kernel/linux.git/drivers/gpu/drm/v3d, branch v7.1-rc6

drm/v3d: Release indirect CSD GEM reference on CPU job free

2026-05-18T22:59:51+00:00

v3d_get_cpu_indirect_csd_params() takes a reference to the indirect BO via drm_gem_object_lookup() and stashes it in cpu_job->indirect_csd.indirect, but nothing on the CPU job teardown path ever drops that reference. Drop the extra reference in v3d_cpu_job_free(). The NULL check covers ioctl errors before the lookup ran and CPU job types other than V3D_CPU_JOB_TYPE_INDIRECT_CSD, which leave the field zero-initialised. Cc: stable@vger.kernel.org Fixes: 18b8413b25b7 ("drm/v3d: Create a CPU job extension for a indirect CSD job") Assisted-by: Claude:claude-opus-4.7 Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260515-v3d-cpu-job-leaks-v1-2-7f147cbbf935@igalia.com Signed-off-by: Maíra Canal

drm/v3d: Fix use-after-free of CPU job query arrays on error path

2026-05-18T22:59:46+00:00

The CPU job ioctl's fail label calls kvfree() on cpu_job's timestamp and performance query arrays after v3d_job_cleanup(), which drops the job's last reference and frees cpu_job. Reading cpu_job at that point is a use-after-free. Also, on the early v3d_job_init() failure path, it is a NULL dereference, since v3d_job_deallocate() zeroes the local pointer. In the success path, the arrays are released from the scheduler's .free_job callback, but on the error path, they are freed manually, as the job was never pushed to the scheduler. While the success path deals with this correctly, the fail path doesn't. On top of that, the manual kvfree() calls only free the array storage; they don't drm_syncobj_put() the per-query syncobjs that v3d_timestamp_query_info_free() and v3d_performance_query_info_free() release on the success path. So the same fail path that triggers the use-after-free also leaks one syncobj reference per query. Unify the CPU job teardown into the CPU job's kref destructor, mirroring v3d_render_job_free(). The scheduler's .free_job slot reverts to the generic v3d_sched_job_free() and the fail label drops the manual kvfree() calls, leaving a single teardown path that is reached from both the scheduler and the ioctl error path. That removes the use-after-free, the NULL dereference, and the syncobj leak by construction. Cc: stable@vger.kernel.org Fixes: 9ba0ff3e083f ("drm/v3d: Create a CPU job extension for the timestamp query job") Assisted-by: Claude:claude-opus-4.7 Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260515-v3d-cpu-job-leaks-v1-1-7f147cbbf935@igalia.com Signed-off-by: Maíra Canal

Merge tag 'drm-fixes-2026-04-24' of https://gitlab.freedesktop.org/drm/kernel

2026-04-24T18:44:52+00:00

Pull more drm fixes from Dave Airlie: "These are the regular fixes that have built up over last couple of weeks, all pretty minor and spread all over. atomic: - raise the vblank timeout to avoid it on virtual drivers - fix colorop duplication bridge: - stm_lvds: state check fix - dw-mipi-dsi: bridge reference leak fix panel: - visionx-rm69299: init fix dma-fence: - fix sparse warning dma-buf: - UAF fix panthor: - mapping fix arcgpu: - device_node reference leak fix nouveau: - memory leak in error path fix - overflow in reloc path for old hw fix hv: - Kconfig fix v3d: - infinite loop fix" * tag 'drm-fixes-2026-04-24' of https://gitlab.freedesktop.org/drm/kernel: drm/nouveau: fix u32 overflow in pushbuf reloc bounds check MAINTAINERS: split hisilicon maintenance and add Yongbang Shi for hibmc-drm matainers drm/v3d: Reject empty multisync extension to prevent infinite loop drm/panel: visionox-rm69299: Make use of prepare_prev_first drm/drm_atomic: duplicate colorop states if plane color pipeline in use drm/nouveau: fix nvkm_device leak on aperture removal failure hv: Select CONFIG_SYSFB only for CONFIG_HYPERV_VMBUS dma-fence: Silence sparse warning in dma_fence_describe drm/bridge: dw-mipi-dsi: Fix bridge leak when host attach fails drm/arcpgu: fix device node leak drm/panthor: Fix outdated function documentation drm/panthor: Extend VM locked region for remap case to be a superset dma-buf: fix UAF in dma_buf_put() tracepoint drm/bridge: stm_lvds: Do not fail atomic_check on disabled connector drm/atomic: Increase timeout in drm_atomic_helper_wait_for_vblanks()

drm/v3d: Reject empty multisync extension to prevent infinite loop

2026-04-19T22:07:29+00:00

v3d_get_extensions() walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referential extension (ext->next == &ext) with zero in_sync_count and out_sync_count, which bypasses the existing duplicate- extension guard: if (se->in_sync_count || se->out_sync_count) return -EINVAL; The guard never fires because v3d_get_multisync_post_deps() returns immediately when count is zero, leaving both fields at zero on every iteration. The result is an infinite loop in kernel context, blocking the calling thread and pegging a CPU core indefinitely. Fix this by rejecting a multisync extension where both in_sync_count and out_sync_count are zero in v3d_get_multisync_submit_deps(). An empty multisync carries no synchronization information and serves no useful purpose, so returning -EINVAL for such an extension is the correct defense against this attack vector. Fixes: e4165ae8304e ("drm/v3d: add multiple syncobjs support") Cc: stable@vger.kernel.org Signed-off-by: Ashutosh Desai Link: https://patch.msgid.link/20260415050000.3816128-1-ashutoshdesai993@gmail.com Signed-off-by: Maíra Canal

drm/v3d: Remove dedicated fence_lock

2026-03-13T21:02:32+00:00

Commit adefb2ccea1e ("drm/v3d: create a dedicated lock for dma fence") split `fence_lock` from `queue_lock` because v3d_job_update_stats() was taking `queue_lock` to protect `job->file_priv` during stats collection in the IRQ handler. Using the same lock for both DMA fence signaling and stats protection in a IRQ context caused issues on PREEMPT_RT. Since then, the stats infrastructure has been reworked: v3d_stats is now refcounted and jobs hold their own references to stats objects, so v3d_job_update_stats() no longer takes `queue_lock` at all. With the original reason for the split gone, merge `fence_lock` back into `queue_lock` to simplify the locking scheme. Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260306-v3d-reset-locking-improv-v3-6-49864fe00692@igalia.com Signed-off-by: Maíra Canal

drm/v3d: Attach per-fd reset counters to v3d_stats

2026-03-13T21:02:32+00:00

To remove the file_priv NULL-ing dance needed to check if the file descriptor is open, move the per-fd reset counter into v3d_stats, which is heap-allocated and refcounted, outliving the fd as long as jobs reference it. This change allows the removal of the last `queue_lock` usage to protect `job->file_priv` and avoids possible NULL ptr dereference issues due to lifetime mismatches. Also, to simplify locking, replace both the global and per-fd locked reset counters with atomics. Signed-off-by: Tvrtko Ursulin Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260306-v3d-reset-locking-improv-v3-5-49864fe00692@igalia.com Co-developed-by: Maíra Canal Signed-off-by: Maíra Canal

drm/v3d: Hold v3d_stats references in each job

2026-03-13T21:02:32+00:00

Have each job hold its own references to the per-fd and global stats objects. This eliminates the need for `queue_lock` protection in the stats update path, since the job's stats pointers are guaranteed to remain valid for the job's entire lifetime regardless of file descriptor closure. Signed-off-by: Tvrtko Ursulin Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260306-v3d-reset-locking-improv-v3-4-49864fe00692@igalia.com Co-developed-by: Maíra Canal Signed-off-by: Maíra Canal

drm/v3d: Refcount v3d_stats

2026-03-13T21:02:32+00:00

Convert `v3d_stats` from embedded structs to heap-allocated, refcounted objects. This decouples the stats lifetime from the containing structures (this is, `v3d_queue_state` and `v3d_file_priv`), allowing jobs to safely hold their own references to stats objects even after the file descriptor is closed. Signed-off-by: Tvrtko Ursulin Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260306-v3d-reset-locking-improv-v3-3-49864fe00692@igalia.com Co-developed-by: Maíra Canal Signed-off-by: Maíra Canal

drm/v3d: Use raw seqcount helpers instead of fighting with lockdep

2026-03-13T21:02:32+00:00

The `v3d_stats` sequence counter uses regular seqcount helpers, which carry lockdep annotations that expect a consistent IRQ context between all writers. However, lockdep is unable to detect that v3d's readers are never in IRQ or softirq context, and that for CPU job queues, even the write side never is. This led to false positive that were previously worked around by conditionally disabling local IRQs under IS_ENABLED(CONFIG_LOCKDEP). Switch to the raw seqcount helpers which skip lockdep tracking entirely. This is safe because jobs are fully serialized per queue: the next job can only be queued after the previous one has been signaled, so there is no scope for the start and update paths to race on the same seqcount. Signed-off-by: Tvrtko Ursulin Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260306-v3d-reset-locking-improv-v3-2-49864fe00692@igalia.com Co-developed-by: Maíra Canal Signed-off-by: Maíra Canal

drm/v3d: Handle error from drm_sched_entity_init()

2026-03-13T21:02:27+00:00

drm_sched_entity_init() can fail but its return value is currently being ignored in v3d_open(). Check the return value and properly unwind on failure by destroying any already-initialized scheduler entities. Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+") Reviewed-by: Iago Toral Quiroga Link: https://patch.msgid.link/20260306-v3d-reset-locking-improv-v3-1-49864fe00692@igalia.com Signed-off-by: Maíra Canal