--- /dev/null
+From 15c2990e0f0108b9c3752d7072a97d45d4283aea Mon Sep 17 00:00:00 2001
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Date: Mon, 27 May 2024 20:15:21 +0530
+Subject: drm/amd/display: Add null checks for 'stream' and 'plane' before dereferencing
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+commit 15c2990e0f0108b9c3752d7072a97d45d4283aea upstream.
+
+This commit adds null checks for the 'stream' and 'plane' variables in
+the dcn30_apply_idle_power_optimizations function. These variables were
+previously assumed to be null at line 922, but they were used later in
+the code without checking if they were null. This could potentially lead
+to a null pointer dereference, which would cause a crash.
+
+The null checks ensure that 'stream' and 'plane' are not null before
+they are used, preventing potential crashes.
+
+Fixes the below static smatch checker:
+drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:938 dcn30_apply_idle_power_optimizations() error: we previously assumed 'stream' could be null (see line 922)
+drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:940 dcn30_apply_idle_power_optimizations() error: we previously assumed 'plane' could be null (see line 922)
+
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Cc: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Cc: Bhawanpreet Lakha <Bhawanpreet.Lakha@amd.com>
+Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Cc: Roman Li <roman.li@amd.com>
+Cc: Hersen Wu <hersenxs.wu@amd.com>
+Cc: Alex Hung <alex.hung@amd.com>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Cc: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Zhi Yang <Zhi.Yang@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c
+@@ -784,6 +784,9 @@ bool dcn30_apply_idle_power_optimization
+ stream = dc->current_state->streams[0];
+ plane = (stream ? dc->current_state->stream_status[0].plane_states[0] : NULL);
+
++ if (!stream || !plane)
++ return false;
++
+ if (stream && plane) {
+ cursor_cache_enable = stream->cursor_position.enable &&
+ plane->address.grph.cursor_cache_addr.quad_part;
--- /dev/null
+From 63de35a8fcfca59ae8750d469a7eb220c7557baf Mon Sep 17 00:00:00 2001
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Date: Wed, 25 Sep 2024 20:04:15 +0530
+Subject: drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+commit 63de35a8fcfca59ae8750d469a7eb220c7557baf upstream.
+
+An issue was identified in the dcn21_link_encoder_create function where
+an out-of-bounds access could occur when the hpd_source index was used
+to reference the link_enc_hpd_regs array. This array has a fixed size
+and the index was not being checked against the array's bounds before
+accessing it.
+
+This fix adds a conditional check to ensure that the hpd_source index is
+within the valid range of the link_enc_hpd_regs array. If the index is
+out of bounds, the function now returns NULL to prevent undefined
+behavior.
+
+References:
+
+[ 65.920507] ------------[ cut here ]------------
+[ 65.920510] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn21/dcn21_resource.c:1312:29
+[ 65.920519] index 7 is out of range for type 'dcn10_link_enc_hpd_registers [5]'
+[ 65.920523] CPU: 3 PID: 1178 Comm: modprobe Tainted: G OE 6.8.0-cleanershaderfeatureresetasdntipmi200nv2132 #13
+[ 65.920525] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS WMJ0429N_Weekly_20_04_2 04/29/2020
+[ 65.920527] Call Trace:
+[ 65.920529] <TASK>
+[ 65.920532] dump_stack_lvl+0x48/0x70
+[ 65.920541] dump_stack+0x10/0x20
+[ 65.920543] __ubsan_handle_out_of_bounds+0xa2/0xe0
+[ 65.920549] dcn21_link_encoder_create+0xd9/0x140 [amdgpu]
+[ 65.921009] link_create+0x6d3/0xed0 [amdgpu]
+[ 65.921355] create_links+0x18a/0x4e0 [amdgpu]
+[ 65.921679] dc_create+0x360/0x720 [amdgpu]
+[ 65.921999] ? dmi_matches+0xa0/0x220
+[ 65.922004] amdgpu_dm_init+0x2b6/0x2c90 [amdgpu]
+[ 65.922342] ? console_unlock+0x77/0x120
+[ 65.922348] ? dev_printk_emit+0x86/0xb0
+[ 65.922354] dm_hw_init+0x15/0x40 [amdgpu]
+[ 65.922686] amdgpu_device_init+0x26a8/0x33a0 [amdgpu]
+[ 65.922921] amdgpu_driver_load_kms+0x1b/0xa0 [amdgpu]
+[ 65.923087] amdgpu_pci_probe+0x1b7/0x630 [amdgpu]
+[ 65.923087] local_pci_probe+0x4b/0xb0
+[ 65.923087] pci_device_probe+0xc8/0x280
+[ 65.923087] really_probe+0x187/0x300
+[ 65.923087] __driver_probe_device+0x85/0x130
+[ 65.923087] driver_probe_device+0x24/0x110
+[ 65.923087] __driver_attach+0xac/0x1d0
+[ 65.923087] ? __pfx___driver_attach+0x10/0x10
+[ 65.923087] bus_for_each_dev+0x7d/0xd0
+[ 65.923087] driver_attach+0x1e/0x30
+[ 65.923087] bus_add_driver+0xf2/0x200
+[ 65.923087] driver_register+0x64/0x130
+[ 65.923087] ? __pfx_amdgpu_init+0x10/0x10 [amdgpu]
+[ 65.923087] __pci_register_driver+0x61/0x70
+[ 65.923087] amdgpu_init+0x7d/0xff0 [amdgpu]
+[ 65.923087] do_one_initcall+0x49/0x310
+[ 65.923087] ? kmalloc_trace+0x136/0x360
+[ 65.923087] do_init_module+0x6a/0x270
+[ 65.923087] load_module+0x1fce/0x23a0
+[ 65.923087] init_module_from_file+0x9c/0xe0
+[ 65.923087] ? init_module_from_file+0x9c/0xe0
+[ 65.923087] idempotent_init_module+0x179/0x230
+[ 65.923087] __x64_sys_finit_module+0x5d/0xa0
+[ 65.923087] do_syscall_64+0x76/0x120
+[ 65.923087] entry_SYSCALL_64_after_hwframe+0x6e/0x76
+[ 65.923087] RIP: 0033:0x7f2d80f1e88d
+[ 65.923087] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48
+[ 65.923087] RSP: 002b:00007ffc7bc1aa78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 65.923087] RAX: ffffffffffffffda RBX: 0000564c9c1db130 RCX: 00007f2d80f1e88d
+[ 65.923087] RDX: 0000000000000000 RSI: 0000564c9c1e5480 RDI: 000000000000000f
+[ 65.923087] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000002
+[ 65.923087] R10: 000000000000000f R11: 0000000000000246 R12: 0000564c9c1e5480
+[ 65.923087] R13: 0000564c9c1db260 R14: 0000000000000000 R15: 0000564c9c1e54b0
+[ 65.923087] </TASK>
+[ 65.923927] ---[ end trace ]---
+
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Cc: Roman Li <roman.li@amd.com>
+Cc: Alex Hung <alex.hung@amd.com>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Cc: Harry Wentland <harry.wentland@amd.com>
+Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Roman Li <roman.li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+@@ -1852,7 +1852,7 @@ static struct link_encoder *dcn21_link_e
+ kzalloc(sizeof(struct dcn21_link_encoder), GFP_KERNEL);
+ int link_regs_id;
+
+- if (!enc21)
++ if (!enc21 || enc_init_data->hpd_source >= ARRAY_SIZE(link_enc_hpd_regs))
+ return NULL;
+
+ link_regs_id =
--- /dev/null
+From cf8b16857db702ceb8d52f9219a4613363e2b1cf Mon Sep 17 00:00:00 2001
+From: Hersen Wu <hersenxs.wu@amd.com>
+Date: Wed, 24 Apr 2024 16:15:15 -0400
+Subject: drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links
+
+From: Hersen Wu <hersenxs.wu@amd.com>
+
+commit cf8b16857db702ceb8d52f9219a4613363e2b1cf upstream.
+
+[Why]
+Coverity report OVERRUN warning. There are
+only max_links elements within dc->links. link
+count could up to AMDGPU_DM_MAX_DISPLAY_INDEX 31.
+
+[How]
+Make sure link count less than max_links.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+[Minor conflict resolved due to code context change. And the macro MAX_LINKS
+ is introduced by Commit 60df5628144b ("drm/amd/display: handle invalid
+ connector indices") after 6.10. So here we still use the original array
+ length MAX_PIPES * 2]
+Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -4321,17 +4321,17 @@ static int amdgpu_dm_initialize_drm_devi
+ }
+ #endif
+
++ if (link_cnt > (MAX_PIPES * 2)) {
++ DRM_ERROR(
++ "KMS: Cannot support more than %d display indexes\n",
++ MAX_PIPES * 2);
++ goto fail;
++ }
++
+ /* loops over all connectors on the board */
+ for (i = 0; i < link_cnt; i++) {
+ struct dc_link *link = NULL;
+
+- if (i > AMDGPU_DM_MAX_DISPLAY_INDEX) {
+- DRM_ERROR(
+- "KMS: Cannot support more than %d display indexes\n",
+- AMDGPU_DM_MAX_DISPLAY_INDEX);
+- continue;
+- }
+-
+ aconnector = kzalloc(sizeof(*aconnector), GFP_KERNEL);
+ if (!aconnector)
+ goto fail;
--- /dev/null
+From b61badd20b443eabe132314669bb51a263982e5c Mon Sep 17 00:00:00 2001
+From: Vitaly Prosyak <vitaly.prosyak@amd.com>
+Date: Mon, 11 Nov 2024 17:24:08 -0500
+Subject: drm/amdgpu: fix usage slab after free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Vitaly Prosyak <vitaly.prosyak@amd.com>
+
+commit b61badd20b443eabe132314669bb51a263982e5c upstream.
+
+[ +0.000021] BUG: KASAN: slab-use-after-free in drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]
+[ +0.000027] Read of size 8 at addr ffff8881b8605f88 by task amd_pci_unplug/2147
+
+[ +0.000023] CPU: 6 PID: 2147 Comm: amd_pci_unplug Not tainted 6.10.0+ #1
+[ +0.000016] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020
+[ +0.000016] Call Trace:
+[ +0.000008] <TASK>
+[ +0.000009] dump_stack_lvl+0x76/0xa0
+[ +0.000017] print_report+0xce/0x5f0
+[ +0.000017] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]
+[ +0.000019] ? srso_return_thunk+0x5/0x5f
+[ +0.000015] ? kasan_complete_mode_report_info+0x72/0x200
+[ +0.000016] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]
+[ +0.000019] kasan_report+0xbe/0x110
+[ +0.000015] ? drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]
+[ +0.000023] __asan_report_load8_noabort+0x14/0x30
+[ +0.000014] drm_sched_entity_flush+0x6cb/0x7a0 [gpu_sched]
+[ +0.000020] ? srso_return_thunk+0x5/0x5f
+[ +0.000013] ? __kasan_check_write+0x14/0x30
+[ +0.000016] ? __pfx_drm_sched_entity_flush+0x10/0x10 [gpu_sched]
+[ +0.000020] ? srso_return_thunk+0x5/0x5f
+[ +0.000013] ? __kasan_check_write+0x14/0x30
+[ +0.000013] ? srso_return_thunk+0x5/0x5f
+[ +0.000013] ? enable_work+0x124/0x220
+[ +0.000015] ? __pfx_enable_work+0x10/0x10
+[ +0.000013] ? srso_return_thunk+0x5/0x5f
+[ +0.000014] ? free_large_kmalloc+0x85/0xf0
+[ +0.000016] drm_sched_entity_destroy+0x18/0x30 [gpu_sched]
+[ +0.000020] amdgpu_vce_sw_fini+0x55/0x170 [amdgpu]
+[ +0.000735] ? __kasan_check_read+0x11/0x20
+[ +0.000016] vce_v4_0_sw_fini+0x80/0x110 [amdgpu]
+[ +0.000726] amdgpu_device_fini_sw+0x331/0xfc0 [amdgpu]
+[ +0.000679] ? mutex_unlock+0x80/0xe0
+[ +0.000017] ? __pfx_amdgpu_device_fini_sw+0x10/0x10 [amdgpu]
+[ +0.000662] ? srso_return_thunk+0x5/0x5f
+[ +0.000014] ? __kasan_check_write+0x14/0x30
+[ +0.000013] ? srso_return_thunk+0x5/0x5f
+[ +0.000013] ? mutex_unlock+0x80/0xe0
+[ +0.000016] amdgpu_driver_release_kms+0x16/0x80 [amdgpu]
+[ +0.000663] drm_minor_release+0xc9/0x140 [drm]
+[ +0.000081] drm_release+0x1fd/0x390 [drm]
+[ +0.000082] __fput+0x36c/0xad0
+[ +0.000018] __fput_sync+0x3c/0x50
+[ +0.000014] __x64_sys_close+0x7d/0xe0
+[ +0.000014] x64_sys_call+0x1bc6/0x2680
+[ +0.000014] do_syscall_64+0x70/0x130
+[ +0.000014] ? srso_return_thunk+0x5/0x5f
+[ +0.000014] ? irqentry_exit_to_user_mode+0x60/0x190
+[ +0.000015] ? srso_return_thunk+0x5/0x5f
+[ +0.000014] ? irqentry_exit+0x43/0x50
+[ +0.000012] ? srso_return_thunk+0x5/0x5f
+[ +0.000013] ? exc_page_fault+0x7c/0x110
+[ +0.000015] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ +0.000014] RIP: 0033:0x7ffff7b14f67
+[ +0.000013] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff
+[ +0.000026] RSP: 002b:00007fffffffe378 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
+[ +0.000019] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffff7b14f67
+[ +0.000014] RDX: 0000000000000000 RSI: 00007ffff7f6f47a RDI: 0000000000000003
+[ +0.000014] RBP: 00007fffffffe3a0 R08: 0000555555569890 R09: 0000000000000000
+[ +0.000014] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffffffe5c8
+[ +0.000013] R13: 00005555555552a9 R14: 0000555555557d48 R15: 00007ffff7ffd040
+[ +0.000020] </TASK>
+
+[ +0.000016] Allocated by task 383 on cpu 7 at 26.880319s:
+[ +0.000014] kasan_save_stack+0x28/0x60
+[ +0.000008] kasan_save_track+0x18/0x70
+[ +0.000007] kasan_save_alloc_info+0x38/0x60
+[ +0.000007] __kasan_kmalloc+0xc1/0xd0
+[ +0.000007] kmalloc_trace_noprof+0x180/0x380
+[ +0.000007] drm_sched_init+0x411/0xec0 [gpu_sched]
+[ +0.000012] amdgpu_device_init+0x695f/0xa610 [amdgpu]
+[ +0.000658] amdgpu_driver_load_kms+0x1a/0x120 [amdgpu]
+[ +0.000662] amdgpu_pci_probe+0x361/0xf30 [amdgpu]
+[ +0.000651] local_pci_probe+0xe7/0x1b0
+[ +0.000009] pci_device_probe+0x248/0x890
+[ +0.000008] really_probe+0x1fd/0x950
+[ +0.000008] __driver_probe_device+0x307/0x410
+[ +0.000007] driver_probe_device+0x4e/0x150
+[ +0.000007] __driver_attach+0x223/0x510
+[ +0.000006] bus_for_each_dev+0x102/0x1a0
+[ +0.000007] driver_attach+0x3d/0x60
+[ +0.000006] bus_add_driver+0x2ac/0x5f0
+[ +0.000006] driver_register+0x13d/0x490
+[ +0.000008] __pci_register_driver+0x1ee/0x2b0
+[ +0.000007] llc_sap_close+0xb0/0x160 [llc]
+[ +0.000009] do_one_initcall+0x9c/0x3e0
+[ +0.000008] do_init_module+0x241/0x760
+[ +0.000008] load_module+0x51ac/0x6c30
+[ +0.000006] __do_sys_init_module+0x234/0x270
+[ +0.000007] __x64_sys_init_module+0x73/0xc0
+[ +0.000006] x64_sys_call+0xe3/0x2680
+[ +0.000006] do_syscall_64+0x70/0x130
+[ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[ +0.000015] Freed by task 2147 on cpu 6 at 160.507651s:
+[ +0.000013] kasan_save_stack+0x28/0x60
+[ +0.000007] kasan_save_track+0x18/0x70
+[ +0.000007] kasan_save_free_info+0x3b/0x60
+[ +0.000007] poison_slab_object+0x115/0x1c0
+[ +0.000007] __kasan_slab_free+0x34/0x60
+[ +0.000007] kfree+0xfa/0x2f0
+[ +0.000007] drm_sched_fini+0x19d/0x410 [gpu_sched]
+[ +0.000012] amdgpu_fence_driver_sw_fini+0xc4/0x2f0 [amdgpu]
+[ +0.000662] amdgpu_device_fini_sw+0x77/0xfc0 [amdgpu]
+[ +0.000653] amdgpu_driver_release_kms+0x16/0x80 [amdgpu]
+[ +0.000655] drm_minor_release+0xc9/0x140 [drm]
+[ +0.000071] drm_release+0x1fd/0x390 [drm]
+[ +0.000071] __fput+0x36c/0xad0
+[ +0.000008] __fput_sync+0x3c/0x50
+[ +0.000007] __x64_sys_close+0x7d/0xe0
+[ +0.000007] x64_sys_call+0x1bc6/0x2680
+[ +0.000007] do_syscall_64+0x70/0x130
+[ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[ +0.000014] The buggy address belongs to the object at ffff8881b8605f80
+ which belongs to the cache kmalloc-64 of size 64
+[ +0.000020] The buggy address is located 8 bytes inside of
+ freed 64-byte region [ffff8881b8605f80, ffff8881b8605fc0)
+
+[ +0.000028] The buggy address belongs to the physical page:
+[ +0.000011] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b8605
+[ +0.000008] anon flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
+[ +0.000007] page_type: 0xffffefff(slab)
+[ +0.000009] raw: 0017ffffc0000000 ffff8881000428c0 0000000000000000 dead000000000001
+[ +0.000006] raw: 0000000000000000 0000000000200020 00000001ffffefff 0000000000000000
+[ +0.000006] page dumped because: kasan: bad access detected
+
+[ +0.000012] Memory state around the buggy address:
+[ +0.000011] ffff8881b8605e80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ +0.000015] ffff8881b8605f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
+[ +0.000015] >ffff8881b8605f80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+[ +0.000013] ^
+[ +0.000011] ffff8881b8606000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
+[ +0.000014] ffff8881b8606080: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb
+[ +0.000013] ==================================================================
+
+The issue reproduced on VG20 during the IGT pci_unplug test.
+The root cause of the issue is that the function drm_sched_fini is called before drm_sched_entity_kill.
+In drm_sched_fini, the drm_sched_rq structure is freed, but this structure is later accessed by
+each entity within the run queue, leading to invalid memory access.
+To resolve this, the order of cleanup calls is updated:
+
+ Before:
+ amdgpu_fence_driver_sw_fini
+ amdgpu_device_ip_fini
+
+ After:
+ amdgpu_device_ip_fini
+ amdgpu_fence_driver_sw_fini
+
+This updated order ensures that all entities in the IPs are cleaned up first, followed by proper
+cleanup of the schedulers.
+
+Additional Investigation:
+
+During debugging, another issue was identified in the amdgpu_vce_sw_fini function. The vce.vcpu_bo
+buffer must be freed only as the final step in the cleanup process to prevent any premature
+access during earlier cleanup stages.
+
+v2: Using Christian suggestion call drm_sched_entity_destroy before drm_sched_fini.
+
+Cc: Christian König <christian.koenig@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+[Minor context change fixed.]
+Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4008,8 +4008,8 @@ void amdgpu_device_fini_hw(struct amdgpu
+
+ void amdgpu_device_fini_sw(struct amdgpu_device *adev)
+ {
+- amdgpu_fence_driver_sw_fini(adev);
+ amdgpu_device_ip_fini(adev);
++ amdgpu_fence_driver_sw_fini(adev);
+ release_firmware(adev->firmware.gpu_info_fw);
+ adev->firmware.gpu_info_fw = NULL;
+ adev->accel_working = false;
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+@@ -220,15 +220,15 @@ int amdgpu_vce_sw_fini(struct amdgpu_dev
+
+ drm_sched_entity_destroy(&adev->vce.entity);
+
+- amdgpu_bo_free_kernel(&adev->vce.vcpu_bo, &adev->vce.gpu_addr,
+- (void **)&adev->vce.cpu_addr);
+-
+ for (i = 0; i < adev->vce.num_rings; i++)
+ amdgpu_ring_fini(&adev->vce.ring[i]);
+
+ release_firmware(adev->vce.fw);
+ mutex_destroy(&adev->vce.idle_mutex);
+
++ amdgpu_bo_free_kernel(&adev->vce.vcpu_bo, &adev->vce.gpu_addr,
++ (void **)&adev->vce.cpu_addr);
++
+ return 0;
+ }
+
--- /dev/null
+From 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Tue, 18 Mar 2025 17:14:37 +0100
+Subject: landlock: Add the errata interface
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit 15383a0d63dbcd63dc7e8d9ec1bf3a0f7ebf64ac upstream.
+
+Some fixes may require user space to check if they are applied on the
+running kernel before using a specific feature. For instance, this
+applies when a restriction was previously too restrictive and is now
+getting relaxed (e.g. for compatibility reasons). However, non-visible
+changes for legitimate use (e.g. security fixes) do not require an
+erratum.
+
+Because fixes are backported down to a specific Landlock ABI, we need a
+way to avoid cherry-pick conflicts. The solution is to only update a
+file related to the lower ABI impacted by this issue. All the ABI files
+are then used to create a bitmask of fixes.
+
+The new errata interface is similar to the one used to get the supported
+Landlock ABI version, but it returns a bitmask instead because the order
+of fixes may not match the order of versions, and not all fixes may
+apply to all versions.
+
+The actual errata will come with dedicated commits. The description is
+not actually used in the code but serves as documentation.
+
+Create the landlock_abi_version symbol and use its value to check errata
+consistency.
+
+Update test_base's create_ruleset_checks_ordering tests and add errata
+tests.
+
+This commit is backportable down to the first version of Landlock.
+
+Fixes: 3532b0b4352c ("landlock: Enable user space to infer supported features")
+Cc: Günther Noack <gnoack@google.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250318161443.279194-3-mic@digikod.net
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/landlock.h | 2
+ security/landlock/errata.h | 87 +++++++++++++++++++++++++++
+ security/landlock/setup.c | 30 +++++++++
+ security/landlock/setup.h | 3
+ security/landlock/syscalls.c | 22 +++++-
+ tools/testing/selftests/landlock/base_test.c | 46 +++++++++++++-
+ 6 files changed, 185 insertions(+), 5 deletions(-)
+ create mode 100644 security/landlock/errata.h
+
+--- a/include/uapi/linux/landlock.h
++++ b/include/uapi/linux/landlock.h
+@@ -32,9 +32,11 @@ struct landlock_ruleset_attr {
+ *
+ * - %LANDLOCK_CREATE_RULESET_VERSION: Get the highest supported Landlock ABI
+ * version.
++ * - %LANDLOCK_CREATE_RULESET_ERRATA: Get a bitmask of fixed issues.
+ */
+ /* clang-format off */
+ #define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
++#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
+ /* clang-format on */
+
+ /**
+--- /dev/null
++++ b/security/landlock/errata.h
+@@ -0,0 +1,87 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++/*
++ * Landlock - Errata information
++ *
++ * Copyright © 2025 Microsoft Corporation
++ */
++
++#ifndef _SECURITY_LANDLOCK_ERRATA_H
++#define _SECURITY_LANDLOCK_ERRATA_H
++
++#include <linux/init.h>
++
++struct landlock_erratum {
++ const int abi;
++ const u8 number;
++};
++
++/* clang-format off */
++#define LANDLOCK_ERRATUM(NUMBER) \
++ { \
++ .abi = LANDLOCK_ERRATA_ABI, \
++ .number = NUMBER, \
++ },
++/* clang-format on */
++
++/*
++ * Some fixes may require user space to check if they are applied on the running
++ * kernel before using a specific feature. For instance, this applies when a
++ * restriction was previously too restrictive and is now getting relaxed (for
++ * compatibility or semantic reasons). However, non-visible changes for
++ * legitimate use (e.g. security fixes) do not require an erratum.
++ */
++static const struct landlock_erratum landlock_errata_init[] __initconst = {
++
++/*
++ * Only Sparse may not implement __has_include. If a compiler does not
++ * implement __has_include, a warning will be printed at boot time (see
++ * setup.c).
++ */
++#ifdef __has_include
++
++#define LANDLOCK_ERRATA_ABI 1
++#if __has_include("errata/abi-1.h")
++#include "errata/abi-1.h"
++#endif
++#undef LANDLOCK_ERRATA_ABI
++
++#define LANDLOCK_ERRATA_ABI 2
++#if __has_include("errata/abi-2.h")
++#include "errata/abi-2.h"
++#endif
++#undef LANDLOCK_ERRATA_ABI
++
++#define LANDLOCK_ERRATA_ABI 3
++#if __has_include("errata/abi-3.h")
++#include "errata/abi-3.h"
++#endif
++#undef LANDLOCK_ERRATA_ABI
++
++#define LANDLOCK_ERRATA_ABI 4
++#if __has_include("errata/abi-4.h")
++#include "errata/abi-4.h"
++#endif
++#undef LANDLOCK_ERRATA_ABI
++
++/*
++ * For each new erratum, we need to include all the ABI files up to the impacted
++ * ABI to make all potential future intermediate errata easy to backport.
++ *
++ * If such change involves more than one ABI addition, then it must be in a
++ * dedicated commit with the same Fixes tag as used for the actual fix.
++ *
++ * Each commit creating a new security/landlock/errata/abi-*.h file must have a
++ * Depends-on tag to reference the commit that previously added the line to
++ * include this new file, except if the original Fixes tag is enough.
++ *
++ * Each erratum must be documented in its related ABI file, and a dedicated
++ * commit must update Documentation/userspace-api/landlock.rst to include this
++ * erratum. This commit will not be backported.
++ */
++
++#endif
++
++ {}
++};
++
++#endif /* _SECURITY_LANDLOCK_ERRATA_H */
+--- a/security/landlock/setup.c
++++ b/security/landlock/setup.c
+@@ -6,11 +6,13 @@
+ * Copyright © 2018-2020 ANSSI
+ */
+
++#include <linux/bits.h>
+ #include <linux/init.h>
+ #include <linux/lsm_hooks.h>
+
+ #include "common.h"
+ #include "cred.h"
++#include "errata.h"
+ #include "fs.h"
+ #include "ptrace.h"
+ #include "setup.h"
+@@ -23,8 +25,36 @@ struct lsm_blob_sizes landlock_blob_size
+ .lbs_superblock = sizeof(struct landlock_superblock_security),
+ };
+
++int landlock_errata __ro_after_init;
++
++static void __init compute_errata(void)
++{
++ size_t i;
++
++#ifndef __has_include
++ /*
++ * This is a safeguard to make sure the compiler implements
++ * __has_include (see errata.h).
++ */
++ WARN_ON_ONCE(1);
++ return;
++#endif
++
++ for (i = 0; landlock_errata_init[i].number; i++) {
++ const int prev_errata = landlock_errata;
++
++ if (WARN_ON_ONCE(landlock_errata_init[i].abi >
++ landlock_abi_version))
++ continue;
++
++ landlock_errata |= BIT(landlock_errata_init[i].number - 1);
++ WARN_ON_ONCE(prev_errata == landlock_errata);
++ }
++}
++
+ static int __init landlock_init(void)
+ {
++ compute_errata();
+ landlock_add_cred_hooks();
+ landlock_add_ptrace_hooks();
+ landlock_add_fs_hooks();
+--- a/security/landlock/setup.h
++++ b/security/landlock/setup.h
+@@ -11,7 +11,10 @@
+
+ #include <linux/lsm_hooks.h>
+
++extern const int landlock_abi_version;
++
+ extern bool landlock_initialized;
++extern int landlock_errata;
+
+ extern struct lsm_blob_sizes landlock_blob_sizes;
+
+--- a/security/landlock/syscalls.c
++++ b/security/landlock/syscalls.c
+@@ -150,7 +150,9 @@ static const struct file_operations rule
+ * the new ruleset.
+ * @size: Size of the pointed &struct landlock_ruleset_attr (needed for
+ * backward and forward compatibility).
+- * @flags: Supported value: %LANDLOCK_CREATE_RULESET_VERSION.
++ * @flags: Supported value:
++ * - %LANDLOCK_CREATE_RULESET_VERSION
++ * - %LANDLOCK_CREATE_RULESET_ERRATA
+ *
+ * This system call enables to create a new Landlock ruleset, and returns the
+ * related file descriptor on success.
+@@ -159,6 +161,10 @@ static const struct file_operations rule
+ * 0, then the returned value is the highest supported Landlock ABI version
+ * (starting at 1).
+ *
++ * If @flags is %LANDLOCK_CREATE_RULESET_ERRATA and @attr is NULL and @size is
++ * 0, then the returned value is a bitmask of fixed issues for the current
++ * Landlock ABI version.
++ *
+ * Possible returned errors are:
+ *
+ * - EOPNOTSUPP: Landlock is supported by the kernel but disabled at boot time;
+@@ -181,9 +187,15 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
+ return -EOPNOTSUPP;
+
+ if (flags) {
+- if ((flags == LANDLOCK_CREATE_RULESET_VERSION) && !attr &&
+- !size)
+- return LANDLOCK_ABI_VERSION;
++ if (attr || size)
++ return -EINVAL;
++
++ if (flags == LANDLOCK_CREATE_RULESET_VERSION)
++ return landlock_abi_version;
++
++ if (flags == LANDLOCK_CREATE_RULESET_ERRATA)
++ return landlock_errata;
++
+ return -EINVAL;
+ }
+
+@@ -213,6 +225,8 @@ SYSCALL_DEFINE3(landlock_create_ruleset,
+ return ruleset_fd;
+ }
+
++const int landlock_abi_version = LANDLOCK_ABI_VERSION;
++
+ /*
+ * Returns an owned ruleset from a FD. It is thus needed to call
+ * landlock_put_ruleset() on the return value.
+--- a/tools/testing/selftests/landlock/base_test.c
++++ b/tools/testing/selftests/landlock/base_test.c
+@@ -98,10 +98,54 @@ TEST(abi_version)
+ ASSERT_EQ(EINVAL, errno);
+ }
+
++/*
++ * Old source trees might not have the set of Kselftest fixes related to kernel
++ * UAPI headers.
++ */
++#ifndef LANDLOCK_CREATE_RULESET_ERRATA
++#define LANDLOCK_CREATE_RULESET_ERRATA (1U << 1)
++#endif
++
++TEST(errata)
++{
++ const struct landlock_ruleset_attr ruleset_attr = {
++ .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE,
++ };
++ int errata;
++
++ errata = landlock_create_ruleset(NULL, 0,
++ LANDLOCK_CREATE_RULESET_ERRATA);
++ /* The errata bitmask will not be backported to tests. */
++ ASSERT_LE(0, errata);
++ TH_LOG("errata: 0x%x", errata);
++
++ ASSERT_EQ(-1, landlock_create_ruleset(&ruleset_attr, 0,
++ LANDLOCK_CREATE_RULESET_ERRATA));
++ ASSERT_EQ(EINVAL, errno);
++
++ ASSERT_EQ(-1, landlock_create_ruleset(NULL, sizeof(ruleset_attr),
++ LANDLOCK_CREATE_RULESET_ERRATA));
++ ASSERT_EQ(EINVAL, errno);
++
++ ASSERT_EQ(-1,
++ landlock_create_ruleset(&ruleset_attr, sizeof(ruleset_attr),
++ LANDLOCK_CREATE_RULESET_ERRATA));
++ ASSERT_EQ(EINVAL, errno);
++
++ ASSERT_EQ(-1, landlock_create_ruleset(
++ NULL, 0,
++ LANDLOCK_CREATE_RULESET_VERSION |
++ LANDLOCK_CREATE_RULESET_ERRATA));
++ ASSERT_EQ(-1, landlock_create_ruleset(NULL, 0,
++ LANDLOCK_CREATE_RULESET_ERRATA |
++ 1 << 31));
++ ASSERT_EQ(EINVAL, errno);
++}
++
+ /* Tests ordering of syscall argument checks. */
+ TEST(create_ruleset_checks_ordering)
+ {
+- const int last_flag = LANDLOCK_CREATE_RULESET_VERSION;
++ const int last_flag = LANDLOCK_CREATE_RULESET_ERRATA;
+ const int invalid_flag = last_flag << 1;
+ int ruleset_fd;
+ const struct landlock_ruleset_attr ruleset_attr = {
phy-tegra-xusb-fix-return-value-of-tegra_xusb_find_port_node-function.patch
wifi-ath10k-avoid-null-pointer-error-during-sdio-remove.patch
xen-swiotlb-relax-alignment-requirements.patch
+drm-amd-display-stop-amdgpu_dm-initialize-when-link-nums-greater-than-max_links.patch
+drm-amd-display-fix-out-of-bounds-access-in-dcn21_link_encoder_create.patch
+drm-amd-display-add-null-checks-for-stream-and-plane-before-dereferencing.patch
+drm-amdgpu-fix-usage-slab-after-free.patch
+landlock-add-the-errata-interface.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
