From: Sasha Levin <sashal@kernel.org>
Date: Sun, 10 Mar 2024 13:16:45 +0000 (-0400)
Subject: Drop soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch
X-Git-Tag: v6.8.1~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2989c468015ca9b9bd434142dbd2340218dcef75;p=thirdparty%2Fkernel%2Fstable-queue.git

Drop soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch

Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/queue-6.6/series b/queue-6.6/series
index 6c7522adf1b..7d28bb76846 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -2,7 +2,6 @@ drm-bridge-add-transparent-bridge-helper.patch
 drm-bridge-implement-generic-dp-hpd-bridge.patch
 soc-qcom-pmic-glink-switch-to-drm_aux_hpd_bridge.patch
 drm-bridge-aux-hpd-separate-allocation-and-registrat.patch
-soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch
 dt-bindings-dma-fsl-edma-add-fsl-edma.h-to-prevent-h.patch
 dmaengine-fsl-edma-utilize-common-dt-binding-header-.patch
 dmaengine-fsl-edma-correct-max_segment_size-setting.patch
diff --git a/queue-6.6/soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch b/queue-6.6/soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch
deleted file mode 100644
index 79c4b4e1a4a..00000000000
--- a/queue-6.6/soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 67a4099fba7bfae3544f7d85c0fb4e9e47c744b9 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 17 Feb 2024 16:02:25 +0100
-Subject: soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free
-
-From: Johan Hovold <johan+linaro@kernel.org>
-
-[ Upstream commit b979f2d50a099f3402418d7ff5f26c3952fb08bb ]
-
-A recent DRM series purporting to simplify support for "transparent
-bridges" and handling of probe deferrals ironically exposed a
-use-after-free issue on pmic_glink_altmode probe deferral.
-
-This has manifested itself as the display subsystem occasionally failing
-to initialise and NULL-pointer dereferences during boot of machines like
-the Lenovo ThinkPad X13s.
-
-Specifically, the dp-hpd bridge is currently registered before all
-resources have been acquired which means that it can also be
-deregistered on probe deferrals.
-
-In the meantime there is a race window where the new aux bridge driver
-(or PHY driver previously) may have looked up the dp-hpd bridge and
-stored a (non-reference-counted) pointer to the bridge which is about to
-be deallocated.
-
-When the display controller is later initialised, this triggers a
-use-after-free when attaching the bridges:
-
-	dp -> aux -> dp-hpd (freed)
-
-which may, for example, result in the freed bridge failing to attach:
-
-	[drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16
-
-or a NULL-pointer dereference:
-
-	Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
-	...
-	Call trace:
-	  drm_bridge_attach+0x70/0x1a8 [drm]
-	  drm_aux_bridge_attach+0x24/0x38 [aux_bridge]
-	  drm_bridge_attach+0x80/0x1a8 [drm]
-	  dp_bridge_init+0xa8/0x15c [msm]
-	  msm_dp_modeset_init+0x28/0xc4 [msm]
-
-The DRM bridge implementation is clearly fragile and implicitly built on
-the assumption that bridges may never go away. In this case, the fix is
-to move the bridge registration in the pmic_glink_altmode driver to
-after all resources have been looked up.
-
-Incidentally, with the new dp-hpd bridge implementation, which registers
-child devices, this is also a requirement due to a long-standing issue
-in driver core that can otherwise lead to a probe deferral loop (see
-commit fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")).
-
-[DB: slightly fixed commit message by adding the word 'commit']
-Fixes: 080b4e24852b ("soc: qcom: pmic_glink: Introduce altmode support")
-Fixes: 2bcca96abfbf ("soc: qcom: pmic-glink: switch to DRM_AUX_HPD_BRIDGE")
-Cc: <stable@vger.kernel.org>      # 6.3
-Cc: Bjorn Andersson <andersson@kernel.org>
-Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
-Reviewed-by: Bjorn Andersson <andersson@kernel.org>
-Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Link: https://patchwork.freedesktop.org/patch/msgid/20240217150228.5788-4-johan+linaro@kernel.org
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/soc/qcom/pmic_glink_altmode.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/soc/qcom/pmic_glink_altmode.c b/drivers/soc/qcom/pmic_glink_altmode.c
-index c07cddecc85e9..0b869de665101 100644
---- a/drivers/soc/qcom/pmic_glink_altmode.c
-+++ b/drivers/soc/qcom/pmic_glink_altmode.c
-@@ -76,7 +76,7 @@ struct pmic_glink_altmode_port {
- 
- 	struct work_struct work;
- 
--	struct device *bridge;
-+	struct auxiliary_device *bridge;
- 
- 	enum typec_orientation orientation;
- 	u16 svid;
-@@ -230,7 +230,7 @@ static void pmic_glink_altmode_worker(struct work_struct *work)
- 	else
- 		pmic_glink_altmode_enable_usb(altmode, alt_port);
- 
--	drm_aux_hpd_bridge_notify(alt_port->bridge,
-+	drm_aux_hpd_bridge_notify(&alt_port->bridge->dev,
- 				  alt_port->hpd_state ?
- 				  connector_status_connected :
- 				  connector_status_disconnected);
-@@ -454,7 +454,7 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev,
- 		alt_port->index = port;
- 		INIT_WORK(&alt_port->work, pmic_glink_altmode_worker);
- 
--		alt_port->bridge = drm_dp_hpd_bridge_register(dev, to_of_node(fwnode));
-+		alt_port->bridge = devm_drm_dp_hpd_bridge_alloc(dev, to_of_node(fwnode));
- 		if (IS_ERR(alt_port->bridge)) {
- 			fwnode_handle_put(fwnode);
- 			return PTR_ERR(alt_port->bridge);
-@@ -510,6 +510,16 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev,
- 		}
- 	}
- 
-+	for (port = 0; port < ARRAY_SIZE(altmode->ports); port++) {
-+		alt_port = &altmode->ports[port];
-+		if (!alt_port->bridge)
-+			continue;
-+
-+		ret = devm_drm_dp_hpd_bridge_add(dev, alt_port->bridge);
-+		if (ret)
-+			return ret;
-+	}
-+
- 	altmode->client = devm_pmic_glink_register_client(dev,
- 							  altmode->owner_id,
- 							  pmic_glink_altmode_callback,
--- 
-2.43.0
-
diff --git a/queue-6.7/series b/queue-6.7/series
index 89ab0f8eb5d..89bc660d616 100644
--- a/queue-6.7/series
+++ b/queue-6.7/series
@@ -2,7 +2,6 @@ drm-bridge-add-transparent-bridge-helper.patch
 drm-bridge-implement-generic-dp-hpd-bridge.patch
 soc-qcom-pmic-glink-switch-to-drm_aux_hpd_bridge.patch
 drm-bridge-aux-hpd-separate-allocation-and-registrat.patch
-soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch
 dt-bindings-dma-fsl-edma-add-fsl-edma.h-to-prevent-h.patch
 dmaengine-fsl-edma-utilize-common-dt-binding-header-.patch
 dmaengine-fsl-edma-correct-max_segment_size-setting.patch
diff --git a/queue-6.7/soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch b/queue-6.7/soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch
deleted file mode 100644
index bbb518d6869..00000000000
--- a/queue-6.7/soc-qcom-pmic_glink_altmode-fix-drm-bridge-use-after.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 34ffd4992df436d6a57996dbb04e9105b44c6a9f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 17 Feb 2024 16:02:25 +0100
-Subject: soc: qcom: pmic_glink_altmode: fix drm bridge use-after-free
-
-From: Johan Hovold <johan+linaro@kernel.org>
-
-[ Upstream commit b979f2d50a099f3402418d7ff5f26c3952fb08bb ]
-
-A recent DRM series purporting to simplify support for "transparent
-bridges" and handling of probe deferrals ironically exposed a
-use-after-free issue on pmic_glink_altmode probe deferral.
-
-This has manifested itself as the display subsystem occasionally failing
-to initialise and NULL-pointer dereferences during boot of machines like
-the Lenovo ThinkPad X13s.
-
-Specifically, the dp-hpd bridge is currently registered before all
-resources have been acquired which means that it can also be
-deregistered on probe deferrals.
-
-In the meantime there is a race window where the new aux bridge driver
-(or PHY driver previously) may have looked up the dp-hpd bridge and
-stored a (non-reference-counted) pointer to the bridge which is about to
-be deallocated.
-
-When the display controller is later initialised, this triggers a
-use-after-free when attaching the bridges:
-
-	dp -> aux -> dp-hpd (freed)
-
-which may, for example, result in the freed bridge failing to attach:
-
-	[drm:drm_bridge_attach [drm]] *ERROR* failed to attach bridge /soc@0/phy@88eb000 to encoder TMDS-31: -16
-
-or a NULL-pointer dereference:
-
-	Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
-	...
-	Call trace:
-	  drm_bridge_attach+0x70/0x1a8 [drm]
-	  drm_aux_bridge_attach+0x24/0x38 [aux_bridge]
-	  drm_bridge_attach+0x80/0x1a8 [drm]
-	  dp_bridge_init+0xa8/0x15c [msm]
-	  msm_dp_modeset_init+0x28/0xc4 [msm]
-
-The DRM bridge implementation is clearly fragile and implicitly built on
-the assumption that bridges may never go away. In this case, the fix is
-to move the bridge registration in the pmic_glink_altmode driver to
-after all resources have been looked up.
-
-Incidentally, with the new dp-hpd bridge implementation, which registers
-child devices, this is also a requirement due to a long-standing issue
-in driver core that can otherwise lead to a probe deferral loop (see
-commit fbc35b45f9f6 ("Add documentation on meaning of -EPROBE_DEFER")).
-
-[DB: slightly fixed commit message by adding the word 'commit']
-Fixes: 080b4e24852b ("soc: qcom: pmic_glink: Introduce altmode support")
-Fixes: 2bcca96abfbf ("soc: qcom: pmic-glink: switch to DRM_AUX_HPD_BRIDGE")
-Cc: <stable@vger.kernel.org>      # 6.3
-Cc: Bjorn Andersson <andersson@kernel.org>
-Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
-Reviewed-by: Bjorn Andersson <andersson@kernel.org>
-Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
-Link: https://patchwork.freedesktop.org/patch/msgid/20240217150228.5788-4-johan+linaro@kernel.org
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/soc/qcom/pmic_glink_altmode.c | 16 +++++++++++++---
- 1 file changed, 13 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/soc/qcom/pmic_glink_altmode.c b/drivers/soc/qcom/pmic_glink_altmode.c
-index 1539ccb7a346d..e1d32e1b79902 100644
---- a/drivers/soc/qcom/pmic_glink_altmode.c
-+++ b/drivers/soc/qcom/pmic_glink_altmode.c
-@@ -76,7 +76,7 @@ struct pmic_glink_altmode_port {
- 
- 	struct work_struct work;
- 
--	struct device *bridge;
-+	struct auxiliary_device *bridge;
- 
- 	enum typec_orientation orientation;
- 	u16 svid;
-@@ -230,7 +230,7 @@ static void pmic_glink_altmode_worker(struct work_struct *work)
- 	else
- 		pmic_glink_altmode_enable_usb(altmode, alt_port);
- 
--	drm_aux_hpd_bridge_notify(alt_port->bridge,
-+	drm_aux_hpd_bridge_notify(&alt_port->bridge->dev,
- 				  alt_port->hpd_state ?
- 				  connector_status_connected :
- 				  connector_status_disconnected);
-@@ -454,7 +454,7 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev,
- 		alt_port->index = port;
- 		INIT_WORK(&alt_port->work, pmic_glink_altmode_worker);
- 
--		alt_port->bridge = drm_dp_hpd_bridge_register(dev, to_of_node(fwnode));
-+		alt_port->bridge = devm_drm_dp_hpd_bridge_alloc(dev, to_of_node(fwnode));
- 		if (IS_ERR(alt_port->bridge)) {
- 			fwnode_handle_put(fwnode);
- 			return PTR_ERR(alt_port->bridge);
-@@ -510,6 +510,16 @@ static int pmic_glink_altmode_probe(struct auxiliary_device *adev,
- 		}
- 	}
- 
-+	for (port = 0; port < ARRAY_SIZE(altmode->ports); port++) {
-+		alt_port = &altmode->ports[port];
-+		if (!alt_port->bridge)
-+			continue;
-+
-+		ret = devm_drm_dp_hpd_bridge_add(dev, alt_port->bridge);
-+		if (ret)
-+			return ret;
-+	}
-+
- 	altmode->client = devm_pmic_glink_register_client(dev,
- 							  altmode->owner_id,
- 							  pmic_glink_altmode_callback,
--- 
-2.43.0
-