From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 18 Feb 2025 15:02:37 +0000 (+0100)
Subject: 6.6-stable patches
X-Git-Tag: v6.1.129~37
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e9c304000d2d5451d2a2b8ec1d01cccf047290ef;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
	drm-amd-display-add-null-check-for-head_pipe-in-dcn201_acquire_free_pipe_for_layer.patch
	drm-amd-display-pass-non-null-to-dcn20_validate_apply_pipe_split_flags.patch
	x86-static-call-remove-early_boot_irqs_disabled-check-to-fix-xen-pvh-dom0.patch
---

diff --git a/queue-6.6/drm-amd-display-add-null-check-for-head_pipe-in-dcn201_acquire_free_pipe_for_layer.patch b/queue-6.6/drm-amd-display-add-null-check-for-head_pipe-in-dcn201_acquire_free_pipe_for_layer.patch
new file mode 100644
index 0000000000..ac98e859a0
--- /dev/null
+++ b/queue-6.6/drm-amd-display-add-null-check-for-head_pipe-in-dcn201_acquire_free_pipe_for_layer.patch
@@ -0,0 +1,55 @@
+From f22f4754aaa47d8c59f166ba3042182859e5dff7 Mon Sep 17 00:00:00 2001
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Date: Sun, 21 Jul 2024 19:18:58 +0530
+Subject: drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer
+
+From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+
+commit f22f4754aaa47d8c59f166ba3042182859e5dff7 upstream.
+
+This commit addresses a potential null pointer dereference issue in the
+`dcn201_acquire_free_pipe_for_layer` function. The issue could occur
+when `head_pipe` is null.
+
+The fix adds a check to ensure `head_pipe` is not null before asserting
+it. If `head_pipe` is null, the function returns NULL to prevent a
+potential null pointer dereference.
+
+Reported by smatch:
+drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn201/dcn201_resource.c:1016 dcn201_acquire_free_pipe_for_layer() error: we previously assumed 'head_pipe' could be null (see line 1010)
+
+Cc: Tom Chung <chiahsuan.chung@amd.com>
+Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
+Cc: Roman Li <roman.li@amd.com>
+Cc: Alex Hung <alex.hung@amd.com>
+Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Cc: Harry Wentland <harry.wentland@amd.com>
+Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
+Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+[ dcn201 was moved from drivers/gpu/drm/amd/display/dc to
+  drivers/gpu/drm/amd/display/dc/resource since commit
+  8b8eed05a1c6 ("drm/amd/display: Refactor resource into component directory").
+  The path is changed accordingly to apply the patch on 6.6.y. ]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn201/dcn201_resource.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn201/dcn201_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn201/dcn201_resource.c
+@@ -1002,8 +1002,10 @@ static struct pipe_ctx *dcn201_acquire_f
+ 	struct pipe_ctx *head_pipe = resource_get_otg_master_for_stream(res_ctx, opp_head_pipe->stream);
+ 	struct pipe_ctx *idle_pipe = resource_find_free_secondary_pipe_legacy(res_ctx, pool, head_pipe);
+ 
+-	if (!head_pipe)
++	if (!head_pipe) {
+ 		ASSERT(0);
++		return NULL;
++	}
+ 
+ 	if (!idle_pipe)
+ 		return NULL;
diff --git a/queue-6.6/drm-amd-display-pass-non-null-to-dcn20_validate_apply_pipe_split_flags.patch b/queue-6.6/drm-amd-display-pass-non-null-to-dcn20_validate_apply_pipe_split_flags.patch
new file mode 100644
index 0000000000..435ab8ca16
--- /dev/null
+++ b/queue-6.6/drm-amd-display-pass-non-null-to-dcn20_validate_apply_pipe_split_flags.patch
@@ -0,0 +1,71 @@
+From 5559598742fb4538e4c51c48ef70563c49c2af23 Mon Sep 17 00:00:00 2001
+From: Alex Hung <alex.hung@amd.com>
+Date: Thu, 27 Jun 2024 11:51:27 -0600
+Subject: drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags
+
+From: Alex Hung <alex.hung@amd.com>
+
+commit 5559598742fb4538e4c51c48ef70563c49c2af23 upstream.
+
+[WHAT & HOW]
+"dcn20_validate_apply_pipe_split_flags" dereferences merge, and thus it
+cannot be a null pointer. Let's pass a valid pointer to avoid null
+dereference.
+
+This fixes 2 FORWARD_NULL issues reported by Coverity.
+
+Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Signed-off-by: Jerry Zuo <jerry.zuo@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+[ dcn20 and dcn21 were moved from drivers/gpu/drm/amd/display/dc to
+  drivers/gpu/drm/amd/display/dc/resource since commit
+  8b8eed05a1c6 ("drm/amd/display: Refactor resource into component directory").
+  The path is changed accordingly to apply the patch on 6.6.y. ]
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c |    3 ++-
+ drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c |    3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+@@ -2026,6 +2026,7 @@ bool dcn20_fast_validate_bw(
+ {
+ 	bool out = false;
+ 	int split[MAX_PIPES] = { 0 };
++	bool merge[MAX_PIPES] = { false };
+ 	int pipe_cnt, i, pipe_idx, vlevel;
+ 
+ 	ASSERT(pipes);
+@@ -2050,7 +2051,7 @@ bool dcn20_fast_validate_bw(
+ 	if (vlevel > context->bw_ctx.dml.soc.num_states)
+ 		goto validate_fail;
+ 
+-	vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, NULL);
++	vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, merge);
+ 
+ 	/*initialize pipe_just_split_from to invalid idx*/
+ 	for (i = 0; i < MAX_PIPES; i++)
+--- a/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn21/dcn21_resource.c
+@@ -800,6 +800,7 @@ bool dcn21_fast_validate_bw(struct dc *d
+ {
+ 	bool out = false;
+ 	int split[MAX_PIPES] = { 0 };
++	bool merge[MAX_PIPES] = { false };
+ 	int pipe_cnt, i, pipe_idx, vlevel;
+ 
+ 	ASSERT(pipes);
+@@ -842,7 +843,7 @@ bool dcn21_fast_validate_bw(struct dc *d
+ 			goto validate_fail;
+ 	}
+ 
+-	vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, NULL);
++	vlevel = dcn20_validate_apply_pipe_split_flags(dc, context, vlevel, split, merge);
+ 
+ 	for (i = 0, pipe_idx = 0; i < dc->res_pool->pipe_count; i++) {
+ 		struct pipe_ctx *pipe = &context->res_ctx.pipe_ctx[i];
diff --git a/queue-6.6/series b/queue-6.6/series
index abbbce623a..dced9d1161 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -130,3 +130,6 @@ drm-tidss-fix-issue-in-irq-handling-causing-irq-flood-issue.patch
 drm-tidss-clear-the-interrupt-status-for-interrupts-being-disabled.patch
 drm-rcar-du-dsi-fix-phy-lock-bit-check.patch
 drm-v3d-stop-active-perfmon-if-it-is-being-destroyed.patch
+x86-static-call-remove-early_boot_irqs_disabled-check-to-fix-xen-pvh-dom0.patch
+drm-amd-display-add-null-check-for-head_pipe-in-dcn201_acquire_free_pipe_for_layer.patch
+drm-amd-display-pass-non-null-to-dcn20_validate_apply_pipe_split_flags.patch
diff --git a/queue-6.6/x86-static-call-remove-early_boot_irqs_disabled-check-to-fix-xen-pvh-dom0.patch b/queue-6.6/x86-static-call-remove-early_boot_irqs_disabled-check-to-fix-xen-pvh-dom0.patch
new file mode 100644
index 0000000000..aadf99b724
--- /dev/null
+++ b/queue-6.6/x86-static-call-remove-early_boot_irqs_disabled-check-to-fix-xen-pvh-dom0.patch
@@ -0,0 +1,44 @@
+From 5cc2db37124bb33914996d6fdbb2ddb3811f2945 Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Sat, 21 Dec 2024 21:10:46 +0000
+Subject: x86/static-call: Remove early_boot_irqs_disabled check to fix Xen PVH dom0
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+
+commit 5cc2db37124bb33914996d6fdbb2ddb3811f2945 upstream.
+
+__static_call_update_early() has a check for early_boot_irqs_disabled, but
+is used before early_boot_irqs_disabled is set up in start_kernel().
+
+Xen PV has always special cased early_boot_irqs_disabled, but Xen PVH does
+not and falls over the BUG when booting as dom0.
+
+It is very suspect that early_boot_irqs_disabled starts as 0, becomes 1 for
+a time, then becomes 0 again, but as this needs backporting to fix a
+breakage in a security fix, dropping the BUG_ON() is the far safer option.
+
+Fixes: 0ef8047b737d ("x86/static-call: provide a way to do very early static-call updates")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219620
+Reported-by: Alex Zenla <alex@edera.dev>
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Alex Zenla <alex@edera.dev>
+Link: https://lore.kernel.org/r/20241221211046.6475-1-andrew.cooper3@citrix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/static_call.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/x86/kernel/static_call.c
++++ b/arch/x86/kernel/static_call.c
+@@ -175,7 +175,6 @@ EXPORT_SYMBOL_GPL(arch_static_call_trans
+ noinstr void __static_call_update_early(void *tramp, void *func)
+ {
+ 	BUG_ON(system_state != SYSTEM_BOOTING);
+-	BUG_ON(!early_boot_irqs_disabled);
+ 	BUG_ON(static_call_initialized);
+ 	__text_gen_insn(tramp, JMP32_INSN_OPCODE, tramp, func, JMP32_INSN_SIZE);
+ 	sync_core();