Fixes for 6.1

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-6.1/apparmor-fix-possible-null-pointer-dereference.patch b/queue-6.1/apparmor-fix-possible-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..f713ef9
--- /dev/null
+++ b/queue-6.1/apparmor-fix-possible-null-pointer-dereference.patch
@@ -0,0 +1,107 @@
+From e54a3dbd542c17e86634ff17e0b924927d389ccb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 01:12:29 +0900
+Subject: apparmor: fix possible NULL pointer dereference
+
+From: Leesoo Ahn <lsahn@ooseel.net>
+
+[ Upstream commit 3dd384108d53834002be5630132ad5c3f32166ad ]
+
+profile->parent->dents[AAFS_PROF_DIR] could be NULL only if its parent is made
+from __create_missing_ancestors(..) and 'ent->old' is NULL in
+aa_replace_profiles(..).
+In that case, it must return an error code and the code, -ENOENT represents
+its state that the path of its parent is not existed yet.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000030
+PGD 0 P4D 0
+PREEMPT SMP PTI
+CPU: 4 PID: 3362 Comm: apparmor_parser Not tainted 6.8.0-24-generic #24
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+RIP: 0010:aafs_create.constprop.0+0x7f/0x130
+Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae
+RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS:  00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ ? show_regs+0x6d/0x80
+ ? __die+0x24/0x80
+ ? page_fault_oops+0x99/0x1b0
+ ? kernelmode_fixup_or_oops+0xb2/0x140
+ ? __bad_area_nosemaphore+0x1a5/0x2c0
+ ? find_vma+0x34/0x60
+ ? bad_area_nosemaphore+0x16/0x30
+ ? do_user_addr_fault+0x2a2/0x6b0
+ ? exc_page_fault+0x83/0x1b0
+ ? asm_exc_page_fault+0x27/0x30
+ ? aafs_create.constprop.0+0x7f/0x130
+ ? aafs_create.constprop.0+0x51/0x130
+ __aafs_profile_mkdir+0x3d6/0x480
+ aa_replace_profiles+0x83f/0x1270
+ policy_update+0xe3/0x180
+ profile_load+0xbc/0x150
+ ? rw_verify_area+0x47/0x140
+ vfs_write+0x100/0x480
+ ? __x64_sys_openat+0x55/0xa0
+ ? syscall_exit_to_user_mode+0x86/0x260
+ ksys_write+0x73/0x100
+ __x64_sys_write+0x19/0x30
+ x64_sys_call+0x7e/0x25c0
+ do_syscall_64+0x7f/0x180
+ entry_SYSCALL_64_after_hwframe+0x78/0x80
+RIP: 0033:0x7be9f211c574
+Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d d5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89
+RSP: 002b:00007ffd26f2b8c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00005d504415e200 RCX: 00007be9f211c574
+RDX: 0000000000001fc1 RSI: 00005d504418bc80 RDI: 0000000000000004
+RBP: 0000000000001fc1 R08: 0000000000001fc1 R09: 0000000080000000
+R10: 0000000000000000 R11: 0000000000000202 R12: 00005d504418bc80
+R13: 0000000000000004 R14: 00007ffd26f2b9b0 R15: 00007ffd26f2ba30
+ </TASK>
+Modules linked in: snd_seq_dummy snd_hrtimer qrtr snd_hda_codec_generic snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device i2c_i801 snd_timer i2c_smbus qxl snd soundcore drm_ttm_helper lpc_ich ttm joydev input_leds serio_raw mac_hid binfmt_misc msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs qemu_fw_cfg ip_tables x_tables autofs4 hid_generic usbhid hid ahci libahci psmouse virtio_rng xhci_pci xhci_pci_renesas
+CR2: 0000000000000030
+---[ end trace 0000000000000000 ]---
+RIP: 0010:aafs_create.constprop.0+0x7f/0x130
+Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae
+RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+FS:  00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0
+
+Signed-off-by: Leesoo Ahn <lsahn@ooseel.net>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/apparmorfs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 7160e7aa58b9..ce7b2f43c319 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -1687,6 +1687,10 @@ int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
+               struct aa_profile *p;
+               p = aa_deref_parent(profile);
+               dent = prof_dir(p);
++              if (!dent) {
++                      error = -ENOENT;
++                      goto fail2;
++              }
+               /* adding to parent that previously didn't have children */
+               dent = aafs_create_dir("profiles", dent);
+               if (IS_ERR(dent))
+-- 
+2.43.0
+

diff --git a/queue-6.1/block-remove-the-blk_flush_integrity-call-in-blk_int.patch b/queue-6.1/block-remove-the-blk_flush_integrity-call-in-blk_int.patch
new file mode 100644 (file)
index 0000000..49ddda9
--- /dev/null
+++ b/queue-6.1/block-remove-the-blk_flush_integrity-call-in-blk_int.patch
@@ -0,0 +1,44 @@
+From b17ad227f43e9d28a73daaf3f100034f5bede9fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 10:48:16 +0200
+Subject: block: remove the blk_flush_integrity call in
+ blk_integrity_unregister
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit e8bc14d116aeac8f0f133ec8d249acf4e0658da7 ]
+
+Now that there are no indirect calls for PI processing there is no
+way to dereference a NULL pointer here.  Additionally drivers now always
+freeze the queue (or in case of stacking drivers use their internal
+equivalent) around changing the integrity profile.
+
+This is effectively a revert of commit 3df49967f6f1 ("block: flush the
+integrity workqueue in blk_integrity_unregister").
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Link: https://lore.kernel.org/r/20240613084839.1044015-7-hch@lst.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-integrity.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/block/blk-integrity.c b/block/blk-integrity.c
+index 69eed260a823..e2d88611d5bf 100644
+--- a/block/blk-integrity.c
++++ b/block/blk-integrity.c
+@@ -431,8 +431,6 @@ void blk_integrity_unregister(struct gendisk *disk)
+       if (!bi->profile)
+               return;
+ 
+-      /* ensure all bios are off the integrity workqueue */
+-      blk_flush_integrity();
+       blk_queue_flag_clear(QUEUE_FLAG_STABLE_WRITES, disk->queue);
+       memset(bi, 0, sizeof(*bi));
+ }
+-- 
+2.43.0
+

diff --git a/queue-6.1/cpufreq-scmi-avoid-overflow-of-target_freq-in-fast-s.patch b/queue-6.1/cpufreq-scmi-avoid-overflow-of-target_freq-in-fast-s.patch
new file mode 100644 (file)
index 0000000..9431979
--- /dev/null
+++ b/queue-6.1/cpufreq-scmi-avoid-overflow-of-target_freq-in-fast-s.patch
@@ -0,0 +1,41 @@
+From 649c80081d351b2575438d5f16590d7b122ea954 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 May 2024 12:07:32 +0530
+Subject: cpufreq: scmi: Avoid overflow of target_freq in fast switch
+
+From: Jagadeesh Kona <quic_jkona@quicinc.com>
+
+[ Upstream commit 074cffb5020ddcaa5fafcc55655e5da6ebe8c831 ]
+
+Conversion of target_freq to HZ in scmi_cpufreq_fast_switch()
+can lead to overflow if the multiplied result is greater than
+UINT_MAX, since type of target_freq is unsigned int. Avoid this
+overflow by assigning target_freq to unsigned long variable for
+converting it to HZ.
+
+Signed-off-by: Jagadeesh Kona <quic_jkona@quicinc.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/scmi-cpufreq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c
+index 028df8a5f537..079940c69ee0 100644
+--- a/drivers/cpufreq/scmi-cpufreq.c
++++ b/drivers/cpufreq/scmi-cpufreq.c
+@@ -62,9 +62,9 @@ static unsigned int scmi_cpufreq_fast_switch(struct cpufreq_policy *policy,
+                                            unsigned int target_freq)
+ {
+       struct scmi_data *priv = policy->driver_data;
++      unsigned long freq = target_freq;
+ 
+-      if (!perf_ops->freq_set(ph, priv->domain_id,
+-                              target_freq * 1000, true))
++      if (!perf_ops->freq_set(ph, priv->domain_id, freq * 1000, true))
+               return target_freq;
+ 
+       return 0;
+-- 
+2.43.0
+

diff --git a/queue-6.1/dmaengine-altera-msgdma-properly-free-descriptor-in-.patch b/queue-6.1/dmaengine-altera-msgdma-properly-free-descriptor-in-.patch
new file mode 100644 (file)
index 0000000..99f8f4f
--- /dev/null
+++ b/queue-6.1/dmaengine-altera-msgdma-properly-free-descriptor-in-.patch
@@ -0,0 +1,55 @@
+From 9c498446ead96891d5ecbb27c644987dc449e1d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jun 2024 23:31:48 +0200
+Subject: dmaengine: altera-msgdma: properly free descriptor in
+ msgdma_free_descriptor
+
+From: Olivier Dautricourt <olivierdautricourt@gmail.com>
+
+[ Upstream commit 54e4ada1a4206f878e345ae01cf37347d803d1b1 ]
+
+Remove list_del call in msgdma_chan_desc_cleanup, this should be the role
+of msgdma_free_descriptor. In consequence replace list_add_tail with
+list_move_tail in msgdma_free_descriptor.
+
+This fixes the path:
+   msgdma_free_chan_resources -> msgdma_free_descriptors ->
+   msgdma_free_desc_list -> msgdma_free_descriptor
+
+which does not correctly free the descriptors as first nodes were not
+removed from the list.
+
+Signed-off-by: Olivier Dautricourt <olivierdautricourt@gmail.com>
+Tested-by: Olivier Dautricourt <olivierdautricourt@gmail.com>
+Link: https://lore.kernel.org/r/20240608213216.25087-3-olivierdautricourt@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/altera-msgdma.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/dma/altera-msgdma.c b/drivers/dma/altera-msgdma.c
+index 8c479a3676fc..711e3756a39a 100644
+--- a/drivers/dma/altera-msgdma.c
++++ b/drivers/dma/altera-msgdma.c
+@@ -233,7 +233,7 @@ static void msgdma_free_descriptor(struct msgdma_device *mdev,
+       struct msgdma_sw_desc *child, *next;
+ 
+       mdev->desc_free_cnt++;
+-      list_add_tail(&desc->node, &mdev->free_list);
++      list_move_tail(&desc->node, &mdev->free_list);
+       list_for_each_entry_safe(child, next, &desc->tx_list, node) {
+               mdev->desc_free_cnt++;
+               list_move_tail(&child->node, &mdev->free_list);
+@@ -588,8 +588,6 @@ static void msgdma_chan_desc_cleanup(struct msgdma_device *mdev)
+       list_for_each_entry_safe(desc, next, &mdev->done_list, node) {
+               struct dmaengine_desc_callback cb;
+ 
+-              list_del(&desc->node);
+-
+               dmaengine_desc_get_callback(&desc->async_tx, &cb);
+               if (dmaengine_desc_callback_valid(&cb)) {
+                       spin_unlock_irqrestore(&mdev->lock, irqflags);
+-- 
+2.43.0
+

diff --git a/queue-6.1/dmaengine-altera-msgdma-use-irq-variant-of-spin_lock.patch b/queue-6.1/dmaengine-altera-msgdma-use-irq-variant-of-spin_lock.patch
new file mode 100644 (file)
index 0000000..ce9ee06
--- /dev/null
+++ b/queue-6.1/dmaengine-altera-msgdma-use-irq-variant-of-spin_lock.patch
@@ -0,0 +1,51 @@
+From 2692c8d9051fc0a171dde47e6070da19d1d8666d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jun 2024 23:31:46 +0200
+Subject: dmaengine: altera-msgdma: use irq variant of spin_lock/unlock while
+ invoking callbacks
+
+From: Olivier Dautricourt <olivierdautricourt@gmail.com>
+
+[ Upstream commit 261d3a85d959841821ca0d69f9d7b0d4087661c4 ]
+
+As we first take the lock with spin_lock_irqsave in msgdma_tasklet, Lockdep
+might complain about this. Inspired by commit 9558cf4ad07e
+("dmaengine: zynqmp_dma: fix lockdep warning in tasklet")
+
+Signed-off-by: Olivier Dautricourt <olivierdautricourt@gmail.com>
+Tested-by: Olivier Dautricourt <olivierdautricourt@gmail.com>
+Suggested-by: Eric Schwarz <eas@sw-optimization.com>
+Link: https://lore.kernel.org/r/20240608213216.25087-1-olivierdautricourt@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/altera-msgdma.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/altera-msgdma.c b/drivers/dma/altera-msgdma.c
+index 4153c2edb049..8c479a3676fc 100644
+--- a/drivers/dma/altera-msgdma.c
++++ b/drivers/dma/altera-msgdma.c
+@@ -583,6 +583,7 @@ static void msgdma_issue_pending(struct dma_chan *chan)
+ static void msgdma_chan_desc_cleanup(struct msgdma_device *mdev)
+ {
+       struct msgdma_sw_desc *desc, *next;
++      unsigned long irqflags;
+ 
+       list_for_each_entry_safe(desc, next, &mdev->done_list, node) {
+               struct dmaengine_desc_callback cb;
+@@ -591,9 +592,9 @@ static void msgdma_chan_desc_cleanup(struct msgdma_device *mdev)
+ 
+               dmaengine_desc_get_callback(&desc->async_tx, &cb);
+               if (dmaengine_desc_callback_valid(&cb)) {
+-                      spin_unlock(&mdev->lock);
++                      spin_unlock_irqrestore(&mdev->lock, irqflags);
+                       dmaengine_desc_callback_invoke(&cb, NULL);
+-                      spin_lock(&mdev->lock);
++                      spin_lock_irqsave(&mdev->lock, irqflags);
+               }
+ 
+               /* Run any dependencies, then free the descriptor */
+-- 
+2.43.0
+

diff --git a/queue-6.1/driver-iio-add-missing-checks-on-iio_info-s-callback.patch b/queue-6.1/driver-iio-add-missing-checks-on-iio_info-s-callback.patch
new file mode 100644 (file)
index 0000000..6f53b2e
--- /dev/null
+++ b/queue-6.1/driver-iio-add-missing-checks-on-iio_info-s-callback.patch
@@ -0,0 +1,174 @@
+From 5345a4f90f25183d18a40a2758b94ff89efd6e85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 May 2024 11:22:46 +0200
+Subject: driver: iio: add missing checks on iio_info's callback access
+
+From: Julien Stephan <jstephan@baylibre.com>
+
+[ Upstream commit c4ec8dedca961db056ec85cb7ca8c9f7e2e92252 ]
+
+Some callbacks from iio_info structure are accessed without any check, so
+if a driver doesn't implement them trying to access the corresponding
+sysfs entries produce a kernel oops such as:
+
+[ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute
+[...]
+[ 2203.783416] Call trace:
+[ 2203.783429]  iio_read_channel_info_avail from dev_attr_show+0x18/0x48
+[ 2203.789807]  dev_attr_show from sysfs_kf_seq_show+0x90/0x120
+[ 2203.794181]  sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4
+[ 2203.798555]  seq_read_iter from vfs_read+0x238/0x2a0
+[ 2203.802236]  vfs_read from ksys_read+0xa4/0xd4
+[ 2203.805385]  ksys_read from ret_fast_syscall+0x0/0x54
+[ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0)
+[ 2203.812880] dfa0:                   00000003 b6f10f80 00000003 b6eab000 00020000 00000000
+[ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000
+[ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0
+[ 2203.830363] Code: bad PC value
+[ 2203.832695] ---[ end trace 0000000000000000 ]---
+
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Signed-off-by: Julien Stephan <jstephan@baylibre.com>
+Link: https://lore.kernel.org/r/20240530-iio-core-fix-segfault-v3-1-8b7cd2a03773@baylibre.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/industrialio-core.c  |  7 ++++++-
+ drivers/iio/industrialio-event.c |  9 +++++++++
+ drivers/iio/inkern.c             | 32 ++++++++++++++++++++++----------
+ 3 files changed, 37 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
+index 135a86fc9453..162845543efe 100644
+--- a/drivers/iio/industrialio-core.c
++++ b/drivers/iio/industrialio-core.c
+@@ -767,9 +767,11 @@ static ssize_t iio_read_channel_info(struct device *dev,
+                                                       INDIO_MAX_RAW_ELEMENTS,
+                                                       vals, &val_len,
+                                                       this_attr->address);
+-      else
++      else if (indio_dev->info->read_raw)
+               ret = indio_dev->info->read_raw(indio_dev, this_attr->c,
+                                   &vals[0], &vals[1], this_attr->address);
++      else
++              return -EINVAL;
+ 
+       if (ret < 0)
+               return ret;
+@@ -851,6 +853,9 @@ static ssize_t iio_read_channel_info_avail(struct device *dev,
+       int length;
+       int type;
+ 
++      if (!indio_dev->info->read_avail)
++              return -EINVAL;
++
+       ret = indio_dev->info->read_avail(indio_dev, this_attr->c,
+                                         &vals, &type, &length,
+                                         this_attr->address);
+diff --git a/drivers/iio/industrialio-event.c b/drivers/iio/industrialio-event.c
+index 727e2ef66aa4..14658b41c9bc 100644
+--- a/drivers/iio/industrialio-event.c
++++ b/drivers/iio/industrialio-event.c
+@@ -283,6 +283,9 @@ static ssize_t iio_ev_state_store(struct device *dev,
+       if (ret < 0)
+               return ret;
+ 
++      if (!indio_dev->info->write_event_config)
++              return -EINVAL;
++
+       ret = indio_dev->info->write_event_config(indio_dev,
+               this_attr->c, iio_ev_attr_type(this_attr),
+               iio_ev_attr_dir(this_attr), val);
+@@ -298,6 +301,9 @@ static ssize_t iio_ev_state_show(struct device *dev,
+       struct iio_dev_attr *this_attr = to_iio_dev_attr(attr);
+       int val;
+ 
++      if (!indio_dev->info->read_event_config)
++              return -EINVAL;
++
+       val = indio_dev->info->read_event_config(indio_dev,
+               this_attr->c, iio_ev_attr_type(this_attr),
+               iio_ev_attr_dir(this_attr));
+@@ -316,6 +322,9 @@ static ssize_t iio_ev_value_show(struct device *dev,
+       int val, val2, val_arr[2];
+       int ret;
+ 
++      if (!indio_dev->info->read_event_value)
++              return -EINVAL;
++
+       ret = indio_dev->info->read_event_value(indio_dev,
+               this_attr->c, iio_ev_attr_type(this_attr),
+               iio_ev_attr_dir(this_attr), iio_ev_attr_info(this_attr),
+diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c
+index 872fd5c24147..bd854e92c6f8 100644
+--- a/drivers/iio/inkern.c
++++ b/drivers/iio/inkern.c
+@@ -561,6 +561,7 @@ EXPORT_SYMBOL_GPL(devm_iio_channel_get_all);
+ static int iio_channel_read(struct iio_channel *chan, int *val, int *val2,
+                           enum iio_chan_info_enum info)
+ {
++      const struct iio_info *iio_info = chan->indio_dev->info;
+       int unused;
+       int vals[INDIO_MAX_RAW_ELEMENTS];
+       int ret;
+@@ -572,15 +573,18 @@ static int iio_channel_read(struct iio_channel *chan, int *val, int *val2,
+       if (!iio_channel_has_info(chan->channel, info))
+               return -EINVAL;
+ 
+-      if (chan->indio_dev->info->read_raw_multi) {
+-              ret = chan->indio_dev->info->read_raw_multi(chan->indio_dev,
+-                                      chan->channel, INDIO_MAX_RAW_ELEMENTS,
+-                                      vals, &val_len, info);
++      if (iio_info->read_raw_multi) {
++              ret = iio_info->read_raw_multi(chan->indio_dev,
++                                             chan->channel,
++                                             INDIO_MAX_RAW_ELEMENTS,
++                                             vals, &val_len, info);
+               *val = vals[0];
+               *val2 = vals[1];
++      } else if (iio_info->read_raw) {
++              ret = iio_info->read_raw(chan->indio_dev,
++                                       chan->channel, val, val2, info);
+       } else {
+-              ret = chan->indio_dev->info->read_raw(chan->indio_dev,
+-                                      chan->channel, val, val2, info);
++              return -EINVAL;
+       }
+ 
+       return ret;
+@@ -800,11 +804,15 @@ static int iio_channel_read_avail(struct iio_channel *chan,
+                                 const int **vals, int *type, int *length,
+                                 enum iio_chan_info_enum info)
+ {
++      const struct iio_info *iio_info = chan->indio_dev->info;
++
+       if (!iio_channel_has_available(chan->channel, info))
+               return -EINVAL;
+ 
+-      return chan->indio_dev->info->read_avail(chan->indio_dev, chan->channel,
+-                                               vals, type, length, info);
++      if (iio_info->read_avail)
++              return iio_info->read_avail(chan->indio_dev, chan->channel,
++                                          vals, type, length, info);
++      return -EINVAL;
+ }
+ 
+ int iio_read_avail_channel_attribute(struct iio_channel *chan,
+@@ -935,8 +943,12 @@ EXPORT_SYMBOL_GPL(iio_get_channel_type);
+ static int iio_channel_write(struct iio_channel *chan, int val, int val2,
+                            enum iio_chan_info_enum info)
+ {
+-      return chan->indio_dev->info->write_raw(chan->indio_dev,
+-                                              chan->channel, val, val2, info);
++      const struct iio_info *iio_info = chan->indio_dev->info;
++
++      if (iio_info->write_raw)
++              return iio_info->write_raw(chan->indio_dev,
++                                         chan->channel, val, val2, info);
++      return -EINVAL;
+ }
+ 
+ int iio_write_channel_attribute(struct iio_channel *chan, int val, int val2,
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-amdgpu-check-tbo-resource-pointer.patch b/queue-6.1/drm-amd-amdgpu-check-tbo-resource-pointer.patch
new file mode 100644 (file)
index 0000000..e8c4501
--- /dev/null
+++ b/queue-6.1/drm-amd-amdgpu-check-tbo-resource-pointer.patch
@@ -0,0 +1,40 @@
+From 2f21404c56be970b11356426cd8e93d6e207c51d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 02:26:55 +0800
+Subject: drm/amd/amdgpu: Check tbo resource pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Asad Kamal <asad.kamal@amd.com>
+
+[ Upstream commit 6cd2b872643bb29bba01a8ac739138db7bd79007 ]
+
+Validate tbo resource pointer, skip if NULL
+
+Signed-off-by: Asad Kamal <asad.kamal@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 4d1c2eb63090..1319fdd37e7a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4560,7 +4560,8 @@ static int amdgpu_device_recover_vram(struct amdgpu_device *adev)
+               shadow = vmbo->shadow;
+ 
+               /* No need to recover an evicted BO */
+-              if (shadow->tbo.resource->mem_type != TTM_PL_TT ||
++              if (!shadow->tbo.resource ||
++                  shadow->tbo.resource->mem_type != TTM_PL_TT ||
+                   shadow->tbo.resource->start == AMDGPU_BO_INVALID_OFFSET ||
+                   shadow->parent->tbo.resource->mem_type != TTM_PL_VRAM)
+                       continue;
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-add-array-index-check-for-hdcp-ddc-a.patch b/queue-6.1/drm-amd-display-add-array-index-check-for-hdcp-ddc-a.patch
new file mode 100644 (file)
index 0000000..018394a
--- /dev/null
+++ b/queue-6.1/drm-amd-display-add-array-index-check-for-hdcp-ddc-a.patch
@@ -0,0 +1,95 @@
+From 1dedf379f5ac72c0f085abb2813bec5155abe12c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 10:09:31 -0400
+Subject: drm/amd/display: Add array index check for hdcp ddc access
+
+From: Hersen Wu <hersenxs.wu@amd.com>
+
+[ Upstream commit 4e70c0f5251c25885c31ee84a31f99a01f7cf50e ]
+
+[Why]
+Coverity reports OVERRUN warning. Do not check if array
+index valid.
+
+[How]
+Check msg_id valid and valid array index.
+
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/display/modules/hdcp/hdcp_ddc.c   | 28 ++++++++++++++++---
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
+index 8e9caae7c955..1b2df97226a3 100644
+--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
+@@ -156,11 +156,16 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp,
+       uint32_t cur_size = 0;
+       uint32_t data_offset = 0;
+ 
+-      if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {
++      if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID ||
++              msg_id >= MOD_HDCP_MESSAGE_ID_MAX)
+               return MOD_HDCP_STATUS_DDC_FAILURE;
+-      }
+ 
+       if (is_dp_hdcp(hdcp)) {
++              int num_dpcd_addrs = sizeof(hdcp_dpcd_addrs) /
++                      sizeof(hdcp_dpcd_addrs[0]);
++              if (msg_id >= num_dpcd_addrs)
++                      return MOD_HDCP_STATUS_DDC_FAILURE;
++
+               while (buf_len > 0) {
+                       cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);
+                       success = hdcp->config.ddc.funcs.read_dpcd(hdcp->config.ddc.handle,
+@@ -175,6 +180,11 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp,
+                       data_offset += cur_size;
+               }
+       } else {
++              int num_i2c_offsets = sizeof(hdcp_i2c_offsets) /
++                      sizeof(hdcp_i2c_offsets[0]);
++              if (msg_id >= num_i2c_offsets)
++                      return MOD_HDCP_STATUS_DDC_FAILURE;
++
+               success = hdcp->config.ddc.funcs.read_i2c(
+                               hdcp->config.ddc.handle,
+                               HDCP_I2C_ADDR,
+@@ -219,11 +229,16 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp,
+       uint32_t cur_size = 0;
+       uint32_t data_offset = 0;
+ 
+-      if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {
++      if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID ||
++              msg_id >= MOD_HDCP_MESSAGE_ID_MAX)
+               return MOD_HDCP_STATUS_DDC_FAILURE;
+-      }
+ 
+       if (is_dp_hdcp(hdcp)) {
++              int num_dpcd_addrs = sizeof(hdcp_dpcd_addrs) /
++                      sizeof(hdcp_dpcd_addrs[0]);
++              if (msg_id >= num_dpcd_addrs)
++                      return MOD_HDCP_STATUS_DDC_FAILURE;
++
+               while (buf_len > 0) {
+                       cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);
+                       success = hdcp->config.ddc.funcs.write_dpcd(
+@@ -239,6 +254,11 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp,
+                       data_offset += cur_size;
+               }
+       } else {
++              int num_i2c_offsets = sizeof(hdcp_i2c_offsets) /
++                      sizeof(hdcp_i2c_offsets[0]);
++              if (msg_id >= num_i2c_offsets)
++                      return MOD_HDCP_STATUS_DDC_FAILURE;
++
+               hdcp->buf[0] = hdcp_i2c_offsets[msg_id];
+               memmove(&hdcp->buf[1], buf, buf_len);
+               success = hdcp->config.ddc.funcs.write_i2c(
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-added-null-check-at-start-of-dc_vali.patch b/queue-6.1/drm-amd-display-added-null-check-at-start-of-dc_vali.patch
new file mode 100644 (file)
index 0000000..32effbf
--- /dev/null
+++ b/queue-6.1/drm-amd-display-added-null-check-at-start-of-dc_vali.patch
@@ -0,0 +1,43 @@
+From 16c88d2630bb51b6d954e5219427f3cf714cd116 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 May 2024 08:51:19 -0400
+Subject: drm/amd/display: added NULL check at start of dc_validate_stream
+
+From: winstang <winstang@amd.com>
+
+[ Upstream commit 26c56049cc4f1705b498df013949427692a4b0d5 ]
+
+[Why]
+prevent invalid memory access
+
+[How]
+check if dc and stream are NULL
+
+Co-authored-by: winstang <winstang@amd.com>
+Reviewed-by: Alvin Lee <alvin.lee2@amd.com>
+Acked-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
+Signed-off-by: winstang <winstang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+index 83898e46bcad..29400db42bb2 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+@@ -3629,6 +3629,9 @@ void resource_build_bit_depth_reduction_params(struct dc_stream_state *stream,
+ 
+ enum dc_status dc_validate_stream(struct dc *dc, struct dc_stream_state *stream)
+ {
++      if (dc == NULL || stream == NULL)
++              return DC_ERROR_UNEXPECTED;
++
+       struct dc_link *link = stream->link;
+       struct timing_generator *tg = dc->res_pool->timing_generators[0];
+       enum dc_status res = DC_OK;
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-assign-linear_pitch_alignment-even-f.patch b/queue-6.1/drm-amd-display-assign-linear_pitch_alignment-even-f.patch
new file mode 100644 (file)
index 0000000..5542c7c
--- /dev/null
+++ b/queue-6.1/drm-amd-display-assign-linear_pitch_alignment-even-f.patch
@@ -0,0 +1,38 @@
+From 5162c37824b59d5c6017b5f313137643640faf69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 14:42:18 -0400
+Subject: drm/amd/display: Assign linear_pitch_alignment even for VM
+
+From: Alvin Lee <alvin.lee2@amd.com>
+
+[ Upstream commit 984debc133efa05e62f5aa1a7a1dd8ca0ef041f4 ]
+
+[Description]
+Assign linear_pitch_alignment so we don't cause a divide by 0
+error in VM environments
+
+Reviewed-by: Sohaib Nadeem <sohaib.nadeem@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Alvin Lee <alvin.lee2@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
+index f415733f1a97..d7bca680805d 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
+@@ -1265,6 +1265,7 @@ struct dc *dc_create(const struct dc_init_data *init_params)
+               return NULL;
+ 
+       if (init_params->dce_environment == DCE_ENV_VIRTUAL_HW) {
++              dc->caps.linear_pitch_alignment = 64;
+               if (!dc_construct_ctx(dc, init_params))
+                       goto destruct_dc;
+       } else {
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-check-gpio_id-before-used-as-array-i.patch b/queue-6.1/drm-amd-display-check-gpio_id-before-used-as-array-i.patch
new file mode 100644 (file)
index 0000000..19a1be1
--- /dev/null
+++ b/queue-6.1/drm-amd-display-check-gpio_id-before-used-as-array-i.patch
@@ -0,0 +1,80 @@
+From e0bae28ac61614ab023009e6a34d9c027167f55e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 16:40:00 -0600
+Subject: drm/amd/display: Check gpio_id before used as array index
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit 2a5626eeb3b5eec7a36886f9556113dd93ec8ed6 ]
+
+[WHY & HOW]
+GPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore
+should be checked in advance.
+
+This fixes 5 OVERRUN issues reported by Coverity.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
+index 3ede6e02c3a7..2f8ca831afa2 100644
+--- a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
++++ b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
+@@ -239,6 +239,9 @@ static bool is_pin_busy(
+       enum gpio_id id,
+       uint32_t en)
+ {
++      if (id == GPIO_ID_UNKNOWN)
++              return false;
++
+       return service->busyness[id][en];
+ }
+ 
+@@ -247,6 +250,9 @@ static void set_pin_busy(
+       enum gpio_id id,
+       uint32_t en)
+ {
++      if (id == GPIO_ID_UNKNOWN)
++              return;
++
+       service->busyness[id][en] = true;
+ }
+ 
+@@ -255,6 +261,9 @@ static void set_pin_free(
+       enum gpio_id id,
+       uint32_t en)
+ {
++      if (id == GPIO_ID_UNKNOWN)
++              return;
++
+       service->busyness[id][en] = false;
+ }
+ 
+@@ -263,7 +272,7 @@ enum gpio_result dal_gpio_service_lock(
+       enum gpio_id id,
+       uint32_t en)
+ {
+-      if (!service->busyness[id]) {
++      if (id != GPIO_ID_UNKNOWN && !service->busyness[id]) {
+               ASSERT_CRITICAL(false);
+               return GPIO_RESULT_OPEN_FAILED;
+       }
+@@ -277,7 +286,7 @@ enum gpio_result dal_gpio_service_unlock(
+       enum gpio_id id,
+       uint32_t en)
+ {
+-      if (!service->busyness[id]) {
++      if (id != GPIO_ID_UNKNOWN && !service->busyness[id]) {
+               ASSERT_CRITICAL(false);
+               return GPIO_RESULT_OPEN_FAILED;
+       }
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-check-msg_id-before-processing-trans.patch b/queue-6.1/drm-amd-display-check-msg_id-before-processing-trans.patch
new file mode 100644 (file)
index 0000000..6e74bf8
--- /dev/null
+++ b/queue-6.1/drm-amd-display-check-msg_id-before-processing-trans.patch
@@ -0,0 +1,68 @@
+From 388350d0cb8deab1bbf6f913312a5081cdee0285 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 16:47:42 -0600
+Subject: drm/amd/display: Check msg_id before processing transcation
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit fa71face755e27dc44bc296416ebdf2c67163316 ]
+
+[WHY & HOW]
+HDCP_MESSAGE_ID_INVALID (-1) is not a valid msg_id nor is it a valid
+array index, and it needs checking before used.
+
+This fixes 4 OVERRUN issues reported by Coverity.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c
+index 4233955e3c47..c9851492ec84 100644
+--- a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c
++++ b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c
+@@ -131,13 +131,21 @@ static bool hdmi_14_process_transaction(
+       const uint8_t hdcp_i2c_addr_link_primary = 0x3a; /* 0x74 >> 1*/
+       const uint8_t hdcp_i2c_addr_link_secondary = 0x3b; /* 0x76 >> 1*/
+       struct i2c_command i2c_command;
+-      uint8_t offset = hdcp_i2c_offsets[message_info->msg_id];
++      uint8_t offset;
+       struct i2c_payload i2c_payloads[] = {
+-              { true, 0, 1, &offset },
++              { true, 0, 1, 0 },
+               /* actual hdcp payload, will be filled later, zeroed for now*/
+               { 0 }
+       };
+ 
++      if (message_info->msg_id == HDCP_MESSAGE_ID_INVALID) {
++              DC_LOG_ERROR("%s: Invalid message_info msg_id - %d\n", __func__, message_info->msg_id);
++              return false;
++      }
++
++      offset = hdcp_i2c_offsets[message_info->msg_id];
++      i2c_payloads[0].data = &offset;
++
+       switch (message_info->link) {
+       case HDCP_LINK_SECONDARY:
+               i2c_payloads[0].address = hdcp_i2c_addr_link_secondary;
+@@ -311,6 +319,11 @@ static bool dp_11_process_transaction(
+       struct dc_link *link,
+       struct hdcp_protection_message *message_info)
+ {
++      if (message_info->msg_id == HDCP_MESSAGE_ID_INVALID) {
++              DC_LOG_ERROR("%s: Invalid message_info msg_id - %d\n", __func__, message_info->msg_id);
++              return false;
++      }
++
+       return dpcd_access_helper(
+               link,
+               message_info->length,
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-check-num_valid_sets-before-accessin.patch b/queue-6.1/drm-amd-display-check-num_valid_sets-before-accessin.patch
new file mode 100644 (file)
index 0000000..0e8839b
--- /dev/null
+++ b/queue-6.1/drm-amd-display-check-num_valid_sets-before-accessin.patch
@@ -0,0 +1,43 @@
+From 66b18723fa04b77d215d95ee56b07a17ff58796a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 16:22:35 -0600
+Subject: drm/amd/display: Check num_valid_sets before accessing
+ reader_wm_sets[]
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit b38a4815f79b87efb196cd5121579fc51e29a7fb ]
+
+[WHY & HOW]
+num_valid_sets needs to be checked to avoid a negative index when
+accessing reader_wm_sets[num_valid_sets - 1].
+
+This fixes an OVERRUN issue reported by Coverity.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c
+index ca6dfd2d7561..35386011c56c 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c
+@@ -484,7 +484,8 @@ static void build_watermark_ranges(struct clk_bw_params *bw_params, struct pp_sm
+                       ranges->reader_wm_sets[num_valid_sets].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX;
+ 
+                       /* Modify previous watermark range to cover up to max */
+-                      ranges->reader_wm_sets[num_valid_sets - 1].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX;
++                      if (num_valid_sets > 0)
++                              ranges->reader_wm_sets[num_valid_sets - 1].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX;
+               }
+               num_valid_sets++;
+       }
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-correct-the-defined-value-for-amdgpu.patch b/queue-6.1/drm-amd-display-correct-the-defined-value-for-amdgpu.patch
new file mode 100644 (file)
index 0000000..56ed233
--- /dev/null
+++ b/queue-6.1/drm-amd-display-correct-the-defined-value-for-amdgpu.patch
@@ -0,0 +1,41 @@
+From a87f10daafb107ee678a1240c5ad8d380a255b2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 May 2024 15:33:48 +0800
+Subject: drm/amd/display: Correct the defined value for
+ AMDGPU_DMUB_NOTIFICATION_MAX
+
+From: Wayne Lin <wayne.lin@amd.com>
+
+[ Upstream commit ad28d7c3d989fc5689581664653879d664da76f0 ]
+
+[Why & How]
+It actually exposes '6' types in enum dmub_notification_type. Not 5. Using smaller
+number to create array dmub_callback & dmub_thread_offload has potential to access
+item out of array bound. Fix it.
+
+Reviewed-by: Jerry Zuo <jerry.zuo@amd.com>
+Acked-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
+Signed-off-by: Wayne Lin <wayne.lin@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
+index 2c9a33c80c81..df18b4df1f2c 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h
+@@ -49,7 +49,7 @@
+ 
+ #define AMDGPU_DM_MAX_NUM_EDP 2
+ 
+-#define AMDGPU_DMUB_NOTIFICATION_MAX 5
++#define AMDGPU_DMUB_NOTIFICATION_MAX 6
+ 
+ /*
+ #include "include/amdgpu_dal_power_if.h"
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-ensure-index-calculation-will-not-ov.patch b/queue-6.1/drm-amd-display-ensure-index-calculation-will-not-ov.patch
new file mode 100644 (file)
index 0000000..9ea66db
--- /dev/null
+++ b/queue-6.1/drm-amd-display-ensure-index-calculation-will-not-ov.patch
@@ -0,0 +1,46 @@
+From ad9865a3b58697b4b9cee6c76b601879592838bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 17:08:04 -0600
+Subject: drm/amd/display: Ensure index calculation will not overflow
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit 8e2734bf444767fed787305ccdcb36a2be5301a2 ]
+
+[WHY & HOW]
+Make sure vmid0p72_idx, vnom0p8_idx and vmax0p9_idx calculation will
+never overflow and exceess array size.
+
+This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml/calcs/dcn_calcs.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/calcs/dcn_calcs.c b/drivers/gpu/drm/amd/display/dc/dml/calcs/dcn_calcs.c
+index e73f089c84bb..ebd7ed1b9a3c 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/calcs/dcn_calcs.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/calcs/dcn_calcs.c
+@@ -1453,10 +1453,9 @@ void dcn_bw_update_from_pplib_fclks(
+       ASSERT(fclks->num_levels);
+ 
+       vmin0p65_idx = 0;
+-      vmid0p72_idx = fclks->num_levels -
+-              (fclks->num_levels > 2 ? 3 : (fclks->num_levels > 1 ? 2 : 1));
+-      vnom0p8_idx = fclks->num_levels - (fclks->num_levels > 1 ? 2 : 1);
+-      vmax0p9_idx = fclks->num_levels - 1;
++      vmid0p72_idx = fclks->num_levels > 2 ? fclks->num_levels - 3 : 0;
++      vnom0p8_idx = fclks->num_levels > 1 ? fclks->num_levels - 2 : 0;
++      vmax0p9_idx = fclks->num_levels > 0 ? fclks->num_levels - 1 : 0;
+ 
+       dc->dcn_soc->fabric_and_dram_bandwidth_vmin0p65 =
+               32 * (fclks->data[vmin0p65_idx].clocks_in_khz / 1000.0) / 1000.0;
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-fix-coverity-integer_overflow-within.patch b/queue-6.1/drm-amd-display-fix-coverity-integer_overflow-within.patch
new file mode 100644 (file)
index 0000000..3fede2a
--- /dev/null
+++ b/queue-6.1/drm-amd-display-fix-coverity-integer_overflow-within.patch
@@ -0,0 +1,52 @@
+From 4369476cee060993a12d43353d6159cb7c86115c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 11:58:11 -0400
+Subject: drm/amd/display: Fix Coverity INTEGER_OVERFLOW within
+ dal_gpio_service_create
+
+From: Hersen Wu <hersenxs.wu@amd.com>
+
+[ Upstream commit c6077aa66fa230d12f37fef01161ef080d13b726 ]
+
+[Why]
+For subtraction, coverity reports integer overflow
+warning message when variable type is uint32_t.
+
+[How]
+Change variable type to int32_t.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
+index 2f8ca831afa2..f2037d78f71a 100644
+--- a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
++++ b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c
+@@ -56,7 +56,7 @@ struct gpio_service *dal_gpio_service_create(
+       struct dc_context *ctx)
+ {
+       struct gpio_service *service;
+-      uint32_t index_of_id;
++      int32_t index_of_id;
+ 
+       service = kzalloc(sizeof(struct gpio_service), GFP_KERNEL);
+ 
+@@ -112,7 +112,7 @@ struct gpio_service *dal_gpio_service_create(
+       return service;
+ 
+ failure_2:
+-      while (index_of_id) {
++      while (index_of_id > 0) {
+               --index_of_id;
+               kfree(service->busyness[index_of_id]);
+       }
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-skip-inactive-planes-within-modesupp.patch b/queue-6.1/drm-amd-display-skip-inactive-planes-within-modesupp.patch
new file mode 100644 (file)
index 0000000..9d9f457
--- /dev/null
+++ b/queue-6.1/drm-amd-display-skip-inactive-planes-within-modesupp.patch
@@ -0,0 +1,48 @@
+From 73606f1d134aca3a9e056ead6e0704ffc83d683d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 16:39:37 -0400
+Subject: drm/amd/display: Skip inactive planes within
+ ModeSupportAndSystemConfiguration
+
+From: Hersen Wu <hersenxs.wu@amd.com>
+
+[ Upstream commit a54f7e866cc73a4cb71b8b24bb568ba35c8969df ]
+
+[Why]
+Coverity reports Memory - illegal accesses.
+
+[How]
+Skip inactive planes.
+
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c b/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c
+index 1070cf870196..b2ad56c459ba 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c
++++ b/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c
+@@ -1099,8 +1099,13 @@ void ModeSupportAndSystemConfiguration(struct display_mode_lib *mode_lib)
+ 
+       // Total Available Pipes Support Check
+       for (k = 0; k < mode_lib->vba.NumberOfActivePlanes; ++k) {
+-              total_pipes += mode_lib->vba.DPPPerPlane[k];
+               pipe_idx = get_pipe_idx(mode_lib, k);
++              if (pipe_idx == -1) {
++                      ASSERT(0);
++                      continue; // skip inactive planes
++              }
++              total_pipes += mode_lib->vba.DPPPerPlane[k];
++
+               if (mode_lib->vba.cache_pipes[pipe_idx].clks_cfg.dppclk_mhz > 0.0)
+                       mode_lib->vba.DPPCLK[k] = mode_lib->vba.cache_pipes[pipe_idx].clks_cfg.dppclk_mhz;
+               else
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch b/queue-6.1/drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch
new file mode 100644 (file)
index 0000000..f42073c
--- /dev/null
+++ b/queue-6.1/drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch
@@ -0,0 +1,41 @@
+From fdd1339346fe93706841069d3b775b6ce59480a7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jun 2024 10:47:37 -0600
+Subject: drm/amd/display: Skip wbscl_set_scaler_filter if filter is null
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit c4d31653c03b90e51515b1380115d1aedad925dd ]
+
+Callers can pass null in filter (i.e. from returned from the function
+wbscl_get_filter_coeffs_16p) and a null check is added to ensure that is
+not the case.
+
+This fixes 4 NULL_RETURNS issues reported by Coverity.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Acked-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c
+index 994fb732a7cb..a0d437f0ce2b 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c
+@@ -690,6 +690,9 @@ static void wbscl_set_scaler_filter(
+       int pair;
+       uint16_t odd_coef, even_coef;
+ 
++      if (!filter)
++              return;
++
+       for (phase = 0; phase < (NUM_PHASES / 2 + 1); phase++) {
+               for (pair = 0; pair < tap_pairs; pair++) {
+                       even_coef = filter[phase * taps + 2 * pair];
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-spinlock-before-reading-event.patch b/queue-6.1/drm-amd-display-spinlock-before-reading-event.patch
new file mode 100644 (file)
index 0000000..97eabec
--- /dev/null
+++ b/queue-6.1/drm-amd-display-spinlock-before-reading-event.patch
@@ -0,0 +1,54 @@
+From 969168507dfb130726d92b1adabeda7d5ad03111 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 10:33:47 -0600
+Subject: drm/amd/display: Spinlock before reading event
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit ae13c8a5cff92015b9a3eb7cee65ebc75859487f ]
+
+[WHY & HOW]
+A read of acrtc_attach->base.state->event was not locked so moving it
+inside the spinlock.
+
+This fixes a LOCK_EVASION issue reported by Coverity.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 1f8f0ce45c2a..0be1a1149a3f 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -8055,15 +8055,13 @@ static void amdgpu_dm_commit_planes(struct drm_atomic_state *state,
+                               bundle->stream_update.vrr_infopacket =
+                                       &acrtc_state->stream->vrr_infopacket;
+               }
+-      } else if (cursor_update && acrtc_state->active_planes > 0 &&
+-                 acrtc_attach->base.state->event) {
+-              drm_crtc_vblank_get(pcrtc);
+-
++      } else if (cursor_update && acrtc_state->active_planes > 0) {
+               spin_lock_irqsave(&pcrtc->dev->event_lock, flags);
+-
+-              acrtc_attach->event = acrtc_attach->base.state->event;
+-              acrtc_attach->base.state->event = NULL;
+-
++              if (acrtc_attach->base.state->event) {
++                      drm_crtc_vblank_get(pcrtc);
++                      acrtc_attach->event = acrtc_attach->base.state->event;
++                      acrtc_attach->base.state->event = NULL;
++              }
+               spin_unlock_irqrestore(&pcrtc->dev->event_lock, flags);
+       }
+ 
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch b/queue-6.1/drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch
new file mode 100644 (file)
index 0000000..be328a2
--- /dev/null
+++ b/queue-6.1/drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch
@@ -0,0 +1,46 @@
+From cc5993223388d5ab13e068a2679d15dbdb6783e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 16:00:19 -0400
+Subject: drm/amd/display: Stop amdgpu_dm initialize when stream nums greater
+ than 6
+
+From: Hersen Wu <hersenxs.wu@amd.com>
+
+[ Upstream commit 84723eb6068c50610c5c0893980d230d7afa2105 ]
+
+[Why]
+Coverity reports OVERRUN warning. Should abort amdgpu_dm
+initialize.
+
+[How]
+Return failure to amdgpu_dm_init.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Acked-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index 6189685af1fd..1f8f0ce45c2a 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -4359,7 +4359,10 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev)
+ 
+       /* There is one primary plane per CRTC */
+       primary_planes = dm->dc->caps.max_streams;
+-      ASSERT(primary_planes <= AMDGPU_MAX_PLANES);
++      if (primary_planes > AMDGPU_MAX_PLANES) {
++              DRM_ERROR("DM: Plane nums out of 6 planes\n");
++              return -EINVAL;
++      }
+ 
+       /*
+        * Initialize primary planes, implicit planes for legacy IOCTLS.
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-pm-check-negtive-return-for-table-entries.patch b/queue-6.1/drm-amd-pm-check-negtive-return-for-table-entries.patch
new file mode 100644 (file)
index 0000000..8d18342
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-check-negtive-return-for-table-entries.patch
@@ -0,0 +1,61 @@
+From 7d2899d07edd853612841123b3cd57aad2cf921c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 May 2024 16:01:23 +0800
+Subject: drm/amd/pm: check negtive return for table entries
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit f76059fe14395b37ba8d997eb0381b1b9e80a939 ]
+
+Function hwmgr->hwmgr_func->get_num_of_pp_table_entries(hwmgr) returns a negative number
+
+Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
+Suggested-by: Tim Huang <Tim.Huang@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
+index f4bd8e9357e2..18f00038d844 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c
+@@ -30,9 +30,8 @@ int psm_init_power_state_table(struct pp_hwmgr *hwmgr)
+ {
+       int result;
+       unsigned int i;
+-      unsigned int table_entries;
+       struct pp_power_state *state;
+-      int size;
++      int size, table_entries;
+ 
+       if (hwmgr->hwmgr_func->get_num_of_pp_table_entries == NULL)
+               return 0;
+@@ -40,15 +39,19 @@ int psm_init_power_state_table(struct pp_hwmgr *hwmgr)
+       if (hwmgr->hwmgr_func->get_power_state_size == NULL)
+               return 0;
+ 
+-      hwmgr->num_ps = table_entries = hwmgr->hwmgr_func->get_num_of_pp_table_entries(hwmgr);
++      table_entries = hwmgr->hwmgr_func->get_num_of_pp_table_entries(hwmgr);
+ 
+-      hwmgr->ps_size = size = hwmgr->hwmgr_func->get_power_state_size(hwmgr) +
++      size = hwmgr->hwmgr_func->get_power_state_size(hwmgr) +
+                                         sizeof(struct pp_power_state);
+ 
+-      if (table_entries == 0 || size == 0) {
++      if (table_entries <= 0 || size == 0) {
+               pr_warn("Please check whether power state management is supported on this asic\n");
++              hwmgr->num_ps = 0;
++              hwmgr->ps_size = 0;
+               return 0;
+       }
++      hwmgr->num_ps = table_entries;
++      hwmgr->ps_size = size;
+ 
+       hwmgr->ps = kcalloc(table_entries, size, GFP_KERNEL);
+       if (hwmgr->ps == NULL)
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-pm-check-specific-index-for-aldebaran.patch b/queue-6.1/drm-amd-pm-check-specific-index-for-aldebaran.patch
new file mode 100644 (file)
index 0000000..a037535
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-check-specific-index-for-aldebaran.patch
@@ -0,0 +1,37 @@
+From 40800bf3b1f440daaf83c5c0eb14c1ff960aa047 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 17:13:28 +0800
+Subject: drm/amd/pm: check specific index for aldebaran
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit 0ce8ef2639c112ae203c985b758389e378630aac ]
+
+Check for specific indexes that may be invalid values.
+
+Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c
+index cd8b0ab0112a..c79bff02a31a 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c
+@@ -1939,7 +1939,8 @@ static int aldebaran_mode2_reset(struct smu_context *smu)
+ 
+       index = smu_cmn_to_asic_specific_index(smu, CMN2ASIC_MAPPING_MSG,
+                                               SMU_MSG_GfxDeviceDriverReset);
+-
++      if (index < 0 )
++              return -EINVAL;
+       mutex_lock(&smu->message_lock);
+       if (smu_version >= 0x00441400) {
+               ret = smu_cmn_send_msg_without_waiting(smu, (uint16_t)index, SMU_RESET_MODE_2);
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-pm-fix-negative-array-index-read.patch b/queue-6.1/drm-amd-pm-fix-negative-array-index-read.patch
new file mode 100644 (file)
index 0000000..7243a3f
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-fix-negative-array-index-read.patch
@@ -0,0 +1,94 @@
+From 37160454e9286503fbef6a93b03439e2fc584256 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Apr 2024 10:23:48 +0800
+Subject: drm/amd/pm: Fix negative array index read
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit c8c19ebf7c0b202a6a2d37a52ca112432723db5f ]
+
+Avoid using the negative values
+for clk_idex as an index into an array pptable->DpmDescriptor.
+
+V2: fix clk_index return check (Tim Huang)
+
+Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c   | 27 ++++++++++++++-----
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
+index ed2112efc6c6..286f4f9bfa35 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
+@@ -1215,19 +1215,22 @@ static int navi10_get_current_clk_freq_by_table(struct smu_context *smu,
+                                          value);
+ }
+ 
+-static bool navi10_is_support_fine_grained_dpm(struct smu_context *smu, enum smu_clk_type clk_type)
++static int navi10_is_support_fine_grained_dpm(struct smu_context *smu, enum smu_clk_type clk_type)
+ {
+       PPTable_t *pptable = smu->smu_table.driver_pptable;
+       DpmDescriptor_t *dpm_desc = NULL;
+-      uint32_t clk_index = 0;
++      int clk_index = 0;
+ 
+       clk_index = smu_cmn_to_asic_specific_index(smu,
+                                                  CMN2ASIC_MAPPING_CLK,
+                                                  clk_type);
++      if (clk_index < 0)
++              return clk_index;
++
+       dpm_desc = &pptable->DpmDescriptor[clk_index];
+ 
+       /* 0 - Fine grained DPM, 1 - Discrete DPM */
+-      return dpm_desc->SnapToDiscrete == 0;
++      return dpm_desc->SnapToDiscrete == 0 ? 1 : 0;
+ }
+ 
+ static inline bool navi10_od_feature_is_supported(struct smu_11_0_overdrive_table *od_table, enum SMU_11_0_ODFEATURE_CAP cap)
+@@ -1283,7 +1286,11 @@ static int navi10_emit_clk_levels(struct smu_context *smu,
+               if (ret)
+                       return ret;
+ 
+-              if (!navi10_is_support_fine_grained_dpm(smu, clk_type)) {
++              ret = navi10_is_support_fine_grained_dpm(smu, clk_type);
++              if (ret < 0)
++                      return ret;
++
++              if (!ret) {
+                       for (i = 0; i < count; i++) {
+                               ret = smu_v11_0_get_dpm_freq_by_index(smu,
+                                                                     clk_type, i, &value);
+@@ -1492,7 +1499,11 @@ static int navi10_print_clk_levels(struct smu_context *smu,
+               if (ret)
+                       return size;
+ 
+-              if (!navi10_is_support_fine_grained_dpm(smu, clk_type)) {
++              ret = navi10_is_support_fine_grained_dpm(smu, clk_type);
++              if (ret < 0)
++                      return ret;
++
++              if (!ret) {
+                       for (i = 0; i < count; i++) {
+                               ret = smu_v11_0_get_dpm_freq_by_index(smu, clk_type, i, &value);
+                               if (ret)
+@@ -1661,7 +1672,11 @@ static int navi10_force_clk_levels(struct smu_context *smu,
+       case SMU_UCLK:
+       case SMU_FCLK:
+               /* There is only 2 levels for fine grained DPM */
+-              if (navi10_is_support_fine_grained_dpm(smu, clk_type)) {
++              ret = navi10_is_support_fine_grained_dpm(smu, clk_type);
++              if (ret < 0)
++                      return ret;
++
++              if (ret) {
+                       soft_max_level = (soft_max_level >= 1 ? 1 : 0);
+                       soft_min_level = (soft_min_level >= 1 ? 1 : 0);
+               }
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-pm-fix-the-out-of-bounds-read-warning.patch b/queue-6.1/drm-amd-pm-fix-the-out-of-bounds-read-warning.patch
new file mode 100644 (file)
index 0000000..56a6926
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-fix-the-out-of-bounds-read-warning.patch
@@ -0,0 +1,39 @@
+From 2b178183a5fd750ee8fb30d3ba3cf824b37afe27 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Apr 2024 10:29:08 +0800
+Subject: drm/amd/pm: fix the Out-of-bounds read warning
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit 12c6967428a099bbba9dfd247bb4322a984fcc0b ]
+
+using index i - 1U may beyond element index
+for mc_data[] when i = 0.
+
+Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+index f503e61faa60..cc3b62f73394 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+@@ -73,8 +73,9 @@ static int atomctrl_retrieve_ac_timing(
+                                       j++;
+                               } else if ((table->mc_reg_address[i].uc_pre_reg_data &
+                                                       LOW_NIBBLE_MASK) == DATA_EQU_PREV) {
+-                                      table->mc_reg_table_entry[num_ranges].mc_data[i] =
+-                                              table->mc_reg_table_entry[num_ranges].mc_data[i-1];
++                                      if (i)
++                                              table->mc_reg_table_entry[num_ranges].mc_data[i] =
++                                                      table->mc_reg_table_entry[num_ranges].mc_data[i-1];
+                               }
+                       }
+                       num_ranges++;
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warning-for-sm.patch b/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warning-for-sm.patch
new file mode 100644 (file)
index 0000000..ba5bc0b
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warning-for-sm.patch
@@ -0,0 +1,87 @@
+From 66625420b1db74bf5a5a6879453fb8d0cca5ea2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 12:52:45 +0800
+Subject: drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tim Huang <Tim.Huang@amd.com>
+
+[ Upstream commit 86df36b934640866eb249a4488abb148b985a0d9 ]
+
+Clear warnings that using uninitialized value level when fails
+to get the value from SMU.
+
+Signed-off-by: Tim Huang <Tim.Huang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c   | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c
+index eb744401e056..7e1197420873 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c
+@@ -584,6 +584,7 @@ static int smu8_init_uvd_limit(struct pp_hwmgr *hwmgr)
+                               hwmgr->dyn_state.uvd_clock_voltage_dependency_table;
+       unsigned long clock = 0;
+       uint32_t level;
++      int ret;
+ 
+       if (NULL == table || table->count <= 0)
+               return -EINVAL;
+@@ -591,7 +592,9 @@ static int smu8_init_uvd_limit(struct pp_hwmgr *hwmgr)
+       data->uvd_dpm.soft_min_clk = 0;
+       data->uvd_dpm.hard_min_clk = 0;
+ 
+-      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxUvdLevel, &level);
++      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxUvdLevel, &level);
++      if (ret)
++              return ret;
+ 
+       if (level < table->count)
+               clock = table->entries[level].vclk;
+@@ -611,6 +614,7 @@ static int smu8_init_vce_limit(struct pp_hwmgr *hwmgr)
+                               hwmgr->dyn_state.vce_clock_voltage_dependency_table;
+       unsigned long clock = 0;
+       uint32_t level;
++      int ret;
+ 
+       if (NULL == table || table->count <= 0)
+               return -EINVAL;
+@@ -618,7 +622,9 @@ static int smu8_init_vce_limit(struct pp_hwmgr *hwmgr)
+       data->vce_dpm.soft_min_clk = 0;
+       data->vce_dpm.hard_min_clk = 0;
+ 
+-      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxEclkLevel, &level);
++      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxEclkLevel, &level);
++      if (ret)
++              return ret;
+ 
+       if (level < table->count)
+               clock = table->entries[level].ecclk;
+@@ -638,6 +644,7 @@ static int smu8_init_acp_limit(struct pp_hwmgr *hwmgr)
+                               hwmgr->dyn_state.acp_clock_voltage_dependency_table;
+       unsigned long clock = 0;
+       uint32_t level;
++      int ret;
+ 
+       if (NULL == table || table->count <= 0)
+               return -EINVAL;
+@@ -645,7 +652,9 @@ static int smu8_init_acp_limit(struct pp_hwmgr *hwmgr)
+       data->acp_dpm.soft_min_clk = 0;
+       data->acp_dpm.hard_min_clk = 0;
+ 
+-      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxAclkLevel, &level);
++      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxAclkLevel, &level);
++      if (ret)
++              return ret;
+ 
+       if (level < table->count)
+               clock = table->entries[level].acpclk;
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warning.patch b/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warning.patch
new file mode 100644 (file)
index 0000000..5c24353
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warning.patch
@@ -0,0 +1,37 @@
+From b01b41c2b98deff5d9766e9df3477ee3c52ca8d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Apr 2024 15:36:26 +0800
+Subject: drm/amd/pm: fix uninitialized variable warning
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit 7c836905520703dbc8b938993b6d4d718bc739f3 ]
+
+Check the return of function smum_send_msg_to_smc
+as it may fail to initialize the variable.
+
+Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
+index f3668911a88f..eae4b4826f04 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
+@@ -99,7 +99,7 @@ static void pp_swctf_delayed_work_handler(struct work_struct *work)
+       struct amdgpu_device *adev = hwmgr->adev;
+       struct amdgpu_dpm_thermal *range =
+                               &adev->pm.dpm.thermal;
+-      uint32_t gpu_temperature, size;
++      uint32_t gpu_temperature, size = sizeof(gpu_temperature);
+       int ret;
+ 
+       /*
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch b/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch
new file mode 100644 (file)
index 0000000..3351342
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch
@@ -0,0 +1,180 @@
+From 0dadd8bf769e7f5b881312331a3cf872e024f384 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Apr 2024 12:41:42 +0800
+Subject: drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr
+
+From: Tim Huang <Tim.Huang@amd.com>
+
+[ Upstream commit 5fa7d540d95d97ddc021a74583f6b3da4df9c93a ]
+
+Clear warnings that using uninitialized variable when fails
+to get the valid value from SMU.
+
+Signed-off-by: Tim Huang <Tim.Huang@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 46 ++++++++++++++-----
+ .../amd/pm/powerplay/smumgr/vega10_smumgr.c   |  6 ++-
+ 2 files changed, 39 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
+index d2ecf0244fa5..40592cab7810 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
+@@ -355,13 +355,13 @@ static int vega10_odn_initial_default_setting(struct pp_hwmgr *hwmgr)
+       return 0;
+ }
+ 
+-static void vega10_init_dpm_defaults(struct pp_hwmgr *hwmgr)
++static int vega10_init_dpm_defaults(struct pp_hwmgr *hwmgr)
+ {
+       struct vega10_hwmgr *data = hwmgr->backend;
+-      int i;
+       uint32_t sub_vendor_id, hw_revision;
+       uint32_t top32, bottom32;
+       struct amdgpu_device *adev = hwmgr->adev;
++      int ret, i;
+ 
+       vega10_initialize_power_tune_defaults(hwmgr);
+ 
+@@ -486,9 +486,12 @@ static void vega10_init_dpm_defaults(struct pp_hwmgr *hwmgr)
+       if (data->registry_data.vr0hot_enabled)
+               data->smu_features[GNLD_VR0HOT].supported = true;
+ 
+-      smum_send_msg_to_smc(hwmgr,
++      ret = smum_send_msg_to_smc(hwmgr,
+                       PPSMC_MSG_GetSmuVersion,
+                       &hwmgr->smu_version);
++      if (ret)
++              return ret;
++
+               /* ACG firmware has major version 5 */
+       if ((hwmgr->smu_version & 0xff000000) == 0x5000000)
+               data->smu_features[GNLD_ACG].supported = true;
+@@ -506,10 +509,16 @@ static void vega10_init_dpm_defaults(struct pp_hwmgr *hwmgr)
+               data->smu_features[GNLD_PCC_LIMIT].supported = true;
+ 
+       /* Get the SN to turn into a Unique ID */
+-      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32);
+-      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32);
++      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32);
++      if (ret)
++              return ret;
++
++      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32);
++      if (ret)
++              return ret;
+ 
+       adev->unique_id = ((uint64_t)bottom32 << 32) | top32;
++      return 0;
+ }
+ 
+ #ifdef PPLIB_VEGA10_EVV_SUPPORT
+@@ -883,7 +892,9 @@ static int vega10_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
+ 
+       vega10_set_features_platform_caps(hwmgr);
+ 
+-      vega10_init_dpm_defaults(hwmgr);
++      result = vega10_init_dpm_defaults(hwmgr);
++      if (result)
++              return result;
+ 
+ #ifdef PPLIB_VEGA10_EVV_SUPPORT
+       /* Get leakage voltage based on leakage ID. */
+@@ -3917,11 +3928,14 @@ static int vega10_get_gpu_power(struct pp_hwmgr *hwmgr,
+               uint32_t *query)
+ {
+       uint32_t value;
++      int ret;
+ 
+       if (!query)
+               return -EINVAL;
+ 
+-      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrPkgPwr, &value);
++      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrPkgPwr, &value);
++      if (ret)
++              return ret;
+ 
+       /* SMC returning actual watts, keep consistent with legacy asics, low 8 bit as 8 fractional bits */
+       *query = value << 8;
+@@ -4817,14 +4831,16 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr,
+       uint32_t gen_speed, lane_width, current_gen_speed, current_lane_width;
+       PPTable_t *pptable = &(data->smc_state_table.pp_table);
+ 
+-      int i, now, size = 0, count = 0;
++      int i, ret, now,  size = 0, count = 0;
+ 
+       switch (type) {
+       case PP_SCLK:
+               if (data->registry_data.sclk_dpm_key_disabled)
+                       break;
+ 
+-              smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentGfxclkIndex, &now);
++              ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentGfxclkIndex, &now);
++              if (ret)
++                      break;
+ 
+               if (hwmgr->pp_one_vf &&
+                   (hwmgr->dpm_level == AMD_DPM_FORCED_LEVEL_PROFILE_PEAK))
+@@ -4840,7 +4856,9 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr,
+               if (data->registry_data.mclk_dpm_key_disabled)
+                       break;
+ 
+-              smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentUclkIndex, &now);
++              ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentUclkIndex, &now);
++              if (ret)
++                      break;
+ 
+               for (i = 0; i < mclk_table->count; i++)
+                       size += sprintf(buf + size, "%d: %uMhz %s\n",
+@@ -4851,7 +4869,9 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr,
+               if (data->registry_data.socclk_dpm_key_disabled)
+                       break;
+ 
+-              smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentSocclkIndex, &now);
++              ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentSocclkIndex, &now);
++              if (ret)
++                      break;
+ 
+               for (i = 0; i < soc_table->count; i++)
+                       size += sprintf(buf + size, "%d: %uMhz %s\n",
+@@ -4862,8 +4882,10 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr,
+               if (data->registry_data.dcefclk_dpm_key_disabled)
+                       break;
+ 
+-              smum_send_msg_to_smc_with_parameter(hwmgr,
++              ret = smum_send_msg_to_smc_with_parameter(hwmgr,
+                               PPSMC_MSG_GetClockFreqMHz, CLK_DCEFCLK, &now);
++              if (ret)
++                      break;
+ 
+               for (i = 0; i < dcef_table->count; i++)
+                       size += sprintf(buf + size, "%d: %uMhz %s\n",
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/vega10_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/vega10_smumgr.c
+index a70d73896649..f9c0f117725d 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/vega10_smumgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/vega10_smumgr.c
+@@ -130,13 +130,17 @@ int vega10_get_enabled_smc_features(struct pp_hwmgr *hwmgr,
+                           uint64_t *features_enabled)
+ {
+       uint32_t enabled_features;
++      int ret;
+ 
+       if (features_enabled == NULL)
+               return -EINVAL;
+ 
+-      smum_send_msg_to_smc(hwmgr,
++      ret = smum_send_msg_to_smc(hwmgr,
+                       PPSMC_MSG_GetEnabledSmuFeatures,
+                       &enabled_features);
++      if (ret)
++              return ret;
++
+       *features_enabled = enabled_features;
+ 
+       return 0;
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch-4175 b/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch-4175
new file mode 100644 (file)
index 0000000..0785b60
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch-4175
@@ -0,0 +1,56 @@
+From 51e75240dcefed29cb1344f77ace585b01244736 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Apr 2024 15:42:03 +0800
+Subject: drm/amd/pm: fix uninitialized variable warnings for vangogh_ppt
+
+From: Tim Huang <Tim.Huang@amd.com>
+
+[ Upstream commit b2871de6961d24d421839fbfa4aa3008ec9170d5 ]
+
+1. Fix a issue that using uninitialized mask to get the ultimate frequency.
+2. Check return of smu_cmn_send_smc_msg_with_param to avoid using
+uninitialized variable residency.
+
+Signed-off-by: Tim Huang <Tim.Huang@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
+index 1b731a9c92d9..c9c0aa6376e3 100644
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c
+@@ -1003,6 +1003,18 @@ static int vangogh_get_dpm_ultimate_freq(struct smu_context *smu,
+               }
+       }
+       if (min) {
++              ret = vangogh_get_profiling_clk_mask(smu,
++                                                   AMD_DPM_FORCED_LEVEL_PROFILE_MIN_MCLK,
++                                                   NULL,
++                                                   NULL,
++                                                   &mclk_mask,
++                                                   &fclk_mask,
++                                                   &soc_mask);
++              if (ret)
++                      goto failed;
++
++              vclk_mask = dclk_mask = 0;
++
+               switch (clk_type) {
+               case SMU_UCLK:
+               case SMU_MCLK:
+@@ -2363,6 +2375,8 @@ static u32 vangogh_set_gfxoff_residency(struct smu_context *smu, bool start)
+ 
+       ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_LogGfxOffResidency,
+                                             start, &residency);
++      if (ret)
++              return ret;
+ 
+       if (!start)
+               adev->gfx.gfx_off_residency = residency;
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amd-pm-fix-warning-using-uninitialized-value-of-.patch b/queue-6.1/drm-amd-pm-fix-warning-using-uninitialized-value-of-.patch
new file mode 100644 (file)
index 0000000..f6b82f2
--- /dev/null
+++ b/queue-6.1/drm-amd-pm-fix-warning-using-uninitialized-value-of-.patch
@@ -0,0 +1,41 @@
+From b88897613c4c832932b13bd670635414669a4060 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 15:26:25 +0800
+Subject: drm/amd/pm: fix warning using uninitialized value of max_vid_step
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit 17e3bea65cdc453695b2fe4ff26d25d17f5339e9 ]
+
+Check the return of pp_atomfwctrl_get_Voltage_table_v4
+as it may fail to initialize max_vid_step
+V2: change the check condition (Tim Huang)
+
+Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
+index f8333410cc3e..d2ecf0244fa5 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
+@@ -2575,8 +2575,11 @@ static int vega10_init_smc_table(struct pp_hwmgr *hwmgr)
+               }
+       }
+ 
+-      pp_atomfwctrl_get_voltage_table_v4(hwmgr, VOLTAGE_TYPE_VDDC,
++      result = pp_atomfwctrl_get_voltage_table_v4(hwmgr, VOLTAGE_TYPE_VDDC,
+                       VOLTAGE_OBJ_SVID2,  &voltage_table);
++      PP_ASSERT_WITH_CODE(!result,
++                      "Failed to get voltage table!",
++                      return result);
+       pp_table->MaxVidStep = voltage_table.max_vid_step;
+ 
+       pp_table->GfxDpmVoltageMode =
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-avoid-reading-vf2pf-info-size-from-fb.patch b/queue-6.1/drm-amdgpu-avoid-reading-vf2pf-info-size-from-fb.patch
new file mode 100644 (file)
index 0000000..4594eaa
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-avoid-reading-vf2pf-info-size-from-fb.patch
@@ -0,0 +1,37 @@
+From c777afbbf154d5c3d162997165554692d3d4b7ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 16:35:14 -0400
+Subject: drm/amdgpu: avoid reading vf2pf info size from FB
+
+From: Zhigang Luo <Zhigang.Luo@amd.com>
+
+[ Upstream commit 3bcc0ee14768d886cedff65da72d83d375a31a56 ]
+
+VF can't access FB when host is doing mode1 reset. Using sizeof to get
+vf2pf info size, instead of reading it from vf2pf header stored in FB.
+
+Signed-off-by: Zhigang Luo <Zhigang.Luo@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
+index 5ee9211c503c..af50e6ce39e1 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
+@@ -604,7 +604,7 @@ static int amdgpu_virt_write_vf2pf_data(struct amdgpu_device *adev)
+       vf2pf_info->dummy_page_addr = (uint64_t)adev->dummy_page_addr;
+       vf2pf_info->checksum =
+               amd_sriov_msg_checksum(
+-              vf2pf_info, vf2pf_info->header.size, 0, 0);
++              vf2pf_info, sizeof(*vf2pf_info), 0, 0);
+ 
+       return 0;
+ }
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-fix-dereference-after-null-check.patch b/queue-6.1/drm-amdgpu-fix-dereference-after-null-check.patch
new file mode 100644 (file)
index 0000000..e110998
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fix-dereference-after-null-check.patch
@@ -0,0 +1,35 @@
+From 3c7372cb263bbb274756234d7f96280439b51c14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 14:51:35 +0800
+Subject: drm/amdgpu: fix dereference after null check
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit b1f7810b05d1950350ac2e06992982974343e441 ]
+
+check the pointer hive before use.
+
+Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 1319fdd37e7a..1d0f6628f1d6 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -5391,7 +5391,7 @@ int amdgpu_device_gpu_recover(struct amdgpu_device *adev,
+        * to put adev in the 1st position.
+        */
+       INIT_LIST_HEAD(&device_list);
+-      if (!amdgpu_sriov_vf(adev) && (adev->gmc.xgmi.num_physical_nodes > 1)) {
++      if (!amdgpu_sriov_vf(adev) && (adev->gmc.xgmi.num_physical_nodes > 1) && hive) {
+               list_for_each_entry(tmp_adev, &hive->device_list, gmc.xgmi.head) {
+                       list_add_tail(&tmp_adev->reset_list, &device_list);
+                       if (gpu_reset_for_dev_remove && adev->shutdown)
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch b/queue-6.1/drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch
new file mode 100644 (file)
index 0000000..c62952f
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch
@@ -0,0 +1,35 @@
+From 74edeb79f3cabe31b4cf1ce0c1a706872c8fec17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 May 2024 16:30:01 +0800
+Subject: drm/amdgpu: fix mc_data out-of-bounds read warning
+
+From: Tim Huang <Tim.Huang@amd.com>
+
+[ Upstream commit 51dfc0a4d609fe700750a62f41447f01b8c9ea50 ]
+
+Clear warning that read mc_data[i-1] may out-of-bounds.
+
+Signed-off-by: Tim Huang <Tim.Huang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+index 9ba4817a9148..816014ea5381 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c
+@@ -1476,6 +1476,8 @@ int amdgpu_atombios_init_mc_reg_table(struct amdgpu_device *adev,
+                                                                               (u32)le32_to_cpu(*((u32 *)reg_data + j));
+                                                                       j++;
+                                                               } else if ((reg_table->mc_reg_address[i].pre_reg_data & LOW_NIBBLE_MASK) == DATA_EQU_PREV) {
++                                                                      if (i == 0)
++                                                                              continue;
+                                                                       reg_table->mc_reg_table_entry[num_ranges].mc_data[i] =
+                                                                               reg_table->mc_reg_table_entry[num_ranges].mc_data[i - 1];
+                                                               }
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-fix-out-of-bounds-read-of-df_v1_7_channel.patch b/queue-6.1/drm-amdgpu-fix-out-of-bounds-read-of-df_v1_7_channel.patch
new file mode 100644 (file)
index 0000000..2634045
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fix-out-of-bounds-read-of-df_v1_7_channel.patch
@@ -0,0 +1,36 @@
+From 0d2d72e85ba5b114d9b6f3cc1f25f9e0191302d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 09:29:33 +0800
+Subject: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+[ Upstream commit d768394fa99467bcf2703bde74ddc96eeb0b71fa ]
+
+Check the fb_channel_number range to avoid the array out-of-bounds
+read error
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/df_v1_7.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/df_v1_7.c b/drivers/gpu/drm/amd/amdgpu/df_v1_7.c
+index b991609f46c1..d4909ee97cd2 100644
+--- a/drivers/gpu/drm/amd/amdgpu/df_v1_7.c
++++ b/drivers/gpu/drm/amd/amdgpu/df_v1_7.c
+@@ -70,6 +70,8 @@ static u32 df_v1_7_get_hbm_channel_number(struct amdgpu_device *adev)
+       int fb_channel_number;
+ 
+       fb_channel_number = adev->df.funcs->get_fb_channel_number(adev);
++      if (fb_channel_number >= ARRAY_SIZE(df_v1_7_channel_number))
++              fb_channel_number = 0;
+ 
+       return df_v1_7_channel_number[fb_channel_number];
+ }
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-fix-out-of-bounds-write-warning.patch b/queue-6.1/drm-amdgpu-fix-out-of-bounds-write-warning.patch
new file mode 100644 (file)
index 0000000..9114351
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fix-out-of-bounds-write-warning.patch
@@ -0,0 +1,40 @@
+From 8d174750dc7d248690a37e3519a8d722e6011cb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Apr 2024 14:00:17 +0800
+Subject: drm/amdgpu: Fix out-of-bounds write warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+[ Upstream commit be1684930f5262a622d40ce7a6f1423530d87f89 ]
+
+Check the ring type value to fix the out-of-bounds
+write warning
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Suggested-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+index 2001c7d27a53..cb73d06e1d38 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+@@ -324,7 +324,7 @@ int amdgpu_ring_init(struct amdgpu_device *adev, struct amdgpu_ring *ring,
+       ring->max_dw = max_dw;
+       ring->hw_prio = hw_prio;
+ 
+-      if (!ring->no_scheduler) {
++      if (!ring->no_scheduler && ring->funcs->type < AMDGPU_HW_IP_NUM) {
+               hw_ip = ring->funcs->type;
+               num_sched = &adev->gpu_sched[hw_ip][hw_prio].num_scheds;
+               adev->gpu_sched[hw_ip][hw_prio].sched[(*num_sched)++] =
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-fix-overflowed-array-index-read-warning.patch b/queue-6.1/drm-amdgpu-fix-overflowed-array-index-read-warning.patch
new file mode 100644 (file)
index 0000000..8939eca
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fix-overflowed-array-index-read-warning.patch
@@ -0,0 +1,41 @@
+From b734695407c1545696b029ed421b588ff3f43eaf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Apr 2024 13:15:27 +0800
+Subject: drm/amdgpu: fix overflowed array index read warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tim Huang <Tim.Huang@amd.com>
+
+[ Upstream commit ebbc2ada5c636a6a63d8316a3408753768f5aa9f ]
+
+Clear overflowed array index read warning by cast operation.
+
+Signed-off-by: Tim Huang <Tim.Huang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+index 296b2d5976af..2001c7d27a53 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+@@ -434,8 +434,9 @@ static ssize_t amdgpu_debugfs_ring_read(struct file *f, char __user *buf,
+                                       size_t size, loff_t *pos)
+ {
+       struct amdgpu_ring *ring = file_inode(f)->i_private;
+-      int r, i;
+       uint32_t value, result, early[3];
++      loff_t i;
++      int r;
+ 
+       if (*pos & 3 || size & 3)
+               return -EINVAL;
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-fix-the-waring-dereferencing-hive.patch b/queue-6.1/drm-amdgpu-fix-the-waring-dereferencing-hive.patch
new file mode 100644 (file)
index 0000000..bcb94fb
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fix-the-waring-dereferencing-hive.patch
@@ -0,0 +1,36 @@
+From c4d966667839bbce7da99db6c017436ff07849d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 16:20:49 +0800
+Subject: drm/amdgpu: fix the waring dereferencing hive
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit 1940708ccf5aff76de4e0b399f99267c93a89193 ]
+
+Check the amdgpu_hive_info *hive that maybe is NULL.
+
+Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+index 8764ff7ed97e..f8740ad08af4 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+@@ -1297,6 +1297,9 @@ static void psp_xgmi_reflect_topology_info(struct psp_context *psp,
+       uint8_t dst_num_links = node_info.num_links;
+ 
+       hive = amdgpu_get_xgmi_hive(psp->adev);
++      if (WARN_ON(!hive))
++              return;
++
+       list_for_each_entry(mirror_adev, &hive->device_list, gmc.xgmi.head) {
+               struct psp_xgmi_topology_info *mirror_top_info;
+               int j;
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch b/queue-6.1/drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch
new file mode 100644 (file)
index 0000000..ef6b6a4
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch
@@ -0,0 +1,36 @@
+From 34be1d09b864fc090473e57890a6963d1ac6c857 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 May 2024 16:21:00 +0800
+Subject: drm/amdgpu: fix ucode out-of-bounds read warning
+
+From: Tim Huang <Tim.Huang@amd.com>
+
+[ Upstream commit 8944acd0f9db33e17f387fdc75d33bb473d7936f ]
+
+Clear warning that read ucode[] may out-of-bounds.
+
+Signed-off-by: Tim Huang <Tim.Huang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
+index f1a050379190..682de88cf91f 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c
+@@ -213,6 +213,9 @@ static int amdgpu_cgs_get_firmware_info(struct cgs_device *cgs_device,
+               struct amdgpu_firmware_info *ucode;
+ 
+               id = fw_type_convert(cgs_device, type);
++              if (id >= AMDGPU_UCODE_ID_MAXIMUM)
++                      return -EINVAL;
++
+               ucode = &adev->firmware.ucode[id];
+               if (ucode->fw == NULL)
+                       return -EINVAL;
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch b/queue-6.1/drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch
new file mode 100644 (file)
index 0000000..12fbf48
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch
@@ -0,0 +1,35 @@
+From 15c3867a49b387eb40fc11a12e9bae4bc9bd62c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 10:50:54 +0800
+Subject: drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+[ Upstream commit c0d6bd3cd209419cc46ac49562bef1db65d90e70 ]
+
+Assign value to clock to fix the warning below:
+"Using uninitialized value res. Field res.clock is uninitialized"
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c
+index a4d65973bf7c..80771b1480ff 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c
+@@ -100,6 +100,7 @@ struct amdgpu_afmt_acr amdgpu_afmt_acr(uint32_t clock)
+       amdgpu_afmt_calc_cts(clock, &res.cts_32khz, &res.n_32khz, 32000);
+       amdgpu_afmt_calc_cts(clock, &res.cts_44_1khz, &res.n_44_1khz, 44100);
+       amdgpu_afmt_calc_cts(clock, &res.cts_48khz, &res.n_48khz, 48000);
++      res.clock = clock;
+ 
+       return res;
+ }
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-pm-check-input-value-for-custom-profile-m.patch b/queue-6.1/drm-amdgpu-pm-check-input-value-for-custom-profile-m.patch
new file mode 100644 (file)
index 0000000..c2d1f9c
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-pm-check-input-value-for-custom-profile-m.patch
@@ -0,0 +1,65 @@
+From 96360fec94c7a09a1a2433bec82451d69c1e4548 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 May 2024 10:05:21 +0800
+Subject: drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on
+ legacy SOCs
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+[ Upstream commit df0a9bd92fbbd3fcafcb2bce6463c9228a3e6868 ]
+
+Check the input value for CUSTOM profile mode setting on legacy
+SOCs. Otherwise we may use uninitalized value of input[]
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c   | 2 +-
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c | 8 ++++++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+index 750b7527bdf8..530888c475be 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c
+@@ -5639,7 +5639,7 @@ static int smu7_set_power_profile_mode(struct pp_hwmgr *hwmgr, long *input, uint
+       mode = input[size];
+       switch (mode) {
+       case PP_SMC_POWER_PROFILE_CUSTOM:
+-              if (size < 8 && size != 0)
++              if (size != 8 && size != 0)
+                       return -EINVAL;
+               /* If only CUSTOM is passed in, use the saved values. Check
+                * that we actually have a CUSTOM profile by ensuring that
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
+index 7606db479bad..89f1ed7d08c2 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
+@@ -4095,9 +4095,11 @@ static int vega20_set_power_profile_mode(struct pp_hwmgr *hwmgr, long *input, ui
+       if (power_profile_mode == PP_SMC_POWER_PROFILE_CUSTOM) {
+               struct vega20_hwmgr *data =
+                       (struct vega20_hwmgr *)(hwmgr->backend);
+-              if (size == 0 && !data->is_custom_profile_set)
++
++              if (size != 10 && size != 0)
+                       return -EINVAL;
+-              if (size < 10 && size != 0)
++
++              if (size == 0 && !data->is_custom_profile_set)
+                       return -EINVAL;
+ 
+               result = vega20_get_activity_monitor_coeff(hwmgr,
+@@ -4159,6 +4161,8 @@ static int vega20_set_power_profile_mode(struct pp_hwmgr *hwmgr, long *input, ui
+                       activity_monitor.Fclk_PD_Data_error_coeff = input[8];
+                       activity_monitor.Fclk_PD_Data_error_rate_coeff = input[9];
+                       break;
++              default:
++                      return -EINVAL;
+               }
+ 
+               result = vega20_set_activity_monitor_coeff(hwmgr,
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-pm-check-the-return-value-of-smum_send_ms.patch b/queue-6.1/drm-amdgpu-pm-check-the-return-value-of-smum_send_ms.patch
new file mode 100644 (file)
index 0000000..9f635c1
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-pm-check-the-return-value-of-smum_send_ms.patch
@@ -0,0 +1,49 @@
+From bb0bfe293495479322b2b7e56b18bc98a4e1afc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 14:38:04 +0800
+Subject: drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+[ Upstream commit 579f0c21baec9e7506b6bb3f60f0a9b6d07693b4 ]
+
+Check the return value of smum_send_msg_to_smc, otherwise
+we might use an uninitialized variable "now"
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c
+index 86d6e88c7386..e4d524ae5a77 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c
+@@ -1036,7 +1036,9 @@ static int smu10_print_clock_levels(struct pp_hwmgr *hwmgr,
+ 
+       switch (type) {
+       case PP_SCLK:
+-              smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetGfxclkFrequency, &now);
++              ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetGfxclkFrequency, &now);
++              if (ret)
++                      return ret;
+ 
+       /* driver only know min/max gfx_clk, Add level 1 for all other gfx clks */
+               if (now == data->gfx_max_freq_limit/100)
+@@ -1057,7 +1059,9 @@ static int smu10_print_clock_levels(struct pp_hwmgr *hwmgr,
+                                       i == 2 ? "*" : "");
+               break;
+       case PP_MCLK:
+-              smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetFclkFrequency, &now);
++              ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetFclkFrequency, &now);
++              if (ret)
++                      return ret;
+ 
+               for (i = 0; i < mclk_table->count; i++)
+                       size += sprintf(buf + size, "%d: %uMhz %s\n",
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-pm-fix-uninitialized-variable-agc_btc_res.patch b/queue-6.1/drm-amdgpu-pm-fix-uninitialized-variable-agc_btc_res.patch
new file mode 100644 (file)
index 0000000..5067213
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-pm-fix-uninitialized-variable-agc_btc_res.patch
@@ -0,0 +1,50 @@
+From 988d07caf742c0d5e09bb61622736666f5faa185 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 Apr 2024 14:41:38 +0800
+Subject: drm/amdgpu/pm: Fix uninitialized variable agc_btc_response
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+[ Upstream commit df4409d8a04dd39d7f2aa0c5f528a56b99eaaa13 ]
+
+Assign an default value to agc_btc_response in failed case
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
+index 40592cab7810..c4d81c0aa18e 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c
+@@ -2365,15 +2365,20 @@ static int vega10_acg_enable(struct pp_hwmgr *hwmgr)
+ {
+       struct vega10_hwmgr *data = hwmgr->backend;
+       uint32_t agc_btc_response;
++      int ret;
+ 
+       if (data->smu_features[GNLD_ACG].supported) {
+               if (0 == vega10_enable_smc_features(hwmgr, true,
+                                       data->smu_features[GNLD_DPM_PREFETCHER].smu_feature_bitmap))
+                       data->smu_features[GNLD_DPM_PREFETCHER].enabled = true;
+ 
+-              smum_send_msg_to_smc(hwmgr, PPSMC_MSG_InitializeAcg, NULL);
++              ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_InitializeAcg, NULL);
++              if (ret)
++                      return ret;
+ 
+-              smum_send_msg_to_smc(hwmgr, PPSMC_MSG_RunAcgBtc, &agc_btc_response);
++              ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_RunAcgBtc, &agc_btc_response);
++              if (ret)
++                      agc_btc_response = 0;
+ 
+               if (1 == agc_btc_response) {
+                       if (1 == data->acg_loop_state)
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-pm-fix-uninitialized-variable-warning-for.patch b/queue-6.1/drm-amdgpu-pm-fix-uninitialized-variable-warning-for.patch
new file mode 100644 (file)
index 0000000..1412310
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-pm-fix-uninitialized-variable-warning-for.patch
@@ -0,0 +1,185 @@
+From 247be05939c4094a2ed041a4674981cd7ac2afbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 17:46:08 +0800
+Subject: drm/amdgpu/pm: Fix uninitialized variable warning for smu10
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+[ Upstream commit 336c8f558d596699d3d9814a45600139b2f23f27 ]
+
+Check return value of smum_send_msg_to_smc to fix
+uninitialized variable varning
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c  | 21 +++++++++++++----
+ .../drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c | 20 ++++++++++++----
+ .../drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c | 23 ++++++++++++++-----
+ 3 files changed, 48 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c
+index e4d524ae5a77..4f3488f4e0d0 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c
+@@ -1554,7 +1554,10 @@ static int smu10_set_fine_grain_clk_vol(struct pp_hwmgr *hwmgr,
+               }
+ 
+               if (input[0] == 0) {
+-                      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMinGfxclkFrequency, &min_freq);
++                      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMinGfxclkFrequency, &min_freq);
++                      if (ret)
++                              return ret;
++
+                       if (input[1] < min_freq) {
+                               pr_err("Fine grain setting minimum sclk (%ld) MHz is less than the minimum allowed (%d) MHz\n",
+                                       input[1], min_freq);
+@@ -1562,7 +1565,10 @@ static int smu10_set_fine_grain_clk_vol(struct pp_hwmgr *hwmgr,
+                       }
+                       smu10_data->gfx_actual_soft_min_freq = input[1];
+               } else if (input[0] == 1) {
+-                      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxGfxclkFrequency, &max_freq);
++                      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxGfxclkFrequency, &max_freq);
++                      if (ret)
++                              return ret;
++
+                       if (input[1] > max_freq) {
+                               pr_err("Fine grain setting maximum sclk (%ld) MHz is greater than the maximum allowed (%d) MHz\n",
+                                       input[1], max_freq);
+@@ -1577,10 +1583,15 @@ static int smu10_set_fine_grain_clk_vol(struct pp_hwmgr *hwmgr,
+                       pr_err("Input parameter number not correct\n");
+                       return -EINVAL;
+               }
+-              smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMinGfxclkFrequency, &min_freq);
+-              smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxGfxclkFrequency, &max_freq);
+-
++              ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMinGfxclkFrequency, &min_freq);
++              if (ret)
++                      return ret;
+               smu10_data->gfx_actual_soft_min_freq = min_freq;
++
++              ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxGfxclkFrequency, &max_freq);
++              if (ret)
++                      return ret;
++
+               smu10_data->gfx_actual_soft_max_freq = max_freq;
+       } else if (type == PP_OD_COMMIT_DPM_TABLE) {
+               if (size != 0) {
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c
+index 1069eaaae2f8..e4948a118475 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c
+@@ -294,12 +294,12 @@ static int vega12_set_features_platform_caps(struct pp_hwmgr *hwmgr)
+       return 0;
+ }
+ 
+-static void vega12_init_dpm_defaults(struct pp_hwmgr *hwmgr)
++static int vega12_init_dpm_defaults(struct pp_hwmgr *hwmgr)
+ {
+       struct vega12_hwmgr *data = (struct vega12_hwmgr *)(hwmgr->backend);
+       struct amdgpu_device *adev = hwmgr->adev;
+       uint32_t top32, bottom32;
+-      int i;
++      int i, ret;
+ 
+       data->smu_features[GNLD_DPM_PREFETCHER].smu_feature_id =
+                       FEATURE_DPM_PREFETCHER_BIT;
+@@ -365,10 +365,16 @@ static void vega12_init_dpm_defaults(struct pp_hwmgr *hwmgr)
+       }
+ 
+       /* Get the SN to turn into a Unique ID */
+-      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32);
+-      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32);
++      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32);
++      if (ret)
++              return ret;
++      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32);
++      if (ret)
++              return ret;
+ 
+       adev->unique_id = ((uint64_t)bottom32 << 32) | top32;
++
++      return 0;
+ }
+ 
+ static int vega12_set_private_data_based_on_pptable(struct pp_hwmgr *hwmgr)
+@@ -411,7 +417,11 @@ static int vega12_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
+ 
+       vega12_set_features_platform_caps(hwmgr);
+ 
+-      vega12_init_dpm_defaults(hwmgr);
++      result = vega12_init_dpm_defaults(hwmgr);
++      if (result) {
++              pr_err("%s failed\n", __func__);
++              return result;
++      }
+ 
+       /* Parse pptable data read from VBIOS */
+       vega12_set_private_data_based_on_pptable(hwmgr);
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
+index ff77a3683efd..7606db479bad 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
+@@ -329,12 +329,12 @@ static int vega20_set_features_platform_caps(struct pp_hwmgr *hwmgr)
+       return 0;
+ }
+ 
+-static void vega20_init_dpm_defaults(struct pp_hwmgr *hwmgr)
++static int vega20_init_dpm_defaults(struct pp_hwmgr *hwmgr)
+ {
+       struct vega20_hwmgr *data = (struct vega20_hwmgr *)(hwmgr->backend);
+       struct amdgpu_device *adev = hwmgr->adev;
+       uint32_t top32, bottom32;
+-      int i;
++      int i, ret;
+ 
+       data->smu_features[GNLD_DPM_PREFETCHER].smu_feature_id =
+                       FEATURE_DPM_PREFETCHER_BIT;
+@@ -405,10 +405,17 @@ static void vega20_init_dpm_defaults(struct pp_hwmgr *hwmgr)
+       }
+ 
+       /* Get the SN to turn into a Unique ID */
+-      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32);
+-      smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32);
++      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32);
++      if (ret)
++              return ret;
++
++      ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32);
++      if (ret)
++              return ret;
+ 
+       adev->unique_id = ((uint64_t)bottom32 << 32) | top32;
++
++      return 0;
+ }
+ 
+ static int vega20_set_private_data_based_on_pptable(struct pp_hwmgr *hwmgr)
+@@ -428,6 +435,7 @@ static int vega20_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
+ {
+       struct vega20_hwmgr *data;
+       struct amdgpu_device *adev = hwmgr->adev;
++      int result;
+ 
+       data = kzalloc(sizeof(struct vega20_hwmgr), GFP_KERNEL);
+       if (data == NULL)
+@@ -453,8 +461,11 @@ static int vega20_hwmgr_backend_init(struct pp_hwmgr *hwmgr)
+ 
+       vega20_set_features_platform_caps(hwmgr);
+ 
+-      vega20_init_dpm_defaults(hwmgr);
+-
++      result = vega20_init_dpm_defaults(hwmgr);
++      if (result) {
++              pr_err("%s failed\n", __func__);
++              return result;
++      }
+       /* Parse pptable data read from VBIOS */
+       vega20_set_private_data_based_on_pptable(hwmgr);
+ 
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-the-warning-dereferencing-obj-for-nbio_v7.patch b/queue-6.1/drm-amdgpu-the-warning-dereferencing-obj-for-nbio_v7.patch
new file mode 100644 (file)
index 0000000..22ecea7
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-the-warning-dereferencing-obj-for-nbio_v7.patch
@@ -0,0 +1,36 @@
+From 13d01ac8cf5413d120158ccfc060275c9278d270 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 May 2024 15:22:42 +0800
+Subject: drm/amdgpu: the warning dereferencing obj for nbio_v7_4
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit d190b459b2a4304307c3468ed97477b808381011 ]
+
+if ras_manager obj null, don't print NBIO err data
+
+Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
+Suggested-by: Tim Huang <Tim.Huang@amd.com>
+Reviewed-by: Tim Huang <Tim.Huang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c b/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c
+index 19455a725939..7679a4cd55c0 100644
+--- a/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c
++++ b/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c
+@@ -384,7 +384,7 @@ static void nbio_v7_4_handle_ras_controller_intr_no_bifring(struct amdgpu_device
+               else
+                       WREG32_SOC15(NBIO, 0, mmBIF_DOORBELL_INT_CNTL, bif_doorbell_intr_cntl);
+ 
+-              if (!ras->disable_ras_err_cnt_harvest) {
++              if (ras && !ras->disable_ras_err_cnt_harvest && obj) {
+                       /*
+                        * clear error status after ras_controller_intr
+                        * according to hw team and count ue number
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdgpu-update-type-of-buf-size-to-u32-for-eeprom.patch b/queue-6.1/drm-amdgpu-update-type-of-buf-size-to-u32-for-eeprom.patch
new file mode 100644 (file)
index 0000000..904f690
--- /dev/null
+++ b/queue-6.1/drm-amdgpu-update-type-of-buf-size-to-u32-for-eeprom.patch
@@ -0,0 +1,71 @@
+From e3ef92a4b9bdbb66f1ba8158413742fa0dbc85b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 May 2024 18:04:26 +0800
+Subject: drm/amdgpu: update type of buf size to u32 for eeprom functions
+
+From: Tao Zhou <tao.zhou1@amd.com>
+
+[ Upstream commit 2aadb520bfacec12527effce3566f8df55e5d08e ]
+
+Avoid overflow issue.
+
+Signed-off-by: Tao Zhou <tao.zhou1@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c | 6 +++---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.h | 4 ++--
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c
+index d6c4293829aa..3e4912f1f92a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c
+@@ -179,7 +179,7 @@ static int __amdgpu_eeprom_xfer(struct i2c_adapter *i2c_adap, u32 eeprom_addr,
+  * Returns the number of bytes read/written; -errno on error.
+  */
+ static int amdgpu_eeprom_xfer(struct i2c_adapter *i2c_adap, u32 eeprom_addr,
+-                            u8 *eeprom_buf, u16 buf_size, bool read)
++                            u8 *eeprom_buf, u32 buf_size, bool read)
+ {
+       const struct i2c_adapter_quirks *quirks = i2c_adap->quirks;
+       u16 limit;
+@@ -226,7 +226,7 @@ static int amdgpu_eeprom_xfer(struct i2c_adapter *i2c_adap, u32 eeprom_addr,
+ 
+ int amdgpu_eeprom_read(struct i2c_adapter *i2c_adap,
+                      u32 eeprom_addr, u8 *eeprom_buf,
+-                     u16 bytes)
++                     u32 bytes)
+ {
+       return amdgpu_eeprom_xfer(i2c_adap, eeprom_addr, eeprom_buf, bytes,
+                                 true);
+@@ -234,7 +234,7 @@ int amdgpu_eeprom_read(struct i2c_adapter *i2c_adap,
+ 
+ int amdgpu_eeprom_write(struct i2c_adapter *i2c_adap,
+                       u32 eeprom_addr, u8 *eeprom_buf,
+-                      u16 bytes)
++                      u32 bytes)
+ {
+       return amdgpu_eeprom_xfer(i2c_adap, eeprom_addr, eeprom_buf, bytes,
+                                 false);
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.h
+index 6935adb2be1f..8083b8253ef4 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.h
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.h
+@@ -28,10 +28,10 @@
+ 
+ int amdgpu_eeprom_read(struct i2c_adapter *i2c_adap,
+                      u32 eeprom_addr, u8 *eeprom_buf,
+-                     u16 bytes);
++                     u32 bytes);
+ 
+ int amdgpu_eeprom_write(struct i2c_adapter *i2c_adap,
+                       u32 eeprom_addr, u8 *eeprom_buf,
+-                      u16 bytes);
++                      u32 bytes);
+ 
+ #endif
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch b/queue-6.1/drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch
new file mode 100644 (file)
index 0000000..dd7eb7d
--- /dev/null
+++ b/queue-6.1/drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch
@@ -0,0 +1,71 @@
+From 245637cfcc27d17a888b539c32c97780e138d08c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 May 2024 15:31:08 -0400
+Subject: drm/amdkfd: Reconcile the definition and use of oem_id in struct
+ kfd_topology_device
+
+From: Michael Chen <michael.chen@amd.com>
+
+[ Upstream commit 10f624ef239bd136cdcc5bbc626157a57b938a31 ]
+
+Currently oem_id is defined as uint8_t[6] and casted to uint64_t*
+in some use case. This would lead code scanner to complain about
+access beyond. Re-define it in union to enforce 8-byte size and
+alignment to avoid potential issue.
+
+Signed-off-by: Michael Chen <michael.chen@amd.com>
+Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_crat.h     | 2 --
+ drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 3 +--
+ drivers/gpu/drm/amd/amdkfd/kfd_topology.h | 5 ++++-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.h b/drivers/gpu/drm/amd/amdkfd/kfd_crat.h
+index a8671061a175..bf90a6479867 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.h
+@@ -43,8 +43,6 @@
+ #define CRAT_OEMTABLEID_LENGTH        8
+ #define CRAT_RESERVED_LENGTH  6
+ 
+-#define CRAT_OEMID_64BIT_MASK ((1ULL << (CRAT_OEMID_LENGTH * 8)) - 1)
+-
+ /* Compute Unit flags */
+ #define COMPUTE_UNIT_CPU      (1 << 0)  /* Create Virtual CRAT for CPU */
+ #define COMPUTE_UNIT_GPU      (1 << 1)  /* Create Virtual CRAT for GPU */
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
+index 029916971bf6..d841200a405b 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
+@@ -972,8 +972,7 @@ static void kfd_update_system_properties(void)
+       dev = list_last_entry(&topology_device_list,
+                       struct kfd_topology_device, list);
+       if (dev) {
+-              sys_props.platform_id =
+-                      (*((uint64_t *)dev->oem_id)) & CRAT_OEMID_64BIT_MASK;
++              sys_props.platform_id = dev->oem_id64;
+               sys_props.platform_oem = *((uint64_t *)dev->oem_table_id);
+               sys_props.platform_rev = dev->oem_revision;
+       }
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.h b/drivers/gpu/drm/amd/amdkfd/kfd_topology.h
+index 19283b8b1688..00a78c2ce686 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.h
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.h
+@@ -146,7 +146,10 @@ struct kfd_topology_device {
+       struct attribute                attr_gpuid;
+       struct attribute                attr_name;
+       struct attribute                attr_props;
+-      uint8_t                         oem_id[CRAT_OEMID_LENGTH];
++      union {
++              uint8_t                         oem_id[CRAT_OEMID_LENGTH];
++              uint64_t                        oem_id64;
++      };
+       uint8_t                         oem_table_id[CRAT_OEMTABLEID_LENGTH];
+       uint32_t                        oem_revision;
+ };
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-bridge-tc358767-check-if-fully-initialized-befor.patch b/queue-6.1/drm-bridge-tc358767-check-if-fully-initialized-befor.patch
new file mode 100644 (file)
index 0000000..834a373
--- /dev/null
+++ b/queue-6.1/drm-bridge-tc358767-check-if-fully-initialized-befor.patch
@@ -0,0 +1,39 @@
+From 4707e67d1bc7257242b86bef9ca7f3cd9516cf04 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 22:33:12 +0200
+Subject: drm/bridge: tc358767: Check if fully initialized before signalling
+ HPD event via IRQ
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit 162e48cb1d84c2c966b649b8ac5c9d4f75f6d44f ]
+
+Make sure the connector is fully initialized before signalling any
+HPD events via drm_kms_helper_hotplug_event(), otherwise this may
+lead to NULL pointer dereference.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Robert Foss <rfoss@kernel.org>
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240531203333.277476-1-marex@denx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/tc358767.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c
+index 926ab5c3c31a..0af2bd8706e4 100644
+--- a/drivers/gpu/drm/bridge/tc358767.c
++++ b/drivers/gpu/drm/bridge/tc358767.c
+@@ -1841,7 +1841,7 @@ static irqreturn_t tc_irq_handler(int irq, void *arg)
+               dev_err(tc->dev, "syserr %x\n", stat);
+       }
+ 
+-      if (tc->hpd_pin >= 0 && tc->bridge.dev) {
++      if (tc->hpd_pin >= 0 && tc->bridge.dev && tc->aux.drm_dev) {
+               /*
+                * H is triggered when the GPIO goes high.
+                *
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-drm-bridge-drop-conditionals-around-of_node-poin.patch b/queue-6.1/drm-drm-bridge-drop-conditionals-around-of_node-poin.patch
new file mode 100644 (file)
index 0000000..15ceb35
--- /dev/null
+++ b/queue-6.1/drm-drm-bridge-drop-conditionals-around-of_node-poin.patch
@@ -0,0 +1,47 @@
+From 46087ee8c25f3cec49067d257628b22df7c30851 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 02:00:00 +0800
+Subject: drm/drm-bridge: Drop conditionals around of_node pointers
+
+From: Sui Jingfeng <sui.jingfeng@linux.dev>
+
+[ Upstream commit ad3323a6ccb7d43bbeeaa46d5311c43d5d361fc7 ]
+
+Having conditional around the of_node pointer of the drm_bridge structure
+is not necessary, since drm_bridge structure always has the of_node as its
+member.
+
+Let's drop the conditional to get a better looks, please also note that
+this is following the already accepted commitments. see commit d8dfccde2709
+("drm/bridge: Drop conditionals around of_node pointers") for reference.
+
+Signed-off-by: Sui Jingfeng <sui.jingfeng@linux.dev>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Robert Foss <rfoss@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240507180001.1358816-1-sui.jingfeng@linux.dev
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_bridge.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_bridge.c b/drivers/gpu/drm/drm_bridge.c
+index f80254879804..0692a10874bc 100644
+--- a/drivers/gpu/drm/drm_bridge.c
++++ b/drivers/gpu/drm/drm_bridge.c
+@@ -311,13 +311,8 @@ int drm_bridge_attach(struct drm_encoder *encoder, struct drm_bridge *bridge,
+       bridge->encoder = NULL;
+       list_del(&bridge->chain_node);
+ 
+-#ifdef CONFIG_OF
+       DRM_ERROR("failed to attach bridge %pOF to encoder %s: %d\n",
+                 bridge->of_node, encoder->name, ret);
+-#else
+-      DRM_ERROR("failed to attach bridge to encoder %s: %d\n",
+-                encoder->name, ret);
+-#endif
+ 
+       return ret;
+ }
+-- 
+2.43.0
+

diff --git a/queue-6.1/drm-meson-plane-add-error-handling.patch b/queue-6.1/drm-meson-plane-add-error-handling.patch
new file mode 100644 (file)
index 0000000..25c7cbc
--- /dev/null
+++ b/queue-6.1/drm-meson-plane-add-error-handling.patch
@@ -0,0 +1,63 @@
+From 3e6f07da94b6efddad9a17ce0067cab77e7bef9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 03:34:05 -0800
+Subject: drm/meson: plane: Add error handling
+
+From: Haoran Liu <liuhaoran14@163.com>
+
+[ Upstream commit 3c28b239620e249b68beeca17f429e317fa6b8d4 ]
+
+This patch adds robust error handling to the meson_plane_create
+function in drivers/gpu/drm/meson/meson_plane.c. The function
+previously lacked proper handling for potential failure scenarios
+of the drm_universal_plane_init call.
+
+Signed-off-by: Haoran Liu <liuhaoran14@163.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20231129113405.33057-1-liuhaoran14@163.com
+[narmstrong: fixe the commit subject]
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231129113405.33057-1-liuhaoran14@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/meson/meson_plane.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/meson/meson_plane.c b/drivers/gpu/drm/meson/meson_plane.c
+index 815dfe30492b..b43ac61201f3 100644
+--- a/drivers/gpu/drm/meson/meson_plane.c
++++ b/drivers/gpu/drm/meson/meson_plane.c
+@@ -534,6 +534,7 @@ int meson_plane_create(struct meson_drm *priv)
+       struct meson_plane *meson_plane;
+       struct drm_plane *plane;
+       const uint64_t *format_modifiers = format_modifiers_default;
++      int ret;
+ 
+       meson_plane = devm_kzalloc(priv->drm->dev, sizeof(*meson_plane),
+                                  GFP_KERNEL);
+@@ -548,12 +549,16 @@ int meson_plane_create(struct meson_drm *priv)
+       else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A))
+               format_modifiers = format_modifiers_afbc_g12a;
+ 
+-      drm_universal_plane_init(priv->drm, plane, 0xFF,
+-                               &meson_plane_funcs,
+-                               supported_drm_formats,
+-                               ARRAY_SIZE(supported_drm_formats),
+-                               format_modifiers,
+-                               DRM_PLANE_TYPE_PRIMARY, "meson_primary_plane");
++      ret = drm_universal_plane_init(priv->drm, plane, 0xFF,
++                                      &meson_plane_funcs,
++                                      supported_drm_formats,
++                                      ARRAY_SIZE(supported_drm_formats),
++                                      format_modifiers,
++                                      DRM_PLANE_TYPE_PRIMARY, "meson_primary_plane");
++      if (ret) {
++              devm_kfree(priv->drm->dev, meson_plane);
++              return ret;
++      }
+ 
+       drm_plane_helper_add(plane, &meson_plane_helper_funcs);
+ 
+-- 
+2.43.0
+

diff --git a/queue-6.1/fsnotify-clear-parent_watched-flags-lazily.patch b/queue-6.1/fsnotify-clear-parent_watched-flags-lazily.patch
new file mode 100644 (file)
index 0000000..1ab0e35
--- /dev/null
+++ b/queue-6.1/fsnotify-clear-parent_watched-flags-lazily.patch
@@ -0,0 +1,208 @@
+From 8f74a0f87fe07a5e3d0db033747f10fd740f2b9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 May 2024 13:30:07 +0200
+Subject: fsnotify: clear PARENT_WATCHED flags lazily
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit 172e422ffea20a89bfdc672741c1aad6fbb5044e ]
+
+In some setups directories can have many (usually negative) dentries.
+Hence __fsnotify_update_child_dentry_flags() function can take a
+significant amount of time. Since the bulk of this function happens
+under inode->i_lock this causes a significant contention on the lock
+when we remove the watch from the directory as the
+__fsnotify_update_child_dentry_flags() call from fsnotify_recalc_mask()
+races with __fsnotify_update_child_dentry_flags() calls from
+__fsnotify_parent() happening on children. This can lead upto softlockup
+reports reported by users.
+
+Fix the problem by calling fsnotify_update_children_dentry_flags() to
+set PARENT_WATCHED flags only when parent starts watching children.
+
+When parent stops watching children, clear false positive PARENT_WATCHED
+flags lazily in __fsnotify_parent() for each accessed child.
+
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/notify/fsnotify.c             | 31 +++++++++++++++++++++----------
+ fs/notify/fsnotify.h             |  2 +-
+ fs/notify/mark.c                 | 32 +++++++++++++++++++++++++++++---
+ include/linux/fsnotify_backend.h |  8 +++++---
+ 4 files changed, 56 insertions(+), 17 deletions(-)
+
+diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c
+index 7974e91ffe13..b5d8f238fce4 100644
+--- a/fs/notify/fsnotify.c
++++ b/fs/notify/fsnotify.c
+@@ -103,17 +103,13 @@ void fsnotify_sb_delete(struct super_block *sb)
+  * parent cares.  Thus when an event happens on a child it can quickly tell
+  * if there is a need to find a parent and send the event to the parent.
+  */
+-void __fsnotify_update_child_dentry_flags(struct inode *inode)
++void fsnotify_set_children_dentry_flags(struct inode *inode)
+ {
+       struct dentry *alias;
+-      int watched;
+ 
+       if (!S_ISDIR(inode->i_mode))
+               return;
+ 
+-      /* determine if the children should tell inode about their events */
+-      watched = fsnotify_inode_watches_children(inode);
+-
+       spin_lock(&inode->i_lock);
+       /* run all of the dentries associated with this inode.  Since this is a
+        * directory, there damn well better only be one item on this list */
+@@ -129,10 +125,7 @@ void __fsnotify_update_child_dentry_flags(struct inode *inode)
+                               continue;
+ 
+                       spin_lock_nested(&child->d_lock, DENTRY_D_LOCK_NESTED);
+-                      if (watched)
+-                              child->d_flags |= DCACHE_FSNOTIFY_PARENT_WATCHED;
+-                      else
+-                              child->d_flags &= ~DCACHE_FSNOTIFY_PARENT_WATCHED;
++                      child->d_flags |= DCACHE_FSNOTIFY_PARENT_WATCHED;
+                       spin_unlock(&child->d_lock);
+               }
+               spin_unlock(&alias->d_lock);
+@@ -140,6 +133,24 @@ void __fsnotify_update_child_dentry_flags(struct inode *inode)
+       spin_unlock(&inode->i_lock);
+ }
+ 
++/*
++ * Lazily clear false positive PARENT_WATCHED flag for child whose parent had
++ * stopped watching children.
++ */
++static void fsnotify_clear_child_dentry_flag(struct inode *pinode,
++                                           struct dentry *dentry)
++{
++      spin_lock(&dentry->d_lock);
++      /*
++       * d_lock is a sufficient barrier to prevent observing a non-watched
++       * parent state from before the fsnotify_set_children_dentry_flags()
++       * or fsnotify_update_flags() call that had set PARENT_WATCHED.
++       */
++      if (!fsnotify_inode_watches_children(pinode))
++              dentry->d_flags &= ~DCACHE_FSNOTIFY_PARENT_WATCHED;
++      spin_unlock(&dentry->d_lock);
++}
++
+ /* Are inode/sb/mount interested in parent and name info with this event? */
+ static bool fsnotify_event_needs_parent(struct inode *inode, struct mount *mnt,
+                                       __u32 mask)
+@@ -208,7 +219,7 @@ int __fsnotify_parent(struct dentry *dentry, __u32 mask, const void *data,
+       p_inode = parent->d_inode;
+       p_mask = fsnotify_inode_watches_children(p_inode);
+       if (unlikely(parent_watched && !p_mask))
+-              __fsnotify_update_child_dentry_flags(p_inode);
++              fsnotify_clear_child_dentry_flag(p_inode, dentry);
+ 
+       /*
+        * Include parent/name in notification either if some notification
+diff --git a/fs/notify/fsnotify.h b/fs/notify/fsnotify.h
+index fde74eb333cc..2b4267de86e6 100644
+--- a/fs/notify/fsnotify.h
++++ b/fs/notify/fsnotify.h
+@@ -74,7 +74,7 @@ static inline void fsnotify_clear_marks_by_sb(struct super_block *sb)
+  * update the dentry->d_flags of all of inode's children to indicate if inode cares
+  * about events that happen to its children.
+  */
+-extern void __fsnotify_update_child_dentry_flags(struct inode *inode);
++extern void fsnotify_set_children_dentry_flags(struct inode *inode);
+ 
+ extern struct kmem_cache *fsnotify_mark_connector_cachep;
+ 
+diff --git a/fs/notify/mark.c b/fs/notify/mark.c
+index c74ef947447d..4be6e883d492 100644
+--- a/fs/notify/mark.c
++++ b/fs/notify/mark.c
+@@ -176,6 +176,24 @@ static void *__fsnotify_recalc_mask(struct fsnotify_mark_connector *conn)
+       return fsnotify_update_iref(conn, want_iref);
+ }
+ 
++static bool fsnotify_conn_watches_children(
++                                      struct fsnotify_mark_connector *conn)
++{
++      if (conn->type != FSNOTIFY_OBJ_TYPE_INODE)
++              return false;
++
++      return fsnotify_inode_watches_children(fsnotify_conn_inode(conn));
++}
++
++static void fsnotify_conn_set_children_dentry_flags(
++                                      struct fsnotify_mark_connector *conn)
++{
++      if (conn->type != FSNOTIFY_OBJ_TYPE_INODE)
++              return;
++
++      fsnotify_set_children_dentry_flags(fsnotify_conn_inode(conn));
++}
++
+ /*
+  * Calculate mask of events for a list of marks. The caller must make sure
+  * connector and connector->obj cannot disappear under us.  Callers achieve
+@@ -184,15 +202,23 @@ static void *__fsnotify_recalc_mask(struct fsnotify_mark_connector *conn)
+  */
+ void fsnotify_recalc_mask(struct fsnotify_mark_connector *conn)
+ {
++      bool update_children;
++
+       if (!conn)
+               return;
+ 
+       spin_lock(&conn->lock);
++      update_children = !fsnotify_conn_watches_children(conn);
+       __fsnotify_recalc_mask(conn);
++      update_children &= fsnotify_conn_watches_children(conn);
+       spin_unlock(&conn->lock);
+-      if (conn->type == FSNOTIFY_OBJ_TYPE_INODE)
+-              __fsnotify_update_child_dentry_flags(
+-                                      fsnotify_conn_inode(conn));
++      /*
++       * Set children's PARENT_WATCHED flags only if parent started watching.
++       * When parent stops watching, we clear false positive PARENT_WATCHED
++       * flags lazily in __fsnotify_parent().
++       */
++      if (update_children)
++              fsnotify_conn_set_children_dentry_flags(conn);
+ }
+ 
+ /* Free all connectors queued for freeing once SRCU period ends */
+diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h
+index d7d96c806bff..096b79e4373f 100644
+--- a/include/linux/fsnotify_backend.h
++++ b/include/linux/fsnotify_backend.h
+@@ -563,12 +563,14 @@ static inline __u32 fsnotify_parent_needed_mask(__u32 mask)
+ 
+ static inline int fsnotify_inode_watches_children(struct inode *inode)
+ {
++      __u32 parent_mask = READ_ONCE(inode->i_fsnotify_mask);
++
+       /* FS_EVENT_ON_CHILD is set if the inode may care */
+-      if (!(inode->i_fsnotify_mask & FS_EVENT_ON_CHILD))
++      if (!(parent_mask & FS_EVENT_ON_CHILD))
+               return 0;
+       /* this inode might care about child events, does it care about the
+        * specific set of events that can happen on a child? */
+-      return inode->i_fsnotify_mask & FS_EVENTS_POSS_ON_CHILD;
++      return parent_mask & FS_EVENTS_POSS_ON_CHILD;
+ }
+ 
+ /*
+@@ -582,7 +584,7 @@ static inline void fsnotify_update_flags(struct dentry *dentry)
+       /*
+        * Serialisation of setting PARENT_WATCHED on the dentries is provided
+        * by d_lock. If inotify_inode_watched changes after we have taken
+-       * d_lock, the following __fsnotify_update_child_dentry_flags call will
++       * d_lock, the following fsnotify_set_children_dentry_flags call will
+        * find our entry, so it will spin until we complete here, and update
+        * us with the new state.
+        */
+-- 
+2.43.0
+

diff --git a/queue-6.1/hwmon-k10temp-check-return-value-of-amd_smn_read.patch b/queue-6.1/hwmon-k10temp-check-return-value-of-amd_smn_read.patch
new file mode 100644 (file)
index 0000000..5a72d7b
--- /dev/null
+++ b/queue-6.1/hwmon-k10temp-check-return-value-of-amd_smn_read.patch
@@ -0,0 +1,123 @@
+From 1b4dc1bf186d7f4a15affc166d0a2234ea0fff69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jun 2024 11:12:56 -0500
+Subject: hwmon: (k10temp) Check return value of amd_smn_read()
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+[ Upstream commit c2d79cc5455c891de6c93e1e0c73d806e299c54f ]
+
+Check the return value of amd_smn_read() before saving a value. This
+ensures invalid values aren't saved or used.
+
+There are three cases here with slightly different behavior:
+
+1) read_tempreg_nb_zen():
+       This is a function pointer which does not include a return code.
+       In this case, set the register value to 0 on failure. This
+       enforces Read-as-Zero behavior.
+
+2) k10temp_read_temp():
+       This function does have return codes, so return the error code
+       from the failed register read. Continued operation is not
+       necessary, since there is no valid data from the register.
+       Furthermore, if the register value was set to 0, then the
+       following operation would underflow.
+
+3) k10temp_get_ccd_support():
+       This function reads the same register from multiple CCD
+       instances in a loop. And a bitmask is formed if a specific bit
+       is set in each register instance. The loop should continue on a
+       failed register read, skipping the bit check.
+
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Acked-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20240606-fix-smn-bad-read-v4-3-ffde21931c3f@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/k10temp.c | 36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/hwmon/k10temp.c b/drivers/hwmon/k10temp.c
+index 43aa955ec120..74a490164034 100644
+--- a/drivers/hwmon/k10temp.c
++++ b/drivers/hwmon/k10temp.c
+@@ -153,8 +153,9 @@ static void read_tempreg_nb_f15(struct pci_dev *pdev, u32 *regval)
+ 
+ static void read_tempreg_nb_zen(struct pci_dev *pdev, u32 *regval)
+ {
+-      amd_smn_read(amd_pci_dev_to_node_id(pdev),
+-                   ZEN_REPORTED_TEMP_CTRL_BASE, regval);
++      if (amd_smn_read(amd_pci_dev_to_node_id(pdev),
++                       ZEN_REPORTED_TEMP_CTRL_BASE, regval))
++              *regval = 0;
+ }
+ 
+ static long get_raw_temp(struct k10temp_data *data)
+@@ -205,6 +206,7 @@ static int k10temp_read_temp(struct device *dev, u32 attr, int channel,
+                            long *val)
+ {
+       struct k10temp_data *data = dev_get_drvdata(dev);
++      int ret = -EOPNOTSUPP;
+       u32 regval;
+ 
+       switch (attr) {
+@@ -221,13 +223,17 @@ static int k10temp_read_temp(struct device *dev, u32 attr, int channel,
+                               *val = 0;
+                       break;
+               case 2 ... 13:          /* Tccd{1-12} */
+-                      amd_smn_read(amd_pci_dev_to_node_id(data->pdev),
+-                                   ZEN_CCD_TEMP(data->ccd_offset, channel - 2),
+-                                                &regval);
++                      ret = amd_smn_read(amd_pci_dev_to_node_id(data->pdev),
++                                         ZEN_CCD_TEMP(data->ccd_offset, channel - 2),
++                                         &regval);
++
++                      if (ret)
++                              return ret;
++
+                       *val = (regval & ZEN_CCD_TEMP_MASK) * 125 - 49000;
+                       break;
+               default:
+-                      return -EOPNOTSUPP;
++                      return ret;
+               }
+               break;
+       case hwmon_temp_max:
+@@ -243,7 +249,7 @@ static int k10temp_read_temp(struct device *dev, u32 attr, int channel,
+                       - ((regval >> 24) & 0xf)) * 500 + 52000;
+               break;
+       default:
+-              return -EOPNOTSUPP;
++              return ret;
+       }
+       return 0;
+ }
+@@ -381,8 +387,20 @@ static void k10temp_get_ccd_support(struct pci_dev *pdev,
+       int i;
+ 
+       for (i = 0; i < limit; i++) {
+-              amd_smn_read(amd_pci_dev_to_node_id(pdev),
+-                           ZEN_CCD_TEMP(data->ccd_offset, i), &regval);
++              /*
++               * Ignore inaccessible CCDs.
++               *
++               * Some systems will return a register value of 0, and the TEMP_VALID
++               * bit check below will naturally fail.
++               *
++               * Other systems will return a PCI_ERROR_RESPONSE (0xFFFFFFFF) for
++               * the register value. And this will incorrectly pass the TEMP_VALID
++               * bit check.
++               */
++              if (amd_smn_read(amd_pci_dev_to_node_id(pdev),
++                               ZEN_CCD_TEMP(data->ccd_offset, i), &regval))
++                      continue;
++
+               if (regval & ZEN_CCD_TEMP_VALID)
+                       data->show_temp |= BIT(TCCD_BIT(i));
+       }
+-- 
+2.43.0
+

diff --git a/queue-6.1/hwspinlock-introduce-hwspin_lock_bust.patch b/queue-6.1/hwspinlock-introduce-hwspin_lock_bust.patch
new file mode 100644 (file)
index 0000000..f01adea
--- /dev/null
+++ b/queue-6.1/hwspinlock-introduce-hwspin_lock_bust.patch
@@ -0,0 +1,137 @@
+From 513bce1e568f56f1b7f56c7b6bd1a3158141e43e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 May 2024 11:09:55 -0700
+Subject: hwspinlock: Introduce hwspin_lock_bust()
+
+From: Richard Maina <quic_rmaina@quicinc.com>
+
+[ Upstream commit 7c327d56597d8de1680cf24e956b704270d3d84a ]
+
+When a remoteproc crashes or goes down unexpectedly this can result in
+a state where locks held by the remoteproc will remain locked possibly
+resulting in deadlock. This new API hwspin_lock_bust() allows
+hwspinlock implementers to define a bust operation for freeing previously
+acquired hwspinlocks after verifying ownership of the acquired lock.
+
+Signed-off-by: Richard Maina <quic_rmaina@quicinc.com>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Chris Lew <quic_clew@quicinc.com>
+Link: https://lore.kernel.org/r/20240529-hwspinlock-bust-v3-1-c8b924ffa5a2@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/locking/hwspinlock.rst     | 11 ++++++++++
+ drivers/hwspinlock/hwspinlock_core.c     | 28 ++++++++++++++++++++++++
+ drivers/hwspinlock/hwspinlock_internal.h |  3 +++
+ include/linux/hwspinlock.h               |  6 +++++
+ 4 files changed, 48 insertions(+)
+
+diff --git a/Documentation/locking/hwspinlock.rst b/Documentation/locking/hwspinlock.rst
+index 6f03713b7003..2ffaa3cbd63f 100644
+--- a/Documentation/locking/hwspinlock.rst
++++ b/Documentation/locking/hwspinlock.rst
+@@ -85,6 +85,17 @@ is already free).
+ 
+ Should be called from a process context (might sleep).
+ 
++::
++
++  int hwspin_lock_bust(struct hwspinlock *hwlock, unsigned int id);
++
++After verifying the owner of the hwspinlock, release a previously acquired
++hwspinlock; returns 0 on success, or an appropriate error code on failure
++(e.g. -EOPNOTSUPP if the bust operation is not defined for the specific
++hwspinlock).
++
++Should be called from a process context (might sleep).
++
+ ::
+ 
+   int hwspin_lock_timeout(struct hwspinlock *hwlock, unsigned int timeout);
+diff --git a/drivers/hwspinlock/hwspinlock_core.c b/drivers/hwspinlock/hwspinlock_core.c
+index fd5f5c5a5244..425597151dd3 100644
+--- a/drivers/hwspinlock/hwspinlock_core.c
++++ b/drivers/hwspinlock/hwspinlock_core.c
+@@ -302,6 +302,34 @@ void __hwspin_unlock(struct hwspinlock *hwlock, int mode, unsigned long *flags)
+ }
+ EXPORT_SYMBOL_GPL(__hwspin_unlock);
+ 
++/**
++ * hwspin_lock_bust() - bust a specific hwspinlock
++ * @hwlock: a previously-acquired hwspinlock which we want to bust
++ * @id: identifier of the remote lock holder, if applicable
++ *
++ * This function will bust a hwspinlock that was previously acquired as
++ * long as the current owner of the lock matches the id given by the caller.
++ *
++ * Context: Process context.
++ *
++ * Returns: 0 on success, or -EINVAL if the hwspinlock does not exist, or
++ * the bust operation fails, and -EOPNOTSUPP if the bust operation is not
++ * defined for the hwspinlock.
++ */
++int hwspin_lock_bust(struct hwspinlock *hwlock, unsigned int id)
++{
++      if (WARN_ON(!hwlock))
++              return -EINVAL;
++
++      if (!hwlock->bank->ops->bust) {
++              pr_err("bust operation not defined\n");
++              return -EOPNOTSUPP;
++      }
++
++      return hwlock->bank->ops->bust(hwlock, id);
++}
++EXPORT_SYMBOL_GPL(hwspin_lock_bust);
++
+ /**
+  * of_hwspin_lock_simple_xlate - translate hwlock_spec to return a lock id
+  * @bank: the hwspinlock device bank
+diff --git a/drivers/hwspinlock/hwspinlock_internal.h b/drivers/hwspinlock/hwspinlock_internal.h
+index 29892767bb7a..f298fc0ee5ad 100644
+--- a/drivers/hwspinlock/hwspinlock_internal.h
++++ b/drivers/hwspinlock/hwspinlock_internal.h
+@@ -21,6 +21,8 @@ struct hwspinlock_device;
+  * @trylock: make a single attempt to take the lock. returns 0 on
+  *         failure and true on success. may _not_ sleep.
+  * @unlock:  release the lock. always succeed. may _not_ sleep.
++ * @bust:    optional, platform-specific bust handler, called by hwspinlock
++ *         core to bust a specific lock.
+  * @relax:   optional, platform-specific relax handler, called by hwspinlock
+  *         core while spinning on a lock, between two successive
+  *         invocations of @trylock. may _not_ sleep.
+@@ -28,6 +30,7 @@ struct hwspinlock_device;
+ struct hwspinlock_ops {
+       int (*trylock)(struct hwspinlock *lock);
+       void (*unlock)(struct hwspinlock *lock);
++      int (*bust)(struct hwspinlock *lock, unsigned int id);
+       void (*relax)(struct hwspinlock *lock);
+ };
+ 
+diff --git a/include/linux/hwspinlock.h b/include/linux/hwspinlock.h
+index bfe7c1f1ac6d..f0231dbc4777 100644
+--- a/include/linux/hwspinlock.h
++++ b/include/linux/hwspinlock.h
+@@ -68,6 +68,7 @@ int __hwspin_lock_timeout(struct hwspinlock *, unsigned int, int,
+ int __hwspin_trylock(struct hwspinlock *, int, unsigned long *);
+ void __hwspin_unlock(struct hwspinlock *, int, unsigned long *);
+ int of_hwspin_lock_get_id_byname(struct device_node *np, const char *name);
++int hwspin_lock_bust(struct hwspinlock *hwlock, unsigned int id);
+ int devm_hwspin_lock_free(struct device *dev, struct hwspinlock *hwlock);
+ struct hwspinlock *devm_hwspin_lock_request(struct device *dev);
+ struct hwspinlock *devm_hwspin_lock_request_specific(struct device *dev,
+@@ -127,6 +128,11 @@ void __hwspin_unlock(struct hwspinlock *hwlock, int mode, unsigned long *flags)
+ {
+ }
+ 
++static inline int hwspin_lock_bust(struct hwspinlock *hwlock, unsigned int id)
++{
++      return 0;
++}
++
+ static inline int of_hwspin_lock_get_id(struct device_node *np, int index)
+ {
+       return 0;
+-- 
+2.43.0
+

diff --git a/queue-6.1/ionic-fix-potential-irq-name-truncation.patch b/queue-6.1/ionic-fix-potential-irq-name-truncation.patch
new file mode 100644 (file)
index 0000000..6e54909
--- /dev/null
+++ b/queue-6.1/ionic-fix-potential-irq-name-truncation.patch
@@ -0,0 +1,38 @@
+From a980a4707a4414e07eacea5f7d89d2354a15768e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 May 2024 17:02:53 -0700
+Subject: ionic: fix potential irq name truncation
+
+From: Shannon Nelson <shannon.nelson@amd.com>
+
+[ Upstream commit 3eb76e71b16e8ba5277bf97617aef51f5e64dbe4 ]
+
+Address a warning about potential string truncation based on the
+string buffer sizes.  We can add some hints to the string format
+specifier to set limits on the resulting possible string to
+squelch the complaints.
+
+Signed-off-by: Shannon Nelson <shannon.nelson@amd.com>
+Link: https://lore.kernel.org/r/20240529000259.25775-2-shannon.nelson@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/pensando/ionic/ionic_lif.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+index d34aea85f8a6..14865fc245da 100644
+--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+@@ -230,7 +230,7 @@ static int ionic_request_irq(struct ionic_lif *lif, struct ionic_qcq *qcq)
+               name = dev_name(dev);
+ 
+       snprintf(intr->name, sizeof(intr->name),
+-               "%s-%s-%s", IONIC_DRV_NAME, name, q->name);
++               "%.5s-%.16s-%.8s", IONIC_DRV_NAME, name, q->name);
+ 
+       return devm_request_irq(dev, intr->vector, ionic_isr,
+                               0, intr->name, &qcq->napi);
+-- 
+2.43.0
+

diff --git a/queue-6.1/media-uvcvideo-enforce-alignment-of-frame-and-interv.patch b/queue-6.1/media-uvcvideo-enforce-alignment-of-frame-and-interv.patch
new file mode 100644 (file)
index 0000000..9ea2ad3
--- /dev/null
+++ b/queue-6.1/media-uvcvideo-enforce-alignment-of-frame-and-interv.patch
@@ -0,0 +1,68 @@
+From 6d44b9d475be6bb8776d316625b552d297d9647f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Apr 2024 17:56:18 +0000
+Subject: media: uvcvideo: Enforce alignment of frame and interval
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit c8931ef55bd325052ec496f242aea7f6de47dc9c ]
+
+Struct uvc_frame and interval (u32*) are packaged together on
+streaming->formats on a single contiguous allocation.
+
+Right now they are allocated right after uvc_format, without taking into
+consideration their required alignment.
+
+This is working fine because both structures have a field with a
+pointer, but it will stop working when the sizeof() of any of those
+structs is not a multiple of the sizeof(void*).
+
+Enforce that alignment during the allocation.
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://lore.kernel.org/r/20240404-uvc-align-v2-1-9e104b0ecfbd@chromium.org
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index 191db831d760..004511d918c6 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -666,16 +666,26 @@ static int uvc_parse_streaming(struct uvc_device *dev,
+               goto error;
+       }
+ 
+-      size = nformats * sizeof(*format) + nframes * sizeof(*frame)
++      /*
++       * Allocate memory for the formats, the frames and the intervals,
++       * plus any required padding to guarantee that everything has the
++       * correct alignment.
++       */
++      size = nformats * sizeof(*format);
++      size = ALIGN(size, __alignof__(*frame)) + nframes * sizeof(*frame);
++      size = ALIGN(size, __alignof__(*interval))
+            + nintervals * sizeof(*interval);
++
+       format = kzalloc(size, GFP_KERNEL);
+-      if (format == NULL) {
++      if (!format) {
+               ret = -ENOMEM;
+               goto error;
+       }
+ 
+-      frame = (struct uvc_frame *)&format[nformats];
+-      interval = (u32 *)&frame[nframes];
++      frame = (void *)format + nformats * sizeof(*format);
++      frame = PTR_ALIGN(frame, __alignof__(*frame));
++      interval = (void *)frame + nframes * sizeof(*frame);
++      interval = PTR_ALIGN(interval, __alignof__(*interval));
+ 
+       streaming->format = format;
+       streaming->nformats = 0;
+-- 
+2.43.0
+

diff --git a/queue-6.1/net-mlx5e-shampo-fix-incorrect-page-release.patch b/queue-6.1/net-mlx5e-shampo-fix-incorrect-page-release.patch
new file mode 100644 (file)
index 0000000..52a5552
--- /dev/null
+++ b/queue-6.1/net-mlx5e-shampo-fix-incorrect-page-release.patch
@@ -0,0 +1,47 @@
+From dd7fb83b4b38029fcabdcfe965435389dc2bf40d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 00:22:07 +0300
+Subject: net/mlx5e: SHAMPO, Fix incorrect page release
+
+From: Dragos Tatulea <dtatulea@nvidia.com>
+
+[ Upstream commit 70bd03b89f20b9bbe51a7f73c4950565a17a45f7 ]
+
+Under the following conditions:
+1) No skb created yet
+2) header_size == 0 (no SHAMPO header)
+3) header_index + 1 % MLX5E_SHAMPO_WQ_HEADER_PER_PAGE == 0 (this is the
+   last page fragment of a SHAMPO header page)
+
+a new skb is formed with a page that is NOT a SHAMPO header page (it
+is a regular data page). Further down in the same function
+(mlx5e_handle_rx_cqe_mpwrq_shampo()), a SHAMPO header page from
+header_index is released. This is wrong and it leads to SHAMPO header
+pages being released more than once.
+
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://lore.kernel.org/r/20240603212219.1037656-3-tariqt@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+index 97d1cfec4ec0..ccddfa49e96c 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+@@ -2141,7 +2141,8 @@ static void mlx5e_handle_rx_cqe_mpwrq_shampo(struct mlx5e_rq *rq, struct mlx5_cq
+       if (flush)
+               mlx5e_shampo_flush_skb(rq, cqe, match);
+ free_hd_entry:
+-      mlx5e_free_rx_shampo_hd_entry(rq, header_index);
++      if (likely(head_size))
++              mlx5e_free_rx_shampo_hd_entry(rq, header_index);
+ mpwrq_cqe_out:
+       if (likely(wi->consumed_strides < rq->mpwqe.num_strides))
+               return;
+-- 
+2.43.0
+

diff --git a/queue-6.1/pci-al-check-ioresource_bus-existence-during-probe.patch b/queue-6.1/pci-al-check-ioresource_bus-existence-during-probe.patch
new file mode 100644 (file)
index 0000000..1315898
--- /dev/null
+++ b/queue-6.1/pci-al-check-ioresource_bus-existence-during-probe.patch
@@ -0,0 +1,85 @@
+From 2233d08f082dcbfc83786b4099c0a0321d4d9846 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 May 2024 15:57:05 +0300
+Subject: PCI: al: Check IORESOURCE_BUS existence during probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit a9927c2cac6e9831361e43a14d91277818154e6a ]
+
+If IORESOURCE_BUS is not provided in Device Tree it will be fabricated in
+of_pci_parse_bus_range(), so NULL pointer dereference should not happen
+here.
+
+But that's hard to verify, so check for NULL anyway.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Link: https://lore.kernel.org/linux-pci/20240503125705.46055-1-amishin@t-argos.ru
+Suggested-by: Bjorn Helgaas <helgaas@kernel.org>
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+[bhelgaas: commit log]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-al.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-al.c b/drivers/pci/controller/dwc/pcie-al.c
+index b8cb77c9c4bd..3132b27bc006 100644
+--- a/drivers/pci/controller/dwc/pcie-al.c
++++ b/drivers/pci/controller/dwc/pcie-al.c
+@@ -242,18 +242,24 @@ static struct pci_ops al_child_pci_ops = {
+       .write = pci_generic_config_write,
+ };
+ 
+-static void al_pcie_config_prepare(struct al_pcie *pcie)
++static int al_pcie_config_prepare(struct al_pcie *pcie)
+ {
+       struct al_pcie_target_bus_cfg *target_bus_cfg;
+       struct dw_pcie_rp *pp = &pcie->pci->pp;
+       unsigned int ecam_bus_mask;
++      struct resource_entry *ft;
+       u32 cfg_control_offset;
++      struct resource *bus;
+       u8 subordinate_bus;
+       u8 secondary_bus;
+       u32 cfg_control;
+       u32 reg;
+-      struct resource *bus = resource_list_first_type(&pp->bridge->windows, IORESOURCE_BUS)->res;
+ 
++      ft = resource_list_first_type(&pp->bridge->windows, IORESOURCE_BUS);
++      if (!ft)
++              return -ENODEV;
++
++      bus = ft->res;
+       target_bus_cfg = &pcie->target_bus_cfg;
+ 
+       ecam_bus_mask = (pcie->ecam_size >> PCIE_ECAM_BUS_SHIFT) - 1;
+@@ -287,6 +293,8 @@ static void al_pcie_config_prepare(struct al_pcie *pcie)
+              FIELD_PREP(CFG_CONTROL_SEC_BUS_MASK, secondary_bus);
+ 
+       al_pcie_controller_writel(pcie, cfg_control_offset, reg);
++
++      return 0;
+ }
+ 
+ static int al_pcie_host_init(struct dw_pcie_rp *pp)
+@@ -305,7 +313,9 @@ static int al_pcie_host_init(struct dw_pcie_rp *pp)
+       if (rc)
+               return rc;
+ 
+-      al_pcie_config_prepare(pcie);
++      rc = al_pcie_config_prepare(pcie);
++      if (rc)
++              return rc;
+ 
+       return 0;
+ }
+-- 
+2.43.0
+

diff --git a/queue-6.1/pwm-xilinx-fix-u32-overflow-issue-in-32-bit-width-pw.patch b/queue-6.1/pwm-xilinx-fix-u32-overflow-issue-in-32-bit-width-pw.patch
new file mode 100644 (file)
index 0000000..bca71d0
--- /dev/null
+++ b/queue-6.1/pwm-xilinx-fix-u32-overflow-issue-in-32-bit-width-pw.patch
@@ -0,0 +1,59 @@
+From 16d7e505a24784b9ff0ba6e4103d4369fdcfbd90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Dec 2022 16:07:15 +0000
+Subject: pwm: xilinx: Fix u32 overflow issue in 32-bit width PWM mode.
+
+From: Ken Sloat <ksloat@designlinxhs.com>
+
+[ Upstream commit 56f45266df67aa0f5b2a6881c8c4d16dbfff6b7d ]
+
+This timer HW supports 8, 16 and 32-bit timer widths. This
+driver currently uses a u32 to store the max possible value
+of the timer. However, statements perform addition of 2 in
+xilinx_pwm_apply() when calculating the period_cycles and
+duty_cycles values. Since priv->max is a u32, this will
+result in an overflow to 1 which will not only be incorrect
+but fail on range comparison. This results in making it
+impossible to set the PWM in this timer mode.
+
+There are two obvious solutions to the current problem:
+1. Cast each instance where overflow occurs to u64.
+2. Change priv->max from a u32 to a u64.
+
+Solution #1 requires more code modifications, and leaves
+opportunity to introduce similar overflows if other math
+statements are added in the future. These may also go
+undetected if running in non 32-bit timer modes.
+
+Solution #2 is the much smaller and cleaner approach and
+thus the chosen method in this patch.
+
+This was tested on a Zynq UltraScale+ with multiple
+instances of the PWM IP.
+
+Signed-off-by: Ken Sloat <ksloat@designlinxhs.com>
+Reviewed-by: Michal Simek <michal.simek@amd.com>
+Reviewed-by: Sean Anderson <sean.anderson@seco.com>
+Link: https://lore.kernel.org/r/SJ0P222MB0107490C5371B848EF04351CA1E19@SJ0P222MB0107.NAMP222.PROD.OUTLOOK.COM
+Signed-off-by: Michal Simek <michal.simek@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/clocksource/timer-xilinx.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/clocksource/timer-xilinx.h b/include/clocksource/timer-xilinx.h
+index c0f56fe6d22a..d116f18de899 100644
+--- a/include/clocksource/timer-xilinx.h
++++ b/include/clocksource/timer-xilinx.h
+@@ -41,7 +41,7 @@ struct regmap;
+ struct xilinx_timer_priv {
+       struct regmap *map;
+       struct clk *clk;
+-      u32 max;
++      u64 max;
+ };
+ 
+ /**
+-- 
+2.43.0
+

diff --git a/queue-6.1/rcu-nocb-remove-buggy-bypass-lock-contention-mitigat.patch b/queue-6.1/rcu-nocb-remove-buggy-bypass-lock-contention-mitigat.patch
new file mode 100644 (file)
index 0000000..d22311b
--- /dev/null
+++ b/queue-6.1/rcu-nocb-remove-buggy-bypass-lock-contention-mitigat.patch
@@ -0,0 +1,140 @@
+From 51563b52cca1e87de54261610946f49724c840b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Apr 2024 16:18:35 +0200
+Subject: rcu/nocb: Remove buggy bypass lock contention mitigation
+
+From: Frederic Weisbecker <frederic@kernel.org>
+
+[ Upstream commit e4f78057291608f6968a6789c5ebb3bde7d95504 ]
+
+The bypass lock contention mitigation assumes there can be at most
+2 contenders on the bypass lock, following this scheme:
+
+1) One kthread takes the bypass lock
+2) Another one spins on it and increment the contended counter
+3) A third one (a bypass enqueuer) sees the contended counter on and
+  busy loops waiting on it to decrement.
+
+However this assumption is wrong. There can be only one CPU to find the
+lock contended because call_rcu() (the bypass enqueuer) is the only
+bypass lock acquire site that may not already hold the NOCB lock
+beforehand, all the other sites must first contend on the NOCB lock.
+Therefore step 2) is impossible.
+
+The other problem is that the mitigation assumes that contenders all
+belong to the same rdp CPU, which is also impossible for a raw spinlock.
+In theory the warning could trigger if the enqueuer holds the bypass
+lock and another CPU flushes the bypass queue concurrently but this is
+prevented from all flush users:
+
+1) NOCB kthreads only flush if they successfully _tried_ to lock the
+   bypass lock. So no contention management here.
+
+2) Flush on callbacks migration happen remotely when the CPU is offline.
+   No concurrency against bypass enqueue.
+
+3) Flush on deoffloading happen either locally with IRQs disabled or
+   remotely when the CPU is not yet online. No concurrency against
+   bypass enqueue.
+
+4) Flush on barrier entrain happen either locally with IRQs disabled or
+   remotely when the CPU is offline. No concurrency against
+   bypass enqueue.
+
+For those reasons, the bypass lock contention mitigation isn't needed
+and is even wrong. Remove it but keep the warning reporting a contended
+bypass lock on a remote CPU, to keep unexpected contention awareness.
+
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/rcu/tree.h      |  1 -
+ kernel/rcu/tree_nocb.h | 32 ++++++--------------------------
+ 2 files changed, 6 insertions(+), 27 deletions(-)
+
+diff --git a/kernel/rcu/tree.h b/kernel/rcu/tree.h
+index 7b702220d81c..aa16d3cd62ba 100644
+--- a/kernel/rcu/tree.h
++++ b/kernel/rcu/tree.h
+@@ -207,7 +207,6 @@ struct rcu_data {
+       struct swait_queue_head nocb_state_wq; /* For offloading state changes */
+       struct task_struct *nocb_gp_kthread;
+       raw_spinlock_t nocb_lock;       /* Guard following pair of fields. */
+-      atomic_t nocb_lock_contended;   /* Contention experienced. */
+       int nocb_defer_wakeup;          /* Defer wakeup of nocb_kthread. */
+       struct timer_list nocb_timer;   /* Enforce finite deferral. */
+       unsigned long nocb_gp_adv_time; /* Last call_rcu() CB adv (jiffies). */
+diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h
+index 0a5f0ef41484..6499eefa0660 100644
+--- a/kernel/rcu/tree_nocb.h
++++ b/kernel/rcu/tree_nocb.h
+@@ -91,8 +91,7 @@ module_param(nocb_nobypass_lim_per_jiffy, int, 0);
+ 
+ /*
+  * Acquire the specified rcu_data structure's ->nocb_bypass_lock.  If the
+- * lock isn't immediately available, increment ->nocb_lock_contended to
+- * flag the contention.
++ * lock isn't immediately available, perform minimal sanity check.
+  */
+ static void rcu_nocb_bypass_lock(struct rcu_data *rdp)
+       __acquires(&rdp->nocb_bypass_lock)
+@@ -100,29 +99,12 @@ static void rcu_nocb_bypass_lock(struct rcu_data *rdp)
+       lockdep_assert_irqs_disabled();
+       if (raw_spin_trylock(&rdp->nocb_bypass_lock))
+               return;
+-      atomic_inc(&rdp->nocb_lock_contended);
++      /*
++       * Contention expected only when local enqueue collide with
++       * remote flush from kthreads.
++       */
+       WARN_ON_ONCE(smp_processor_id() != rdp->cpu);
+-      smp_mb__after_atomic(); /* atomic_inc() before lock. */
+       raw_spin_lock(&rdp->nocb_bypass_lock);
+-      smp_mb__before_atomic(); /* atomic_dec() after lock. */
+-      atomic_dec(&rdp->nocb_lock_contended);
+-}
+-
+-/*
+- * Spinwait until the specified rcu_data structure's ->nocb_lock is
+- * not contended.  Please note that this is extremely special-purpose,
+- * relying on the fact that at most two kthreads and one CPU contend for
+- * this lock, and also that the two kthreads are guaranteed to have frequent
+- * grace-period-duration time intervals between successive acquisitions
+- * of the lock.  This allows us to use an extremely simple throttling
+- * mechanism, and further to apply it only to the CPU doing floods of
+- * call_rcu() invocations.  Don't try this at home!
+- */
+-static void rcu_nocb_wait_contended(struct rcu_data *rdp)
+-{
+-      WARN_ON_ONCE(smp_processor_id() != rdp->cpu);
+-      while (WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended)))
+-              cpu_relax();
+ }
+ 
+ /*
+@@ -452,7 +434,6 @@ static bool rcu_nocb_try_bypass(struct rcu_data *rdp, struct rcu_head *rhp,
+       }
+ 
+       // We need to use the bypass.
+-      rcu_nocb_wait_contended(rdp);
+       rcu_nocb_bypass_lock(rdp);
+       ncbs = rcu_cblist_n_cbs(&rdp->nocb_bypass);
+       rcu_segcblist_inc_len(&rdp->cblist); /* Must precede enqueue. */
+@@ -1476,12 +1457,11 @@ static void show_rcu_nocb_state(struct rcu_data *rdp)
+ 
+       sprintf(bufw, "%ld", rsclp->gp_seq[RCU_WAIT_TAIL]);
+       sprintf(bufr, "%ld", rsclp->gp_seq[RCU_NEXT_READY_TAIL]);
+-      pr_info("   CB %d^%d->%d %c%c%c%c%c%c F%ld L%ld C%d %c%c%s%c%s%c%c q%ld %c CPU %d%s\n",
++      pr_info("   CB %d^%d->%d %c%c%c%c%c F%ld L%ld C%d %c%c%s%c%s%c%c q%ld %c CPU %d%s\n",
+               rdp->cpu, rdp->nocb_gp_rdp->cpu,
+               nocb_next_rdp ? nocb_next_rdp->cpu : -1,
+               "kK"[!!rdp->nocb_cb_kthread],
+               "bB"[raw_spin_is_locked(&rdp->nocb_bypass_lock)],
+-              "cC"[!!atomic_read(&rdp->nocb_lock_contended)],
+               "lL"[raw_spin_is_locked(&rdp->nocb_lock)],
+               "sS"[!!rdp->nocb_cb_sleep],
+               ".W"[swait_active(&rdp->nocb_cb_wq)],
+-- 
+2.43.0
+

diff --git a/queue-6.1/rdma-efa-properly-handle-unexpected-aq-completions.patch b/queue-6.1/rdma-efa-properly-handle-unexpected-aq-completions.patch
new file mode 100644 (file)
index 0000000..6c5f6df
--- /dev/null
+++ b/queue-6.1/rdma-efa-properly-handle-unexpected-aq-completions.patch
@@ -0,0 +1,112 @@
+From 109cebfffbf474fff9097ffb1bbf3e28dbf7aba9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 May 2024 06:46:30 +0000
+Subject: RDMA/efa: Properly handle unexpected AQ completions
+
+From: Michael Margolin <mrgolin@amazon.com>
+
+[ Upstream commit 2d0e7ba468eae365f3c4bc9266679e1f8dd405f0 ]
+
+Do not try to handle admin command completion if it has an unexpected
+command id and print a relevant error message.
+
+Reviewed-by: Firas Jahjah <firasj@amazon.com>
+Reviewed-by: Yehuda Yitschak <yehuday@amazon.com>
+Signed-off-by: Michael Margolin <mrgolin@amazon.com>
+Link: https://lore.kernel.org/r/20240513064630.6247-1-mrgolin@amazon.com
+Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/efa/efa_com.c | 30 ++++++++++++++++-------------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/infiniband/hw/efa/efa_com.c b/drivers/infiniband/hw/efa/efa_com.c
+index 16a24a05fc2a..bafd210dd43e 100644
+--- a/drivers/infiniband/hw/efa/efa_com.c
++++ b/drivers/infiniband/hw/efa/efa_com.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0 OR BSD-2-Clause
+ /*
+- * Copyright 2018-2021 Amazon.com, Inc. or its affiliates. All rights reserved.
++ * Copyright 2018-2024 Amazon.com, Inc. or its affiliates. All rights reserved.
+  */
+ 
+ #include "efa_com.h"
+@@ -406,8 +406,8 @@ static struct efa_comp_ctx *efa_com_submit_admin_cmd(struct efa_com_admin_queue
+       return comp_ctx;
+ }
+ 
+-static void efa_com_handle_single_admin_completion(struct efa_com_admin_queue *aq,
+-                                                 struct efa_admin_acq_entry *cqe)
++static int efa_com_handle_single_admin_completion(struct efa_com_admin_queue *aq,
++                                                struct efa_admin_acq_entry *cqe)
+ {
+       struct efa_comp_ctx *comp_ctx;
+       u16 cmd_id;
+@@ -416,11 +416,11 @@ static void efa_com_handle_single_admin_completion(struct efa_com_admin_queue *a
+                        EFA_ADMIN_ACQ_COMMON_DESC_COMMAND_ID);
+ 
+       comp_ctx = efa_com_get_comp_ctx(aq, cmd_id, false);
+-      if (!comp_ctx) {
++      if (comp_ctx->status != EFA_CMD_SUBMITTED) {
+               ibdev_err(aq->efa_dev,
+-                        "comp_ctx is NULL. Changing the admin queue running state\n");
+-              clear_bit(EFA_AQ_STATE_RUNNING_BIT, &aq->state);
+-              return;
++                        "Received completion with unexpected command id[%d], sq producer: %d, sq consumer: %d, cq consumer: %d\n",
++                        cmd_id, aq->sq.pc, aq->sq.cc, aq->cq.cc);
++              return -EINVAL;
+       }
+ 
+       comp_ctx->status = EFA_CMD_COMPLETED;
+@@ -428,14 +428,17 @@ static void efa_com_handle_single_admin_completion(struct efa_com_admin_queue *a
+ 
+       if (!test_bit(EFA_AQ_STATE_POLLING_BIT, &aq->state))
+               complete(&comp_ctx->wait_event);
++
++      return 0;
+ }
+ 
+ static void efa_com_handle_admin_completion(struct efa_com_admin_queue *aq)
+ {
+       struct efa_admin_acq_entry *cqe;
+       u16 queue_size_mask;
+-      u16 comp_num = 0;
++      u16 comp_cmds = 0;
+       u8 phase;
++      int err;
+       u16 ci;
+ 
+       queue_size_mask = aq->depth - 1;
+@@ -453,10 +456,12 @@ static void efa_com_handle_admin_completion(struct efa_com_admin_queue *aq)
+                * phase bit was validated
+                */
+               dma_rmb();
+-              efa_com_handle_single_admin_completion(aq, cqe);
++              err = efa_com_handle_single_admin_completion(aq, cqe);
++              if (!err)
++                      comp_cmds++;
+ 
++              aq->cq.cc++;
+               ci++;
+-              comp_num++;
+               if (ci == aq->depth) {
+                       ci = 0;
+                       phase = !phase;
+@@ -465,10 +470,9 @@ static void efa_com_handle_admin_completion(struct efa_com_admin_queue *aq)
+               cqe = &aq->cq.entries[ci];
+       }
+ 
+-      aq->cq.cc += comp_num;
+       aq->cq.phase = phase;
+-      aq->sq.cc += comp_num;
+-      atomic64_add(comp_num, &aq->stats.completed_cmd);
++      aq->sq.cc += comp_cmds;
++      atomic64_add(comp_cmds, &aq->stats.completed_cmd);
+ }
+ 
+ static int efa_com_comp_status_to_errno(u8 comp_status)
+-- 
+2.43.0
+

diff --git a/queue-6.1/regmap-spi-fix-potential-off-by-one-when-calculating.patch b/queue-6.1/regmap-spi-fix-potential-off-by-one-when-calculating.patch
new file mode 100644 (file)
index 0000000..70522a5
--- /dev/null
+++ b/queue-6.1/regmap-spi-fix-potential-off-by-one-when-calculating.patch
@@ -0,0 +1,47 @@
+From d8f22c10e48729f9aac1e47bcc885fd52352fd25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jun 2024 23:53:15 +0300
+Subject: regmap: spi: Fix potential off-by-one when calculating reserved size
+
+From: Andy Shevchenko <andy.shevchenko@gmail.com>
+
+[ Upstream commit d4ea1d504d2701ba04412f98dc00d45a104c52ab ]
+
+If we ever meet a hardware that uses weird register bits and padding,
+we may end up in off-by-one error since x/8 + y/8 might not be equal
+to (x + y)/8 in some cases.
+
+bits    pad   x/8+y/8 (x+y)/8
+4..7    0..3    0       0 // x + y from 4 up to 7
+4..7    4..7    0       1 // x + y from 8 up to 11
+4..7    8..11   1       1 // x + y from 12 up to 15
+8..15   0..7    1       1 // x + y from 8 up to 15
+8..15   8..15   2       2 // x + y from 16 up to 23
+
+Fix this by using (x+y)/8.
+
+Signed-off-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://msgid.link/r/20240605205315.19132-1-andy.shevchenko@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/regmap/regmap-spi.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/base/regmap/regmap-spi.c b/drivers/base/regmap/regmap-spi.c
+index 37ab23a9d034..7f14c5ed1e22 100644
+--- a/drivers/base/regmap/regmap-spi.c
++++ b/drivers/base/regmap/regmap-spi.c
+@@ -122,8 +122,7 @@ static const struct regmap_bus *regmap_get_spi_bus(struct spi_device *spi,
+                       return ERR_PTR(-ENOMEM);
+ 
+               max_msg_size = spi_max_message_size(spi);
+-              reg_reserve_size = config->reg_bits / BITS_PER_BYTE
+-                               + config->pad_bits / BITS_PER_BYTE;
++              reg_reserve_size = (config->reg_bits + config->pad_bits) / BITS_PER_BYTE;
+               if (max_size + reg_reserve_size > max_msg_size)
+                       max_size -= reg_reserve_size;
+ 
+-- 
+2.43.0
+

diff --git a/queue-6.1/series b/queue-6.1/series
index 92cb930b858ba4880894b0d57b841c83abc4c341..5032530c22031ce57920c54315c7d9faae36fd3d 100644 (file)
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -29,3 +29,69 @@ selftests-mptcp-join-check-removing-id-0-endpoint.patch
 selftests-mptcp-join-no-extra-msg-if-no-counter.patch
 selftests-mptcp-join-check-re-re-adding-id-0-endp.patch
 selftests-mptcp-join-cannot-rm-sf-if-closed.patch
+drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch
+drm-amd-display-assign-linear_pitch_alignment-even-f.patch
+drm-amdgpu-fix-overflowed-array-index-read-warning.patch
+drm-amdgpu-pm-check-the-return-value-of-smum_send_ms.patch
+drm-amd-pm-fix-uninitialized-variable-warning.patch
+drm-amd-pm-fix-uninitialized-variable-warning-for-sm.patch
+drm-amd-pm-fix-warning-using-uninitialized-value-of-.patch
+drm-amd-pm-fix-negative-array-index-read.patch
+drm-amd-pm-fix-the-out-of-bounds-read-warning.patch
+drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch
+drm-amdgpu-avoid-reading-vf2pf-info-size-from-fb.patch
+drm-amd-display-check-gpio_id-before-used-as-array-i.patch
+drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch
+drm-amd-display-add-array-index-check-for-hdcp-ddc-a.patch
+drm-amd-display-check-num_valid_sets-before-accessin.patch
+drm-amd-display-check-msg_id-before-processing-trans.patch
+drm-amd-display-fix-coverity-integer_overflow-within.patch
+drm-amd-display-spinlock-before-reading-event.patch
+drm-amd-display-ensure-index-calculation-will-not-ov.patch
+drm-amd-display-skip-inactive-planes-within-modesupp.patch
+drm-amd-amdgpu-check-tbo-resource-pointer.patch
+drm-drm-bridge-drop-conditionals-around-of_node-poin.patch
+drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch-4175
+drm-amdgpu-pm-fix-uninitialized-variable-warning-for.patch
+drm-amdgpu-pm-fix-uninitialized-variable-agc_btc_res.patch
+drm-amdgpu-fix-out-of-bounds-write-warning.patch
+drm-amdgpu-fix-out-of-bounds-read-of-df_v1_7_channel.patch
+drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch
+drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch
+drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch
+apparmor-fix-possible-null-pointer-dereference.patch
+wifi-ath11k-initialize-ret-in-ath11k_qmi_load_file_t.patch
+drm-amdgpu-pm-check-input-value-for-custom-profile-m.patch
+drm-amdgpu-fix-dereference-after-null-check.patch
+drm-amdgpu-fix-the-waring-dereferencing-hive.patch
+drm-amd-pm-check-specific-index-for-aldebaran.patch
+drm-amdgpu-the-warning-dereferencing-obj-for-nbio_v7.patch
+drm-amd-pm-check-negtive-return-for-table-entries.patch
+wifi-rtw89-ser-avoid-multiple-deinit-on-same-cam.patch
+drm-amdgpu-update-type-of-buf-size-to-u32-for-eeprom.patch
+wifi-iwlwifi-remove-fw_running-op.patch
+cpufreq-scmi-avoid-overflow-of-target_freq-in-fast-s.patch
+pci-al-check-ioresource_bus-existence-during-probe.patch
+hwspinlock-introduce-hwspin_lock_bust.patch
+rdma-efa-properly-handle-unexpected-aq-completions.patch
+ionic-fix-potential-irq-name-truncation.patch
+pwm-xilinx-fix-u32-overflow-issue-in-32-bit-width-pw.patch
+rcu-nocb-remove-buggy-bypass-lock-contention-mitigat.patch
+usbip-don-t-submit-special-requests-twice.patch
+usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch
+fsnotify-clear-parent_watched-flags-lazily.patch
+regmap-spi-fix-potential-off-by-one-when-calculating.patch
+smack-tcp-ipv4-fix-incorrect-labeling.patch
+net-mlx5e-shampo-fix-incorrect-page-release.patch
+drm-meson-plane-add-error-handling.patch
+drm-bridge-tc358767-check-if-fully-initialized-befor.patch
+dmaengine-altera-msgdma-use-irq-variant-of-spin_lock.patch
+dmaengine-altera-msgdma-properly-free-descriptor-in-.patch
+hwmon-k10temp-check-return-value-of-amd_smn_read.patch
+wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch
+driver-iio-add-missing-checks-on-iio_info-s-callback.patch
+block-remove-the-blk_flush_integrity-call-in-blk_int.patch
+drm-amd-display-added-null-check-at-start-of-dc_vali.patch
+drm-amd-display-correct-the-defined-value-for-amdgpu.patch
+drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch
+media-uvcvideo-enforce-alignment-of-frame-and-interv.patch

diff --git a/queue-6.1/smack-tcp-ipv4-fix-incorrect-labeling.patch b/queue-6.1/smack-tcp-ipv4-fix-incorrect-labeling.patch
new file mode 100644 (file)
index 0000000..5ee060a
--- /dev/null
+++ b/queue-6.1/smack-tcp-ipv4-fix-incorrect-labeling.patch
@@ -0,0 +1,69 @@
+From 4f755f7947ad08b79c763b70ed26ffaf5aac33b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Jun 2024 15:41:50 -0700
+Subject: smack: tcp: ipv4, fix incorrect labeling
+
+From: Casey Schaufler <casey@schaufler-ca.com>
+
+[ Upstream commit 2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550 ]
+
+Currently, Smack mirrors the label of incoming tcp/ipv4 connections:
+when a label 'foo' connects to a label 'bar' with tcp/ipv4,
+'foo' always gets 'foo' in returned ipv4 packets. So,
+1) returned packets are incorrectly labeled ('foo' instead of 'bar')
+2) 'bar' can write to 'foo' without being authorized to write.
+
+Here is a scenario how to see this:
+
+* Take two machines, let's call them C and S,
+   with active Smack in the default state
+   (no settings, no rules, no labeled hosts, only builtin labels)
+
+* At S, add Smack rule 'foo bar w'
+   (labels 'foo' and 'bar' are instantiated at S at this moment)
+
+* At S, at label 'bar', launch a program
+   that listens for incoming tcp/ipv4 connections
+
+* From C, at label 'foo', connect to the listener at S.
+   (label 'foo' is instantiated at C at this moment)
+   Connection succeedes and works.
+
+* Send some data in both directions.
+* Collect network traffic of this connection.
+
+All packets in both directions are labeled with the CIPSO
+of the label 'foo'. Hence, label 'bar' writes to 'foo' without
+being authorized, and even without ever being known at C.
+
+If anybody cares: exactly the same happens with DCCP.
+
+This behavior 1st manifested in release 2.6.29.4 (see Fixes below)
+and it looks unintentional. At least, no explanation was provided.
+
+I changed returned packes label into the 'bar',
+to bring it into line with the Smack documentation claims.
+
+Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack_lsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index b0a483e40c82..75b3e91d5a5f 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -4290,7 +4290,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
+       rcu_read_unlock();
+ 
+       if (hskp == NULL)
+-              rc = netlbl_req_setattr(req, &skp->smk_netlabel);
++              rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel);
+       else
+               netlbl_req_delattr(req);
+ 
+-- 
+2.43.0
+

diff --git a/queue-6.1/usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch b/queue-6.1/usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch
new file mode 100644 (file)
index 0000000..c4837b8
--- /dev/null
+++ b/queue-6.1/usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch
@@ -0,0 +1,44 @@
+From 6c9fcdc2662ab6149ded15e8dc52f0813b509687 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 May 2024 20:12:41 +0000
+Subject: usb: typec: ucsi: Fix null pointer dereference in trace
+
+From: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+
+[ Upstream commit 99516f76db48e1a9d54cdfed63c1babcee4e71a5 ]
+
+ucsi_register_altmode checks IS_ERR for the alt pointer and treats
+NULL as valid. When CONFIG_TYPEC_DP_ALTMODE is not enabled,
+ucsi_register_displayport returns NULL which causes a NULL pointer
+dereference in trace. Rather than return NULL, call
+typec_port_register_altmode to register DisplayPort alternate mode
+as a non-controllable mode when CONFIG_TYPEC_DP_ALTMODE is not enabled.
+
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Signed-off-by: Jameson Thies <jthies@google.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20240510201244.2968152-2-jthies@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/ucsi/ucsi.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h
+index dbb10cb310d4..4a1a86e37fd5 100644
+--- a/drivers/usb/typec/ucsi/ucsi.h
++++ b/drivers/usb/typec/ucsi/ucsi.h
+@@ -373,7 +373,7 @@ ucsi_register_displayport(struct ucsi_connector *con,
+                         bool override, int offset,
+                         struct typec_altmode_desc *desc)
+ {
+-      return NULL;
++      return typec_port_register_altmode(con->port, desc);
+ }
+ 
+ static inline void
+-- 
+2.43.0
+

diff --git a/queue-6.1/usbip-don-t-submit-special-requests-twice.patch b/queue-6.1/usbip-don-t-submit-special-requests-twice.patch
new file mode 100644 (file)
index 0000000..60d583d
--- /dev/null
+++ b/queue-6.1/usbip-don-t-submit-special-requests-twice.patch
@@ -0,0 +1,183 @@
+From 3a93ec4a36e01097646b0e2850c9a04755cbe277 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 May 2024 16:15:38 +0200
+Subject: usbip: Don't submit special requests twice
+
+From: Simon Holesch <simon@holesch.de>
+
+[ Upstream commit 8b6b386f9aa936ed0c190446c71cf59d4a507690 ]
+
+Skip submitting URBs, when identical requests were already sent in
+tweak_special_requests(). Instead call the completion handler directly
+to return the result of the URB.
+
+Even though submitting those requests twice should be harmless, there
+are USB devices that react poorly to some duplicated requests.
+
+One example is the ChipIdea controller implementation in U-Boot: The
+second SET_CONFIGURATION request makes U-Boot disable and re-enable all
+endpoints. Re-enabling an endpoint in the ChipIdea controller, however,
+was broken until U-Boot commit b272c8792502 ("usb: ci: Fix gadget
+reinit").
+
+Signed-off-by: Simon Holesch <simon@holesch.de>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Reviewed-by: Hongren Zheng <i@zenithal.me>
+Tested-by: Hongren Zheng <i@zenithal.me>
+Link: https://lore.kernel.org/r/20240519141922.171460-1-simon@holesch.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/stub_rx.c | 77 ++++++++++++++++++++++++-------------
+ 1 file changed, 50 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
+index fc01b31bbb87..6338d818bc8b 100644
+--- a/drivers/usb/usbip/stub_rx.c
++++ b/drivers/usb/usbip/stub_rx.c
+@@ -144,53 +144,62 @@ static int tweak_set_configuration_cmd(struct urb *urb)
+       if (err && err != -ENODEV)
+               dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n",
+                       config, err);
+-      return 0;
++      return err;
+ }
+ 
+ static int tweak_reset_device_cmd(struct urb *urb)
+ {
+       struct stub_priv *priv = (struct stub_priv *) urb->context;
+       struct stub_device *sdev = priv->sdev;
++      int err;
+ 
+       dev_info(&urb->dev->dev, "usb_queue_reset_device\n");
+ 
+-      if (usb_lock_device_for_reset(sdev->udev, NULL) < 0) {
++      err = usb_lock_device_for_reset(sdev->udev, NULL);
++      if (err < 0) {
+               dev_err(&urb->dev->dev, "could not obtain lock to reset device\n");
+-              return 0;
++              return err;
+       }
+-      usb_reset_device(sdev->udev);
++      err = usb_reset_device(sdev->udev);
+       usb_unlock_device(sdev->udev);
+ 
+-      return 0;
++      return err;
+ }
+ 
+ /*
+  * clear_halt, set_interface, and set_configuration require special tricks.
++ * Returns 1 if request was tweaked, 0 otherwise.
+  */
+-static void tweak_special_requests(struct urb *urb)
++static int tweak_special_requests(struct urb *urb)
+ {
++      int err;
++
+       if (!urb || !urb->setup_packet)
+-              return;
++              return 0;
+ 
+       if (usb_pipetype(urb->pipe) != PIPE_CONTROL)
+-              return;
++              return 0;
+ 
+       if (is_clear_halt_cmd(urb))
+               /* tweak clear_halt */
+-               tweak_clear_halt_cmd(urb);
++              err = tweak_clear_halt_cmd(urb);
+ 
+       else if (is_set_interface_cmd(urb))
+               /* tweak set_interface */
+-              tweak_set_interface_cmd(urb);
++              err = tweak_set_interface_cmd(urb);
+ 
+       else if (is_set_configuration_cmd(urb))
+               /* tweak set_configuration */
+-              tweak_set_configuration_cmd(urb);
++              err = tweak_set_configuration_cmd(urb);
+ 
+       else if (is_reset_device_cmd(urb))
+-              tweak_reset_device_cmd(urb);
+-      else
++              err = tweak_reset_device_cmd(urb);
++      else {
+               usbip_dbg_stub_rx("no need to tweak\n");
++              return 0;
++      }
++
++      return !err;
+ }
+ 
+ /*
+@@ -468,6 +477,7 @@ static void stub_recv_cmd_submit(struct stub_device *sdev,
+       int support_sg = 1;
+       int np = 0;
+       int ret, i;
++      int is_tweaked;
+ 
+       if (pipe == -1)
+               return;
+@@ -580,8 +590,11 @@ static void stub_recv_cmd_submit(struct stub_device *sdev,
+               priv->urbs[i]->pipe = pipe;
+               priv->urbs[i]->complete = stub_complete;
+ 
+-              /* no need to submit an intercepted request, but harmless? */
+-              tweak_special_requests(priv->urbs[i]);
++              /*
++               * all URBs belong to a single PDU, so a global is_tweaked flag is
++               * enough
++               */
++              is_tweaked = tweak_special_requests(priv->urbs[i]);
+ 
+               masking_bogus_flags(priv->urbs[i]);
+       }
+@@ -594,22 +607,32 @@ static void stub_recv_cmd_submit(struct stub_device *sdev,
+ 
+       /* urb is now ready to submit */
+       for (i = 0; i < priv->num_urbs; i++) {
+-              ret = usb_submit_urb(priv->urbs[i], GFP_KERNEL);
++              if (!is_tweaked) {
++                      ret = usb_submit_urb(priv->urbs[i], GFP_KERNEL);
+ 
+-              if (ret == 0)
+-                      usbip_dbg_stub_rx("submit urb ok, seqnum %u\n",
+-                                      pdu->base.seqnum);
+-              else {
+-                      dev_err(&udev->dev, "submit_urb error, %d\n", ret);
+-                      usbip_dump_header(pdu);
+-                      usbip_dump_urb(priv->urbs[i]);
++                      if (ret == 0)
++                              usbip_dbg_stub_rx("submit urb ok, seqnum %u\n",
++                                              pdu->base.seqnum);
++                      else {
++                              dev_err(&udev->dev, "submit_urb error, %d\n", ret);
++                              usbip_dump_header(pdu);
++                              usbip_dump_urb(priv->urbs[i]);
+ 
++                              /*
++                               * Pessimistic.
++                               * This connection will be discarded.
++                               */
++                              usbip_event_add(ud, SDEV_EVENT_ERROR_SUBMIT);
++                              break;
++                      }
++              } else {
+                       /*
+-                       * Pessimistic.
+-                       * This connection will be discarded.
++                       * An identical URB was already submitted in
++                       * tweak_special_requests(). Skip submitting this URB to not
++                       * duplicate the request.
+                        */
+-                      usbip_event_add(ud, SDEV_EVENT_ERROR_SUBMIT);
+-                      break;
++                      priv->urbs[i]->status = 0;
++                      stub_complete(priv->urbs[i]);
+               }
+       }
+ 
+-- 
+2.43.0
+

diff --git a/queue-6.1/wifi-ath11k-initialize-ret-in-ath11k_qmi_load_file_t.patch b/queue-6.1/wifi-ath11k-initialize-ret-in-ath11k_qmi_load_file_t.patch
new file mode 100644 (file)
index 0000000..c09bbdf
--- /dev/null
+++ b/queue-6.1/wifi-ath11k-initialize-ret-in-ath11k_qmi_load_file_t.patch
@@ -0,0 +1,45 @@
+From 371ccd9bf82f55f9816808c948cbbc04bdc5470f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 May 2024 11:52:09 -0700
+Subject: wifi: ath11k: initialize 'ret' in ath11k_qmi_load_file_target_mem()
+
+From: Jeff Johnson <quic_jjohnson@quicinc.com>
+
+[ Upstream commit 199f149e97dc7be80e5eed4b232529c1d1aa8055 ]
+
+smatch flagged the following issue:
+
+drivers/net/wireless/ath/ath11k/qmi.c:2401 ath11k_qmi_load_file_target_mem() error: uninitialized symbol 'ret'.
+
+The reality is that 'ret' is initialized in every path through
+ath11k_qmi_load_file_target_mem() except one, the case where the input
+'len' is 0, and hence the "while (remaining)" loop is never entered.
+But to make sure this case is also handled, add an initializer to the
+declaration of 'ret'.
+
+No functional changes, compile tested only.
+
+Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20240504-qmi_load_file_target_mem-v1-2-069fc44c45eb@quicinc.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/qmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c
+index 01b02c03fa89..764cd320c6c1 100644
+--- a/drivers/net/wireless/ath/ath11k/qmi.c
++++ b/drivers/net/wireless/ath/ath11k/qmi.c
+@@ -2293,7 +2293,7 @@ static int ath11k_qmi_load_file_target_mem(struct ath11k_base *ab,
+       struct qmi_txn txn;
+       const u8 *temp = data;
+       void __iomem *bdf_addr = NULL;
+-      int ret;
++      int ret = 0;
+       u32 remaining = len;
+ 
+       req = kzalloc(sizeof(*req), GFP_KERNEL);
+-- 
+2.43.0
+

diff --git a/queue-6.1/wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch b/queue-6.1/wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch
new file mode 100644 (file)
index 0000000..81ba696
--- /dev/null
+++ b/queue-6.1/wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch
@@ -0,0 +1,131 @@
+From 4c2a62faac54804c271f8b9f34a31ee2fc400d94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Jun 2024 20:17:17 +0200
+Subject: wifi: cfg80211: make hash table duplicates more survivable
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 7f12e26a194d0043441f870708093d9c2c3bad7d ]
+
+Jiazi Li reported that they occasionally see hash table duplicates
+as evidenced by the WARN_ON() in rb_insert_bss() in this code.  It
+isn't clear how that happens, nor have I been able to reproduce it,
+but if it does happen, the kernel crashes later, when it tries to
+unhash the entry that's now not hashed.
+
+Try to make this situation more survivable by removing the BSS from
+the list(s) as well, that way it's fully leaked here (as had been
+the intent in the hash insert error path), and no longer reachable
+through the list(s) so it shouldn't be unhashed again later.
+
+Link: https://lore.kernel.org/r/20231026013528.GA24122@Jiazi.Li
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://msgid.link/20240607181726.36835-2-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 46 +++++++++++++++++++++++++++++++++------------
+ 1 file changed, 34 insertions(+), 12 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 3cd162e53173..d18716e5b2cc 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1534,7 +1534,7 @@ struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy,
+ }
+ EXPORT_SYMBOL(cfg80211_get_bss);
+ 
+-static void rb_insert_bss(struct cfg80211_registered_device *rdev,
++static bool rb_insert_bss(struct cfg80211_registered_device *rdev,
+                         struct cfg80211_internal_bss *bss)
+ {
+       struct rb_node **p = &rdev->bss_tree.rb_node;
+@@ -1550,7 +1550,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev,
+ 
+               if (WARN_ON(!cmp)) {
+                       /* will sort of leak this BSS */
+-                      return;
++                      return false;
+               }
+ 
+               if (cmp < 0)
+@@ -1561,6 +1561,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev,
+ 
+       rb_link_node(&bss->rbn, parent, p);
+       rb_insert_color(&bss->rbn, &rdev->bss_tree);
++      return true;
+ }
+ 
+ static struct cfg80211_internal_bss *
+@@ -1587,6 +1588,34 @@ rb_find_bss(struct cfg80211_registered_device *rdev,
+       return NULL;
+ }
+ 
++static void cfg80211_insert_bss(struct cfg80211_registered_device *rdev,
++                              struct cfg80211_internal_bss *bss)
++{
++      lockdep_assert_held(&rdev->bss_lock);
++
++      if (!rb_insert_bss(rdev, bss))
++              return;
++      list_add_tail(&bss->list, &rdev->bss_list);
++      rdev->bss_entries++;
++}
++
++static void cfg80211_rehash_bss(struct cfg80211_registered_device *rdev,
++                                struct cfg80211_internal_bss *bss)
++{
++      lockdep_assert_held(&rdev->bss_lock);
++
++      rb_erase(&bss->rbn, &rdev->bss_tree);
++      if (!rb_insert_bss(rdev, bss)) {
++              list_del(&bss->list);
++              if (!list_empty(&bss->hidden_list))
++                      list_del_init(&bss->hidden_list);
++              if (!list_empty(&bss->pub.nontrans_list))
++                      list_del_init(&bss->pub.nontrans_list);
++              rdev->bss_entries--;
++      }
++      rdev->bss_generation++;
++}
++
+ static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev,
+                                  struct cfg80211_internal_bss *new)
+ {
+@@ -1862,9 +1891,7 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
+                       bss_ref_get(rdev, pbss);
+               }
+ 
+-              list_add_tail(&new->list, &rdev->bss_list);
+-              rdev->bss_entries++;
+-              rb_insert_bss(rdev, new);
++              cfg80211_insert_bss(rdev, new);
+               found = new;
+       }
+ 
+@@ -2651,10 +2678,7 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev,
+               if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new)))
+                       rdev->bss_generation++;
+       }
+-
+-      rb_erase(&cbss->rbn, &rdev->bss_tree);
+-      rb_insert_bss(rdev, cbss);
+-      rdev->bss_generation++;
++      cfg80211_rehash_bss(rdev, cbss);
+ 
+       list_for_each_entry_safe(nontrans_bss, tmp,
+                                &cbss->pub.nontrans_list,
+@@ -2662,9 +2686,7 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev,
+               bss = container_of(nontrans_bss,
+                                  struct cfg80211_internal_bss, pub);
+               bss->pub.channel = chan;
+-              rb_erase(&bss->rbn, &rdev->bss_tree);
+-              rb_insert_bss(rdev, bss);
+-              rdev->bss_generation++;
++              cfg80211_rehash_bss(rdev, bss);
+       }
+ 
+ done:
+-- 
+2.43.0
+

diff --git a/queue-6.1/wifi-iwlwifi-remove-fw_running-op.patch b/queue-6.1/wifi-iwlwifi-remove-fw_running-op.patch
new file mode 100644 (file)
index 0000000..e49b2e0
--- /dev/null
+++ b/queue-6.1/wifi-iwlwifi-remove-fw_running-op.patch
@@ -0,0 +1,80 @@
+From 9f5c66cef54747649320b4f977e53000fca9b700 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 May 2024 17:06:40 +0300
+Subject: wifi: iwlwifi: remove fw_running op
+
+From: Shahar S Matityahu <shahar.s.matityahu@intel.com>
+
+[ Upstream commit 37733bffda3285d18bd1d72c14b3a1cf39c56a5e ]
+
+fw_running assumes that memory can be retrieved only after alive.
+This assumption is no longer true as we support dump before alive.
+To avoid invalid access to the NIC, check that STATUS_DEVICE_ENABLED
+bit in trans status is set before dumping instead of the prior check.
+
+Signed-off-by: Shahar S Matityahu <shahar.s.matityahu@intel.com>
+Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240510170500.ca07138cedeb.I090e31d3eaeb4ba19f5f84aba997ccd36927e9ac@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/debugfs.c | 3 +--
+ drivers/net/wireless/intel/iwlwifi/fw/runtime.h | 1 -
+ drivers/net/wireless/intel/iwlwifi/mvm/ops.c    | 6 ------
+ 3 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c b/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c
+index 7d4340c56628..51bb54485351 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c
+@@ -252,8 +252,7 @@ static ssize_t iwl_dbgfs_send_hcmd_write(struct iwl_fw_runtime *fwrt, char *buf,
+               .data = { NULL, },
+       };
+ 
+-      if (fwrt->ops && fwrt->ops->fw_running &&
+-          !fwrt->ops->fw_running(fwrt->ops_ctx))
++      if (!iwl_trans_fw_running(fwrt->trans))
+               return -EIO;
+ 
+       if (count < header_size + 1 || count > 1024 * 4)
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
+index d3cb1ae68a96..7b7bf3aecc14 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
++++ b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h
+@@ -18,7 +18,6 @@
+ struct iwl_fw_runtime_ops {
+       void (*dump_start)(void *ctx);
+       void (*dump_end)(void *ctx);
+-      bool (*fw_running)(void *ctx);
+       int (*send_hcmd)(void *ctx, struct iwl_host_cmd *host_cmd);
+       bool (*d3_debug_enable)(void *ctx);
+ };
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+index 864f5fb26040..88b6d4e566c4 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+@@ -670,11 +670,6 @@ static void iwl_mvm_fwrt_dump_end(void *ctx)
+       mutex_unlock(&mvm->mutex);
+ }
+ 
+-static bool iwl_mvm_fwrt_fw_running(void *ctx)
+-{
+-      return iwl_mvm_firmware_running(ctx);
+-}
+-
+ static int iwl_mvm_fwrt_send_hcmd(void *ctx, struct iwl_host_cmd *host_cmd)
+ {
+       struct iwl_mvm *mvm = (struct iwl_mvm *)ctx;
+@@ -695,7 +690,6 @@ static bool iwl_mvm_d3_debug_enable(void *ctx)
+ static const struct iwl_fw_runtime_ops iwl_mvm_fwrt_ops = {
+       .dump_start = iwl_mvm_fwrt_dump_start,
+       .dump_end = iwl_mvm_fwrt_dump_end,
+-      .fw_running = iwl_mvm_fwrt_fw_running,
+       .send_hcmd = iwl_mvm_fwrt_send_hcmd,
+       .d3_debug_enable = iwl_mvm_d3_debug_enable,
+ };
+-- 
+2.43.0
+

diff --git a/queue-6.1/wifi-rtw89-ser-avoid-multiple-deinit-on-same-cam.patch b/queue-6.1/wifi-rtw89-ser-avoid-multiple-deinit-on-same-cam.patch
new file mode 100644 (file)
index 0000000..944ae88
--- /dev/null
+++ b/queue-6.1/wifi-rtw89-ser-avoid-multiple-deinit-on-same-cam.patch
@@ -0,0 +1,44 @@
+From bffa335e831c2a73e3fac8d63242c1e8d0deefe2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 May 2024 17:06:43 +0800
+Subject: wifi: rtw89: ser: avoid multiple deinit on same CAM
+
+From: Zong-Zhe Yang <kevin_yang@realtek.com>
+
+[ Upstream commit cea4066588308fa932b6b03486c608efff1d761c ]
+
+We did deinit CAM in STA iteration in VIF loop. But, the STA iteration
+missed to restrict the target VIF. So, if there are multiple VIFs, we
+would deinit a CAM multiple times. Now, fix it.
+
+Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://msgid.link/20240509090646.35304-2-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/ser.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/ser.c b/drivers/net/wireless/realtek/rtw89/ser.c
+index c1a4bc1c64d1..afb1b41e1a9a 100644
+--- a/drivers/net/wireless/realtek/rtw89/ser.c
++++ b/drivers/net/wireless/realtek/rtw89/ser.c
+@@ -304,9 +304,13 @@ static void ser_reset_vif(struct rtw89_dev *rtwdev, struct rtw89_vif *rtwvif)
+ 
+ static void ser_sta_deinit_cam_iter(void *data, struct ieee80211_sta *sta)
+ {
+-      struct rtw89_vif *rtwvif = (struct rtw89_vif *)data;
+-      struct rtw89_dev *rtwdev = rtwvif->rtwdev;
++      struct rtw89_vif *target_rtwvif = (struct rtw89_vif *)data;
+       struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv;
++      struct rtw89_vif *rtwvif = rtwsta->rtwvif;
++      struct rtw89_dev *rtwdev = rtwvif->rtwdev;
++
++      if (rtwvif != target_rtwvif)
++              return;
+ 
+       if (rtwvif->net_type == RTW89_NET_TYPE_AP_MODE || sta->tdls)
+               rtw89_cam_deinit_addr_cam(rtwdev, &rtwsta->addr_cam);
+-- 
+2.43.0
+