lwn.git/drivers/gpu/drm, branch master

drm/gem: fix race between change_handle and handle_delete

2026-05-29T21:01:39+00:00

drm_gem_change_handle_ioctl leaves the old handle live in the IDR during the window between spin_unlock(table_lock) and the final spin_lock(table_lock). A concurrent drm_gem_handle_delete on the old handle succeeds in this window, decrements handle_count to 0, and frees the GEM object while the new handle's IDR entry still references it. NULL the old handle's IDR entry before dropping table_lock so that any concurrent GEM_CLOSE on the old handle sees NULL and returns -EINVAL. Restore the old entry on the prime-bookkeeping error path. Fixes: 5e28b7b94408 ("drm: Set old handle to NULL before prime swap in change_handle") Signed-off-by: Zhenghang Xiao Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie Link: https://patch.msgid.link/20260526085313.26791-1-kipreyyy@gmail.com

Merge tag 'drm-misc-fixes-2026-05-29' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes

2026-05-29T20:40:28+00:00

Short summary of fixes pull: amdxdna: - require IOMMU on AIE2 dumb-buffer: - prevent overflows in dumb-buffer creation dma-buf: - fix UAF in dma_buf_fd() tracepoint hyperv: - improve protocol validation ivpu: - test write offset in debugfs rocket: - fix UAF in bo creation Signed-off-by: Dave Airlie From: Thomas Zimmermann Link: https://patch.msgid.link/20260529070009.GA313534@linux.fritz.box

drm: prevent integer overflows in dumb buffer creation helpers

2026-05-29T06:30:47+00:00

Fix integer overflow issues in the dumb buffer creation path: 1. drm_mode_create_dumb() does not bound width, height, or bpp before passing them to driver callbacks. Downstream helpers (e.g. drm_gem_dma_dumb_create_internal) perform pitch/size alignment in u32 arithmetic that can overflow for extreme values. Add hard limits: width and height < 8192, bpp <= 32. No legitimate software rendering use case exceeds these. 2. drm_mode_align_dumb() uses roundup(pitch, hw_pitch_align) without checking for overflow. If pitch is near U32_MAX, roundup() wraps to a small value, making subsequent check_mul_overflow() pass with a much smaller pitch than intended. Add an overflow check after roundup. 3. drm_mode_align_dumb() uses ALIGN(size, hw_size_align) which only works correctly for power-of-two alignment values. Replace with roundup() which works for any alignment. Suggested-by: Thomas Zimmermann Signed-off-by: Rajat Gupta Signed-off-by: Thomas Zimmermann

Merge tag 'amd-drm-fixes-7.1-2026-05-28' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes

2026-05-29T01:55:26+00:00

amd-drm-fixes-7.1-2026-05-28: amdgpu: - GEM_OP warning fix - GEM_OP locking fix - Userq fixes - DCN 2.1 refclk fix - SI fix - HMM fixes amdkfd: - svm_range_set_attr locking fix - CRIU restore fix - KFD debugger fix Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patch.msgid.link/20260528211843.893681-1-alexander.deucher@amd.com

Merge tag 'drm-xe-fixes-2026-05-28' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes

2026-05-29T01:28:58+00:00

- Restore IDLEDLY regiter on engine reset (Bala) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patch.msgid.link/ahhBUt8fDqjB-mQq@intel.com

drm/amdgpu: fix calling VM invalidation in amdgpu_hmm_invalidate_gfx

2026-05-27T16:06:26+00:00

Otherwise we don't invalidate page tables on next CS. Signed-off-by: Christian König Reviewed-by: Vitaly Prosyak Tested-by: Vitaly Prosyak Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher (cherry picked from commit b6444d1bcbc34f6f2a31a3aab3059be082f3683e) Cc: stable@vger.kernel.org

drm/amdgpu: fix amdgpu_hmm_range_get_pages

2026-05-27T16:02:23+00:00

The notifier sequence must only be read once or otherwise we could work with invalid pages. While at it also fix the coding style, e.g. drop the pre-initialized return value and use the common define for 2G range. Signed-off-by: Christian König Reviewed-by: Vitaly Prosyak Tested-by: Vitaly Prosyak Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher (cherry picked from commit c08972f555945cda57b0adb72272a37910153390) Cc: stable@vger.kernel.org

drm/amdgpu/userq: use array instead of list for userq_vas

2026-05-27T16:01:42+00:00

Use arrays instead of list for userq_vas since we have fixed no of bos. Also, we dont have to worry to free that memory later since this array would be free along with queue only. Signed-off-by: Sunil Khatri Reviewed-by: Christian König Signed-off-by: Alex Deucher (cherry picked from commit ef7dc711a664b0c548ecfdf13a00436b7446b8e7)

drm/amdgpu/userq: move mqd_destroy to later stage to keep core obj valid

2026-05-27T16:01:35+00:00

mqd_destroy cleans up queue core objects like mqd and fw_object which are needed for any pending fence to signal properly. Signed-off-by: Sunil Khatri Reviewed-by: Christian König Signed-off-by: Alex Deucher (cherry picked from commit 4ad65d610096498c8e265615aba42b3c47441bb5)

drm/amdkfd: fix a vulnerability of integer overflow in kfd debugger

2026-05-27T16:01:13+00:00

get_queue_ids() computes array_size = num_queues * sizeof(uint32_t), which could overflow on 32-bit size_t build. using array_size() instead, it saturates to SIZE_MAX on overflow. Signed-off-by: Eric Huang Acked-by: Alex Deucher Signed-off-by: Alex Deucher (cherry picked from commit 2d57a0475f085c08b49312dfd8edcb461845f285) Cc: stable@vger.kernel.org