drm-bridge-implement-generic-dp-hpd-bridge.patch
soc-qcom-pmic-glink-switch-to-drm_aux_hpd_bridge.patch
drm-bridge-aux-hpd-separate-allocation-and-registrat.patch
-soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch
dt-bindings-dma-fsl-edma-add-fsl-edma.h-to-prevent-h.patch
dmaengine-fsl-edma-utilize-common-dt-binding-header-.patch
dmaengine-fsl-edma-correct-max_segment_size-setting.patch
+++ /dev/null
-From 67a4099fba7bfae3544f7d85c0fb4e9e47c744b9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 17 Feb 2024 16:02:25 +0100
-Subject: soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free
-
-From: Johan Hovold <johan+linaro@kernel.org>
-
-[ Upstream commit b979f2d50a099f3402418d7ff5f26c3952fb08bb ]
-
-A recent DRM series purporting to simplify support for "transparent
-bridges" and handling of probe deferrals ironically exposed a
-use-after-free issue on pmic_glink_altmode probe deferral.
-
-This has manifested itself as the display subsystem occasionally failing
-to initialise and NULL-pointer dereferences during boot of machines like
-the Lenovo ThinkPad X13s.
-
-Specifically, the dp-hpd bridge is currently registered before all
-resources have been acquired which means that it can also be
-deregistered on probe deferrals.
-
-In the meantime there is a race window where the new aux bridge driver
-(or PHY driver previously) may have looked up the dp-hpd bridge and
-stored a (non-reference-counted) pointer to the bridge which is about to
-be deallocated.
-
-When the display controller is later initialised, this triggers a
-use-after-free when attaching the bridges:
-
- dp -> aux -> dp-hpd (freed)
-
-which may, for example, result in the freed bridge failing to attach:
-
- [drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16
-
-or a NULL-pointer dereference:
-
- Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
- ...
- Call trace:
- drm_bridge_attach+0x70/0x1a8 [drm]
- drm_aux_bridge_attach+0x24/0x38 [aux_bridge]
- drm_bridge_attach+0x80/0x1a8 [drm]
- dp_bridge_init+0xa8/0x15c [msm]
- msm_dp_modeset_init+0x28/0xc4 [msm]
-
-The DRM bridge implementation is clearly fragile and implicitly built on
-the assumption that bridges may never go away. In this case, the fix is
-to move the bridge registration in the pmic_glink_altmode driver to
-after all resources have been looked up.
-
-Incidentally, with the new dp-hpd bridge implementation, which registers
-child devices, this is also a requirement due to a long-standing issue
-in driver core that can otherwise lead to a probe deferral loop (see
-commit fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")).
-
-[DB: slightly fixed commit message by adding the word 'commit']
-Fixes: 080b4e24852b ("soc: qcom: pmic_glink: Introduce altmode support")
-Fixes: 2bcca96abfbf ("soc: qcom: pmic-glink: switch to DRM_AUX_HPD_BRIDGE")
-Cc: <stable@vger.kernel.org> # 6.3
-Cc: Bjorn Andersson <andersson@kernel.org>
-Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
-Reviewed-by: Bjorn Andersson <andersson@kernel.org>
-Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Link: https://patchwork.freedesktop.org/patch/msgid/20240217150228.5788-4-johan+linaro@kernel.org
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/soc/qcom/pmic_glink_altmode.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/soc/qcom/pmic_glink_altmode.c b/drivers/soc/qcom/pmic_glink_altmode.c
-index c07cddecc85e9..0b869de665101 100644
---- a/drivers/soc/qcom/pmic_glink_altmode.c
-+++ b/drivers/soc/qcom/pmic_glink_altmode.c
-@@ -76,7 +76,7 @@ struct pmic_glink_altmode_port {
-
- struct work_struct work;
-
-- struct device *bridge;
-+ struct auxiliary_device *bridge;
-
- enum typec_orientation orientation;
- u16 svid;
-@@ -230,7 +230,7 @@ static void pmic_glink_altmode_worker(struct work_struct *work)
- else
- pmic_glink_altmode_enable_usb(altmode, alt_port);
-
-- drm_aux_hpd_bridge_notify(alt_port->bridge,
-+ drm_aux_hpd_bridge_notify(&alt_port->bridge->dev,
- alt_port->hpd_state ?
- connector_status_connected :
- connector_status_disconnected);
-@@ -454,7 +454,7 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev,
- alt_port->index = port;
- INIT_WORK(&alt_port->work, pmic_glink_altmode_worker);
-
-- alt_port->bridge = drm_dp_hpd_bridge_register(dev, to_of_node(fwnode));
-+ alt_port->bridge = devm_drm_dp_hpd_bridge_alloc(dev, to_of_node(fwnode));
- if (IS_ERR(alt_port->bridge)) {
- fwnode_handle_put(fwnode);
- return PTR_ERR(alt_port->bridge);
-@@ -510,6 +510,16 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev,
- }
- }
-
-+ for (port = 0; port < ARRAY_SIZE(altmode->ports); port++) {
-+ alt_port = &altmode->ports[port];
-+ if (!alt_port->bridge)
-+ continue;
-+
-+ ret = devm_drm_dp_hpd_bridge_add(dev, alt_port->bridge);
-+ if (ret)
-+ return ret;
-+ }
-+
- altmode->client = devm_pmic_glink_register_client(dev,
- altmode->owner_id,
- pmic_glink_altmode_callback,
---
-2.43.0
-
drm-bridge-implement-generic-dp-hpd-bridge.patch
soc-qcom-pmic-glink-switch-to-drm_aux_hpd_bridge.patch
drm-bridge-aux-hpd-separate-allocation-and-registrat.patch
-soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch
dt-bindings-dma-fsl-edma-add-fsl-edma.h-to-prevent-h.patch
dmaengine-fsl-edma-utilize-common-dt-binding-header-.patch
dmaengine-fsl-edma-correct-max_segment_size-setting.patch
+++ /dev/null
-From 34ffd4992df436d6a57996dbb04e9105b44c6a9f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 17 Feb 2024 16:02:25 +0100
-Subject: soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free
-
-From: Johan Hovold <johan+linaro@kernel.org>
-
-[ Upstream commit b979f2d50a099f3402418d7ff5f26c3952fb08bb ]
-
-A recent DRM series purporting to simplify support for "transparent
-bridges" and handling of probe deferrals ironically exposed a
-use-after-free issue on pmic_glink_altmode probe deferral.
-
-This has manifested itself as the display subsystem occasionally failing
-to initialise and NULL-pointer dereferences during boot of machines like
-the Lenovo ThinkPad X13s.
-
-Specifically, the dp-hpd bridge is currently registered before all
-resources have been acquired which means that it can also be
-deregistered on probe deferrals.
-
-In the meantime there is a race window where the new aux bridge driver
-(or PHY driver previously) may have looked up the dp-hpd bridge and
-stored a (non-reference-counted) pointer to the bridge which is about to
-be deallocated.
-
-When the display controller is later initialised, this triggers a
-use-after-free when attaching the bridges:
-
- dp -> aux -> dp-hpd (freed)
-
-which may, for example, result in the freed bridge failing to attach:
-
- [drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16
-
-or a NULL-pointer dereference:
-
- Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
- ...
- Call trace:
- drm_bridge_attach+0x70/0x1a8 [drm]
- drm_aux_bridge_attach+0x24/0x38 [aux_bridge]
- drm_bridge_attach+0x80/0x1a8 [drm]
- dp_bridge_init+0xa8/0x15c [msm]
- msm_dp_modeset_init+0x28/0xc4 [msm]
-
-The DRM bridge implementation is clearly fragile and implicitly built on
-the assumption that bridges may never go away. In this case, the fix is
-to move the bridge registration in the pmic_glink_altmode driver to
-after all resources have been looked up.
-
-Incidentally, with the new dp-hpd bridge implementation, which registers
-child devices, this is also a requirement due to a long-standing issue
-in driver core that can otherwise lead to a probe deferral loop (see
-commit fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")).
-
-[DB: slightly fixed commit message by adding the word 'commit']
-Fixes: 080b4e24852b ("soc: qcom: pmic_glink: Introduce altmode support")
-Fixes: 2bcca96abfbf ("soc: qcom: pmic-glink: switch to DRM_AUX_HPD_BRIDGE")
-Cc: <stable@vger.kernel.org> # 6.3
-Cc: Bjorn Andersson <andersson@kernel.org>
-Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
-Reviewed-by: Bjorn Andersson <andersson@kernel.org>
-Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Link: https://patchwork.freedesktop.org/patch/msgid/20240217150228.5788-4-johan+linaro@kernel.org
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/soc/qcom/pmic_glink_altmode.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/soc/qcom/pmic_glink_altmode.c b/drivers/soc/qcom/pmic_glink_altmode.c
-index 1539ccb7a346d..e1d32e1b79902 100644
---- a/drivers/soc/qcom/pmic_glink_altmode.c
-+++ b/drivers/soc/qcom/pmic_glink_altmode.c
-@@ -76,7 +76,7 @@ struct pmic_glink_altmode_port {
-
- struct work_struct work;
-
-- struct device *bridge;
-+ struct auxiliary_device *bridge;
-
- enum typec_orientation orientation;
- u16 svid;
-@@ -230,7 +230,7 @@ static void pmic_glink_altmode_worker(struct work_struct *work)
- else
- pmic_glink_altmode_enable_usb(altmode, alt_port);
-
-- drm_aux_hpd_bridge_notify(alt_port->bridge,
-+ drm_aux_hpd_bridge_notify(&alt_port->bridge->dev,
- alt_port->hpd_state ?
- connector_status_connected :
- connector_status_disconnected);
-@@ -454,7 +454,7 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev,
- alt_port->index = port;
- INIT_WORK(&alt_port->work, pmic_glink_altmode_worker);
-
-- alt_port->bridge = drm_dp_hpd_bridge_register(dev, to_of_node(fwnode));
-+ alt_port->bridge = devm_drm_dp_hpd_bridge_alloc(dev, to_of_node(fwnode));
- if (IS_ERR(alt_port->bridge)) {
- fwnode_handle_put(fwnode);
- return PTR_ERR(alt_port->bridge);
-@@ -510,6 +510,16 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev,
- }
- }
-
-+ for (port = 0; port < ARRAY_SIZE(altmode->ports); port++) {
-+ alt_port = &altmode->ports[port];
-+ if (!alt_port->bridge)
-+ continue;
-+
-+ ret = devm_drm_dp_hpd_bridge_add(dev, alt_port->bridge);
-+ if (ret)
-+ return ret;
-+ }
-+
- altmode->client = devm_pmic_glink_register_client(dev,
- altmode->owner_id,
- pmic_glink_altmode_callback,
---
-2.43.0
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
