6.8-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 30 Mar 2024 10:06:35 +0000 (11:06 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 30 Mar 2024 10:06:35 +0000 (11:06 +0100)
added patches:
drm-amd-display-fix-bounds-check-for-dcn35-dcfclocks.patch
drm-i915-bios-tolerate-devdata-null-in-intel_bios_encoder_supports_dp_dual_mode.patch
drm-i915-do-not-match-jsl-in-ehl_combo_pll_div_frac_wa_needed.patch
drm-i915-dsb-fix-dsb-vblank-waits-when-using-vrr.patch
drm-i915-dsi-go-back-to-the-previous-init_otp-display_on-order-mostly.patch
drm-i915-gt-reset-queue_priority_hint-on-parking.patch
drm-i915-hwmon-fix-locking-inversion-in-sysfs-getter.patch
drm-i915-pre-populate-the-cursor-physical-dma-address.patch
drm-i915-vma-fix-uaf-on-destroy-against-retire-race.patch
drm-i915-vrr-generate-vrr-safe-window-for-dsb.patch

queue-6.8/drm-amd-display-fix-bounds-check-for-dcn35-dcfclocks.patch [new file with mode: 0644]
queue-6.8/drm-i915-bios-tolerate-devdata-null-in-intel_bios_encoder_supports_dp_dual_mode.patch [new file with mode: 0644]
queue-6.8/drm-i915-do-not-match-jsl-in-ehl_combo_pll_div_frac_wa_needed.patch [new file with mode: 0644]
queue-6.8/drm-i915-dsb-fix-dsb-vblank-waits-when-using-vrr.patch [new file with mode: 0644]
queue-6.8/drm-i915-dsi-go-back-to-the-previous-init_otp-display_on-order-mostly.patch [new file with mode: 0644]
queue-6.8/drm-i915-gt-reset-queue_priority_hint-on-parking.patch [new file with mode: 0644]
queue-6.8/drm-i915-hwmon-fix-locking-inversion-in-sysfs-getter.patch [new file with mode: 0644]
queue-6.8/drm-i915-pre-populate-the-cursor-physical-dma-address.patch [new file with mode: 0644]
queue-6.8/drm-i915-vma-fix-uaf-on-destroy-against-retire-race.patch [new file with mode: 0644]
queue-6.8/drm-i915-vrr-generate-vrr-safe-window-for-dsb.patch [new file with mode: 0644]
queue-6.8/series

diff --git a/queue-6.8/drm-amd-display-fix-bounds-check-for-dcn35-dcfclocks.patch b/queue-6.8/drm-amd-display-fix-bounds-check-for-dcn35-dcfclocks.patch
new file mode 100644 (file)
index 0000000..f680765
--- /dev/null
@@ -0,0 +1,42 @@
+From 2f10d4a51bbcd938f1f02f16c304ad1d54717b96 Mon Sep 17 00:00:00 2001
+From: Roman Li <roman.li@amd.com>
+Date: Wed, 13 Mar 2024 18:35:13 -0400
+Subject: drm/amd/display: Fix bounds check for dcn35 DcfClocks
+
+From: Roman Li <roman.li@amd.com>
+
+commit 2f10d4a51bbcd938f1f02f16c304ad1d54717b96 upstream.
+
+[Why]
+NumFclkLevelsEnabled is used for DcfClocks bounds check
+instead of designated NumDcfClkLevelsEnabled.
+That can cause array index out-of-bounds access.
+
+[How]
+Use designated variable for dcn35 DcfClocks bounds check.
+
+Fixes: a8edc9cc0b14 ("drm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr")
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Sun peng Li <sunpeng.li@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Roman Li <roman.li@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn35/dcn35_clk_mgr.c
+@@ -706,7 +706,7 @@ static void dcn35_clk_mgr_helper_populat
+               clock_table->NumFclkLevelsEnabled;
+       max_fclk = find_max_clk_value(clock_table->FclkClocks_Freq, num_fclk);
+-      num_dcfclk = (clock_table->NumFclkLevelsEnabled > NUM_DCFCLK_DPM_LEVELS) ? NUM_DCFCLK_DPM_LEVELS :
++      num_dcfclk = (clock_table->NumDcfClkLevelsEnabled > NUM_DCFCLK_DPM_LEVELS) ? NUM_DCFCLK_DPM_LEVELS :
+               clock_table->NumDcfClkLevelsEnabled;
+       for (i = 0; i < num_dcfclk; i++) {
+               int j;
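Review bot: The clamp on the `num_dcfclk` line still names the level-count field twice in an open-coded ternary, which is the shape that let the wrong field slip into the comparison in the first place. Writing it as `num_dcfclk = min_t(unsigned int, clock_table->NumDcfClkLevelsEnabled, NUM_DCFCLK_DPM_LEVELS);` reads the field once, so the bound and the value cannot disagree; the cast type is a guess, since the field's declaration is not visible here. The `num_fclk` assignment just above appears to use the same pattern (only its tail is in the hunk) and would benefit from the same form. The enclosing function starts and ends outside the hunk.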
diff --git a/queue-6.8/drm-i915-bios-tolerate-devdata-null-in-intel_bios_encoder_supports_dp_dual_mode.patch b/queue-6.8/drm-i915-bios-tolerate-devdata-null-in-intel_bios_encoder_supports_dp_dual_mode.patch
new file mode 100644 (file)
index 0000000..6478828
--- /dev/null
@@ -0,0 +1,43 @@
+From 32e39bab59934bfd3f37097d4dd85ac5eb0fd549 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Tue, 19 Mar 2024 11:24:42 +0200
+Subject: drm/i915/bios: Tolerate devdata==NULL in intel_bios_encoder_supports_dp_dual_mode()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 32e39bab59934bfd3f37097d4dd85ac5eb0fd549 upstream.
+
+If we have no VBT, or the VBT didn't declare the encoder
+in question, we won't have the 'devdata' for the encoder.
+Instead of oopsing just bail early.
+
+We won't be able to tell whether the port is DP++ or not,
+but so be it.
+
+Cc: stable@vger.kernel.org
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10464
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240319092443.15769-1-ville.syrjala@linux.intel.com
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit 26410896206342c8a80d2b027923e9ee7d33b733)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_bios.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_bios.c
++++ b/drivers/gpu/drm/i915/display/intel_bios.c
+@@ -3344,6 +3344,9 @@ bool intel_bios_encoder_supports_dp_dual
+ {
+       const struct child_device_config *child = &devdata->child;
++      if (!devdata)
++              return false;
++
+       if (!intel_bios_encoder_supports_dp(devdata) ||
+           !intel_bios_encoder_supports_hdmi(devdata))
+               return false;
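Review bot: The initializer `child = &devdata->child` still runs before the added `if (!devdata)` check, so the function forms a member address from a NULL pointer on the very path this fix is for. Nothing is dereferenced at that point, so it should not fault, but it is cleaner and independent of compiler behaviour to declare `const struct child_device_config *child;` and assign `child = &devdata->child;` after the check. The rest of the function body is outside the hunk.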
diff --git a/queue-6.8/drm-i915-do-not-match-jsl-in-ehl_combo_pll_div_frac_wa_needed.patch b/queue-6.8/drm-i915-do-not-match-jsl-in-ehl_combo_pll_div_frac_wa_needed.patch
new file mode 100644 (file)
index 0000000..7d81710
--- /dev/null
@@ -0,0 +1,52 @@
+From e41d769f1a7a1dc533c35ef7b366be3dbf432a1c Mon Sep 17 00:00:00 2001
+From: Jonathon Hall <jonathon.hall@puri.sm>
+Date: Wed, 13 Mar 2024 09:54:25 -0400
+Subject: drm/i915: Do not match JSL in ehl_combo_pll_div_frac_wa_needed()
+
+From: Jonathon Hall <jonathon.hall@puri.sm>
+
+commit e41d769f1a7a1dc533c35ef7b366be3dbf432a1c upstream.
+
+Since commit 0c65dc062611 ("drm/i915/jsl: s/JSL/JASPERLAKE for
+platform/subplatform defines"), boot freezes on a Jasper Lake tablet
+(Librem 11), usually with graphical corruption on the eDP display,
+but sometimes just a black screen.  This commit was included in 6.6 and
+later.
+
+That commit was intended to refactor EHL and JSL macros, but the change
+to ehl_combo_pll_div_frac_wa_needed() started matching JSL incorrectly
+when it was only intended to match EHL.
+
+It replaced:
+       return ((IS_PLATFORM(i915, INTEL_ELKHARTLAKE) &&
+                IS_JSL_EHL_DISPLAY_STEP(i915, STEP_B0, STEP_FOREVER)) ||
+with:
+       return (((IS_ELKHARTLAKE(i915) || IS_JASPERLAKE(i915)) &&
+                IS_DISPLAY_STEP(i915, STEP_B0, STEP_FOREVER)) ||
+
+Remove IS_JASPERLAKE() to fix the regression.
+
+Signed-off-by: Jonathon Hall <jonathon.hall@puri.sm>
+Cc: stable@vger.kernel.org
+Fixes: 0c65dc062611 ("drm/i915/jsl: s/JSL/JASPERLAKE for platform/subplatform defines")
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240313135424.3731410-1-jonathon.hall@puri.sm
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit 1ef48859317b2a77672dea8682df133abf9c44ed)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_dpll_mgr.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_dpll_mgr.c
++++ b/drivers/gpu/drm/i915/display/intel_dpll_mgr.c
+@@ -2509,7 +2509,7 @@ static void icl_wrpll_params_populate(st
+ static bool
+ ehl_combo_pll_div_frac_wa_needed(struct drm_i915_private *i915)
+ {
+-      return (((IS_ELKHARTLAKE(i915) || IS_JASPERLAKE(i915)) &&
++      return ((IS_ELKHARTLAKE(i915) &&
+                IS_DISPLAY_STEP(i915, STEP_B0, STEP_FOREVER)) ||
+                IS_TIGERLAKE(i915) || IS_ALDERLAKE_S(i915) || IS_ALDERLAKE_P(i915)) &&
+                i915->display.dpll.ref_clks.nssc == 38400;
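Review bot: Nothing in `ehl_combo_pll_div_frac_wa_needed()` records that Jasper Lake is excluded on purpose, and the regression being fixed came from a refactor that treated EHL and JSL as interchangeable. A short comment above the return, e.g. `/* Elkhart Lake only: matching Jasper Lake here broke eDP at boot (regressed by 0c65dc062611) */`, would keep a later macro cleanup from re-adding it. The function's closing brace is outside the hunk.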
diff --git a/queue-6.8/drm-i915-dsb-fix-dsb-vblank-waits-when-using-vrr.patch b/queue-6.8/drm-i915-dsb-fix-dsb-vblank-waits-when-using-vrr.patch
new file mode 100644 (file)
index 0000000..7203969
--- /dev/null
@@ -0,0 +1,73 @@
+From f12751168f1a49ebb84b8056cf038973c53b284f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 6 Mar 2024 06:08:05 +0200
+Subject: drm/i915/dsb: Fix DSB vblank waits when using VRR
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit f12751168f1a49ebb84b8056cf038973c53b284f upstream.
+
+Looks like the undelayed vblank gets signalled exactly when
+the active period ends. That is a problem for DSB+VRR when
+we are already in vblank and expect DSB to start executing
+as soon as we send the push. Instead of starting, the DSB
+just keeps on waiting for the undelayed vblank which won't
+signal until the end of the next frame's active period,
+which is far too late.
+
+The end result is that DSB won't have even started
+executing by the time the flips/etc. have completed.
+We then wait for an extra 1ms, after which we terminate
+the DSB and report a timeout:
+[drm] *ERROR* [CRTC:80:pipe A] DSB 0 timed out waiting for idle (current head=0xfedf4000, head=0x0, tail=0x1080)
+
+To fix this let's configure DSB to use the so called VRR
+"safe window" instead of the undelayed vblank to trigger
+the DSB vblank logic, when VRR is enabled.
+
+Cc: stable@vger.kernel.org
+Fixes: 34d8311f4a1c ("drm/i915/dsb: Re-instate DSB for LUT updates")
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9927
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240306040806.21697-3-ville.syrjala@linux.intel.com
+Reviewed-by: Animesh Manna <animesh.manna@intel.com>
+(cherry picked from commit 41429d9b68367596eb3d6d5961e6295c284622a7)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_dsb.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_dsb.c
++++ b/drivers/gpu/drm/i915/display/intel_dsb.c
+@@ -340,6 +340,17 @@ static int intel_dsb_dewake_scanline(con
+       return max(0, vblank_start - intel_usecs_to_scanlines(adjusted_mode, latency));
+ }
++static u32 dsb_chicken(struct intel_crtc *crtc)
++{
++      if (crtc->mode_flags & I915_MODE_FLAG_VRR)
++              return DSB_CTRL_WAIT_SAFE_WINDOW |
++                      DSB_CTRL_NO_WAIT_VBLANK |
++                      DSB_INST_WAIT_SAFE_WINDOW |
++                      DSB_INST_NO_WAIT_VBLANK;
++      else
++              return 0;
++}
++
+ static void _intel_dsb_commit(struct intel_dsb *dsb, u32 ctrl,
+                             int dewake_scanline)
+ {
+@@ -361,6 +372,9 @@ static void _intel_dsb_commit(struct int
+       intel_de_write_fw(dev_priv, DSB_CTRL(pipe, dsb->id),
+                         ctrl | DSB_ENABLE);
++      intel_de_write_fw(dev_priv, DSB_CHICKEN(pipe, dsb->id),
++                        dsb_chicken(crtc));
++
+       intel_de_write_fw(dev_priv, DSB_HEAD(pipe, dsb->id),
+                         intel_dsb_buffer_ggtt_offset(&dsb->dsb_buf));
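Review bot: `dsb_chicken()` has no comment saying why VRR needs the safe-window bits, so the reasoning lives only in the commit message. I would add above it something like `/* With VRR the undelayed vblank only signals when the active period ends, so trigger the DSB vblank logic from the VRR safe window instead. */`. The `else` after the `return` is also unnecessary; a plain `return 0;` at function level is the usual kernel form. `_intel_dsb_commit()` continues past the end of the hunk, so where the new DSB_CHICKEN write sits relative to the register writes after DSB_HEAD cannot be judged from here.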
diff --git a/queue-6.8/drm-i915-dsi-go-back-to-the-previous-init_otp-display_on-order-mostly.patch b/queue-6.8/drm-i915-dsi-go-back-to-the-previous-init_otp-display_on-order-mostly.patch
new file mode 100644 (file)
index 0000000..d3847e2
--- /dev/null
@@ -0,0 +1,134 @@
+From 18846627ef1210dcd55d65342b055ea97a46ffff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Tue, 5 Mar 2024 10:36:59 +0200
+Subject: drm/i915/dsi: Go back to the previous INIT_OTP/DISPLAY_ON order, mostly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 18846627ef1210dcd55d65342b055ea97a46ffff upstream.
+
+Reinstate commit 88b065943cb5 ("drm/i915/dsi: Do display on
+sequence later on icl+"), for the most part. Turns out some
+machines (eg. Chuwi Minibook X) really do need that updated order.
+It is also the order the Windows driver uses.
+
+However we can't just undo the revert since that would again
+break Lenovo 82TQ. After staring at the VBT sequences for both
+machines I've concluded that the Lenovo 82TQ sequences look
+somewhat broken:
+ - INIT_OTP is not present at all
+ - what should be in INIT_OTP is found in DISPLAY_ON
+ - what should be in DISPLAY_ON is found in BACKLIGHT_ON
+   (along with the actual backlight stuff)
+
+The Chuwi Minibook X on the other hand has a full complement
+of sequences in its VBT.
+
+So let's try to deal with the broken sequences in the
+Lenovo 82TQ VBT by simply swapping the (non-existent)
+INIT_OTP sequence with the DISPLAY_ON sequence. Thus we
+execute DISPLAY_ON when intending to execute INIT_OTP,
+and execute nothing at all when intending to execute
+DISPLAY_ON. That should be 100% equivalent to the
+revert, for such broken VBTs.
+
+Cc: stable@vger.kernel.org
+Fixes: 6992eb815d08 ("Revert "drm/i915/dsi: Do display on sequence later on icl+"")
+References: https://gitlab.freedesktop.org/drm/intel/-/issues/10071
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10334
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240305083659.8396-1-ville.syrjala@linux.intel.com
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit 94ae4612ea336bfc3c12b3fc68467c6711a4f39b)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/icl_dsi.c    |    3 +-
+ drivers/gpu/drm/i915/display/intel_bios.c |   43 +++++++++++++++++++++++++-----
+ 2 files changed, 39 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/icl_dsi.c
++++ b/drivers/gpu/drm/i915/display/icl_dsi.c
+@@ -1155,7 +1155,6 @@ static void gen11_dsi_powerup_panel(stru
+       }
+       intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_INIT_OTP);
+-      intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_DISPLAY_ON);
+       /* ensure all panel commands dispatched before enabling transcoder */
+       wait_for_cmds_dispatched_to_panel(encoder);
+@@ -1256,6 +1255,8 @@ static void gen11_dsi_enable(struct inte
+       /* step6d: enable dsi transcoder */
+       gen11_dsi_enable_transcoder(encoder);
++      intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_DISPLAY_ON);
++
+       /* step7: enable backlight */
+       intel_backlight_enable(crtc_state, conn_state);
+       intel_dsi_vbt_exec_sequence(intel_dsi, MIPI_SEQ_BACKLIGHT_ON);
+--- a/drivers/gpu/drm/i915/display/intel_bios.c
++++ b/drivers/gpu/drm/i915/display/intel_bios.c
+@@ -1952,16 +1952,12 @@ static int get_init_otp_deassert_fragmen
+  * these devices we split the init OTP sequence into a deassert sequence and
+  * the actual init OTP part.
+  */
+-static void fixup_mipi_sequences(struct drm_i915_private *i915,
+-                               struct intel_panel *panel)
++static void vlv_fixup_mipi_sequences(struct drm_i915_private *i915,
++                                   struct intel_panel *panel)
+ {
+       u8 *init_otp;
+       int len;
+-      /* Limit this to VLV for now. */
+-      if (!IS_VALLEYVIEW(i915))
+-              return;
+-
+       /* Limit this to v1 vid-mode sequences */
+       if (panel->vbt.dsi.config->is_cmd_mode ||
+           panel->vbt.dsi.seq_version != 1)
+@@ -1997,6 +1993,41 @@ static void fixup_mipi_sequences(struct
+       panel->vbt.dsi.sequence[MIPI_SEQ_INIT_OTP] = init_otp + len - 1;
+ }
++/*
++ * Some machines (eg. Lenovo 82TQ) appear to have broken
++ * VBT sequences:
++ * - INIT_OTP is not present at all
++ * - what should be in INIT_OTP is in DISPLAY_ON
++ * - what should be in DISPLAY_ON is in BACKLIGHT_ON
++ *   (along with the actual backlight stuff)
++ *
++ * To make those work we simply swap DISPLAY_ON and INIT_OTP.
++ *
++ * TODO: Do we need to limit this to specific machines,
++ *       or examine the contents of the sequences to
++ *       avoid false positives?
++ */
++static void icl_fixup_mipi_sequences(struct drm_i915_private *i915,
++                                   struct intel_panel *panel)
++{
++      if (!panel->vbt.dsi.sequence[MIPI_SEQ_INIT_OTP] &&
++          panel->vbt.dsi.sequence[MIPI_SEQ_DISPLAY_ON]) {
++              drm_dbg_kms(&i915->drm, "Broken VBT: Swapping INIT_OTP and DISPLAY_ON sequences\n");
++
++              swap(panel->vbt.dsi.sequence[MIPI_SEQ_INIT_OTP],
++                   panel->vbt.dsi.sequence[MIPI_SEQ_DISPLAY_ON]);
++      }
++}
++
++static void fixup_mipi_sequences(struct drm_i915_private *i915,
++                               struct intel_panel *panel)
++{
++      if (DISPLAY_VER(i915) >= 11)
++              icl_fixup_mipi_sequences(i915, panel);
++      else if (IS_VALLEYVIEW(i915))
++              vlv_fixup_mipi_sequences(i915, panel);
++}
++
+ static void
+ parse_mipi_sequence(struct drm_i915_private *i915,
+                   struct intel_panel *panel)
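Review bot: `icl_fixup_mipi_sequences()` rewrites the firmware-provided sequence table for every display version 11+ panel whose VBT lacks INIT_OTP but has DISPLAY_ON, and the only trace it leaves is a `drm_dbg_kms()` line. Given that the function's own TODO leaves false positives open, a misfire on a machine whose INIT_OTP is absent on purpose would not show up in a default log. Logging the swap with `drm_info(&i915->drm, "Broken VBT: Swapping INIT_OTP and DISPLAY_ON sequences\n");` would make it visible in bug reports without extra debug flags. `parse_mipi_sequence()` at the end of the hunk continues outside it.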
diff --git a/queue-6.8/drm-i915-gt-reset-queue_priority_hint-on-parking.patch b/queue-6.8/drm-i915-gt-reset-queue_priority_hint-on-parking.patch
new file mode 100644 (file)
index 0000000..ad26627
--- /dev/null
@@ -0,0 +1,121 @@
+From 4a3859ea5240365d21f6053ee219bb240d520895 Mon Sep 17 00:00:00 2001
+From: Chris Wilson <chris@chris-wilson.co.uk>
+Date: Mon, 18 Mar 2024 14:58:47 +0100
+Subject: drm/i915/gt: Reset queue_priority_hint on parking
+
+From: Chris Wilson <chris@chris-wilson.co.uk>
+
+commit 4a3859ea5240365d21f6053ee219bb240d520895 upstream.
+
+Originally, with strict in order execution, we could complete execution
+only when the queue was empty. Preempt-to-busy allows replacement of an
+active request that may complete before the preemption is processed by
+HW. If that happens, the request is retired from the queue, but the
+queue_priority_hint remains set, preventing direct submission until
+after the next CS interrupt is processed.
+
+This preempt-to-busy race can be triggered by the heartbeat, which will
+also act as the power-management barrier and upon completion allow us to
+idle the HW. We may process the completion of the heartbeat, and begin
+parking the engine before the CS event that restores the
+queue_priority_hint, causing us to fail the assertion that it is MIN.
+
+<3>[  166.210729] __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))
+<0>[  166.210781] Dumping ftrace buffer:
+<0>[  166.210795] ---------------------------------
+...
+<0>[  167.302811] drm_fdin-1097      2..s1. 165741070us : trace_ports: 0000:00:02.0 rcs0: promote { ccid:20 1217:2 prio 0 }
+<0>[  167.302861] drm_fdin-1097      2d.s2. 165741072us : execlists_submission_tasklet: 0000:00:02.0 rcs0: preempting last=1217:2, prio=0, hint=2147483646
+<0>[  167.302928] drm_fdin-1097      2d.s2. 165741072us : __i915_request_unsubmit: 0000:00:02.0 rcs0: fence 1217:2, current 0
+<0>[  167.302992] drm_fdin-1097      2d.s2. 165741073us : __i915_request_submit: 0000:00:02.0 rcs0: fence 3:4660, current 4659
+<0>[  167.303044] drm_fdin-1097      2d.s1. 165741076us : execlists_submission_tasklet: 0000:00:02.0 rcs0: context:3 schedule-in, ccid:40
+<0>[  167.303095] drm_fdin-1097      2d.s1. 165741077us : trace_ports: 0000:00:02.0 rcs0: submit { ccid:40 3:4660* prio 2147483646 }
+<0>[  167.303159] kworker/-89       11..... 165741139us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence c90:2, current 2
+<0>[  167.303208] kworker/-89       11..... 165741148us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:c90 unpin
+<0>[  167.303272] kworker/-89       11..... 165741159us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 1217:2, current 2
+<0>[  167.303321] kworker/-89       11..... 165741166us : __intel_context_do_unpin: 0000:00:02.0 rcs0: context:1217 unpin
+<0>[  167.303384] kworker/-89       11..... 165741170us : i915_request_retire.part.0: 0000:00:02.0 rcs0: fence 3:4660, current 4660
+<0>[  167.303434] kworker/-89       11d..1. 165741172us : __intel_context_retire: 0000:00:02.0 rcs0: context:1216 retire runtime: { total:56028ns, avg:56028ns }
+<0>[  167.303484] kworker/-89       11..... 165741198us : __engine_park: 0000:00:02.0 rcs0: parked
+<0>[  167.303534]   <idle>-0         5d.H3. 165741207us : execlists_irq_handler: 0000:00:02.0 rcs0: semaphore yield: 00000040
+<0>[  167.303583] kworker/-89       11..... 165741397us : __intel_context_retire: 0000:00:02.0 rcs0: context:1217 retire runtime: { total:325575ns, avg:0ns }
+<0>[  167.303756] kworker/-89       11..... 165741777us : __intel_context_retire: 0000:00:02.0 rcs0: context:c90 retire runtime: { total:0ns, avg:0ns }
+<0>[  167.303806] kworker/-89       11..... 165742017us : __engine_park: __engine_park:283 GEM_BUG_ON(engine->sched_engine->queue_priority_hint != (-((int)(~0U >> 1)) - 1))
+<0>[  167.303811] ---------------------------------
+<4>[  167.304722] ------------[ cut here ]------------
+<2>[  167.304725] kernel BUG at drivers/gpu/drm/i915/gt/intel_engine_pm.c:283!
+<4>[  167.304731] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+<4>[  167.304734] CPU: 11 PID: 89 Comm: kworker/11:1 Tainted: G        W          6.8.0-rc2-CI_DRM_14193-gc655e0fd2804+ #1
+<4>[  167.304736] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022
+<4>[  167.304738] Workqueue: i915-unordered retire_work_handler [i915]
+<4>[  167.304839] RIP: 0010:__engine_park+0x3fd/0x680 [i915]
+<4>[  167.304937] Code: 00 48 c7 c2 b0 e5 86 a0 48 8d 3d 00 00 00 00 e8 79 48 d4 e0 bf 01 00 00 00 e8 ef 0a d4 e0 31 f6 bf 09 00 00 00 e8 03 49 c0 e0 <0f> 0b 0f 0b be 01 00 00 00 e8 f5 61 fd ff 31 c0 e9 34 fd ff ff 48
+<4>[  167.304940] RSP: 0018:ffffc9000059fce0 EFLAGS: 00010246
+<4>[  167.304942] RAX: 0000000000000200 RBX: 0000000000000000 RCX: 0000000000000006
+<4>[  167.304944] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000009
+<4>[  167.304946] RBP: ffff8881330ca1b0 R08: 0000000000000001 R09: 0000000000000001
+<4>[  167.304947] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881330ca000
+<4>[  167.304948] R13: ffff888110f02aa0 R14: ffff88812d1d0205 R15: ffff88811277d4f0
+<4>[  167.304950] FS:  0000000000000000(0000) GS:ffff88844f780000(0000) knlGS:0000000000000000
+<4>[  167.304952] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+<4>[  167.304953] CR2: 00007fc362200c40 CR3: 000000013306e003 CR4: 0000000000770ef0
+<4>[  167.304955] PKRU: 55555554
+<4>[  167.304957] Call Trace:
+<4>[  167.304958]  <TASK>
+<4>[  167.305573]  ____intel_wakeref_put_last+0x1d/0x80 [i915]
+<4>[  167.305685]  i915_request_retire.part.0+0x34f/0x600 [i915]
+<4>[  167.305800]  retire_requests+0x51/0x80 [i915]
+<4>[  167.305892]  intel_gt_retire_requests_timeout+0x27f/0x700 [i915]
+<4>[  167.305985]  process_scheduled_works+0x2db/0x530
+<4>[  167.305990]  worker_thread+0x18c/0x350
+<4>[  167.305993]  kthread+0xfe/0x130
+<4>[  167.305997]  ret_from_fork+0x2c/0x50
+<4>[  167.306001]  ret_from_fork_asm+0x1b/0x30
+<4>[  167.306004]  </TASK>
+
+It is necessary for the queue_priority_hint to be lower than the next
+request submission upon waking up, as we rely on the hint to decide when
+to kick the tasklet to submit that first request.
+
+Fixes: 22b7a426bbe1 ("drm/i915/execlists: Preempt-to-busy")
+Closes: https://gitlab.freedesktop.org/drm/intel/issues/10154
+Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
+Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Cc: <stable@vger.kernel.org> # v5.4+
+Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240318135906.716055-2-janusz.krzysztofik@linux.intel.com
+(cherry picked from commit 98850e96cf811dc2d0a7d0af491caff9f5d49c1e)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gt/intel_engine_pm.c            |    3 ---
+ drivers/gpu/drm/i915/gt/intel_execlists_submission.c |    3 +++
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gt/intel_engine_pm.c
++++ b/drivers/gpu/drm/i915/gt/intel_engine_pm.c
+@@ -279,9 +279,6 @@ static int __engine_park(struct intel_wa
+       intel_engine_park_heartbeat(engine);
+       intel_breadcrumbs_park(engine->breadcrumbs);
+-      /* Must be reset upon idling, or we may miss the busy wakeup. */
+-      GEM_BUG_ON(engine->sched_engine->queue_priority_hint != INT_MIN);
+-
+       if (engine->park)
+               engine->park(engine);
+--- a/drivers/gpu/drm/i915/gt/intel_execlists_submission.c
++++ b/drivers/gpu/drm/i915/gt/intel_execlists_submission.c
+@@ -3272,6 +3272,9 @@ static void execlists_park(struct intel_
+ {
+       cancel_timer(&engine->execlists.timer);
+       cancel_timer(&engine->execlists.preempt);
++
++      /* Reset upon idling, or we may delay the busy wakeup. */
++      WRITE_ONCE(engine->sched_engine->queue_priority_hint, INT_MIN);
+ }
+ static void add_to_engine(struct i915_request *rq)
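Review bot: The reset of `queue_priority_hint` now lives only in `execlists_park()`, while the check removed from `__engine_park()` covered every engine regardless of submission backend. If another backend's `park` hook, or an engine with no hook at all (which `__engine_park()` allows via `if (engine->park)`), can leave the hint above `INT_MIN`, that is no longer reset or detected; whether any does is not visible in this hunk. If the hint is only consumed by execlists, I would say so next to the reset, e.g. `/* Only execlists consumes the hint, so it is reset here rather than asserted in __engine_park(). */`, and otherwise move the `WRITE_ONCE()` into `__engine_park()`. Both functions are shown only in part.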
diff --git a/queue-6.8/drm-i915-hwmon-fix-locking-inversion-in-sysfs-getter.patch b/queue-6.8/drm-i915-hwmon-fix-locking-inversion-in-sysfs-getter.patch
new file mode 100644 (file)
index 0000000..fd40e30
--- /dev/null
@@ -0,0 +1,180 @@
+From b212b79768ccde74429f872c37618c543fa11333 Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Date: Mon, 11 Mar 2024 21:34:58 +0100
+Subject: drm/i915/hwmon: Fix locking inversion in sysfs getter
+
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+
+commit b212b79768ccde74429f872c37618c543fa11333 upstream.
+
+In i915 hwmon sysfs getter path we now take a hwmon_lock, then acquire an
+rpm wakeref.  That results in lock inversion:
+
+<4> [197.079335] ======================================================
+<4> [197.085473] WARNING: possible circular locking dependency detected
+<4> [197.091611] 6.8.0-rc7-Patchwork_129026v7-gc4dc92fb1152+ #1 Not tainted
+<4> [197.098096] ------------------------------------------------------
+<4> [197.104231] prometheus-node/839 is trying to acquire lock:
+<4> [197.109680] ffffffff82764d80 (fs_reclaim){+.+.}-{0:0}, at: __kmalloc+0x9a/0x350
+<4> [197.116939]
+but task is already holding lock:
+<4> [197.122730] ffff88811b772a40 (&hwmon->hwmon_lock){+.+.}-{3:3}, at: hwm_energy+0x4b/0x100 [i915]
+<4> [197.131543]
+which lock already depends on the new lock.
+...
+<4> [197.507922] Chain exists of:
+  fs_reclaim --> &gt->reset.mutex --> &hwmon->hwmon_lock
+<4> [197.518528]  Possible unsafe locking scenario:
+<4> [197.524411]        CPU0                    CPU1
+<4> [197.528916]        ----                    ----
+<4> [197.533418]   lock(&hwmon->hwmon_lock);
+<4> [197.537237]                                lock(&gt->reset.mutex);
+<4> [197.543376]                                lock(&hwmon->hwmon_lock);
+<4> [197.549682]   lock(fs_reclaim);
+...
+<4> [197.632548] Call Trace:
+<4> [197.634990]  <TASK>
+<4> [197.637088]  dump_stack_lvl+0x64/0xb0
+<4> [197.640738]  check_noncircular+0x15e/0x180
+<4> [197.652968]  check_prev_add+0xe9/0xce0
+<4> [197.656705]  __lock_acquire+0x179f/0x2300
+<4> [197.660694]  lock_acquire+0xd8/0x2d0
+<4> [197.673009]  fs_reclaim_acquire+0xa1/0xd0
+<4> [197.680478]  __kmalloc+0x9a/0x350
+<4> [197.689063]  acpi_ns_internalize_name.part.0+0x4a/0xb0
+<4> [197.694170]  acpi_ns_get_node_unlocked+0x60/0xf0
+<4> [197.720608]  acpi_ns_get_node+0x3b/0x60
+<4> [197.724428]  acpi_get_handle+0x57/0xb0
+<4> [197.728164]  acpi_has_method+0x20/0x50
+<4> [197.731896]  acpi_pci_set_power_state+0x43/0x120
+<4> [197.736485]  pci_power_up+0x24/0x1c0
+<4> [197.740047]  pci_pm_default_resume_early+0x9/0x30
+<4> [197.744725]  pci_pm_runtime_resume+0x2d/0x90
+<4> [197.753911]  __rpm_callback+0x3c/0x110
+<4> [197.762586]  rpm_callback+0x58/0x70
+<4> [197.766064]  rpm_resume+0x51e/0x730
+<4> [197.769542]  rpm_resume+0x267/0x730
+<4> [197.773020]  rpm_resume+0x267/0x730
+<4> [197.776498]  rpm_resume+0x267/0x730
+<4> [197.779974]  __pm_runtime_resume+0x49/0x90
+<4> [197.784055]  __intel_runtime_pm_get+0x19/0xa0 [i915]
+<4> [197.789070]  hwm_energy+0x55/0x100 [i915]
+<4> [197.793183]  hwm_read+0x9a/0x310 [i915]
+<4> [197.797124]  hwmon_attr_show+0x36/0x120
+<4> [197.800946]  dev_attr_show+0x15/0x60
+<4> [197.804509]  sysfs_kf_seq_show+0xb5/0x100
+
+Acquire the wakeref before the lock and hold it as long as the lock is
+also held.  Follow that pattern across the whole source file where similar
+lock inversion can happen.
+
+v2: Keep hardware read under the lock so the whole operation of updating
+    energy from hardware is still atomic (Guenter),
+  - instead, acquire the rpm wakeref before the lock and hold it as long
+    as the lock is held,
+  - use the same aproach for other similar places across the i915_hwmon.c
+    source file (Rodrigo).
+
+Fixes: 1b44019a93e2 ("drm/i915/guc: Disable PL1 power limit when loading GuC firmware")
+Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: <stable@vger.kernel.org> # v6.5+
+Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240311203500.518675-2-janusz.krzysztofik@linux.intel.com
+(cherry picked from commit 71b218771426ea84c0e0148a2b7ac52c1f76e792)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/i915_hwmon.c |   37 +++++++++++++++++++------------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_hwmon.c
++++ b/drivers/gpu/drm/i915/i915_hwmon.c
+@@ -72,12 +72,13 @@ hwm_locked_with_pm_intel_uncore_rmw(stru
+       struct intel_uncore *uncore = ddat->uncore;
+       intel_wakeref_t wakeref;
+-      mutex_lock(&hwmon->hwmon_lock);
++      with_intel_runtime_pm(uncore->rpm, wakeref) {
++              mutex_lock(&hwmon->hwmon_lock);
+-      with_intel_runtime_pm(uncore->rpm, wakeref)
+               intel_uncore_rmw(uncore, reg, clear, set);
+-      mutex_unlock(&hwmon->hwmon_lock);
++              mutex_unlock(&hwmon->hwmon_lock);
++      }
+ }
+ /*
+@@ -136,20 +137,21 @@ hwm_energy(struct hwm_drvdata *ddat, lon
+       else
+               rgaddr = hwmon->rg.energy_status_all;
+-      mutex_lock(&hwmon->hwmon_lock);
++      with_intel_runtime_pm(uncore->rpm, wakeref) {
++              mutex_lock(&hwmon->hwmon_lock);
+-      with_intel_runtime_pm(uncore->rpm, wakeref)
+               reg_val = intel_uncore_read(uncore, rgaddr);
+-      if (reg_val >= ei->reg_val_prev)
+-              ei->accum_energy += reg_val - ei->reg_val_prev;
+-      else
+-              ei->accum_energy += UINT_MAX - ei->reg_val_prev + reg_val;
+-      ei->reg_val_prev = reg_val;
++              if (reg_val >= ei->reg_val_prev)
++                      ei->accum_energy += reg_val - ei->reg_val_prev;
++              else
++                      ei->accum_energy += UINT_MAX - ei->reg_val_prev + reg_val;
++              ei->reg_val_prev = reg_val;
+-      *energy = mul_u64_u32_shr(ei->accum_energy, SF_ENERGY,
+-                                hwmon->scl_shift_energy);
+-      mutex_unlock(&hwmon->hwmon_lock);
++              *energy = mul_u64_u32_shr(ei->accum_energy, SF_ENERGY,
++                                        hwmon->scl_shift_energy);
++              mutex_unlock(&hwmon->hwmon_lock);
++      }
+ }
+ static ssize_t
+@@ -404,6 +406,7 @@ hwm_power_max_write(struct hwm_drvdata *
+       /* Block waiting for GuC reset to complete when needed */
+       for (;;) {
++              wakeref = intel_runtime_pm_get(ddat->uncore->rpm);
+               mutex_lock(&hwmon->hwmon_lock);
+               prepare_to_wait(&ddat->waitq, &wait, TASK_INTERRUPTIBLE);
+@@ -417,14 +420,13 @@ hwm_power_max_write(struct hwm_drvdata *
+               }
+               mutex_unlock(&hwmon->hwmon_lock);
++              intel_runtime_pm_put(ddat->uncore->rpm, wakeref);
+               schedule();
+       }
+       finish_wait(&ddat->waitq, &wait);
+       if (ret)
+-              goto unlock;
+-
+-      wakeref = intel_runtime_pm_get(ddat->uncore->rpm);
++              goto exit;
+       /* Disable PL1 limit and verify, because the limit cannot be disabled on all platforms */
+       if (val == PL1_DISABLE) {
+@@ -444,9 +446,8 @@ hwm_power_max_write(struct hwm_drvdata *
+       intel_uncore_rmw(ddat->uncore, hwmon->rg.pkg_rapl_limit,
+                        PKG_PWR_LIM_1_EN | PKG_PWR_LIM_1, nval);
+ exit:
+-      intel_runtime_pm_put(ddat->uncore->rpm, wakeref);
+-unlock:
+       mutex_unlock(&hwmon->hwmon_lock);
++      intel_runtime_pm_put(ddat->uncore->rpm, wakeref);
+       return ret;
+ }
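Review bot: The fix establishes an ordering rule for the whole file (runtime-PM wakeref first, then `hwmon_lock`), but nothing in the code states it, so the next helper added can reintroduce the inversion. I would document it where the pattern first appears, in `hwm_locked_with_pm_intel_uncore_rmw()`: `/* Lock order: take the rpm wakeref before hwmon_lock; a runtime resume under the lock can allocate and enter fs_reclaim. */`. In `hwm_power_max_write()` the shared `exit:` label now unlocks and drops the wakeref unconditionally, which is only balanced if every `break` out of the wait loop leaves both held; those break paths sit between the hunks and are not visible here. All of the touched functions are shown only in part.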
diff --git a/queue-6.8/drm-i915-pre-populate-the-cursor-physical-dma-address.patch b/queue-6.8/drm-i915-pre-populate-the-cursor-physical-dma-address.patch
new file mode 100644 (file)
index 0000000..a95e130
--- /dev/null
@@ -0,0 +1,89 @@
+From 582dc04b0658ef3b90aeb49cbdd9747c2f1eccc3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Mon, 25 Mar 2024 19:57:38 +0200
+Subject: drm/i915: Pre-populate the cursor physical dma address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 582dc04b0658ef3b90aeb49cbdd9747c2f1eccc3 upstream.
+
+Calling i915_gem_object_get_dma_address() from the vblank
+evade critical section triggers might_sleep().
+
+While we know that we've already pinned the framebuffer
+and thus i915_gem_object_get_dma_address() will in fact
+not sleep in this case, it seems reasonable to keep the
+unconditional might_sleep() for maximum coverage.
+
+So let's instead pre-populate the dma address during
+fb pinning, which all happens before we enter the
+vblank evade critical section.
+
+We can use u32 for the dma address as this class of
+hardware doesn't support >32bit addresses.
+
+Cc: stable@vger.kernel.org
+Fixes: 0225a90981c8 ("drm/i915: Make cursor plane registers unlocked")
+Reported-by: Borislav Petkov <bp@alien8.de>
+Closes: https://lore.kernel.org/intel-gfx/20240227100342.GAZd2zfmYcPS_SndtO@fat_crate.local/
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240325175738.3440-1-ville.syrjala@linux.intel.com
+Tested-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Chaitanya Kumar Borah <chaitanya.kumar.borah@intel.com>
+(cherry picked from commit c1289a5c3594cf04caa94ebf0edeb50c62009f1f)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_cursor.c        |    4 +---
+ drivers/gpu/drm/i915/display/intel_display_types.h |    1 +
+ drivers/gpu/drm/i915/display/intel_fb_pin.c        |   10 ++++++++++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_cursor.c
++++ b/drivers/gpu/drm/i915/display/intel_cursor.c
+@@ -35,12 +35,10 @@ static u32 intel_cursor_base(const struc
+ {
+       struct drm_i915_private *dev_priv =
+               to_i915(plane_state->uapi.plane->dev);
+-      const struct drm_framebuffer *fb = plane_state->hw.fb;
+-      struct drm_i915_gem_object *obj = intel_fb_obj(fb);
+       u32 base;
+       if (DISPLAY_INFO(dev_priv)->cursor_needs_physical)
+-              base = i915_gem_object_get_dma_address(obj, 0);
++              base = plane_state->phys_dma_addr;
+       else
+               base = intel_plane_ggtt_offset(plane_state);
+--- a/drivers/gpu/drm/i915/display/intel_display_types.h
++++ b/drivers/gpu/drm/i915/display/intel_display_types.h
+@@ -719,6 +719,7 @@ struct intel_plane_state {
+ #define PLANE_HAS_FENCE BIT(0)
+       struct intel_fb_view view;
++      u32 phys_dma_addr; /* for cursor_needs_physical */
+       /* Plane pxp decryption state */
+       bool decrypt;
+--- a/drivers/gpu/drm/i915/display/intel_fb_pin.c
++++ b/drivers/gpu/drm/i915/display/intel_fb_pin.c
+@@ -255,6 +255,16 @@ int intel_plane_pin_fb(struct intel_plan
+                       return PTR_ERR(vma);
+               plane_state->ggtt_vma = vma;
++
++              /*
++               * Pre-populate the dma address before we enter the vblank
++               * evade critical section as i915_gem_object_get_dma_address()
++               * will trigger might_sleep() even if it won't actually sleep,
++               * which is the case when the fb has already been pinned.
++               */
++              if (phys_cursor)
++                      plane_state->phys_dma_addr =
++                              i915_gem_object_get_dma_address(intel_fb_obj(fb), 0);
+       } else {
+               struct intel_framebuffer *intel_fb = to_intel_framebuffer(fb);
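Review bot: The assignment `plane_state->phys_dma_addr = i915_gem_object_get_dma_address(intel_fb_obj(fb), 0);` in the intel_fb_pin.c hunk stores the returned DMA address in the new `u32` field with no check, so an address above 4 GiB would be silently truncated and `intel_cursor_base()` would then hand the hardware the wrong physical page. The commit message states that this class of hardware does not support addresses wider than 32 bits, but nothing in the code records or enforces that assumption. I would hold the value in a local `dma_addr_t` and warn on `upper_32_bits()` being non-zero before storing it, or at minimum widen the field comment to `/* for cursor_needs_physical; set at fb pin time, must fit in 32 bits */`. intel_plane_pin_fb() starts and ends outside the hunk, so whether the field is cleared again on unpin cannot be confirmed from here.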
diff --git a/queue-6.8/drm-i915-vma-fix-uaf-on-destroy-against-retire-race.patch b/queue-6.8/drm-i915-vma-fix-uaf-on-destroy-against-retire-race.patch
new file mode 100644 (file)
index 0000000..b6edcca
--- /dev/null
@@ -0,0 +1,201 @@
+From 0e45882ca829b26b915162e8e86dbb1095768e9e Mon Sep 17 00:00:00 2001
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Date: Tue, 5 Mar 2024 15:35:06 +0100
+Subject: drm/i915/vma: Fix UAF on destroy against retire race
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+
+commit 0e45882ca829b26b915162e8e86dbb1095768e9e upstream.
+
+Object debugging tools were sporadically reporting illegal attempts to
+free a still active i915 VMA object when parking a GT believed to be idle.
+
+[161.359441] ODEBUG: free active (active state 0) object: ffff88811643b958 object type: i915_active hint: __i915_vma_active+0x0/0x50 [i915]
+[161.360082] WARNING: CPU: 5 PID: 276 at lib/debugobjects.c:514 debug_print_object+0x80/0xb0
+...
+[161.360304] CPU: 5 PID: 276 Comm: kworker/5:2 Not tainted 6.5.0-rc1-CI_DRM_13375-g003f860e5577+ #1
+[161.360314] Hardware name: Intel Corporation Rocket Lake Client Platform/RocketLake S UDIMM 6L RVP, BIOS RKLSFWI1.R00.3173.A03.2204210138 04/21/2022
+[161.360322] Workqueue: i915-unordered __intel_wakeref_put_work [i915]
+[161.360592] RIP: 0010:debug_print_object+0x80/0xb0
+...
+[161.361347] debug_object_free+0xeb/0x110
+[161.361362] i915_active_fini+0x14/0x130 [i915]
+[161.361866] release_references+0xfe/0x1f0 [i915]
+[161.362543] i915_vma_parked+0x1db/0x380 [i915]
+[161.363129] __gt_park+0x121/0x230 [i915]
+[161.363515] ____intel_wakeref_put_last+0x1f/0x70 [i915]
+
+That has been tracked down to be happening when another thread is
+deactivating the VMA inside __active_retire() helper, after the VMA's
+active counter has been already decremented to 0, but before deactivation
+of the VMA's object is reported to the object debugging tool.
+
+We could prevent from that race by serializing i915_active_fini() with
+__active_retire() via ref->tree_lock, but that wouldn't stop the VMA from
+being used, e.g. from __i915_vma_retire() called at the end of
+__active_retire(), after that VMA has been already freed by a concurrent
+i915_vma_destroy() on return from the i915_active_fini().  Then, we should
+rather fix the issue at the VMA level, not in i915_active.
+
+Since __i915_vma_parked() is called from __gt_park() on last put of the
+GT's wakeref, the issue could be addressed by holding the GT wakeref long
+enough for __active_retire() to complete before that wakeref is released
+and the GT parked.
+
+I believe the issue was introduced by commit d93939730347 ("drm/i915:
+Remove the vma refcount") which moved a call to i915_active_fini() from
+a dropped i915_vma_release(), called on last put of the removed VMA kref,
+to i915_vma_parked() processing path called on last put of a GT wakeref.
+However, its visibility to the object debugging tool was suppressed by a
+bug in i915_active that was fixed two weeks later with commit e92eb246feb9
+("drm/i915/active: Fix missing debug object activation").
+
+A VMA associated with a request doesn't acquire a GT wakeref by itself.
+Instead, it depends on a wakeref held directly by the request's active
+intel_context for a GT associated with its VM, and indirectly on that
+intel_context's engine wakeref if the engine belongs to the same GT as the
+VMA's VM.  Those wakerefs are released asynchronously to VMA deactivation.
+
+Fix the issue by getting a wakeref for the VMA's GT when activating it,
+and putting that wakeref only after the VMA is deactivated.  However,
+exclude global GTT from that processing path, otherwise the GPU never goes
+idle.  Since __i915_vma_retire() may be called from atomic contexts, use
+async variant of wakeref put.  Also, to avoid circular locking dependency,
+take care of acquiring the wakeref before VM mutex when both are needed.
+
+v7: Add inline comments with justifications for:
+    - using untracked variants of intel_gt_pm_get/put() (Nirmoy),
+    - using async variant of _put(),
+    - not getting the wakeref in case of a global GTT,
+    - always getting the first wakeref outside vm->mutex.
+v6: Since __i915_vma_active/retire() callbacks are not serialized, storing
+    a wakeref tracking handle inside struct i915_vma is not safe, and
+    there is no other good place for that.  Use untracked variants of
+    intel_gt_pm_get/put_async().
+v5: Replace "tile" with "GT" across commit description (Rodrigo),
+  - avoid mentioning multi-GT case in commit description (Rodrigo),
+  - explain why we need to take a temporary wakeref unconditionally inside
+    i915_vma_pin_ww() (Rodrigo).
+v4: Refresh on top of commit 5e4e06e4087e ("drm/i915: Track gt pm
+    wakerefs") (Andi),
+  - for more easy backporting, split out removal of former insufficient
+    workarounds and move them to separate patches (Nirmoy).
+  - clean up commit message and description a bit.
+v3: Identify root cause more precisely, and a commit to blame,
+  - identify and drop former workarounds,
+  - update commit message and description.
+v2: Get the wakeref before VM mutex to avoid circular locking dependency,
+  - drop questionable Fixes: tag.
+
+Fixes: d93939730347 ("drm/i915: Remove the vma refcount")
+Closes: https://gitlab.freedesktop.org/drm/intel/issues/8875
+Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
+Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Cc: Nirmoy Das <nirmoy.das@intel.com>
+Cc: Andi Shyti <andi.shyti@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: stable@vger.kernel.org # v5.19+
+Reviewed-by: Nirmoy Das <nirmoy.das@intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240305143747.335367-6-janusz.krzysztofik@linux.intel.com
+(cherry picked from commit f3c71b2ded5c4367144a810ef25f998fd1d6c381)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/i915_vma.c |   50 ++++++++++++++++++++++++++++++++++------
+ 1 file changed, 43 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_vma.c
++++ b/drivers/gpu/drm/i915/i915_vma.c
+@@ -34,6 +34,7 @@
+ #include "gt/intel_engine.h"
+ #include "gt/intel_engine_heartbeat.h"
+ #include "gt/intel_gt.h"
++#include "gt/intel_gt_pm.h"
+ #include "gt/intel_gt_requests.h"
+ #include "gt/intel_tlb.h"
+@@ -103,12 +104,42 @@ static inline struct i915_vma *active_to
+ static int __i915_vma_active(struct i915_active *ref)
+ {
+-      return i915_vma_tryget(active_to_vma(ref)) ? 0 : -ENOENT;
++      struct i915_vma *vma = active_to_vma(ref);
++
++      if (!i915_vma_tryget(vma))
++              return -ENOENT;
++
++      /*
++       * Exclude global GTT VMA from holding a GT wakeref
++       * while active, otherwise GPU never goes idle.
++       */
++      if (!i915_vma_is_ggtt(vma)) {
++              /*
++               * Since we and our _retire() counterpart can be
++               * called asynchronously, storing a wakeref tracking
++               * handle inside struct i915_vma is not safe, and
++               * there is no other good place for that.  Hence,
++               * use untracked variants of intel_gt_pm_get/put().
++               */
++              intel_gt_pm_get_untracked(vma->vm->gt);
++      }
++
++      return 0;
+ }
+ static void __i915_vma_retire(struct i915_active *ref)
+ {
+-      i915_vma_put(active_to_vma(ref));
++      struct i915_vma *vma = active_to_vma(ref);
++
++      if (!i915_vma_is_ggtt(vma)) {
++              /*
++               * Since we can be called from atomic contexts,
++               * use an async variant of intel_gt_pm_put().
++               */
++              intel_gt_pm_put_async_untracked(vma->vm->gt);
++      }
++
++      i915_vma_put(vma);
+ }
+ static struct i915_vma *
+@@ -1404,7 +1435,7 @@ int i915_vma_pin_ww(struct i915_vma *vma
+       struct i915_vma_work *work = NULL;
+       struct dma_fence *moving = NULL;
+       struct i915_vma_resource *vma_res = NULL;
+-      intel_wakeref_t wakeref = 0;
++      intel_wakeref_t wakeref;
+       unsigned int bound;
+       int err;
+@@ -1424,8 +1455,14 @@ int i915_vma_pin_ww(struct i915_vma *vma
+       if (err)
+               return err;
+-      if (flags & PIN_GLOBAL)
+-              wakeref = intel_runtime_pm_get(&vma->vm->i915->runtime_pm);
++      /*
++       * In case of a global GTT, we must hold a runtime-pm wakeref
++       * while global PTEs are updated.  In other cases, we hold
++       * the rpm reference while the VMA is active.  Since runtime
++       * resume may require allocations, which are forbidden inside
++       * vm->mutex, get the first rpm wakeref outside of the mutex.
++       */
++      wakeref = intel_runtime_pm_get(&vma->vm->i915->runtime_pm);
+       if (flags & vma->vm->bind_async_flags) {
+               /* lock VM */
+@@ -1561,8 +1598,7 @@ err_fence:
+       if (work)
+               dma_fence_work_commit_imm(&work->base);
+ err_rpm:
+-      if (wakeref)
+-              intel_runtime_pm_put(&vma->vm->i915->runtime_pm, wakeref);
++      intel_runtime_pm_put(&vma->vm->i915->runtime_pm, wakeref);
+       if (moving)
+               dma_fence_put(moving);
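Review bot: In `__i915_vma_retire()` the new code dereferences `vma->vm->gt` for the wakeref put and only afterwards calls `i915_vma_put(vma)`; that order looks load-bearing, because the reference dropped by `i915_vma_put()` may be what keeps the VMA alive, yet the function does not say so. A later cleanup that swaps the two calls would reintroduce a use-after-free of the kind this patch fixes, so I would add a line to the existing comment such as `/* Must come before i915_vma_put(): the vma may be freed once that reference is dropped. */` (hedged, since i915_vma_put() itself is not visible here). Separately, `wakeref` in `i915_vma_pin_ww()` loses its `= 0` initialiser while `err_rpm:` now puts it unconditionally. The visible early `return err` happens before the get, but that function continues outside the hunks, so every path that reaches `err_rpm` should be confirmed to run after `intel_runtime_pm_get()`.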
diff --git a/queue-6.8/drm-i915-vrr-generate-vrr-safe-window-for-dsb.patch b/queue-6.8/drm-i915-vrr-generate-vrr-safe-window-for-dsb.patch
new file mode 100644 (file)
index 0000000..eea1bad
--- /dev/null
@@ -0,0 +1,66 @@
+From f7d3b9277ff7eb8e84e6f8554d1c2dd78278a572 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 6 Mar 2024 06:08:04 +0200
+Subject: drm/i915/vrr: Generate VRR "safe window" for DSB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit f7d3b9277ff7eb8e84e6f8554d1c2dd78278a572 upstream.
+
+Looks like TRANS_CHICKEN bit 31 means something totally different
+depending on the platform:
+TGL: generate VRR "safe window" for DSB
+ADL/DG2: make TRANS_SET_CONTEXT_LATENCY effective with VRR
+
+So far we've only set this on ADL/DG2, but when using DSB+VRR
+we also need to set it on TGL.
+
+And a quick test on MTL says it doesn't need this bit for either
+of those purposes, even though it's still documented as valid
+in bspec.
+
+Cc: stable@vger.kernel.org
+Fixes: 34d8311f4a1c ("drm/i915/dsb: Re-instate DSB for LUT updates")
+Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9927
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240306040806.21697-2-ville.syrjala@linux.intel.com
+Reviewed-by: Animesh Manna <animesh.manna@intel.com>
+(cherry picked from commit 810e4519a1b34b5a0ff0eab32e5b184f533c5ee9)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_vrr.c |    7 ++++---
+ drivers/gpu/drm/i915/i915_reg.h          |    2 +-
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_vrr.c
++++ b/drivers/gpu/drm/i915/display/intel_vrr.c
+@@ -187,10 +187,11 @@ void intel_vrr_set_transcoder_timings(co
+       enum transcoder cpu_transcoder = crtc_state->cpu_transcoder;
+       /*
+-       * TRANS_SET_CONTEXT_LATENCY with VRR enabled
+-       * requires this chicken bit on ADL/DG2.
++       * This bit seems to have two meanings depending on the platform:
++       * TGL: generate VRR "safe window" for DSB vblank waits
++       * ADL/DG2: make TRANS_SET_CONTEXT_LATENCY effective with VRR
+        */
+-      if (DISPLAY_VER(dev_priv) == 13)
++      if (IS_DISPLAY_VER(dev_priv, 12, 13))
+               intel_de_rmw(dev_priv, CHICKEN_TRANS(cpu_transcoder),
+                            0, PIPE_VBLANK_WITH_DELAY);
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -4597,7 +4597,7 @@
+ #define MTL_CHICKEN_TRANS(trans)      _MMIO_TRANS((trans), \
+                                                   _MTL_CHICKEN_TRANS_A, \
+                                                   _MTL_CHICKEN_TRANS_B)
+-#define   PIPE_VBLANK_WITH_DELAY      REG_BIT(31) /* ADL/DG2 */
++#define   PIPE_VBLANK_WITH_DELAY      REG_BIT(31) /* tgl+ */
+ #define   SKL_UNMASK_VBL_TO_PIPE_IN_SRD       REG_BIT(30) /* skl+ */
+ #define   HSW_FRAME_START_DELAY_MASK  REG_GENMASK(28, 27)
+ #define   HSW_FRAME_START_DELAY(x)    REG_FIELD_PREP(HSW_FRAME_START_DELAY_MASK, x)
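Review bot: The annotation on `PIPE_VBLANK_WITH_DELAY` in the i915_reg.h hunk becomes `/* tgl+ */`, which hides two things the intel_vrr.c comment spells out: the bit has a different meaning on TGL than on ADL/DG2, and the driver sets it only for display versions 12 to 13. Someone picking the bit up from the header alone would assume one meaning on every platform from TGL onward. I would make the register comment point at the explanation, for example `/* tgl+; meaning differs per platform, see intel_vrr_set_transcoder_timings() */`. intel_vrr_set_transcoder_timings() starts and ends outside the hunk.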
index b81dbeaef5f850491f34e0417fa0003e9601f2a0..005f6856d6396c633b588c92f6da3b264df934ff 100644 (file)
@@ -327,3 +327,13 @@ drm-amdkfd-fix-tlb-flush-after-unmap-for-gfx9.4.2.patch
 drm-amdgpu-fix-deadlock-while-reading-mqd-from-debugfs.patch
 drm-amd-display-remove-mpc-rate-control-logic-from-dcn30-and-above.patch
 drm-amd-display-set-dcn351-bb-and-ip-the-same-as-dcn35.patch
+drm-i915-hwmon-fix-locking-inversion-in-sysfs-getter.patch
+drm-i915-vma-fix-uaf-on-destroy-against-retire-race.patch
+drm-i915-bios-tolerate-devdata-null-in-intel_bios_encoder_supports_dp_dual_mode.patch
+drm-i915-vrr-generate-vrr-safe-window-for-dsb.patch
+drm-i915-dsi-go-back-to-the-previous-init_otp-display_on-order-mostly.patch
+drm-i915-dsb-fix-dsb-vblank-waits-when-using-vrr.patch
+drm-i915-do-not-match-jsl-in-ehl_combo_pll_div_frac_wa_needed.patch
+drm-i915-pre-populate-the-cursor-physical-dma-address.patch
+drm-i915-gt-reset-queue_priority_hint-on-parking.patch
+drm-amd-display-fix-bounds-check-for-dcn35-dcfclocks.patch