From: Greg Kroah-Hartman Date: Tue, 18 Feb 2025 14:11:13 +0000 (+0100) Subject: 6.13-stable patches X-Git-Tag: v6.1.129~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fe7994b4615055e5d410eafd9b36636478ab94e4;p=thirdparty%2Fkernel%2Fstable-queue.git 6.13-stable patches added patches: drm-msm-dpu-fix-x1e80100-intf_6-underrun-vsync-interrupt.patch drm-msm-dpu1-don-t-choke-on-disabling-the-writeback-connector.patch drm-msm-gem-prevent-integer-overflow-in-msm_ioctl_gem_submit.patch drm-rcar-du-dsi-fix-phy-lock-bit-check.patch drm-tidss-clear-the-interrupt-status-for-interrupts-being-disabled.patch drm-tidss-fix-issue-in-irq-handling-causing-irq-flood-issue.patch drm-tidss-fix-race-condition-while-handling-interrupt-registers.patch drm-v3d-stop-active-perfmon-if-it-is-being-destroyed.patch drm-xe-tracing-fix-a-potential-tp_printk-uaf.patch drm-zynqmp_dp-fix-integer-overflow-in-zynqmp_dp_rate_get.patch
---
diff --git a/queue-6.13/drm-msm-dpu-fix-x1e80100-intf_6-underrun-vsync-interrupt.patch b/queue-6.13/drm-msm-dpu-fix-x1e80100-intf_6-underrun-vsync-interrupt.patch
new file mode 100644
index 0000000000..592425e27c
--- /dev/null
+++ b/queue-6.13/drm-msm-dpu-fix-x1e80100-intf_6-underrun-vsync-interrupt.patch
@@ -0,0 +1,47 @@
+From ce55101e6ba188296dbdb9506665d26f23110292 Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold
+Date: Fri, 15 Nov 2024 13:55:13 +0100
+Subject: drm/msm/dpu: fix x1e80100 intf_6 underrun/vsync interrupt
+
+From: Stephan Gerhold
+
+commit ce55101e6ba188296dbdb9506665d26f23110292 upstream.
+
+The IRQ indexes for the intf_6 underrun/vsync interrupts are swapped.
+DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16) is the actual underrun interrupt and
+DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17) is the vsync interrupt.
+
+This causes timeout errors when using the DP2 controller, e.g.
+ [dpu error]enc37 frame done timeout
+ *ERROR* irq timeout id=37, intf_mode=INTF_MODE_VIDEO intf=6 wb=-1, pp=2, intr=0
+ *ERROR* wait disable failed: id:37 intf:6 ret:-110
+
+Correct them to fix these errors and make DP2 work properly.
+
+Cc: stable@vger.kernel.org
+Fixes: e3b1f369db5a ("drm/msm/dpu: Add X1E80100 support")
+Signed-off-by: Stephan Gerhold
+Tested-by: Johan Hovold
+Reviewed-by: Dmitry Baryshkov
+Reviewed-by: Abhinav Kumar
+Patchwork: https://patchwork.freedesktop.org/patch/624681/
+Link: https://lore.kernel.org/r/20241115-x1e80100-dp2-fix-v1-1-727b9fe6f390@linaro.org
+Signed-off-by: Abhinav Kumar
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h
++++ b/drivers/gpu/drm/msm/disp/dpu1/catalog/dpu_9_2_x1e80100.h
+@@ -391,8 +391,8 @@ static const struct dpu_intf_cfg x1e8010
+ .type = INTF_DP,
+ .controller_id = MSM_DP_CONTROLLER_2,
+ .prog_fetch_lines_worst_case = 24,
+- .intr_underrun = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17),
+- .intr_vsync = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16),
++ .intr_underrun = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 16),
++ .intr_vsync = DPU_IRQ_IDX(MDP_SSPP_TOP0_INTR, 17),
+ }, {
+ .name = "intf_7", .id = INTF_7,
+ .base = 0x3b000, .len = 0x280,
diff --git a/queue-6.13/drm-msm-dpu1-don-t-choke-on-disabling-the-writeback-connector.patch b/queue-6.13/drm-msm-dpu1-don-t-choke-on-disabling-the-writeback-connector.patch
new file mode 100644
index 0000000000..2a1acb795c
--- /dev/null
+++ b/queue-6.13/drm-msm-dpu1-don-t-choke-on-disabling-the-writeback-connector.patch
@@ -0,0 +1,59 @@
+From d9f55e2abfb933818c772eba659a9b7ab28a44d0 Mon Sep 17 00:00:00 2001
+From: Dmitry Baryshkov
+Date: Mon, 9 Dec 2024 12:04:24 +0200
+Subject: drm/msm/dpu1: don't choke on disabling the writeback connector
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Baryshkov
+
+commit d9f55e2abfb933818c772eba659a9b7ab28a44d0 upstream.
+
+During suspend/resume process all connectors are explicitly disabled and
+then reenabled. However resume fails because of the connector_status check:
+
+[dpu error]connector not connected 3
+[drm:drm_mode_config_helper_resume [drm_kms_helper]] *ERROR* Failed to resume (-22)
+
+It doesn't make sense to check for the Writeback connected status (and
+other drivers don't perform such check), so drop the check.
+
+It wasn't a problem before the commit 71174f362d67 ("drm/msm/dpu: move
+writeback's atomic_check to dpu_writeback.c"), since encoder's
+atomic_check() is called under a different conditions that the
+connector's atomic_check() (e.g. it is not called if there is no
+connected CRTC or if the corresponding connector is not a part of the
+new state).
+
+Fixes: 71174f362d67 ("drm/msm/dpu: move writeback's atomic_check to dpu_writeback.c")
+Cc: stable@vger.kernel.org
+Reported-by: Leonard Lausen
+Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/57
+Tested-by: Leonard Lausen # on sc7180 lazor
+Tested-by: György Kurucz
+Reviewed-by: Johan Hovold
+Tested-by: Johan Hovold
+Signed-off-by: Dmitry Baryshkov
+Reviewed-by: Abhinav Kumar
+Tested-by: Jessica Zhang # Trogdor (sc7180)
+Patchwork: https://patchwork.freedesktop.org/patch/627828/
+Link: https://lore.kernel.org/r/20241209-dpu-fix-wb-v4-1-7fe93059f9e0@linaro.org
+Signed-off-by: Abhinav Kumar
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_writeback.c
+@@ -42,9 +42,6 @@ static int dpu_wb_conn_atomic_check(stru
+ if (!conn_state || !conn_state->connector) {
+ DPU_ERROR("invalid connector state\n");
+ return -EINVAL;
+- } else if (conn_state->connector->status != connector_status_connected) {
+- DPU_ERROR("connector not connected %d\n", conn_state->connector->status);
+- return -EINVAL;
+ }
+
+ crtc = conn_state->crtc;
diff --git a/queue-6.13/drm-msm-gem-prevent-integer-overflow-in-msm_ioctl_gem_submit.patch b/queue-6.13/drm-msm-gem-prevent-integer-overflow-in-msm_ioctl_gem_submit.patch
new file mode 100644
index 0000000000..8e29eeb256
--- /dev/null
+++ b/queue-6.13/drm-msm-gem-prevent-integer-overflow-in-msm_ioctl_gem_submit.patch
@@ -0,0 +1,36 @@
+From 3a47f4b439beb98e955d501c609dfd12b7836d61 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 15 Nov 2024 17:50:08 +0300
+Subject: drm/msm/gem: prevent integer overflow in msm_ioctl_gem_submit()
+
+From: Dan Carpenter
+
+commit 3a47f4b439beb98e955d501c609dfd12b7836d61 upstream.
+
+The "submit->cmd[i].size" and "submit->cmd[i].offset" variables are u32
+values that come from the user via the submit_lookup_cmds() function.
+This addition could lead to an integer wrapping bug so use size_add()
+to prevent that.
+
+Fixes: 198725337ef1 ("drm/msm: fix cmdstream size check")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter
+Patchwork: https://patchwork.freedesktop.org/patch/624696/
+Signed-off-by: Rob Clark
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/msm/msm_gem_submit.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_gem_submit.c
++++ b/drivers/gpu/drm/msm/msm_gem_submit.c
+@@ -787,8 +787,7 @@ int msm_ioctl_gem_submit(struct drm_devi
+ goto out;
+
+ if (!submit->cmd[i].size ||
+- ((submit->cmd[i].size + submit->cmd[i].offset) >
+- obj->size / 4)) {
++ (size_add(submit->cmd[i].size, submit->cmd[i].offset) > obj->size / 4)) {
+ SUBMIT_ERROR(submit, "invalid cmdstream size: %u\n", submit->cmd[i].size * 4);
+ ret = -EINVAL;
+ goto out;
diff --git a/queue-6.13/drm-rcar-du-dsi-fix-phy-lock-bit-check.patch b/queue-6.13/drm-rcar-du-dsi-fix-phy-lock-bit-check.patch
new file mode 100644
index 0000000000..3a95410ff6
--- /dev/null
+++ b/queue-6.13/drm-rcar-du-dsi-fix-phy-lock-bit-check.patch
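Review bot: The `size_add()` call in the cmdstream bounds check of `msm_ioctl_gem_submit()` has no comment saying why plain `+` is avoided, so a later cleanup could turn it back into a wrapping u32 addition of two user-supplied values. I would add a line above the `if`, for example `/* size and offset are user-supplied u32 values; size_add() saturates instead of wrapping */`. The function body starts and ends outside the hunk, so whether either value is range-limited before this point cannot be checked from here.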
@@ -0,0 +1,51 @@
+From 6389e616fae8a101ce00068f7690461ab57b29d8 Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen
+Date: Tue, 17 Dec 2024 07:31:35 +0200
+Subject: drm/rcar-du: dsi: Fix PHY lock bit check
+
+From: Tomi Valkeinen
+
+commit 6389e616fae8a101ce00068f7690461ab57b29d8 upstream.
+
+The driver checks for bit 16 (using CLOCKSET1_LOCK define) in CLOCKSET1
+register when waiting for the PPI clock. However, the right bit to check
+is bit 17 (CLOCKSET1_LOCK_PHY define). Not only that, but there's
+nothing in the documents for bit 16 for V3U nor V4H.
+
+So, fix the check to use bit 17, and drop the define for bit 16.
+
+Fixes: 155358310f01 ("drm: rcar-du: Add R-Car DSI driver")
+Fixes: 11696c5e8924 ("drm: Place Renesas drivers in a separate dir")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tomi Valkeinen
+Reviewed-by: Laurent Pinchart
+Tested-by: Geert Uytterhoeven
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20241217-rcar-gh-dsi-v5-1-e77421093c05@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi.c | 2 +-
+ drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi_regs.h | 1 -
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi.c
++++ b/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi.c
+@@ -587,7 +587,7 @@ static int rcar_mipi_dsi_startup(struct
+ for (timeout = 10; timeout > 0; --timeout) {
+ if ((rcar_mipi_dsi_read(dsi, PPICLSR) & PPICLSR_STPST) &&
+ (rcar_mipi_dsi_read(dsi, PPIDLSR) & PPIDLSR_STPST) &&
+- (rcar_mipi_dsi_read(dsi, CLOCKSET1) & CLOCKSET1_LOCK))
++ (rcar_mipi_dsi_read(dsi, CLOCKSET1) & CLOCKSET1_LOCK_PHY))
+ break;
+
+ usleep_range(1000, 2000);
+--- a/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi_regs.h
++++ b/drivers/gpu/drm/renesas/rcar-du/rcar_mipi_dsi_regs.h
+@@ -142,7 +142,6 @@
+
+ #define CLOCKSET1 0x101c
+ #define CLOCKSET1_LOCK_PHY (1 << 17)
+-#define CLOCKSET1_LOCK (1 << 16)
+ #define CLOCKSET1_CLKSEL (1 << 8)
+ #define CLOCKSET1_CLKINSEL_EXTAL (0 << 2)
+ #define CLOCKSET1_CLKINSEL_DIG (1 << 2)
diff --git a/queue-6.13/drm-tidss-clear-the-interrupt-status-for-interrupts-being-disabled.patch b/queue-6.13/drm-tidss-clear-the-interrupt-status-for-interrupts-being-disabled.patch
new file mode 100644
index 0000000000..0b5f2ca618
--- /dev/null
+++ b/queue-6.13/drm-tidss-clear-the-interrupt-status-for-interrupts-being-disabled.patch
@@ -0,0 +1,72 @@
+From 361a2ebb5cad211732ec3c5d962de49b21895590 Mon Sep 17 00:00:00 2001
+From: Devarsh Thakkar
+Date: Mon, 21 Oct 2024 17:07:49 +0300
+Subject: drm/tidss: Clear the interrupt status for interrupts being disabled
+
+From: Devarsh Thakkar
+
+commit 361a2ebb5cad211732ec3c5d962de49b21895590 upstream.
+
+The driver does not touch the irqstatus register when it is disabling
+interrupts. This might cause an interrupt to trigger for an interrupt
+that was just disabled.
+
+To fix the issue, clear the irqstatus registers right after disabling
+the interrupts.
+
+Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem")
+Cc: stable@vger.kernel.org
+Reported-by: Jonathan Cormier
+Closes: https://e2e.ti.com/support/processors-group/processors/f/processors-forum/1394222/am625-issue-about-tidss-rcu_preempt-self-detected-stall-on-cpu/5424479#5424479
+Signed-off-by: Devarsh Thakkar
+[Tomi: mostly rewrote the patch]
+Reviewed-by: Jonathan Cormier
+Tested-by: Jonathan Cormier
+Reviewed-by: Aradhya Bhatia
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20241021-tidss-irq-fix-v1-5-82ddaec94e4a@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/tidss/tidss_dispc.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/tidss/tidss_dispc.c
++++ b/drivers/gpu/drm/tidss/tidss_dispc.c
+@@ -700,7 +700,7 @@ void dispc_k2g_set_irqenable(struct disp
+ {
+ dispc_irq_t old_mask = dispc_k2g_read_irqenable(dispc);
+
+- /* clear the irqstatus for newly enabled irqs */
++ /* clear the irqstatus for irqs that will be enabled */
+ dispc_k2g_clear_irqstatus(dispc, (mask ^ old_mask) & mask);
+
+ dispc_k2g_vp_set_irqenable(dispc, 0, mask);
+@@ -708,6 +708,9 @@ void dispc_k2g_set_irqenable(struct disp
+
+ dispc_write(dispc, DISPC_IRQENABLE_SET, (1 << 0) | (1 << 7));
+
++ /* clear the irqstatus for irqs that were disabled */
++ dispc_k2g_clear_irqstatus(dispc, (mask ^ old_mask) & old_mask);
++
+ /* flush posted write */
+ dispc_k2g_read_irqenable(dispc);
+ }
+@@ -839,7 +842,7 @@ static void dispc_k3_set_irqenable(struc
+
+ old_mask = dispc_k3_read_irqenable(dispc);
+
+- /* clear the irqstatus for newly enabled irqs */
++ /* clear the irqstatus for irqs that will be enabled */
+ dispc_k3_clear_irqstatus(dispc, (old_mask ^ mask) & mask);
+
+ for (i = 0; i < dispc->feat->num_vps; ++i) {
+@@ -864,6 +867,9 @@ static void dispc_k3_set_irqenable(struc
+ if (main_disable)
+ dispc_write(dispc, DISPC_IRQENABLE_CLR, main_disable);
+
++ /* clear the irqstatus for irqs that were disabled */
++ dispc_k3_clear_irqstatus(dispc, (old_mask ^ mask) & old_mask);
++
+ /* Flush posted writes */
+ dispc_read(dispc, DISPC_IRQENABLE_SET);
+ }
diff --git a/queue-6.13/drm-tidss-fix-issue-in-irq-handling-causing-irq-flood-issue.patch b/queue-6.13/drm-tidss-fix-issue-in-irq-handling-causing-irq-flood-issue.patch
new file mode 100644
index 0000000000..ecf254b0ca
--- /dev/null
+++ b/queue-6.13/drm-tidss-fix-issue-in-irq-handling-causing-irq-flood-issue.patch
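Review bot: The two added clears spell the "was enabled, is now disabled" set differently: `(mask ^ old_mask) & old_mask` in `dispc_k2g_set_irqenable()` and `(old_mask ^ mask) & old_mask` in `dispc_k3_set_irqenable()`. Both reduce to `old_mask & ~mask`, and writing them that way, `dispc_k2g_clear_irqstatus(dispc, old_mask & ~mask);` and `dispc_k3_clear_irqstatus(dispc, old_mask & ~mask);`, shows the intent without working through the XOR and removes the operand-order mismatch. Both function bodies are only partly visible in these hunks.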
@@ -0,0 +1,83 @@
+From 44b6730ab53ef04944fbaf6da0e77397531517b7 Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen
+Date: Mon, 21 Oct 2024 17:07:45 +0300
+Subject: drm/tidss: Fix issue in irq handling causing irq-flood issue
+
+From: Tomi Valkeinen
+
+commit 44b6730ab53ef04944fbaf6da0e77397531517b7 upstream.
+
+It has been observed that sometimes DSS will trigger an interrupt and
+the top level interrupt (DISPC_IRQSTATUS) is not zero, but the VP and
+VID level interrupt-statuses are zero.
+
+As the top level irqstatus is supposed to tell whether we have VP/VID
+interrupts, the thinking of the driver authors was that this particular
+case could never happen. Thus the driver only clears the DISPC_IRQSTATUS
+bits which has corresponding interrupts in VP/VID status. So when this
+issue happens, the driver will not clear DISPC_IRQSTATUS, and we get an
+interrupt flood.
+
+It is unclear why the issue happens. It could be a race issue in the
+driver, but no such race has been found. It could also be an issue with
+the HW. However a similar case can be easily triggered by manually
+writing to DISPC_IRQSTATUS_RAW. This will forcibly set a bit in the
+DISPC_IRQSTATUS and trigger an interrupt, and as the driver never clears
+the bit, we get an interrupt flood.
+
+To fix the issue, always clear DISPC_IRQSTATUS. The concern with this
+solution is that if the top level irqstatus is the one that triggers the
+interrupt, always clearing DISPC_IRQSTATUS might leave some interrupts
+unhandled if VP/VID interrupt statuses have bits set. However, testing
+shows that if any of the irqstatuses is set (i.e. even if
+DISPC_IRQSTATUS == 0, but a VID irqstatus has a bit set), we will get an
+interrupt.
+
+Co-developed-by: Bin Liu
+Signed-off-by: Bin Liu
+Co-developed-by: Devarsh Thakkar
+Signed-off-by: Devarsh Thakkar
+Co-developed-by: Jonathan Cormier
+Signed-off-by: Jonathan Cormier
+Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem")
+Cc: stable@vger.kernel.org
+Tested-by: Jonathan Cormier
+Reviewed-by: Aradhya Bhatia
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20241021-tidss-irq-fix-v1-1-82ddaec94e4a@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/tidss/tidss_dispc.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/drivers/gpu/drm/tidss/tidss_dispc.c
++++ b/drivers/gpu/drm/tidss/tidss_dispc.c
+@@ -780,24 +780,20 @@ static
+ void dispc_k3_clear_irqstatus(struct dispc_device *dispc, dispc_irq_t clearmask)
+ {
+ unsigned int i;
+- u32 top_clear = 0;
+
+ for (i = 0; i < dispc->feat->num_vps; ++i) {
+- if (clearmask & DSS_IRQ_VP_MASK(i)) {
++ if (clearmask & DSS_IRQ_VP_MASK(i))
+ dispc_k3_vp_write_irqstatus(dispc, i, clearmask);
+- top_clear |= BIT(i);
+- }
+ }
+ for (i = 0; i < dispc->feat->num_planes; ++i) {
+- if (clearmask & DSS_IRQ_PLANE_MASK(i)) {
++ if (clearmask & DSS_IRQ_PLANE_MASK(i))
+ dispc_k3_vid_write_irqstatus(dispc, i, clearmask);
+- top_clear |= BIT(4 + i);
+- }
+ }
+ if (dispc->feat->subrev == DISPC_K2G)
+ return;
+
+- dispc_write(dispc, DISPC_IRQSTATUS, top_clear);
++ /* always clear the top level irqstatus */
++ dispc_write(dispc, DISPC_IRQSTATUS, dispc_read(dispc, DISPC_IRQSTATUS));
+
+ /* Flush posted writes */
+ dispc_read(dispc, DISPC_IRQSTATUS);
diff --git a/queue-6.13/drm-tidss-fix-race-condition-while-handling-interrupt-registers.patch b/queue-6.13/drm-tidss-fix-race-condition-while-handling-interrupt-registers.patch
new file mode 100644
index 0000000000..705cfdb901
--- /dev/null
+++ b/queue-6.13/drm-tidss-fix-race-condition-while-handling-interrupt-registers.patch
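Review bot: The added comment `/* always clear the top level irqstatus */` in `dispc_k3_clear_irqstatus()` says what the write does but not why the value written no longer depends on `clearmask`, which is the surprising part for anyone reading the function later. The reason lives only in the commit message: a top-level bit can be set while every VP/VID status reads zero, and leaving it set produces an interrupt flood. I would put that in the code, for example `/* Top-level bits can be set with no VP/VID status set; clear them all or the IRQ keeps firing. */`.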
@@ -0,0 +1,57 @@
+From a9a73f2661e6f625d306c9b0ef082e4593f45a21 Mon Sep 17 00:00:00 2001
+From: Devarsh Thakkar
+Date: Mon, 21 Oct 2024 17:07:50 +0300
+Subject: drm/tidss: Fix race condition while handling interrupt registers
+
+From: Devarsh Thakkar
+
+commit a9a73f2661e6f625d306c9b0ef082e4593f45a21 upstream.
+
+The driver has a spinlock for protecting the irq_masks field and irq
+enable registers. However, the driver misses protecting the irq status
+registers which can lead to races.
+
+Take the spinlock when accessing irqstatus too.
+
+Fixes: 32a1795f57ee ("drm/tidss: New driver for TI Keystone platform Display SubSystem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Devarsh Thakkar
+[Tomi: updated the desc]
+Reviewed-by: Jonathan Cormier
+Tested-by: Jonathan Cormier
+Reviewed-by: Aradhya Bhatia
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20241021-tidss-irq-fix-v1-6-82ddaec94e4a@ideasonboard.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/tidss/tidss_dispc.c | 4 ++++
+ drivers/gpu/drm/tidss/tidss_irq.c | 2 ++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/tidss/tidss_dispc.c
++++ b/drivers/gpu/drm/tidss/tidss_dispc.c
+@@ -2763,8 +2763,12 @@ static void dispc_init_errata(struct dis
+ */
+ static void dispc_softreset_k2g(struct dispc_device *dispc)
+ {
++ unsigned long flags;
++
++ spin_lock_irqsave(&dispc->tidss->wait_lock, flags);
+ dispc_set_irqenable(dispc, 0);
+ dispc_read_and_clear_irqstatus(dispc);
++ spin_unlock_irqrestore(&dispc->tidss->wait_lock, flags);
+
+ for (unsigned int vp_idx = 0; vp_idx < dispc->feat->num_vps; ++vp_idx)
+ VP_REG_FLD_MOD(dispc, vp_idx, DISPC_VP_CONTROL, 0, 0, 0);
+--- a/drivers/gpu/drm/tidss/tidss_irq.c
++++ b/drivers/gpu/drm/tidss/tidss_irq.c
+@@ -60,7 +60,9 @@ static irqreturn_t tidss_irq_handler(int
+ unsigned int id;
+ dispc_irq_t irqstatus;
+
++ spin_lock(&tidss->wait_lock);
+ irqstatus = dispc_read_and_clear_irqstatus(tidss->dispc);
++ spin_unlock(&tidss->wait_lock);
+
+ for (id = 0; id < tidss->num_crtcs; id++) {
+ struct drm_crtc *crtc = tidss->crtcs[id];
diff --git a/queue-6.13/drm-v3d-stop-active-perfmon-if-it-is-being-destroyed.patch b/queue-6.13/drm-v3d-stop-active-perfmon-if-it-is-being-destroyed.patch
new file mode 100644
index 0000000000..8f6572a212
--- /dev/null
+++ b/queue-6.13/drm-v3d-stop-active-perfmon-if-it-is-being-destroyed.patch
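Review bot: Nothing in the helpers themselves checks the new rule that `wait_lock` must be held around `dispc_set_irqenable()` and `dispc_read_and_clear_irqstatus()`; it is applied only at the two call sites shown, `dispc_softreset_k2g()` and `tidss_irq_handler()`. Any caller outside these hunks that skips the lock would bring the race back silently, so I would add `lockdep_assert_held(&dispc->tidss->wait_lock);` at the top of the irqstatus and irqenable helpers to let lockdep catch it. The handler uses plain `spin_lock()` while the reset path uses `spin_lock_irqsave()`; that looks right if the handler runs in hard-IRQ context, and a one-line comment at the handler saying so would help.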
@@ -0,0 +1,52 @@
+From 21f1435b1e6b012a07c42f36b206d2b66fc8f13b Mon Sep 17 00:00:00 2001
+From: Christian Gmeiner
+Date: Mon, 18 Nov 2024 23:19:47 +0100
+Subject: drm/v3d: Stop active perfmon if it is being destroyed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian Gmeiner
+
+commit 21f1435b1e6b012a07c42f36b206d2b66fc8f13b upstream.
+
+If the active performance monitor (`v3d->active_perfmon`) is being
+destroyed, stop it first. Currently, the active perfmon is not
+stopped during destruction, leaving the `v3d->active_perfmon` pointer
+stale. This can lead to undefined behavior and instability.
+
+This patch ensures that the active perfmon is stopped before being
+destroyed, aligning with the behavior introduced in commit
+7d1fd3638ee3 ("drm/v3d: Stop the active perfmon before being destroyed").
+
+Cc: stable@vger.kernel.org # v5.15+
+Fixes: 26a4dc29b74a ("drm/v3d: Expose performance counters to userspace")
+Signed-off-by: Christian Gmeiner
+Signed-off-by: Maíra Canal
+Link: https://patchwork.freedesktop.org/patch/msgid/20241118221948.1758130-1-christian.gmeiner@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/v3d/v3d_perfmon.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/v3d/v3d_perfmon.c
++++ b/drivers/gpu/drm/v3d/v3d_perfmon.c
+@@ -384,6 +384,7 @@ int v3d_perfmon_destroy_ioctl(struct drm
+ {
+ struct v3d_file_priv *v3d_priv = file_priv->driver_priv;
+ struct drm_v3d_perfmon_destroy *req = data;
++ struct v3d_dev *v3d = v3d_priv->v3d;
+ struct v3d_perfmon *perfmon;
+
+ mutex_lock(&v3d_priv->perfmon.lock);
+@@ -393,6 +394,10 @@ int v3d_perfmon_destroy_ioctl(struct drm
+ if (!perfmon)
+ return -EINVAL;
+
++ /* If the active perfmon is being destroyed, stop it first */
++ if (perfmon == v3d->active_perfmon)
++ v3d_perfmon_stop(v3d, perfmon, false);
++
+ v3d_perfmon_put(perfmon);
+
+ return 0;
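Review bot: The added check `if (perfmon == v3d->active_perfmon)` in `v3d_perfmon_destroy_ioctl()` reads a device-wide pointer with no lock visible around it; the only lock in view is `v3d_priv->perfmon.lock`, which belongs to the file private data rather than to the device. If other code can set or clear `active_perfmon` concurrently (not visible here), the pointer may change between the comparison and `v3d_perfmon_stop()`, or become active just before `v3d_perfmon_put()`, which would leave the stale pointer this patch is meant to remove. I would either take whatever lock guards `active_perfmon` around the check and stop, or state the guarantee in a comment such as `/* active_perfmon cannot change here because <LOCK_OR_ORDERING, to be confirmed> */`. The lookup and the unlock of `perfmon.lock` fall between the two hunks and are not shown.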
diff --git a/queue-6.13/drm-xe-tracing-fix-a-potential-tp_printk-uaf.patch b/queue-6.13/drm-xe-tracing-fix-a-potential-tp_printk-uaf.patch
new file mode 100644
index 0000000000..4042811c85
--- /dev/null
+++ b/queue-6.13/drm-xe-tracing-fix-a-potential-tp_printk-uaf.patch
@@ -0,0 +1,72 @@
+From 07089083a526ea19daa72a1edf9d6e209615b77c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Hellstr=C3=B6m?=
+Date: Mon, 23 Dec 2024 14:42:50 +0100
+Subject: drm/xe/tracing: Fix a potential TP_printk UAF
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Hellström
+
+commit 07089083a526ea19daa72a1edf9d6e209615b77c upstream.
+
+The commit
+afd2627f727b ("tracing: Check "%s" dereference via the field and not the TP_printk format")
+exposes potential UAFs in the xe_bo_move trace event.
+
+Fix those by avoiding dereferencing the
+xe_mem_type_to_name[] array at TP_printk time.
+
+Since some code refactoring has taken place, explicit backporting may
+be needed for kernels older than 6.10.
+
+Fixes: e46d3f813abd ("drm/xe/trace: Extract bo, vm, vma traces")
+Cc: Gustavo Sousa
+Cc: Lucas De Marchi
+Cc: Radhakrishna Sripada
+Cc: Matt Roper
+Cc: "Thomas Hellström"
+Cc: Rodrigo Vivi
+Cc: intel-xe@lists.freedesktop.org
+Cc: # v6.11+
+Signed-off-by: Thomas Hellström
+Reviewed-by: Jonathan Cavitt
+Link: https://patchwork.freedesktop.org/patch/msgid/20241223134250.14345-1-thomas.hellstrom@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/xe/xe_trace_bo.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_trace_bo.h
++++ b/drivers/gpu/drm/xe/xe_trace_bo.h
+@@ -55,8 +55,8 @@ TRACE_EVENT(xe_bo_move,
+ TP_STRUCT__entry(
+ __field(struct xe_bo *, bo)
+ __field(size_t, size)
+- __field(u32, new_placement)
+- __field(u32, old_placement)
++ __string(new_placement_name, xe_mem_type_to_name[new_placement])
++ __string(old_placement_name, xe_mem_type_to_name[old_placement])
+ __string(device_id, __dev_name_bo(bo))
+ __field(bool, move_lacks_source)
+ ),
+@@ -64,15 +64,15 @@ TRACE_EVENT(xe_bo_move,
+ TP_fast_assign(
+ __entry->bo = bo;
+ __entry->size = bo->size;
+- __entry->new_placement = new_placement;
+- __entry->old_placement = old_placement;
++ __assign_str(new_placement_name);
++ __assign_str(old_placement_name);
+ __assign_str(device_id);
+ __entry->move_lacks_source = move_lacks_source;
+ ),
+ TP_printk("move_lacks_source:%s, migrate object %p [size %zu] from %s to %s device_id:%s",
+ __entry->move_lacks_source ? "yes" : "no", __entry->bo, __entry->size,
+- xe_mem_type_to_name[__entry->old_placement],
+- xe_mem_type_to_name[__entry->new_placement], __get_str(device_id))
++ __get_str(old_placement_name),
++ __get_str(new_placement_name), __get_str(device_id))
+ );
+
+ DECLARE_EVENT_CLASS(xe_vma,
diff --git a/queue-6.13/drm-zynqmp_dp-fix-integer-overflow-in-zynqmp_dp_rate_get.patch b/queue-6.13/drm-zynqmp_dp-fix-integer-overflow-in-zynqmp_dp_rate_get.patch
new file mode 100644
index 0000000000..22274045e2
--- /dev/null
+++ b/queue-6.13/drm-zynqmp_dp-fix-integer-overflow-in-zynqmp_dp_rate_get.patch
@@ -0,0 +1,45 @@
+From 67a615c5cb6dc33ed35492dc0d67e496cbe8de68 Mon Sep 17 00:00:00 2001
+From: Karol Przybylski
+Date: Sun, 15 Dec 2024 13:53:55 +0100
+Subject: drm: zynqmp_dp: Fix integer overflow in zynqmp_dp_rate_get()
+
+From: Karol Przybylski
+
+commit 67a615c5cb6dc33ed35492dc0d67e496cbe8de68 upstream.
+
+This patch fixes a potential integer overflow in the zynqmp_dp_rate_get()
+
+The issue comes up when the expression
+drm_dp_bw_code_to_link_rate(dp->test.bw_code) * 10000 is evaluated using 32-bit
+Now the constant is a compatible 64-bit type.
+
+Resolves coverity issues: CID 1636340 and CID 1635811
+
+Cc: stable@vger.kernel.org
+Fixes: 28edaacb821c ("drm: zynqmp_dp: Add debugfs interface for compliance testing")
+Signed-off-by: Karol Przybylski
+Reviewed-by: Laurent Pinchart
+Link: https://lore.kernel.org/stable/20241212095057.1015146-1-karprzy7%40gmail.com
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20241215125355.938953-1-karprzy7@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/xlnx/zynqmp_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/xlnx/zynqmp_dp.c b/drivers/gpu/drm/xlnx/zynqmp_dp.c
+index 25c5dc61ee88..56a261a40ea3 100644
+--- a/drivers/gpu/drm/xlnx/zynqmp_dp.c
++++ b/drivers/gpu/drm/xlnx/zynqmp_dp.c
+@@ -2190,7 +2190,7 @@ static int zynqmp_dp_rate_get(void *data, u64 *val)
+ struct zynqmp_dp *dp = data;
+
+ mutex_lock(&dp->lock);
+- *val = drm_dp_bw_code_to_link_rate(dp->test.bw_code) * 10000;
++ *val = drm_dp_bw_code_to_link_rate(dp->test.bw_code) * 10000ULL;
+ mutex_unlock(&dp->lock);
+ return 0;
+ }
+--
+2.48.1
+
diff --git a/queue-6.13/series b/queue-6.13/series
index cf4b9972c9..c8f1c8ee9f 100644
--- a/queue-6.13/series
+++ b/queue-6.13/series
@@ -249,3 +249,13 @@ ipv6-mcast-add-rcu-protection-to-mld_newpack.patch
 s390-qeth-move-netif_napi_add_tx-and-napi_enable-fro.patch
 reapply-net-skb-introduce-and-use-a-single-page-frag.patch
 io_uring-uring_cmd-unconditionally-copy-sqes-at-prep.patch
+drm-tidss-fix-issue-in-irq-handling-causing-irq-flood-issue.patch
+drm-tidss-fix-race-condition-while-handling-interrupt-registers.patch
+drm-tidss-clear-the-interrupt-status-for-interrupts-being-disabled.patch
+drm-msm-gem-prevent-integer-overflow-in-msm_ioctl_gem_submit.patch
+drm-rcar-du-dsi-fix-phy-lock-bit-check.patch
+drm-msm-dpu-fix-x1e80100-intf_6-underrun-vsync-interrupt.patch
+drm-msm-dpu1-don-t-choke-on-disabling-the-writeback-connector.patch
+drm-v3d-stop-active-perfmon-if-it-is-being-destroyed.patch
+drm-zynqmp_dp-fix-integer-overflow-in-zynqmp_dp_rate_get.patch
+drm-xe-tracing-fix-a-potential-tp_printk-uaf.patch