBUG with -EBUSY if there's an already injected
     exception, mostly to prevent syzkaller from abusing the uAPI to
     trigger WARNs, but also because it can help prevent userspace from
     unintentionally crashing the VM

   - Exempt SMM from CPUID faulting on Intel, as per the spec

   - Misc hardening and cleanup changes

  x86 (AMD):

   - Fix and optimize IRQ window inhibit handling for AVIC; make it
     per-vCPU so that KVM doesn't prematurely re-enable AVIC if multiple
     vCPUs have to-be-injected IRQs

   - Clean up and optimize the OSVW handling, avoiding a bug in which
     KVM would overwrite state when enabling virtualization on multiple
     CPUs in parallel. This should not be a problem because OSVW should
     usually be the same for all CPUs

   - Drop a WARN in KVM_MEMORY_ENCRYPT_REG_REGION where KVM complains
     about a "too large" size based purely on user input

   - Clean up and harden the pinning code for KVM_MEMORY_ENCRYPT_REG_REGION

   - Disallow synchronizing a VMSA of an already-launched/encrypted
     vCPU, as doing so for an SNP guest will crash the host due to an
     RMP violation page fault

   - Overhaul KVM's APIs for detecting SEV+ guests so that VM-scoped
     queries are required to hold kvm->lock, and enforce it by lockdep.
     Fix various bugs where sev_guest() was not ensured to be stable for
     the whole duration of a function or ioctl

   - Convert a pile of kvm->lock SEV code to guard()

   - Play nicer with userspace that does not enable
     KVM_CAP_EXCEPTION_PAYLOAD, for which KVM needs to set CR2 and DR6
     as a response to ioctls such as KVM_GET_VCPU_EVENTS (even if the
     payload would end up in EXITINFO2 rather than CR2, for example).
     Only set CR2 and DR6 when consumption of the payload is imminent,
     but on the other hand force delivery of the payload in all paths
     where userspace retrieves CR2 or DR6

   - Use vcpu->arch.cr2 when updating vmcb12's CR2 on nested #VMEXIT
     instead of vmcb02->save.cr2. The value is out of sync after a
     save/restore or after a #PF is injected into L2

   - Fix a class of nSVM bugs where some fields written by the CPU are
     not synchronized from vmcb02 to cached vmcb12 after VMRUN, and so
     are not up-to-date when saved by KVM_GET_NESTED_STATE

   - Fix a class of bugs where the ordering between KVM_SET_NESTED_STATE
     and KVM_SET_{S}REGS could cause vmcb02 to be incorrectly
     initialized after save+restore

   - Add a variety of missing nSVM consistency checks

   - Fix several bugs where KVM failed to correctly update VMCB fields
     on nested #VMEXIT

   - Fix several bugs where KVM failed to correctly synthesize #UD or
     #GP for SVM-related instructions

   - Add support for save+restore of virtualized LBRs (on SVM)

   - Refactor various helpers and macros to improve clarity and
     (hopefully) make the code easier to maintain

   - Aggressively sanitize fields when copying from vmcb12, to guard
     against unintentionally allowing L1 to utilize yet-to-be-defined
     features

   - Fix several bugs where KVM botched rAX legality checks when
     emulating SVM instructions. There are remaining issues in that KVM
     doesn't handle size prefix overrides for 64-bit guests

   - Fail emulation of VMRUN/VMLOAD/VMSAVE if mapping vmcb12 fails
     instead of somewhat arbitrarily synthesizing #GP (i.e. don't double
     down on AMD's architectural but sketchy behavior of generating #GP
     for "unsupported" addresses)

   - Cache all used vmcb12 fields to further harden against TOCTOU bugs

  x86 (Intel):

   - Drop obsolete branch hint prefixes from the VMX instruction macros

   - Use ASM_INPUT_RM() in __vmcs_writel() to coerce clang into using a
     register input when appropriate

   - Code cleanups

  guest_memfd:

   - Don't mark guest_memfd folios as accessed, as guest_memfd doesn't
     support reclaim, the memory is unevictable, and there is no storage
     to write back to

  LoongArch selftests:

   - Add KVM PMU test cases

  s390 selftests:

   - Enable more memory selftests

  x86 selftests:

   - Add support for Hygon CPUs in KVM selftests

   - Fix a bug in the MSR test where it would get false failures on
     AMD/Hygon CPUs with exactly one of RDPID or RDTSCP

   - Add an MADV_COLLAPSE testcase for guest_memfd as a regression test
     for a bug where the kernel would attempt to collapse guest_memfd
     folios against KVM's will"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (373 commits)
  KVM: x86: use inlines instead of macros for is_sev_*guest
  x86/virt: Treat SVM as unsupported when running as an SEV+ guest
  KVM: SEV: Goto an existing error label if charging misc_cg for an ASID fails
  KVM: SVM: Move lock-protected allocation of SEV ASID into a separate helper
  KVM: SEV: use mutex guard in snp_handle_guest_req()
  KVM: SEV: use mutex guard in sev_mem_enc_unregister_region()
  KVM: SEV: use mutex guard in sev_mem_enc_ioctl()
  KVM: SEV: use mutex guard in snp_launch_update()
  KVM: SEV: Assert that kvm->lock is held when querying SEV+ support
  KVM: SEV: Document that checking for SEV+ guests when reclaiming memory is "safe"
  KVM: SEV: Hide "struct kvm_sev_info" behind CONFIG_KVM_AMD_SEV=y
  KVM: SEV: WARN on unhandled VM type when initializing VM
  KVM: LoongArch: selftests: Add PMU overflow interrupt test
  KVM: LoongArch: selftests: Add basic PMU event counting test
  KVM: LoongArch: selftests: Add cpucfg read/write helpers
  LoongArch: KVM: Add DMSINTC inject msi to vCPU
  LoongArch: KVM: Add DMSINTC device support
  LoongArch: KVM: Make vcpu_is_preempted() as a macro rather than function
  LoongArch: KVM: Move host CSR_GSTAT save and restore in context switch
  LoongArch: KVM: Move host CSR_EENTRY save and restore in context switch
  ...

12 days ago drm/panel: visionox-rm69299: Make use of prepare_prev_first
Guido Günther [Fri, 17 Apr 2026 06:55:42 +0000 (08:55 +0200)] 
drm/panel: visionox-rm69299: Make use of prepare_prev_first

The DSI link must be powered up to let the panel driver talk to the panel
during prepare() callback execution. Set the prepare_prev_first flag to
guarantee this.

Fixes: 9e15123eca79 ("drm/msm/dsi: Stop unconditionally powering up DSI hosts at modeset")
Signed-off-by: Guido Günther <agx@sigxcpu.org>
Signed-off-by: David Heidelberg <david@ixit.cz>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patch.msgid.link/20260417-axolotl-display-v2-1-8ce5341e46c2@ixit.cz
12 days ago parisc: led: fix reference leak on failed device registration
Guangshuo Li [Wed, 15 Apr 2026 17:05:15 +0000 (01:05 +0800)] 
parisc: led: fix reference leak on failed device registration

When platform_device_register() fails in startup_leds(), the embedded
struct device in platform_leds has already been initialized by
device_initialize(), but the failure path only reports the error and
does not drop the device reference for the current platform device:

  startup_leds()
    -> platform_device_register(&platform_leds)
       -> device_initialize(&platform_leds.dev)
       -> setup_pdev_dma_masks(&platform_leds)
       -> platform_device_add(&platform_leds)

This leads to a reference leak when platform_device_register() fails.
Fix this by calling platform_device_put() after reporting the error.

The issue was identified by a static analysis tool I developed and
confirmed by manual review.

Fixes: 789e527adfc33 ("parisc: led: Rewrite LED/LCD driver to utilizize Linux LED subsystem")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>