From 79ae8510b5b81b9500370f89c619b50ca9c0990f Mon Sep 17 00:00:00 2001 From: Thomas Zimmermann Date: Tue, 9 Dec 2025 15:33:18 +0100 Subject: drm/atomic: Increase timeout in drm_atomic_helper_wait_for_vblanks() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Increase the timeout for vblank events from 100 ms to 1000 ms. This is the same fix as in commit f050da08a4ed ("drm/vblank: Increase timeout in drm_wait_one_vblank()") for another vblank timeout. After merging generic DRM vblank timers [1] and converting several DRM drivers for virtual hardware, these drivers synchronize their vblank events to the display refresh rate. This can trigger timeouts within the DRM framework. Signed-off-by: Thomas Zimmermann Link: https://lore.kernel.org/dri-devel/20250904145806.430568-1-tzimmermann@suse.de/ # [1] Reported-by: syzbot+fcede535e7eb57cf5b43@syzkaller.appspotmail.com Closes: https://lore.kernel.org/dri-devel/69381d6c.050a0220.4004e.0017.GAE@google.com/ Reviewed-by: Ville Syrjälä Fixes: 74afeb812850 ("drm/vblank: Add vblank timer") Link: https://patch.msgid.link/20251209143325.102056-1-tzimmermann@suse.de --- drivers/gpu/drm/drm_atomic_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/gpu/drm') diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c index af02c409c2f6..75e87c0b51f7 100644 --- a/drivers/gpu/drm/drm_atomic_helper.c +++ b/drivers/gpu/drm/drm_atomic_helper.c @@ -1916,7 +1916,7 @@ drm_atomic_helper_wait_for_vblanks(struct drm_device *dev, ret = wait_event_timeout(*queue, state->crtcs[i].last_vblank_count != drm_crtc_vblank_count(crtc), - msecs_to_jiffies(100)); + msecs_to_jiffies(1000)); WARN(!ret, "[CRTC:%d:%s] vblank wait timed out\n", crtc->base.id, crtc->name); -- cgit v1.2.3 From eecdd4bd6e47bf0c8ff1e049771fa5bab7074c7c Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Thu, 9 Apr 2026 04:48:41 +0200 Subject: drm/bridge: stm_lvds: Do not fail atomic_check on disabled connector MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the connector is disabled, the new connector state has .crtc field set to NULL and there is nothing more to validate after that point. The .crtc field being NULL is not an error. Test for .crtc being NULL, and if it is NULL, exit early with return 0. This fixes a failure in suspend/resume path, where the connector is already disabled, but .atomic_check is called, fails, returns -EINVAL and blocks the suspend entry. Fixes: aca1cbc1c986 ("drm/stm: lvds: add new STM32 LVDS Display Interface Transmitter driver") Signed-off-by: Marek Vasut Acked-by: Raphaël Gallais-Pou Link: https://patch.msgid.link/20260409024928.344010-1-marex@nabladev.com Signed-off-by: Raphael Gallais-Pou --- drivers/gpu/drm/stm/lvds.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'drivers/gpu/drm') diff --git a/drivers/gpu/drm/stm/lvds.c b/drivers/gpu/drm/stm/lvds.c index fe38c0984b2b..25e2ba98f36a 100644 --- a/drivers/gpu/drm/stm/lvds.c +++ b/drivers/gpu/drm/stm/lvds.c @@ -897,14 +897,14 @@ static int lvds_connector_atomic_check(struct drm_connector *connector, if (!conn_state) return -EINVAL; + if (!conn_state->crtc) + return 0; + if (list_empty(&connector->modes)) { drm_dbg(connector->dev, "connector: empty modes list\n"); return -EINVAL; } - if (!conn_state->crtc) - return -EINVAL; - panel_mode = list_first_entry(&connector->modes, struct drm_display_mode, head); -- cgit v1.2.3 From 8867262d993d249309a8d3ec28ce095378cf1720 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adri=C3=A1n=20Larumbe?= Date: Wed, 8 Apr 2026 20:12:23 +0100 Subject: drm/panthor: Extend VM locked region for remap case to be a superset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the event of an sm_step_remap() that leads to a partial unmap of a transparent huge page, the new locked region required by an extended unmap might not be a superset of the original one. Then, if it leaves a portion of the initially requested one out, the ensuing map will trigger a warning. Fixes: 8e7460eac786 ("drm/panthor: Support partial unmaps of huge pages") Reviewed-by: Boris Brezillon Reviewed-by: Steven Price Reviewed-by: Liviu Dudau Link: https://patch.msgid.link/20260408191228.537625-1-adrian.larumbe@collabora.com Signed-off-by: Adrián Larumbe --- drivers/gpu/drm/panthor/panthor_mmu.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'drivers/gpu/drm') diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c index 41604a7aaf85..888fafc938a7 100644 --- a/drivers/gpu/drm/panthor/panthor_mmu.c +++ b/drivers/gpu/drm/panthor/panthor_mmu.c @@ -1638,6 +1638,25 @@ static int panthor_vm_lock_region(struct panthor_vm *vm, u64 start, u64 size) start + size <= vm->locked_region.start + vm->locked_region.size) return 0; + /* sm_step_remap() may need a locked region that isn't a strict superset + * of the original one because of having to extend unmap boundaries beyond + * it to deal with partial unmaps of transparent huge pages. What we want + * in those cases is to lock the union of both regions. The new region must + * always overlap with the original one, because the upper and lower unmap + * boundaries in a remap operation can only shift up or down respectively, + * but never otherwise. + */ + if (vm->locked_region.size) { + u64 end = max(vm->locked_region.start + vm->locked_region.size, + start + size); + + drm_WARN_ON_ONCE(&vm->ptdev->base, (start + size <= vm->locked_region.start) || + (start >= vm->locked_region.start + vm->locked_region.size)); + + start = min(start, vm->locked_region.start); + size = end - start; + } + mutex_lock(&ptdev->mmu->as.slots_lock); if (vm->as.id >= 0 && size) { /* Lock the region that needs to be updated */ -- cgit v1.2.3 From e0f53c2a6ab0ea49b9cfe4d9adb1282b6e463ca6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adri=C3=A1n=20Larumbe?= Date: Wed, 8 Apr 2026 20:12:24 +0100 Subject: drm/panthor: Fix outdated function documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 'vm' is no longer allowed to be NULL. Reviewed-by: Boris Brezillon Reviewed-by: Steven Price Fixes: 8a1cc07578bf ("drm/panthor: Add GEM logical block") Reviewed-by: Liviu Dudau Link: https://patch.msgid.link/20260408191228.537625-2-adrian.larumbe@collabora.com Signed-off-by: Adrián Larumbe --- drivers/gpu/drm/panthor/panthor_gem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/gpu/drm') diff --git a/drivers/gpu/drm/panthor/panthor_gem.c b/drivers/gpu/drm/panthor/panthor_gem.c index 4b4575dd6e90..bb14a1f3900a 100644 --- a/drivers/gpu/drm/panthor/panthor_gem.c +++ b/drivers/gpu/drm/panthor/panthor_gem.c @@ -157,7 +157,7 @@ void panthor_kernel_bo_destroy(struct panthor_kernel_bo *bo) /** * panthor_kernel_bo_create() - Create and map a GEM object to a VM * @ptdev: Device. - * @vm: VM to map the GEM to. If NULL, the kernel object is not GPU mapped. + * @vm: VM to map the GEM to. * @size: Size of the buffer object. * @bo_flags: Combination of drm_panthor_bo_flags flags. * @vm_map_flags: Combination of drm_panthor_vm_bind_op_flags (only those -- cgit v1.2.3 From ad3ac32a3893a2bbcad545efc005a8e4e7ecf10c Mon Sep 17 00:00:00 2001 From: Luca Ceresoli Date: Thu, 2 Apr 2026 18:42:20 +0200 Subject: drm/arcpgu: fix device node leak This function gets a device_node reference via of_graph_get_remote_port_parent() and stores it in encoder_node, but never puts that reference. Add it. There used to be a of_node_put(encoder_node) but it has been removed by mistake during a rework in commit 3ea66a794fdc ("drm/arc: Inline arcpgu_drm_hdmi_init"). Fixes: 3ea66a794fdc ("drm/arc: Inline arcpgu_drm_hdmi_init") Cc: stable@vger.kernel.org Reviewed-by: Louis Chauvet Link: https://patch.msgid.link/20260402-drm-arcgpu-fix-device-node-leak-v2-1-d773cf754ae5@bootlin.com Signed-off-by: Luca Ceresoli --- drivers/gpu/drm/tiny/arcpgu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'drivers/gpu/drm') diff --git a/drivers/gpu/drm/tiny/arcpgu.c b/drivers/gpu/drm/tiny/arcpgu.c index 505888497482..c93d61ac0bb7 100644 --- a/drivers/gpu/drm/tiny/arcpgu.c +++ b/drivers/gpu/drm/tiny/arcpgu.c @@ -250,7 +250,8 @@ DEFINE_DRM_GEM_DMA_FOPS(arcpgu_drm_ops); static int arcpgu_load(struct arcpgu_drm_private *arcpgu) { struct platform_device *pdev = to_platform_device(arcpgu->drm.dev); - struct device_node *encoder_node = NULL, *endpoint_node = NULL; + struct device_node *encoder_node __free(device_node) = NULL; + struct device_node *endpoint_node = NULL; struct drm_connector *connector = NULL; struct drm_device *drm = &arcpgu->drm; int ret; -- cgit v1.2.3 From be19b43f92fae4794f271ed9e338bdbcfa725aa2 Mon Sep 17 00:00:00 2001 From: Osama Abdelkader Date: Fri, 3 Apr 2026 16:52:05 +0200 Subject: drm/bridge: dw-mipi-dsi: Fix bridge leak when host attach fails dw_mipi_dsi_host_attach() and dw_mipi_dsi2_host_attach() call drm_bridge_add() before pdata->host_ops->attach(). If attach fails, the bridge stayed registered without drm_bridge_remove(), leaking the bridge reference and leaving the device on the global bridge list. Fixes: 90910a651123 ("drm/bridge/synopsys: dsi: add ability to have glue-specific attach and detach") Fixes: 0d6d86253fef ("drm/bridge/synopsys: Add MIPI DSI2 host controller bridge") Signed-off-by: Osama Abdelkader Reviewed-by: Luca Ceresoli Link: https://patch.msgid.link/20260403145208.15890-1-osama.abdelkader@gmail.com Signed-off-by: Luca Ceresoli --- drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c | 6 +++++- drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi2.c | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) (limited to 'drivers/gpu/drm') diff --git a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c index ca4dea226f4b..ef7be20a59cd 100644 --- a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c +++ b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi.c @@ -345,10 +345,14 @@ static int dw_mipi_dsi_host_attach(struct mipi_dsi_host *host, if (pdata->host_ops && pdata->host_ops->attach) { ret = pdata->host_ops->attach(pdata->priv_data, device); if (ret < 0) - return ret; + goto err_remove_bridge; } return 0; + +err_remove_bridge: + drm_bridge_remove(&dsi->bridge); + return ret; } static int dw_mipi_dsi_host_detach(struct mipi_dsi_host *host, diff --git a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi2.c b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi2.c index e6eaf9fd0251..a4bfd3ad166d 100644 --- a/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi2.c +++ b/drivers/gpu/drm/bridge/synopsys/dw-mipi-dsi2.c @@ -540,10 +540,14 @@ static int dw_mipi_dsi2_host_attach(struct mipi_dsi_host *host, if (pdata->host_ops && pdata->host_ops->attach) { ret = pdata->host_ops->attach(pdata->priv_data, device); if (ret < 0) - return ret; + goto err_remove_bridge; } return 0; + +err_remove_bridge: + drm_bridge_remove(&dsi2->bridge); + return ret; } static int dw_mipi_dsi2_host_detach(struct mipi_dsi_host *host, -- cgit v1.2.3 From 6597ff1d8de3f583be169587efeafd8af134e138 Mon Sep 17 00:00:00 2001 From: David Carlier Date: Sat, 11 Apr 2026 07:29:38 +0100 Subject: drm/nouveau: fix nvkm_device leak on aperture removal failure When aperture_remove_conflicting_pci_devices() fails during probe, the error path returns directly without unwinding the nvkm_device that was just allocated by nvkm_device_pci_new(). This leaks both the device wrapper and the pci_enable_device() reference taken inside it. Jump to the existing fail_nvkm label so nvkm_device_del() runs and balances both. The leak was introduced when the intermediate nvkm_device_del() between detection and aperture removal was dropped in favor of creating the pci device once. Fixes: c0bfe34330b5 ("drm/nouveau: create pci device once") Cc: stable@vger.kernel.org Signed-off-by: David Carlier Link: https://patch.msgid.link/20260411062938.22925-1-devnexen@gmail.com Signed-off-by: Danilo Krummrich --- drivers/gpu/drm/nouveau/nouveau_drm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/gpu/drm') diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c index 915f73279302..0c23398dd4f1 100644 --- a/drivers/gpu/drm/nouveau/nouveau_drm.c +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c @@ -874,7 +874,7 @@ static int nouveau_drm_probe(struct pci_dev *pdev, /* Remove conflicting drivers (vesafb, efifb etc). */ ret = aperture_remove_conflicting_pci_devices(pdev, driver_pci.name); if (ret) - return ret; + goto fail_nvkm; pci_set_master(pdev); -- cgit v1.2.3 From 6bf7969a145e13a3390143038fe82c52025aeb93 Mon Sep 17 00:00:00 2001 From: Melissa Wen Date: Wed, 18 Mar 2026 13:27:11 -0300 Subject: drm/drm_atomic: duplicate colorop states if plane color pipeline in use For suspend/resume to work correctly, do for colorop state the same we do for plane/crtc/connector states: duplicate the state of colorops in a color pipeline if it's in use by a given plane when suspending and restore cached colorop states when resuming. While at it, prevent unused-variable warning when using for_each_new_colorop_in_stage here. Fixes: 2afc3184f3b3 ("drm/plane: Add COLOR PIPELINE property") Reviewed-by: Harry Wentland Reviewed-by: Alex Hung Reviewed-by: Chaitanya Kumar Borah Signed-off-by: Melissa Wen Link: https://patch.msgid.link/20260318163629.300627-1-mwen@igalia.com Signed-off-by: Melissa Wen --- drivers/gpu/drm/drm_atomic_helper.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'drivers/gpu/drm') diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c index 75e87c0b51f7..3e0d99d39e63 100644 --- a/drivers/gpu/drm/drm_atomic_helper.c +++ b/drivers/gpu/drm/drm_atomic_helper.c @@ -3751,6 +3751,13 @@ drm_atomic_helper_duplicate_state(struct drm_device *dev, err = PTR_ERR(plane_state); goto free; } + + if (plane_state->color_pipeline) { + err = drm_atomic_add_affected_colorops(state, plane); + if (err) + goto free; + } + } drm_connector_list_iter_begin(dev, &conn_iter); @@ -3856,6 +3863,8 @@ int drm_atomic_helper_commit_duplicated_state(struct drm_atomic_state *state, int i, ret; struct drm_plane *plane; struct drm_plane_state *new_plane_state; + struct drm_colorop *colorop; + struct drm_colorop_state *new_colorop_state; struct drm_connector *connector; struct drm_connector_state *new_conn_state; struct drm_crtc *crtc; @@ -3863,6 +3872,9 @@ int drm_atomic_helper_commit_duplicated_state(struct drm_atomic_state *state, state->acquire_ctx = ctx; + for_each_new_colorop_in_state(state, colorop, new_colorop_state, i) + state->colorops[i].old_state = colorop->state; + for_each_new_plane_in_state(state, plane, new_plane_state, i) state->planes[i].old_state = plane->state; -- cgit v1.2.3 From 4a92ef0c57df610ba0b2eb7f308c5472020ce8ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Guido=20G=C3=BCnther?= Date: Fri, 17 Apr 2026 08:55:42 +0200 Subject: drm/panel: visionox-rm69299: Make use of prepare_prev_first MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The DSI link must be powered up to let panel driver to talk to the panel during prepare() callback execution. Set the prepare_prev_first flag to guarantee this. Fixes: 9e15123eca79 ("drm/msm/dsi: Stop unconditionally powering up DSI hosts at modeset") Signed-off-by: Guido Günther Signed-off-by: David Heidelberg Reviewed-by: Neil Armstrong Reviewed-by: Douglas Anderson Signed-off-by: Douglas Anderson Link: https://patch.msgid.link/20260417-axolotl-display-v2-1-8ce5341e46c2@ixit.cz --- drivers/gpu/drm/panel/panel-visionox-rm69299.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers/gpu/drm') diff --git a/drivers/gpu/drm/panel/panel-visionox-rm69299.c b/drivers/gpu/drm/panel/panel-visionox-rm69299.c index e5e688cf98fd..f1430370ff94 100644 --- a/drivers/gpu/drm/panel/panel-visionox-rm69299.c +++ b/drivers/gpu/drm/panel/panel-visionox-rm69299.c @@ -376,6 +376,8 @@ static int visionox_rm69299_probe(struct mipi_dsi_device *dsi) return PTR_ERR(ctx->reset_gpio); } + ctx->panel.prepare_prev_first = true; + ctx->panel.backlight = visionox_rm69299_create_backlight(ctx); if (IS_ERR(ctx->panel.backlight)) return dev_err_probe(dev, PTR_ERR(ctx->panel.backlight), -- cgit v1.2.3 From fb44d589bf3148e13452185a6e772a7efbf2d684 Mon Sep 17 00:00:00 2001 From: Ashutosh Desai Date: Wed, 15 Apr 2026 05:00:00 +0000 Subject: drm/v3d: Reject empty multisync extension to prevent infinite loop MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit v3d_get_extensions() walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referential extension (ext->next == &ext) with zero in_sync_count and out_sync_count, which bypasses the existing duplicate- extension guard: if (se->in_sync_count || se->out_sync_count) return -EINVAL; The guard never fires because v3d_get_multisync_post_deps() returns immediately when count is zero, leaving both fields at zero on every iteration. The result is an infinite loop in kernel context, blocking the calling thread and pegging a CPU core indefinitely. Fix this by rejecting a multisync extension where both in_sync_count and out_sync_count are zero in v3d_get_multisync_submit_deps(). An empty multisync carries no synchronization information and serves no useful purpose, so returning -EINVAL for such an extension is the correct defense against this attack vector. Fixes: e4165ae8304e ("drm/v3d: add multiple syncobjs support") Cc: stable@vger.kernel.org Signed-off-by: Ashutosh Desai Link: https://patch.msgid.link/20260415050000.3816128-1-ashutoshdesai993@gmail.com Signed-off-by: Maíra Canal --- drivers/gpu/drm/v3d/v3d_submit.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'drivers/gpu/drm') diff --git a/drivers/gpu/drm/v3d/v3d_submit.c b/drivers/gpu/drm/v3d/v3d_submit.c index 18f2bf1fe89f..fc74351efad5 100644 --- a/drivers/gpu/drm/v3d/v3d_submit.c +++ b/drivers/gpu/drm/v3d/v3d_submit.c @@ -393,6 +393,11 @@ v3d_get_multisync_submit_deps(struct drm_file *file_priv, if (multisync.pad) return -EINVAL; + if (!multisync.in_sync_count && !multisync.out_sync_count) { + drm_dbg(&v3d->drm, "Empty multisync extension\n"); + return -EINVAL; + } + ret = v3d_get_multisync_post_deps(file_priv, se, multisync.out_sync_count, multisync.out_syncs); if (ret) -- cgit v1.2.3 From 2fc87d37be1b730a149b035f9375fdb8cc5333a5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 20 Apr 2026 21:16:09 +0200 Subject: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check nouveau_gem_pushbuf_reloc_apply() validates each relocation with if (r->reloc_bo_offset + 4 > nvbo->bo.base.size) but reloc_bo_offset is __u32 (uapi/drm/nouveau_drm.h) and the integer literal 4 promotes to unsigned int, so the addition is performed in 32 bits and wraps before the comparison against the size_t bo size. Cast to u64 so the addition happens in 64-bit arithmetic. Cc: Lyude Paul Cc: Danilo Krummrich Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: David Airlie Cc: Simona Vetter Reported-by: Anthropic Cc: stable Assisted-by: gkh_clanker_t1000 Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16") Signed-off-by: Greg Kroah-Hartman [ Add Fixes: tag. - Danilo ] Signed-off-by: Danilo Krummrich --- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/gpu/drm') diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c index 82621ede42e1..20dba02d6175 100644 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c @@ -686,7 +686,7 @@ nouveau_gem_pushbuf_reloc_apply(struct nouveau_cli *cli, } nvbo = (void *)(unsigned long)bo[r->reloc_bo_index].user_priv; - if (unlikely(r->reloc_bo_offset + 4 > + if (unlikely((u64)r->reloc_bo_offset + 4 > nvbo->bo.base.size)) { NV_PRINTK(err, cli, "reloc outside of bo\n"); ret = -EINVAL; -- cgit v1.2.3