summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
3 daysfutex/requeue: Revert "Prevent NULL pointer dereference in remove_waiter() ↵Sebastian Andrzej Siewior
on self-deadlock"" The commit cited below should not have been merged. It attemted to fix an existing problem ansd thereby introduced new problems by keeping the pi_state in state Q_REQUEUE_PI_IN_PROGRESS and leaking it. Based on the commit description the intention was to handle the case when task_blocks_on_rt_mutex() returns -EDEADLK and the following remove_waiter() dereferences the NULL pointer in waiter->task. That is already handled by Davidlohr in commit 40a25d59e85b3 ("locking/rtmutex: Skip remove_waiter() when waiter is not enqueued") and requires no further acting. Revert the commit breaking the "waiter == owner" case again. Fixes: 74e144274af39 ("futex/requeue: Prevent NULL pointer dereference in remove_waiter() on self-deadlock") Reported-by: Michael Bommarito <michael.bommarito@gmail.com> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Thomas Gleixner <tglx@kernel.org> Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20260701131150.0Ijhq4Dw@linutronix.de Closes: https://lore.kernel.org/all/20260629020049.2082397-1-michael.bommarito@gmail.com
3 daysASoC: rsnd: src: Add missing scu_supply clock to suspend/resumeJohn Madieu
scu_supply is enabled alongside scu and scu_x2 during normal SRC operation, but rsnd_src_suspend() and rsnd_src_resume() only disable and re-enable scu and scu_x2. The supply clock is left enabled across a system suspend and its prepare/enable refcount becomes unbalanced after a suspend/resume cycle. Disable scu_supply in rsnd_src_suspend() and re-enable it in rsnd_src_resume() so the SRC clocks are managed consistently across system PM transitions. Fixes: ef19ecf042b4 ("ASoC: rsnd: Add system suspend/resume support") Signed-off-by: John Madieu <john.madieu.xa@bp.renesas.com> Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> Link: https://patch.msgid.link/20260630175329.4145703-1-john.madieu.xa@bp.renesas.com Signed-off-by: Mark Brown <broonie@kernel.org>
3 daysMerge tag 'net-7.2-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from netfilter and batman-adv. Current release - new code bugs: - netfilter: cthelper: cap to maximum number of expectation per master Previous releases - regressions: - netpoll: fix a use-after-free on shutdown path - tcp: restore RCU grace period in tcp_ao_destroy_sock - ipv6: fix NULL deref in fib6_walk_continiue() on multi-batch dump - batman-adv: dat: ensure accessible eth_hdr proto field - eth: - virtio_net: disable cb when NAPI is busy-polled - lan743x: Initialize eth_syslock spinlock before use Previous releases - always broken: - netfilter: - nft_set_pipapo: don't leak bad clone into future transaction - sched: - sch_teql: Introduce slaves_lock to avoid race condition and UAF - replace direct dequeue call with peek and qdisc_dequeue_peeked - sctp: add INIT verification after cookie unpacking - tipc: fix out-of-bounds read in broadcast Gap ACK blocks - seg6: validate SRH length before reading fixed fields - eth: - mlx5e: fix use-after-free of metadata_dst on RX SC delete - enetc: check the number of BDs needed for xdp_frame - fbnic: don't cache shinfo across skb realloc" * tag 'net-7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (58 commits) net/mlx5: HWS, fix matcher leak on resize target setup failure net/sched: hhf: clear heavy-hitter state on reset net/sched: dualpi2: clear stale classification on filter miss net/sched: act_bpf: use rcu_dereference_bh() to read the filter selftests: drv-net: tso: don't touch dangerous feature bits cxgb4: Fix decode strings dump for T6 adapters virtio_net: disable cb when NAPI is busy-polled sctp: fix addr_wq_timer race in sctp_free_addr_wq() selftests: net: bump default cmd() timeout to 20 seconds bridge: stp: Fix a potential use-after-free when deleting a bridge net/sched: sch_teql: Introduce slaves_lock to avoid race condition and UAF net: gianfar: dispose irq mappings on probe failure and device removal net: lan743x: Initialize eth_syslock spinlock before use net: libwx: fix VMDQ mask for 1-queue mode net: airoha: fix max receive size configuration fsl/fman: Free init resources on KeyGen failure in fman_init() netfilter: nftables: restrict checkum update offset netfilter: nftables: restrict linklayer and network header writes netfilter: nfnetlink_queue: restrict writes to network header netfilter: nft_fib: reject fib expression on the netdev egress hook ...
3 daysMerge tag 'hwmon-for-v7.2-rc2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: - adm1275: Detect coefficient overflow, and prevent reading uninitialized stack - aspeed-g6-pwm-tach: Guard fan RPM calculation against divide-by-zero - asus_atk0110: Check package count before accessing element - ltc4283: fix malformed table docs build error - occ: Unregister sysfs devices outside occ lock to avoid lockdep warning - pmbus core: Fix passing events to regulator core, and honor vrm_version in pmbus_data2reg_vid() - w83627hf: Remove VID sysfs files on error and remove - w83793: remove vrm sysfs file on probe failure - Various: Add missing 'select REGMAP_I2C' to Kconfig * tag 'hwmon-for-v7.2-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (aspeed-g6-pwm-tach) Guard fan RPM calculation against divide-by-zero hwmon: (pmbus) Fix passing events to regulator core hwmon: adm1275: Detect coefficient overflow hwmon: adm1275: Prevent reading uninitialized stack hwmon: (max6697) add missing 'select REGMAP_I2C' to Kconfig hwmon: (ltc2992) add missing 'select REGMAP_I2C' to Kconfig hwmon: (max1619) add missing 'select REGMAP' to Kconfig hwmon: (w83627hf) remove VID sysfs files on error and remove hwmon: (w83793) remove vrm sysfs file on probe failure hwmon: (asus_atk0110) Check package count before accessing element docs: hwmon: ltc4283: fix malformed table docs build error hwmon: (pmbus/core) honor vrm_version in pmbus_data2reg_vid() hwmon: (occ) unregister sysfs devices outside occ lock
3 daysMerge tag 'mfd-fixes-7.2' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd Pull MFD fix from Lee Jones: - Add MFD mailing list to MAINTAINERS * tag 'mfd-fixes-7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: MAINTAINERS: Add a mailing list entry to MFD
3 dayss390/monwriter: Reject buffer reuse with different data lengthGerald Schaefer
When data buffers are reused, e.g. for interval sample records, the first record determines the data length, and the size of the buffer for user copy. Current monwriter code does not check if the data length was changed for subsequent records, which also would never happen for valid user programs. However, a malicious user could change the data length, resulting in out of bounds user copy to the kernel buffer, and memory corruption. By default, the monwriter misc device is created with root-only permissions, so practical impact is typically low. Fix this by checking for changed data length and rejecting such records. Cc: stable@vger.kernel.org Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com> Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com> Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
3 dayscifs: Fix missing credit release on failure in cifs_issue_read()David Howells
Fix missing release of credits in the failure path in cifs_issue_read() lest retrying the subreq just overwrites the credits value. Fixes: 69c3c023af25 ("cifs: Implement netfslib hooks") Link: https://sashiko.dev/#/patchset/20260608145432.681865-1-dhowells%40redhat.com Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org> cc: linux-cifs@vger.kernel.org cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysuprobes/x86: Use proper mm_struct in __in_uprobe_trampolineJiri Olsa
In the unregister path we use __in_uprobe_trampoline check with current->mm for the VMA lookup, which is wrong, because we are in the tracer context, not the traced process. Add mm_struct pointer argument to __in_uprobe_trampoline and changing related callers to pass proper mm_struct pointer. Fixes: ba2bfc97b462 ("uprobes/x86: Add support to optimize uprobes") Reported-by: syzbot+61ce80689253f42e6d80@syzkaller.appspotmail.com Signed-off-by: Jiri Olsa <jolsa@kernel.org> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Reviewed-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Andrii Nakryiko <andrii@kernel.org> Tested-by: syzbot+61ce80689253f42e6d80@syzkaller.appspotmail.com Link: https://patch.msgid.link/20260701111337.53943-2-jolsa@kernel.org
4 daysselftests/x86: Add shadow stack uprobe CALL testDavid Windsor
Add coverage for entry uprobes installed on CALL instructions while user shadow stack is enabled. The test puts an entry uprobe on a helper whose first instruction is a relative CALL, then verifies that the call/return sequence completes without SIGSEGV. This catches regressions where x86 uprobe CALL emulation updates the regular user stack but leaves the CET shadow stack stale. Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://patch.msgid.link/b957039191118c5eba97d01d80c494b859f115a6.1782777969.git.dwindsor@gmail.com
4 daysx86/uprobes: Keep shadow stack in sync for emulated CALLsDavid Windsor
Uprobe CALL emulation updates the normal user stack, but not the CET user shadow stack. The subsequent RET then sees a stale shadow stack entry and raises #CP. Update the relative CALL emulation and XOL CALL fixup paths to keep the shadow stack in sync. Fixes: 488af8ea7131 ("x86/shstk: Wire in shadow stack interface") Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Acked-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Jiri Olsa <jolsa@kernel.org> Tested-by: Jiri Olsa <jolsa@kernel.org> Link: https://patch.msgid.link/8b5b1c7407b98f31664ad7b6a6faf20d2d4a6cad.1782777969.git.dwindsor@gmail.com
4 daysperf/core: Detach event groups during remove_on_execTaeyang Lee
perf_event_remove_on_exec() removes events by calling perf_event_exit_event(). For top-level events, this removes the event from the context with DETACH_EXIT only. This can leave inconsistent group state when a removed event is a group leader and the group contains siblings without remove_on_exec. If the group was active, the surviving siblings can remain active and attached to the removed leader's sibling list, but are no longer represented by a valid group leader on the PMU context active lists. A later close of the removed leader uses DETACH_GROUP and can promote the still-active siblings from this stale group state. The next schedule-in can then add an already-linked active_list entry again, corrupting the PMU context active list. With DEBUG_LIST enabled, this is caught as a list_add double-add in merge_sched_in(). Fix this by detaching group relationships when remove_on_exec removes an event. This preserves the existing task-exit and revoke behavior, while ensuring surviving siblings are ungrouped before the removed event leaves the context. Fixes: 2e498d0a74e5 ("perf: Add support for event removal on exec") Signed-off-by: Taeyang Lee <0wn@theori.io> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Link: https://patch.msgid.link/ai65GgZcC0LAlWLG@Taeyangs-MacBook-Pro.local
4 daysdrm/xe/oa: Fix offset alignment for MERT WHITELIST_OA_MERT_MMIO_TRGAshutosh Dixit
'head' argument for WHITELIST_OA_MERT_MMIO_TRG was previously wrong (not multiple of 16). Fix this. Fixes: ec02e49f21bc ("drm/xe/rtp: Whitelist OAMERT MMIO trigger registers") Cc: stable@vger.kernel.org Reviewed-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com> Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Link: https://patch.msgid.link/20260629172634.1100983-1-ashutosh.dixit@intel.com (cherry picked from commit f6c23e4589bdc69a5d2f79aed5c5bddd5d406cbe) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/pt: prevent invalid cursor access for purged BOsMatthew Auld
During a page table walk for binding, xe_pt_stage_bind() explicitly skips initializing the xe_res_cursor for purged BOs, treating them similarly to NULL VMAs by only setting the cursor size. However, xe_pt_hugepte_possible() and xe_pt_scan_64K() did not check if the BO was purged before attempting to walk the cursor using xe_res_dma() and xe_res_next(). Because the cursor was left uninitialized for purged BOs, this falls through and triggers warnings like: WARNING: drivers/gpu/drm/xe/xe_res_cursor.h:274 at xe_res_next Fix this by explicitly checking if the BO is purged in both xe_pt_hugepte_possible() and xe_pt_scan_64K(), returning early just as we do for NULL VMAs, avoiding the invalid cursor accesses entirely. As a precaution, also zero-initialize the cursor in xe_pt_stage_bind() to ensure we don't pass garbage data into the page table walkers if we ever hit a similar edge case in the future. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/8418 Fixes: ad9843aac91a ("drm/xe/madvise: Implement purgeable buffer object support") Assisted-by: Copilot:gemini-3.1-pro-preview Reported-by: Matthew Schwartz <matthew.schwartz@linux.dev> Signed-off-by: Matthew Auld <matthew.auld@intel.com> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Cc: Arvind Yadav <arvind.yadav@intel.com> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Tested-by: Matthew Schwartz <matthew.schwartz@linux.dev> Link: https://patch.msgid.link/20260625152054.450125-8-matthew.auld@intel.com (cherry picked from commit 4c7b9c6ece32440e5a435a92076d049450cd2d2e) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe: fix NPD in bo_meminfo()Matthew Auld
When a buffer object is purged, its ttm.resource is set to NULL via the TTM pipeline gutting flow. However, the BO remains in the client's object list until userspace explicitly closes the GEM handle. If memory stats are queried during this time, accessing bo->ttm.resource->mem_type will result in a NULL pointer dereference. Fix this by safely skipping purged BOs in bo_meminfo, as they no longer consume any memory. User is getting NPD on device resume, and possible theory is that in bo_move(), if we need to evict something to SYSTEM to save the CCS state, but the BO is marked as dontneed, this won't trigger a move but will nuke the pages, leaving us with a NULL bo resource. And the meminfo() doesn't look ready to handle a NULL resource. v2 (Sashiko): - There could potentially be other cases where we might end up with a NULL resource, so make this a general NULL check for now. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/8419 Fixes: ad9843aac91a ("drm/xe/madvise: Implement purgeable buffer object support") Assisted-by: Copilot:gemini-3.1-pro-preview Reported-by: Matthew Schwartz <matthew.schwartz@linux.dev> Signed-off-by: Matthew Auld <matthew.auld@intel.com> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Cc: Arvind Yadav <arvind.yadav@intel.com> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Tested-by: Matthew Schwartz <matthew.schwartz@linux.dev> Link: https://patch.msgid.link/20260625152054.450125-6-matthew.auld@intel.com (cherry picked from commit c9a8e7daa0afe3161111e27fd92176e608c7f186) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/pf: Don't attempt to process FAST_REQ or EVENT relaysMichal Wajdeczko
Currently defined VF/PF relay actions use regular REQUEST messages only and the PF shouldn't attempt to handle FAST_REQUEST nor EVENT messages as this would result in breaking the VFPF ABI protocol and also might trigger an assert on the PF side. Fixes: 98e62805921c ("drm/xe/pf: Add SR-IOV GuC Relay PF services") Signed-off-by: Michal Wajdeczko <michal.wajdeczko@intel.com> Reviewed-by: Michał Winiarski <michal.winiarski@intel.com> Link: https://patch.msgid.link/20260527183735.22616-1-michal.wajdeczko@intel.com (cherry picked from commit 1714d360fc5ae2e0886a69e979095d9c7ff3568a) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/hw_engine: Fix double-free of managed BO in error pathShuicheng Lin
The error path in hw_engine_init() explicitly frees a BO allocated with xe_managed_bo_create_pin_map() via xe_bo_unpin_map_no_vm(). Since the managed BO already has a devm cleanup action registered, this causes a double-free when devm unwinds during probe failure. Remove the explicit free and let devm handle it, consistent with all other xe_managed_bo_create_pin_map() callers. Fixes: 0e1a47fcabc8 ("drm/xe: Add a helper for DRM device-lifetime BO create") Assisted-by: Claude:claude-opus-4.6 Reviewed-by: Zongyao Bai <zongyao.bai@intel.com> Link: https://patch.msgid.link/20260626210631.3887291-1-shuicheng.lin@intel.com Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com> (cherry picked from commit e459a3bdeb117be496d7f229e2ea1f6c9fe4080b) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/userptr: Drop bogus static from finish in force_invalidateShuicheng Lin
The local "finish" pointer in xe_vma_userptr_force_invalidate() is unconditionally written before each read, so the static storage class serves no purpose. Worse, it makes the variable a process-wide shared slot: the function's per-VM asserts do not exclude concurrent callers on different VMs, so two such callers can race on the slot and take the wrong if (finish) branch. The function is gated by CONFIG_DRM_XE_USERPTR_INVAL_INJECT (developer/test option, default n), so production builds are unaffected. Drop the static. Fixes: 18c4e536959e ("drm/xe/userptr: Convert invalidation to two-pass MMU notifier") Assisted-by: Claude:claude-opus-4.7 Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Reviewed-by: Zongyao Bai <zongyao.bai@intel.com> Link: https://patch.msgid.link/20260625224452.3243231-1-shuicheng.lin@intel.com Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com> (cherry picked from commit ed382e3b07fae51a09d7290485bff0592f6b168b) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/userptr: Hold notifier_lock for write on inject test pathShuicheng Lin
When CONFIG_DRM_XE_USERPTR_INVAL_INJECT=y, xe_pt_svm_userptr_pre_commit() runs vma_check_userptr() with the svm notifier_lock taken for read. The test injection causes vma_check_userptr() to call xe_vma_userptr_force_invalidate(), which feeds into xe_vma_userptr_do_inval() with drm_gpusvm_ctx.in_notifier=true. That flag tells drm_gpusvm_unmap_pages() the caller already holds notifier_lock for write and only asserts the mode. Because the caller actually holds it for read, the assertion fires: WARNING: drivers/gpu/drm/drm_gpusvm.c:1669 at \ drm_gpusvm_unmap_pages+0xd4/0x130 [drm_gpusvm_helper] Call Trace: xe_vma_userptr_do_inval+0x40d/0xfd0 [xe] xe_vma_userptr_invalidate_pass1+0x3e6/0x8d0 [xe] xe_vma_userptr_force_invalidate+0xde/0x290 [xe] vma_check_userptr.constprop.0+0x1c6/0x220 [xe] xe_pt_svm_userptr_pre_commit+0x6a3/0xc60 [xe] ... xe_vm_bind_ioctl+0x3a0a/0x4480 [xe] Acquire notifier_lock for write in pre-commit when the inject Kconfig is enabled, via new helpers xe_pt_svm_userptr_notifier_lock()/_unlock(). Rename xe_svm_assert_held_read() to xe_svm_assert_held_read_or_inject_write() so it asserts the correct mode under each build configuration. Production builds (CONFIG_DRM_XE_USERPTR_INVAL_INJECT=n) keep the existing read-mode behavior bit-for-bit. Fixes: 9e9787414882 ("drm/xe/userptr: replace xe_hmm with gpusvm") Assisted-by: Claude:claude-opus-4.7 Cc: Matthew Auld <matthew.auld@intel.com> Cc: Zongyao Bai <zongyao.bai@intel.com> Reviewed-by: Matthew Brost <matthew.brost@intel.com> Link: https://patch.msgid.link/20260625215615.3016892-1-shuicheng.lin@intel.com Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com> (cherry picked from commit 80ccbd97ffee8ad2e73167d826fe7be548364365) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/display: skip FORCE_WC and vm_bound check for external dma-bufsMatthew Auld
Currently, xe_display_bo_framebuffer_init() unconditionally attempts to apply XE_BO_FLAG_FORCE_WC to the buffer and rejects the FB creation with -EINVAL if the BO is already VM_BINDed. However, for imported dma-bufs (ttm_bo_type_sg), this check doesn't seem to make much sense since CPU caching policy is entirely controlled by the exporter. Plus there is no place to set this flag, in the first place. Also this is not rejected if not yet vm_binded, but that seems arbitrary since setting or not setting FORCE_WC should a noop either way, at this stage, and whether it is currently VM_BINDed makes no difference. Currently if we run an app and offload rendering to an external dGPU, like NV or another xe device, the dma-buf passed back to the compositor (igpu) will be an actual external import from xe pov, and it will be missing FORCE_WC, and if the compositor side did a VM_BIND before turning into it into an fb the whole thing gets rejected. So it looks like we either need to reject outright, no matter what, or this usecase is valid and we need to loosen the restriction for sg buffers. Proposing here to loosen the restriction. Assisted-by: Gemini:gemini-3.1-pro-preview Link: https://gitlab.freedesktop.org/drm/xe/kernel/-/work_items/7919 Fixes: 44e694958b95 ("drm/xe/display: Implement display support") Signed-off-by: Matthew Auld <matthew.auld@intel.com> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Cc: Maarten Lankhorst <dev@lankhorst.se> Cc: <stable@vger.kernel.org> # v6.12+ Reviewed-by: Maarten Lankhorst <dev@lankhorst.se> Link: https://patch.msgid.link/20260612170501.550816-2-matthew.auld@intel.com (cherry picked from commit 3e493f88c84088ccd7b53cdd23ac5c875c9a60dd) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe: Return error on non-migratable faults requiring devmemMatthew Brost
Non-migratable faults that require devmem incorrectly jump to the 'out' label, which squashes the error code intended to be returned to the upper layers. Fix this by returning -EACCES instead. Reported-by: Sashiko <sashiko-bot@kernel.org> Fixes: 4208fac3dce5 ("drm/xe: Add more SVM GT stats") Cc: stable@vger.kernel.org Signed-off-by: Matthew Brost <matthew.brost@intel.com> Reviewed-by: Francois Dugast <francois.dugast@intel.com> Link: https://patch.msgid.link/20260617135101.1245574-1-matthew.brost@intel.com (cherry picked from commit c4508edb2c723de93717272488ea65b165637eac) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/rtp: Ensure locking/ref counting for OA whitelistsAshutosh Dixit
Since multiple OA streams might be open in parallel on a gt, ensure that proper locking is in place. Also ensure that OA registers are whitelisted when the first OA stream is open and de-whitelisted after the last OA stream is closed. Fixes: 828a8eaf37c3 ("drm/xe/oa: Add MMIO trigger support") Cc: stable@vger.kernel.org # v6.12+ Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Reviewed-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com> Link: https://patch.msgid.link/20260615224227.34880-10-ashutosh.dixit@intel.com (cherry picked from commit 645f1a2589bd4782e25490e5ecc05b7043c36cbf) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/oa: (De-)whitelist OA registers on OA stream open/releaseAshutosh Dixit
Whitelist OA registers on stream open and de-whitelist on stream close/release. Whitelisting is only done when 'stream->sample' is true. 'stream->sample' is only true when (a) xe_observation_paranoid is set to false by system admin, or (b) the process is perfmon_capable(). This therefore enforces the OA register whitelisting security requirements. Fixes: 828a8eaf37c3 ("drm/xe/oa: Add MMIO trigger support") Cc: stable@vger.kernel.org # v6.12+ Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Reviewed-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com> Link: https://patch.msgid.link/20260615224227.34880-9-ashutosh.dixit@intel.com (cherry picked from commit f8e6874f46f19a6a2a0f24a81689f90641bb402a) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/rtp: (De-)whitelist OA registers for all hwe's for a gtAshutosh Dixit
Whitelist or de-whitelist OA registers for all hwe's on the gt on which the OA stream is opened. This simplifies the case where an oa unit has 0 attached hwe's (but which monitors OA events on the associated GT). Fixes: 828a8eaf37c3 ("drm/xe/oa: Add MMIO trigger support") Cc: stable@vger.kernel.org # v6.12+ Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Reviewed-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com> Link: https://patch.msgid.link/20260615224227.34880-8-ashutosh.dixit@intel.com (cherry picked from commit 6f73bf8fffa728aa5d5ee143ba318fa0744113a2) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/rtp: Toggle 'deny' bit to (de-)whitelist OA regsAshutosh Dixit
Whitelist or de-whitelist OA registers by setting or resetting the 'deny' bit in OA nonpriv registers and writing new register values to HW. Fixes: 828a8eaf37c3 ("drm/xe/oa: Add MMIO trigger support") Cc: stable@vger.kernel.org # v6.12+ Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Reviewed-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com> Link: https://patch.msgid.link/20260615224227.34880-7-ashutosh.dixit@intel.com (cherry picked from commit aeaa7d2bb017272ab9e18759fe00bf758cd3299f) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/rtp: Save OA nonpriv registers to register save/restore listsAshutosh Dixit
Now we can save OA whitelisting nonpriv registers to register save/restore lists. OA nonpriv registers are saved to both hwe->oa_sr as well as hwe->reg_sr. During probe, resume and gt-reset flows KMD will apply hwe->reg_sr, ensuring OA registers are de-whitelisted after these events. For engine-reset, hwe->reg_sr is registered with GuC and GuC will apply these registers, ensuring OA registers are de-whitelisted after engine resets. hwe->oa_sr is used for whitelisting or de-whitelisting OA registers during OA operation, by toggling the 'deny' bit on oa stream open/close. Fixes: 828a8eaf37c3 ("drm/xe/oa: Add MMIO trigger support") Cc: stable@vger.kernel.org # v6.12+ Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Reviewed-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com> Link: https://patch.msgid.link/20260615224227.34880-6-ashutosh.dixit@intel.com (cherry picked from commit 3a3c3e56db2923daaf1a5353cd6463a4cdaf4ffa) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/rtp: Generalize whitelist_apply_to_hweAshutosh Dixit
Generalize whitelist_apply_to_hwe to construct both non-OA and OA whitelist nonpriv registers. Fixes: 828a8eaf37c3 ("drm/xe/oa: Add MMIO trigger support") Cc: stable@vger.kernel.org # v6.12+ Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Reviewed-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com> Link: https://patch.msgid.link/20260615224227.34880-5-ashutosh.dixit@intel.com (cherry picked from commit c3ff77d7235ccef7a0883c2fd981f70ef3aafd21) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/rtp: Keep track of non-OA nonpriv slotsAshutosh Dixit
In order to dynamically whitelist/dewhitelist OA registers on OA stream open/close, we need to keep track of nonpriv slots occupied by non-OA register whitelists. Fixes: 828a8eaf37c3 ("drm/xe/oa: Add MMIO trigger support") Cc: stable@vger.kernel.org # v6.12+ Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Reviewed-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com> Link: https://patch.msgid.link/20260615224227.34880-4-ashutosh.dixit@intel.com (cherry picked from commit 15739920b71ef3c56868973b4e7e3164a793d09d) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/rtp: Maintain OA whitelists separatelyAshutosh Dixit
OA registers are dynamically whitelisted (and again dewhitelisted) on OA stream open/close. Maintaining OA whitelists separately from non-OA register whitlists simplifies this management of OA register whitelisting/dewhitelisting. Fixes: 828a8eaf37c3 ("drm/xe/oa: Add MMIO trigger support") Cc: stable@vger.kernel.org # v6.12+ Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com> Reviewed-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com> Link: https://patch.msgid.link/20260615224227.34880-3-ashutosh.dixit@intel.com (cherry picked from commit c478244a9e2d14b3f1f92e8bd293919e554622a5) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/xe/rtp: Fix build error with clang < 21 and non-const initializersThomas Hellström
Clang < 21 treats const-qualified compound literals at function scope as having static storage duration, which requires all initializer elements to be compile-time constants. When xe_hw_engine.c initializes a local struct xe_rtp_table_sr using XE_RTP_TABLE_SR(), the compound literals in XE_RTP_TABLE_SR end up containing runtime values (e.g. blit_cctl_val derived from gt->mocs.uc_index), triggering: xe_hw_engine.c:361: error: initializer element is not a compile-time constant xe_hw_engine.c:416: error: initializer element is not a compile-time constant ARRAY_SIZE() cannot be used as a replacement because it expands through __must_be_array() -> __BUILD_BUG_ON_ZERO_MSG() -> _Static_assert inside sizeof(struct{}), which clang < 21 also rejects in the same context. Replace ARRAY_SIZE() with an open-coded sizeof(arr)/sizeof(elem) in XE_RTP_TABLE_SR and XE_RTP_TABLE to avoid both issues. Fixes: e23fafb8594e ("drm/xe/rtp: Add struct types for RTP tables") Cc: Matt Roper <matthew.d.roper@intel.com> Cc: Gustavo Sousa <gustavo.sousa@intel.com> Cc: Violet Monti <violet.monti@intel.com> Cc: Matthew Brost <matthew.brost@intel.com> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com> Cc: Rodrigo Vivi <rodrigo.vivi@intel.com> Cc: Ashutosh Dixit <ashutosh.dixit@intel.com> Cc: intel-xe@lists.freedesktop.org Reported-by: Mark Brown <broonie@kernel.org> Closes: https://lore.kernel.org/intel-xe/bfb0dee8-b243-47ba-a89d-71472b0d51c5@sirena.org.uk/ Assisted-by: GitHub_Copilot:claude-sonnet-4.6 Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com> Reviewed-by: Gustavo Sousa <gustavo.sousa@intel.com> Link: https://patch.msgid.link/20260605093305.110598-1-thomas.hellstrom@linux.intel.com (cherry picked from commit a57011eff45e7265dc42a7adad68b84605d8f828) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysdrm/imagination: Fix user array stride in pvr_set_uobj_array()Shuvam Pandey
pvr_set_uobj_array() copies an array of kernel objects to a userspace array whose element size is described by out->stride. When out->stride is different from the kernel object size, the slow path advances the userspace pointer by the kernel object size and the kernel pointer by the userspace stride. This reverses the intended layout. For larger userspace strides, later copies read from the wrong kernel addresses. For smaller userspace strides, later copies are written at the wrong userspace offsets. The padding clear is also done only for the first element instead of the padding area for each element. Advance the userspace pointer by out->stride and the kernel pointer by obj_size, and clear per-element padding while the current userspace pointer is still available. Fixes: f99f5f3ea7ef ("drm/imagination: Add GPU ID parsing and firmware loading") Cc: stable@vger.kernel.org # v6.8+ Reviewed-by: Alessio Belle <alessio.belle@imgtec.com> Signed-off-by: Shuvam Pandey <shuvampandey1@gmail.com> Link: https://patch.msgid.link/6a456012.eb165e5c.113c2a.b71d@mx.google.com Signed-off-by: Alessio Belle <alessio.belle@imgtec.com>
4 daysdrm/imagination: Fix returned size for DRM_IOCTL_PVR_DEV_QUERYBrajesh Gupta
For a few subtypes of DRM_IOCTL_PVR_DEV_QUERY, driver was overriding the returned size unconditionally. This would have resulted in increase of reported size beyond the amount of data returned to userspace when args->size < size of query structure. Updated behaviour matches with the description of drm_pvr_ioctl_dev_query_args.size and written byte length. None of the structures of DRM_IOCTL_PVR_DEV_QUERY changed after addition, so change will not break any compatibility with earlier version. Fixes: f99f5f3ea7ef ("drm/imagination: Add GPU ID parsing and firmware loading") Fixes: ff5f643de0bf ("drm/imagination: Add GEM and VM related code") Signed-off-by: Brajesh Gupta <brajesh.gupta@imgtec.com> Reviewed-by: Alessio Belle <alessio.belle@imgtec.com> Link: https://patch.msgid.link/20260701-b4-b4-query-v2-1-a1b491387875@imgtec.com Signed-off-by: Alessio Belle <alessio.belle@imgtec.com>
4 daysdrm/imagination: Fix double call to drm_sched_entity_fini()Brajesh Gupta
Call sequence of double call: pvr_context_destroy   pvr_context_kill_queues     pvr_queue_kill       drm_sched_entity_destroy         drm_sched_entity_fini // here   pvr_context_put     kref_put(..., pvr_context_release)       pvr_context_destroy_queues         pvr_queue_destroy           drm_sched_entity_fini // here Call to drm_sched_entity_destroy() from pvr_context_kill_queues() calls drm_sched_entity_flush() + drm_sched_entity_fini(). drm_sched_entity_flush() ensures all pending jobs are completed and drm_sched_entity_fini() ensures no further submission is allowed as per expectation from pvr_context_kill_queues(). Double call to drm_sched_entity_fini() is misuse of the API so keep call only in pvr_context_create() failure path. Stack trace for issue with addition of refcounting for DRM entity stats in commit fd177135f0e6 ("drm/sched: Account entity GPU time"): [ 789.490527] ------------[ cut here ]------------ [ 789.490559] refcount_t: underflow; use-after-free. [ 789.490657] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xf4/0x144, CPU#0: kworker/u16:1/440 [ 789.490695] Modules linked in: powervr drm_gpuvm drm_exec gpu_sched drm_shmem_helper xhci_plat_hcd xhci_hcd dwc3 usbcore usb_common snd_soc_simple_card snd_soc_simple_card_utils sa2ul sha512 sha256 dwc3_am62 sha1 authenc rti_wdt libsha512 at24 sch_fq_codel fuse dm_mod ipv6 [ 789.490798] CPU: 0 UID: 0 PID: 440 Comm: kworker/u16:1 Not tainted 7.0.0-rc7-02049-g5e2c0700091b #22 PREEMPT [ 789.490809] Hardware name: Texas Instruments AM625 SK (DT) [ 789.490815] Workqueue: powervr-sched pvr_queue_fence_release_work [powervr] [ 789.490868] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 789.490876] pc : refcount_warn_saturate+0xf4/0x144 [ 789.490884] lr : refcount_warn_saturate+0xf4/0x144 [ 789.490892] sp : ffff8000822cbcc0 [ 789.490895] x29: ffff8000822cbcc0 x28: 0000000000000000 x27: 0000000000000000 [ 789.490909] x26: 0000000000000000 x25: ffff800081b1e338 x24: ffff000004541405 [ 789.490922] x23: ffff000004bea950 x22: ffff00000042e400 x21: ffff000007123e30 [ 789.490935] x20: ffff000007123000 x19: ffff000007a80d50 x18: fffffffffffe7768 [ 789.490948] x17: 74736574202c6e6f x16: 697461746e656d65 x15: ffff800081b269f0 [ 789.490962] x14: 0000000000000030 x13: ffff800081b26a70 x12: 0000000000000211 [ 789.490975] x11: 00000000000000c0 x10: 0000000000000b50 x9 : ffff8000822cbb30 [ 789.490988] x8 : ffff0000014e7bb0 x7 : ffff00007725e780 x6 : 0000000372a05f49 [ 789.491001] x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000010 [ 789.491013] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000014e7000 [ 789.491027] Call trace: [ 789.491032] refcount_warn_saturate+0xf4/0x144 (P) [ 789.491043] drm_sched_entity_fini+0x164/0x18c [gpu_sched] [ 789.491081] pvr_queue_destroy+0x64/0x134 [powervr] [ 789.491110] pvr_context_destroy_queues+0x34/0x64 [powervr] [ 789.491138] pvr_context_release+0x70/0xac [powervr] [ 789.491166] pvr_context_put.part.0+0x5c/0x7c [powervr] [ 789.491193] pvr_context_put+0x14/0x24 [powervr] [ 789.491221] pvr_queue_fence_release_work+0x20/0x38 [powervr] [ 789.491249] process_one_work+0x160/0x4c4 [ 789.491264] worker_thread+0x188/0x310 [ 789.491276] kthread+0x130/0x13c [ 789.491287] ret_from_fork+0x10/0x20 [ 789.491300] ---[ end trace 0000000000000000 ]--- Fixes: eaf01ee5ba28 ("drm/imagination: Implement job submission and scheduling") Cc: stable@vger.kernel.org Signed-off-by: Brajesh Gupta <brajesh.gupta@imgtec.com> Reviewed-by: Alessio Belle <alessio.belle@imgtec.com> Link: https://patch.msgid.link/20260630-b4-sched_fix-v7-1-71aa39c62627@imgtec.com Signed-off-by: Alessio Belle <alessio.belle@imgtec.com>
4 daysMerge tag 'batadv-net-pullrequest-20260630' of https://git.open-mesh.org/batadvPaolo Abeni
Simon Wunderlich says: ==================== Here are some batman-adv bugfix, all by Sven Eckelmann: - fix pointers after potential skb reallocs (5 patches) - dat: ensure accessible eth_hdr proto field * tag 'batadv-net-pullrequest-20260630' of https://git.open-mesh.org/batadv: batman-adv: dat: ensure accessible eth_hdr proto field batman-adv: bla: reacquire gw address after skb realloc batman-adv: dat: acquire ARP hw source only after skb realloc batman-adv: gw: acquire ethernet header only after skb realloc batman-adv: access unicast_ttvn skb->data only after skb realloc batman-adv: retrieve ethhdr after potential skb realloc on RX ==================== Link: https://patch.msgid.link/20260630134430.85786-1-sw@simonwunderlich.de Signed-off-by: Paolo Abeni <pabeni@redhat.com>
4 daysMAINTAINERS: Add a mailing list entry to MFDLee Jones
This is to be included by all contributors and will be leaned on for Sashiko's "reply to author" support. Signed-off-by: Lee Jones <lee@kernel.org>
4 daysnet/mlx5: HWS, fix matcher leak on resize target setup failureDawei Feng
hws_bwc_matcher_move() allocates a replacement matcher before setting it as the resize target. If mlx5hws_matcher_resize_set_target() fails, the replacement matcher is not attached anywhere and is leaked. Fix the leak by destroying the replacement matcher before returning from the resize-target failure path. The bug was first flagged by an experimental analysis tool we are developing for kernel memory-management bugs while analyzing v6.13-rc1. The tool is still under development and is not yet publicly available. Manual inspection confirms that the bug is still present in v7.1.1. An x86_64 allyesconfig build showed no new warnings. As we do not have a mlx5 HWS-capable device to test with, no runtime testing was able to be performed. Fixes: 2111bb970c78 ("net/mlx5: HWS, added backward-compatible API handling") Cc: stable@vger.kernel.org Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn> Reviewed-by: Yevgeny Kliteynik <kliteyn@nvidia.com> Acked-by: Tariq Toukan <tariqt@nvidia.com> Link: https://patch.msgid.link/20260629064049.3852759-1-dawei.feng@seu.edu.cn Signed-off-by: Paolo Abeni <pabeni@redhat.com>
4 daysx86/Xen: correct commentary and parameter naming of xen_exchange_memory()Jan Beulich
As documented in comments in struct xen_memory_exchange, the input to the hypercall is a set of MFNs which are to be removed from the domain, plus a set of PFNs where the newly allocated MFNs are to appear. Present comment and parameter naming don't correctly reflect that. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Juergen Gross <jgross@suse.com> Signed-off-by: Juergen Gross <jgross@suse.com> Message-ID: <7e0c8795-cc60-4b78-8601-6a999739467a@suse.com>
4 dayscifs: update internal module version numberSteve French
to 2.60 Signed-off-by: Steve French <stfrench@microsoft.com>
4 dayssmb: client: use unaligned reads in parse_posix_ctxt()Zihan Xi
The server controls create-context DataOffset, so the POSIX context data pointer may be misaligned on strict-alignment architectures. Use get_unaligned_le32() when reading nlink, reparse_tag, and mode. Fixes: 69dda3059e7a ("cifs: add SMB2_open() arg to return POSIX data") Cc: stable@vger.kernel.org Signed-off-by: Zihan Xi <xizh2024@lzu.edu.cn> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
4 dayssmb: client: harden POSIX SID length parsingZihan Xi
posix_info_sid_size() reads sid[1] to obtain the subauthority count, but its existing boundary check still accepts buffers with only one remaining byte. Require two bytes before reading sid[1] so all client paths that reuse the helper reject truncated POSIX SIDs safely. Fixes: 349e13ad30b4 ("cifs: add smb2 POSIX info level") Cc: stable@vger.kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Assisted-by: Codex:gpt-5.4 Signed-off-by: Zihan Xi <xizh2024@lzu.edu.cn> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Steve French <stfrench@microsoft.com>
4 daysMerge tag 'bootconfig-fixes-v7.2-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull bootconfig fix from Masami Hiramatsu: - bootconfig: Fix NULL-pointer arithmetic Fix undefined pointer arithmetic in xbc_snprint_cmdline() when probing the buffer length with NULL and size 0. Track the written length as a size_t instead to prevent build-time UBSan/FORTIFY_SOURCE failures. * tag 'bootconfig-fixes-v7.2-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: bootconfig: fix NULL-pointer arithmetic in xbc_snprint_cmdline()
4 daysaccel/amdxdna: Fix use-after-free in debug BO command handlingLizhi Hou
When a debug BO command completes, job->drv_cmd may already have been freed. Accessing it from aie2_sched_drvcmd_resp_handler() can result in a use-after-free and memory corruption. Fix this by introducing reference counting for drv_cmd objects and transferring ownership to the job while it is in flight. This ensures that the command remains valid until the completion handler finishes processing it. Fixes: 7ea046838021 ("accel/amdxdna: Support firmware debug buffer") Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org> Signed-off-by: Lizhi Hou <lizhi.hou@amd.com> Link: https://patch.msgid.link/20260701155556.663541-1-lizhi.hou@amd.com
4 daysx86,fs/resctrl: Prevent out-of-bounds access while offlining CPU when SNC ↵Reinette Chatre
enabled The architecture updates the cpu_mask in a domain's header to track which online CPUs are associated with the domain. When this mask becomes empty the architecture initiates offline of the domain that includes calling on resctrl fs to offline the domain. If it is a monitoring domain in which LLC occupancy is tracked resctrl fs forces the limbo handler to clear all busy RMID state associated with the domain. The limbo handler always reads the current event value associated with a busy RMID irrespective of it being checked as part of regular "is it still busy" check or whether it will be forced released anyway. When reading an RMID on a system with SNC enabled the "logical RMID" is converted to the "physical RMID" and this conversion requires the NUMA node ID of the resctrl monitoring domain that is in turn determined by querying the NUMA node ID of any CPU belonging to the monitoring domain. When the monitoring domain is going offline its cpu_mask is empty causing the NUMA node ID query via cpu_to_node() to be done with "nr_cpu_ids" as argument resulting in an out-of-bounds access. Refactor the limbo handler to skip reading the RMID when the RMID will just be forced to no longer be dirty in the domain anyway. Add a safety check to the architecture's RMID reader to protect against this scenario. Fixes: e13db55b5a0d ("x86/resctrl: Introduce snc_nodes_per_l3_cache") Closes: https://sashiko.dev/#/patchset/cover.1780456704.git.reinette.chatre%40intel.com?part=9 Reported-by: Sashiko <sashiko-bot@kernel.org> Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Cc: <stable@kernel.org> Link: https://patch.msgid.link/16137433df42f85013b2f7a53626795cbd6637b9.1781029125.git.reinette.chatre@intel.com
4 daysdrm/xe/rtp: Add struct types for RTP tablesGustavo Sousa
We currently have a mixture of styles for our RTP tables with respect of how we define the number of entries: * xe_rtp_process_to_sr() expects to receive the number of entries as arguments; * xe_rtp_process() expects the array to have a sentinel at the end of the array; * in xe_rtp_test.c, even though xe_rtp_process_to_sr() does not require a sentinel value, we need to rely on that technique to be able to count xe_rtp_entry_sr entries because simply using ARRAY_SIZE() is not possible. The style used by xe_rtp_process_to_sr() makes it hard to share the tables with other compilation units (e.g. kunit tests), since the number of entries is calculated with ARRAY_SIZE(), which is done at compile time. Since we use the size of the tables to create some bitmasks, using a sentinel style doesn't seem great either. A way to reconcile things into a single style is to have a struct type that would hold the entries array and the number of entries. Since we have xe_rtp_entry and xe_rtp_entry_sr, we would have one type for each. The advantage of the proposed approach is that now we have a nice way to share the tables directly to kunit tests with information about their size. v6: - Removed sentinels that are not needed v5: - Removed added code from conflict resolution issues v4: - Removed conflicts with main branch v3: - No changes v2: - Add compatibility with new xe_rtp_table_sr format for "bad-mcr-reg-forced-to-regular" and "bad-regular-reg-forced-to-mcr" Fixes: 828a8eaf37c3 ("drm/xe/oa: Add MMIO trigger support") Cc: stable@vger.kernel.org # v6.12+ Reviewed-by: Matt Roper <matthew.d.roper@intel.com> Signed-off-by: Gustavo Sousa <gustavo.sousa@intel.com> Signed-off-by: Violet Monti <violet.monti@intel.com> Link: https://patch.msgid.link/20260601200947.2032784-7-violet.monti@intel.com Signed-off-by: Matt Roper <matthew.d.roper@intel.com> (cherry picked from commit 5ff004fdc7377905f2fe5264b8829d35e14608b8) Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
4 daysASoC: codecs: tas675x: misc bugfixes and minor changesMark Brown
Sen Wang <sen@ti.com> says: Few miscellaneous bug fixes after the initial merge of TAS675x driver, of which includes: - Adding READ_ONCE for all concurrent read params - Corrected kcontrol bits for temperature range - Corrected conversion notes in the driver documentation Link: https://patch.msgid.link/20260630183126.2588322-1-sen@ti.com
4 daysDocumentation: sound: tas675x: Fix temperature range and impedance documentationSen Wang
Two corrections against the TRM (SLOU589A): - Corrected channel temperature range - Corrected conversion formula for global temperature Fixes: ba46edca354e ("Documentation: sound: Add TAS675x codec mixer controls documentation") Signed-off-by: Sen Wang <sen@ti.com> Link: https://patch.msgid.link/20260630183126.2588322-4-sen@ti.com Signed-off-by: Mark Brown <broonie@kernel.org>
4 daysASoC: codecs: tas675x: Fix CHx temperature range register bit fieldsSen Wang
The initial merged patch mixed up the bits for temp reg with LDG report, now fixing to the right bits according to TRM (SLOU589A). Fixes: 133c81f84471 ("ASoC: codecs: Add TAS67524 quad-channel audio amplifier driver") Signed-off-by: Sen Wang <sen@ti.com> Link: https://patch.msgid.link/20260630183126.2588322-3-sen@ti.com Signed-off-by: Mark Brown <broonie@kernel.org>
4 daysASoC: codecs: tas675x: use READ_ONCE for params to be used concurrentlySen Wang
active_playback_dais and active_capture_dais are written atomically via set_bit()/clear_bit() and can be read concurrently from the fault_check_work delayed work handler. fault_check_work already uses READ_ONCE; extend the same guard to all other reads in tas675x_hw_params() and tas675x_mute_stream(). Fixes: 133c81f84471 ("ASoC: codecs: Add TAS67524 quad-channel audio amplifier driver") Signed-off-by: Sen Wang <sen@ti.com> Link: https://patch.msgid.link/20260630183126.2588322-2-sen@ti.com Signed-off-by: Mark Brown <broonie@kernel.org>
4 daysdrm/amdgpu/jpeg: fix jpeg_v4_0_3_is_idle detectionBoyuan Zhang
jpeg_v4_0_3_is_idle() initializes ret to false and then accumulates ring idle status using &=. Since false & condition always remains false, the function can never report the JPEG block as idle. Initialize ret to true so the function returns true only when all JPEG rings report RB_JOB_DONE. Signed-off-by: Boyuan Zhang <boyuan.zhang@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit e9df8e9d04e0593d17ddb069f3b7958991cd18c9) Cc: stable@vger.kernel.org
4 daysdrm/amdgpu: Fix kernel panic during driver load failureHarish Kasiviswanathan
Avoid kernel panic if MES init fails during driver load. The KIQ ring is falsely marked as ready as ASICs that use MES, KIQ is owned by MES. BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:gfx_v12_1_wait_reg_mem+0x5a/0x1f0 [amdgpu] Call Trace: gfx_v12_1_ring_emit_reg_write_reg_wait+0x1f/0x30 [amdgpu] amdgpu_gmc_fw_reg_write_reg_wait+0xb2/0x190 [amdgpu] amdgpu_gmc_flush_gpu_tlb+0x1cc/0x230 [amdgpu] amdgpu_gart_invalidate_tlb+0x81/0xa0 [amdgpu] amdgpu_gart_unbind+0x72/0x90 [amdgpu] amdgpu_ttm_backend_unbind+0xa4/0xb0 [amdgpu] amdgpu_ttm_tt_unpopulate+0x13/0xd0 [amdgpu] amdttm_tt_unpopulate+0x29/0x70 [amdttm] ttm_bo_put+0x1eb/0x360 [amdttm] amdgpu_bo_free_kernel+0xf9/0x1f0 [amdgpu] amdgpu_ih_ring_fini+0x5a/0x90 [amdgpu] amdgpu_irq_fini_hw+0x58/0x80 [amdgpu] amdgpu_device_fini_hw+0x4e0/0x5b0 [amdgpu] amdgpu_driver_load_kms+0x60/0xa0 [amdgpu] amdgpu_pci_probe+0x28e/0x6d0 [amdgpu] pci_device_probe+0x19f/0x220 really_probe+0x1ed/0x340 driver_probe_device+0x1e/0x80 __driver_attach+0xd3/0x1a0 bus_for_each_dev+0x68/0xa0 bus_add_driver+0x19f/0x270 driver_register+0x5d/0xf0 do_one_initcall+0xac/0x200 do_init_module+0x1ec/0x280 __se_sys_finit_module+0x2de/0x310 do_syscall_64+0x6a/0x250 entry_SYSCALL_64_after_hwframe+0x4b/0x53 Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com> Reviewed-by: Kent Russell <kent.russell@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 4623b958dd6da0f4c3026afdf330626a09ecb0f0) Cc: stable@vger.kernel.org
4 daysdrm/amd/display: detect_link_and_local_sink: DP alt mode timeout path leaks ↵WenTao Liang
prev_sink reference prev_sink is unconditionally retained via dc_sink_retain at function entry, but the DP alt mode timeout path inside SIGNAL_TYPE_DISPLAY_PORT returns false without releasing prev_sink. All other return paths in the function correctly call dc_sink_release(prev_sink), making this the only missing cleanup. Fixes: 54618888d1ea ("drm/amd/display: break down dc_link.c") Signed-off-by: WenTao Liang <vulab@iscas.ac.cn> Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org> Link: https://patch.msgid.link/20260626124555.36910-1-vulab@iscas.ac.cn Signed-off-by: Mario Limonciello <mario.limonciello@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> (cherry picked from commit 45510cf662dcf46b5d8926d454f338809f107b9d) Cc: stable@vger.kernel.org