Hello,
New build issue found on stable-rc/linux-5.4.y:
---
./arch/arm64/include/asm/memory.h:85:50: error: ‘KASAN_SHADOW_SCALE_SHIFT’ undeclared (first use in this function) in arch/arm64/kernel/vdso32/vgettimeofday.o (arch/arm64/kernel/vdso32/Makefile:166) [logspec:kbuild,kbuild.compiler.error]
---
- dashboard: https://d.kernelci.org/i/maestro:35fc997ccf1864d670c66eb7815463e470fe1fa9
- giturl: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
- commit HEAD: 2c0548712531f8b879edccf67949a8e5abe4e5e4
Log excerpt:
=====================================================
CC32 arch/arm64/kernel/vdso32/vgettimeofday.o
AS32 arch/arm64/kernel/vdso32/sigreturn.o
HOSTCC arch/arm64/kernel/vdso32/../../../arm/vdso/vdsomunge
In file included from ./arch/arm64/include/asm/thread_info.h:17,
from ./include/linux/thread_info.h:39,
from ./arch/arm64/include/asm/preempt.h:5,
from ./include/linux/preempt.h:78,
from ./include/linux/spinlock.h:51,
from ./include/linux/seqlock.h:36,
from ./include/linux/time.h:6,
from /tmp/kci/linux/lib/vdso/gettimeofday.c:7,
from <command-line>:
./arch/arm64/include/asm/memory.h: In function ‘kaslr_offset’:
./arch/arm64/include/asm/memory.h:85:50: error: ‘KASAN_SHADOW_SCALE_SHIFT’ undeclared (first use in this function)
85 | #define KASAN_SHADOW_END ((UL(1) << (64 - KASAN_SHADOW_SCALE_SHIFT)) \
| ^~~~~~~~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:50:34: note: in expansion of macro ‘KASAN_SHADOW_END’
50 | #define BPF_JIT_REGION_START (KASAN_SHADOW_END)
| ^~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:52:34: note: in expansion of macro ‘BPF_JIT_REGION_START’
52 | #define BPF_JIT_REGION_END (BPF_JIT_REGION_START + BPF_JIT_REGION_SIZE)
| ^~~~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:54:34: note: in expansion of macro ‘BPF_JIT_REGION_END’
54 | #define MODULES_VADDR (BPF_JIT_REGION_END)
| ^~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:53:34: note: in expansion of macro ‘MODULES_VADDR’
53 | #define MODULES_END (MODULES_VADDR + MODULES_VSIZE)
| ^~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:49:34: note: in expansion of macro ‘MODULES_END’
49 | #define KIMAGE_VADDR (MODULES_END)
| ^~~~~~~~~~~
./arch/arm64/include/asm/memory.h:193:31: note: in expansion of macro ‘KIMAGE_VADDR’
193 | return kimage_vaddr - KIMAGE_VADDR;
| ^~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:85:50: note: each undeclared identifier is reported only once for each function it appears in
85 | #define KASAN_SHADOW_END ((UL(1) << (64 - KASAN_SHADOW_SCALE_SHIFT)) \
| ^~~~~~~~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:50:34: note: in expansion of macro ‘KASAN_SHADOW_END’
50 | #define BPF_JIT_REGION_START (KASAN_SHADOW_END)
| ^~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:52:34: note: in expansion of macro ‘BPF_JIT_REGION_START’
52 | #define BPF_JIT_REGION_END (BPF_JIT_REGION_START + BPF_JIT_REGION_SIZE)
| ^~~~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:54:34: note: in expansion of macro ‘BPF_JIT_REGION_END’
54 | #define MODULES_VADDR (BPF_JIT_REGION_END)
| ^~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:53:34: note: in expansion of macro ‘MODULES_VADDR’
53 | #define MODULES_END (MODULES_VADDR + MODULES_VSIZE)
| ^~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:49:34: note: in expansion of macro ‘MODULES_END’
49 | #define KIMAGE_VADDR (MODULES_END)
| ^~~~~~~~~~~
./arch/arm64/include/asm/memory.h:193:31: note: in expansion of macro ‘KIMAGE_VADDR’
193 | return kimage_vaddr - KIMAGE_VADDR;
| ^~~~~~~~~~~~
./arch/arm64/include/asm/memory.h: In function ‘__tag_set’:
./arch/arm64/include/asm/memory.h:238:22: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
238 | u64 __addr = (u64)addr & ~__tag_shifted(0xff);
| ^
In file included from ./arch/arm64/include/asm/pgtable-hwdef.h:8,
from ./arch/arm64/include/asm/processor.h:34,
from ./arch/arm64/include/asm/elf.h:118,
from ./include/linux/elf.h:5,
from ./include/linux/elfnote.h:62,
from arch/arm64/kernel/vdso32/note.c:11:
./arch/arm64/include/asm/memory.h: In function ‘kaslr_offset’:
./arch/arm64/include/asm/memory.h:85:50: error: ‘KASAN_SHADOW_SCALE_SHIFT’ undeclared (first use in this function)
85 | #define KASAN_SHADOW_END ((UL(1) << (64 - KASAN_SHADOW_SCALE_SHIFT)) \
| ^~~~~~~~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:50:34: note: in expansion of macro ‘KASAN_SHADOW_END’
50 | #define BPF_JIT_REGION_START (KASAN_SHADOW_END)
| ^~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:52:34: note: in expansion of macro ‘BPF_JIT_REGION_START’
52 | #define BPF_JIT_REGION_END (BPF_JIT_REGION_START + BPF_JIT_REGION_SIZE)
| ^~~~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:54:34: note: in expansion of macro ‘BPF_JIT_REGION_END’
54 | #define MODULES_VADDR (BPF_JIT_REGION_END)
| ^~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:53:34: note: in expansion of macro ‘MODULES_VADDR’
53 | #define MODULES_END (MODULES_VADDR + MODULES_VSIZE)
| ^~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:49:34: note: in expansion of macro ‘MODULES_END’
49 | #define KIMAGE_VADDR (MODULES_END)
| ^~~~~~~~~~~
./arch/arm64/include/asm/memory.h:193:31: note: in expansion of macro ‘KIMAGE_VADDR’
193 | return kimage_vaddr - KIMAGE_VADDR;
| ^~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:85:50: note: each undeclared identifier is reported only once for each function it appears in
85 | #define KASAN_SHADOW_END ((UL(1) << (64 - KASAN_SHADOW_SCALE_SHIFT)) \
| ^~~~~~~~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:50:34: note: in expansion of macro ‘KASAN_SHADOW_END’
50 | #define BPF_JIT_REGION_START (KASAN_SHADOW_END)
| ^~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:52:34: note: in expansion of macro ‘BPF_JIT_REGION_START’
52 | #define BPF_JIT_REGION_END (BPF_JIT_REGION_START + BPF_JIT_REGION_SIZE)
| ^~~~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:54:34: note: in expansion of macro ‘BPF_JIT_REGION_END’
54 | #define MODULES_VADDR (BPF_JIT_REGION_END)
| ^~~~~~~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:53:34: note: in expansion of macro ‘MODULES_VADDR’
53 | #define MODULES_END (MODULES_VADDR + MODULES_VSIZE)
| ^~~~~~~~~~~~~
./arch/arm64/include/asm/memory.h:49:34: note: in expansion of macro ‘MODULES_END’
49 | #define KIMAGE_VADDR (MODULES_END)
| ^~~~~~~~~~~
./arch/arm64/include/asm/memory.h:193:31: note: in expansion of macro ‘KIMAGE_VADDR’
193 | return kimage_vaddr - KIMAGE_VADDR;
| ^~~~~~~~~~~~
./arch/arm64/include/asm/memory.h: In function ‘__tag_set’:
./arch/arm64/include/asm/memory.h:238:22: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
238 | u64 __addr = (u64)addr & ~__tag_shifted(0xff);
| ^
=====================================================
# Builds where the incident occurred:
## defconfig+arm64-chromebook+kcidebug+lab-setup on (arm64):
- compiler: gcc-12
- dashboard: https://d.kernelci.org/build/maestro:68dffa7e841b167e8d3e0d0c
#kernelci issue maestro:35fc997ccf1864d670c66eb7815463e470fe1fa9
Reported-by: kernelci.org bot <bot(a)kernelci.org>
--
This is an experimental report format. Please send feedback in!
Talk to us at kernelci(a)lists.linux.dev
Made with love by the KernelCI team - https://kernelci.org
The patch below does not apply to the 6.12-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y
git checkout FETCH_HEAD
git cherry-pick -x 79d10f4f21a92e459b2276a77be62c59c1502c9d
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025100327-municipal-zone-0d8a@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 79d10f4f21a92e459b2276a77be62c59c1502c9d Mon Sep 17 00:00:00 2001
From: Duoming Zhou <duoming(a)zju.edu.cn>
Date: Wed, 17 Sep 2025 17:57:42 +0800
Subject: [PATCH] media: i2c: tc358743: Fix use-after-free bugs caused by
orphan timer in probe
The state->timer is a cyclic timer that schedules work_i2c_poll and
delayed_work_enable_hotplug, while rearming itself. Using timer_delete()
fails to guarantee the timer isn't still running when destroyed, similarly
cancel_delayed_work() cannot ensure delayed_work_enable_hotplug has
terminated if already executing. During probe failure after timer
initialization, these may continue running as orphans and reference the
already-freed tc358743_state object through tc358743_irq_poll_timer.
The following is the trace captured by KASAN.
BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
Write of size 8 at addr ffff88800ded83c8 by task swapper/1/0
...
Call Trace:
<IRQ>
dump_stack_lvl+0x55/0x70
print_report+0xcf/0x610
? __pfx_sched_balance_find_src_group+0x10/0x10
? __run_timer_base.part.0+0x7d7/0x8c0
kasan_report+0xb8/0xf0
? __run_timer_base.part.0+0x7d7/0x8c0
__run_timer_base.part.0+0x7d7/0x8c0
? rcu_sched_clock_irq+0xb06/0x27d0
? __pfx___run_timer_base.part.0+0x10/0x10
? try_to_wake_up+0xb15/0x1960
? tmigr_update_events+0x280/0x740
? _raw_spin_lock_irq+0x80/0xe0
? __pfx__raw_spin_lock_irq+0x10/0x10
tmigr_handle_remote_up+0x603/0x7e0
? __pfx_tmigr_handle_remote_up+0x10/0x10
? sched_balance_trigger+0x98/0x9f0
? sched_tick+0x221/0x5a0
? _raw_spin_lock_irq+0x80/0xe0
? __pfx__raw_spin_lock_irq+0x10/0x10
? tick_nohz_handler+0x339/0x440
? __pfx_tmigr_handle_remote_up+0x10/0x10
__walk_groups.isra.0+0x42/0x150
tmigr_handle_remote+0x1f4/0x2e0
? __pfx_tmigr_handle_remote+0x10/0x10
? ktime_get+0x60/0x140
? lapic_next_event+0x11/0x20
? clockevents_program_event+0x1d4/0x2a0
? hrtimer_interrupt+0x322/0x780
handle_softirqs+0x16a/0x550
irq_exit_rcu+0xaf/0xe0
sysvec_apic_timer_interrupt+0x70/0x80
</IRQ>
...
Allocated by task 141:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_node_track_caller_noprof+0x198/0x430
devm_kmalloc+0x7b/0x1e0
tc358743_probe+0xb7/0x610 i2c_device_probe+0x51d/0x880
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__device_attach_driver+0x174/0x220
bus_for_each_drv+0x100/0x190
__device_attach+0x206/0x370
bus_probe_device+0x123/0x170
device_add+0xd25/0x1470
i2c_new_client_device+0x7a0/0xcd0
do_one_initcall+0x89/0x300
do_init_module+0x29d/0x7f0
load_module+0x4f48/0x69e0
init_module_from_file+0xe4/0x150
idempotent_init_module+0x320/0x670
__x64_sys_finit_module+0xbd/0x120
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 141:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
kasan_save_free_info+0x3a/0x60
__kasan_slab_free+0x3f/0x50
kfree+0x137/0x370
release_nodes+0xa4/0x100
devres_release_group+0x1b2/0x380
i2c_device_probe+0x694/0x880
really_probe+0x1ca/0x5c0
__driver_probe_device+0x248/0x310
driver_probe_device+0x44/0x120
__device_attach_driver+0x174/0x220
bus_for_each_drv+0x100/0x190
__device_attach+0x206/0x370
bus_probe_device+0x123/0x170
device_add+0xd25/0x1470
i2c_new_client_device+0x7a0/0xcd0
do_one_initcall+0x89/0x300
do_init_module+0x29d/0x7f0
load_module+0x4f48/0x69e0
init_module_from_file+0xe4/0x150
idempotent_init_module+0x320/0x670
__x64_sys_finit_module+0xbd/0x120
do_syscall_64+0xac/0x280
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
Replace timer_delete() with timer_delete_sync() and cancel_delayed_work()
with cancel_delayed_work_sync() to ensure proper termination of timer and
work items before resource cleanup.
This bug was initially identified through static analysis. For reproduction
and testing, I created a functional emulation of the tc358743 device via a
kernel module and introduced faults through the debugfs interface.
Fixes: 869f38ae07f7 ("media: i2c: tc358743: Fix crash in the probe error path when using polling")
Fixes: d32d98642de6 ("[media] Driver for Toshiba TC358743 HDMI to CSI-2 bridge")
Cc: stable(a)vger.kernel.org
Signed-off-by: Duoming Zhou <duoming(a)zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco(a)kernel.org>
diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index aa02a5a6ae3e..a0ca19359c43 100644
--- a/drivers/media/i2c/tc358743.c
+++ b/drivers/media/i2c/tc358743.c
@@ -2326,10 +2326,10 @@ static int tc358743_probe(struct i2c_client *client)
err_work_queues:
cec_unregister_adapter(state->cec_adap);
if (!state->i2c_client->irq) {
- timer_delete(&state->timer);
+ timer_delete_sync(&state->timer);
flush_work(&state->work_i2c_poll);
}
- cancel_delayed_work(&state->delayed_work_enable_hotplug);
+ cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
mutex_destroy(&state->confctl_mutex);
err_hdl:
media_entity_cleanup(&sd->entity);
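Review bot: `timer_delete_sync()` at err_work_queues waits for a running callback but leaves the timer re-armable, and the commit message describes this timer as rearming itself while `state` is devm-freed once probe returns the error. On trees that provide it, `timer_shutdown_sync(&state->timer);` would turn any later `mod_timer()` into a no-op and close that window outright; whether anything other than the callback rearms the timer is not visible in the hunk. The teardown order also deserves a comment, e.g. `/* Stop the poll timer before flushing the work it queues; state is devm-managed and freed once probe fails. */`. tc358743_probe starts outside the hunk and the remove path is not shown, so it is worth confirming that it uses the same _sync calls.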
Hi,
Changes since v1:
- SHAs for Fixes tag corrected (sorry)
The size of the DSP host buffer was incorrectly defined as 2ms while
it is 4ms and the ChainDMA PCMs are using 5ms as host facing buffer.
The constraint will be set against the period time rather than the buffer
time to make sure that applications will not face xruns when the
DMA bursts to refill the host buffer.
The minimal period size will also be used by Pipewire in case of SOF
cards to set the headroom to a length which will avoid the cases when
the hw_ptr jumps over the appl_ptr because of a burst.
IOW, it will make Pipewire keep a safe distance from the hw_ptr.
https://github.com/thesofproject/linux/issues/5284
https://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/740
https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/2548
Regards,
Peter
---
Peter Ujfalusi (3):
ASoC: SOF: ipc4-topology: Correct the minimum host DMA buffer size
ASoC: SOF: ipc4-topology: Account for different ChainDMA host buffer
size
ASoC: SOF: Intel: hda-pcm: Place the constraint on period time instead
of buffer time
sound/soc/sof/intel/hda-pcm.c | 29 +++++++++++++++++++++--------
sound/soc/sof/ipc4-topology.c | 9 +++++++--
sound/soc/sof/ipc4-topology.h | 7 +++++--
3 files changed, 33 insertions(+), 12 deletions(-)
--
2.51.0
Hi,
With SRC in the firmware processing pipeline the FE and BE rates
can be different; the sample counters on the two sides of the DSP
count in different rate domains and they will drift apart.
The counters should be moved to the same rate domain to be
usable for delay calculation.
The ChainDMA offset value was incorrect since the host buffer size
and the trigger to start the chain were initially misunderstood.
Finally: we can have a situation when the host and link DMA channel
in HDA is not using matching channel ids.
We need to look up the link channel explicitly to make sure that we
read the LLP from the correct link.
Regards,
Peter
---
Kai Vehmanen (3):
ASoC: SOF: ipc4-pcm: fix delay calculation when DSP resamples
ASoC: SOF: ipc4-pcm: fix start offset calculation for chain DMA
ASoC: SOF: ipc4-pcm: do not report invalid delay values
Peter Ujfalusi (2):
ASoC: SOF: sof-audio: add dev_dbg_ratelimited wrapper
ASoC: SOF: Intel: Read the LLP via the associated Link DMA channel
sound/soc/sof/intel/hda-stream.c | 29 ++++++++-
sound/soc/sof/ipc4-pcm.c | 104 ++++++++++++++++++++++++-------
sound/soc/sof/ipc4-topology.c | 1 -
sound/soc/sof/ipc4-topology.h | 2 +
sound/soc/sof/sof-audio.h | 5 ++
5 files changed, 114 insertions(+), 27 deletions(-)
--
2.51.0
The patch below does not apply to the 6.12-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y
git checkout FETCH_HEAD
git cherry-pick -x 358ee50ab565f3c8ea32480e9d03127a81ba32f8
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025100328-armchair-going-304b@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 358ee50ab565f3c8ea32480e9d03127a81ba32f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?= <thomas.hellstrom(a)linux.intel.com>
Date: Thu, 21 Aug 2025 16:30:45 +0200
Subject: [PATCH] drm/xe/vm: Clear the scratch_pt pointer on error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Avoid triggering a dereference of an error pointer on cleanup in
xe_vm_free_scratch() by clearing any scratch_pt error pointer.
Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com>
Fixes: 06951c2ee72d ("drm/xe: Use NULL PTEs as scratch PTEs")
Cc: Brian Welty <brian.welty(a)intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com>
Cc: Lucas De Marchi <lucas.demarchi(a)intel.com>
Cc: <stable(a)vger.kernel.org> # v6.8+
Reviewed-by: Matthew Brost <matthew.brost(a)intel.com>
Link: https://lore.kernel.org/r/20250821143045.106005-4-thomas.hellstrom@linux.in…
diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
index c86337e08a55..d3f6dc6b1779 100644
--- a/drivers/gpu/drm/xe/xe_vm.c
+++ b/drivers/gpu/drm/xe/xe_vm.c
@@ -1635,8 +1635,12 @@ static int xe_vm_create_scratch(struct xe_device *xe, struct xe_tile *tile,
for (i = MAX_HUGEPTE_LEVEL; i < vm->pt_root[id]->level; i++) {
vm->scratch_pt[id][i] = xe_pt_create(vm, tile, i);
- if (IS_ERR(vm->scratch_pt[id][i]))
- return PTR_ERR(vm->scratch_pt[id][i]);
+ if (IS_ERR(vm->scratch_pt[id][i])) {
+ int err = PTR_ERR(vm->scratch_pt[id][i]);
+
+ vm->scratch_pt[id][i] = NULL;
+ return err;
+ }
xe_pt_populate_empty(tile, vm, vm->scratch_pt[id][i]);
}
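Review bot: The error pointer is still written into `vm->scratch_pt[id][i]` before it is checked and only then overwritten with NULL, so the fix depends on every failure branch remembering to reset the slot. Assigning the result of xe_pt_create() to a local and publishing it to the array only after the IS_ERR() check would keep an ERR_PTR from ever being visible to xe_vm_free_scratch(); this assumes the slot is NULL beforehand, which the hunk does not show. Either way, xe_vm_free_scratch() (outside the hunk) has to skip NULL entries for the cleanup to be safe. The same hunk is repeated in the 6.16 and 6.17 notices further down, and xe_vm_create_scratch starts and ends outside it.

```c
	for (i = MAX_HUGEPTE_LEVEL; i < vm->pt_root[id]->level; i++) {
		struct xe_pt *pt = xe_pt_create(vm, tile, i);

		if (IS_ERR(pt))
			return PTR_ERR(pt);

		/* Publish only valid page tables; cleanup never sees an ERR_PTR. */
		vm->scratch_pt[id][i] = pt;
		xe_pt_populate_empty(tile, vm, pt);
	}
```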
The patch below does not apply to the 6.16-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.16.y
git checkout FETCH_HEAD
git cherry-pick -x 358ee50ab565f3c8ea32480e9d03127a81ba32f8
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025100327-kindly-attic-f695@gregkh' --subject-prefix 'PATCH 6.16.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 358ee50ab565f3c8ea32480e9d03127a81ba32f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?= <thomas.hellstrom(a)linux.intel.com>
Date: Thu, 21 Aug 2025 16:30:45 +0200
Subject: [PATCH] drm/xe/vm: Clear the scratch_pt pointer on error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Avoid triggering a dereference of an error pointer on cleanup in
xe_vm_free_scratch() by clearing any scratch_pt error pointer.
Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com>
Fixes: 06951c2ee72d ("drm/xe: Use NULL PTEs as scratch PTEs")
Cc: Brian Welty <brian.welty(a)intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com>
Cc: Lucas De Marchi <lucas.demarchi(a)intel.com>
Cc: <stable(a)vger.kernel.org> # v6.8+
Reviewed-by: Matthew Brost <matthew.brost(a)intel.com>
Link: https://lore.kernel.org/r/20250821143045.106005-4-thomas.hellstrom@linux.in…
diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
index c86337e08a55..d3f6dc6b1779 100644
--- a/drivers/gpu/drm/xe/xe_vm.c
+++ b/drivers/gpu/drm/xe/xe_vm.c
@@ -1635,8 +1635,12 @@ static int xe_vm_create_scratch(struct xe_device *xe, struct xe_tile *tile,
for (i = MAX_HUGEPTE_LEVEL; i < vm->pt_root[id]->level; i++) {
vm->scratch_pt[id][i] = xe_pt_create(vm, tile, i);
- if (IS_ERR(vm->scratch_pt[id][i]))
- return PTR_ERR(vm->scratch_pt[id][i]);
+ if (IS_ERR(vm->scratch_pt[id][i])) {
+ int err = PTR_ERR(vm->scratch_pt[id][i]);
+
+ vm->scratch_pt[id][i] = NULL;
+ return err;
+ }
xe_pt_populate_empty(tile, vm, vm->scratch_pt[id][i]);
}
The patch below does not apply to the 6.17-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.17.y
git checkout FETCH_HEAD
git cherry-pick -x 358ee50ab565f3c8ea32480e9d03127a81ba32f8
# <resolve conflicts, build, test, etc.>
git commit -s
git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2025100327-judgingly-revenue-6ef4@gregkh' --subject-prefix 'PATCH 6.17.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 358ee50ab565f3c8ea32480e9d03127a81ba32f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?= <thomas.hellstrom(a)linux.intel.com>
Date: Thu, 21 Aug 2025 16:30:45 +0200
Subject: [PATCH] drm/xe/vm: Clear the scratch_pt pointer on error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Avoid triggering a dereference of an error pointer on cleanup in
xe_vm_free_scratch() by clearing any scratch_pt error pointer.
Signed-off-by: Thomas Hellström <thomas.hellstrom(a)linux.intel.com>
Fixes: 06951c2ee72d ("drm/xe: Use NULL PTEs as scratch PTEs")
Cc: Brian Welty <brian.welty(a)intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com>
Cc: Lucas De Marchi <lucas.demarchi(a)intel.com>
Cc: <stable(a)vger.kernel.org> # v6.8+
Reviewed-by: Matthew Brost <matthew.brost(a)intel.com>
Link: https://lore.kernel.org/r/20250821143045.106005-4-thomas.hellstrom@linux.in…
diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
index c86337e08a55..d3f6dc6b1779 100644
--- a/drivers/gpu/drm/xe/xe_vm.c
+++ b/drivers/gpu/drm/xe/xe_vm.c
@@ -1635,8 +1635,12 @@ static int xe_vm_create_scratch(struct xe_device *xe, struct xe_tile *tile,
for (i = MAX_HUGEPTE_LEVEL; i < vm->pt_root[id]->level; i++) {
vm->scratch_pt[id][i] = xe_pt_create(vm, tile, i);
- if (IS_ERR(vm->scratch_pt[id][i]))
- return PTR_ERR(vm->scratch_pt[id][i]);
+ if (IS_ERR(vm->scratch_pt[id][i])) {
+ int err = PTR_ERR(vm->scratch_pt[id][i]);
+
+ vm->scratch_pt[id][i] = NULL;
+ return err;
+ }
xe_pt_populate_empty(tile, vm, vm->scratch_pt[id][i]);
}