From e5478166dffb51fa64e76cdbb5c24421f22f2d43 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Fri, 11 Jul 2025 09:24:53 +0200 Subject: [PATCH 1/2] drm/nouveau: check ioctl command codes better nouveau_drm_ioctl() only checks the _IOC_NR() bits in the DRM_NOUVEAU_NVIF command, but ignores the type and direction bits, so any command with '7' in the low eight bits gets passed into nouveau_abi16_ioctl() instead of drm_ioctl(). Check for all the bits except the size that is handled inside of the handler. Fixes: 27111a23d01c ("drm/nouveau: expose the full object/event interfaces to userspace") Signed-off-by: Arnd Bergmann [ Fix up two checkpatch warnings and a typo. - Danilo ] Signed-off-by: Danilo Krummrich Link: https://lore.kernel.org/r/20250711072458.2665325-1-arnd@kernel.org --- drivers/gpu/drm/nouveau/nouveau_drm.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c index 1527b801f013..7bb64fcdd497 100644 --- a/drivers/gpu/drm/nouveau/nouveau_drm.c +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c @@ -1284,6 +1284,9 @@ nouveau_ioctls[] = { DRM_IOCTL_DEF_DRV(NOUVEAU_EXEC, nouveau_exec_ioctl_exec, DRM_RENDER_ALLOW), }; +#define DRM_IOCTL_NOUVEAU_NVIF _IOC(_IOC_READ | _IOC_WRITE, DRM_IOCTL_BASE, \ + DRM_COMMAND_BASE + DRM_NOUVEAU_NVIF, 0) + long nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { @@ -1297,14 +1300,10 @@ nouveau_drm_ioctl(struct file *file, unsigned int cmd, unsigned long arg) return ret; } - switch (_IOC_NR(cmd) - DRM_COMMAND_BASE) { - case DRM_NOUVEAU_NVIF: + if ((cmd & ~IOCSIZE_MASK) == DRM_IOCTL_NOUVEAU_NVIF) ret = nouveau_abi16_ioctl(filp, (void __user *)arg, _IOC_SIZE(cmd)); - break; - default: + else ret = drm_ioctl(file, cmd, arg); - break; - } pm_runtime_mark_last_busy(dev->dev); pm_runtime_put_autosuspend(dev->dev); From cb345f954eacd162601e7d07ca2f0f0a17b54ee3 Mon Sep 17 00:00:00 2001 From: Philipp Stanner Date: Wed, 9 Jul 2025 12:29:58 +0200 Subject: [PATCH 2/2] drm/panfrost: Fix scheduler workqueue bug When the GPU scheduler was ported to using a struct for its initialization parameters, it was overlooked that panfrost creates a distinct workqueue for timeout handling. The pointer to this new workqueue is not initialized to the struct, resulting in NULL being passed to the scheduler, which then uses the system_wq for timeout handling. Set the correct workqueue to the init args struct. Cc: stable@vger.kernel.org # 6.15+ Fixes: 796a9f55a8d1 ("drm/sched: Use struct for drm_sched_init() params") Reported-by: Tvrtko Ursulin Closes: https://lore.kernel.org/dri-devel/b5d0921c-7cbf-4d55-aa47-c35cd7861c02@igalia.com/ Signed-off-by: Philipp Stanner Reviewed-by: Tvrtko Ursulin Reviewed-by: Steven Price Signed-off-by: Steven Price Link: https://lore.kernel.org/r/20250709102957.100849-2-phasta@kernel.org --- drivers/gpu/drm/panfrost/panfrost_job.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/panfrost/panfrost_job.c b/drivers/gpu/drm/panfrost/panfrost_job.c index 5657106c2f7d..15e2d505550f 100644 --- a/drivers/gpu/drm/panfrost/panfrost_job.c +++ b/drivers/gpu/drm/panfrost/panfrost_job.c @@ -841,7 +841,6 @@ int panfrost_job_init(struct panfrost_device *pfdev) .num_rqs = DRM_SCHED_PRIORITY_COUNT, .credit_limit = 2, .timeout = msecs_to_jiffies(JOB_TIMEOUT_MS), - .timeout_wq = pfdev->reset.wq, .name = "pan_js", .dev = pfdev->dev, }; @@ -879,6 +878,7 @@ int panfrost_job_init(struct panfrost_device *pfdev) pfdev->reset.wq = alloc_ordered_workqueue("panfrost-reset", 0); if (!pfdev->reset.wq) return -ENOMEM; + args.timeout_wq = pfdev->reset.wq; for (j = 0; j < NUM_JOB_SLOTS; j++) { js->queue[j].fence_context = dma_fence_context_alloc(1);