From: Sasha Levin Date: Wed, 4 Sep 2024 17:42:41 +0000 (-0400) Subject: Fixes for 6.6 X-Git-Tag: v6.1.109~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e52fbe17cb341864f5ffb4009049b80c2db6e40a;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.6 Signed-off-by: Sasha Levin --- diff --git a/queue-6.6/apparmor-fix-possible-null-pointer-dereference.patch b/queue-6.6/apparmor-fix-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..59fe2024a55 --- /dev/null +++ b/queue-6.6/apparmor-fix-possible-null-pointer-dereference.patch @@ -0,0 +1,107 @@ +From 3c6572b881997de08171134fb44985ac90d0e006 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 01:12:29 +0900 +Subject: apparmor: fix possible NULL pointer dereference + +From: Leesoo Ahn + +[ Upstream commit 3dd384108d53834002be5630132ad5c3f32166ad ] + +profile->parent->dents[AAFS_PROF_DIR] could be NULL only if its parent is made +from __create_missing_ancestors(..) and 'ent->old' is NULL in +aa_replace_profiles(..). +In that case, it must return an error code and the code, -ENOENT represents +its state that the path of its parent is not existed yet. + +BUG: kernel NULL pointer dereference, address: 0000000000000030 +PGD 0 P4D 0 +PREEMPT SMP PTI +CPU: 4 PID: 3362 Comm: apparmor_parser Not tainted 6.8.0-24-generic #24 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 +RIP: 0010:aafs_create.constprop.0+0x7f/0x130 +Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae +RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0 +Call Trace: + + ? show_regs+0x6d/0x80 + ? __die+0x24/0x80 + ? page_fault_oops+0x99/0x1b0 + ? kernelmode_fixup_or_oops+0xb2/0x140 + ? __bad_area_nosemaphore+0x1a5/0x2c0 + ? find_vma+0x34/0x60 + ? bad_area_nosemaphore+0x16/0x30 + ? do_user_addr_fault+0x2a2/0x6b0 + ? exc_page_fault+0x83/0x1b0 + ? asm_exc_page_fault+0x27/0x30 + ? aafs_create.constprop.0+0x7f/0x130 + ? aafs_create.constprop.0+0x51/0x130 + __aafs_profile_mkdir+0x3d6/0x480 + aa_replace_profiles+0x83f/0x1270 + policy_update+0xe3/0x180 + profile_load+0xbc/0x150 + ? rw_verify_area+0x47/0x140 + vfs_write+0x100/0x480 + ? __x64_sys_openat+0x55/0xa0 + ? syscall_exit_to_user_mode+0x86/0x260 + ksys_write+0x73/0x100 + __x64_sys_write+0x19/0x30 + x64_sys_call+0x7e/0x25c0 + do_syscall_64+0x7f/0x180 + entry_SYSCALL_64_after_hwframe+0x78/0x80 +RIP: 0033:0x7be9f211c574 +Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d d5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89 +RSP: 002b:00007ffd26f2b8c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00005d504415e200 RCX: 00007be9f211c574 +RDX: 0000000000001fc1 RSI: 00005d504418bc80 RDI: 0000000000000004 +RBP: 0000000000001fc1 R08: 0000000000001fc1 R09: 0000000080000000 +R10: 0000000000000000 R11: 0000000000000202 R12: 00005d504418bc80 +R13: 0000000000000004 R14: 00007ffd26f2b9b0 R15: 00007ffd26f2ba30 + +Modules linked in: snd_seq_dummy snd_hrtimer qrtr snd_hda_codec_generic snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device i2c_i801 snd_timer i2c_smbus qxl snd soundcore drm_ttm_helper lpc_ich ttm joydev input_leds serio_raw mac_hid binfmt_misc msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs qemu_fw_cfg ip_tables x_tables autofs4 hid_generic usbhid hid ahci libahci psmouse virtio_rng xhci_pci xhci_pci_renesas +CR2: 0000000000000030 +---[ end trace 0000000000000000 ]--- +RIP: 0010:aafs_create.constprop.0+0x7f/0x130 +Code: 4c 63 e0 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 45 31 c9 45 31 d2 c3 cc cc cc cc <4d> 8b 55 30 4d 8d ba a0 00 00 00 4c 89 55 c0 4c 89 ff e8 7a 6a ae +RSP: 0018:ffffc9000b2c7c98 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: ffffc9000b2c7cd8 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82baac10 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +FS: 00007be9f22cf740(0000) GS:ffff88817bc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000030 CR3: 0000000134b08000 CR4: 00000000000006f0 + +Signed-off-by: Leesoo Ahn +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/apparmorfs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c +index 63ddefb6ddd1..23b2853ce3c4 100644 +--- a/security/apparmor/apparmorfs.c ++++ b/security/apparmor/apparmorfs.c +@@ -1698,6 +1698,10 @@ int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) + struct aa_profile *p; + p = aa_deref_parent(profile); + dent = prof_dir(p); ++ if (!dent) { ++ error = -ENOENT; ++ goto fail2; ++ } + /* adding to parent that previously didn't have children */ + dent = aafs_create_dir("profiles", dent); + if (IS_ERR(dent)) +-- +2.43.0 + diff --git a/queue-6.6/block-remove-the-blk_flush_integrity-call-in-blk_int.patch b/queue-6.6/block-remove-the-blk_flush_integrity-call-in-blk_int.patch new file mode 100644 index 00000000000..0ba5d6fdcf3 --- /dev/null +++ b/queue-6.6/block-remove-the-blk_flush_integrity-call-in-blk_int.patch @@ -0,0 +1,44 @@ +From e7991d5975f4f1d61bbdd41031f2a91036f4302a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Jun 2024 10:48:16 +0200 +Subject: block: remove the blk_flush_integrity call in + blk_integrity_unregister + +From: Christoph Hellwig + +[ Upstream commit e8bc14d116aeac8f0f133ec8d249acf4e0658da7 ] + +Now that there are no indirect calls for PI processing there is no +way to dereference a NULL pointer here. Additionally drivers now always +freeze the queue (or in case of stacking drivers use their internal +equivalent) around changing the integrity profile. + +This is effectively a revert of commit 3df49967f6f1 ("block: flush the +integrity workqueue in blk_integrity_unregister"). + +Signed-off-by: Christoph Hellwig +Reviewed-by: Martin K. Petersen +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20240613084839.1044015-7-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-integrity.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/block/blk-integrity.c b/block/blk-integrity.c +index d4e9b4556d14..5276c556a9df 100644 +--- a/block/blk-integrity.c ++++ b/block/blk-integrity.c +@@ -396,8 +396,6 @@ void blk_integrity_unregister(struct gendisk *disk) + if (!bi->profile) + return; + +- /* ensure all bios are off the integrity workqueue */ +- blk_flush_integrity(); + blk_queue_flag_clear(QUEUE_FLAG_STABLE_WRITES, disk->queue); + memset(bi, 0, sizeof(*bi)); + } +-- +2.43.0 + diff --git a/queue-6.6/cpufreq-scmi-avoid-overflow-of-target_freq-in-fast-s.patch b/queue-6.6/cpufreq-scmi-avoid-overflow-of-target_freq-in-fast-s.patch new file mode 100644 index 00000000000..ae8f9954202 --- /dev/null +++ b/queue-6.6/cpufreq-scmi-avoid-overflow-of-target_freq-in-fast-s.patch @@ -0,0 +1,41 @@ +From 2b6e20bbcb9bbd2d03b914700498cfa59ab3f050 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 May 2024 12:07:32 +0530 +Subject: cpufreq: scmi: Avoid overflow of target_freq in fast switch + +From: Jagadeesh Kona + +[ Upstream commit 074cffb5020ddcaa5fafcc55655e5da6ebe8c831 ] + +Conversion of target_freq to HZ in scmi_cpufreq_fast_switch() +can lead to overflow if the multiplied result is greater than +UINT_MAX, since type of target_freq is unsigned int. Avoid this +overflow by assigning target_freq to unsigned long variable for +converting it to HZ. + +Signed-off-by: Jagadeesh Kona +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/scmi-cpufreq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c +index 028df8a5f537..079940c69ee0 100644 +--- a/drivers/cpufreq/scmi-cpufreq.c ++++ b/drivers/cpufreq/scmi-cpufreq.c +@@ -62,9 +62,9 @@ static unsigned int scmi_cpufreq_fast_switch(struct cpufreq_policy *policy, + unsigned int target_freq) + { + struct scmi_data *priv = policy->driver_data; ++ unsigned long freq = target_freq; + +- if (!perf_ops->freq_set(ph, priv->domain_id, +- target_freq * 1000, true)) ++ if (!perf_ops->freq_set(ph, priv->domain_id, freq * 1000, true)) + return target_freq; + + return 0; +-- +2.43.0 + diff --git a/queue-6.6/crypto-stm32-cryp-call-finalize-with-bh-disabled.patch b/queue-6.6/crypto-stm32-cryp-call-finalize-with-bh-disabled.patch new file mode 100644 index 00000000000..bb5ac6ad287 --- /dev/null +++ b/queue-6.6/crypto-stm32-cryp-call-finalize-with-bh-disabled.patch @@ -0,0 +1,51 @@ +From 734a55b93e37faa76c92580dfb2549a0aadffc6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 May 2024 16:05:48 +0200 +Subject: crypto: stm32/cryp - call finalize with bh disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Méré + +[ Upstream commit 56ddb9aa3b324c2d9645b5a7343e46010cf3f6ce ] + +The finalize operation in interrupt mode produce a produces a spinlock +recursion warning. The reason is the fact that BH must be disabled +during this process. + +Signed-off-by: Maxime Méré +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/stm32/stm32-cryp.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/stm32/stm32-cryp.c b/drivers/crypto/stm32/stm32-cryp.c +index f095f0065428..2f1b82cf10b1 100644 +--- a/drivers/crypto/stm32/stm32-cryp.c ++++ b/drivers/crypto/stm32/stm32-cryp.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1665,8 +1666,11 @@ static irqreturn_t stm32_cryp_irq_thread(int irq, void *arg) + it_mask &= ~IMSCR_OUT; + stm32_cryp_write(cryp, cryp->caps->imsc, it_mask); + +- if (!cryp->payload_in && !cryp->header_in && !cryp->payload_out) ++ if (!cryp->payload_in && !cryp->header_in && !cryp->payload_out) { ++ local_bh_disable(); + stm32_cryp_finish_req(cryp, 0); ++ local_bh_enable(); ++ } + + return IRQ_HANDLED; + } +-- +2.43.0 + diff --git a/queue-6.6/dmaengine-altera-msgdma-properly-free-descriptor-in-.patch b/queue-6.6/dmaengine-altera-msgdma-properly-free-descriptor-in-.patch new file mode 100644 index 00000000000..6120fb8806f --- /dev/null +++ b/queue-6.6/dmaengine-altera-msgdma-properly-free-descriptor-in-.patch @@ -0,0 +1,55 @@ +From 2a34bf7cdaf2d11a8f312bbcef64b16f3d4498a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jun 2024 23:31:48 +0200 +Subject: dmaengine: altera-msgdma: properly free descriptor in + msgdma_free_descriptor + +From: Olivier Dautricourt + +[ Upstream commit 54e4ada1a4206f878e345ae01cf37347d803d1b1 ] + +Remove list_del call in msgdma_chan_desc_cleanup, this should be the role +of msgdma_free_descriptor. In consequence replace list_add_tail with +list_move_tail in msgdma_free_descriptor. + +This fixes the path: + msgdma_free_chan_resources -> msgdma_free_descriptors -> + msgdma_free_desc_list -> msgdma_free_descriptor + +which does not correctly free the descriptors as first nodes were not +removed from the list. + +Signed-off-by: Olivier Dautricourt +Tested-by: Olivier Dautricourt +Link: https://lore.kernel.org/r/20240608213216.25087-3-olivierdautricourt@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/altera-msgdma.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/dma/altera-msgdma.c b/drivers/dma/altera-msgdma.c +index 8c479a3676fc..711e3756a39a 100644 +--- a/drivers/dma/altera-msgdma.c ++++ b/drivers/dma/altera-msgdma.c +@@ -233,7 +233,7 @@ static void msgdma_free_descriptor(struct msgdma_device *mdev, + struct msgdma_sw_desc *child, *next; + + mdev->desc_free_cnt++; +- list_add_tail(&desc->node, &mdev->free_list); ++ list_move_tail(&desc->node, &mdev->free_list); + list_for_each_entry_safe(child, next, &desc->tx_list, node) { + mdev->desc_free_cnt++; + list_move_tail(&child->node, &mdev->free_list); +@@ -588,8 +588,6 @@ static void msgdma_chan_desc_cleanup(struct msgdma_device *mdev) + list_for_each_entry_safe(desc, next, &mdev->done_list, node) { + struct dmaengine_desc_callback cb; + +- list_del(&desc->node); +- + dmaengine_desc_get_callback(&desc->async_tx, &cb); + if (dmaengine_desc_callback_valid(&cb)) { + spin_unlock_irqrestore(&mdev->lock, irqflags); +-- +2.43.0 + diff --git a/queue-6.6/dmaengine-altera-msgdma-use-irq-variant-of-spin_lock.patch b/queue-6.6/dmaengine-altera-msgdma-use-irq-variant-of-spin_lock.patch new file mode 100644 index 00000000000..014cbca63d9 --- /dev/null +++ b/queue-6.6/dmaengine-altera-msgdma-use-irq-variant-of-spin_lock.patch @@ -0,0 +1,51 @@ +From b81b04e762943dd7ec8d7a821826918889bd74c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jun 2024 23:31:46 +0200 +Subject: dmaengine: altera-msgdma: use irq variant of spin_lock/unlock while + invoking callbacks + +From: Olivier Dautricourt + +[ Upstream commit 261d3a85d959841821ca0d69f9d7b0d4087661c4 ] + +As we first take the lock with spin_lock_irqsave in msgdma_tasklet, Lockdep +might complain about this. Inspired by commit 9558cf4ad07e +("dmaengine: zynqmp_dma: fix lockdep warning in tasklet") + +Signed-off-by: Olivier Dautricourt +Tested-by: Olivier Dautricourt +Suggested-by: Eric Schwarz +Link: https://lore.kernel.org/r/20240608213216.25087-1-olivierdautricourt@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/altera-msgdma.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/altera-msgdma.c b/drivers/dma/altera-msgdma.c +index 4153c2edb049..8c479a3676fc 100644 +--- a/drivers/dma/altera-msgdma.c ++++ b/drivers/dma/altera-msgdma.c +@@ -583,6 +583,7 @@ static void msgdma_issue_pending(struct dma_chan *chan) + static void msgdma_chan_desc_cleanup(struct msgdma_device *mdev) + { + struct msgdma_sw_desc *desc, *next; ++ unsigned long irqflags; + + list_for_each_entry_safe(desc, next, &mdev->done_list, node) { + struct dmaengine_desc_callback cb; +@@ -591,9 +592,9 @@ static void msgdma_chan_desc_cleanup(struct msgdma_device *mdev) + + dmaengine_desc_get_callback(&desc->async_tx, &cb); + if (dmaengine_desc_callback_valid(&cb)) { +- spin_unlock(&mdev->lock); ++ spin_unlock_irqrestore(&mdev->lock, irqflags); + dmaengine_desc_callback_invoke(&cb, NULL); +- spin_lock(&mdev->lock); ++ spin_lock_irqsave(&mdev->lock, irqflags); + } + + /* Run any dependencies, then free the descriptor */ +-- +2.43.0 + diff --git a/queue-6.6/driver-iio-add-missing-checks-on-iio_info-s-callback.patch b/queue-6.6/driver-iio-add-missing-checks-on-iio_info-s-callback.patch new file mode 100644 index 00000000000..30cbae75a36 --- /dev/null +++ b/queue-6.6/driver-iio-add-missing-checks-on-iio_info-s-callback.patch @@ -0,0 +1,174 @@ +From 710237f902b96498583d6ed0dab4b826edb0504e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 May 2024 11:22:46 +0200 +Subject: driver: iio: add missing checks on iio_info's callback access + +From: Julien Stephan + +[ Upstream commit c4ec8dedca961db056ec85cb7ca8c9f7e2e92252 ] + +Some callbacks from iio_info structure are accessed without any check, so +if a driver doesn't implement them trying to access the corresponding +sysfs entries produce a kernel oops such as: + +[ 2203.527791] Unable to handle kernel NULL pointer dereference at virtual address 00000000 when execute +[...] +[ 2203.783416] Call trace: +[ 2203.783429] iio_read_channel_info_avail from dev_attr_show+0x18/0x48 +[ 2203.789807] dev_attr_show from sysfs_kf_seq_show+0x90/0x120 +[ 2203.794181] sysfs_kf_seq_show from seq_read_iter+0xd0/0x4e4 +[ 2203.798555] seq_read_iter from vfs_read+0x238/0x2a0 +[ 2203.802236] vfs_read from ksys_read+0xa4/0xd4 +[ 2203.805385] ksys_read from ret_fast_syscall+0x0/0x54 +[ 2203.809135] Exception stack(0xe0badfa8 to 0xe0badff0) +[ 2203.812880] dfa0: 00000003 b6f10f80 00000003 b6eab000 00020000 00000000 +[ 2203.819746] dfc0: 00000003 b6f10f80 7ff00000 00000003 00000003 00000000 00020000 00000000 +[ 2203.826619] dfe0: b6e1bc88 bed80958 b6e1bc94 b6e1bcb0 +[ 2203.830363] Code: bad PC value +[ 2203.832695] ---[ end trace 0000000000000000 ]--- + +Reviewed-by: Nuno Sa +Signed-off-by: Julien Stephan +Link: https://lore.kernel.org/r/20240530-iio-core-fix-segfault-v3-1-8b7cd2a03773@baylibre.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/industrialio-core.c | 7 ++++++- + drivers/iio/industrialio-event.c | 9 +++++++++ + drivers/iio/inkern.c | 32 ++++++++++++++++++++++---------- + 3 files changed, 37 insertions(+), 11 deletions(-) + +diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c +index 5e1a85ca1211..121bde49ccb7 100644 +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -752,9 +752,11 @@ static ssize_t iio_read_channel_info(struct device *dev, + INDIO_MAX_RAW_ELEMENTS, + vals, &val_len, + this_attr->address); +- else ++ else if (indio_dev->info->read_raw) + ret = indio_dev->info->read_raw(indio_dev, this_attr->c, + &vals[0], &vals[1], this_attr->address); ++ else ++ return -EINVAL; + + if (ret < 0) + return ret; +@@ -836,6 +838,9 @@ static ssize_t iio_read_channel_info_avail(struct device *dev, + int length; + int type; + ++ if (!indio_dev->info->read_avail) ++ return -EINVAL; ++ + ret = indio_dev->info->read_avail(indio_dev, this_attr->c, + &vals, &type, &length, + this_attr->address); +diff --git a/drivers/iio/industrialio-event.c b/drivers/iio/industrialio-event.c +index 19f7a91157ee..f67e4afa5f94 100644 +--- a/drivers/iio/industrialio-event.c ++++ b/drivers/iio/industrialio-event.c +@@ -285,6 +285,9 @@ static ssize_t iio_ev_state_store(struct device *dev, + if (ret < 0) + return ret; + ++ if (!indio_dev->info->write_event_config) ++ return -EINVAL; ++ + ret = indio_dev->info->write_event_config(indio_dev, + this_attr->c, iio_ev_attr_type(this_attr), + iio_ev_attr_dir(this_attr), val); +@@ -300,6 +303,9 @@ static ssize_t iio_ev_state_show(struct device *dev, + struct iio_dev_attr *this_attr = to_iio_dev_attr(attr); + int val; + ++ if (!indio_dev->info->read_event_config) ++ return -EINVAL; ++ + val = indio_dev->info->read_event_config(indio_dev, + this_attr->c, iio_ev_attr_type(this_attr), + iio_ev_attr_dir(this_attr)); +@@ -318,6 +324,9 @@ static ssize_t iio_ev_value_show(struct device *dev, + int val, val2, val_arr[2]; + int ret; + ++ if (!indio_dev->info->read_event_value) ++ return -EINVAL; ++ + ret = indio_dev->info->read_event_value(indio_dev, + this_attr->c, iio_ev_attr_type(this_attr), + iio_ev_attr_dir(this_attr), iio_ev_attr_info(this_attr), +diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c +index 7a1f6713318a..b85556538475 100644 +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -562,6 +562,7 @@ EXPORT_SYMBOL_GPL(devm_iio_channel_get_all); + static int iio_channel_read(struct iio_channel *chan, int *val, int *val2, + enum iio_chan_info_enum info) + { ++ const struct iio_info *iio_info = chan->indio_dev->info; + int unused; + int vals[INDIO_MAX_RAW_ELEMENTS]; + int ret; +@@ -573,15 +574,18 @@ static int iio_channel_read(struct iio_channel *chan, int *val, int *val2, + if (!iio_channel_has_info(chan->channel, info)) + return -EINVAL; + +- if (chan->indio_dev->info->read_raw_multi) { +- ret = chan->indio_dev->info->read_raw_multi(chan->indio_dev, +- chan->channel, INDIO_MAX_RAW_ELEMENTS, +- vals, &val_len, info); ++ if (iio_info->read_raw_multi) { ++ ret = iio_info->read_raw_multi(chan->indio_dev, ++ chan->channel, ++ INDIO_MAX_RAW_ELEMENTS, ++ vals, &val_len, info); + *val = vals[0]; + *val2 = vals[1]; ++ } else if (iio_info->read_raw) { ++ ret = iio_info->read_raw(chan->indio_dev, ++ chan->channel, val, val2, info); + } else { +- ret = chan->indio_dev->info->read_raw(chan->indio_dev, +- chan->channel, val, val2, info); ++ return -EINVAL; + } + + return ret; +@@ -801,11 +805,15 @@ static int iio_channel_read_avail(struct iio_channel *chan, + const int **vals, int *type, int *length, + enum iio_chan_info_enum info) + { ++ const struct iio_info *iio_info = chan->indio_dev->info; ++ + if (!iio_channel_has_available(chan->channel, info)) + return -EINVAL; + +- return chan->indio_dev->info->read_avail(chan->indio_dev, chan->channel, +- vals, type, length, info); ++ if (iio_info->read_avail) ++ return iio_info->read_avail(chan->indio_dev, chan->channel, ++ vals, type, length, info); ++ return -EINVAL; + } + + int iio_read_avail_channel_attribute(struct iio_channel *chan, +@@ -995,8 +1003,12 @@ EXPORT_SYMBOL_GPL(iio_get_channel_type); + static int iio_channel_write(struct iio_channel *chan, int val, int val2, + enum iio_chan_info_enum info) + { +- return chan->indio_dev->info->write_raw(chan->indio_dev, +- chan->channel, val, val2, info); ++ const struct iio_info *iio_info = chan->indio_dev->info; ++ ++ if (iio_info->write_raw) ++ return iio_info->write_raw(chan->indio_dev, ++ chan->channel, val, val2, info); ++ return -EINVAL; + } + + int iio_write_channel_attribute(struct iio_channel *chan, int val, int val2, +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-amdgpu-check-tbo-resource-pointer.patch b/queue-6.6/drm-amd-amdgpu-check-tbo-resource-pointer.patch new file mode 100644 index 00000000000..e00819a9c76 --- /dev/null +++ b/queue-6.6/drm-amd-amdgpu-check-tbo-resource-pointer.patch @@ -0,0 +1,40 @@ +From 1bf32e3a831e967e198780578926643abf9cdacb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 02:26:55 +0800 +Subject: drm/amd/amdgpu: Check tbo resource pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Asad Kamal + +[ Upstream commit 6cd2b872643bb29bba01a8ac739138db7bd79007 ] + +Validate tbo resource pointer, skip if NULL + +Signed-off-by: Asad Kamal +Reviewed-by: Christian König +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index eb663eb81156..251627c91f98 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -4480,7 +4480,8 @@ static int amdgpu_device_recover_vram(struct amdgpu_device *adev) + shadow = vmbo->shadow; + + /* No need to recover an evicted BO */ +- if (shadow->tbo.resource->mem_type != TTM_PL_TT || ++ if (!shadow->tbo.resource || ++ shadow->tbo.resource->mem_type != TTM_PL_TT || + shadow->tbo.resource->start == AMDGPU_BO_INVALID_OFFSET || + shadow->parent->tbo.resource->mem_type != TTM_PL_VRAM) + continue; +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-add-array-index-check-for-hdcp-ddc-a.patch b/queue-6.6/drm-amd-display-add-array-index-check-for-hdcp-ddc-a.patch new file mode 100644 index 00000000000..cce89e696dd --- /dev/null +++ b/queue-6.6/drm-amd-display-add-array-index-check-for-hdcp-ddc-a.patch @@ -0,0 +1,95 @@ +From f5079f8231de9f5b2e40fd1dd6af02f662493001 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 10:09:31 -0400 +Subject: drm/amd/display: Add array index check for hdcp ddc access + +From: Hersen Wu + +[ Upstream commit 4e70c0f5251c25885c31ee84a31f99a01f7cf50e ] + +[Why] +Coverity reports OVERRUN warning. Do not check if array +index valid. + +[How] +Check msg_id valid and valid array index. + +Reviewed-by: Alex Hung +Acked-by: Tom Chung +Signed-off-by: Hersen Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/display/modules/hdcp/hdcp_ddc.c | 28 ++++++++++++++++--- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c +index 8e9caae7c955..1b2df97226a3 100644 +--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c ++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c +@@ -156,11 +156,16 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp, + uint32_t cur_size = 0; + uint32_t data_offset = 0; + +- if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { ++ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID || ++ msg_id >= MOD_HDCP_MESSAGE_ID_MAX) + return MOD_HDCP_STATUS_DDC_FAILURE; +- } + + if (is_dp_hdcp(hdcp)) { ++ int num_dpcd_addrs = sizeof(hdcp_dpcd_addrs) / ++ sizeof(hdcp_dpcd_addrs[0]); ++ if (msg_id >= num_dpcd_addrs) ++ return MOD_HDCP_STATUS_DDC_FAILURE; ++ + while (buf_len > 0) { + cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); + success = hdcp->config.ddc.funcs.read_dpcd(hdcp->config.ddc.handle, +@@ -175,6 +180,11 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp, + data_offset += cur_size; + } + } else { ++ int num_i2c_offsets = sizeof(hdcp_i2c_offsets) / ++ sizeof(hdcp_i2c_offsets[0]); ++ if (msg_id >= num_i2c_offsets) ++ return MOD_HDCP_STATUS_DDC_FAILURE; ++ + success = hdcp->config.ddc.funcs.read_i2c( + hdcp->config.ddc.handle, + HDCP_I2C_ADDR, +@@ -219,11 +229,16 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp, + uint32_t cur_size = 0; + uint32_t data_offset = 0; + +- if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) { ++ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID || ++ msg_id >= MOD_HDCP_MESSAGE_ID_MAX) + return MOD_HDCP_STATUS_DDC_FAILURE; +- } + + if (is_dp_hdcp(hdcp)) { ++ int num_dpcd_addrs = sizeof(hdcp_dpcd_addrs) / ++ sizeof(hdcp_dpcd_addrs[0]); ++ if (msg_id >= num_dpcd_addrs) ++ return MOD_HDCP_STATUS_DDC_FAILURE; ++ + while (buf_len > 0) { + cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE); + success = hdcp->config.ddc.funcs.write_dpcd( +@@ -239,6 +254,11 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp, + data_offset += cur_size; + } + } else { ++ int num_i2c_offsets = sizeof(hdcp_i2c_offsets) / ++ sizeof(hdcp_i2c_offsets[0]); ++ if (msg_id >= num_i2c_offsets) ++ return MOD_HDCP_STATUS_DDC_FAILURE; ++ + hdcp->buf[0] = hdcp_i2c_offsets[msg_id]; + memmove(&hdcp->buf[1], buf, buf_len); + success = hdcp->config.ddc.funcs.write_i2c( +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-added-null-check-at-start-of-dc_vali.patch b/queue-6.6/drm-amd-display-added-null-check-at-start-of-dc_vali.patch new file mode 100644 index 00000000000..cfd7c84b26c --- /dev/null +++ b/queue-6.6/drm-amd-display-added-null-check-at-start-of-dc_vali.patch @@ -0,0 +1,43 @@ +From 3b64afbcb7a0b52c322cb68e5c151cbf23ab882c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 May 2024 08:51:19 -0400 +Subject: drm/amd/display: added NULL check at start of dc_validate_stream + +From: winstang + +[ Upstream commit 26c56049cc4f1705b498df013949427692a4b0d5 ] + +[Why] +prevent invalid memory access + +[How] +check if dc and stream are NULL + +Co-authored-by: winstang +Reviewed-by: Alvin Lee +Acked-by: Zaeem Mohamed +Signed-off-by: winstang +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +index 84923c5400d3..733e445331ea 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c +@@ -3927,6 +3927,9 @@ void resource_build_bit_depth_reduction_params(struct dc_stream_state *stream, + + enum dc_status dc_validate_stream(struct dc *dc, struct dc_stream_state *stream) + { ++ if (dc == NULL || stream == NULL) ++ return DC_ERROR_UNEXPECTED; ++ + struct dc_link *link = stream->link; + struct timing_generator *tg = dc->res_pool->timing_generators[0]; + enum dc_status res = DC_OK; +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-assign-linear_pitch_alignment-even-f.patch b/queue-6.6/drm-amd-display-assign-linear_pitch_alignment-even-f.patch new file mode 100644 index 00000000000..a249009726d --- /dev/null +++ b/queue-6.6/drm-amd-display-assign-linear_pitch_alignment-even-f.patch @@ -0,0 +1,38 @@ +From 038832e62f4c52565981ac6996541d6e586dccb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 14:42:18 -0400 +Subject: drm/amd/display: Assign linear_pitch_alignment even for VM + +From: Alvin Lee + +[ Upstream commit 984debc133efa05e62f5aa1a7a1dd8ca0ef041f4 ] + +[Description] +Assign linear_pitch_alignment so we don't cause a divide by 0 +error in VM environments + +Reviewed-by: Sohaib Nadeem +Acked-by: Wayne Lin +Signed-off-by: Alvin Lee +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index 72db370e2f21..50e643bfdfba 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -1298,6 +1298,7 @@ struct dc *dc_create(const struct dc_init_data *init_params) + return NULL; + + if (init_params->dce_environment == DCE_ENV_VIRTUAL_HW) { ++ dc->caps.linear_pitch_alignment = 64; + if (!dc_construct_ctx(dc, init_params)) + goto destruct_dc; + } else { +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-check-bios-images-before-it-is-used.patch b/queue-6.6/drm-amd-display-check-bios-images-before-it-is-used.patch new file mode 100644 index 00000000000..725680210c9 --- /dev/null +++ b/queue-6.6/drm-amd-display-check-bios-images-before-it-is-used.patch @@ -0,0 +1,86 @@ +From 27ef795b2472b3d4f55d9658ae210712b76c16eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jun 2024 08:24:13 -0600 +Subject: drm/amd/display: Check BIOS images before it is used + +From: Alex Hung + +[ Upstream commit 8b0ddf19cca2a352b2a7e01d99d3ba949a99c84c ] + +BIOS images may fail to load and null checks are added before they are +used. + +This fixes 6 NULL_RETURNS issues reported by Coverity. + +Reviewed-by: Harry Wentland +Acked-by: Hamza Mahfooz +Signed-off-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c +index 19cd1bd844df..684b005f564c 100644 +--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c ++++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c +@@ -667,6 +667,9 @@ static enum bp_result get_ss_info_v3_1( + ss_table_header_include = ((ATOM_ASIC_INTERNAL_SS_INFO_V3 *) bios_get_image(&bp->base, + DATA_TABLES(ASIC_InternalSS_Info), + struct_size(ss_table_header_include, asSpreadSpectrum, 1))); ++ if (!ss_table_header_include) ++ return BP_RESULT_UNSUPPORTED; ++ + table_size = + (le16_to_cpu(ss_table_header_include->sHeader.usStructureSize) + - sizeof(ATOM_COMMON_TABLE_HEADER)) +@@ -1036,6 +1039,8 @@ static enum bp_result get_ss_info_from_internal_ss_info_tbl_V2_1( + &bp->base, + DATA_TABLES(ASIC_InternalSS_Info), + struct_size(header, asSpreadSpectrum, 1))); ++ if (!header) ++ return result; + + memset(info, 0, sizeof(struct spread_spectrum_info)); + +@@ -1109,6 +1114,8 @@ static enum bp_result get_ss_info_from_ss_info_table( + get_atom_data_table_revision(header, &revision); + + tbl = GET_IMAGE(ATOM_SPREAD_SPECTRUM_INFO, DATA_TABLES(SS_Info)); ++ if (!tbl) ++ return result; + + if (1 != revision.major || 2 > revision.minor) + return result; +@@ -1636,6 +1643,8 @@ static uint32_t get_ss_entry_number_from_ss_info_tbl( + + tbl = GET_IMAGE(ATOM_SPREAD_SPECTRUM_INFO, + DATA_TABLES(SS_Info)); ++ if (!tbl) ++ return number; + + if (1 != revision.major || 2 > revision.minor) + return number; +@@ -1718,6 +1727,8 @@ static uint32_t get_ss_entry_number_from_internal_ss_info_tbl_v2_1( + &bp->base, + DATA_TABLES(ASIC_InternalSS_Info), + struct_size(header_include, asSpreadSpectrum, 1))); ++ if (!header_include) ++ return 0; + + size = (le16_to_cpu(header_include->sHeader.usStructureSize) + - sizeof(ATOM_COMMON_TABLE_HEADER)) +@@ -1756,6 +1767,9 @@ static uint32_t get_ss_entry_number_from_internal_ss_info_tbl_V3_1( + header_include = ((ATOM_ASIC_INTERNAL_SS_INFO_V3 *) bios_get_image(&bp->base, + DATA_TABLES(ASIC_InternalSS_Info), + struct_size(header_include, asSpreadSpectrum, 1))); ++ if (!header_include) ++ return number; ++ + size = (le16_to_cpu(header_include->sHeader.usStructureSize) - + sizeof(ATOM_COMMON_TABLE_HEADER)) / + sizeof(ATOM_ASIC_SS_ASSIGNMENT_V3); +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-check-gpio_id-before-used-as-array-i.patch b/queue-6.6/drm-amd-display-check-gpio_id-before-used-as-array-i.patch new file mode 100644 index 00000000000..b442e4967f6 --- /dev/null +++ b/queue-6.6/drm-amd-display-check-gpio_id-before-used-as-array-i.patch @@ -0,0 +1,80 @@ +From 2da497715af85a7341cd479af855e50e77b648d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 16:40:00 -0600 +Subject: drm/amd/display: Check gpio_id before used as array index + +From: Alex Hung + +[ Upstream commit 2a5626eeb3b5eec7a36886f9556113dd93ec8ed6 ] + +[WHY & HOW] +GPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore +should be checked in advance. + +This fixes 5 OVERRUN issues reported by Coverity. + +Reviewed-by: Harry Wentland +Acked-by: Tom Chung +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c +index 3ede6e02c3a7..2f8ca831afa2 100644 +--- a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c ++++ b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c +@@ -239,6 +239,9 @@ static bool is_pin_busy( + enum gpio_id id, + uint32_t en) + { ++ if (id == GPIO_ID_UNKNOWN) ++ return false; ++ + return service->busyness[id][en]; + } + +@@ -247,6 +250,9 @@ static void set_pin_busy( + enum gpio_id id, + uint32_t en) + { ++ if (id == GPIO_ID_UNKNOWN) ++ return; ++ + service->busyness[id][en] = true; + } + +@@ -255,6 +261,9 @@ static void set_pin_free( + enum gpio_id id, + uint32_t en) + { ++ if (id == GPIO_ID_UNKNOWN) ++ return; ++ + service->busyness[id][en] = false; + } + +@@ -263,7 +272,7 @@ enum gpio_result dal_gpio_service_lock( + enum gpio_id id, + uint32_t en) + { +- if (!service->busyness[id]) { ++ if (id != GPIO_ID_UNKNOWN && !service->busyness[id]) { + ASSERT_CRITICAL(false); + return GPIO_RESULT_OPEN_FAILED; + } +@@ -277,7 +286,7 @@ enum gpio_result dal_gpio_service_unlock( + enum gpio_id id, + uint32_t en) + { +- if (!service->busyness[id]) { ++ if (id != GPIO_ID_UNKNOWN && !service->busyness[id]) { + ASSERT_CRITICAL(false); + return GPIO_RESULT_OPEN_FAILED; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-check-index-for-aux_rd_interval-befo.patch b/queue-6.6/drm-amd-display-check-index-for-aux_rd_interval-befo.patch new file mode 100644 index 00000000000..f4862712bd8 --- /dev/null +++ b/queue-6.6/drm-amd-display-check-index-for-aux_rd_interval-befo.patch @@ -0,0 +1,43 @@ +From 8b8579044f9bb082bbcd1e548dda23fb7ee316f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Apr 2024 18:22:43 -0600 +Subject: drm/amd/display: Check index for aux_rd_interval before using + +From: Alex Hung + +[ Upstream commit 9ba2ea6337b4f159aecb177555a6a81da92d302e ] + +aux_rd_interval has size of 7 and should be checked. + +This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity. + +Reviewed-by: Rodrigo Siqueira +Acked-by: Tom Chung +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/dc/link/protocols/link_dp_training.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c +index 16a62e018712..9d1adfc09fb2 100644 +--- a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c ++++ b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training.c +@@ -914,10 +914,10 @@ static enum dc_status configure_lttpr_mode_non_transparent( + /* Driver does not need to train the first hop. Skip DPCD read and clear + * AUX_RD_INTERVAL for DPTX-to-DPIA hop. + */ +- if (link->ep_type == DISPLAY_ENDPOINT_USB4_DPIA) ++ if (link->ep_type == DISPLAY_ENDPOINT_USB4_DPIA && repeater_cnt > 0 && repeater_cnt < MAX_REPEATER_CNT) + link->dpcd_caps.lttpr_caps.aux_rd_interval[--repeater_cnt] = 0; + +- for (repeater_id = repeater_cnt; repeater_id > 0; repeater_id--) { ++ for (repeater_id = repeater_cnt; repeater_id > 0 && repeater_id < MAX_REPEATER_CNT; repeater_id--) { + aux_interval_address = DP_TRAINING_AUX_RD_INTERVAL_PHY_REPEATER1 + + ((DP_REPEATER_CONFIGURATION_AND_STATUS_SIZE) * (repeater_id - 1)); + core_link_read_dpcd( +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-check-msg_id-before-processing-trans.patch b/queue-6.6/drm-amd-display-check-msg_id-before-processing-trans.patch new file mode 100644 index 00000000000..763ac0171df --- /dev/null +++ b/queue-6.6/drm-amd-display-check-msg_id-before-processing-trans.patch @@ -0,0 +1,68 @@ +From 88de6dfafcd682866bc4426a1ff39e876b02d1b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 16:47:42 -0600 +Subject: drm/amd/display: Check msg_id before processing transcation + +From: Alex Hung + +[ Upstream commit fa71face755e27dc44bc296416ebdf2c67163316 ] + +[WHY & HOW] +HDCP_MESSAGE_ID_INVALID (-1) is not a valid msg_id nor is it a valid +array index, and it needs checking before used. + +This fixes 4 OVERRUN issues reported by Coverity. + +Reviewed-by: Harry Wentland +Acked-by: Tom Chung +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c +index 25ffc052d53b..df2cb5279ce5 100644 +--- a/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c ++++ b/drivers/gpu/drm/amd/display/dc/hdcp/hdcp_msg.c +@@ -130,13 +130,21 @@ static bool hdmi_14_process_transaction( + const uint8_t hdcp_i2c_addr_link_primary = 0x3a; /* 0x74 >> 1*/ + const uint8_t hdcp_i2c_addr_link_secondary = 0x3b; /* 0x76 >> 1*/ + struct i2c_command i2c_command; +- uint8_t offset = hdcp_i2c_offsets[message_info->msg_id]; ++ uint8_t offset; + struct i2c_payload i2c_payloads[] = { +- { true, 0, 1, &offset }, ++ { true, 0, 1, 0 }, + /* actual hdcp payload, will be filled later, zeroed for now*/ + { 0 } + }; + ++ if (message_info->msg_id == HDCP_MESSAGE_ID_INVALID) { ++ DC_LOG_ERROR("%s: Invalid message_info msg_id - %d\n", __func__, message_info->msg_id); ++ return false; ++ } ++ ++ offset = hdcp_i2c_offsets[message_info->msg_id]; ++ i2c_payloads[0].data = &offset; ++ + switch (message_info->link) { + case HDCP_LINK_SECONDARY: + i2c_payloads[0].address = hdcp_i2c_addr_link_secondary; +@@ -310,6 +318,11 @@ static bool dp_11_process_transaction( + struct dc_link *link, + struct hdcp_protection_message *message_info) + { ++ if (message_info->msg_id == HDCP_MESSAGE_ID_INVALID) { ++ DC_LOG_ERROR("%s: Invalid message_info msg_id - %d\n", __func__, message_info->msg_id); ++ return false; ++ } ++ + return dpcd_access_helper( + link, + message_info->length, +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-check-num_valid_sets-before-accessin.patch b/queue-6.6/drm-amd-display-check-num_valid_sets-before-accessin.patch new file mode 100644 index 00000000000..87ee731260c --- /dev/null +++ b/queue-6.6/drm-amd-display-check-num_valid_sets-before-accessin.patch @@ -0,0 +1,43 @@ +From faba96a94faacd36cfb8815cf6d9e2ea4d142ad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 16:22:35 -0600 +Subject: drm/amd/display: Check num_valid_sets before accessing + reader_wm_sets[] + +From: Alex Hung + +[ Upstream commit b38a4815f79b87efb196cd5121579fc51e29a7fb ] + +[WHY & HOW] +num_valid_sets needs to be checked to avoid a negative index when +accessing reader_wm_sets[num_valid_sets - 1]. + +This fixes an OVERRUN issue reported by Coverity. + +Reviewed-by: Harry Wentland +Acked-by: Tom Chung +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c +index 0c6a4ab72b1d..97cdc24cef9a 100644 +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn21/rn_clk_mgr.c +@@ -484,7 +484,8 @@ static void build_watermark_ranges(struct clk_bw_params *bw_params, struct pp_sm + ranges->reader_wm_sets[num_valid_sets].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX; + + /* Modify previous watermark range to cover up to max */ +- ranges->reader_wm_sets[num_valid_sets - 1].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX; ++ if (num_valid_sets > 0) ++ ranges->reader_wm_sets[num_valid_sets - 1].max_fill_clk_mhz = PP_SMU_WM_SET_RANGE_CLK_UNCONSTRAINED_MAX; + } + num_valid_sets++; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-correct-the-defined-value-for-amdgpu.patch b/queue-6.6/drm-amd-display-correct-the-defined-value-for-amdgpu.patch new file mode 100644 index 00000000000..d2b9e75204b --- /dev/null +++ b/queue-6.6/drm-amd-display-correct-the-defined-value-for-amdgpu.patch @@ -0,0 +1,41 @@ +From 14781b8233a79ac86fceb476eaf994f1681f0b24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 May 2024 15:33:48 +0800 +Subject: drm/amd/display: Correct the defined value for + AMDGPU_DMUB_NOTIFICATION_MAX + +From: Wayne Lin + +[ Upstream commit ad28d7c3d989fc5689581664653879d664da76f0 ] + +[Why & How] +It actually exposes '6' types in enum dmub_notification_type. Not 5. Using smaller +number to create array dmub_callback & dmub_thread_offload has potential to access +item out of array bound. Fix it. + +Reviewed-by: Jerry Zuo +Acked-by: Zaeem Mohamed +Signed-off-by: Wayne Lin +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h +index 9e4cc5eeda76..88606b805330 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.h +@@ -49,7 +49,7 @@ + + #define AMDGPU_DM_MAX_NUM_EDP 2 + +-#define AMDGPU_DMUB_NOTIFICATION_MAX 5 ++#define AMDGPU_DMUB_NOTIFICATION_MAX 6 + + #define HDMI_AMD_VENDOR_SPECIFIC_DATA_BLOCK_IEEE_REGISTRATION_ID 0x00001A + #define AMD_VSDB_VERSION_3_FEATURECAP_REPLAYMODE 0x40 +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-don-t-use-fsleep-for-psr-exit-waits-.patch b/queue-6.6/drm-amd-display-don-t-use-fsleep-for-psr-exit-waits-.patch new file mode 100644 index 00000000000..0c2bda07978 --- /dev/null +++ b/queue-6.6/drm-amd-display-don-t-use-fsleep-for-psr-exit-waits-.patch @@ -0,0 +1,42 @@ +From af36122a660004e918a7497cb7dd4b15e27bdf64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Sep 2023 15:06:41 -0400 +Subject: drm/amd/display: Don't use fsleep for PSR exit waits on dmub replay + +From: Nicholas Kazlauskas + +[ Upstream commit b5236da757adc75d7e52c69bdc233d29249a0d0c ] + +[Why] +These functions can be called from high IRQ levels and the OS will hang +if it tries to use a usleep_highres or a msleep. + +[How] +Replace the flseep with a udelay for dmub_replay_enable. + +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Nicholas Kazlauskas +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dce/dmub_replay.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce/dmub_replay.c b/drivers/gpu/drm/amd/display/dc/dce/dmub_replay.c +index 28149e53c2a6..eeb5b8247c96 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce/dmub_replay.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dmub_replay.c +@@ -102,7 +102,8 @@ static void dmub_replay_enable(struct dmub_replay *dmub, bool enable, bool wait, + break; + } + +- fsleep(500); ++ /* must *not* be fsleep - this can be called from high irq levels */ ++ udelay(500); + } + + /* assert if max retry hit */ +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-ensure-index-calculation-will-not-ov.patch b/queue-6.6/drm-amd-display-ensure-index-calculation-will-not-ov.patch new file mode 100644 index 00000000000..e37251d6df1 --- /dev/null +++ b/queue-6.6/drm-amd-display-ensure-index-calculation-will-not-ov.patch @@ -0,0 +1,46 @@ +From edbe7bdeae044c915ac6b71342b5743a80b74e0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 17:08:04 -0600 +Subject: drm/amd/display: Ensure index calculation will not overflow + +From: Alex Hung + +[ Upstream commit 8e2734bf444767fed787305ccdcb36a2be5301a2 ] + +[WHY & HOW] +Make sure vmid0p72_idx, vnom0p8_idx and vmax0p9_idx calculation will +never overflow and exceess array size. + +This fixes 3 OVERRUN and 1 INTEGER_OVERFLOW issues reported by Coverity. + +Reviewed-by: Harry Wentland +Acked-by: Tom Chung +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/calcs/dcn_calcs.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/calcs/dcn_calcs.c b/drivers/gpu/drm/amd/display/dc/dml/calcs/dcn_calcs.c +index 50b0434354f8..c08169de3660 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/calcs/dcn_calcs.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/calcs/dcn_calcs.c +@@ -1453,10 +1453,9 @@ void dcn_bw_update_from_pplib_fclks( + ASSERT(fclks->num_levels); + + vmin0p65_idx = 0; +- vmid0p72_idx = fclks->num_levels - +- (fclks->num_levels > 2 ? 3 : (fclks->num_levels > 1 ? 2 : 1)); +- vnom0p8_idx = fclks->num_levels - (fclks->num_levels > 1 ? 2 : 1); +- vmax0p9_idx = fclks->num_levels - 1; ++ vmid0p72_idx = fclks->num_levels > 2 ? fclks->num_levels - 3 : 0; ++ vnom0p8_idx = fclks->num_levels > 1 ? fclks->num_levels - 2 : 0; ++ vmax0p9_idx = fclks->num_levels > 0 ? fclks->num_levels - 1 : 0; + + dc->dcn_soc->fabric_and_dram_bandwidth_vmin0p65 = + 32 * (fclks->data[vmin0p65_idx].clocks_in_khz / 1000.0) / 1000.0; +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-fix-coverity-integer_overflow-within.patch b/queue-6.6/drm-amd-display-fix-coverity-integer_overflow-within.patch new file mode 100644 index 00000000000..1e3bb9605f4 --- /dev/null +++ b/queue-6.6/drm-amd-display-fix-coverity-integer_overflow-within.patch @@ -0,0 +1,52 @@ +From ecde7c60134f19bbb109e5a8bd5a7486d6d2cb85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 11:58:11 -0400 +Subject: drm/amd/display: Fix Coverity INTEGER_OVERFLOW within + dal_gpio_service_create + +From: Hersen Wu + +[ Upstream commit c6077aa66fa230d12f37fef01161ef080d13b726 ] + +[Why] +For subtraction, coverity reports integer overflow +warning message when variable type is uint32_t. + +[How] +Change variable type to int32_t. + +Reviewed-by: Harry Wentland +Acked-by: Tom Chung +Signed-off-by: Hersen Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c +index 2f8ca831afa2..f2037d78f71a 100644 +--- a/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c ++++ b/drivers/gpu/drm/amd/display/dc/gpio/gpio_service.c +@@ -56,7 +56,7 @@ struct gpio_service *dal_gpio_service_create( + struct dc_context *ctx) + { + struct gpio_service *service; +- uint32_t index_of_id; ++ int32_t index_of_id; + + service = kzalloc(sizeof(struct gpio_service), GFP_KERNEL); + +@@ -112,7 +112,7 @@ struct gpio_service *dal_gpio_service_create( + return service; + + failure_2: +- while (index_of_id) { ++ while (index_of_id > 0) { + --index_of_id; + kfree(service->busyness[index_of_id]); + } +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-fix-coverity-integer_overflow-within.patch-15851 b/queue-6.6/drm-amd-display-fix-coverity-integer_overflow-within.patch-15851 new file mode 100644 index 00000000000..7772264c4a2 --- /dev/null +++ b/queue-6.6/drm-amd-display-fix-coverity-integer_overflow-within.patch-15851 @@ -0,0 +1,50 @@ +From 528f95bed9c496768fbe4267a4771fba2f8bc0b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 12:13:59 -0400 +Subject: drm/amd/display: Fix Coverity INTEGER_OVERFLOW within + decide_fallback_link_setting_max_bw_policy + +From: Hersen Wu + +[ Upstream commit 83c0c8361347cf43937348e8ca0a487679c003ae ] + +[Why] +For addtion (uint8_t) variable + constant 1, +coverity generates message below: +Truncation due to cast operation on "cur_idx + 1" from +32 to 8 bits. + +Then Coverity assume result is 32 bits value be saved into +8 bits variable. When result is used as index to access +array, Coverity suspects index invalid. + +[How] +Change varaible type to uint32_t. + +Reviewed-by: Alex Hung +Reviewed-by: Harry Wentland +Acked-by: Tom Chung +Signed-off-by: Hersen Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c +index 9a0beaf601f8..16f4865e4246 100644 +--- a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c ++++ b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c +@@ -528,7 +528,7 @@ static bool decide_fallback_link_setting_max_bw_policy( + struct dc_link_settings *cur, + enum link_training_result training_result) + { +- uint8_t cur_idx = 0, next_idx; ++ uint32_t cur_idx = 0, next_idx; + bool found = false; + + if (training_result == LINK_TRAINING_ABORT) +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-fix-coverity-interger_overflow-withi.patch b/queue-6.6/drm-amd-display-fix-coverity-interger_overflow-withi.patch new file mode 100644 index 00000000000..0a1798daa5d --- /dev/null +++ b/queue-6.6/drm-amd-display-fix-coverity-interger_overflow-withi.patch @@ -0,0 +1,65 @@ +From 13d32fd6ab55101ff3c451029e3dcff3f931c11b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 10:46:41 -0400 +Subject: drm/amd/display: Fix Coverity INTERGER_OVERFLOW within + construct_integrated_info + +From: Hersen Wu + +[ Upstream commit 176abbcc71952e23009a6ed194fd203b99646884 ] + +[Why] +For substrcation, coverity reports integer overflow +warning message when variable type is uint32_t. + +[How] +Change varaible type to int32_t. + +Reviewed-by: Alex Hung +Reviewed-by: Harry Wentland +Acked-by: Tom Chung +Signed-off-by: Hersen Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/bios/bios_parser.c | 4 ++-- + drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 7 +++++-- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c +index 6b3190447581..19cd1bd844df 100644 +--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c ++++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser.c +@@ -2552,8 +2552,8 @@ static enum bp_result construct_integrated_info( + + /* Sort voltage table from low to high*/ + if (result == BP_RESULT_OK) { +- uint32_t i; +- uint32_t j; ++ int32_t i; ++ int32_t j; + + for (i = 1; i < NUMBER_OF_DISP_CLK_VOLTAGE; ++i) { + for (j = i; j > 0; --j) { +diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c +index 93720cf069d7..384ddb28e6f6 100644 +--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c ++++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c +@@ -2935,8 +2935,11 @@ static enum bp_result construct_integrated_info( + struct atom_common_table_header *header; + struct atom_data_revision revision; + +- uint32_t i; +- uint32_t j; ++ int32_t i; ++ int32_t j; ++ ++ if (!info) ++ return result; + + if (info && DATA_TABLES(integratedsysteminfo)) { + header = GET_IMAGE(struct atom_common_table_header, +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-fix-index-may-exceed-array-range-wit.patch b/queue-6.6/drm-amd-display-fix-index-may-exceed-array-range-wit.patch new file mode 100644 index 00000000000..65a2b767422 --- /dev/null +++ b/queue-6.6/drm-amd-display-fix-index-may-exceed-array-range-wit.patch @@ -0,0 +1,117 @@ +From a4f7126ee60e774e4480502f830e82de8b62e538 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 09:24:44 -0400 +Subject: drm/amd/display: Fix index may exceed array range within + fpu_update_bw_bounding_box + +From: Hersen Wu + +[ Upstream commit 188fd1616ec43033cedbe343b6579e9921e2d898 ] + +[Why] +Coverity reports OVERRUN warning. soc.num_states could +be 40. But array range of bw_params->clk_table.entries is 8. + +[How] +Assert if soc.num_states greater than 8. + +Reviewed-by: Alex Hung +Acked-by: Tom Chung +Signed-off-by: Hersen Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/dcn302/dcn302_fpu.c | 10 ++++++++++ + drivers/gpu/drm/amd/display/dc/dml/dcn303/dcn303_fpu.c | 10 ++++++++++ + drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 10 ++++++++++ + drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c | 10 ++++++++++ + 4 files changed, 40 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn302/dcn302_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn302/dcn302_fpu.c +index e2bcd205aa93..8da97a96b1ce 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn302/dcn302_fpu.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn302/dcn302_fpu.c +@@ -304,6 +304,16 @@ void dcn302_fpu_update_bw_bounding_box(struct dc *dc, struct clk_bw_params *bw_p + dram_speed_mts[num_states++] = bw_params->clk_table.entries[j++].memclk_mhz * 16; + } + ++ /* bw_params->clk_table.entries[MAX_NUM_DPM_LVL]. ++ * MAX_NUM_DPM_LVL is 8. ++ * dcn3_02_soc.clock_limits[DC__VOLTAGE_STATES]. ++ * DC__VOLTAGE_STATES is 40. ++ */ ++ if (num_states > MAX_NUM_DPM_LVL) { ++ ASSERT(0); ++ return; ++ } ++ + dcn3_02_soc.num_states = num_states; + for (i = 0; i < dcn3_02_soc.num_states; i++) { + dcn3_02_soc.clock_limits[i].state = i; +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn303/dcn303_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn303/dcn303_fpu.c +index 3eb3a021ab7d..c283780ad062 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn303/dcn303_fpu.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn303/dcn303_fpu.c +@@ -299,6 +299,16 @@ void dcn303_fpu_update_bw_bounding_box(struct dc *dc, struct clk_bw_params *bw_p + dram_speed_mts[num_states++] = bw_params->clk_table.entries[j++].memclk_mhz * 16; + } + ++ /* bw_params->clk_table.entries[MAX_NUM_DPM_LVL]. ++ * MAX_NUM_DPM_LVL is 8. ++ * dcn3_02_soc.clock_limits[DC__VOLTAGE_STATES]. ++ * DC__VOLTAGE_STATES is 40. ++ */ ++ if (num_states > MAX_NUM_DPM_LVL) { ++ ASSERT(0); ++ return; ++ } ++ + dcn3_03_soc.num_states = num_states; + for (i = 0; i < dcn3_03_soc.num_states; i++) { + dcn3_03_soc.clock_limits[i].state = i; +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c +index cf3b400c8619..3d82cbef1274 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c +@@ -2885,6 +2885,16 @@ void dcn32_update_bw_bounding_box_fpu(struct dc *dc, struct clk_bw_params *bw_pa + dram_speed_mts[num_states++] = bw_params->clk_table.entries[j++].memclk_mhz * 16; + } + ++ /* bw_params->clk_table.entries[MAX_NUM_DPM_LVL]. ++ * MAX_NUM_DPM_LVL is 8. ++ * dcn3_02_soc.clock_limits[DC__VOLTAGE_STATES]. ++ * DC__VOLTAGE_STATES is 40. ++ */ ++ if (num_states > MAX_NUM_DPM_LVL) { ++ ASSERT(0); ++ return; ++ } ++ + dcn3_2_soc.num_states = num_states; + for (i = 0; i < dcn3_2_soc.num_states; i++) { + dcn3_2_soc.clock_limits[i].state = i; +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c +index b26fcf86014c..ae2196c36f21 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c +@@ -789,6 +789,16 @@ void dcn321_update_bw_bounding_box_fpu(struct dc *dc, struct clk_bw_params *bw_p + dram_speed_mts[num_states++] = bw_params->clk_table.entries[j++].memclk_mhz * 16; + } + ++ /* bw_params->clk_table.entries[MAX_NUM_DPM_LVL]. ++ * MAX_NUM_DPM_LVL is 8. ++ * dcn3_02_soc.clock_limits[DC__VOLTAGE_STATES]. ++ * DC__VOLTAGE_STATES is 40. ++ */ ++ if (num_states > MAX_NUM_DPM_LVL) { ++ ASSERT(0); ++ return; ++ } ++ + dcn3_21_soc.num_states = num_states; + for (i = 0; i < dcn3_21_soc.num_states; i++) { + dcn3_21_soc.clock_limits[i].state = i; +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-skip-inactive-planes-within-modesupp.patch b/queue-6.6/drm-amd-display-skip-inactive-planes-within-modesupp.patch new file mode 100644 index 00000000000..b87ec7d8c76 --- /dev/null +++ b/queue-6.6/drm-amd-display-skip-inactive-planes-within-modesupp.patch @@ -0,0 +1,48 @@ +From 413ef0cf7fa09f3c1e54034b5beb0a4be73ec453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 16:39:37 -0400 +Subject: drm/amd/display: Skip inactive planes within + ModeSupportAndSystemConfiguration + +From: Hersen Wu + +[ Upstream commit a54f7e866cc73a4cb71b8b24bb568ba35c8969df ] + +[Why] +Coverity reports Memory - illegal accesses. + +[How] +Skip inactive planes. + +Reviewed-by: Alex Hung +Acked-by: Tom Chung +Signed-off-by: Hersen Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c b/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c +index 9a3ded311195..85453bbb4f9b 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/display_mode_vba.c +@@ -1099,8 +1099,13 @@ void ModeSupportAndSystemConfiguration(struct display_mode_lib *mode_lib) + + // Total Available Pipes Support Check + for (k = 0; k < mode_lib->vba.NumberOfActivePlanes; ++k) { +- total_pipes += mode_lib->vba.DPPPerPlane[k]; + pipe_idx = get_pipe_idx(mode_lib, k); ++ if (pipe_idx == -1) { ++ ASSERT(0); ++ continue; // skip inactive planes ++ } ++ total_pipes += mode_lib->vba.DPPPerPlane[k]; ++ + if (mode_lib->vba.cache_pipes[pipe_idx].clks_cfg.dppclk_mhz > 0.0) + mode_lib->vba.DPPCLK[k] = mode_lib->vba.cache_pipes[pipe_idx].clks_cfg.dppclk_mhz; + else +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch b/queue-6.6/drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch new file mode 100644 index 00000000000..5987ada13d7 --- /dev/null +++ b/queue-6.6/drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch @@ -0,0 +1,41 @@ +From a74ab7c1b28e92b64f60a0094a6ce36cf7b1dde5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jun 2024 10:47:37 -0600 +Subject: drm/amd/display: Skip wbscl_set_scaler_filter if filter is null + +From: Alex Hung + +[ Upstream commit c4d31653c03b90e51515b1380115d1aedad925dd ] + +Callers can pass null in filter (i.e. from returned from the function +wbscl_get_filter_coeffs_16p) and a null check is added to ensure that is +not the case. + +This fixes 4 NULL_RETURNS issues reported by Coverity. + +Reviewed-by: Harry Wentland +Acked-by: Hamza Mahfooz +Signed-off-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c +index 994fb732a7cb..a0d437f0ce2b 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dwb_scl.c +@@ -690,6 +690,9 @@ static void wbscl_set_scaler_filter( + int pair; + uint16_t odd_coef, even_coef; + ++ if (!filter) ++ return; ++ + for (phase = 0; phase < (NUM_PHASES / 2 + 1); phase++) { + for (pair = 0; pair < tap_pairs; pair++) { + even_coef = filter[phase * taps + 2 * pair]; +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-spinlock-before-reading-event.patch b/queue-6.6/drm-amd-display-spinlock-before-reading-event.patch new file mode 100644 index 00000000000..85fafd6efc8 --- /dev/null +++ b/queue-6.6/drm-amd-display-spinlock-before-reading-event.patch @@ -0,0 +1,54 @@ +From ab417feb73e1a20462aa8c066e8e326319bd05c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 10:33:47 -0600 +Subject: drm/amd/display: Spinlock before reading event + +From: Alex Hung + +[ Upstream commit ae13c8a5cff92015b9a3eb7cee65ebc75859487f ] + +[WHY & HOW] +A read of acrtc_attach->base.state->event was not locked so moving it +inside the spinlock. + +This fixes a LOCK_EVASION issue reported by Coverity. + +Reviewed-by: Harry Wentland +Acked-by: Tom Chung +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 37f79ae0b6c2..44c155683824 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -8286,15 +8286,13 @@ static void amdgpu_dm_commit_planes(struct drm_atomic_state *state, + bundle->stream_update.vrr_infopacket = + &acrtc_state->stream->vrr_infopacket; + } +- } else if (cursor_update && acrtc_state->active_planes > 0 && +- acrtc_attach->base.state->event) { +- drm_crtc_vblank_get(pcrtc); +- ++ } else if (cursor_update && acrtc_state->active_planes > 0) { + spin_lock_irqsave(&pcrtc->dev->event_lock, flags); +- +- acrtc_attach->event = acrtc_attach->base.state->event; +- acrtc_attach->base.state->event = NULL; +- ++ if (acrtc_attach->base.state->event) { ++ drm_crtc_vblank_get(pcrtc); ++ acrtc_attach->event = acrtc_attach->base.state->event; ++ acrtc_attach->base.state->event = NULL; ++ } + spin_unlock_irqrestore(&pcrtc->dev->event_lock, flags); + } + +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch b/queue-6.6/drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch new file mode 100644 index 00000000000..12b5459cea3 --- /dev/null +++ b/queue-6.6/drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch @@ -0,0 +1,46 @@ +From 2e175d504af37db4e68a6cda53b4982fe98e5153 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 16:00:19 -0400 +Subject: drm/amd/display: Stop amdgpu_dm initialize when stream nums greater + than 6 + +From: Hersen Wu + +[ Upstream commit 84723eb6068c50610c5c0893980d230d7afa2105 ] + +[Why] +Coverity reports OVERRUN warning. Should abort amdgpu_dm +initialize. + +[How] +Return failure to amdgpu_dm_init. + +Reviewed-by: Harry Wentland +Acked-by: Tom Chung +Signed-off-by: Hersen Wu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 94059aef762b..37f79ae0b6c2 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -4357,7 +4357,10 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev) + + /* There is one primary plane per CRTC */ + primary_planes = dm->dc->caps.max_streams; +- ASSERT(primary_planes <= AMDGPU_MAX_PLANES); ++ if (primary_planes > AMDGPU_MAX_PLANES) { ++ DRM_ERROR("DM: Plane nums out of 6 planes\n"); ++ return -EINVAL; ++ } + + /* + * Initialize primary planes, implicit planes for legacy IOCTLS. +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-display-use-preferred-link-settings-for-dp-s.patch b/queue-6.6/drm-amd-display-use-preferred-link-settings-for-dp-s.patch new file mode 100644 index 00000000000..c28004110b4 --- /dev/null +++ b/queue-6.6/drm-amd-display-use-preferred-link-settings-for-dp-s.patch @@ -0,0 +1,63 @@ +From 44d0e072a035ed61dabef9dda72c9f3fec69a9cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 May 2024 12:20:41 -0400 +Subject: drm/amd/display: use preferred link settings for dp signal only + +From: Wenjing Liu + +[ Upstream commit abf34ca465f5cd182b07701d3f3d369c0fc04723 ] + +[why] +We set preferred link settings for virtual signal. However we don't support +virtual signal for UHBR link rate. If preferred is set to UHBR link rate, we +will allow virtual signal with UHBR link rate which causes system crashes. + +Reviewed-by: Dillon Varone +Acked-by: Zaeem Mohamed +Signed-off-by: Wenjing Liu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../dc/link/protocols/link_dp_capability.c | 24 ++++++++----------- + 1 file changed, 10 insertions(+), 14 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c +index 16f4865e4246..3d589072fe30 100644 +--- a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c ++++ b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_capability.c +@@ -908,21 +908,17 @@ bool link_decide_link_settings(struct dc_stream_state *stream, + + memset(link_setting, 0, sizeof(*link_setting)); + +- /* if preferred is specified through AMDDP, use it, if it's enough +- * to drive the mode +- */ +- if (link->preferred_link_setting.lane_count != +- LANE_COUNT_UNKNOWN && +- link->preferred_link_setting.link_rate != +- LINK_RATE_UNKNOWN) { ++ if (dc_is_dp_signal(stream->signal) && ++ link->preferred_link_setting.lane_count != LANE_COUNT_UNKNOWN && ++ link->preferred_link_setting.link_rate != LINK_RATE_UNKNOWN) { ++ /* if preferred is specified through AMDDP, use it, if it's enough ++ * to drive the mode ++ */ + *link_setting = link->preferred_link_setting; +- return true; +- } +- +- /* MST doesn't perform link training for now +- * TODO: add MST specific link training routine +- */ +- if (stream->signal == SIGNAL_TYPE_DISPLAY_PORT_MST) { ++ } else if (stream->signal == SIGNAL_TYPE_DISPLAY_PORT_MST) { ++ /* MST doesn't perform link training for now ++ * TODO: add MST specific link training routine ++ */ + decide_mst_link_settings(link, link_setting); + } else if (link->connector_signal == SIGNAL_TYPE_EDP) { + /* enable edp link optimization for DSC eDP case */ +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-pm-check-negtive-return-for-table-entries.patch b/queue-6.6/drm-amd-pm-check-negtive-return-for-table-entries.patch new file mode 100644 index 00000000000..a5b2e6c01c1 --- /dev/null +++ b/queue-6.6/drm-amd-pm-check-negtive-return-for-table-entries.patch @@ -0,0 +1,61 @@ +From 9c8e7487fc431b16a5e3fa399388a0940d32f339 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 16:01:23 +0800 +Subject: drm/amd/pm: check negtive return for table entries + +From: Jesse Zhang + +[ Upstream commit f76059fe14395b37ba8d997eb0381b1b9e80a939 ] + +Function hwmgr->hwmgr_func->get_num_of_pp_table_entries(hwmgr) returns a negative number + +Signed-off-by: Jesse Zhang +Suggested-by: Tim Huang +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c +index f4bd8e9357e2..18f00038d844 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/pp_psm.c +@@ -30,9 +30,8 @@ int psm_init_power_state_table(struct pp_hwmgr *hwmgr) + { + int result; + unsigned int i; +- unsigned int table_entries; + struct pp_power_state *state; +- int size; ++ int size, table_entries; + + if (hwmgr->hwmgr_func->get_num_of_pp_table_entries == NULL) + return 0; +@@ -40,15 +39,19 @@ int psm_init_power_state_table(struct pp_hwmgr *hwmgr) + if (hwmgr->hwmgr_func->get_power_state_size == NULL) + return 0; + +- hwmgr->num_ps = table_entries = hwmgr->hwmgr_func->get_num_of_pp_table_entries(hwmgr); ++ table_entries = hwmgr->hwmgr_func->get_num_of_pp_table_entries(hwmgr); + +- hwmgr->ps_size = size = hwmgr->hwmgr_func->get_power_state_size(hwmgr) + ++ size = hwmgr->hwmgr_func->get_power_state_size(hwmgr) + + sizeof(struct pp_power_state); + +- if (table_entries == 0 || size == 0) { ++ if (table_entries <= 0 || size == 0) { + pr_warn("Please check whether power state management is supported on this asic\n"); ++ hwmgr->num_ps = 0; ++ hwmgr->ps_size = 0; + return 0; + } ++ hwmgr->num_ps = table_entries; ++ hwmgr->ps_size = size; + + hwmgr->ps = kcalloc(table_entries, size, GFP_KERNEL); + if (hwmgr->ps == NULL) +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-pm-check-specific-index-for-aldebaran.patch b/queue-6.6/drm-amd-pm-check-specific-index-for-aldebaran.patch new file mode 100644 index 00000000000..0ffa3be6bb2 --- /dev/null +++ b/queue-6.6/drm-amd-pm-check-specific-index-for-aldebaran.patch @@ -0,0 +1,37 @@ +From 561247d9b21f21b00f9097c1dd8ec59e2c6ce776 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 17:13:28 +0800 +Subject: drm/amd/pm: check specific index for aldebaran + +From: Jesse Zhang + +[ Upstream commit 0ce8ef2639c112ae203c985b758389e378630aac ] + +Check for specific indexes that may be invalid values. + +Signed-off-by: Jesse Zhang +Reviewed-by: Yang Wang +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c +index 5afd03e42bbf..ded8952d9849 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c +@@ -1931,7 +1931,8 @@ static int aldebaran_mode2_reset(struct smu_context *smu) + + index = smu_cmn_to_asic_specific_index(smu, CMN2ASIC_MAPPING_MSG, + SMU_MSG_GfxDeviceDriverReset); +- ++ if (index < 0 ) ++ return -EINVAL; + mutex_lock(&smu->message_lock); + if (smu_version >= 0x00441400) { + ret = smu_cmn_send_msg_without_waiting(smu, (uint16_t)index, SMU_RESET_MODE_2); +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-pm-check-specific-index-for-smu13.patch b/queue-6.6/drm-amd-pm-check-specific-index-for-smu13.patch new file mode 100644 index 00000000000..72831662d94 --- /dev/null +++ b/queue-6.6/drm-amd-pm-check-specific-index-for-smu13.patch @@ -0,0 +1,37 @@ +From 05189702a1d2e3db8156f25e6ac12e81d19f3538 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 17:50:21 +0800 +Subject: drm/amd/pm: check specific index for smu13 + +From: Jesse Zhang + +[ Upstream commit a3ac9d1c9751f00026c2d98b802ec8a98626c3ed ] + +Check for specific indexes that may be invalid values. + +Signed-off-by: Jesse Zhang +Suggested-by: Tim Huang +Reviewed-by: Tim Huang +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c +index be4b7b64f878..44c5f8585f1e 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_6_ppt.c +@@ -2058,6 +2058,8 @@ static int smu_v13_0_6_mode2_reset(struct smu_context *smu) + + index = smu_cmn_to_asic_specific_index(smu, CMN2ASIC_MAPPING_MSG, + SMU_MSG_GfxDeviceDriverReset); ++ if (index < 0) ++ return index; + + mutex_lock(&smu->message_lock); + +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-pm-fix-negative-array-index-read.patch b/queue-6.6/drm-amd-pm-fix-negative-array-index-read.patch new file mode 100644 index 00000000000..edb4977692e --- /dev/null +++ b/queue-6.6/drm-amd-pm-fix-negative-array-index-read.patch @@ -0,0 +1,94 @@ +From 054b93402ab04db34cdcdc7a0b3422614d46fc85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 10:23:48 +0800 +Subject: drm/amd/pm: Fix negative array index read + +From: Jesse Zhang + +[ Upstream commit c8c19ebf7c0b202a6a2d37a52ca112432723db5f ] + +Avoid using the negative values +for clk_idex as an index into an array pptable->DpmDescriptor. + +V2: fix clk_index return check (Tim Huang) + +Signed-off-by: Jesse Zhang +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 27 ++++++++++++++----- + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c +index c564f6e191f8..b1b23233635a 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c +@@ -1222,19 +1222,22 @@ static int navi10_get_current_clk_freq_by_table(struct smu_context *smu, + value); + } + +-static bool navi10_is_support_fine_grained_dpm(struct smu_context *smu, enum smu_clk_type clk_type) ++static int navi10_is_support_fine_grained_dpm(struct smu_context *smu, enum smu_clk_type clk_type) + { + PPTable_t *pptable = smu->smu_table.driver_pptable; + DpmDescriptor_t *dpm_desc = NULL; +- uint32_t clk_index = 0; ++ int clk_index = 0; + + clk_index = smu_cmn_to_asic_specific_index(smu, + CMN2ASIC_MAPPING_CLK, + clk_type); ++ if (clk_index < 0) ++ return clk_index; ++ + dpm_desc = &pptable->DpmDescriptor[clk_index]; + + /* 0 - Fine grained DPM, 1 - Discrete DPM */ +- return dpm_desc->SnapToDiscrete == 0; ++ return dpm_desc->SnapToDiscrete == 0 ? 1 : 0; + } + + static inline bool navi10_od_feature_is_supported(struct smu_11_0_overdrive_table *od_table, enum SMU_11_0_ODFEATURE_CAP cap) +@@ -1290,7 +1293,11 @@ static int navi10_emit_clk_levels(struct smu_context *smu, + if (ret) + return ret; + +- if (!navi10_is_support_fine_grained_dpm(smu, clk_type)) { ++ ret = navi10_is_support_fine_grained_dpm(smu, clk_type); ++ if (ret < 0) ++ return ret; ++ ++ if (!ret) { + for (i = 0; i < count; i++) { + ret = smu_v11_0_get_dpm_freq_by_index(smu, + clk_type, i, &value); +@@ -1499,7 +1506,11 @@ static int navi10_print_clk_levels(struct smu_context *smu, + if (ret) + return size; + +- if (!navi10_is_support_fine_grained_dpm(smu, clk_type)) { ++ ret = navi10_is_support_fine_grained_dpm(smu, clk_type); ++ if (ret < 0) ++ return ret; ++ ++ if (!ret) { + for (i = 0; i < count; i++) { + ret = smu_v11_0_get_dpm_freq_by_index(smu, clk_type, i, &value); + if (ret) +@@ -1668,7 +1679,11 @@ static int navi10_force_clk_levels(struct smu_context *smu, + case SMU_UCLK: + case SMU_FCLK: + /* There is only 2 levels for fine grained DPM */ +- if (navi10_is_support_fine_grained_dpm(smu, clk_type)) { ++ ret = navi10_is_support_fine_grained_dpm(smu, clk_type); ++ if (ret < 0) ++ return ret; ++ ++ if (ret) { + soft_max_level = (soft_max_level >= 1 ? 1 : 0); + soft_min_level = (soft_min_level >= 1 ? 1 : 0); + } +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-pm-fix-the-out-of-bounds-read-warning.patch b/queue-6.6/drm-amd-pm-fix-the-out-of-bounds-read-warning.patch new file mode 100644 index 00000000000..f44fd8f1787 --- /dev/null +++ b/queue-6.6/drm-amd-pm-fix-the-out-of-bounds-read-warning.patch @@ -0,0 +1,39 @@ +From 5baef2dffa1ab607e1fbe3c1e16981d387fcdf39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Apr 2024 10:29:08 +0800 +Subject: drm/amd/pm: fix the Out-of-bounds read warning + +From: Jesse Zhang + +[ Upstream commit 12c6967428a099bbba9dfd247bb4322a984fcc0b ] + +using index i - 1U may beyond element index +for mc_data[] when i = 0. + +Signed-off-by: Jesse Zhang +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c +index f503e61faa60..cc3b62f73394 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c +@@ -73,8 +73,9 @@ static int atomctrl_retrieve_ac_timing( + j++; + } else if ((table->mc_reg_address[i].uc_pre_reg_data & + LOW_NIBBLE_MASK) == DATA_EQU_PREV) { +- table->mc_reg_table_entry[num_ranges].mc_data[i] = +- table->mc_reg_table_entry[num_ranges].mc_data[i-1]; ++ if (i) ++ table->mc_reg_table_entry[num_ranges].mc_data[i] = ++ table->mc_reg_table_entry[num_ranges].mc_data[i-1]; + } + } + num_ranges++; +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warning-for-sm.patch b/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warning-for-sm.patch new file mode 100644 index 00000000000..3931ec5d9ba --- /dev/null +++ b/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warning-for-sm.patch @@ -0,0 +1,87 @@ +From 188f90b6d10356313828af2fb32f474409f78436 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 12:52:45 +0800 +Subject: drm/amd/pm: fix uninitialized variable warning for smu8_hwmgr +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tim Huang + +[ Upstream commit 86df36b934640866eb249a4488abb148b985a0d9 ] + +Clear warnings that using uninitialized value level when fails +to get the value from SMU. + +Signed-off-by: Tim Huang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c +index eb744401e056..7e1197420873 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c +@@ -584,6 +584,7 @@ static int smu8_init_uvd_limit(struct pp_hwmgr *hwmgr) + hwmgr->dyn_state.uvd_clock_voltage_dependency_table; + unsigned long clock = 0; + uint32_t level; ++ int ret; + + if (NULL == table || table->count <= 0) + return -EINVAL; +@@ -591,7 +592,9 @@ static int smu8_init_uvd_limit(struct pp_hwmgr *hwmgr) + data->uvd_dpm.soft_min_clk = 0; + data->uvd_dpm.hard_min_clk = 0; + +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxUvdLevel, &level); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxUvdLevel, &level); ++ if (ret) ++ return ret; + + if (level < table->count) + clock = table->entries[level].vclk; +@@ -611,6 +614,7 @@ static int smu8_init_vce_limit(struct pp_hwmgr *hwmgr) + hwmgr->dyn_state.vce_clock_voltage_dependency_table; + unsigned long clock = 0; + uint32_t level; ++ int ret; + + if (NULL == table || table->count <= 0) + return -EINVAL; +@@ -618,7 +622,9 @@ static int smu8_init_vce_limit(struct pp_hwmgr *hwmgr) + data->vce_dpm.soft_min_clk = 0; + data->vce_dpm.hard_min_clk = 0; + +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxEclkLevel, &level); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxEclkLevel, &level); ++ if (ret) ++ return ret; + + if (level < table->count) + clock = table->entries[level].ecclk; +@@ -638,6 +644,7 @@ static int smu8_init_acp_limit(struct pp_hwmgr *hwmgr) + hwmgr->dyn_state.acp_clock_voltage_dependency_table; + unsigned long clock = 0; + uint32_t level; ++ int ret; + + if (NULL == table || table->count <= 0) + return -EINVAL; +@@ -645,7 +652,9 @@ static int smu8_init_acp_limit(struct pp_hwmgr *hwmgr) + data->acp_dpm.soft_min_clk = 0; + data->acp_dpm.hard_min_clk = 0; + +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxAclkLevel, &level); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxAclkLevel, &level); ++ if (ret) ++ return ret; + + if (level < table->count) + clock = table->entries[level].acpclk; +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warning.patch b/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warning.patch new file mode 100644 index 00000000000..122bb39ed14 --- /dev/null +++ b/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warning.patch @@ -0,0 +1,37 @@ +From a988feb7db7aa30fbd77d5c4209f8b01b4ad8a0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Apr 2024 15:36:26 +0800 +Subject: drm/amd/pm: fix uninitialized variable warning + +From: Jesse Zhang + +[ Upstream commit 7c836905520703dbc8b938993b6d4d718bc739f3 ] + +Check the return of function smum_send_msg_to_smc +as it may fail to initialize the variable. + +Signed-off-by: Jesse Zhang +Reviewed-by: Yang Wang +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c +index 7bf46e4974f8..86f95a291d65 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c +@@ -99,7 +99,7 @@ static void pp_swctf_delayed_work_handler(struct work_struct *work) + struct amdgpu_device *adev = hwmgr->adev; + struct amdgpu_dpm_thermal *range = + &adev->pm.dpm.thermal; +- uint32_t gpu_temperature, size; ++ uint32_t gpu_temperature, size = sizeof(gpu_temperature); + int ret; + + /* +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch b/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch new file mode 100644 index 00000000000..cc730c0c20c --- /dev/null +++ b/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch @@ -0,0 +1,180 @@ +From 7e7d6ea64873254de36e89373d9c14d195a96e0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Apr 2024 12:41:42 +0800 +Subject: drm/amd/pm: fix uninitialized variable warnings for vega10_hwmgr + +From: Tim Huang + +[ Upstream commit 5fa7d540d95d97ddc021a74583f6b3da4df9c93a ] + +Clear warnings that using uninitialized variable when fails +to get the valid value from SMU. + +Signed-off-by: Tim Huang +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 46 ++++++++++++++----- + .../amd/pm/powerplay/smumgr/vega10_smumgr.c | 6 ++- + 2 files changed, 39 insertions(+), 13 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +index d500da8194e2..a97e393067e4 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +@@ -354,13 +354,13 @@ static int vega10_odn_initial_default_setting(struct pp_hwmgr *hwmgr) + return 0; + } + +-static void vega10_init_dpm_defaults(struct pp_hwmgr *hwmgr) ++static int vega10_init_dpm_defaults(struct pp_hwmgr *hwmgr) + { + struct vega10_hwmgr *data = hwmgr->backend; +- int i; + uint32_t sub_vendor_id, hw_revision; + uint32_t top32, bottom32; + struct amdgpu_device *adev = hwmgr->adev; ++ int ret, i; + + vega10_initialize_power_tune_defaults(hwmgr); + +@@ -485,9 +485,12 @@ static void vega10_init_dpm_defaults(struct pp_hwmgr *hwmgr) + if (data->registry_data.vr0hot_enabled) + data->smu_features[GNLD_VR0HOT].supported = true; + +- smum_send_msg_to_smc(hwmgr, ++ ret = smum_send_msg_to_smc(hwmgr, + PPSMC_MSG_GetSmuVersion, + &hwmgr->smu_version); ++ if (ret) ++ return ret; ++ + /* ACG firmware has major version 5 */ + if ((hwmgr->smu_version & 0xff000000) == 0x5000000) + data->smu_features[GNLD_ACG].supported = true; +@@ -505,10 +508,16 @@ static void vega10_init_dpm_defaults(struct pp_hwmgr *hwmgr) + data->smu_features[GNLD_PCC_LIMIT].supported = true; + + /* Get the SN to turn into a Unique ID */ +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32); +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32); ++ if (ret) ++ return ret; ++ ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32); ++ if (ret) ++ return ret; + + adev->unique_id = ((uint64_t)bottom32 << 32) | top32; ++ return 0; + } + + #ifdef PPLIB_VEGA10_EVV_SUPPORT +@@ -882,7 +891,9 @@ static int vega10_hwmgr_backend_init(struct pp_hwmgr *hwmgr) + + vega10_set_features_platform_caps(hwmgr); + +- vega10_init_dpm_defaults(hwmgr); ++ result = vega10_init_dpm_defaults(hwmgr); ++ if (result) ++ return result; + + #ifdef PPLIB_VEGA10_EVV_SUPPORT + /* Get leakage voltage based on leakage ID. */ +@@ -3913,11 +3924,14 @@ static int vega10_get_gpu_power(struct pp_hwmgr *hwmgr, + uint32_t *query) + { + uint32_t value; ++ int ret; + + if (!query) + return -EINVAL; + +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrPkgPwr, &value); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrPkgPwr, &value); ++ if (ret) ++ return ret; + + /* SMC returning actual watts, keep consistent with legacy asics, low 8 bit as 8 fractional bits */ + *query = value << 8; +@@ -4813,14 +4827,16 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr, + uint32_t gen_speed, lane_width, current_gen_speed, current_lane_width; + PPTable_t *pptable = &(data->smc_state_table.pp_table); + +- int i, now, size = 0, count = 0; ++ int i, ret, now, size = 0, count = 0; + + switch (type) { + case PP_SCLK: + if (data->registry_data.sclk_dpm_key_disabled) + break; + +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentGfxclkIndex, &now); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentGfxclkIndex, &now); ++ if (ret) ++ break; + + if (hwmgr->pp_one_vf && + (hwmgr->dpm_level == AMD_DPM_FORCED_LEVEL_PROFILE_PEAK)) +@@ -4836,7 +4852,9 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr, + if (data->registry_data.mclk_dpm_key_disabled) + break; + +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentUclkIndex, &now); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentUclkIndex, &now); ++ if (ret) ++ break; + + for (i = 0; i < mclk_table->count; i++) + size += sprintf(buf + size, "%d: %uMhz %s\n", +@@ -4847,7 +4865,9 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr, + if (data->registry_data.socclk_dpm_key_disabled) + break; + +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentSocclkIndex, &now); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetCurrentSocclkIndex, &now); ++ if (ret) ++ break; + + for (i = 0; i < soc_table->count; i++) + size += sprintf(buf + size, "%d: %uMhz %s\n", +@@ -4858,8 +4878,10 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr, + if (data->registry_data.dcefclk_dpm_key_disabled) + break; + +- smum_send_msg_to_smc_with_parameter(hwmgr, ++ ret = smum_send_msg_to_smc_with_parameter(hwmgr, + PPSMC_MSG_GetClockFreqMHz, CLK_DCEFCLK, &now); ++ if (ret) ++ break; + + for (i = 0; i < dcef_table->count; i++) + size += sprintf(buf + size, "%d: %uMhz %s\n", +diff --git a/drivers/gpu/drm/amd/pm/powerplay/smumgr/vega10_smumgr.c b/drivers/gpu/drm/amd/pm/powerplay/smumgr/vega10_smumgr.c +index a70d73896649..f9c0f117725d 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/smumgr/vega10_smumgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/smumgr/vega10_smumgr.c +@@ -130,13 +130,17 @@ int vega10_get_enabled_smc_features(struct pp_hwmgr *hwmgr, + uint64_t *features_enabled) + { + uint32_t enabled_features; ++ int ret; + + if (features_enabled == NULL) + return -EINVAL; + +- smum_send_msg_to_smc(hwmgr, ++ ret = smum_send_msg_to_smc(hwmgr, + PPSMC_MSG_GetEnabledSmuFeatures, + &enabled_features); ++ if (ret) ++ return ret; ++ + *features_enabled = enabled_features; + + return 0; +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch-16851 b/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch-16851 new file mode 100644 index 00000000000..4880b49acbd --- /dev/null +++ b/queue-6.6/drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch-16851 @@ -0,0 +1,56 @@ +From ef12f439652643df8bb2075bde9fad640310416b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Apr 2024 15:42:03 +0800 +Subject: drm/amd/pm: fix uninitialized variable warnings for vangogh_ppt + +From: Tim Huang + +[ Upstream commit b2871de6961d24d421839fbfa4aa3008ec9170d5 ] + +1. Fix a issue that using uninitialized mask to get the ultimate frequency. +2. Check return of smu_cmn_send_smc_msg_with_param to avoid using +uninitialized variable residency. + +Signed-off-by: Tim Huang +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c +index 201cec599842..f46cda889483 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c +@@ -1009,6 +1009,18 @@ static int vangogh_get_dpm_ultimate_freq(struct smu_context *smu, + } + } + if (min) { ++ ret = vangogh_get_profiling_clk_mask(smu, ++ AMD_DPM_FORCED_LEVEL_PROFILE_MIN_MCLK, ++ NULL, ++ NULL, ++ &mclk_mask, ++ &fclk_mask, ++ &soc_mask); ++ if (ret) ++ goto failed; ++ ++ vclk_mask = dclk_mask = 0; ++ + switch (clk_type) { + case SMU_UCLK: + case SMU_MCLK: +@@ -2481,6 +2493,8 @@ static u32 vangogh_set_gfxoff_residency(struct smu_context *smu, bool start) + + ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_LogGfxOffResidency, + start, &residency); ++ if (ret) ++ return ret; + + if (!start) + adev->gfx.gfx_off_residency = residency; +-- +2.43.0 + diff --git a/queue-6.6/drm-amd-pm-fix-warning-using-uninitialized-value-of-.patch b/queue-6.6/drm-amd-pm-fix-warning-using-uninitialized-value-of-.patch new file mode 100644 index 00000000000..80797c60977 --- /dev/null +++ b/queue-6.6/drm-amd-pm-fix-warning-using-uninitialized-value-of-.patch @@ -0,0 +1,41 @@ +From e36c43e8896899a635b18fcbff0f21a8cb33240e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Apr 2024 15:26:25 +0800 +Subject: drm/amd/pm: fix warning using uninitialized value of max_vid_step + +From: Jesse Zhang + +[ Upstream commit 17e3bea65cdc453695b2fe4ff26d25d17f5339e9 ] + +Check the return of pp_atomfwctrl_get_Voltage_table_v4 +as it may fail to initialize max_vid_step +V2: change the check condition (Tim Huang) + +Signed-off-by: Jesse Zhang +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +index d43a530aba0e..d500da8194e2 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +@@ -2571,8 +2571,11 @@ static int vega10_init_smc_table(struct pp_hwmgr *hwmgr) + } + } + +- pp_atomfwctrl_get_voltage_table_v4(hwmgr, VOLTAGE_TYPE_VDDC, ++ result = pp_atomfwctrl_get_voltage_table_v4(hwmgr, VOLTAGE_TYPE_VDDC, + VOLTAGE_OBJ_SVID2, &voltage_table); ++ PP_ASSERT_WITH_CODE(!result, ++ "Failed to get voltage table!", ++ return result); + pp_table->MaxVidStep = voltage_table.max_vid_step; + + pp_table->GfxDpmVoltageMode = +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-add-lock-in-amdgpu_gart_invalidate_tlb.patch b/queue-6.6/drm-amdgpu-add-lock-in-amdgpu_gart_invalidate_tlb.patch new file mode 100644 index 00000000000..7cb64735321 --- /dev/null +++ b/queue-6.6/drm-amdgpu-add-lock-in-amdgpu_gart_invalidate_tlb.patch @@ -0,0 +1,51 @@ +From fd2c27e6d997ac7494ebb16a52e818c317b5bf16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 May 2024 17:11:30 -0400 +Subject: drm/amdgpu: add lock in amdgpu_gart_invalidate_tlb +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yunxiang Li + +[ Upstream commit 18f2525d31401e5142db95ff3a6ec0f4147be818 ] + +We need to take the reset domain lock before flush hdp. We can't put the +lock inside amdgpu_device_flush_hdp itself because it is used during +reset where we already take the write side lock. + +Signed-off-by: Yunxiang Li +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c +index 73b8cca35bab..eace2c9d0c36 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c +@@ -34,6 +34,7 @@ + #include + #endif + #include "amdgpu.h" ++#include "amdgpu_reset.h" + #include + #include + +@@ -400,7 +401,10 @@ void amdgpu_gart_invalidate_tlb(struct amdgpu_device *adev) + return; + + mb(); +- amdgpu_device_flush_hdp(adev, NULL); ++ if (down_read_trylock(&adev->reset_domain->sem)) { ++ amdgpu_device_flush_hdp(adev, NULL); ++ up_read(&adev->reset_domain->sem); ++ } + for_each_set_bit(i, adev->vmhubs_mask, AMDGPU_MAX_VMHUBS) + amdgpu_gmc_flush_gpu_tlb(adev, 0, i, 0); + } +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-add-lock-in-kfd_process_dequeue_from_devi.patch b/queue-6.6/drm-amdgpu-add-lock-in-kfd_process_dequeue_from_devi.patch new file mode 100644 index 00000000000..69beb665437 --- /dev/null +++ b/queue-6.6/drm-amdgpu-add-lock-in-kfd_process_dequeue_from_devi.patch @@ -0,0 +1,52 @@ +From a4c2564db4988fb5c74bb7cd69de0ca64be471b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jun 2024 12:29:30 -0400 +Subject: drm/amdgpu: add lock in kfd_process_dequeue_from_device + +From: Yunxiang Li + +[ Upstream commit d225960c2330e102370815367b877baaf8bb8b5d ] + +We need to take the reset domain lock before talking to MES. While in +this case we can take the lock inside the mes helper. We can't do so for +most other mes helpers since they are used during reset. So for +consistency sake we add the lock here. + +Signed-off-by: Yunxiang Li +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +index 43eff221eae5..8aca92624a77 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c +@@ -28,6 +28,7 @@ + #include "kfd_priv.h" + #include "kfd_kernel_queue.h" + #include "amdgpu_amdkfd.h" ++#include "amdgpu_reset.h" + + static inline struct process_queue_node *get_queue_by_qid( + struct process_queue_manager *pqm, unsigned int qid) +@@ -87,8 +88,12 @@ void kfd_process_dequeue_from_device(struct kfd_process_device *pdd) + return; + + dev->dqm->ops.process_termination(dev->dqm, &pdd->qpd); +- if (dev->kfd->shared_resources.enable_mes) +- amdgpu_mes_flush_shader_debugger(dev->adev, pdd->proc_ctx_gpu_addr); ++ if (dev->kfd->shared_resources.enable_mes && ++ down_read_trylock(&dev->adev->reset_domain->sem)) { ++ amdgpu_mes_flush_shader_debugger(dev->adev, ++ pdd->proc_ctx_gpu_addr); ++ up_read(&dev->adev->reset_domain->sem); ++ } + pdd->already_dequeued = true; + } + +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-add-skip_hw_access-checks-for-sriov.patch b/queue-6.6/drm-amdgpu-add-skip_hw_access-checks-for-sriov.patch new file mode 100644 index 00000000000..2e2a9b1198c --- /dev/null +++ b/queue-6.6/drm-amdgpu-add-skip_hw_access-checks-for-sriov.patch @@ -0,0 +1,60 @@ +From 7f3a64603da10f67ccde76a13d1c86b7e2e82156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 May 2024 16:14:55 -0400 +Subject: drm/amdgpu: add skip_hw_access checks for sriov +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yunxiang Li + +[ Upstream commit b3948ad1ac582f560e1f3aeaecf384619921c48d ] + +Accessing registers via host is missing the check for skip_hw_access and +the lockdep check that comes with it. + +Signed-off-by: Yunxiang Li +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +index 7768c756fe88..d9dc675b46ae 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +@@ -998,6 +998,9 @@ static u32 amdgpu_virt_rlcg_reg_rw(struct amdgpu_device *adev, u32 offset, u32 v + return 0; + } + ++ if (amdgpu_device_skip_hw_access(adev)) ++ return 0; ++ + reg_access_ctrl = &adev->gfx.rlc.reg_access_ctrl[xcc_id]; + scratch_reg0 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg0; + scratch_reg1 = (void __iomem *)adev->rmmio + 4 * reg_access_ctrl->scratch_reg1; +@@ -1073,6 +1076,9 @@ void amdgpu_sriov_wreg(struct amdgpu_device *adev, + { + u32 rlcg_flag; + ++ if (amdgpu_device_skip_hw_access(adev)) ++ return; ++ + if (!amdgpu_sriov_runtime(adev) && + amdgpu_virt_get_rlcg_reg_access_flag(adev, acc_flags, hwip, true, &rlcg_flag)) { + amdgpu_virt_rlcg_reg_rw(adev, offset, value, rlcg_flag, xcc_id); +@@ -1090,6 +1096,9 @@ u32 amdgpu_sriov_rreg(struct amdgpu_device *adev, + { + u32 rlcg_flag; + ++ if (amdgpu_device_skip_hw_access(adev)) ++ return 0; ++ + if (!amdgpu_sriov_runtime(adev) && + amdgpu_virt_get_rlcg_reg_access_flag(adev, acc_flags, hwip, false, &rlcg_flag)) + return amdgpu_virt_rlcg_reg_rw(adev, offset, 0, rlcg_flag, xcc_id); +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-avoid-reading-vf2pf-info-size-from-fb.patch b/queue-6.6/drm-amdgpu-avoid-reading-vf2pf-info-size-from-fb.patch new file mode 100644 index 00000000000..5db85b3eca2 --- /dev/null +++ b/queue-6.6/drm-amdgpu-avoid-reading-vf2pf-info-size-from-fb.patch @@ -0,0 +1,37 @@ +From a666e0e5f1f8dfac7fa8ccd6e531a4df61186977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Apr 2024 16:35:14 -0400 +Subject: drm/amdgpu: avoid reading vf2pf info size from FB + +From: Zhigang Luo + +[ Upstream commit 3bcc0ee14768d886cedff65da72d83d375a31a56 ] + +VF can't access FB when host is doing mode1 reset. Using sizeof to get +vf2pf info size, instead of reading it from vf2pf header stored in FB. + +Signed-off-by: Zhigang Luo +Reviewed-by: Hawking Zhang +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +index ff4f52e07cc0..7768c756fe88 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c +@@ -615,7 +615,7 @@ static int amdgpu_virt_write_vf2pf_data(struct amdgpu_device *adev) + vf2pf_info->dummy_page_addr = (uint64_t)adev->dummy_page_addr; + vf2pf_info->checksum = + amd_sriov_msg_checksum( +- vf2pf_info, vf2pf_info->header.size, 0, 0); ++ vf2pf_info, sizeof(*vf2pf_info), 0, 0); + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-dereference-after-null-check.patch b/queue-6.6/drm-amdgpu-fix-dereference-after-null-check.patch new file mode 100644 index 00000000000..c6b2077d2d4 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-dereference-after-null-check.patch @@ -0,0 +1,35 @@ +From f240a9894ca7f772147c7c6651a470ce52057230 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 14:51:35 +0800 +Subject: drm/amdgpu: fix dereference after null check + +From: Jesse Zhang + +[ Upstream commit b1f7810b05d1950350ac2e06992982974343e441 ] + +check the pointer hive before use. + +Signed-off-by: Jesse Zhang +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 251627c91f98..9c99d69b4b08 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -5236,7 +5236,7 @@ int amdgpu_device_gpu_recover(struct amdgpu_device *adev, + * to put adev in the 1st position. + */ + INIT_LIST_HEAD(&device_list); +- if (!amdgpu_sriov_vf(adev) && (adev->gmc.xgmi.num_physical_nodes > 1)) { ++ if (!amdgpu_sriov_vf(adev) && (adev->gmc.xgmi.num_physical_nodes > 1) && hive) { + list_for_each_entry(tmp_adev, &hive->device_list, gmc.xgmi.head) { + list_add_tail(&tmp_adev->reset_list, &device_list); + if (gpu_reset_for_dev_remove && adev->shutdown) +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch b/queue-6.6/drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch new file mode 100644 index 00000000000..b090a9c7193 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch @@ -0,0 +1,35 @@ +From 2016b693aeac242ef22d437d328b06d7de203dbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 16:30:01 +0800 +Subject: drm/amdgpu: fix mc_data out-of-bounds read warning + +From: Tim Huang + +[ Upstream commit 51dfc0a4d609fe700750a62f41447f01b8c9ea50 ] + +Clear warning that read mc_data[i-1] may out-of-bounds. + +Signed-off-by: Tim Huang +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +index dce9e7d5e4ec..a14a54a734c1 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c +@@ -1476,6 +1476,8 @@ int amdgpu_atombios_init_mc_reg_table(struct amdgpu_device *adev, + (u32)le32_to_cpu(*((u32 *)reg_data + j)); + j++; + } else if ((reg_table->mc_reg_address[i].pre_reg_data & LOW_NIBBLE_MASK) == DATA_EQU_PREV) { ++ if (i == 0) ++ continue; + reg_table->mc_reg_table_entry[num_ranges].mc_data[i] = + reg_table->mc_reg_table_entry[num_ranges].mc_data[i - 1]; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-out-of-bounds-read-of-df_v1_7_channel.patch b/queue-6.6/drm-amdgpu-fix-out-of-bounds-read-of-df_v1_7_channel.patch new file mode 100644 index 00000000000..febd53fa938 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-out-of-bounds-read-of-df_v1_7_channel.patch @@ -0,0 +1,36 @@ +From 26aaae6190e9a0dcff6e96dfbd538984c70fa228 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 May 2024 09:29:33 +0800 +Subject: drm/amdgpu: Fix out-of-bounds read of df_v1_7_channel_number + +From: Ma Jun + +[ Upstream commit d768394fa99467bcf2703bde74ddc96eeb0b71fa ] + +Check the fb_channel_number range to avoid the array out-of-bounds +read error + +Signed-off-by: Ma Jun +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/df_v1_7.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/df_v1_7.c b/drivers/gpu/drm/amd/amdgpu/df_v1_7.c +index 5dfab80ffff2..cd298556f7a6 100644 +--- a/drivers/gpu/drm/amd/amdgpu/df_v1_7.c ++++ b/drivers/gpu/drm/amd/amdgpu/df_v1_7.c +@@ -70,6 +70,8 @@ static u32 df_v1_7_get_hbm_channel_number(struct amdgpu_device *adev) + int fb_channel_number; + + fb_channel_number = adev->df.funcs->get_fb_channel_number(adev); ++ if (fb_channel_number >= ARRAY_SIZE(df_v1_7_channel_number)) ++ fb_channel_number = 0; + + return df_v1_7_channel_number[fb_channel_number]; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-out-of-bounds-write-warning.patch b/queue-6.6/drm-amdgpu-fix-out-of-bounds-write-warning.patch new file mode 100644 index 00000000000..eb5b8ad1195 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-out-of-bounds-write-warning.patch @@ -0,0 +1,40 @@ +From 225734600d9405f73eac432f91060de4d5f24940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 14:00:17 +0800 +Subject: drm/amdgpu: Fix out-of-bounds write warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ma Jun + +[ Upstream commit be1684930f5262a622d40ce7a6f1423530d87f89 ] + +Check the ring type value to fix the out-of-bounds +write warning + +Signed-off-by: Ma Jun +Suggested-by: Christian König +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +index 0bedffc4eb43..f44b303ae287 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +@@ -352,7 +352,7 @@ int amdgpu_ring_init(struct amdgpu_device *adev, struct amdgpu_ring *ring, + ring->max_dw = max_dw; + ring->hw_prio = hw_prio; + +- if (!ring->no_scheduler) { ++ if (!ring->no_scheduler && ring->funcs->type < AMDGPU_HW_IP_NUM) { + hw_ip = ring->funcs->type; + num_sched = &adev->gpu_sched[hw_ip][hw_prio].num_scheds; + adev->gpu_sched[hw_ip][hw_prio].sched[(*num_sched)++] = +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-overflowed-array-index-read-warning.patch b/queue-6.6/drm-amdgpu-fix-overflowed-array-index-read-warning.patch new file mode 100644 index 00000000000..1e4cdddcf9c --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-overflowed-array-index-read-warning.patch @@ -0,0 +1,41 @@ +From b54ce4fa15e23870ebdeaffd8d5880b0287d93fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 13:15:27 +0800 +Subject: drm/amdgpu: fix overflowed array index read warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tim Huang + +[ Upstream commit ebbc2ada5c636a6a63d8316a3408753768f5aa9f ] + +Clear overflowed array index read warning by cast operation. + +Signed-off-by: Tim Huang +Reviewed-by: Alex Deucher +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +index dbde3b41c088..0bedffc4eb43 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c +@@ -469,8 +469,9 @@ static ssize_t amdgpu_debugfs_ring_read(struct file *f, char __user *buf, + size_t size, loff_t *pos) + { + struct amdgpu_ring *ring = file_inode(f)->i_private; +- int r, i; + uint32_t value, result, early[3]; ++ loff_t i; ++ int r; + + if (*pos & 3 || size & 3) + return -EINVAL; +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-the-uninitialized-variable-warning.patch b/queue-6.6/drm-amdgpu-fix-the-uninitialized-variable-warning.patch new file mode 100644 index 00000000000..7a40e0d06fe --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-the-uninitialized-variable-warning.patch @@ -0,0 +1,38 @@ +From 1b03c2a16e3b872a7e8e492679b7ac34282b4d3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 15:44:56 +0800 +Subject: drm/amdgpu: Fix the uninitialized variable warning + +From: Ma Jun + +[ Upstream commit 7e39d7ec35883a168343ea02f40e260e176c6c63 ] + +Check the user input and phy_id value range to fix +"Using uninitialized value phy_id" + +Signed-off-by: Ma Jun +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c +index 8ed0e073656f..41ebe690eeff 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_securedisplay.c +@@ -135,6 +135,10 @@ static ssize_t amdgpu_securedisplay_debugfs_write(struct file *f, const char __u + mutex_unlock(&psp->securedisplay_context.mutex); + break; + case 2: ++ if (size < 3 || phy_id >= TA_SECUREDISPLAY_MAX_PHY) { ++ dev_err(adev->dev, "Invalid input: %s\n", str); ++ return -EINVAL; ++ } + mutex_lock(&psp->securedisplay_context.mutex); + psp_prep_securedisplay_cmd_buf(psp, &securedisplay_cmd, + TA_SECUREDISPLAY_COMMAND__SEND_ROI_CRC); +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-the-waring-dereferencing-hive.patch b/queue-6.6/drm-amdgpu-fix-the-waring-dereferencing-hive.patch new file mode 100644 index 00000000000..df11e761cce --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-the-waring-dereferencing-hive.patch @@ -0,0 +1,36 @@ +From b1a069bae9ba678ee830c78aaa4064d9ea9b93f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 16:20:49 +0800 +Subject: drm/amdgpu: fix the waring dereferencing hive + +From: Jesse Zhang + +[ Upstream commit 1940708ccf5aff76de4e0b399f99267c93a89193 ] + +Check the amdgpu_hive_info *hive that maybe is NULL. + +Signed-off-by: Jesse Zhang +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +index 429ef212c1f2..a4f9015345cc 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c +@@ -1336,6 +1336,9 @@ static void psp_xgmi_reflect_topology_info(struct psp_context *psp, + uint8_t dst_num_links = node_info.num_links; + + hive = amdgpu_get_xgmi_hive(psp->adev); ++ if (WARN_ON(!hive)) ++ return; ++ + list_for_each_entry(mirror_adev, &hive->device_list, gmc.xgmi.head) { + struct psp_xgmi_topology_info *mirror_top_info; + int j; +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-the-warning-division-or-modulo-by-zer.patch b/queue-6.6/drm-amdgpu-fix-the-warning-division-or-modulo-by-zer.patch new file mode 100644 index 00000000000..7c378d6f291 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-the-warning-division-or-modulo-by-zer.patch @@ -0,0 +1,40 @@ +From ded78573ce0a35633dc6afa0458fe18524edad4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 17:32:53 +0800 +Subject: drm/amdgpu: Fix the warning division or modulo by zero + +From: Jesse Zhang + +[ Upstream commit 1a00f2ac82d6bc6689388c7edcd2a4bd82664f3c ] + +Checks the partition mode and returns an error for an invalid mode. + +Signed-off-by: Jesse Zhang +Suggested-by: Lijo Lazar +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c b/drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c +index 0284c9198a04..6c6f9d9b5d89 100644 +--- a/drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c ++++ b/drivers/gpu/drm/amd/amdgpu/aqua_vanjaram.c +@@ -500,6 +500,12 @@ static int aqua_vanjaram_switch_partition_mode(struct amdgpu_xcp_mgr *xcp_mgr, + + if (mode == AMDGPU_AUTO_COMPUTE_PARTITION_MODE) { + mode = __aqua_vanjaram_get_auto_mode(xcp_mgr); ++ if (mode == AMDGPU_UNKNOWN_COMPUTE_PARTITION_MODE) { ++ dev_err(adev->dev, ++ "Invalid config, no compatible compute partition mode found, available memory partitions: %d", ++ adev->gmc.num_mem_partitions); ++ return -EINVAL; ++ } + } else if (!__aqua_vanjaram_is_valid_mode(xcp_mgr, mode)) { + dev_err(adev->dev, + "Invalid compute partition mode requested, requested: %s, available memory partitions: %d", +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch b/queue-6.6/drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch new file mode 100644 index 00000000000..77dd3af31a0 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch @@ -0,0 +1,36 @@ +From 2a4858b80a3ae82479b9d181cc9dce607fbc5ca9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 May 2024 16:21:00 +0800 +Subject: drm/amdgpu: fix ucode out-of-bounds read warning + +From: Tim Huang + +[ Upstream commit 8944acd0f9db33e17f387fdc75d33bb473d7936f ] + +Clear warning that read ucode[] may out-of-bounds. + +Signed-off-by: Tim Huang +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c +index b8280be6225d..c3d89088123d 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cgs.c +@@ -213,6 +213,9 @@ static int amdgpu_cgs_get_firmware_info(struct cgs_device *cgs_device, + struct amdgpu_firmware_info *ucode; + + id = fw_type_convert(cgs_device, type); ++ if (id >= AMDGPU_UCODE_ID_MAXIMUM) ++ return -EINVAL; ++ + ucode = &adev->firmware.ucode[id]; + if (ucode->fw == NULL) + return -EINVAL; +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch b/queue-6.6/drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch new file mode 100644 index 00000000000..f486b652a30 --- /dev/null +++ b/queue-6.6/drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch @@ -0,0 +1,35 @@ +From 93dc4ce57d72d0c22ac93cdcc325bca61f5b6425 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 10:50:54 +0800 +Subject: drm/amdgpu: Fix uninitialized variable warning in amdgpu_afmt_acr + +From: Ma Jun + +[ Upstream commit c0d6bd3cd209419cc46ac49562bef1db65d90e70 ] + +Assign value to clock to fix the warning below: +"Using uninitialized value res. Field res.clock is uninitialized" + +Signed-off-by: Ma Jun +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c +index a4d65973bf7c..80771b1480ff 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_afmt.c +@@ -100,6 +100,7 @@ struct amdgpu_afmt_acr amdgpu_afmt_acr(uint32_t clock) + amdgpu_afmt_calc_cts(clock, &res.cts_32khz, &res.n_32khz, 32000); + amdgpu_afmt_calc_cts(clock, &res.cts_44_1khz, &res.n_44_1khz, 44100); + amdgpu_afmt_calc_cts(clock, &res.cts_48khz, &res.n_48khz, 48000); ++ res.clock = clock; + + return res; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-pm-check-input-value-for-custom-profile-m.patch b/queue-6.6/drm-amdgpu-pm-check-input-value-for-custom-profile-m.patch new file mode 100644 index 00000000000..91920567476 --- /dev/null +++ b/queue-6.6/drm-amdgpu-pm-check-input-value-for-custom-profile-m.patch @@ -0,0 +1,65 @@ +From 35f8b99fd5d7557bf625f4e7559b854bc6ebf396 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 10:05:21 +0800 +Subject: drm/amdgpu/pm: Check input value for CUSTOM profile mode setting on + legacy SOCs + +From: Ma Jun + +[ Upstream commit df0a9bd92fbbd3fcafcb2bce6463c9228a3e6868 ] + +Check the input value for CUSTOM profile mode setting on legacy +SOCs. Otherwise we may use uninitalized value of input[] + +Signed-off-by: Ma Jun +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 2 +- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c | 8 ++++++-- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c +index 163864bd51c3..53849fd3615f 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c +@@ -5641,7 +5641,7 @@ static int smu7_set_power_profile_mode(struct pp_hwmgr *hwmgr, long *input, uint + mode = input[size]; + switch (mode) { + case PP_SMC_POWER_PROFILE_CUSTOM: +- if (size < 8 && size != 0) ++ if (size != 8 && size != 0) + return -EINVAL; + /* If only CUSTOM is passed in, use the saved values. Check + * that we actually have a CUSTOM profile by ensuring that +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c +index f97ac4b79d8b..9fdb9990d188 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c +@@ -4102,9 +4102,11 @@ static int vega20_set_power_profile_mode(struct pp_hwmgr *hwmgr, long *input, ui + if (power_profile_mode == PP_SMC_POWER_PROFILE_CUSTOM) { + struct vega20_hwmgr *data = + (struct vega20_hwmgr *)(hwmgr->backend); +- if (size == 0 && !data->is_custom_profile_set) ++ ++ if (size != 10 && size != 0) + return -EINVAL; +- if (size < 10 && size != 0) ++ ++ if (size == 0 && !data->is_custom_profile_set) + return -EINVAL; + + result = vega20_get_activity_monitor_coeff(hwmgr, +@@ -4166,6 +4168,8 @@ static int vega20_set_power_profile_mode(struct pp_hwmgr *hwmgr, long *input, ui + activity_monitor.Fclk_PD_Data_error_coeff = input[8]; + activity_monitor.Fclk_PD_Data_error_rate_coeff = input[9]; + break; ++ default: ++ return -EINVAL; + } + + result = vega20_set_activity_monitor_coeff(hwmgr, +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-pm-check-the-return-value-of-smum_send_ms.patch b/queue-6.6/drm-amdgpu-pm-check-the-return-value-of-smum_send_ms.patch new file mode 100644 index 00000000000..bb967490aeb --- /dev/null +++ b/queue-6.6/drm-amdgpu-pm-check-the-return-value-of-smum_send_ms.patch @@ -0,0 +1,49 @@ +From 0f62f7b74fd4124c5bab2eb53d2aa1bbbbe4d56b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 14:38:04 +0800 +Subject: drm/amdgpu/pm: Check the return value of smum_send_msg_to_smc + +From: Ma Jun + +[ Upstream commit 579f0c21baec9e7506b6bb3f60f0a9b6d07693b4 ] + +Check the return value of smum_send_msg_to_smc, otherwise +we might use an uninitialized variable "now" + +Signed-off-by: Ma Jun +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c +index 02ba68d7c654..0b181bc8931c 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c +@@ -1036,7 +1036,9 @@ static int smu10_print_clock_levels(struct pp_hwmgr *hwmgr, + + switch (type) { + case PP_SCLK: +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetGfxclkFrequency, &now); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetGfxclkFrequency, &now); ++ if (ret) ++ return ret; + + /* driver only know min/max gfx_clk, Add level 1 for all other gfx clks */ + if (now == data->gfx_max_freq_limit/100) +@@ -1057,7 +1059,9 @@ static int smu10_print_clock_levels(struct pp_hwmgr *hwmgr, + i == 2 ? "*" : ""); + break; + case PP_MCLK: +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetFclkFrequency, &now); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetFclkFrequency, &now); ++ if (ret) ++ return ret; + + for (i = 0; i < mclk_table->count; i++) + size += sprintf(buf + size, "%d: %uMhz %s\n", +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-pm-fix-uninitialized-variable-agc_btc_res.patch b/queue-6.6/drm-amdgpu-pm-fix-uninitialized-variable-agc_btc_res.patch new file mode 100644 index 00000000000..6791bece51c --- /dev/null +++ b/queue-6.6/drm-amdgpu-pm-fix-uninitialized-variable-agc_btc_res.patch @@ -0,0 +1,50 @@ +From 7c503baf5e2b3798ca1e114ce18af4c1657a6696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Apr 2024 14:41:38 +0800 +Subject: drm/amdgpu/pm: Fix uninitialized variable agc_btc_response + +From: Ma Jun + +[ Upstream commit df4409d8a04dd39d7f2aa0c5f528a56b99eaaa13 ] + +Assign an default value to agc_btc_response in failed case + +Signed-off-by: Ma Jun +Acked-by: Alex Deucher +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +index a97e393067e4..6c87b3d4ab36 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +@@ -2361,15 +2361,20 @@ static int vega10_acg_enable(struct pp_hwmgr *hwmgr) + { + struct vega10_hwmgr *data = hwmgr->backend; + uint32_t agc_btc_response; ++ int ret; + + if (data->smu_features[GNLD_ACG].supported) { + if (0 == vega10_enable_smc_features(hwmgr, true, + data->smu_features[GNLD_DPM_PREFETCHER].smu_feature_bitmap)) + data->smu_features[GNLD_DPM_PREFETCHER].enabled = true; + +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_InitializeAcg, NULL); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_InitializeAcg, NULL); ++ if (ret) ++ return ret; + +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_RunAcgBtc, &agc_btc_response); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_RunAcgBtc, &agc_btc_response); ++ if (ret) ++ agc_btc_response = 0; + + if (1 == agc_btc_response) { + if (1 == data->acg_loop_state) +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-pm-fix-uninitialized-variable-warning-for.patch b/queue-6.6/drm-amdgpu-pm-fix-uninitialized-variable-warning-for.patch new file mode 100644 index 00000000000..f76b10492e1 --- /dev/null +++ b/queue-6.6/drm-amdgpu-pm-fix-uninitialized-variable-warning-for.patch @@ -0,0 +1,185 @@ +From edd902ea31f820fa4efb013ad754962578f30abf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Apr 2024 17:46:08 +0800 +Subject: drm/amdgpu/pm: Fix uninitialized variable warning for smu10 + +From: Ma Jun + +[ Upstream commit 336c8f558d596699d3d9814a45600139b2f23f27 ] + +Check return value of smum_send_msg_to_smc to fix +uninitialized variable varning + +Signed-off-by: Ma Jun +Acked-by: Alex Deucher +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c | 21 +++++++++++++---- + .../drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c | 20 ++++++++++++---- + .../drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c | 23 ++++++++++++++----- + 3 files changed, 48 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c +index 0b181bc8931c..f62381b189ad 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c +@@ -1554,7 +1554,10 @@ static int smu10_set_fine_grain_clk_vol(struct pp_hwmgr *hwmgr, + } + + if (input[0] == 0) { +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMinGfxclkFrequency, &min_freq); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMinGfxclkFrequency, &min_freq); ++ if (ret) ++ return ret; ++ + if (input[1] < min_freq) { + pr_err("Fine grain setting minimum sclk (%ld) MHz is less than the minimum allowed (%d) MHz\n", + input[1], min_freq); +@@ -1562,7 +1565,10 @@ static int smu10_set_fine_grain_clk_vol(struct pp_hwmgr *hwmgr, + } + smu10_data->gfx_actual_soft_min_freq = input[1]; + } else if (input[0] == 1) { +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxGfxclkFrequency, &max_freq); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxGfxclkFrequency, &max_freq); ++ if (ret) ++ return ret; ++ + if (input[1] > max_freq) { + pr_err("Fine grain setting maximum sclk (%ld) MHz is greater than the maximum allowed (%d) MHz\n", + input[1], max_freq); +@@ -1577,10 +1583,15 @@ static int smu10_set_fine_grain_clk_vol(struct pp_hwmgr *hwmgr, + pr_err("Input parameter number not correct\n"); + return -EINVAL; + } +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMinGfxclkFrequency, &min_freq); +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxGfxclkFrequency, &max_freq); +- ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMinGfxclkFrequency, &min_freq); ++ if (ret) ++ return ret; + smu10_data->gfx_actual_soft_min_freq = min_freq; ++ ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetMaxGfxclkFrequency, &max_freq); ++ if (ret) ++ return ret; ++ + smu10_data->gfx_actual_soft_max_freq = max_freq; + } else if (type == PP_OD_COMMIT_DPM_TABLE) { + if (size != 0) { +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c +index 460067933de2..069c0f5205e0 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c +@@ -293,12 +293,12 @@ static int vega12_set_features_platform_caps(struct pp_hwmgr *hwmgr) + return 0; + } + +-static void vega12_init_dpm_defaults(struct pp_hwmgr *hwmgr) ++static int vega12_init_dpm_defaults(struct pp_hwmgr *hwmgr) + { + struct vega12_hwmgr *data = (struct vega12_hwmgr *)(hwmgr->backend); + struct amdgpu_device *adev = hwmgr->adev; + uint32_t top32, bottom32; +- int i; ++ int i, ret; + + data->smu_features[GNLD_DPM_PREFETCHER].smu_feature_id = + FEATURE_DPM_PREFETCHER_BIT; +@@ -364,10 +364,16 @@ static void vega12_init_dpm_defaults(struct pp_hwmgr *hwmgr) + } + + /* Get the SN to turn into a Unique ID */ +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32); +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32); ++ if (ret) ++ return ret; ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32); ++ if (ret) ++ return ret; + + adev->unique_id = ((uint64_t)bottom32 << 32) | top32; ++ ++ return 0; + } + + static int vega12_set_private_data_based_on_pptable(struct pp_hwmgr *hwmgr) +@@ -410,7 +416,11 @@ static int vega12_hwmgr_backend_init(struct pp_hwmgr *hwmgr) + + vega12_set_features_platform_caps(hwmgr); + +- vega12_init_dpm_defaults(hwmgr); ++ result = vega12_init_dpm_defaults(hwmgr); ++ if (result) { ++ pr_err("%s failed\n", __func__); ++ return result; ++ } + + /* Parse pptable data read from VBIOS */ + vega12_set_private_data_based_on_pptable(hwmgr); +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c +index 3b33af30eb0f..f97ac4b79d8b 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c +@@ -328,12 +328,12 @@ static int vega20_set_features_platform_caps(struct pp_hwmgr *hwmgr) + return 0; + } + +-static void vega20_init_dpm_defaults(struct pp_hwmgr *hwmgr) ++static int vega20_init_dpm_defaults(struct pp_hwmgr *hwmgr) + { + struct vega20_hwmgr *data = (struct vega20_hwmgr *)(hwmgr->backend); + struct amdgpu_device *adev = hwmgr->adev; + uint32_t top32, bottom32; +- int i; ++ int i, ret; + + data->smu_features[GNLD_DPM_PREFETCHER].smu_feature_id = + FEATURE_DPM_PREFETCHER_BIT; +@@ -404,10 +404,17 @@ static void vega20_init_dpm_defaults(struct pp_hwmgr *hwmgr) + } + + /* Get the SN to turn into a Unique ID */ +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32); +- smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32); ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumTop32, &top32); ++ if (ret) ++ return ret; ++ ++ ret = smum_send_msg_to_smc(hwmgr, PPSMC_MSG_ReadSerialNumBottom32, &bottom32); ++ if (ret) ++ return ret; + + adev->unique_id = ((uint64_t)bottom32 << 32) | top32; ++ ++ return 0; + } + + static int vega20_set_private_data_based_on_pptable(struct pp_hwmgr *hwmgr) +@@ -427,6 +434,7 @@ static int vega20_hwmgr_backend_init(struct pp_hwmgr *hwmgr) + { + struct vega20_hwmgr *data; + struct amdgpu_device *adev = hwmgr->adev; ++ int result; + + data = kzalloc(sizeof(struct vega20_hwmgr), GFP_KERNEL); + if (data == NULL) +@@ -452,8 +460,11 @@ static int vega20_hwmgr_backend_init(struct pp_hwmgr *hwmgr) + + vega20_set_features_platform_caps(hwmgr); + +- vega20_init_dpm_defaults(hwmgr); +- ++ result = vega20_init_dpm_defaults(hwmgr); ++ if (result) { ++ pr_err("%s failed\n", __func__); ++ return result; ++ } + /* Parse pptable data read from VBIOS */ + vega20_set_private_data_based_on_pptable(hwmgr); + +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-the-warning-dereferencing-obj-for-nbio_v7.patch b/queue-6.6/drm-amdgpu-the-warning-dereferencing-obj-for-nbio_v7.patch new file mode 100644 index 00000000000..3272ac91a3f --- /dev/null +++ b/queue-6.6/drm-amdgpu-the-warning-dereferencing-obj-for-nbio_v7.patch @@ -0,0 +1,36 @@ +From 5c9be64f5683d71e6475faf86b1187256337b611 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 15:22:42 +0800 +Subject: drm/amdgpu: the warning dereferencing obj for nbio_v7_4 + +From: Jesse Zhang + +[ Upstream commit d190b459b2a4304307c3468ed97477b808381011 ] + +if ras_manager obj null, don't print NBIO err data + +Signed-off-by: Jesse Zhang +Suggested-by: Tim Huang +Reviewed-by: Tim Huang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c b/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c +index 685abf57ffdd..977b956bf930 100644 +--- a/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c ++++ b/drivers/gpu/drm/amd/amdgpu/nbio_v7_4.c +@@ -384,7 +384,7 @@ static void nbio_v7_4_handle_ras_controller_intr_no_bifring(struct amdgpu_device + else + WREG32_SOC15(NBIO, 0, mmBIF_DOORBELL_INT_CNTL, bif_doorbell_intr_cntl); + +- if (!ras->disable_ras_err_cnt_harvest) { ++ if (ras && !ras->disable_ras_err_cnt_harvest && obj) { + /* + * clear error status after ras_controller_intr + * according to hw team and count ue number +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgpu-update-type-of-buf-size-to-u32-for-eeprom.patch b/queue-6.6/drm-amdgpu-update-type-of-buf-size-to-u32-for-eeprom.patch new file mode 100644 index 00000000000..5e0042e96bf --- /dev/null +++ b/queue-6.6/drm-amdgpu-update-type-of-buf-size-to-u32-for-eeprom.patch @@ -0,0 +1,71 @@ +From d85ea0111df8b1a456747494568a18aeb4828fca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 May 2024 18:04:26 +0800 +Subject: drm/amdgpu: update type of buf size to u32 for eeprom functions + +From: Tao Zhou + +[ Upstream commit 2aadb520bfacec12527effce3566f8df55e5d08e ] + +Avoid overflow issue. + +Signed-off-by: Tao Zhou +Reviewed-by: Yang Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c | 6 +++--- + drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.h | 4 ++-- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c +index e71768661ca8..09a34c7258e2 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.c +@@ -179,7 +179,7 @@ static int __amdgpu_eeprom_xfer(struct i2c_adapter *i2c_adap, u32 eeprom_addr, + * Returns the number of bytes read/written; -errno on error. + */ + static int amdgpu_eeprom_xfer(struct i2c_adapter *i2c_adap, u32 eeprom_addr, +- u8 *eeprom_buf, u16 buf_size, bool read) ++ u8 *eeprom_buf, u32 buf_size, bool read) + { + const struct i2c_adapter_quirks *quirks = i2c_adap->quirks; + u16 limit; +@@ -225,7 +225,7 @@ static int amdgpu_eeprom_xfer(struct i2c_adapter *i2c_adap, u32 eeprom_addr, + + int amdgpu_eeprom_read(struct i2c_adapter *i2c_adap, + u32 eeprom_addr, u8 *eeprom_buf, +- u16 bytes) ++ u32 bytes) + { + return amdgpu_eeprom_xfer(i2c_adap, eeprom_addr, eeprom_buf, bytes, + true); +@@ -233,7 +233,7 @@ int amdgpu_eeprom_read(struct i2c_adapter *i2c_adap, + + int amdgpu_eeprom_write(struct i2c_adapter *i2c_adap, + u32 eeprom_addr, u8 *eeprom_buf, +- u16 bytes) ++ u32 bytes) + { + return amdgpu_eeprom_xfer(i2c_adap, eeprom_addr, eeprom_buf, bytes, + false); +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.h +index 6935adb2be1f..8083b8253ef4 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_eeprom.h +@@ -28,10 +28,10 @@ + + int amdgpu_eeprom_read(struct i2c_adapter *i2c_adap, + u32 eeprom_addr, u8 *eeprom_buf, +- u16 bytes); ++ u32 bytes); + + int amdgpu_eeprom_write(struct i2c_adapter *i2c_adap, + u32 eeprom_addr, u8 *eeprom_buf, +- u16 bytes); ++ u32 bytes); + + #endif +-- +2.43.0 + diff --git a/queue-6.6/drm-amdgu-fix-unintentional-integer-overflow-for-mal.patch b/queue-6.6/drm-amdgu-fix-unintentional-integer-overflow-for-mal.patch new file mode 100644 index 00000000000..c695d8a41e1 --- /dev/null +++ b/queue-6.6/drm-amdgu-fix-unintentional-integer-overflow-for-mal.patch @@ -0,0 +1,39 @@ +From 4e006a950dbb10396d64688dbc9036b07301dd28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 May 2024 17:29:01 +0800 +Subject: drm/amdgu: fix Unintentional integer overflow for mall size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jesse Zhang + +[ Upstream commit c09d2eff81a997c169e0cacacd6b60c5e3aa33f2 ] + +Potentially overflowing expression mall_size_per_umc * adev->gmc.num_umc with type unsigned int (32 bits, unsigned) +is evaluated using 32-bit arithmetic,and then used in a context that expects an expression of type u64 (64 bits, unsigned). + +Signed-off-by: Jesse Zhang +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c +index cf2faeae1d0d..b04d789bfd10 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c +@@ -1550,7 +1550,7 @@ static int amdgpu_discovery_get_mall_info(struct amdgpu_device *adev) + break; + case 2: + mall_size_per_umc = le32_to_cpu(mall_info->v2.mall_size_per_umc); +- adev->gmc.mall_size = mall_size_per_umc * adev->gmc.num_umc; ++ adev->gmc.mall_size = (uint64_t)mall_size_per_umc * adev->gmc.num_umc; + break; + default: + dev_err(adev->dev, +-- +2.43.0 + diff --git a/queue-6.6/drm-amdkfd-check-debug-trap-enable-before-write-dbg_.patch b/queue-6.6/drm-amdkfd-check-debug-trap-enable-before-write-dbg_.patch new file mode 100644 index 00000000000..7fccbf0a507 --- /dev/null +++ b/queue-6.6/drm-amdkfd-check-debug-trap-enable-before-write-dbg_.patch @@ -0,0 +1,47 @@ +From aeb27898b743d93d399327fe56082a70460ff696 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Apr 2024 11:27:16 +0800 +Subject: drm/amdkfd: Check debug trap enable before write dbg_ev_file + +From: Lin.Cao + +[ Upstream commit 547033b593063eb85bfdf9b25a5f1b8fd1911be2 ] + +In interrupt context, write dbg_ev_file will be run by work queue. It +will cause write dbg_ev_file execution after debug_trap_disable, which +will cause NULL pointer access. +v2: cancel work "debug_event_workarea" before set dbg_ev_file as NULL. + +Signed-off-by: Lin.Cao +Reviewed-by: Jonathan Kim +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_debug.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_debug.c b/drivers/gpu/drm/amd/amdkfd/kfd_debug.c +index 9ec750666382..94aaf2fc556c 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_debug.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_debug.c +@@ -103,7 +103,8 @@ void debug_event_write_work_handler(struct work_struct *work) + struct kfd_process, + debug_event_workarea); + +- kernel_write(process->dbg_ev_file, &write_data, 1, &pos); ++ if (process->debug_trap_enabled && process->dbg_ev_file) ++ kernel_write(process->dbg_ev_file, &write_data, 1, &pos); + } + + /* update process/device/queue exception status, write to descriptor +@@ -645,6 +646,7 @@ int kfd_dbg_trap_disable(struct kfd_process *target) + else if (target->runtime_info.runtime_state != DEBUG_RUNTIME_STATE_DISABLED) + target->runtime_info.runtime_state = DEBUG_RUNTIME_STATE_ENABLED; + ++ cancel_work_sync(&target->debug_event_workarea); + fput(target->dbg_ev_file); + target->dbg_ev_file = NULL; + +-- +2.43.0 + diff --git a/queue-6.6/drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch b/queue-6.6/drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch new file mode 100644 index 00000000000..cd09d7ff9e5 --- /dev/null +++ b/queue-6.6/drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch @@ -0,0 +1,71 @@ +From 275421f76699f64bb628bb83e9072f6ff385458d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2024 15:31:08 -0400 +Subject: drm/amdkfd: Reconcile the definition and use of oem_id in struct + kfd_topology_device + +From: Michael Chen + +[ Upstream commit 10f624ef239bd136cdcc5bbc626157a57b938a31 ] + +Currently oem_id is defined as uint8_t[6] and casted to uint64_t* +in some use case. This would lead code scanner to complain about +access beyond. Re-define it in union to enforce 8-byte size and +alignment to avoid potential issue. + +Signed-off-by: Michael Chen +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_crat.h | 2 -- + drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 3 +-- + drivers/gpu/drm/amd/amdkfd/kfd_topology.h | 5 ++++- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.h b/drivers/gpu/drm/amd/amdkfd/kfd_crat.h +index 74c2d7a0d628..2f54ee08f269 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.h ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.h +@@ -42,8 +42,6 @@ + #define CRAT_OEMTABLEID_LENGTH 8 + #define CRAT_RESERVED_LENGTH 6 + +-#define CRAT_OEMID_64BIT_MASK ((1ULL << (CRAT_OEMID_LENGTH * 8)) - 1) +- + /* Compute Unit flags */ + #define COMPUTE_UNIT_CPU (1 << 0) /* Create Virtual CRAT for CPU */ + #define COMPUTE_UNIT_GPU (1 << 1) /* Create Virtual CRAT for GPU */ +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +index 61157fddc15c..8362a71ab707 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c +@@ -958,8 +958,7 @@ static void kfd_update_system_properties(void) + dev = list_last_entry(&topology_device_list, + struct kfd_topology_device, list); + if (dev) { +- sys_props.platform_id = +- (*((uint64_t *)dev->oem_id)) & CRAT_OEMID_64BIT_MASK; ++ sys_props.platform_id = dev->oem_id64; + sys_props.platform_oem = *((uint64_t *)dev->oem_table_id); + sys_props.platform_rev = dev->oem_revision; + } +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_topology.h b/drivers/gpu/drm/amd/amdkfd/kfd_topology.h +index 27386ce9a021..2d1c9d771bef 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.h ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.h +@@ -154,7 +154,10 @@ struct kfd_topology_device { + struct attribute attr_gpuid; + struct attribute attr_name; + struct attribute attr_props; +- uint8_t oem_id[CRAT_OEMID_LENGTH]; ++ union { ++ uint8_t oem_id[CRAT_OEMID_LENGTH]; ++ uint64_t oem_id64; ++ }; + uint8_t oem_table_id[CRAT_OEMTABLEID_LENGTH]; + uint32_t oem_revision; + }; +-- +2.43.0 + diff --git a/queue-6.6/drm-bridge-tc358767-check-if-fully-initialized-befor.patch b/queue-6.6/drm-bridge-tc358767-check-if-fully-initialized-befor.patch new file mode 100644 index 00000000000..bdf099fd42e --- /dev/null +++ b/queue-6.6/drm-bridge-tc358767-check-if-fully-initialized-befor.patch @@ -0,0 +1,39 @@ +From 2fa1203a99a71f38e9477fa3027d6aac60fd9e2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 22:33:12 +0200 +Subject: drm/bridge: tc358767: Check if fully initialized before signalling + HPD event via IRQ + +From: Marek Vasut + +[ Upstream commit 162e48cb1d84c2c966b649b8ac5c9d4f75f6d44f ] + +Make sure the connector is fully initialized before signalling any +HPD events via drm_kms_helper_hotplug_event(), otherwise this may +lead to NULL pointer dereference. + +Signed-off-by: Marek Vasut +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240531203333.277476-1-marex@denx.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358767.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c +index d941c3a0e611..7fd4a5fe03ed 100644 +--- a/drivers/gpu/drm/bridge/tc358767.c ++++ b/drivers/gpu/drm/bridge/tc358767.c +@@ -2034,7 +2034,7 @@ static irqreturn_t tc_irq_handler(int irq, void *arg) + dev_err(tc->dev, "syserr %x\n", stat); + } + +- if (tc->hpd_pin >= 0 && tc->bridge.dev) { ++ if (tc->hpd_pin >= 0 && tc->bridge.dev && tc->aux.drm_dev) { + /* + * H is triggered when the GPIO goes high. + * +-- +2.43.0 + diff --git a/queue-6.6/drm-drm-bridge-drop-conditionals-around-of_node-poin.patch b/queue-6.6/drm-drm-bridge-drop-conditionals-around-of_node-poin.patch new file mode 100644 index 00000000000..22a0d949f5d --- /dev/null +++ b/queue-6.6/drm-drm-bridge-drop-conditionals-around-of_node-poin.patch @@ -0,0 +1,47 @@ +From 74f5f42c35daf9aedbc96283321c30fc591c634f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 May 2024 02:00:00 +0800 +Subject: drm/drm-bridge: Drop conditionals around of_node pointers + +From: Sui Jingfeng + +[ Upstream commit ad3323a6ccb7d43bbeeaa46d5311c43d5d361fc7 ] + +Having conditional around the of_node pointer of the drm_bridge structure +is not necessary, since drm_bridge structure always has the of_node as its +member. + +Let's drop the conditional to get a better looks, please also note that +this is following the already accepted commitments. see commit d8dfccde2709 +("drm/bridge: Drop conditionals around of_node pointers") for reference. + +Signed-off-by: Sui Jingfeng +Reviewed-by: Laurent Pinchart +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20240507180001.1358816-1-sui.jingfeng@linux.dev +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_bridge.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/gpu/drm/drm_bridge.c b/drivers/gpu/drm/drm_bridge.c +index 62d8a291c49c..70b05582e616 100644 +--- a/drivers/gpu/drm/drm_bridge.c ++++ b/drivers/gpu/drm/drm_bridge.c +@@ -353,13 +353,8 @@ int drm_bridge_attach(struct drm_encoder *encoder, struct drm_bridge *bridge, + bridge->encoder = NULL; + list_del(&bridge->chain_node); + +-#ifdef CONFIG_OF + DRM_ERROR("failed to attach bridge %pOF to encoder %s: %d\n", + bridge->of_node, encoder->name, ret); +-#else +- DRM_ERROR("failed to attach bridge to encoder %s: %d\n", +- encoder->name, ret); +-#endif + + return ret; + } +-- +2.43.0 + diff --git a/queue-6.6/drm-kfd-correct-pinned-buffer-handling-at-kfd-restor.patch b/queue-6.6/drm-kfd-correct-pinned-buffer-handling-at-kfd-restor.patch new file mode 100644 index 00000000000..274b97f1d3c --- /dev/null +++ b/queue-6.6/drm-kfd-correct-pinned-buffer-handling-at-kfd-restor.patch @@ -0,0 +1,59 @@ +From 47f81bf09d1dcd88577e7e4fa5399ecc22a7c513 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 23:54:25 -0500 +Subject: drm/kfd: Correct pinned buffer handling at kfd restore and validate + process + +From: Xiaogang Chen + +[ Upstream commit f326d7cc745683f53052b84382bd10567b45cd5d ] + +This reverts commit 8a774fe912ff ("drm/amdgpu: avoid restore process run into dead loop") +since buffer got pinned is not related whether it needs mapping +And skip buffer validation at kfd driver if the buffer has been pinned. + +Signed-off-by: Xiaogang Chen +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +index 9d72bb0a0eae..a1f35510d539 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -407,6 +407,10 @@ static int amdgpu_amdkfd_bo_validate(struct amdgpu_bo *bo, uint32_t domain, + "Called with userptr BO")) + return -EINVAL; + ++ /* bo has been pinned, not need validate it */ ++ if (bo->tbo.pin_count) ++ return 0; ++ + amdgpu_bo_placement_from_domain(bo, domain); + + ret = ttm_bo_validate(&bo->tbo, &bo->placement, &ctx); +@@ -2631,7 +2635,7 @@ static int confirm_valid_user_pages_locked(struct amdkfd_process_info *process_i + + /* keep mem without hmm range at userptr_inval_list */ + if (!mem->range) +- continue; ++ continue; + + /* Only check mem with hmm range associated */ + valid = amdgpu_ttm_tt_get_user_pages_done( +@@ -2848,9 +2852,6 @@ int amdgpu_amdkfd_gpuvm_restore_process_bos(void *info, struct dma_fence **ef) + if (!attachment->is_mapped) + continue; + +- if (attachment->bo_va->base.bo->tbo.pin_count) +- continue; +- + kfd_mem_dmaunmap_attachment(mem, attachment); + ret = update_gpuvm_pte(mem, attachment, &sync_obj); + if (ret) { +-- +2.43.0 + diff --git a/queue-6.6/drm-meson-plane-add-error-handling.patch b/queue-6.6/drm-meson-plane-add-error-handling.patch new file mode 100644 index 00000000000..be5e799662e --- /dev/null +++ b/queue-6.6/drm-meson-plane-add-error-handling.patch @@ -0,0 +1,63 @@ +From 13df7f7de35ffa03db73d6c0170ca366829a693d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Nov 2023 03:34:05 -0800 +Subject: drm/meson: plane: Add error handling + +From: Haoran Liu + +[ Upstream commit 3c28b239620e249b68beeca17f429e317fa6b8d4 ] + +This patch adds robust error handling to the meson_plane_create +function in drivers/gpu/drm/meson/meson_plane.c. The function +previously lacked proper handling for potential failure scenarios +of the drm_universal_plane_init call. + +Signed-off-by: Haoran Liu +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20231129113405.33057-1-liuhaoran14@163.com +[narmstrong: fixe the commit subject] +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20231129113405.33057-1-liuhaoran14@163.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_plane.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/meson/meson_plane.c b/drivers/gpu/drm/meson/meson_plane.c +index 815dfe30492b..b43ac61201f3 100644 +--- a/drivers/gpu/drm/meson/meson_plane.c ++++ b/drivers/gpu/drm/meson/meson_plane.c +@@ -534,6 +534,7 @@ int meson_plane_create(struct meson_drm *priv) + struct meson_plane *meson_plane; + struct drm_plane *plane; + const uint64_t *format_modifiers = format_modifiers_default; ++ int ret; + + meson_plane = devm_kzalloc(priv->drm->dev, sizeof(*meson_plane), + GFP_KERNEL); +@@ -548,12 +549,16 @@ int meson_plane_create(struct meson_drm *priv) + else if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A)) + format_modifiers = format_modifiers_afbc_g12a; + +- drm_universal_plane_init(priv->drm, plane, 0xFF, +- &meson_plane_funcs, +- supported_drm_formats, +- ARRAY_SIZE(supported_drm_formats), +- format_modifiers, +- DRM_PLANE_TYPE_PRIMARY, "meson_primary_plane"); ++ ret = drm_universal_plane_init(priv->drm, plane, 0xFF, ++ &meson_plane_funcs, ++ supported_drm_formats, ++ ARRAY_SIZE(supported_drm_formats), ++ format_modifiers, ++ DRM_PLANE_TYPE_PRIMARY, "meson_primary_plane"); ++ if (ret) { ++ devm_kfree(priv->drm->dev, meson_plane); ++ return ret; ++ } + + drm_plane_helper_add(plane, &meson_plane_helper_funcs); + +-- +2.43.0 + diff --git a/queue-6.6/f2fs-fix-to-do-sanity-check-on-blocks-for-inline_dat.patch b/queue-6.6/f2fs-fix-to-do-sanity-check-on-blocks-for-inline_dat.patch new file mode 100644 index 00000000000..91d57d14530 --- /dev/null +++ b/queue-6.6/f2fs-fix-to-do-sanity-check-on-blocks-for-inline_dat.patch @@ -0,0 +1,86 @@ +From 10a5c759618b6ea230ff39b49bb1e4af75e8179c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 May 2024 14:23:18 +0800 +Subject: f2fs: fix to do sanity check on blocks for inline_data inode + +From: Chao Yu + +[ Upstream commit c240c87bcd44a1a2375fc8ef8c645d1f1fe76466 ] + +inode can be fuzzed, so it can has F2FS_INLINE_DATA flag and valid +i_blocks/i_nid value, this patch supports to do extra sanity check +to detect such corrupted state. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 2 +- + fs/f2fs/inline.c | 20 +++++++++++++++++++- + fs/f2fs/inode.c | 2 +- + 3 files changed, 21 insertions(+), 3 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 00eff023cd9d..6371b295fba6 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -4148,7 +4148,7 @@ extern struct kmem_cache *f2fs_inode_entry_slab; + * inline.c + */ + bool f2fs_may_inline_data(struct inode *inode); +-bool f2fs_sanity_check_inline_data(struct inode *inode); ++bool f2fs_sanity_check_inline_data(struct inode *inode, struct page *ipage); + bool f2fs_may_inline_dentry(struct inode *inode); + void f2fs_do_read_inline_data(struct page *page, struct page *ipage); + void f2fs_truncate_inline_inode(struct inode *inode, +diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c +index 2cbe557f971e..a3f8b4ed495e 100644 +--- a/fs/f2fs/inline.c ++++ b/fs/f2fs/inline.c +@@ -33,11 +33,29 @@ bool f2fs_may_inline_data(struct inode *inode) + return !f2fs_post_read_required(inode); + } + +-bool f2fs_sanity_check_inline_data(struct inode *inode) ++static bool inode_has_blocks(struct inode *inode, struct page *ipage) ++{ ++ struct f2fs_inode *ri = F2FS_INODE(ipage); ++ int i; ++ ++ if (F2FS_HAS_BLOCKS(inode)) ++ return true; ++ ++ for (i = 0; i < DEF_NIDS_PER_INODE; i++) { ++ if (ri->i_nid[i]) ++ return true; ++ } ++ return false; ++} ++ ++bool f2fs_sanity_check_inline_data(struct inode *inode, struct page *ipage) + { + if (!f2fs_has_inline_data(inode)) + return false; + ++ if (inode_has_blocks(inode, ipage)) ++ return false; ++ + if (!support_inline_data(inode)) + return true; + +diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c +index 26e857fee631..709b2f79872f 100644 +--- a/fs/f2fs/inode.c ++++ b/fs/f2fs/inode.c +@@ -346,7 +346,7 @@ static bool sanity_check_inode(struct inode *inode, struct page *node_page) + } + } + +- if (f2fs_sanity_check_inline_data(inode)) { ++ if (f2fs_sanity_check_inline_data(inode, node_page)) { + f2fs_warn(sbi, "%s: inode (ino=%lx, mode=%u) should not have inline_data, run fsck to fix", + __func__, inode->i_ino, inode->i_mode); + return false; +-- +2.43.0 + diff --git a/queue-6.6/fsnotify-clear-parent_watched-flags-lazily.patch b/queue-6.6/fsnotify-clear-parent_watched-flags-lazily.patch new file mode 100644 index 00000000000..9e531bcc5b0 --- /dev/null +++ b/queue-6.6/fsnotify-clear-parent_watched-flags-lazily.patch @@ -0,0 +1,208 @@ +From a65bf5a64f75f53785e245f525e65dbda6a4feb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 May 2024 13:30:07 +0200 +Subject: fsnotify: clear PARENT_WATCHED flags lazily + +From: Amir Goldstein + +[ Upstream commit 172e422ffea20a89bfdc672741c1aad6fbb5044e ] + +In some setups directories can have many (usually negative) dentries. +Hence __fsnotify_update_child_dentry_flags() function can take a +significant amount of time. Since the bulk of this function happens +under inode->i_lock this causes a significant contention on the lock +when we remove the watch from the directory as the +__fsnotify_update_child_dentry_flags() call from fsnotify_recalc_mask() +races with __fsnotify_update_child_dentry_flags() calls from +__fsnotify_parent() happening on children. This can lead upto softlockup +reports reported by users. + +Fix the problem by calling fsnotify_update_children_dentry_flags() to +set PARENT_WATCHED flags only when parent starts watching children. + +When parent stops watching children, clear false positive PARENT_WATCHED +flags lazily in __fsnotify_parent() for each accessed child. + +Suggested-by: Jan Kara +Signed-off-by: Amir Goldstein +Signed-off-by: Stephen Brennan +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/notify/fsnotify.c | 31 +++++++++++++++++++++---------- + fs/notify/fsnotify.h | 2 +- + fs/notify/mark.c | 32 +++++++++++++++++++++++++++++--- + include/linux/fsnotify_backend.h | 8 +++++--- + 4 files changed, 56 insertions(+), 17 deletions(-) + +diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c +index 7974e91ffe13..b5d8f238fce4 100644 +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -103,17 +103,13 @@ void fsnotify_sb_delete(struct super_block *sb) + * parent cares. Thus when an event happens on a child it can quickly tell + * if there is a need to find a parent and send the event to the parent. + */ +-void __fsnotify_update_child_dentry_flags(struct inode *inode) ++void fsnotify_set_children_dentry_flags(struct inode *inode) + { + struct dentry *alias; +- int watched; + + if (!S_ISDIR(inode->i_mode)) + return; + +- /* determine if the children should tell inode about their events */ +- watched = fsnotify_inode_watches_children(inode); +- + spin_lock(&inode->i_lock); + /* run all of the dentries associated with this inode. Since this is a + * directory, there damn well better only be one item on this list */ +@@ -129,10 +125,7 @@ void __fsnotify_update_child_dentry_flags(struct inode *inode) + continue; + + spin_lock_nested(&child->d_lock, DENTRY_D_LOCK_NESTED); +- if (watched) +- child->d_flags |= DCACHE_FSNOTIFY_PARENT_WATCHED; +- else +- child->d_flags &= ~DCACHE_FSNOTIFY_PARENT_WATCHED; ++ child->d_flags |= DCACHE_FSNOTIFY_PARENT_WATCHED; + spin_unlock(&child->d_lock); + } + spin_unlock(&alias->d_lock); +@@ -140,6 +133,24 @@ void __fsnotify_update_child_dentry_flags(struct inode *inode) + spin_unlock(&inode->i_lock); + } + ++/* ++ * Lazily clear false positive PARENT_WATCHED flag for child whose parent had ++ * stopped watching children. ++ */ ++static void fsnotify_clear_child_dentry_flag(struct inode *pinode, ++ struct dentry *dentry) ++{ ++ spin_lock(&dentry->d_lock); ++ /* ++ * d_lock is a sufficient barrier to prevent observing a non-watched ++ * parent state from before the fsnotify_set_children_dentry_flags() ++ * or fsnotify_update_flags() call that had set PARENT_WATCHED. ++ */ ++ if (!fsnotify_inode_watches_children(pinode)) ++ dentry->d_flags &= ~DCACHE_FSNOTIFY_PARENT_WATCHED; ++ spin_unlock(&dentry->d_lock); ++} ++ + /* Are inode/sb/mount interested in parent and name info with this event? */ + static bool fsnotify_event_needs_parent(struct inode *inode, struct mount *mnt, + __u32 mask) +@@ -208,7 +219,7 @@ int __fsnotify_parent(struct dentry *dentry, __u32 mask, const void *data, + p_inode = parent->d_inode; + p_mask = fsnotify_inode_watches_children(p_inode); + if (unlikely(parent_watched && !p_mask)) +- __fsnotify_update_child_dentry_flags(p_inode); ++ fsnotify_clear_child_dentry_flag(p_inode, dentry); + + /* + * Include parent/name in notification either if some notification +diff --git a/fs/notify/fsnotify.h b/fs/notify/fsnotify.h +index fde74eb333cc..2b4267de86e6 100644 +--- a/fs/notify/fsnotify.h ++++ b/fs/notify/fsnotify.h +@@ -74,7 +74,7 @@ static inline void fsnotify_clear_marks_by_sb(struct super_block *sb) + * update the dentry->d_flags of all of inode's children to indicate if inode cares + * about events that happen to its children. + */ +-extern void __fsnotify_update_child_dentry_flags(struct inode *inode); ++extern void fsnotify_set_children_dentry_flags(struct inode *inode); + + extern struct kmem_cache *fsnotify_mark_connector_cachep; + +diff --git a/fs/notify/mark.c b/fs/notify/mark.c +index c74ef947447d..4be6e883d492 100644 +--- a/fs/notify/mark.c ++++ b/fs/notify/mark.c +@@ -176,6 +176,24 @@ static void *__fsnotify_recalc_mask(struct fsnotify_mark_connector *conn) + return fsnotify_update_iref(conn, want_iref); + } + ++static bool fsnotify_conn_watches_children( ++ struct fsnotify_mark_connector *conn) ++{ ++ if (conn->type != FSNOTIFY_OBJ_TYPE_INODE) ++ return false; ++ ++ return fsnotify_inode_watches_children(fsnotify_conn_inode(conn)); ++} ++ ++static void fsnotify_conn_set_children_dentry_flags( ++ struct fsnotify_mark_connector *conn) ++{ ++ if (conn->type != FSNOTIFY_OBJ_TYPE_INODE) ++ return; ++ ++ fsnotify_set_children_dentry_flags(fsnotify_conn_inode(conn)); ++} ++ + /* + * Calculate mask of events for a list of marks. The caller must make sure + * connector and connector->obj cannot disappear under us. Callers achieve +@@ -184,15 +202,23 @@ static void *__fsnotify_recalc_mask(struct fsnotify_mark_connector *conn) + */ + void fsnotify_recalc_mask(struct fsnotify_mark_connector *conn) + { ++ bool update_children; ++ + if (!conn) + return; + + spin_lock(&conn->lock); ++ update_children = !fsnotify_conn_watches_children(conn); + __fsnotify_recalc_mask(conn); ++ update_children &= fsnotify_conn_watches_children(conn); + spin_unlock(&conn->lock); +- if (conn->type == FSNOTIFY_OBJ_TYPE_INODE) +- __fsnotify_update_child_dentry_flags( +- fsnotify_conn_inode(conn)); ++ /* ++ * Set children's PARENT_WATCHED flags only if parent started watching. ++ * When parent stops watching, we clear false positive PARENT_WATCHED ++ * flags lazily in __fsnotify_parent(). ++ */ ++ if (update_children) ++ fsnotify_conn_set_children_dentry_flags(conn); + } + + /* Free all connectors queued for freeing once SRCU period ends */ +diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h +index c0892d75ce33..575415b51349 100644 +--- a/include/linux/fsnotify_backend.h ++++ b/include/linux/fsnotify_backend.h +@@ -563,12 +563,14 @@ static inline __u32 fsnotify_parent_needed_mask(__u32 mask) + + static inline int fsnotify_inode_watches_children(struct inode *inode) + { ++ __u32 parent_mask = READ_ONCE(inode->i_fsnotify_mask); ++ + /* FS_EVENT_ON_CHILD is set if the inode may care */ +- if (!(inode->i_fsnotify_mask & FS_EVENT_ON_CHILD)) ++ if (!(parent_mask & FS_EVENT_ON_CHILD)) + return 0; + /* this inode might care about child events, does it care about the + * specific set of events that can happen on a child? */ +- return inode->i_fsnotify_mask & FS_EVENTS_POSS_ON_CHILD; ++ return parent_mask & FS_EVENTS_POSS_ON_CHILD; + } + + /* +@@ -582,7 +584,7 @@ static inline void fsnotify_update_flags(struct dentry *dentry) + /* + * Serialisation of setting PARENT_WATCHED on the dentries is provided + * by d_lock. If inotify_inode_watched changes after we have taken +- * d_lock, the following __fsnotify_update_child_dentry_flags call will ++ * d_lock, the following fsnotify_set_children_dentry_flags call will + * find our entry, so it will spin until we complete here, and update + * us with the new state. + */ +-- +2.43.0 + diff --git a/queue-6.6/gfs2-revert-add-quota_change-type.patch b/queue-6.6/gfs2-revert-add-quota_change-type.patch new file mode 100644 index 00000000000..57e24d801f0 --- /dev/null +++ b/queue-6.6/gfs2-revert-add-quota_change-type.patch @@ -0,0 +1,115 @@ +From 67297810fe091eecf16189919ea6964b689e95d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jun 2024 22:13:15 +0200 +Subject: gfs2: Revert "Add quota_change type" + +From: Andreas Gruenbacher + +[ Upstream commit ec4b5200c8af9ce021399d3192b3379c089396c3 ] + +Commit 432928c93779 ("gfs2: Add quota_change type") makes the incorrect +assertion that function do_qc() should behave differently in the two +contexts it is used in, but that isn't actually true. In all cases, +do_qc() grabs a "reference" when it starts using a slot in the per-node +quota changes file, and it releases that "reference" when no more +residual changes remain. Revert that broken commit. + +There are some remaining issues with function do_qc() which are +addressed in the next commit. + +This reverts commit 432928c9377959684c748a9bc6553ed2d3c2ea4f. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/quota.c | 19 +++++++------------ + fs/gfs2/util.c | 6 +++--- + 2 files changed, 10 insertions(+), 15 deletions(-) + +diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c +index 892b1c44de53..299b6d6aaa79 100644 +--- a/fs/gfs2/quota.c ++++ b/fs/gfs2/quota.c +@@ -75,9 +75,6 @@ + #define GFS2_QD_HASH_SIZE BIT(GFS2_QD_HASH_SHIFT) + #define GFS2_QD_HASH_MASK (GFS2_QD_HASH_SIZE - 1) + +-#define QC_CHANGE 0 +-#define QC_SYNC 1 +- + /* Lock order: qd_lock -> bucket lock -> qd->lockref.lock -> lru lock */ + /* -> sd_bitmap_lock */ + static DEFINE_SPINLOCK(qd_lock); +@@ -697,7 +694,7 @@ static int sort_qd(const void *a, const void *b) + return 0; + } + +-static void do_qc(struct gfs2_quota_data *qd, s64 change, int qc_type) ++static void do_qc(struct gfs2_quota_data *qd, s64 change) + { + struct gfs2_sbd *sdp = qd->qd_sbd; + struct gfs2_inode *ip = GFS2_I(sdp->sd_qc_inode); +@@ -722,18 +719,16 @@ static void do_qc(struct gfs2_quota_data *qd, s64 change, int qc_type) + qd->qd_change = x; + spin_unlock(&qd_lock); + +- if (qc_type == QC_CHANGE) { +- if (!test_and_set_bit(QDF_CHANGE, &qd->qd_flags)) { +- qd_hold(qd); +- slot_hold(qd); +- } +- } else { ++ if (!x) { + gfs2_assert_warn(sdp, test_bit(QDF_CHANGE, &qd->qd_flags)); + clear_bit(QDF_CHANGE, &qd->qd_flags); + qc->qc_flags = 0; + qc->qc_id = 0; + slot_put(qd); + qd_put(qd); ++ } else if (!test_and_set_bit(QDF_CHANGE, &qd->qd_flags)) { ++ qd_hold(qd); ++ slot_hold(qd); + } + + if (change < 0) /* Reset quiet flag if we freed some blocks */ +@@ -978,7 +973,7 @@ static int do_sync(unsigned int num_qd, struct gfs2_quota_data **qda) + if (error) + goto out_end_trans; + +- do_qc(qd, -qd->qd_change_sync, QC_SYNC); ++ do_qc(qd, -qd->qd_change_sync); + set_bit(QDF_REFRESH, &qd->qd_flags); + } + +@@ -1300,7 +1295,7 @@ void gfs2_quota_change(struct gfs2_inode *ip, s64 change, + + if (qid_eq(qd->qd_id, make_kqid_uid(uid)) || + qid_eq(qd->qd_id, make_kqid_gid(gid))) { +- do_qc(qd, change, QC_CHANGE); ++ do_qc(qd, change); + } + } + } +diff --git a/fs/gfs2/util.c b/fs/gfs2/util.c +index fc3ecb180ac5..b65261e0cae3 100644 +--- a/fs/gfs2/util.c ++++ b/fs/gfs2/util.c +@@ -99,12 +99,12 @@ int check_journal_clean(struct gfs2_sbd *sdp, struct gfs2_jdesc *jd, + */ + int gfs2_freeze_lock_shared(struct gfs2_sbd *sdp) + { ++ int flags = LM_FLAG_NOEXP | GL_EXACT; + int error; + +- error = gfs2_glock_nq_init(sdp->sd_freeze_gl, LM_ST_SHARED, +- LM_FLAG_NOEXP | GL_EXACT, ++ error = gfs2_glock_nq_init(sdp->sd_freeze_gl, LM_ST_SHARED, flags, + &sdp->sd_freeze_gh); +- if (error) ++ if (error && error != GLR_TRYFAILED) + fs_err(sdp, "can't lock the freeze glock: %d\n", error); + return error; + } +-- +2.43.0 + diff --git a/queue-6.6/hwmon-k10temp-check-return-value-of-amd_smn_read.patch b/queue-6.6/hwmon-k10temp-check-return-value-of-amd_smn_read.patch new file mode 100644 index 00000000000..a3b3bc43f9a --- /dev/null +++ b/queue-6.6/hwmon-k10temp-check-return-value-of-amd_smn_read.patch @@ -0,0 +1,123 @@ +From f36206bf8fff6b4cecc2848f043ad80a40dd0842 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Jun 2024 11:12:56 -0500 +Subject: hwmon: (k10temp) Check return value of amd_smn_read() + +From: Yazen Ghannam + +[ Upstream commit c2d79cc5455c891de6c93e1e0c73d806e299c54f ] + +Check the return value of amd_smn_read() before saving a value. This +ensures invalid values aren't saved or used. + +There are three cases here with slightly different behavior: + +1) read_tempreg_nb_zen(): + This is a function pointer which does not include a return code. + In this case, set the register value to 0 on failure. This + enforces Read-as-Zero behavior. + +2) k10temp_read_temp(): + This function does have return codes, so return the error code + from the failed register read. Continued operation is not + necessary, since there is no valid data from the register. + Furthermore, if the register value was set to 0, then the + following operation would underflow. + +3) k10temp_get_ccd_support(): + This function reads the same register from multiple CCD + instances in a loop. And a bitmask is formed if a specific bit + is set in each register instance. The loop should continue on a + failed register read, skipping the bit check. + +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Mario Limonciello +Acked-by: Guenter Roeck +Link: https://lore.kernel.org/r/20240606-fix-smn-bad-read-v4-3-ffde21931c3f@amd.com +Signed-off-by: Sasha Levin +--- + drivers/hwmon/k10temp.c | 36 +++++++++++++++++++++++++++--------- + 1 file changed, 27 insertions(+), 9 deletions(-) + +diff --git a/drivers/hwmon/k10temp.c b/drivers/hwmon/k10temp.c +index bae0becfa24b..ae0f454c305d 100644 +--- a/drivers/hwmon/k10temp.c ++++ b/drivers/hwmon/k10temp.c +@@ -153,8 +153,9 @@ static void read_tempreg_nb_f15(struct pci_dev *pdev, u32 *regval) + + static void read_tempreg_nb_zen(struct pci_dev *pdev, u32 *regval) + { +- amd_smn_read(amd_pci_dev_to_node_id(pdev), +- ZEN_REPORTED_TEMP_CTRL_BASE, regval); ++ if (amd_smn_read(amd_pci_dev_to_node_id(pdev), ++ ZEN_REPORTED_TEMP_CTRL_BASE, regval)) ++ *regval = 0; + } + + static long get_raw_temp(struct k10temp_data *data) +@@ -205,6 +206,7 @@ static int k10temp_read_temp(struct device *dev, u32 attr, int channel, + long *val) + { + struct k10temp_data *data = dev_get_drvdata(dev); ++ int ret = -EOPNOTSUPP; + u32 regval; + + switch (attr) { +@@ -221,13 +223,17 @@ static int k10temp_read_temp(struct device *dev, u32 attr, int channel, + *val = 0; + break; + case 2 ... 13: /* Tccd{1-12} */ +- amd_smn_read(amd_pci_dev_to_node_id(data->pdev), +- ZEN_CCD_TEMP(data->ccd_offset, channel - 2), +- ®val); ++ ret = amd_smn_read(amd_pci_dev_to_node_id(data->pdev), ++ ZEN_CCD_TEMP(data->ccd_offset, channel - 2), ++ ®val); ++ ++ if (ret) ++ return ret; ++ + *val = (regval & ZEN_CCD_TEMP_MASK) * 125 - 49000; + break; + default: +- return -EOPNOTSUPP; ++ return ret; + } + break; + case hwmon_temp_max: +@@ -243,7 +249,7 @@ static int k10temp_read_temp(struct device *dev, u32 attr, int channel, + - ((regval >> 24) & 0xf)) * 500 + 52000; + break; + default: +- return -EOPNOTSUPP; ++ return ret; + } + return 0; + } +@@ -381,8 +387,20 @@ static void k10temp_get_ccd_support(struct pci_dev *pdev, + int i; + + for (i = 0; i < limit; i++) { +- amd_smn_read(amd_pci_dev_to_node_id(pdev), +- ZEN_CCD_TEMP(data->ccd_offset, i), ®val); ++ /* ++ * Ignore inaccessible CCDs. ++ * ++ * Some systems will return a register value of 0, and the TEMP_VALID ++ * bit check below will naturally fail. ++ * ++ * Other systems will return a PCI_ERROR_RESPONSE (0xFFFFFFFF) for ++ * the register value. And this will incorrectly pass the TEMP_VALID ++ * bit check. ++ */ ++ if (amd_smn_read(amd_pci_dev_to_node_id(pdev), ++ ZEN_CCD_TEMP(data->ccd_offset, i), ®val)) ++ continue; ++ + if (regval & ZEN_CCD_TEMP_VALID) + data->show_temp |= BIT(TCCD_BIT(i)); + } +-- +2.43.0 + diff --git a/queue-6.6/hwspinlock-introduce-hwspin_lock_bust.patch b/queue-6.6/hwspinlock-introduce-hwspin_lock_bust.patch new file mode 100644 index 00000000000..a98e363e4f4 --- /dev/null +++ b/queue-6.6/hwspinlock-introduce-hwspin_lock_bust.patch @@ -0,0 +1,137 @@ +From 341bcde5a8e01f024256d883d83bc71600ad628d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 May 2024 11:09:55 -0700 +Subject: hwspinlock: Introduce hwspin_lock_bust() + +From: Richard Maina + +[ Upstream commit 7c327d56597d8de1680cf24e956b704270d3d84a ] + +When a remoteproc crashes or goes down unexpectedly this can result in +a state where locks held by the remoteproc will remain locked possibly +resulting in deadlock. This new API hwspin_lock_bust() allows +hwspinlock implementers to define a bust operation for freeing previously +acquired hwspinlocks after verifying ownership of the acquired lock. + +Signed-off-by: Richard Maina +Reviewed-by: Bjorn Andersson +Signed-off-by: Chris Lew +Link: https://lore.kernel.org/r/20240529-hwspinlock-bust-v3-1-c8b924ffa5a2@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + Documentation/locking/hwspinlock.rst | 11 ++++++++++ + drivers/hwspinlock/hwspinlock_core.c | 28 ++++++++++++++++++++++++ + drivers/hwspinlock/hwspinlock_internal.h | 3 +++ + include/linux/hwspinlock.h | 6 +++++ + 4 files changed, 48 insertions(+) + +diff --git a/Documentation/locking/hwspinlock.rst b/Documentation/locking/hwspinlock.rst +index 6f03713b7003..2ffaa3cbd63f 100644 +--- a/Documentation/locking/hwspinlock.rst ++++ b/Documentation/locking/hwspinlock.rst +@@ -85,6 +85,17 @@ is already free). + + Should be called from a process context (might sleep). + ++:: ++ ++ int hwspin_lock_bust(struct hwspinlock *hwlock, unsigned int id); ++ ++After verifying the owner of the hwspinlock, release a previously acquired ++hwspinlock; returns 0 on success, or an appropriate error code on failure ++(e.g. -EOPNOTSUPP if the bust operation is not defined for the specific ++hwspinlock). ++ ++Should be called from a process context (might sleep). ++ + :: + + int hwspin_lock_timeout(struct hwspinlock *hwlock, unsigned int timeout); +diff --git a/drivers/hwspinlock/hwspinlock_core.c b/drivers/hwspinlock/hwspinlock_core.c +index ada694ba9f95..f279dd010b73 100644 +--- a/drivers/hwspinlock/hwspinlock_core.c ++++ b/drivers/hwspinlock/hwspinlock_core.c +@@ -302,6 +302,34 @@ void __hwspin_unlock(struct hwspinlock *hwlock, int mode, unsigned long *flags) + } + EXPORT_SYMBOL_GPL(__hwspin_unlock); + ++/** ++ * hwspin_lock_bust() - bust a specific hwspinlock ++ * @hwlock: a previously-acquired hwspinlock which we want to bust ++ * @id: identifier of the remote lock holder, if applicable ++ * ++ * This function will bust a hwspinlock that was previously acquired as ++ * long as the current owner of the lock matches the id given by the caller. ++ * ++ * Context: Process context. ++ * ++ * Returns: 0 on success, or -EINVAL if the hwspinlock does not exist, or ++ * the bust operation fails, and -EOPNOTSUPP if the bust operation is not ++ * defined for the hwspinlock. ++ */ ++int hwspin_lock_bust(struct hwspinlock *hwlock, unsigned int id) ++{ ++ if (WARN_ON(!hwlock)) ++ return -EINVAL; ++ ++ if (!hwlock->bank->ops->bust) { ++ pr_err("bust operation not defined\n"); ++ return -EOPNOTSUPP; ++ } ++ ++ return hwlock->bank->ops->bust(hwlock, id); ++} ++EXPORT_SYMBOL_GPL(hwspin_lock_bust); ++ + /** + * of_hwspin_lock_simple_xlate - translate hwlock_spec to return a lock id + * @bank: the hwspinlock device bank +diff --git a/drivers/hwspinlock/hwspinlock_internal.h b/drivers/hwspinlock/hwspinlock_internal.h +index 29892767bb7a..f298fc0ee5ad 100644 +--- a/drivers/hwspinlock/hwspinlock_internal.h ++++ b/drivers/hwspinlock/hwspinlock_internal.h +@@ -21,6 +21,8 @@ struct hwspinlock_device; + * @trylock: make a single attempt to take the lock. returns 0 on + * failure and true on success. may _not_ sleep. + * @unlock: release the lock. always succeed. may _not_ sleep. ++ * @bust: optional, platform-specific bust handler, called by hwspinlock ++ * core to bust a specific lock. + * @relax: optional, platform-specific relax handler, called by hwspinlock + * core while spinning on a lock, between two successive + * invocations of @trylock. may _not_ sleep. +@@ -28,6 +30,7 @@ struct hwspinlock_device; + struct hwspinlock_ops { + int (*trylock)(struct hwspinlock *lock); + void (*unlock)(struct hwspinlock *lock); ++ int (*bust)(struct hwspinlock *lock, unsigned int id); + void (*relax)(struct hwspinlock *lock); + }; + +diff --git a/include/linux/hwspinlock.h b/include/linux/hwspinlock.h +index bfe7c1f1ac6d..f0231dbc4777 100644 +--- a/include/linux/hwspinlock.h ++++ b/include/linux/hwspinlock.h +@@ -68,6 +68,7 @@ int __hwspin_lock_timeout(struct hwspinlock *, unsigned int, int, + int __hwspin_trylock(struct hwspinlock *, int, unsigned long *); + void __hwspin_unlock(struct hwspinlock *, int, unsigned long *); + int of_hwspin_lock_get_id_byname(struct device_node *np, const char *name); ++int hwspin_lock_bust(struct hwspinlock *hwlock, unsigned int id); + int devm_hwspin_lock_free(struct device *dev, struct hwspinlock *hwlock); + struct hwspinlock *devm_hwspin_lock_request(struct device *dev); + struct hwspinlock *devm_hwspin_lock_request_specific(struct device *dev, +@@ -127,6 +128,11 @@ void __hwspin_unlock(struct hwspinlock *hwlock, int mode, unsigned long *flags) + { + } + ++static inline int hwspin_lock_bust(struct hwspinlock *hwlock, unsigned int id) ++{ ++ return 0; ++} ++ + static inline int of_hwspin_lock_get_id(struct device_node *np, int index) + { + return 0; +-- +2.43.0 + diff --git a/queue-6.6/ionic-fix-potential-irq-name-truncation.patch b/queue-6.6/ionic-fix-potential-irq-name-truncation.patch new file mode 100644 index 00000000000..0370b14a202 --- /dev/null +++ b/queue-6.6/ionic-fix-potential-irq-name-truncation.patch @@ -0,0 +1,38 @@ +From a49b50fa643dbc2448c376afa6e781171291ddb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 May 2024 17:02:53 -0700 +Subject: ionic: fix potential irq name truncation + +From: Shannon Nelson + +[ Upstream commit 3eb76e71b16e8ba5277bf97617aef51f5e64dbe4 ] + +Address a warning about potential string truncation based on the +string buffer sizes. We can add some hints to the string format +specifier to set limits on the resulting possible string to +squelch the complaints. + +Signed-off-by: Shannon Nelson +Link: https://lore.kernel.org/r/20240529000259.25775-2-shannon.nelson@amd.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/pensando/ionic/ionic_lif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +index 7e6e1bed525a..9d724d228b83 100644 +--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c ++++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c +@@ -234,7 +234,7 @@ static int ionic_request_irq(struct ionic_lif *lif, struct ionic_qcq *qcq) + name = dev_name(dev); + + snprintf(intr->name, sizeof(intr->name), +- "%s-%s-%s", IONIC_DRV_NAME, name, q->name); ++ "%.5s-%.16s-%.8s", IONIC_DRV_NAME, name, q->name); + + return devm_request_irq(dev, intr->vector, ionic_isr, + 0, intr->name, &qcq->napi); +-- +2.43.0 + diff --git a/queue-6.6/media-uvcvideo-enforce-alignment-of-frame-and-interv.patch b/queue-6.6/media-uvcvideo-enforce-alignment-of-frame-and-interv.patch new file mode 100644 index 00000000000..69ce57fdc54 --- /dev/null +++ b/queue-6.6/media-uvcvideo-enforce-alignment-of-frame-and-interv.patch @@ -0,0 +1,68 @@ +From dd88244dd89a1161b0cbe037603d35b4149bf438 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Apr 2024 17:56:18 +0000 +Subject: media: uvcvideo: Enforce alignment of frame and interval + +From: Ricardo Ribalda + +[ Upstream commit c8931ef55bd325052ec496f242aea7f6de47dc9c ] + +Struct uvc_frame and interval (u32*) are packaged together on +streaming->formats on a single contiguous allocation. + +Right now they are allocated right after uvc_format, without taking into +consideration their required alignment. + +This is working fine because both structures have a field with a +pointer, but it will stop working when the sizeof() of any of those +structs is not a multiple of the sizeof(void*). + +Enforce that alignment during the allocation. + +Signed-off-by: Ricardo Ribalda +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20240404-uvc-align-v2-1-9e104b0ecfbd@chromium.org +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 68bf41147a61..04e7f58553db 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -687,16 +687,26 @@ static int uvc_parse_streaming(struct uvc_device *dev, + goto error; + } + +- size = nformats * sizeof(*format) + nframes * sizeof(*frame) ++ /* ++ * Allocate memory for the formats, the frames and the intervals, ++ * plus any required padding to guarantee that everything has the ++ * correct alignment. ++ */ ++ size = nformats * sizeof(*format); ++ size = ALIGN(size, __alignof__(*frame)) + nframes * sizeof(*frame); ++ size = ALIGN(size, __alignof__(*interval)) + + nintervals * sizeof(*interval); ++ + format = kzalloc(size, GFP_KERNEL); +- if (format == NULL) { ++ if (!format) { + ret = -ENOMEM; + goto error; + } + +- frame = (struct uvc_frame *)&format[nformats]; +- interval = (u32 *)&frame[nframes]; ++ frame = (void *)format + nformats * sizeof(*format); ++ frame = PTR_ALIGN(frame, __alignof__(*frame)); ++ interval = (void *)frame + nframes * sizeof(*frame); ++ interval = PTR_ALIGN(interval, __alignof__(*interval)); + + streaming->formats = format; + streaming->nformats = 0; +-- +2.43.0 + diff --git a/queue-6.6/media-v4l2-cci-always-assign-val.patch b/queue-6.6/media-v4l2-cci-always-assign-val.patch new file mode 100644 index 00000000000..456139ea24d --- /dev/null +++ b/queue-6.6/media-v4l2-cci-always-assign-val.patch @@ -0,0 +1,46 @@ +From a7e02b1236f40577853ec9562074d9b77fd5d500 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 May 2024 14:00:51 +0300 +Subject: media: v4l2-cci: Always assign *val + +From: Sakari Ailus + +[ Upstream commit 7417b1b1f36cc214dc458e717278a27a912d3b51 ] + +Always assign *val to 0 in cci_read(). This has the benefit of not +requiring initialisation of the variables data is read to using +cci_read(). Once smatch is fixed, it could catch the use of uninitialised +reads. + +Signed-off-by: Sakari Ailus +Tested-by: Benjamin Mugnier +Reviewed-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-cci.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/media/v4l2-core/v4l2-cci.c b/drivers/media/v4l2-core/v4l2-cci.c +index ee3475bed37f..1ff94affbaf3 100644 +--- a/drivers/media/v4l2-core/v4l2-cci.c ++++ b/drivers/media/v4l2-core/v4l2-cci.c +@@ -23,6 +23,15 @@ int cci_read(struct regmap *map, u32 reg, u64 *val, int *err) + u8 buf[8]; + int ret; + ++ /* ++ * TODO: Fix smatch. Assign *val to 0 here in order to avoid ++ * failing a smatch check on caller when the caller proceeds to ++ * read *val without initialising it on caller's side. *val is set ++ * to a valid value whenever this function returns 0 but smatch ++ * can't figure that out currently. ++ */ ++ *val = 0; ++ + if (err && *err) + return *err; + +-- +2.43.0 + diff --git a/queue-6.6/net-mlx5e-shampo-fix-incorrect-page-release.patch b/queue-6.6/net-mlx5e-shampo-fix-incorrect-page-release.patch new file mode 100644 index 00000000000..894368be950 --- /dev/null +++ b/queue-6.6/net-mlx5e-shampo-fix-incorrect-page-release.patch @@ -0,0 +1,47 @@ +From e4bd3e8ace3abc03ea6167722d994c9d86f2f612 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jun 2024 00:22:07 +0300 +Subject: net/mlx5e: SHAMPO, Fix incorrect page release + +From: Dragos Tatulea + +[ Upstream commit 70bd03b89f20b9bbe51a7f73c4950565a17a45f7 ] + +Under the following conditions: +1) No skb created yet +2) header_size == 0 (no SHAMPO header) +3) header_index + 1 % MLX5E_SHAMPO_WQ_HEADER_PER_PAGE == 0 (this is the + last page fragment of a SHAMPO header page) + +a new skb is formed with a page that is NOT a SHAMPO header page (it +is a regular data page). Further down in the same function +(mlx5e_handle_rx_cqe_mpwrq_shampo()), a SHAMPO header page from +header_index is released. This is wrong and it leads to SHAMPO header +pages being released more than once. + +Signed-off-by: Dragos Tatulea +Signed-off-by: Tariq Toukan +Link: https://lore.kernel.org/r/20240603212219.1037656-3-tariqt@nvidia.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +index 79ec6fcc9e25..57b0e26696e3 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c +@@ -2369,7 +2369,8 @@ static void mlx5e_handle_rx_cqe_mpwrq_shampo(struct mlx5e_rq *rq, struct mlx5_cq + if (flush) + mlx5e_shampo_flush_skb(rq, cqe, match); + free_hd_entry: +- mlx5e_free_rx_shampo_hd_entry(rq, header_index); ++ if (likely(head_size)) ++ mlx5e_free_rx_shampo_hd_entry(rq, header_index); + mpwrq_cqe_out: + if (likely(wi->consumed_strides < rq->mpwqe.num_strides)) + return; +-- +2.43.0 + diff --git a/queue-6.6/net-remove-null-pointer-net-parameter-in-ip_metrics_.patch b/queue-6.6/net-remove-null-pointer-net-parameter-in-ip_metrics_.patch new file mode 100644 index 00000000000..8b5771381b4 --- /dev/null +++ b/queue-6.6/net-remove-null-pointer-net-parameter-in-ip_metrics_.patch @@ -0,0 +1,183 @@ +From 45dfe77d45dbaa9700adc2e849bc5884fd2b0ce2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 May 2024 23:46:34 +0800 +Subject: net: remove NULL-pointer net parameter in ip_metrics_convert + +From: Jason Xing + +[ Upstream commit 61e2bbafb00e4b9a5de45e6448a7b6b818658576 ] + +When I was doing some experiments, I found that when using the first +parameter, namely, struct net, in ip_metrics_convert() always triggers NULL +pointer crash. Then I digged into this part, realizing that we can remove +this one due to its uselessness. + +Signed-off-by: Jason Xing +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/ip.h | 3 +-- + include/net/tcp.h | 2 +- + net/ipv4/fib_semantics.c | 5 ++--- + net/ipv4/metrics.c | 8 ++++---- + net/ipv4/tcp_cong.c | 11 +++++------ + net/ipv6/route.c | 2 +- + 6 files changed, 14 insertions(+), 17 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index 162cf2d2f841..6f1ff4846451 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -497,8 +497,7 @@ static inline unsigned int ip_skb_dst_mtu(struct sock *sk, + return mtu - lwtunnel_headroom(skb_dst(skb)->lwtstate, mtu); + } + +-struct dst_metrics *ip_fib_metrics_init(struct net *net, struct nlattr *fc_mx, +- int fc_mx_len, ++struct dst_metrics *ip_fib_metrics_init(struct nlattr *fc_mx, int fc_mx_len, + struct netlink_ext_ack *extack); + static inline void ip_fib_metrics_put(struct dst_metrics *fib_metrics) + { +diff --git a/include/net/tcp.h b/include/net/tcp.h +index cc3b56bf19e0..c206ffaa8ed7 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1140,7 +1140,7 @@ extern struct tcp_congestion_ops tcp_reno; + + struct tcp_congestion_ops *tcp_ca_find(const char *name); + struct tcp_congestion_ops *tcp_ca_find_key(u32 key); +-u32 tcp_ca_get_key_by_name(struct net *net, const char *name, bool *ecn_ca); ++u32 tcp_ca_get_key_by_name(const char *name, bool *ecn_ca); + #ifdef CONFIG_INET + char *tcp_ca_get_name_by_key(u32 key, char *buffer); + #else +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index e3268615a65a..233d9d0437c2 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -1030,7 +1030,7 @@ bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi) + bool ecn_ca = false; + + nla_strscpy(tmp, nla, sizeof(tmp)); +- val = tcp_ca_get_key_by_name(fi->fib_net, tmp, &ecn_ca); ++ val = tcp_ca_get_key_by_name(tmp, &ecn_ca); + } else { + if (nla_len(nla) != sizeof(u32)) + return false; +@@ -1459,8 +1459,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg, + fi = kzalloc(struct_size(fi, fib_nh, nhs), GFP_KERNEL); + if (!fi) + goto failure; +- fi->fib_metrics = ip_fib_metrics_init(fi->fib_net, cfg->fc_mx, +- cfg->fc_mx_len, extack); ++ fi->fib_metrics = ip_fib_metrics_init(cfg->fc_mx, cfg->fc_mx_len, extack); + if (IS_ERR(fi->fib_metrics)) { + err = PTR_ERR(fi->fib_metrics); + kfree(fi); +diff --git a/net/ipv4/metrics.c b/net/ipv4/metrics.c +index 0e3ee1532848..8ddac1f595ed 100644 +--- a/net/ipv4/metrics.c ++++ b/net/ipv4/metrics.c +@@ -7,7 +7,7 @@ + #include + #include + +-static int ip_metrics_convert(struct net *net, struct nlattr *fc_mx, ++static int ip_metrics_convert(struct nlattr *fc_mx, + int fc_mx_len, u32 *metrics, + struct netlink_ext_ack *extack) + { +@@ -31,7 +31,7 @@ static int ip_metrics_convert(struct net *net, struct nlattr *fc_mx, + char tmp[TCP_CA_NAME_MAX]; + + nla_strscpy(tmp, nla, sizeof(tmp)); +- val = tcp_ca_get_key_by_name(net, tmp, &ecn_ca); ++ val = tcp_ca_get_key_by_name(tmp, &ecn_ca); + if (val == TCP_CA_UNSPEC) { + NL_SET_ERR_MSG(extack, "Unknown tcp congestion algorithm"); + return -EINVAL; +@@ -63,7 +63,7 @@ static int ip_metrics_convert(struct net *net, struct nlattr *fc_mx, + return 0; + } + +-struct dst_metrics *ip_fib_metrics_init(struct net *net, struct nlattr *fc_mx, ++struct dst_metrics *ip_fib_metrics_init(struct nlattr *fc_mx, + int fc_mx_len, + struct netlink_ext_ack *extack) + { +@@ -77,7 +77,7 @@ struct dst_metrics *ip_fib_metrics_init(struct net *net, struct nlattr *fc_mx, + if (unlikely(!fib_metrics)) + return ERR_PTR(-ENOMEM); + +- err = ip_metrics_convert(net, fc_mx, fc_mx_len, fib_metrics->metrics, ++ err = ip_metrics_convert(fc_mx, fc_mx_len, fib_metrics->metrics, + extack); + if (!err) { + refcount_set(&fib_metrics->refcnt, 1); +diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c +index 1b34050a7538..95dbb2799be4 100644 +--- a/net/ipv4/tcp_cong.c ++++ b/net/ipv4/tcp_cong.c +@@ -46,8 +46,7 @@ void tcp_set_ca_state(struct sock *sk, const u8 ca_state) + } + + /* Must be called with rcu lock held */ +-static struct tcp_congestion_ops *tcp_ca_find_autoload(struct net *net, +- const char *name) ++static struct tcp_congestion_ops *tcp_ca_find_autoload(const char *name) + { + struct tcp_congestion_ops *ca = tcp_ca_find(name); + +@@ -182,7 +181,7 @@ int tcp_update_congestion_control(struct tcp_congestion_ops *ca, struct tcp_cong + return ret; + } + +-u32 tcp_ca_get_key_by_name(struct net *net, const char *name, bool *ecn_ca) ++u32 tcp_ca_get_key_by_name(const char *name, bool *ecn_ca) + { + const struct tcp_congestion_ops *ca; + u32 key = TCP_CA_UNSPEC; +@@ -190,7 +189,7 @@ u32 tcp_ca_get_key_by_name(struct net *net, const char *name, bool *ecn_ca) + might_sleep(); + + rcu_read_lock(); +- ca = tcp_ca_find_autoload(net, name); ++ ca = tcp_ca_find_autoload(name); + if (ca) { + key = ca->key; + *ecn_ca = ca->flags & TCP_CONG_NEEDS_ECN; +@@ -287,7 +286,7 @@ int tcp_set_default_congestion_control(struct net *net, const char *name) + int ret; + + rcu_read_lock(); +- ca = tcp_ca_find_autoload(net, name); ++ ca = tcp_ca_find_autoload(name); + if (!ca) { + ret = -ENOENT; + } else if (!bpf_try_module_get(ca, ca->owner)) { +@@ -425,7 +424,7 @@ int tcp_set_congestion_control(struct sock *sk, const char *name, bool load, + if (!load) + ca = tcp_ca_find(name); + else +- ca = tcp_ca_find_autoload(sock_net(sk), name); ++ ca = tcp_ca_find_autoload(name); + + /* No change asking for existing value */ + if (ca == icsk->icsk_ca_ops) { +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 49ef5623c55e..0299886dbeb9 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3754,7 +3754,7 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg, + if (!rt) + goto out; + +- rt->fib6_metrics = ip_fib_metrics_init(net, cfg->fc_mx, cfg->fc_mx_len, ++ rt->fib6_metrics = ip_fib_metrics_init(cfg->fc_mx, cfg->fc_mx_len, + extack); + if (IS_ERR(rt->fib6_metrics)) { + err = PTR_ERR(rt->fib6_metrics); +-- +2.43.0 + diff --git a/queue-6.6/pci-al-check-ioresource_bus-existence-during-probe.patch b/queue-6.6/pci-al-check-ioresource_bus-existence-during-probe.patch new file mode 100644 index 00000000000..85da60e7ddd --- /dev/null +++ b/queue-6.6/pci-al-check-ioresource_bus-existence-during-probe.patch @@ -0,0 +1,85 @@ +From 1547314608680d8e50095c1d976c8c7843d713ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 May 2024 15:57:05 +0300 +Subject: PCI: al: Check IORESOURCE_BUS existence during probe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Aleksandr Mishin + +[ Upstream commit a9927c2cac6e9831361e43a14d91277818154e6a ] + +If IORESOURCE_BUS is not provided in Device Tree it will be fabricated in +of_pci_parse_bus_range(), so NULL pointer dereference should not happen +here. + +But that's hard to verify, so check for NULL anyway. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Link: https://lore.kernel.org/linux-pci/20240503125705.46055-1-amishin@t-argos.ru +Suggested-by: Bjorn Helgaas +Signed-off-by: Aleksandr Mishin +Signed-off-by: Krzysztof Wilczyński +[bhelgaas: commit log] +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pcie-al.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/pci/controller/dwc/pcie-al.c b/drivers/pci/controller/dwc/pcie-al.c +index b8cb77c9c4bd..3132b27bc006 100644 +--- a/drivers/pci/controller/dwc/pcie-al.c ++++ b/drivers/pci/controller/dwc/pcie-al.c +@@ -242,18 +242,24 @@ static struct pci_ops al_child_pci_ops = { + .write = pci_generic_config_write, + }; + +-static void al_pcie_config_prepare(struct al_pcie *pcie) ++static int al_pcie_config_prepare(struct al_pcie *pcie) + { + struct al_pcie_target_bus_cfg *target_bus_cfg; + struct dw_pcie_rp *pp = &pcie->pci->pp; + unsigned int ecam_bus_mask; ++ struct resource_entry *ft; + u32 cfg_control_offset; ++ struct resource *bus; + u8 subordinate_bus; + u8 secondary_bus; + u32 cfg_control; + u32 reg; +- struct resource *bus = resource_list_first_type(&pp->bridge->windows, IORESOURCE_BUS)->res; + ++ ft = resource_list_first_type(&pp->bridge->windows, IORESOURCE_BUS); ++ if (!ft) ++ return -ENODEV; ++ ++ bus = ft->res; + target_bus_cfg = &pcie->target_bus_cfg; + + ecam_bus_mask = (pcie->ecam_size >> PCIE_ECAM_BUS_SHIFT) - 1; +@@ -287,6 +293,8 @@ static void al_pcie_config_prepare(struct al_pcie *pcie) + FIELD_PREP(CFG_CONTROL_SEC_BUS_MASK, secondary_bus); + + al_pcie_controller_writel(pcie, cfg_control_offset, reg); ++ ++ return 0; + } + + static int al_pcie_host_init(struct dw_pcie_rp *pp) +@@ -305,7 +313,9 @@ static int al_pcie_host_init(struct dw_pcie_rp *pp) + if (rc) + return rc; + +- al_pcie_config_prepare(pcie); ++ rc = al_pcie_config_prepare(pcie); ++ if (rc) ++ return rc; + + return 0; + } +-- +2.43.0 + diff --git a/queue-6.6/platform-chrome-cros_ec_lpc-mec-access-can-use-an-am.patch b/queue-6.6/platform-chrome-cros_ec_lpc-mec-access-can-use-an-am.patch new file mode 100644 index 00000000000..64d4797882b --- /dev/null +++ b/queue-6.6/platform-chrome-cros_ec_lpc-mec-access-can-use-an-am.patch @@ -0,0 +1,178 @@ +From 6d1426ac1ac49abd2b6d045a47aab1c5ae3c6614 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jun 2024 07:33:48 +0100 +Subject: platform/chrome: cros_ec_lpc: MEC access can use an AML mutex + +From: Ben Walsh + +[ Upstream commit 60c7df66450e3a7821a8d68496c20c95de6a15c5 ] + +Framework Laptops have ACPI code which accesses the MEC memory. It +uses an AML mutex to prevent concurrent access. But the cros_ec_lpc +driver was not aware of this mutex. The ACPI code and LPC driver both +attempted to talk to the EC at the same time, messing up communication +with the EC. + +Allow the LPC driver MEC code to find and use the AML mutex. + +Tested-by: Dustin L. Howett +Signed-off-by: Ben Walsh +Link: https://lore.kernel.org/r/20240605063351.14836-3-ben@jubnut.com +Signed-off-by: Tzung-Bi Shih +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_lpc_mec.c | 76 ++++++++++++++++++++++- + drivers/platform/chrome/cros_ec_lpc_mec.h | 11 ++++ + 2 files changed, 85 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/chrome/cros_ec_lpc_mec.c b/drivers/platform/chrome/cros_ec_lpc_mec.c +index 0d9c79b270ce..63b6b261b8e5 100644 +--- a/drivers/platform/chrome/cros_ec_lpc_mec.c ++++ b/drivers/platform/chrome/cros_ec_lpc_mec.c +@@ -10,13 +10,65 @@ + + #include "cros_ec_lpc_mec.h" + ++#define ACPI_LOCK_DELAY_MS 500 ++ + /* + * This mutex must be held while accessing the EMI unit. We can't rely on the + * EC mutex because memmap data may be accessed without it being held. + */ + static DEFINE_MUTEX(io_mutex); ++/* ++ * An alternative mutex to be used when the ACPI AML code may also ++ * access memmap data. When set, this mutex is used in preference to ++ * io_mutex. ++ */ ++static acpi_handle aml_mutex; ++ + static u16 mec_emi_base, mec_emi_end; + ++/** ++ * cros_ec_lpc_mec_lock() - Acquire mutex for EMI ++ * ++ * @return: Negative error code, or zero for success ++ */ ++static int cros_ec_lpc_mec_lock(void) ++{ ++ bool success; ++ ++ if (!aml_mutex) { ++ mutex_lock(&io_mutex); ++ return 0; ++ } ++ ++ success = ACPI_SUCCESS(acpi_acquire_mutex(aml_mutex, ++ NULL, ACPI_LOCK_DELAY_MS)); ++ if (!success) ++ return -EBUSY; ++ ++ return 0; ++} ++ ++/** ++ * cros_ec_lpc_mec_unlock() - Release mutex for EMI ++ * ++ * @return: Negative error code, or zero for success ++ */ ++static int cros_ec_lpc_mec_unlock(void) ++{ ++ bool success; ++ ++ if (!aml_mutex) { ++ mutex_unlock(&io_mutex); ++ return 0; ++ } ++ ++ success = ACPI_SUCCESS(acpi_release_mutex(aml_mutex, NULL)); ++ if (!success) ++ return -EBUSY; ++ ++ return 0; ++} ++ + /** + * cros_ec_lpc_mec_emi_write_address() - Initialize EMI at a given address. + * +@@ -77,6 +129,7 @@ u8 cros_ec_lpc_io_bytes_mec(enum cros_ec_lpc_mec_io_type io_type, + int io_addr; + u8 sum = 0; + enum cros_ec_lpc_mec_emi_access_mode access, new_access; ++ int ret; + + /* Return checksum of 0 if window is not initialized */ + WARN_ON(mec_emi_base == 0 || mec_emi_end == 0); +@@ -92,7 +145,9 @@ u8 cros_ec_lpc_io_bytes_mec(enum cros_ec_lpc_mec_io_type io_type, + else + access = ACCESS_TYPE_LONG_AUTO_INCREMENT; + +- mutex_lock(&io_mutex); ++ ret = cros_ec_lpc_mec_lock(); ++ if (ret) ++ return ret; + + /* Initialize I/O at desired address */ + cros_ec_lpc_mec_emi_write_address(offset, access); +@@ -134,7 +189,9 @@ u8 cros_ec_lpc_io_bytes_mec(enum cros_ec_lpc_mec_io_type io_type, + } + + done: +- mutex_unlock(&io_mutex); ++ ret = cros_ec_lpc_mec_unlock(); ++ if (ret) ++ return ret; + + return sum; + } +@@ -146,3 +203,18 @@ void cros_ec_lpc_mec_init(unsigned int base, unsigned int end) + mec_emi_end = end; + } + EXPORT_SYMBOL(cros_ec_lpc_mec_init); ++ ++int cros_ec_lpc_mec_acpi_mutex(struct acpi_device *adev, const char *pathname) ++{ ++ int status; ++ ++ if (!adev) ++ return -ENOENT; ++ ++ status = acpi_get_handle(adev->handle, pathname, &aml_mutex); ++ if (ACPI_FAILURE(status)) ++ return -ENOENT; ++ ++ return 0; ++} ++EXPORT_SYMBOL(cros_ec_lpc_mec_acpi_mutex); +diff --git a/drivers/platform/chrome/cros_ec_lpc_mec.h b/drivers/platform/chrome/cros_ec_lpc_mec.h +index 9d0521b23e8a..3f3af37e58a5 100644 +--- a/drivers/platform/chrome/cros_ec_lpc_mec.h ++++ b/drivers/platform/chrome/cros_ec_lpc_mec.h +@@ -8,6 +8,8 @@ + #ifndef __CROS_EC_LPC_MEC_H + #define __CROS_EC_LPC_MEC_H + ++#include ++ + enum cros_ec_lpc_mec_emi_access_mode { + /* 8-bit access */ + ACCESS_TYPE_BYTE = 0x0, +@@ -45,6 +47,15 @@ enum cros_ec_lpc_mec_io_type { + */ + void cros_ec_lpc_mec_init(unsigned int base, unsigned int end); + ++/** ++ * cros_ec_lpc_mec_acpi_mutex() - Find and set ACPI mutex for MEC ++ * ++ * @adev: Parent ACPI device ++ * @pathname: Name of AML mutex ++ * @return: Negative error code, or zero for success ++ */ ++int cros_ec_lpc_mec_acpi_mutex(struct acpi_device *adev, const char *pathname); ++ + /** + * cros_ec_lpc_mec_in_range() - Determine if addresses are in MEC EMI range. + * +-- +2.43.0 + diff --git a/queue-6.6/pwm-xilinx-fix-u32-overflow-issue-in-32-bit-width-pw.patch b/queue-6.6/pwm-xilinx-fix-u32-overflow-issue-in-32-bit-width-pw.patch new file mode 100644 index 00000000000..1360561280a --- /dev/null +++ b/queue-6.6/pwm-xilinx-fix-u32-overflow-issue-in-32-bit-width-pw.patch @@ -0,0 +1,59 @@ +From abda204368c4c9e7d53bcbd114707719bb476e12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 16:07:15 +0000 +Subject: pwm: xilinx: Fix u32 overflow issue in 32-bit width PWM mode. + +From: Ken Sloat + +[ Upstream commit 56f45266df67aa0f5b2a6881c8c4d16dbfff6b7d ] + +This timer HW supports 8, 16 and 32-bit timer widths. This +driver currently uses a u32 to store the max possible value +of the timer. However, statements perform addition of 2 in +xilinx_pwm_apply() when calculating the period_cycles and +duty_cycles values. Since priv->max is a u32, this will +result in an overflow to 1 which will not only be incorrect +but fail on range comparison. This results in making it +impossible to set the PWM in this timer mode. + +There are two obvious solutions to the current problem: +1. Cast each instance where overflow occurs to u64. +2. Change priv->max from a u32 to a u64. + +Solution #1 requires more code modifications, and leaves +opportunity to introduce similar overflows if other math +statements are added in the future. These may also go +undetected if running in non 32-bit timer modes. + +Solution #2 is the much smaller and cleaner approach and +thus the chosen method in this patch. + +This was tested on a Zynq UltraScale+ with multiple +instances of the PWM IP. + +Signed-off-by: Ken Sloat +Reviewed-by: Michal Simek +Reviewed-by: Sean Anderson +Link: https://lore.kernel.org/r/SJ0P222MB0107490C5371B848EF04351CA1E19@SJ0P222MB0107.NAMP222.PROD.OUTLOOK.COM +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +--- + include/clocksource/timer-xilinx.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/clocksource/timer-xilinx.h b/include/clocksource/timer-xilinx.h +index c0f56fe6d22a..d116f18de899 100644 +--- a/include/clocksource/timer-xilinx.h ++++ b/include/clocksource/timer-xilinx.h +@@ -41,7 +41,7 @@ struct regmap; + struct xilinx_timer_priv { + struct regmap *map; + struct clk *clk; +- u32 max; ++ u64 max; + }; + + /** +-- +2.43.0 + diff --git a/queue-6.6/rcu-nocb-remove-buggy-bypass-lock-contention-mitigat.patch b/queue-6.6/rcu-nocb-remove-buggy-bypass-lock-contention-mitigat.patch new file mode 100644 index 00000000000..9a77c36ba98 --- /dev/null +++ b/queue-6.6/rcu-nocb-remove-buggy-bypass-lock-contention-mitigat.patch @@ -0,0 +1,140 @@ +From 0afa9e56cab2e1f954f487fda0ec8e9ccf7630f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Apr 2024 16:18:35 +0200 +Subject: rcu/nocb: Remove buggy bypass lock contention mitigation + +From: Frederic Weisbecker + +[ Upstream commit e4f78057291608f6968a6789c5ebb3bde7d95504 ] + +The bypass lock contention mitigation assumes there can be at most +2 contenders on the bypass lock, following this scheme: + +1) One kthread takes the bypass lock +2) Another one spins on it and increment the contended counter +3) A third one (a bypass enqueuer) sees the contended counter on and + busy loops waiting on it to decrement. + +However this assumption is wrong. There can be only one CPU to find the +lock contended because call_rcu() (the bypass enqueuer) is the only +bypass lock acquire site that may not already hold the NOCB lock +beforehand, all the other sites must first contend on the NOCB lock. +Therefore step 2) is impossible. + +The other problem is that the mitigation assumes that contenders all +belong to the same rdp CPU, which is also impossible for a raw spinlock. +In theory the warning could trigger if the enqueuer holds the bypass +lock and another CPU flushes the bypass queue concurrently but this is +prevented from all flush users: + +1) NOCB kthreads only flush if they successfully _tried_ to lock the + bypass lock. So no contention management here. + +2) Flush on callbacks migration happen remotely when the CPU is offline. + No concurrency against bypass enqueue. + +3) Flush on deoffloading happen either locally with IRQs disabled or + remotely when the CPU is not yet online. No concurrency against + bypass enqueue. + +4) Flush on barrier entrain happen either locally with IRQs disabled or + remotely when the CPU is offline. No concurrency against + bypass enqueue. + +For those reasons, the bypass lock contention mitigation isn't needed +and is even wrong. Remove it but keep the warning reporting a contended +bypass lock on a remote CPU, to keep unexpected contention awareness. + +Signed-off-by: Frederic Weisbecker +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.h | 1 - + kernel/rcu/tree_nocb.h | 32 ++++++-------------------------- + 2 files changed, 6 insertions(+), 27 deletions(-) + +diff --git a/kernel/rcu/tree.h b/kernel/rcu/tree.h +index e9821a8422db..9eb43b501ff5 100644 +--- a/kernel/rcu/tree.h ++++ b/kernel/rcu/tree.h +@@ -224,7 +224,6 @@ struct rcu_data { + struct swait_queue_head nocb_state_wq; /* For offloading state changes */ + struct task_struct *nocb_gp_kthread; + raw_spinlock_t nocb_lock; /* Guard following pair of fields. */ +- atomic_t nocb_lock_contended; /* Contention experienced. */ + int nocb_defer_wakeup; /* Defer wakeup of nocb_kthread. */ + struct timer_list nocb_timer; /* Enforce finite deferral. */ + unsigned long nocb_gp_adv_time; /* Last call_rcu() CB adv (jiffies). */ +diff --git a/kernel/rcu/tree_nocb.h b/kernel/rcu/tree_nocb.h +index 2b24405b9cd2..30b34f215ca3 100644 +--- a/kernel/rcu/tree_nocb.h ++++ b/kernel/rcu/tree_nocb.h +@@ -91,8 +91,7 @@ module_param(nocb_nobypass_lim_per_jiffy, int, 0); + + /* + * Acquire the specified rcu_data structure's ->nocb_bypass_lock. If the +- * lock isn't immediately available, increment ->nocb_lock_contended to +- * flag the contention. ++ * lock isn't immediately available, perform minimal sanity check. + */ + static void rcu_nocb_bypass_lock(struct rcu_data *rdp) + __acquires(&rdp->nocb_bypass_lock) +@@ -100,29 +99,12 @@ static void rcu_nocb_bypass_lock(struct rcu_data *rdp) + lockdep_assert_irqs_disabled(); + if (raw_spin_trylock(&rdp->nocb_bypass_lock)) + return; +- atomic_inc(&rdp->nocb_lock_contended); ++ /* ++ * Contention expected only when local enqueue collide with ++ * remote flush from kthreads. ++ */ + WARN_ON_ONCE(smp_processor_id() != rdp->cpu); +- smp_mb__after_atomic(); /* atomic_inc() before lock. */ + raw_spin_lock(&rdp->nocb_bypass_lock); +- smp_mb__before_atomic(); /* atomic_dec() after lock. */ +- atomic_dec(&rdp->nocb_lock_contended); +-} +- +-/* +- * Spinwait until the specified rcu_data structure's ->nocb_lock is +- * not contended. Please note that this is extremely special-purpose, +- * relying on the fact that at most two kthreads and one CPU contend for +- * this lock, and also that the two kthreads are guaranteed to have frequent +- * grace-period-duration time intervals between successive acquisitions +- * of the lock. This allows us to use an extremely simple throttling +- * mechanism, and further to apply it only to the CPU doing floods of +- * call_rcu() invocations. Don't try this at home! +- */ +-static void rcu_nocb_wait_contended(struct rcu_data *rdp) +-{ +- WARN_ON_ONCE(smp_processor_id() != rdp->cpu); +- while (WARN_ON_ONCE(atomic_read(&rdp->nocb_lock_contended))) +- cpu_relax(); + } + + /* +@@ -510,7 +492,6 @@ static bool rcu_nocb_try_bypass(struct rcu_data *rdp, struct rcu_head *rhp, + } + + // We need to use the bypass. +- rcu_nocb_wait_contended(rdp); + rcu_nocb_bypass_lock(rdp); + ncbs = rcu_cblist_n_cbs(&rdp->nocb_bypass); + rcu_segcblist_inc_len(&rdp->cblist); /* Must precede enqueue. */ +@@ -1668,12 +1649,11 @@ static void show_rcu_nocb_state(struct rcu_data *rdp) + + sprintf(bufw, "%ld", rsclp->gp_seq[RCU_WAIT_TAIL]); + sprintf(bufr, "%ld", rsclp->gp_seq[RCU_NEXT_READY_TAIL]); +- pr_info(" CB %d^%d->%d %c%c%c%c%c%c F%ld L%ld C%d %c%c%s%c%s%c%c q%ld %c CPU %d%s\n", ++ pr_info(" CB %d^%d->%d %c%c%c%c%c F%ld L%ld C%d %c%c%s%c%s%c%c q%ld %c CPU %d%s\n", + rdp->cpu, rdp->nocb_gp_rdp->cpu, + nocb_next_rdp ? nocb_next_rdp->cpu : -1, + "kK"[!!rdp->nocb_cb_kthread], + "bB"[raw_spin_is_locked(&rdp->nocb_bypass_lock)], +- "cC"[!!atomic_read(&rdp->nocb_lock_contended)], + "lL"[raw_spin_is_locked(&rdp->nocb_lock)], + "sS"[!!rdp->nocb_cb_sleep], + ".W"[swait_active(&rdp->nocb_cb_wq)], +-- +2.43.0 + diff --git a/queue-6.6/rdma-efa-properly-handle-unexpected-aq-completions.patch b/queue-6.6/rdma-efa-properly-handle-unexpected-aq-completions.patch new file mode 100644 index 00000000000..309ab030880 --- /dev/null +++ b/queue-6.6/rdma-efa-properly-handle-unexpected-aq-completions.patch @@ -0,0 +1,112 @@ +From 5bb7605a3c78d3ca2004f70afba60acb9c4c64b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 May 2024 06:46:30 +0000 +Subject: RDMA/efa: Properly handle unexpected AQ completions + +From: Michael Margolin + +[ Upstream commit 2d0e7ba468eae365f3c4bc9266679e1f8dd405f0 ] + +Do not try to handle admin command completion if it has an unexpected +command id and print a relevant error message. + +Reviewed-by: Firas Jahjah +Reviewed-by: Yehuda Yitschak +Signed-off-by: Michael Margolin +Link: https://lore.kernel.org/r/20240513064630.6247-1-mrgolin@amazon.com +Reviewed-by: Gal Pressman +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/efa/efa_com.c | 30 ++++++++++++++++------------- + 1 file changed, 17 insertions(+), 13 deletions(-) + +diff --git a/drivers/infiniband/hw/efa/efa_com.c b/drivers/infiniband/hw/efa/efa_com.c +index 16a24a05fc2a..bafd210dd43e 100644 +--- a/drivers/infiniband/hw/efa/efa_com.c ++++ b/drivers/infiniband/hw/efa/efa_com.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 OR BSD-2-Clause + /* +- * Copyright 2018-2021 Amazon.com, Inc. or its affiliates. All rights reserved. ++ * Copyright 2018-2024 Amazon.com, Inc. or its affiliates. All rights reserved. + */ + + #include "efa_com.h" +@@ -406,8 +406,8 @@ static struct efa_comp_ctx *efa_com_submit_admin_cmd(struct efa_com_admin_queue + return comp_ctx; + } + +-static void efa_com_handle_single_admin_completion(struct efa_com_admin_queue *aq, +- struct efa_admin_acq_entry *cqe) ++static int efa_com_handle_single_admin_completion(struct efa_com_admin_queue *aq, ++ struct efa_admin_acq_entry *cqe) + { + struct efa_comp_ctx *comp_ctx; + u16 cmd_id; +@@ -416,11 +416,11 @@ static void efa_com_handle_single_admin_completion(struct efa_com_admin_queue *a + EFA_ADMIN_ACQ_COMMON_DESC_COMMAND_ID); + + comp_ctx = efa_com_get_comp_ctx(aq, cmd_id, false); +- if (!comp_ctx) { ++ if (comp_ctx->status != EFA_CMD_SUBMITTED) { + ibdev_err(aq->efa_dev, +- "comp_ctx is NULL. Changing the admin queue running state\n"); +- clear_bit(EFA_AQ_STATE_RUNNING_BIT, &aq->state); +- return; ++ "Received completion with unexpected command id[%d], sq producer: %d, sq consumer: %d, cq consumer: %d\n", ++ cmd_id, aq->sq.pc, aq->sq.cc, aq->cq.cc); ++ return -EINVAL; + } + + comp_ctx->status = EFA_CMD_COMPLETED; +@@ -428,14 +428,17 @@ static void efa_com_handle_single_admin_completion(struct efa_com_admin_queue *a + + if (!test_bit(EFA_AQ_STATE_POLLING_BIT, &aq->state)) + complete(&comp_ctx->wait_event); ++ ++ return 0; + } + + static void efa_com_handle_admin_completion(struct efa_com_admin_queue *aq) + { + struct efa_admin_acq_entry *cqe; + u16 queue_size_mask; +- u16 comp_num = 0; ++ u16 comp_cmds = 0; + u8 phase; ++ int err; + u16 ci; + + queue_size_mask = aq->depth - 1; +@@ -453,10 +456,12 @@ static void efa_com_handle_admin_completion(struct efa_com_admin_queue *aq) + * phase bit was validated + */ + dma_rmb(); +- efa_com_handle_single_admin_completion(aq, cqe); ++ err = efa_com_handle_single_admin_completion(aq, cqe); ++ if (!err) ++ comp_cmds++; + ++ aq->cq.cc++; + ci++; +- comp_num++; + if (ci == aq->depth) { + ci = 0; + phase = !phase; +@@ -465,10 +470,9 @@ static void efa_com_handle_admin_completion(struct efa_com_admin_queue *aq) + cqe = &aq->cq.entries[ci]; + } + +- aq->cq.cc += comp_num; + aq->cq.phase = phase; +- aq->sq.cc += comp_num; +- atomic64_add(comp_num, &aq->stats.completed_cmd); ++ aq->sq.cc += comp_cmds; ++ atomic64_add(comp_cmds, &aq->stats.completed_cmd); + } + + static int efa_com_comp_status_to_errno(u8 comp_status) +-- +2.43.0 + diff --git a/queue-6.6/regmap-spi-fix-potential-off-by-one-when-calculating.patch b/queue-6.6/regmap-spi-fix-potential-off-by-one-when-calculating.patch new file mode 100644 index 00000000000..05750fe387d --- /dev/null +++ b/queue-6.6/regmap-spi-fix-potential-off-by-one-when-calculating.patch @@ -0,0 +1,47 @@ +From 2355b64dd1be6ff91b809fc882e9cb5026ce111e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jun 2024 23:53:15 +0300 +Subject: regmap: spi: Fix potential off-by-one when calculating reserved size + +From: Andy Shevchenko + +[ Upstream commit d4ea1d504d2701ba04412f98dc00d45a104c52ab ] + +If we ever meet a hardware that uses weird register bits and padding, +we may end up in off-by-one error since x/8 + y/8 might not be equal +to (x + y)/8 in some cases. + +bits pad x/8+y/8 (x+y)/8 +4..7 0..3 0 0 // x + y from 4 up to 7 +4..7 4..7 0 1 // x + y from 8 up to 11 +4..7 8..11 1 1 // x + y from 12 up to 15 +8..15 0..7 1 1 // x + y from 8 up to 15 +8..15 8..15 2 2 // x + y from 16 up to 23 + +Fix this by using (x+y)/8. + +Signed-off-by: Andy Shevchenko +Link: https://msgid.link/r/20240605205315.19132-1-andy.shevchenko@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap-spi.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/base/regmap/regmap-spi.c b/drivers/base/regmap/regmap-spi.c +index 37ab23a9d034..7f14c5ed1e22 100644 +--- a/drivers/base/regmap/regmap-spi.c ++++ b/drivers/base/regmap/regmap-spi.c +@@ -122,8 +122,7 @@ static const struct regmap_bus *regmap_get_spi_bus(struct spi_device *spi, + return ERR_PTR(-ENOMEM); + + max_msg_size = spi_max_message_size(spi); +- reg_reserve_size = config->reg_bits / BITS_PER_BYTE +- + config->pad_bits / BITS_PER_BYTE; ++ reg_reserve_size = (config->reg_bits + config->pad_bits) / BITS_PER_BYTE; + if (max_size + reg_reserve_size > max_msg_size) + max_size -= reg_reserve_size; + +-- +2.43.0 + diff --git a/queue-6.6/series b/queue-6.6/series index 3e85d059ead..81df24ba6a5 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -37,3 +37,94 @@ selftests-mptcp-join-disable-get-and-dump-addr-checks.patch selftests-mptcp-join-stop-transfer-when-check-is-done-part-2.2.patch mptcp-avoid-duplicated-sub_closed-events.patch mptcp-pr_debug-add-missing-n-at-the-end.patch +drm-amdgpu-fix-uninitialized-variable-warning-in-amd.patch +drm-amd-display-assign-linear_pitch_alignment-even-f.patch +drm-amdgpu-fix-overflowed-array-index-read-warning.patch +drm-amdgpu-pm-check-the-return-value-of-smum_send_ms.patch +drm-amd-pm-fix-uninitialized-variable-warning.patch +drm-amd-pm-fix-uninitialized-variable-warning-for-sm.patch +drm-amd-pm-fix-warning-using-uninitialized-value-of-.patch +drm-amd-pm-fix-negative-array-index-read.patch +drm-amd-pm-fix-the-out-of-bounds-read-warning.patch +drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch +drm-amdgpu-avoid-reading-vf2pf-info-size-from-fb.patch +drm-amd-display-check-gpio_id-before-used-as-array-i.patch +drm-amd-display-stop-amdgpu_dm-initialize-when-strea.patch +drm-amd-display-check-index-for-aux_rd_interval-befo.patch +drm-amd-display-add-array-index-check-for-hdcp-ddc-a.patch +drm-amd-display-check-num_valid_sets-before-accessin.patch +drm-amd-display-check-msg_id-before-processing-trans.patch +drm-amd-display-fix-coverity-interger_overflow-withi.patch +drm-amd-display-fix-coverity-integer_overflow-within.patch +drm-amd-display-spinlock-before-reading-event.patch +drm-amd-display-fix-coverity-integer_overflow-within.patch-15851 +drm-amd-display-ensure-index-calculation-will-not-ov.patch +drm-amd-display-skip-inactive-planes-within-modesupp.patch +drm-amd-display-fix-index-may-exceed-array-range-wit.patch +drm-amd-amdgpu-check-tbo-resource-pointer.patch +drm-drm-bridge-drop-conditionals-around-of_node-poin.patch +drm-amd-pm-fix-uninitialized-variable-warnings-for-v.patch-16851 +drm-amdgpu-pm-fix-uninitialized-variable-warning-for.patch +drm-amdgpu-pm-fix-uninitialized-variable-agc_btc_res.patch +drm-amdgpu-fix-the-uninitialized-variable-warning.patch +drm-amdgpu-fix-out-of-bounds-write-warning.patch +drm-amdkfd-check-debug-trap-enable-before-write-dbg_.patch +drm-amdgpu-fix-out-of-bounds-read-of-df_v1_7_channel.patch +drm-amdgpu-fix-ucode-out-of-bounds-read-warning.patch +drm-amdgpu-fix-mc_data-out-of-bounds-read-warning.patch +drm-amdkfd-reconcile-the-definition-and-use-of-oem_i.patch +apparmor-fix-possible-null-pointer-dereference.patch +wifi-ath12k-initialize-ret-in-ath12k_qmi_load_file_t.patch +wifi-ath11k-initialize-ret-in-ath11k_qmi_load_file_t.patch +drm-amdgpu-pm-check-input-value-for-custom-profile-m.patch +drm-amdgpu-fix-the-warning-division-or-modulo-by-zer.patch +drm-amdgpu-fix-dereference-after-null-check.patch +drm-amdgpu-fix-the-waring-dereferencing-hive.patch +drm-amd-pm-check-specific-index-for-aldebaran.patch +drm-amd-pm-check-specific-index-for-smu13.patch +drm-amdgpu-the-warning-dereferencing-obj-for-nbio_v7.patch +drm-amd-pm-check-negtive-return-for-table-entries.patch +wifi-rtw89-ser-avoid-multiple-deinit-on-same-cam.patch +drm-kfd-correct-pinned-buffer-handling-at-kfd-restor.patch +drm-amdgpu-update-type-of-buf-size-to-u32-for-eeprom.patch +wifi-iwlwifi-remove-fw_running-op.patch +cpufreq-scmi-avoid-overflow-of-target_freq-in-fast-s.patch +pci-al-check-ioresource_bus-existence-during-probe.patch +wifi-mac80211-check-ieee80211_bss_info_change_notify.patch +hwspinlock-introduce-hwspin_lock_bust.patch +soc-qcom-smem-add-qcom_smem_bust_hwspin_lock_by_host.patch +rdma-efa-properly-handle-unexpected-aq-completions.patch +ionic-fix-potential-irq-name-truncation.patch +pwm-xilinx-fix-u32-overflow-issue-in-32-bit-width-pw.patch +rcu-nocb-remove-buggy-bypass-lock-contention-mitigat.patch +media-v4l2-cci-always-assign-val.patch +usbip-don-t-submit-special-requests-twice.patch +usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch +fsnotify-clear-parent_watched-flags-lazily.patch +net-remove-null-pointer-net-parameter-in-ip_metrics_.patch +drm-amdgu-fix-unintentional-integer-overflow-for-mal.patch +regmap-spi-fix-potential-off-by-one-when-calculating.patch +smack-tcp-ipv4-fix-incorrect-labeling.patch +platform-chrome-cros_ec_lpc-mec-access-can-use-an-am.patch +net-mlx5e-shampo-fix-incorrect-page-release.patch +drm-meson-plane-add-error-handling.patch +crypto-stm32-cryp-call-finalize-with-bh-disabled.patch +gfs2-revert-add-quota_change-type.patch +drm-bridge-tc358767-check-if-fully-initialized-befor.patch +dmaengine-altera-msgdma-use-irq-variant-of-spin_lock.patch +dmaengine-altera-msgdma-properly-free-descriptor-in-.patch +hwmon-k10temp-check-return-value-of-amd_smn_read.patch +wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch +f2fs-fix-to-do-sanity-check-on-blocks-for-inline_dat.patch +driver-iio-add-missing-checks-on-iio_info-s-callback.patch +block-remove-the-blk_flush_integrity-call-in-blk_int.patch +drm-amdgpu-add-skip_hw_access-checks-for-sriov.patch +drm-amdgpu-add-lock-in-amdgpu_gart_invalidate_tlb.patch +drm-amdgpu-add-lock-in-kfd_process_dequeue_from_devi.patch +drm-amd-display-don-t-use-fsleep-for-psr-exit-waits-.patch +drm-amd-display-added-null-check-at-start-of-dc_vali.patch +drm-amd-display-correct-the-defined-value-for-amdgpu.patch +drm-amd-display-use-preferred-link-settings-for-dp-s.patch +drm-amd-display-check-bios-images-before-it-is-used.patch +drm-amd-display-skip-wbscl_set_scaler_filter-if-filt.patch +media-uvcvideo-enforce-alignment-of-frame-and-interv.patch diff --git a/queue-6.6/smack-tcp-ipv4-fix-incorrect-labeling.patch b/queue-6.6/smack-tcp-ipv4-fix-incorrect-labeling.patch new file mode 100644 index 00000000000..f6599981442 --- /dev/null +++ b/queue-6.6/smack-tcp-ipv4-fix-incorrect-labeling.patch @@ -0,0 +1,69 @@ +From 5ce8d5f1cdded4308d34e1e3abb0af2f9c5edbc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jun 2024 15:41:50 -0700 +Subject: smack: tcp: ipv4, fix incorrect labeling + +From: Casey Schaufler + +[ Upstream commit 2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550 ] + +Currently, Smack mirrors the label of incoming tcp/ipv4 connections: +when a label 'foo' connects to a label 'bar' with tcp/ipv4, +'foo' always gets 'foo' in returned ipv4 packets. So, +1) returned packets are incorrectly labeled ('foo' instead of 'bar') +2) 'bar' can write to 'foo' without being authorized to write. + +Here is a scenario how to see this: + +* Take two machines, let's call them C and S, + with active Smack in the default state + (no settings, no rules, no labeled hosts, only builtin labels) + +* At S, add Smack rule 'foo bar w' + (labels 'foo' and 'bar' are instantiated at S at this moment) + +* At S, at label 'bar', launch a program + that listens for incoming tcp/ipv4 connections + +* From C, at label 'foo', connect to the listener at S. + (label 'foo' is instantiated at C at this moment) + Connection succeedes and works. + +* Send some data in both directions. +* Collect network traffic of this connection. + +All packets in both directions are labeled with the CIPSO +of the label 'foo'. Hence, label 'bar' writes to 'foo' without +being authorized, and even without ever being known at C. + +If anybody cares: exactly the same happens with DCCP. + +This behavior 1st manifested in release 2.6.29.4 (see Fixes below) +and it looks unintentional. At least, no explanation was provided. + +I changed returned packes label into the 'bar', +to bring it into line with the Smack documentation claims. + +Signed-off-by: Konstantin Andreev +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smack_lsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index 6b92e09d3f78..98c2bdbfcaed 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4354,7 +4354,7 @@ static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, + rcu_read_unlock(); + + if (hskp == NULL) +- rc = netlbl_req_setattr(req, &skp->smk_netlabel); ++ rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); + else + netlbl_req_delattr(req); + +-- +2.43.0 + diff --git a/queue-6.6/soc-qcom-smem-add-qcom_smem_bust_hwspin_lock_by_host.patch b/queue-6.6/soc-qcom-smem-add-qcom_smem_bust_hwspin_lock_by_host.patch new file mode 100644 index 00000000000..e051ce80f48 --- /dev/null +++ b/queue-6.6/soc-qcom-smem-add-qcom_smem_bust_hwspin_lock_by_host.patch @@ -0,0 +1,76 @@ +From d42e4101fe5f8d46996e42866b5086b6fafb0243 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 May 2024 11:09:57 -0700 +Subject: soc: qcom: smem: Add qcom_smem_bust_hwspin_lock_by_host() + +From: Chris Lew + +[ Upstream commit 2e3f0d693875db698891ffe89a18121bda5b95b8 ] + +Add qcom_smem_bust_hwspin_lock_by_host to enable remoteproc to bust the +hwspin_lock owned by smem. In the event the remoteproc crashes +unexpectedly, the remoteproc driver can invoke this API to try and bust +the hwspin_lock and release the lock if still held by the remoteproc +device. + +Signed-off-by: Chris Lew +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20240529-hwspinlock-bust-v3-3-c8b924ffa5a2@quicinc.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/smem.c | 26 ++++++++++++++++++++++++++ + include/linux/soc/qcom/smem.h | 2 ++ + 2 files changed, 28 insertions(+) + +diff --git a/drivers/soc/qcom/smem.c b/drivers/soc/qcom/smem.c +index d4a89d2bb43b..2e8568d6cde9 100644 +--- a/drivers/soc/qcom/smem.c ++++ b/drivers/soc/qcom/smem.c +@@ -359,6 +359,32 @@ static struct qcom_smem *__smem; + /* Timeout (ms) for the trylock of remote spinlocks */ + #define HWSPINLOCK_TIMEOUT 1000 + ++/* The qcom hwspinlock id is always plus one from the smem host id */ ++#define SMEM_HOST_ID_TO_HWSPINLOCK_ID(__x) ((__x) + 1) ++ ++/** ++ * qcom_smem_bust_hwspin_lock_by_host() - bust the smem hwspinlock for a host ++ * @host: remote processor id ++ * ++ * Busts the hwspin_lock for the given smem host id. This helper is intended ++ * for remoteproc drivers that manage remoteprocs with an equivalent smem ++ * driver instance in the remote firmware. Drivers can force a release of the ++ * smem hwspin_lock if the rproc unexpectedly goes into a bad state. ++ * ++ * Context: Process context. ++ * ++ * Returns: 0 on success, otherwise negative errno. ++ */ ++int qcom_smem_bust_hwspin_lock_by_host(unsigned int host) ++{ ++ /* This function is for remote procs, so ignore SMEM_HOST_APPS */ ++ if (host == SMEM_HOST_APPS || host >= SMEM_HOST_COUNT) ++ return -EINVAL; ++ ++ return hwspin_lock_bust(__smem->hwlock, SMEM_HOST_ID_TO_HWSPINLOCK_ID(host)); ++} ++EXPORT_SYMBOL_GPL(qcom_smem_bust_hwspin_lock_by_host); ++ + /** + * qcom_smem_is_available() - Check if SMEM is available + * +diff --git a/include/linux/soc/qcom/smem.h b/include/linux/soc/qcom/smem.h +index a36a3b9d4929..03187bc95851 100644 +--- a/include/linux/soc/qcom/smem.h ++++ b/include/linux/soc/qcom/smem.h +@@ -14,4 +14,6 @@ phys_addr_t qcom_smem_virt_to_phys(void *p); + + int qcom_smem_get_soc_id(u32 *id); + ++int qcom_smem_bust_hwspin_lock_by_host(unsigned int host); ++ + #endif +-- +2.43.0 + diff --git a/queue-6.6/usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch b/queue-6.6/usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch new file mode 100644 index 00000000000..1e6478742c6 --- /dev/null +++ b/queue-6.6/usb-typec-ucsi-fix-null-pointer-dereference-in-trace.patch @@ -0,0 +1,44 @@ +From de9904498f33a8b56f291438d37a6a04f1003ba2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 20:12:41 +0000 +Subject: usb: typec: ucsi: Fix null pointer dereference in trace + +From: Abhishek Pandit-Subedi + +[ Upstream commit 99516f76db48e1a9d54cdfed63c1babcee4e71a5 ] + +ucsi_register_altmode checks IS_ERR for the alt pointer and treats +NULL as valid. When CONFIG_TYPEC_DP_ALTMODE is not enabled, +ucsi_register_displayport returns NULL which causes a NULL pointer +dereference in trace. Rather than return NULL, call +typec_port_register_altmode to register DisplayPort alternate mode +as a non-controllable mode when CONFIG_TYPEC_DP_ALTMODE is not enabled. + +Reviewed-by: Benson Leung +Reviewed-by: Heikki Krogerus +Signed-off-by: Abhishek Pandit-Subedi +Signed-off-by: Jameson Thies +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20240510201244.2968152-2-jthies@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/ucsi/ucsi.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/typec/ucsi/ucsi.h b/drivers/usb/typec/ucsi/ucsi.h +index 2a886e58cd63..42c60eba5fb6 100644 +--- a/drivers/usb/typec/ucsi/ucsi.h ++++ b/drivers/usb/typec/ucsi/ucsi.h +@@ -404,7 +404,7 @@ ucsi_register_displayport(struct ucsi_connector *con, + bool override, int offset, + struct typec_altmode_desc *desc) + { +- return NULL; ++ return typec_port_register_altmode(con->port, desc); + } + + static inline void +-- +2.43.0 + diff --git a/queue-6.6/usbip-don-t-submit-special-requests-twice.patch b/queue-6.6/usbip-don-t-submit-special-requests-twice.patch new file mode 100644 index 00000000000..b45c46f69c0 --- /dev/null +++ b/queue-6.6/usbip-don-t-submit-special-requests-twice.patch @@ -0,0 +1,183 @@ +From 20605d78ca23fce89e1a7289997ada6d1a0682b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 May 2024 16:15:38 +0200 +Subject: usbip: Don't submit special requests twice + +From: Simon Holesch + +[ Upstream commit 8b6b386f9aa936ed0c190446c71cf59d4a507690 ] + +Skip submitting URBs, when identical requests were already sent in +tweak_special_requests(). Instead call the completion handler directly +to return the result of the URB. + +Even though submitting those requests twice should be harmless, there +are USB devices that react poorly to some duplicated requests. + +One example is the ChipIdea controller implementation in U-Boot: The +second SET_CONFIGURATION request makes U-Boot disable and re-enable all +endpoints. Re-enabling an endpoint in the ChipIdea controller, however, +was broken until U-Boot commit b272c8792502 ("usb: ci: Fix gadget +reinit"). + +Signed-off-by: Simon Holesch +Acked-by: Shuah Khan +Reviewed-by: Hongren Zheng +Tested-by: Hongren Zheng +Link: https://lore.kernel.org/r/20240519141922.171460-1-simon@holesch.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/usbip/stub_rx.c | 77 ++++++++++++++++++++++++------------- + 1 file changed, 50 insertions(+), 27 deletions(-) + +diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c +index fc01b31bbb87..6338d818bc8b 100644 +--- a/drivers/usb/usbip/stub_rx.c ++++ b/drivers/usb/usbip/stub_rx.c +@@ -144,53 +144,62 @@ static int tweak_set_configuration_cmd(struct urb *urb) + if (err && err != -ENODEV) + dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n", + config, err); +- return 0; ++ return err; + } + + static int tweak_reset_device_cmd(struct urb *urb) + { + struct stub_priv *priv = (struct stub_priv *) urb->context; + struct stub_device *sdev = priv->sdev; ++ int err; + + dev_info(&urb->dev->dev, "usb_queue_reset_device\n"); + +- if (usb_lock_device_for_reset(sdev->udev, NULL) < 0) { ++ err = usb_lock_device_for_reset(sdev->udev, NULL); ++ if (err < 0) { + dev_err(&urb->dev->dev, "could not obtain lock to reset device\n"); +- return 0; ++ return err; + } +- usb_reset_device(sdev->udev); ++ err = usb_reset_device(sdev->udev); + usb_unlock_device(sdev->udev); + +- return 0; ++ return err; + } + + /* + * clear_halt, set_interface, and set_configuration require special tricks. ++ * Returns 1 if request was tweaked, 0 otherwise. + */ +-static void tweak_special_requests(struct urb *urb) ++static int tweak_special_requests(struct urb *urb) + { ++ int err; ++ + if (!urb || !urb->setup_packet) +- return; ++ return 0; + + if (usb_pipetype(urb->pipe) != PIPE_CONTROL) +- return; ++ return 0; + + if (is_clear_halt_cmd(urb)) + /* tweak clear_halt */ +- tweak_clear_halt_cmd(urb); ++ err = tweak_clear_halt_cmd(urb); + + else if (is_set_interface_cmd(urb)) + /* tweak set_interface */ +- tweak_set_interface_cmd(urb); ++ err = tweak_set_interface_cmd(urb); + + else if (is_set_configuration_cmd(urb)) + /* tweak set_configuration */ +- tweak_set_configuration_cmd(urb); ++ err = tweak_set_configuration_cmd(urb); + + else if (is_reset_device_cmd(urb)) +- tweak_reset_device_cmd(urb); +- else ++ err = tweak_reset_device_cmd(urb); ++ else { + usbip_dbg_stub_rx("no need to tweak\n"); ++ return 0; ++ } ++ ++ return !err; + } + + /* +@@ -468,6 +477,7 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, + int support_sg = 1; + int np = 0; + int ret, i; ++ int is_tweaked; + + if (pipe == -1) + return; +@@ -580,8 +590,11 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, + priv->urbs[i]->pipe = pipe; + priv->urbs[i]->complete = stub_complete; + +- /* no need to submit an intercepted request, but harmless? */ +- tweak_special_requests(priv->urbs[i]); ++ /* ++ * all URBs belong to a single PDU, so a global is_tweaked flag is ++ * enough ++ */ ++ is_tweaked = tweak_special_requests(priv->urbs[i]); + + masking_bogus_flags(priv->urbs[i]); + } +@@ -594,22 +607,32 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, + + /* urb is now ready to submit */ + for (i = 0; i < priv->num_urbs; i++) { +- ret = usb_submit_urb(priv->urbs[i], GFP_KERNEL); ++ if (!is_tweaked) { ++ ret = usb_submit_urb(priv->urbs[i], GFP_KERNEL); + +- if (ret == 0) +- usbip_dbg_stub_rx("submit urb ok, seqnum %u\n", +- pdu->base.seqnum); +- else { +- dev_err(&udev->dev, "submit_urb error, %d\n", ret); +- usbip_dump_header(pdu); +- usbip_dump_urb(priv->urbs[i]); ++ if (ret == 0) ++ usbip_dbg_stub_rx("submit urb ok, seqnum %u\n", ++ pdu->base.seqnum); ++ else { ++ dev_err(&udev->dev, "submit_urb error, %d\n", ret); ++ usbip_dump_header(pdu); ++ usbip_dump_urb(priv->urbs[i]); + ++ /* ++ * Pessimistic. ++ * This connection will be discarded. ++ */ ++ usbip_event_add(ud, SDEV_EVENT_ERROR_SUBMIT); ++ break; ++ } ++ } else { + /* +- * Pessimistic. +- * This connection will be discarded. ++ * An identical URB was already submitted in ++ * tweak_special_requests(). Skip submitting this URB to not ++ * duplicate the request. + */ +- usbip_event_add(ud, SDEV_EVENT_ERROR_SUBMIT); +- break; ++ priv->urbs[i]->status = 0; ++ stub_complete(priv->urbs[i]); + } + } + +-- +2.43.0 + diff --git a/queue-6.6/wifi-ath11k-initialize-ret-in-ath11k_qmi_load_file_t.patch b/queue-6.6/wifi-ath11k-initialize-ret-in-ath11k_qmi_load_file_t.patch new file mode 100644 index 00000000000..b2bbe868e4a --- /dev/null +++ b/queue-6.6/wifi-ath11k-initialize-ret-in-ath11k_qmi_load_file_t.patch @@ -0,0 +1,45 @@ +From 771ab623956ed4be45ddeb6a539013e44aac73f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 May 2024 11:52:09 -0700 +Subject: wifi: ath11k: initialize 'ret' in ath11k_qmi_load_file_target_mem() + +From: Jeff Johnson + +[ Upstream commit 199f149e97dc7be80e5eed4b232529c1d1aa8055 ] + +smatch flagged the following issue: + +drivers/net/wireless/ath/ath11k/qmi.c:2401 ath11k_qmi_load_file_target_mem() error: uninitialized symbol 'ret'. + +The reality is that 'ret' is initialized in every path through +ath11k_qmi_load_file_target_mem() except one, the case where the input +'len' is 0, and hence the "while (remaining)" loop is never entered. +But to make sure this case is also handled, add an initializer to the +declaration of 'ret'. + +No functional changes, compile tested only. + +Signed-off-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240504-qmi_load_file_target_mem-v1-2-069fc44c45eb@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/qmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c +index a831d9474e9e..83dc284392de 100644 +--- a/drivers/net/wireless/ath/ath11k/qmi.c ++++ b/drivers/net/wireless/ath/ath11k/qmi.c +@@ -2293,7 +2293,7 @@ static int ath11k_qmi_load_file_target_mem(struct ath11k_base *ab, + struct qmi_txn txn; + const u8 *temp = data; + void __iomem *bdf_addr = NULL; +- int ret; ++ int ret = 0; + u32 remaining = len; + + req = kzalloc(sizeof(*req), GFP_KERNEL); +-- +2.43.0 + diff --git a/queue-6.6/wifi-ath12k-initialize-ret-in-ath12k_qmi_load_file_t.patch b/queue-6.6/wifi-ath12k-initialize-ret-in-ath12k_qmi_load_file_t.patch new file mode 100644 index 00000000000..cdcc99714fa --- /dev/null +++ b/queue-6.6/wifi-ath12k-initialize-ret-in-ath12k_qmi_load_file_t.patch @@ -0,0 +1,45 @@ +From c60b91bc970abaf08f86d3d04514a6d5fc127a8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 May 2024 11:52:08 -0700 +Subject: wifi: ath12k: initialize 'ret' in ath12k_qmi_load_file_target_mem() + +From: Jeff Johnson + +[ Upstream commit bb0b0a6b96e6de854cb1e349e17bd0e8bf421a59 ] + +smatch flagged the following issue: + +drivers/net/wireless/ath/ath12k/qmi.c:2619 ath12k_qmi_load_file_target_mem() error: uninitialized symbol 'ret'. + +The reality is that 'ret' is initialized in every path through +ath12k_qmi_load_file_target_mem() except one, the case where the input +'len' is 0, and hence the "while (remaining)" loop is never entered. +But to make sure this case is also handled, add an initializer to the +declaration of 'ret'. + +No functional changes, compile tested only. + +Signed-off-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://msgid.link/20240504-qmi_load_file_target_mem-v1-1-069fc44c45eb@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath12k/qmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath12k/qmi.c b/drivers/net/wireless/ath/ath12k/qmi.c +index f1379a5e60cd..c49f585cc396 100644 +--- a/drivers/net/wireless/ath/ath12k/qmi.c ++++ b/drivers/net/wireless/ath/ath12k/qmi.c +@@ -2312,7 +2312,7 @@ static int ath12k_qmi_load_file_target_mem(struct ath12k_base *ab, + struct qmi_wlanfw_bdf_download_resp_msg_v01 resp; + struct qmi_txn txn = {}; + const u8 *temp = data; +- int ret; ++ int ret = 0; + u32 remaining = len; + + req = kzalloc(sizeof(*req), GFP_KERNEL); +-- +2.43.0 + diff --git a/queue-6.6/wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch b/queue-6.6/wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch new file mode 100644 index 00000000000..5a32c12014a --- /dev/null +++ b/queue-6.6/wifi-cfg80211-make-hash-table-duplicates-more-surviv.patch @@ -0,0 +1,130 @@ +From 192dac0f402d86760108f0accafbed7597373015 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jun 2024 20:17:17 +0200 +Subject: wifi: cfg80211: make hash table duplicates more survivable + +From: Johannes Berg + +[ Upstream commit 7f12e26a194d0043441f870708093d9c2c3bad7d ] + +Jiazi Li reported that they occasionally see hash table duplicates +as evidenced by the WARN_ON() in rb_insert_bss() in this code. It +isn't clear how that happens, nor have I been able to reproduce it, +but if it does happen, the kernel crashes later, when it tries to +unhash the entry that's now not hashed. + +Try to make this situation more survivable by removing the BSS from +the list(s) as well, that way it's fully leaked here (as had been +the intent in the hash insert error path), and no longer reachable +through the list(s) so it shouldn't be unhashed again later. + +Link: https://lore.kernel.org/r/20231026013528.GA24122@Jiazi.Li +Signed-off-by: Johannes Berg +Link: https://msgid.link/20240607181726.36835-2-johannes@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/scan.c | 46 +++++++++++++++++++++++++++++++++------------ + 1 file changed, 34 insertions(+), 12 deletions(-) + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 74db51348a7f..4d88e797ae49 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -1562,7 +1562,7 @@ struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy, + } + EXPORT_SYMBOL(cfg80211_get_bss); + +-static void rb_insert_bss(struct cfg80211_registered_device *rdev, ++static bool rb_insert_bss(struct cfg80211_registered_device *rdev, + struct cfg80211_internal_bss *bss) + { + struct rb_node **p = &rdev->bss_tree.rb_node; +@@ -1578,7 +1578,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev, + + if (WARN_ON(!cmp)) { + /* will sort of leak this BSS */ +- return; ++ return false; + } + + if (cmp < 0) +@@ -1589,6 +1589,7 @@ static void rb_insert_bss(struct cfg80211_registered_device *rdev, + + rb_link_node(&bss->rbn, parent, p); + rb_insert_color(&bss->rbn, &rdev->bss_tree); ++ return true; + } + + static struct cfg80211_internal_bss * +@@ -1615,6 +1616,34 @@ rb_find_bss(struct cfg80211_registered_device *rdev, + return NULL; + } + ++static void cfg80211_insert_bss(struct cfg80211_registered_device *rdev, ++ struct cfg80211_internal_bss *bss) ++{ ++ lockdep_assert_held(&rdev->bss_lock); ++ ++ if (!rb_insert_bss(rdev, bss)) ++ return; ++ list_add_tail(&bss->list, &rdev->bss_list); ++ rdev->bss_entries++; ++} ++ ++static void cfg80211_rehash_bss(struct cfg80211_registered_device *rdev, ++ struct cfg80211_internal_bss *bss) ++{ ++ lockdep_assert_held(&rdev->bss_lock); ++ ++ rb_erase(&bss->rbn, &rdev->bss_tree); ++ if (!rb_insert_bss(rdev, bss)) { ++ list_del(&bss->list); ++ if (!list_empty(&bss->hidden_list)) ++ list_del_init(&bss->hidden_list); ++ if (!list_empty(&bss->pub.nontrans_list)) ++ list_del_init(&bss->pub.nontrans_list); ++ rdev->bss_entries--; ++ } ++ rdev->bss_generation++; ++} ++ + static bool cfg80211_combine_bsses(struct cfg80211_registered_device *rdev, + struct cfg80211_internal_bss *new) + { +@@ -1876,9 +1905,7 @@ __cfg80211_bss_update(struct cfg80211_registered_device *rdev, + bss_ref_get(rdev, bss_from_pub(tmp->pub.transmitted_bss)); + } + +- list_add_tail(&new->list, &rdev->bss_list); +- rdev->bss_entries++; +- rb_insert_bss(rdev, new); ++ cfg80211_insert_bss(rdev, new); + found = new; + } + +@@ -3111,19 +3138,14 @@ void cfg80211_update_assoc_bss_entry(struct wireless_dev *wdev, + if (!WARN_ON(!__cfg80211_unlink_bss(rdev, new))) + rdev->bss_generation++; + } +- +- rb_erase(&cbss->rbn, &rdev->bss_tree); +- rb_insert_bss(rdev, cbss); +- rdev->bss_generation++; ++ cfg80211_rehash_bss(rdev, cbss); + + list_for_each_entry_safe(nontrans_bss, tmp, + &cbss->pub.nontrans_list, + nontrans_list) { + bss = bss_from_pub(nontrans_bss); + bss->pub.channel = chan; +- rb_erase(&bss->rbn, &rdev->bss_tree); +- rb_insert_bss(rdev, bss); +- rdev->bss_generation++; ++ cfg80211_rehash_bss(rdev, bss); + } + + done: +-- +2.43.0 + diff --git a/queue-6.6/wifi-iwlwifi-remove-fw_running-op.patch b/queue-6.6/wifi-iwlwifi-remove-fw_running-op.patch new file mode 100644 index 00000000000..87b6d103381 --- /dev/null +++ b/queue-6.6/wifi-iwlwifi-remove-fw_running-op.patch @@ -0,0 +1,80 @@ +From 4e117b40372dc1850801489e67e6a4128361247f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 May 2024 17:06:40 +0300 +Subject: wifi: iwlwifi: remove fw_running op + +From: Shahar S Matityahu + +[ Upstream commit 37733bffda3285d18bd1d72c14b3a1cf39c56a5e ] + +fw_running assumes that memory can be retrieved only after alive. +This assumption is no longer true as we support dump before alive. +To avoid invalid access to the NIC, check that STATUS_DEVICE_ENABLED +bit in trans status is set before dumping instead of the prior check. + +Signed-off-by: Shahar S Matityahu +Reviewed-by: Luciano Coelho +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Miri Korenblit +Link: https://msgid.link/20240510170500.ca07138cedeb.I090e31d3eaeb4ba19f5f84aba997ccd36927e9ac@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/debugfs.c | 3 +-- + drivers/net/wireless/intel/iwlwifi/fw/runtime.h | 1 - + drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 6 ------ + 3 files changed, 1 insertion(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c b/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c +index 3356e36e2af7..0b71a71ca240 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/debugfs.c +@@ -230,8 +230,7 @@ static ssize_t iwl_dbgfs_send_hcmd_write(struct iwl_fw_runtime *fwrt, char *buf, + .data = { NULL, }, + }; + +- if (fwrt->ops && fwrt->ops->fw_running && +- !fwrt->ops->fw_running(fwrt->ops_ctx)) ++ if (!iwl_trans_fw_running(fwrt->trans)) + return -EIO; + + if (count < header_size + 1 || count > 1024 * 4) +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h +index 702586945533..5812b58c92b0 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h ++++ b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h +@@ -18,7 +18,6 @@ + struct iwl_fw_runtime_ops { + void (*dump_start)(void *ctx); + void (*dump_end)(void *ctx); +- bool (*fw_running)(void *ctx); + int (*send_hcmd)(void *ctx, struct iwl_host_cmd *host_cmd); + bool (*d3_debug_enable)(void *ctx); + }; +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +index 5336a4afde4d..945524470a1e 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +@@ -702,11 +702,6 @@ static void iwl_mvm_fwrt_dump_end(void *ctx) + mutex_unlock(&mvm->mutex); + } + +-static bool iwl_mvm_fwrt_fw_running(void *ctx) +-{ +- return iwl_mvm_firmware_running(ctx); +-} +- + static int iwl_mvm_fwrt_send_hcmd(void *ctx, struct iwl_host_cmd *host_cmd) + { + struct iwl_mvm *mvm = (struct iwl_mvm *)ctx; +@@ -727,7 +722,6 @@ static bool iwl_mvm_d3_debug_enable(void *ctx) + static const struct iwl_fw_runtime_ops iwl_mvm_fwrt_ops = { + .dump_start = iwl_mvm_fwrt_dump_start, + .dump_end = iwl_mvm_fwrt_dump_end, +- .fw_running = iwl_mvm_fwrt_fw_running, + .send_hcmd = iwl_mvm_fwrt_send_hcmd, + .d3_debug_enable = iwl_mvm_d3_debug_enable, + }; +-- +2.43.0 + diff --git a/queue-6.6/wifi-mac80211-check-ieee80211_bss_info_change_notify.patch b/queue-6.6/wifi-mac80211-check-ieee80211_bss_info_change_notify.patch new file mode 100644 index 00000000000..2c2a56bb1a7 --- /dev/null +++ b/queue-6.6/wifi-mac80211-check-ieee80211_bss_info_change_notify.patch @@ -0,0 +1,45 @@ +From af7a03d80ed3297ad2d5df9c9741f26845b88bfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 May 2024 12:11:40 +0200 +Subject: wifi: mac80211: check ieee80211_bss_info_change_notify() against MLD + +From: Johannes Berg + +[ Upstream commit a0ca76e5b7d550fcd74753d5fdaaf23f1a9bfdb4 ] + +It's not valid to call ieee80211_bss_info_change_notify() with +an sdata that's an MLD, remove the FIXME comment (it's not true) +and add a warning. + +Reviewed-by: Miriam Rachel Korenblit +Link: https://msgid.link/20240523121140.97a589b13d24.I61988788d81fb3cf97a490dfd3167f67a141d1fd@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/main.c b/net/mac80211/main.c +index 066424e62ff0..71d60f57a886 100644 +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -215,6 +215,8 @@ void ieee80211_bss_info_change_notify(struct ieee80211_sub_if_data *sdata, + + might_sleep(); + ++ WARN_ON_ONCE(ieee80211_vif_is_mld(&sdata->vif)); ++ + if (!changed || sdata->vif.type == NL80211_IFTYPE_AP_VLAN) + return; + +@@ -247,7 +249,6 @@ void ieee80211_bss_info_change_notify(struct ieee80211_sub_if_data *sdata, + if (changed & ~BSS_CHANGED_VIF_CFG_FLAGS) { + u64 ch = changed & ~BSS_CHANGED_VIF_CFG_FLAGS; + +- /* FIXME: should be for each link */ + trace_drv_link_info_changed(local, sdata, &sdata->vif.bss_conf, + changed); + if (local->ops->link_info_changed) +-- +2.43.0 + diff --git a/queue-6.6/wifi-rtw89-ser-avoid-multiple-deinit-on-same-cam.patch b/queue-6.6/wifi-rtw89-ser-avoid-multiple-deinit-on-same-cam.patch new file mode 100644 index 00000000000..e0c6c35bc2f --- /dev/null +++ b/queue-6.6/wifi-rtw89-ser-avoid-multiple-deinit-on-same-cam.patch @@ -0,0 +1,44 @@ +From b5bf85891e9108c977a8596b1081dff9c4b446e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 May 2024 17:06:43 +0800 +Subject: wifi: rtw89: ser: avoid multiple deinit on same CAM + +From: Zong-Zhe Yang + +[ Upstream commit cea4066588308fa932b6b03486c608efff1d761c ] + +We did deinit CAM in STA iteration in VIF loop. But, the STA iteration +missed to restrict the target VIF. So, if there are multiple VIFs, we +would deinit a CAM multiple times. Now, fix it. + +Signed-off-by: Zong-Zhe Yang +Signed-off-by: Ping-Ke Shih +Link: https://msgid.link/20240509090646.35304-2-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/ser.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw89/ser.c b/drivers/net/wireless/realtek/rtw89/ser.c +index c1644353053f..01b17b8f4ff9 100644 +--- a/drivers/net/wireless/realtek/rtw89/ser.c ++++ b/drivers/net/wireless/realtek/rtw89/ser.c +@@ -308,9 +308,13 @@ static void ser_reset_vif(struct rtw89_dev *rtwdev, struct rtw89_vif *rtwvif) + + static void ser_sta_deinit_cam_iter(void *data, struct ieee80211_sta *sta) + { +- struct rtw89_vif *rtwvif = (struct rtw89_vif *)data; +- struct rtw89_dev *rtwdev = rtwvif->rtwdev; ++ struct rtw89_vif *target_rtwvif = (struct rtw89_vif *)data; + struct rtw89_sta *rtwsta = (struct rtw89_sta *)sta->drv_priv; ++ struct rtw89_vif *rtwvif = rtwsta->rtwvif; ++ struct rtw89_dev *rtwdev = rtwvif->rtwdev; ++ ++ if (rtwvif != target_rtwvif) ++ return; + + if (rtwvif->net_type == RTW89_NET_TYPE_AP_MODE || sta->tdls) + rtw89_cam_deinit_addr_cam(rtwdev, &rtwsta->addr_cam); +-- +2.43.0 +