--- /dev/null
+From ce55101e6ba188296dbdb9506665d26f23110292 Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+Date: Fri, 15 Nov 2024 13:55:13 +0100
+Subject: drm/msm/dpu: fix x1e80100 intf_6 underrun/vsync interrupt
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+commit ce55101e6ba188296dbdb9506665d26f23110292 upstream.
+
+The IRQ indexes for the intf_6 underrun/vsync interrupts are swapped.
+DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16) is the actual underrun interrupt and
+DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17) is the vsync interrupt.
+
+This causes timeout errors when using the DP2 controller, e.g.
+ [dpu error]enc37 frame done timeout
+ *ERROR* irq timeout id=37, intf_mode=INTF_MODE_VIDEO intf=6 wb=-1, pp=2, intr=0
+ *ERROR* wait disable failed: id:37 intf:6 ret:-110
+
+Correct them to fix these errors and make DP2 work properly.
+
+Cc: stable@vger.kernel.org
+Fixes: e3b1f369db5a ("drm/msm/dpu: Add X1E80100 support")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/624681/
+Link: https://lore.kernel.org/r/20241115-x1e80100-dp2-fix-v1-1-727b9fe6f390@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h
+@@ -391,8 +391,8 @@ static const struct dpu_intf_cfg x1e8010
+ .type = INTF_DP,
+ .controller_id = MSM_DP_CONTROLLER_2,
+ .prog_fetch_lines_worst_case = 24,
+- .intr_underrun = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17),
+- .intr_vsync = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16),
++ .intr_underrun = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16),
++ .intr_vsync = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17),
+ }, {
+ .name = "intf_7", .id = INTF_7,
+ .base = 0x3b000, .len = 0x280,
--- /dev/null
+From d9f55e2abfb933818c772eba659a9b7ab28a44d0 Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Date: Mon, 9 Dec 2024 12:04:24 +0200
+Subject: drm/msm/dpu1: don't choke on disabling the writeback connector
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+commit d9f55e2abfb933818c772eba659a9b7ab28a44d0 upstream.
+
+During suspend/resume process all connectors are explicitly disabled and
+then reenabled. However resume fails because of the connector_status check:
+
+[dpu error]connector not connected 3
+[drm:drm_mode_config_helper_resume [drm_kms_helper]] *ERROR* Failed to resume (-22)
+
+It doesn't make sense to check for the Writeback connected status (and
+other drivers don't perform such check), so drop the check.
+
+It wasn't a problem before the commit 71174f362d67 ("drm/msm/dpu: move
+writeback's atomic_check to dpu_writeback.c"), since encoder's
+atomic_check() is called under a different conditions that the
+connector's atomic_check() (e.g. it is not called if there is no
+connected CRTC or if the corresponding connector is not a part of the
+new state).
+
+Fixes: 71174f362d67 ("drm/msm/dpu: move writeback's atomic_check to dpu_writeback.c")
+Cc: stable@vger.kernel.org
+Reported-by: Leonard Lausen <leonard@lausen.nl>
+Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/57
+Tested-by: Leonard Lausen <leonard@lausen.nl> # on sc7180 lazor
+Tested-by: György Kurucz <me@kuruczgy.com>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Tested-by: Jessica Zhang <quic_jesszhan@quicinc.com> # Trogdor (sc7180)
+Patchwork: https://patchwork.freedesktop.org/patch/627828/
+Link: https://lore.kernel.org/r/20241209-dpu-fix-wb-v4-1-7fe93059f9e0@linaro.org
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
+@@ -42,9 +42,6 @@ static int dpu_wb_conn_atomic_check(stru
+ if (!conn_state || !conn_state->connector) {
+ DPU_ERROR("invalid connector state\n");
+ return -EINVAL;
+- } else if (conn_state->connector->status != connector_status_connected) {
+- DPU_ERROR("connector not connected %d\n", conn_state->connector->status);
+- return -EINVAL;
+ }
+
+ crtc = conn_state->crtc;
--- /dev/null
+From 3a47f4b439beb98e955d501c609dfd12b7836d61 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 15 Nov 2024 17:50:08 +0300
+Subject: drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 3a47f4b439beb98e955d501c609dfd12b7836d61 upstream.
+
+The "submit->cmd[i].size" and "submit->cmd[i].offset" variables are u32
+values that come from the user via the submit_lookup_cmds() function.
+This addition could lead to an integer wrapping bug so use size_add()
+to prevent that.
+
+Fixes: 198725337ef1 ("drm/msm: fix cmdstream size check")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/624696/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -787,8 +787,7 @@ int msm_ioctl_gem_submit(struct drm_devi
+ goto out;
+
+ if (!submit->cmd[i].size ||
+- ((submit->cmd[i].size + submit->cmd[i].offset) >
+- obj->size / 4)) {
++ (size_add(submit->cmd[i].size, submit->cmd[i].offset) > obj->size / 4)) {
+ SUBMIT_ERROR(submit, "invalid cmdstream size: %u\n", submit->cmd[i].size * 4);
+ ret = -EINVAL;
+ goto out;
--- /dev/null
+From 6389e616fae8a101ce00068f7690461ab57b29d8 Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
+Date: Tue, 17 Dec 2024 07:31:35 +0200
+Subject: drm/rcar-du: dsi: Fix PHY lock bit check
+
+From: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
+
+commit 6389e616fae8a101ce00068f7690461ab57b29d8 upstream.
+
+The driver checks for bit 16 (using CLOCKSET1_LOCK define) in CLOCKSET1
+register when waiting for the PPI clock. However, the right bit to check
+is bit 17 (CLOCKSET1_LOCK_PHY define). Not only that, but there's
+nothing in the documents for bit 16 for V3U nor V4H.
+
+So, fix the check to use bit 17, and drop the define for bit 16.
+
+Fixes: 155358310f01 ("drm: rcar-du: Add R-Car DSI driver")
+Fixes: 11696c5e8924 ("drm: Place Renesas drivers in a separate dir")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241217-rcar-gh-dsi-v5-1-e77421093c05@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi.c | 2 +-
+ drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi_regs.h | 1 -
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi.c
++++ b/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi.c
+@@ -587,7 +587,7 @@ static int rcar_mipi_dsi_startup(struct
+ for (timeout = 10; timeout > 0; --timeout) {
+ if ((rcar_mipi_dsi_read(dsi, PPICLSR) & PPICLSR_STPST) &&
+ (rcar_mipi_dsi_read(dsi, PPIDLSR) & PPIDLSR_STPST) &&
+- (rcar_mipi_dsi_read(dsi, CLOCKSET1) & CLOCKSET1_LOCK))
++ (rcar_mipi_dsi_read(dsi, CLOCKSET1) & CLOCKSET1_LOCK_PHY))
+ break;
+
+ usleep_range(1000, 2000);
+--- a/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi_regs.h
++++ b/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi_regs.h
+@@ -142,7 +142,6 @@
+
+ #define CLOCKSET1 0x101c
+ #define CLOCKSET1_LOCK_PHY (1 << 17)
+-#define CLOCKSET1_LOCK (1 << 16)
+ #define CLOCKSET1_CLKSEL (1 << 8)
+ #define CLOCKSET1_CLKINSEL_EXTAL (0 << 2)
+ #define CLOCKSET1_CLKINSEL_DIG (1 << 2)
--- /dev/null
+From 361a2ebb5cad211732ec3c5d962de49b21895590 Mon Sep 17 00:00:00 2001
+From: Devarsh Thakkar <devarsht@ti.com>
+Date: Mon, 21 Oct 2024 17:07:49 +0300
+Subject: drm/tidss: Clear the interrupt status for interrupts being disabled
+
+From: Devarsh Thakkar <devarsht@ti.com>
+
+commit 361a2ebb5cad211732ec3c5d962de49b21895590 upstream.
+
+The driver does not touch the irqstatus register when it is disabling
+interrupts. This might cause an interrupt to trigger for an interrupt
+that was just disabled.
+
+To fix the issue, clear the irqstatus registers right after disabling
+the interrupts.
+
+Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem")
+Cc: stable@vger.kernel.org
+Reported-by: Jonathan Cormier <jcormier@criticallink.com>
+Closes: https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1394222/am625-issue-about-tidss-rcu_preempt-self-detected-stall-on-cpu/5424479#5424479
+Signed-off-by: Devarsh Thakkar <devarsht@ti.com>
+[Tomi: mostly rewrote the patch]
+Reviewed-by: Jonathan Cormier <jcormier@criticallink.com>
+Tested-by: Jonathan Cormier <jcormier@criticallink.com>
+Reviewed-by: Aradhya Bhatia <aradhya.bhatia@linux.dev>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241021-tidss-irq-fix-v1-5-82ddaec94e4a@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tidss/tidss_dispc.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/tidss/tidss_dispc.c
++++ b/drivers/gpu/drm/tidss/tidss_dispc.c
+@@ -700,7 +700,7 @@ void dispc_k2g_set_irqenable(struct disp
+ {
+ dispc_irq_t old_mask = dispc_k2g_read_irqenable(dispc);
+
+- /* clear the irqstatus for newly enabled irqs */
++ /* clear the irqstatus for irqs that will be enabled */
+ dispc_k2g_clear_irqstatus(dispc, (mask ^ old_mask) & mask);
+
+ dispc_k2g_vp_set_irqenable(dispc, 0, mask);
+@@ -708,6 +708,9 @@ void dispc_k2g_set_irqenable(struct disp
+
+ dispc_write(dispc, DISPC_IRQENABLE_SET, (1 << 0) | (1 << 7));
+
++ /* clear the irqstatus for irqs that were disabled */
++ dispc_k2g_clear_irqstatus(dispc, (mask ^ old_mask) & old_mask);
++
+ /* flush posted write */
+ dispc_k2g_read_irqenable(dispc);
+ }
+@@ -839,7 +842,7 @@ static void dispc_k3_set_irqenable(struc
+
+ old_mask = dispc_k3_read_irqenable(dispc);
+
+- /* clear the irqstatus for newly enabled irqs */
++ /* clear the irqstatus for irqs that will be enabled */
+ dispc_k3_clear_irqstatus(dispc, (old_mask ^ mask) & mask);
+
+ for (i = 0; i < dispc->feat->num_vps; ++i) {
+@@ -864,6 +867,9 @@ static void dispc_k3_set_irqenable(struc
+ if (main_disable)
+ dispc_write(dispc, DISPC_IRQENABLE_CLR, main_disable);
+
++ /* clear the irqstatus for irqs that were disabled */
++ dispc_k3_clear_irqstatus(dispc, (old_mask ^ mask) & old_mask);
++
+ /* Flush posted writes */
+ dispc_read(dispc, DISPC_IRQENABLE_SET);
+ }
--- /dev/null
+From 44b6730ab53ef04944fbaf6da0e77397531517b7 Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Date: Mon, 21 Oct 2024 17:07:45 +0300
+Subject: drm/tidss: Fix issue in irq handling causing irq-flood issue
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+commit 44b6730ab53ef04944fbaf6da0e77397531517b7 upstream.
+
+It has been observed that sometimes DSS will trigger an interrupt and
+the top level interrupt (DISPC_IRQSTATUS) is not zero, but the VP and
+VID level interrupt-statuses are zero.
+
+As the top level irqstatus is supposed to tell whether we have VP/VID
+interrupts, the thinking of the driver authors was that this particular
+case could never happen. Thus the driver only clears the DISPC_IRQSTATUS
+bits which has corresponding interrupts in VP/VID status. So when this
+issue happens, the driver will not clear DISPC_IRQSTATUS, and we get an
+interrupt flood.
+
+It is unclear why the issue happens. It could be a race issue in the
+driver, but no such race has been found. It could also be an issue with
+the HW. However a similar case can be easily triggered by manually
+writing to DISPC_IRQSTATUS_RAW. This will forcibly set a bit in the
+DISPC_IRQSTATUS and trigger an interrupt, and as the driver never clears
+the bit, we get an interrupt flood.
+
+To fix the issue, always clear DISPC_IRQSTATUS. The concern with this
+solution is that if the top level irqstatus is the one that triggers the
+interrupt, always clearing DISPC_IRQSTATUS might leave some interrupts
+unhandled if VP/VID interrupt statuses have bits set. However, testing
+shows that if any of the irqstatuses is set (i.e. even if
+DISPC_IRQSTATUS == 0, but a VID irqstatus has a bit set), we will get an
+interrupt.
+
+Co-developed-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Co-developed-by: Devarsh Thakkar <devarsht@ti.com>
+Signed-off-by: Devarsh Thakkar <devarsht@ti.com>
+Co-developed-by: Jonathan Cormier <jcormier@criticallink.com>
+Signed-off-by: Jonathan Cormier <jcormier@criticallink.com>
+Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem")
+Cc: stable@vger.kernel.org
+Tested-by: Jonathan Cormier <jcormier@criticallink.com>
+Reviewed-by: Aradhya Bhatia <aradhya.bhatia@linux.dev>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241021-tidss-irq-fix-v1-1-82ddaec94e4a@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tidss/tidss_dispc.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/tidss/tidss_dispc.c
++++ b/drivers/gpu/drm/tidss/tidss_dispc.c
+@@ -780,24 +780,20 @@ static
+ void dispc_k3_clear_irqstatus(struct dispc_device *dispc, dispc_irq_t clearmask)
+ {
+ unsigned int i;
+- u32 top_clear = 0;
+
+ for (i = 0; i < dispc->feat->num_vps; ++i) {
+- if (clearmask & DSS_IRQ_VP_MASK(i)) {
++ if (clearmask & DSS_IRQ_VP_MASK(i))
+ dispc_k3_vp_write_irqstatus(dispc, i, clearmask);
+- top_clear |= BIT(i);
+- }
+ }
+ for (i = 0; i < dispc->feat->num_planes; ++i) {
+- if (clearmask & DSS_IRQ_PLANE_MASK(i)) {
++ if (clearmask & DSS_IRQ_PLANE_MASK(i))
+ dispc_k3_vid_write_irqstatus(dispc, i, clearmask);
+- top_clear |= BIT(4 + i);
+- }
+ }
+ if (dispc->feat->subrev == DISPC_K2G)
+ return;
+
+- dispc_write(dispc, DISPC_IRQSTATUS, top_clear);
++ /* always clear the top level irqstatus */
++ dispc_write(dispc, DISPC_IRQSTATUS, dispc_read(dispc, DISPC_IRQSTATUS));
+
+ /* Flush posted writes */
+ dispc_read(dispc, DISPC_IRQSTATUS);
--- /dev/null
+From a9a73f2661e6f625d306c9b0ef082e4593f45a21 Mon Sep 17 00:00:00 2001
+From: Devarsh Thakkar <devarsht@ti.com>
+Date: Mon, 21 Oct 2024 17:07:50 +0300
+Subject: drm/tidss: Fix race condition while handling interrupt registers
+
+From: Devarsh Thakkar <devarsht@ti.com>
+
+commit a9a73f2661e6f625d306c9b0ef082e4593f45a21 upstream.
+
+The driver has a spinlock for protecting the irq_masks field and irq
+enable registers. However, the driver misses protecting the irq status
+registers which can lead to races.
+
+Take the spinlock when accessing irqstatus too.
+
+Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Devarsh Thakkar <devarsht@ti.com>
+[Tomi: updated the desc]
+Reviewed-by: Jonathan Cormier <jcormier@criticallink.com>
+Tested-by: Jonathan Cormier <jcormier@criticallink.com>
+Reviewed-by: Aradhya Bhatia <aradhya.bhatia@linux.dev>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241021-tidss-irq-fix-v1-6-82ddaec94e4a@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tidss/tidss_dispc.c | 4 ++++
+ drivers/gpu/drm/tidss/tidss_irq.c | 2 ++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/tidss/tidss_dispc.c
++++ b/drivers/gpu/drm/tidss/tidss_dispc.c
+@@ -2763,8 +2763,12 @@ static void dispc_init_errata(struct dis
+ */
+ static void dispc_softreset_k2g(struct dispc_device *dispc)
+ {
++ unsigned long flags;
++
++ spin_lock_irqsave(&dispc->tidss->wait_lock, flags);
+ dispc_set_irqenable(dispc, 0);
+ dispc_read_and_clear_irqstatus(dispc);
++ spin_unlock_irqrestore(&dispc->tidss->wait_lock, flags);
+
+ for (unsigned int vp_idx = 0; vp_idx < dispc->feat->num_vps; ++vp_idx)
+ VP_REG_FLD_MOD(dispc, vp_idx, DISPC_VP_CONTROL, 0, 0, 0);
+--- a/drivers/gpu/drm/tidss/tidss_irq.c
++++ b/drivers/gpu/drm/tidss/tidss_irq.c
+@@ -60,7 +60,9 @@ static irqreturn_t tidss_irq_handler(int
+ unsigned int id;
+ dispc_irq_t irqstatus;
+
++ spin_lock(&tidss->wait_lock);
+ irqstatus = dispc_read_and_clear_irqstatus(tidss->dispc);
++ spin_unlock(&tidss->wait_lock);
+
+ for (id = 0; id < tidss->num_crtcs; id++) {
+ struct drm_crtc *crtc = tidss->crtcs[id];
--- /dev/null
+From 21f1435b1e6b012a07c42f36b206d2b66fc8f13b Mon Sep 17 00:00:00 2001
+From: Christian Gmeiner <cgmeiner@igalia.com>
+Date: Mon, 18 Nov 2024 23:19:47 +0100
+Subject: drm/v3d: Stop active perfmon if it is being destroyed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian Gmeiner <cgmeiner@igalia.com>
+
+commit 21f1435b1e6b012a07c42f36b206d2b66fc8f13b upstream.
+
+If the active performance monitor (`v3d->active_perfmon`) is being
+destroyed, stop it first. Currently, the active perfmon is not
+stopped during destruction, leaving the `v3d->active_perfmon` pointer
+stale. This can lead to undefined behavior and instability.
+
+This patch ensures that the active perfmon is stopped before being
+destroyed, aligning with the behavior introduced in commit
+7d1fd3638ee3 ("drm/v3d: Stop the active perfmon before being destroyed").
+
+Cc: stable@vger.kernel.org # v5.15+
+Fixes: 26a4dc29b74a ("drm/v3d: Expose performance counters to userspace")
+Signed-off-by: Christian Gmeiner <cgmeiner@igalia.com>
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241118221948.1758130-1-christian.gmeiner@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/v3d/v3d_perfmon.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/v3d/v3d_perfmon.c
++++ b/drivers/gpu/drm/v3d/v3d_perfmon.c
+@@ -384,6 +384,7 @@ int v3d_perfmon_destroy_ioctl(struct drm
+ {
+ struct v3d_file_priv *v3d_priv = file_priv->driver_priv;
+ struct drm_v3d_perfmon_destroy *req = data;
++ struct v3d_dev *v3d = v3d_priv->v3d;
+ struct v3d_perfmon *perfmon;
+
+ mutex_lock(&v3d_priv->perfmon.lock);
+@@ -393,6 +394,10 @@ int v3d_perfmon_destroy_ioctl(struct drm
+ if (!perfmon)
+ return -EINVAL;
+
++ /* If the active perfmon is being destroyed, stop it first */
++ if (perfmon == v3d->active_perfmon)
++ v3d_perfmon_stop(v3d, perfmon, false);
++
+ v3d_perfmon_put(perfmon);
+
+ return 0;
--- /dev/null
+From 07089083a526ea19daa72a1edf9d6e209615b77c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?= <thomas.hellstrom@linux.intel.com>
+Date: Mon, 23 Dec 2024 14:42:50 +0100
+Subject: drm/xe/tracing: Fix a potential TP_printk UAF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+
+commit 07089083a526ea19daa72a1edf9d6e209615b77c upstream.
+
+The commit
+afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format")
+exposes potential UAFs in the xe_bo_move trace event.
+
+Fix those by avoiding dereferencing the
+xe_mem_type_to_name[] array at TP_printk time.
+
+Since some code refactoring has taken place, explicit backporting may
+be needed for kernels older than 6.10.
+
+Fixes: e46d3f813abd ("drm/xe/trace: Extract bo, vm, vma traces")
+Cc: Gustavo Sousa <gustavo.sousa@intel.com>
+Cc: Lucas De Marchi <lucas.demarchi@intel.com>
+Cc: Radhakrishna Sripada <radhakrishna.sripada@intel.com>
+Cc: Matt Roper <matthew.d.roper@intel.com>
+Cc: "Thomas Hellström" <thomas.hellstrom@linux.intel.com>
+Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Cc: intel-xe@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v6.11+
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reviewed-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241223134250.14345-1-thomas.hellstrom@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_trace_bo.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_trace_bo.h
++++ b/drivers/gpu/drm/xe/xe_trace_bo.h
+@@ -55,8 +55,8 @@ TRACE_EVENT(xe_bo_move,
+ TP_STRUCT__entry(
+ __field(struct xe_bo *, bo)
+ __field(size_t, size)
+- __field(u32, new_placement)
+- __field(u32, old_placement)
++ __string(new_placement_name, xe_mem_type_to_name[new_placement])
++ __string(old_placement_name, xe_mem_type_to_name[old_placement])
+ __string(device_id, __dev_name_bo(bo))
+ __field(bool, move_lacks_source)
+ ),
+@@ -64,15 +64,15 @@ TRACE_EVENT(xe_bo_move,
+ TP_fast_assign(
+ __entry->bo = bo;
+ __entry->size = bo->size;
+- __entry->new_placement = new_placement;
+- __entry->old_placement = old_placement;
++ __assign_str(new_placement_name);
++ __assign_str(old_placement_name);
+ __assign_str(device_id);
+ __entry->move_lacks_source = move_lacks_source;
+ ),
+ TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s",
+ __entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size,
+- xe_mem_type_to_name[__entry->old_placement],
+- xe_mem_type_to_name[__entry->new_placement], __get_str(device_id))
++ __get_str(old_placement_name),
++ __get_str(new_placement_name), __get_str(device_id))
+ );
+
+ DECLARE_EVENT_CLASS(xe_vma,
btrfs-rename-__get_extent_map-and-pass-btrfs_inode.patch
btrfs-fix-stale-page-cache-after-race-between-readah.patch
ipv6-mcast-add-rcu-protection-to-mld_newpack.patch
+drm-tidss-fix-issue-in-irq-handling-causing-irq-flood-issue.patch
+drm-tidss-fix-race-condition-while-handling-interrupt-registers.patch
+drm-tidss-clear-the-interrupt-status-for-interrupts-being-disabled.patch
+drm-msm-gem-prevent-integer-overflow-in-msm_ioctl_gem_submit.patch
+drm-rcar-du-dsi-fix-phy-lock-bit-check.patch
+drm-msm-dpu-fix-x1e80100-intf_6-underrun-vsync-interrupt.patch
+drm-msm-dpu1-don-t-choke-on-disabling-the-writeback-connector.patch
+drm-v3d-stop-active-perfmon-if-it-is-being-destroyed.patch
+drm-xe-tracing-fix-a-potential-tp_printk-uaf.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
