From 366c1bb1ba943221d4e64235d2678c0aaa5dd584 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 2 Dec 2024 12:48:43 +0100 Subject: [PATCH] 6.6-stable patches added patches: dm-bufio-fix-warnings-about-duplicate-slab-caches.patch drm-amd-display-add-null-check-for-clk_mgr-and-clk_mgr-funcs-in-dcn30_init_hw.patch drm-amd-display-add-null-check-for-clk_mgr-in-dcn32_init_hw.patch drm-amd-display-add-null-check-for-function-pointer-in-dcn20_set_output_transfer_func.patch drm-amd-display-add-null-pointer-check-for-kzalloc.patch drm-amd-display-check-null-pointer-before-try-to-access-it.patch drm-amd-display-check-phantom_stream-before-it-is-used.patch perf-x86-intel-hide-topdown-metrics-events-if-the-feature-is-not-enumerated.patch --- ...warnings-about-duplicate-slab-caches.patch | 61 ++++++ ...r-and-clk_mgr-funcs-in-dcn30_init_hw.patch | 64 ++++++ ...l-check-for-clk_mgr-in-dcn32_init_hw.patch | 63 ++++++ ...er-in-dcn20_set_output_transfer_func.patch | 49 +++++ ...y-add-null-pointer-check-for-kzalloc.patch | 183 ++++++++++++++++++ ...null-pointer-before-try-to-access-it.patch | 48 +++++ ...eck-phantom_stream-before-it-is-used.patch | 39 ++++ ...nts-if-the-feature-is-not-enumerated.patch | 95 +++++++++ queue-6.6/series | 8 + 9 files changed, 610 insertions(+) create mode 100644 queue-6.6/dm-bufio-fix-warnings-about-duplicate-slab-caches.patch create mode 100644 queue-6.6/drm-amd-display-add-null-check-for-clk_mgr-and-clk_mgr-funcs-in-dcn30_init_hw.patch create mode 100644 queue-6.6/drm-amd-display-add-null-check-for-clk_mgr-in-dcn32_init_hw.patch create mode 100644 queue-6.6/drm-amd-display-add-null-check-for-function-pointer-in-dcn20_set_output_transfer_func.patch create mode 100644 queue-6.6/drm-amd-display-add-null-pointer-check-for-kzalloc.patch create mode 100644 queue-6.6/drm-amd-display-check-null-pointer-before-try-to-access-it.patch create mode 100644 queue-6.6/drm-amd-display-check-phantom_stream-before-it-is-used.patch create mode 100644 queue-6.6/perf-x86-intel-hide-topdown-metrics-events-if-the-feature-is-not-enumerated.patch diff --git a/queue-6.6/dm-bufio-fix-warnings-about-duplicate-slab-caches.patch b/queue-6.6/dm-bufio-fix-warnings-about-duplicate-slab-caches.patch new file mode 100644 index 00000000000..804b9276598 --- /dev/null +++ b/queue-6.6/dm-bufio-fix-warnings-about-duplicate-slab-caches.patch @@ -0,0 +1,61 @@ +From 42964e4b5e3ac95090bdd23ed7da2a941ccd902c Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 11 Nov 2024 16:48:18 +0100 +Subject: dm-bufio: fix warnings about duplicate slab caches + +From: Mikulas Patocka + +commit 42964e4b5e3ac95090bdd23ed7da2a941ccd902c upstream. + +The commit 4c39529663b9 adds a warning about duplicate cache names if +CONFIG_DEBUG_VM is selected. These warnings are triggered by the dm-bufio +code. The dm-bufio code allocates a slab cache with each client. It is +not possible to preallocate the caches in the module init function +because the size of auxiliary per-buffer data is not known at this point. + +So, this commit changes dm-bufio so that it appends a unique atomic value +to the cache name, to avoid the warnings. + +Signed-off-by: Mikulas Patocka +Fixes: 4c39529663b9 ("slab: Warn on duplicate cache names when DEBUG_VM=y") +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-bufio.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/md/dm-bufio.c ++++ b/drivers/md/dm-bufio.c +@@ -2444,7 +2444,8 @@ struct dm_bufio_client *dm_bufio_client_ + int r; + unsigned int num_locks; + struct dm_bufio_client *c; +- char slab_name[27]; ++ char slab_name[64]; ++ static atomic_t seqno = ATOMIC_INIT(0); + + if (!block_size || block_size & ((1 << SECTOR_SHIFT) - 1)) { + DMERR("%s: block size not specified or is not multiple of 512b", __func__); +@@ -2495,7 +2496,8 @@ struct dm_bufio_client *dm_bufio_client_ + (block_size < PAGE_SIZE || !is_power_of_2(block_size))) { + unsigned int align = min(1U << __ffs(block_size), (unsigned int)PAGE_SIZE); + +- snprintf(slab_name, sizeof(slab_name), "dm_bufio_cache-%u", block_size); ++ snprintf(slab_name, sizeof(slab_name), "dm_bufio_cache-%u-%u", ++ block_size, atomic_inc_return(&seqno)); + c->slab_cache = kmem_cache_create(slab_name, block_size, align, + SLAB_RECLAIM_ACCOUNT, NULL); + if (!c->slab_cache) { +@@ -2504,9 +2506,11 @@ struct dm_bufio_client *dm_bufio_client_ + } + } + if (aux_size) +- snprintf(slab_name, sizeof(slab_name), "dm_bufio_buffer-%u", aux_size); ++ snprintf(slab_name, sizeof(slab_name), "dm_bufio_buffer-%u-%u", ++ aux_size, atomic_inc_return(&seqno)); + else +- snprintf(slab_name, sizeof(slab_name), "dm_bufio_buffer"); ++ snprintf(slab_name, sizeof(slab_name), "dm_bufio_buffer-%u", ++ atomic_inc_return(&seqno)); + c->slab_buffer = kmem_cache_create(slab_name, sizeof(struct dm_buffer) + aux_size, + 0, SLAB_RECLAIM_ACCOUNT, NULL); + if (!c->slab_buffer) { diff --git a/queue-6.6/drm-amd-display-add-null-check-for-clk_mgr-and-clk_mgr-funcs-in-dcn30_init_hw.patch b/queue-6.6/drm-amd-display-add-null-check-for-clk_mgr-and-clk_mgr-funcs-in-dcn30_init_hw.patch new file mode 100644 index 00000000000..e7b56d53870 --- /dev/null +++ b/queue-6.6/drm-amd-display-add-null-check-for-clk_mgr-and-clk_mgr-funcs-in-dcn30_init_hw.patch @@ -0,0 +1,64 @@ +From cba7fec864172dadd953daefdd26e01742b71a6a Mon Sep 17 00:00:00 2001 +From: Srinivasan Shanmugam +Date: Mon, 22 Jul 2024 16:21:19 +0530 +Subject: drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw + +From: Srinivasan Shanmugam + +commit cba7fec864172dadd953daefdd26e01742b71a6a upstream. + +This commit addresses a potential null pointer dereference issue in the +`dcn30_init_hw` function. The issue could occur when `dc->clk_mgr` or +`dc->clk_mgr->funcs` is null. + +The fix adds a check to ensure `dc->clk_mgr` and `dc->clk_mgr->funcs` is +not null before accessing its functions. This prevents a potential null +pointer dereference. + +Reported by smatch: +drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:789 dcn30_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 628) + +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Cc: Hamza Mahfooz +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +[Xiangyu: BP to fix CVE: CVE-2024-49917, modified the source path] +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c +@@ -440,7 +440,7 @@ void dcn30_init_hw(struct dc *dc) + int edp_num; + uint32_t backlight = MAX_BACKLIGHT_LEVEL; + +- if (dc->clk_mgr && dc->clk_mgr->funcs->init_clocks) ++ if (dc->clk_mgr && dc->clk_mgr->funcs && dc->clk_mgr->funcs->init_clocks) + dc->clk_mgr->funcs->init_clocks(dc->clk_mgr); + + // Initialize the dccg +@@ -599,11 +599,12 @@ void dcn30_init_hw(struct dc *dc) + if (!dcb->funcs->is_accelerated_mode(dcb) && dc->res_pool->hubbub->funcs->init_watermarks) + dc->res_pool->hubbub->funcs->init_watermarks(dc->res_pool->hubbub); + +- if (dc->clk_mgr->funcs->notify_wm_ranges) ++ if (dc->clk_mgr && dc->clk_mgr->funcs && dc->clk_mgr->funcs->notify_wm_ranges) + dc->clk_mgr->funcs->notify_wm_ranges(dc->clk_mgr); + + //if softmax is enabled then hardmax will be set by a different call +- if (dc->clk_mgr->funcs->set_hard_max_memclk && !dc->clk_mgr->dc_mode_softmax_enabled) ++ if (dc->clk_mgr && dc->clk_mgr->funcs && dc->clk_mgr->funcs->set_hard_max_memclk && ++ !dc->clk_mgr->dc_mode_softmax_enabled) + dc->clk_mgr->funcs->set_hard_max_memclk(dc->clk_mgr); + + if (dc->res_pool->hubbub->funcs->force_pstate_change_control) diff --git a/queue-6.6/drm-amd-display-add-null-check-for-clk_mgr-in-dcn32_init_hw.patch b/queue-6.6/drm-amd-display-add-null-check-for-clk_mgr-in-dcn32_init_hw.patch new file mode 100644 index 00000000000..4f8ffe2a1d9 --- /dev/null +++ b/queue-6.6/drm-amd-display-add-null-check-for-clk_mgr-in-dcn32_init_hw.patch @@ -0,0 +1,63 @@ +From c395fd47d1565bd67671f45cca281b3acc2c31ef Mon Sep 17 00:00:00 2001 +From: Srinivasan Shanmugam +Date: Mon, 22 Jul 2024 16:44:40 +0530 +Subject: drm/amd/display: Add NULL check for clk_mgr in dcn32_init_hw + +From: Srinivasan Shanmugam + +commit c395fd47d1565bd67671f45cca281b3acc2c31ef upstream. + +This commit addresses a potential null pointer dereference issue in the +`dcn32_init_hw` function. The issue could occur when `dc->clk_mgr` is +null. + +The fix adds a check to ensure `dc->clk_mgr` is not null before +accessing its functions. This prevents a potential null pointer +dereference. + +Reported by smatch: +drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn32/dcn32_hwseq.c:961 dcn32_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 782) + +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Cc: Hamza Mahfooz +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Alex Hung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +[Xiangyu: BP to fix CVE: CVE-2024-49915, modified the source path] +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hwseq.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hwseq.c +@@ -773,7 +773,7 @@ void dcn32_init_hw(struct dc *dc) + int edp_num; + uint32_t backlight = MAX_BACKLIGHT_LEVEL; + +- if (dc->clk_mgr && dc->clk_mgr->funcs->init_clocks) ++ if (dc->clk_mgr && dc->clk_mgr->funcs && dc->clk_mgr->funcs->init_clocks) + dc->clk_mgr->funcs->init_clocks(dc->clk_mgr); + + // Initialize the dccg +@@ -950,10 +950,11 @@ void dcn32_init_hw(struct dc *dc) + if (!dcb->funcs->is_accelerated_mode(dcb) && dc->res_pool->hubbub->funcs->init_watermarks) + dc->res_pool->hubbub->funcs->init_watermarks(dc->res_pool->hubbub); + +- if (dc->clk_mgr->funcs->notify_wm_ranges) ++ if (dc->clk_mgr && dc->clk_mgr->funcs && dc->clk_mgr->funcs->notify_wm_ranges) + dc->clk_mgr->funcs->notify_wm_ranges(dc->clk_mgr); + +- if (dc->clk_mgr->funcs->set_hard_max_memclk && !dc->clk_mgr->dc_mode_softmax_enabled) ++ if (dc->clk_mgr && dc->clk_mgr->funcs && dc->clk_mgr->funcs->set_hard_max_memclk && ++ !dc->clk_mgr->dc_mode_softmax_enabled) + dc->clk_mgr->funcs->set_hard_max_memclk(dc->clk_mgr); + + if (dc->res_pool->hubbub->funcs->force_pstate_change_control) diff --git a/queue-6.6/drm-amd-display-add-null-check-for-function-pointer-in-dcn20_set_output_transfer_func.patch b/queue-6.6/drm-amd-display-add-null-check-for-function-pointer-in-dcn20_set_output_transfer_func.patch new file mode 100644 index 00000000000..339b220065b --- /dev/null +++ b/queue-6.6/drm-amd-display-add-null-check-for-function-pointer-in-dcn20_set_output_transfer_func.patch @@ -0,0 +1,49 @@ +From 62ed6f0f198da04e884062264df308277628004f Mon Sep 17 00:00:00 2001 +From: Srinivasan Shanmugam +Date: Wed, 31 Jul 2024 13:09:28 +0530 +Subject: drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func + +From: Srinivasan Shanmugam + +commit 62ed6f0f198da04e884062264df308277628004f upstream. + +This commit adds a null check for the set_output_gamma function pointer +in the dcn20_set_output_transfer_func function. Previously, +set_output_gamma was being checked for null at line 1030, but then it +was being dereferenced without any null check at line 1048. This could +potentially lead to a null pointer dereference error if set_output_gamma +is null. + +To fix this, we now ensure that set_output_gamma is not null before +dereferencing it. We do this by adding a null check for set_output_gamma +before the call to set_output_gamma at line 1048. + +Cc: Tom Chung +Cc: Rodrigo Siqueira +Cc: Roman Li +Cc: Alex Hung +Cc: Aurabindo Pillai +Cc: Harry Wentland +Cc: Hamza Mahfooz +Signed-off-by: Srinivasan Shanmugam +Reviewed-by: Tom Chung +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +@@ -880,7 +880,8 @@ bool dcn20_set_output_transfer_func(stru + /* + * if above if is not executed then 'params' equal to 0 and set in bypass + */ +- mpc->funcs->set_output_gamma(mpc, mpcc_id, params); ++ if (mpc->funcs->set_output_gamma) ++ mpc->funcs->set_output_gamma(mpc, mpcc_id, params); + + return true; + } diff --git a/queue-6.6/drm-amd-display-add-null-pointer-check-for-kzalloc.patch b/queue-6.6/drm-amd-display-add-null-pointer-check-for-kzalloc.patch new file mode 100644 index 00000000000..2e21bf3aecc --- /dev/null +++ b/queue-6.6/drm-amd-display-add-null-pointer-check-for-kzalloc.patch @@ -0,0 +1,183 @@ +From 8e65a1b7118acf6af96449e1e66b7adbc9396912 Mon Sep 17 00:00:00 2001 +From: Hersen Wu +Date: Mon, 22 Apr 2024 12:27:34 -0400 +Subject: drm/amd/display: Add NULL pointer check for kzalloc + +From: Hersen Wu + +commit 8e65a1b7118acf6af96449e1e66b7adbc9396912 upstream. + +[Why & How] +Check return pointer of kzalloc before using it. + +Reviewed-by: Alex Hung +Acked-by: Wayne Lin +Signed-off-by: Hersen Wu +Signed-off-by: Alex Deucher +[ Resolve minor conflicts ] +Signed-off-by: Bin Lan +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c | 8 ++++++++ + drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c | 8 ++++++++ + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c | 3 +++ + drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 5 +++++ + drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c | 5 +++++ + drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c | 2 ++ + drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c | 2 ++ + drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 5 +++++ + drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c | 2 ++ + 9 files changed, 40 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c +@@ -560,11 +560,19 @@ void dcn3_clk_mgr_construct( + dce_clock_read_ss_info(clk_mgr); + + clk_mgr->base.bw_params = kzalloc(sizeof(*clk_mgr->base.bw_params), GFP_KERNEL); ++ if (!clk_mgr->base.bw_params) { ++ BREAK_TO_DEBUGGER(); ++ return; ++ } + + /* need physical address of table to give to PMFW */ + clk_mgr->wm_range_table = dm_helpers_allocate_gpu_mem(clk_mgr->base.ctx, + DC_MEM_ALLOC_TYPE_GART, sizeof(WatermarksExternal_t), + &clk_mgr->wm_range_table_addr); ++ if (!clk_mgr->wm_range_table) { ++ BREAK_TO_DEBUGGER(); ++ return; ++ } + } + + void dcn3_clk_mgr_destroy(struct clk_mgr_internal *clk_mgr) +--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c ++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c +@@ -1022,11 +1022,19 @@ void dcn32_clk_mgr_construct( + clk_mgr->smu_present = false; + + clk_mgr->base.bw_params = kzalloc(sizeof(*clk_mgr->base.bw_params), GFP_KERNEL); ++ if (!clk_mgr->base.bw_params) { ++ BREAK_TO_DEBUGGER(); ++ return; ++ } + + /* need physical address of table to give to PMFW */ + clk_mgr->wm_range_table = dm_helpers_allocate_gpu_mem(clk_mgr->base.ctx, + DC_MEM_ALLOC_TYPE_GART, sizeof(WatermarksExternal_t), + &clk_mgr->wm_range_table_addr); ++ if (!clk_mgr->wm_range_table) { ++ BREAK_TO_DEBUGGER(); ++ return; ++ } + } + + void dcn32_clk_mgr_destroy(struct clk_mgr_internal *clk_mgr) +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_resource.c +@@ -2045,6 +2045,9 @@ bool dcn30_validate_bandwidth(struct dc + + BW_VAL_TRACE_COUNT(); + ++ if (!pipes) ++ goto validate_fail; ++ + DC_FP_START(); + out = dcn30_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate, true); + DC_FP_END(); +--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c +@@ -1308,6 +1308,8 @@ static struct hpo_dp_link_encoder *dcn31 + + /* allocate HPO link encoder */ + hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); ++ if (!hpo_dp_enc31) ++ return NULL; /* out of memory */ + + hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, + &hpo_dp_link_enc_regs[inst], +@@ -1764,6 +1766,9 @@ bool dcn31_validate_bandwidth(struct dc + + BW_VAL_TRACE_COUNT(); + ++ if (!pipes) ++ goto validate_fail; ++ + DC_FP_START(); + out = dcn30_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate, true); + DC_FP_END(); +--- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c +@@ -1381,6 +1381,8 @@ static struct hpo_dp_link_encoder *dcn31 + + /* allocate HPO link encoder */ + hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); ++ if (!hpo_dp_enc31) ++ return NULL; /* out of memory */ + + hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, + &hpo_dp_link_enc_regs[inst], +@@ -1741,6 +1743,9 @@ bool dcn314_validate_bandwidth(struct dc + + BW_VAL_TRACE_COUNT(); + ++ if (!pipes) ++ goto validate_fail; ++ + if (filter_modes_for_single_channel_workaround(dc, context)) + goto validate_fail; + +--- a/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn315/dcn315_resource.c +@@ -1308,6 +1308,8 @@ static struct hpo_dp_link_encoder *dcn31 + + /* allocate HPO link encoder */ + hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); ++ if (!hpo_dp_enc31) ++ return NULL; /* out of memory */ + + hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, + &hpo_dp_link_enc_regs[inst], +--- a/drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn316/dcn316_resource.c +@@ -1305,6 +1305,8 @@ static struct hpo_dp_link_encoder *dcn31 + + /* allocate HPO link encoder */ + hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); ++ if (!hpo_dp_enc31) ++ return NULL; /* out of memory */ + + hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst, + &hpo_dp_link_enc_regs[inst], +--- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c +@@ -1299,6 +1299,8 @@ static struct hpo_dp_link_encoder *dcn32 + + /* allocate HPO link encoder */ + hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); ++ if (!hpo_dp_enc31) ++ return NULL; /* out of memory */ + + #undef REG_STRUCT + #define REG_STRUCT hpo_dp_link_enc_regs +@@ -1845,6 +1847,9 @@ bool dcn32_validate_bandwidth(struct dc + + BW_VAL_TRACE_COUNT(); + ++ if (!pipes) ++ goto validate_fail; ++ + DC_FP_START(); + out = dcn32_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate); + DC_FP_END(); +--- a/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn321/dcn321_resource.c +@@ -1285,6 +1285,8 @@ static struct hpo_dp_link_encoder *dcn32 + + /* allocate HPO link encoder */ + hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL); ++ if (!hpo_dp_enc31) ++ return NULL; /* out of memory */ + + #undef REG_STRUCT + #define REG_STRUCT hpo_dp_link_enc_regs diff --git a/queue-6.6/drm-amd-display-check-null-pointer-before-try-to-access-it.patch b/queue-6.6/drm-amd-display-check-null-pointer-before-try-to-access-it.patch new file mode 100644 index 00000000000..eb5728b321f --- /dev/null +++ b/queue-6.6/drm-amd-display-check-null-pointer-before-try-to-access-it.patch @@ -0,0 +1,48 @@ +From 1b686053c06ffb9f4524b288110cf2a831ff7a25 Mon Sep 17 00:00:00 2001 +From: Rodrigo Siqueira +Date: Tue, 30 Jul 2024 20:02:45 -0600 +Subject: drm/amd/display: Check null pointer before try to access it + +From: Rodrigo Siqueira + +commit 1b686053c06ffb9f4524b288110cf2a831ff7a25 upstream. + +[why & how] +Change the order of the pipe_ctx->plane_state check to ensure that +plane_state is not null before accessing it. + +Reviewed-by: Alex Hung +Signed-off-by: Rodrigo Siqueira +Signed-off-by: Tom Chung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +[Xiangyu: BP to fix CVE: CVE-2024-49906, modified the source path] +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hwseq.c +@@ -1741,13 +1741,17 @@ static void dcn20_program_pipe( + (pipe_ctx->plane_state && pipe_ctx->plane_state->update_flags.bits.hdr_mult)) + hws->funcs.set_hdr_multiplier(pipe_ctx); + +- if (pipe_ctx->update_flags.bits.enable || +- (pipe_ctx->plane_state && ++ if ((pipe_ctx->plane_state && pipe_ctx->plane_state->update_flags.bits.hdr_mult) || ++ pipe_ctx->update_flags.bits.enable) ++ hws->funcs.set_hdr_multiplier(pipe_ctx); ++ ++ if ((pipe_ctx->plane_state && + pipe_ctx->plane_state->update_flags.bits.in_transfer_func_change) || + (pipe_ctx->plane_state && + pipe_ctx->plane_state->update_flags.bits.gamma_change) || + (pipe_ctx->plane_state && +- pipe_ctx->plane_state->update_flags.bits.lut_3d)) ++ pipe_ctx->plane_state->update_flags.bits.lut_3d) || ++ pipe_ctx->update_flags.bits.enable) + hws->funcs.set_input_transfer_func(dc, pipe_ctx, pipe_ctx->plane_state); + + /* dcn10_translate_regamma_to_hw_format takes 750us to finish diff --git a/queue-6.6/drm-amd-display-check-phantom_stream-before-it-is-used.patch b/queue-6.6/drm-amd-display-check-phantom_stream-before-it-is-used.patch new file mode 100644 index 00000000000..796b5396575 --- /dev/null +++ b/queue-6.6/drm-amd-display-check-phantom_stream-before-it-is-used.patch @@ -0,0 +1,39 @@ +From 3718a619a8c0a53152e76bb6769b6c414e1e83f4 Mon Sep 17 00:00:00 2001 +From: Alex Hung +Date: Thu, 20 Jun 2024 20:23:41 -0600 +Subject: drm/amd/display: Check phantom_stream before it is used + +From: Alex Hung + +commit 3718a619a8c0a53152e76bb6769b6c414e1e83f4 upstream. + +dcn32_enable_phantom_stream can return null, so returned value +must be checked before used. + +This fixes 1 NULL_RETURNS issue reported by Coverity. + +Reviewed-by: Rodrigo Siqueira +Signed-off-by: Jerry Zuo +Signed-off-by: Alex Hung +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +[Xiangyu: BP to fix CVE: CVE-2024-49897, modified the source path] +Signed-off-by: Xiangyu Chen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn32/dcn32_resource.c +@@ -1786,6 +1786,9 @@ void dcn32_add_phantom_pipes(struct dc * + // be a valid candidate for SubVP (i.e. has a plane, stream, doesn't + // already have phantom pipe assigned, etc.) by previous checks. + phantom_stream = dcn32_enable_phantom_stream(dc, context, pipes, pipe_cnt, index); ++ if (!phantom_stream) ++ return; ++ + dcn32_enable_phantom_plane(dc, context, phantom_stream, index); + + for (i = 0; i < dc->res_pool->pipe_count; i++) { diff --git a/queue-6.6/perf-x86-intel-hide-topdown-metrics-events-if-the-feature-is-not-enumerated.patch b/queue-6.6/perf-x86-intel-hide-topdown-metrics-events-if-the-feature-is-not-enumerated.patch new file mode 100644 index 00000000000..06f9aaab86f --- /dev/null +++ b/queue-6.6/perf-x86-intel-hide-topdown-metrics-events-if-the-feature-is-not-enumerated.patch @@ -0,0 +1,95 @@ +From 556a7c039a52c21da33eaae9269984a1ef59189b Mon Sep 17 00:00:00 2001 +From: Kan Liang +Date: Mon, 8 Jul 2024 12:33:34 -0700 +Subject: perf/x86/intel: Hide Topdown metrics events if the feature is not enumerated + +From: Kan Liang + +commit 556a7c039a52c21da33eaae9269984a1ef59189b upstream. + +The below error is observed on Ice Lake VM. + +$ perf stat +Error: +The sys_perf_event_open() syscall returned with 22 (Invalid argument) +for event (slots). +/bin/dmesg | grep -i perf may provide additional information. + +In a virtualization env, the Topdown metrics and the slots event haven't +been supported yet. The guest CPUID doesn't enumerate them. However, the +current kernel unconditionally exposes the slots event and the Topdown +metrics events to sysfs, which misleads the perf tool and triggers the +error. + +Hide the perf-metrics topdown events and the slots event if the +perf-metrics feature is not enumerated. + +The big core of a hybrid platform can also supports the perf-metrics +feature. Fix the hybrid platform as well. + +Closes: https://lore.kernel.org/lkml/CAM9d7cj8z+ryyzUHR+P1Dcpot2jjW+Qcc4CPQpfafTXN=LEU0Q@mail.gmail.com/ +Reported-by: Dongli Zhang +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Dongli Zhang +Link: https://lkml.kernel.org/r/20240708193336.1192217-2-kan.liang@linux.intel.com +Signed-off-by: Hagar Hemdan +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 34 +++++++++++++++++++++++++++++++++- + 1 file changed, 33 insertions(+), 1 deletion(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -5559,8 +5559,22 @@ default_is_visible(struct kobject *kobj, + return attr->mode; + } + ++static umode_t ++td_is_visible(struct kobject *kobj, struct attribute *attr, int i) ++{ ++ /* ++ * Hide the perf metrics topdown events ++ * if the feature is not enumerated. ++ */ ++ if (x86_pmu.num_topdown_events) ++ return x86_pmu.intel_cap.perf_metrics ? attr->mode : 0; ++ ++ return attr->mode; ++} ++ + static struct attribute_group group_events_td = { + .name = "events", ++ .is_visible = td_is_visible, + }; + + static struct attribute_group group_events_mem = { +@@ -5762,9 +5776,27 @@ static umode_t hybrid_format_is_visible( + return (cpu >= 0) && (pmu->cpu_type & pmu_attr->pmu_type) ? attr->mode : 0; + } + ++static umode_t hybrid_td_is_visible(struct kobject *kobj, ++ struct attribute *attr, int i) ++{ ++ struct device *dev = kobj_to_dev(kobj); ++ struct x86_hybrid_pmu *pmu = ++ container_of(dev_get_drvdata(dev), struct x86_hybrid_pmu, pmu); ++ ++ if (!is_attr_for_this_pmu(kobj, attr)) ++ return 0; ++ ++ ++ /* Only the big core supports perf metrics */ ++ if (pmu->cpu_type == hybrid_big) ++ return pmu->intel_cap.perf_metrics ? attr->mode : 0; ++ ++ return attr->mode; ++} ++ + static struct attribute_group hybrid_group_events_td = { + .name = "events", +- .is_visible = hybrid_events_is_visible, ++ .is_visible = hybrid_td_is_visible, + }; + + static struct attribute_group hybrid_group_events_mem = { diff --git a/queue-6.6/series b/queue-6.6/series index 480b88bd699..ee82b17d511 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -460,3 +460,11 @@ alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch closures-change-bug_on-to-warn_on.patch dm-cache-fix-warnings-about-duplicate-slab-caches.patch +drm-amd-display-add-null-check-for-clk_mgr-and-clk_mgr-funcs-in-dcn30_init_hw.patch +drm-amd-display-add-null-check-for-clk_mgr-in-dcn32_init_hw.patch +drm-amd-display-check-null-pointer-before-try-to-access-it.patch +drm-amd-display-add-null-check-for-function-pointer-in-dcn20_set_output_transfer_func.patch +drm-amd-display-check-phantom_stream-before-it-is-used.patch +drm-amd-display-add-null-pointer-check-for-kzalloc.patch +dm-bufio-fix-warnings-about-duplicate-slab-caches.patch +perf-x86-intel-hide-topdown-metrics-events-if-the-feature-is-not-enumerated.patch -- 2.47.3