From e480eabae232b92ff44ce63678280373713920a4 Mon Sep 17 00:00:00 2001
From: Lukas Wunner <lukas@wunner.de>
Date: Thu, 18 May 2017 21:33:44 +0200
Subject: [PATCH 1/4] drm/radeon: Fix oops upon driver load on PowerXpress
 laptops

Nicolai Stange reports the following oops which is caused by
dereferencing rdev->pdev before it's subsequently set by
radeon_device_init().  Fix it.

  BUG: unable to handle kernel NULL pointer dereference at 00000000000007cb
  IP: radeon_driver_load_kms+0xeb/0x230 [radeon]
  ...
  Call Trace:
   drm_dev_register+0x146/0x1d0 [drm]
   drm_get_pci_dev+0x9a/0x180 [drm]
   radeon_pci_probe+0xb8/0xe0 [radeon]
   local_pci_probe+0x45/0xa0
   pci_device_probe+0x14f/0x1a0
   driver_probe_device+0x29c/0x450
   __driver_attach+0xdf/0xf0
   ? driver_probe_device+0x450/0x450
   bus_for_each_dev+0x6c/0xc0
   driver_attach+0x1e/0x20
   bus_add_driver+0x170/0x270
   driver_register+0x60/0xe0
   ? 0xffffffffc0508000
   __pci_register_driver+0x4c/0x50
   drm_pci_init+0xeb/0x100 [drm]
   ? vga_switcheroo_register_handler+0x6a/0x90
   ? 0xffffffffc0508000
   radeon_init+0x98/0xb6 [radeon]
   do_one_initcall+0x52/0x1a0
   ? __vunmap+0x81/0xb0
   ? kmem_cache_alloc_trace+0x159/0x1b0
   ? do_init_module+0x27/0x1f8
   do_init_module+0x5f/0x1f8
   load_module+0x27ce/0x2be0
   SYSC_finit_module+0xdf/0x110
   ? SYSC_finit_module+0xdf/0x110
   SyS_finit_module+0xe/0x10
   do_syscall_64+0x67/0x150
   entry_SYSCALL64_slow_path+0x25/0x25

Fixes: 7ffb0ce31cf9 ("drm/radeon: Don't register Thunderbolt eGPU with vga_switcheroo")
Reported-and-tested-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Link: http://patchwork.freedesktop.org/patch/msgid/cfb91ba052af06117137eec0637543a2626a7979.1495135190.git.lukas@wunner.de
---
 drivers/gpu/drm/radeon/radeon_kms.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
index e3e7cb1d10a2..4761f27f2ca2 100644
--- a/drivers/gpu/drm/radeon/radeon_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_kms.c
@@ -116,7 +116,7 @@ int radeon_driver_load_kms(struct drm_device *dev, unsigned long flags)
 	if ((radeon_runtime_pm != 0) &&
 	    radeon_has_atpx() &&
 	    ((flags & RADEON_IS_IGP) == 0) &&
-	    !pci_is_thunderbolt_attached(rdev->pdev))
+	    !pci_is_thunderbolt_attached(dev->pdev))
 		flags |= RADEON_IS_PX;
 
 	/* radeon_device_init should report only fatal error

From 429030bc944ee9a8bbe5d9bb23dcda0ae2205450 Mon Sep 17 00:00:00 2001
From: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
Date: Fri, 19 May 2017 14:58:19 -0300
Subject: [PATCH 2/4] drm: qxl: Delay entering atomic context during cursor
 update

qxl_release_map will enter an atomic context, but since we still need to
alloc memory for BOs, we better delay that until we have everything we
need, in case we need to sleep inside the allocation.  This avoids the
Sleep in atomic state below, which was reported by Mike.

 [   43.910362] BUG: sleeping function called from invalid context at mm/slab.h:432
 [   43.910955] in_atomic(): 1, irqs_disabled(): 0, pid: 2077, name: Xorg
 [   43.911472] Preemption disabled at:
 [   43.911478] [<ffffffffa02b1c45>] qxl_bo_kmap_atomic_page+0xa5/0x100 [qxl]
 [   43.912103] CPU: 0 PID: 2077 Comm: Xorg Tainted: G            E   4.12.0-master #38
 [ 43.912550] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
 rel-1.8.1-0-g4adadbd-20161202_174313-build11a 04/01/2014
 [   43.913202] Call Trace:
 [   43.913371]  dump_stack+0x65/0x89
 [   43.913581]  ? qxl_bo_kmap_atomic_page+0xa5/0x100 [qxl]
 [   43.913876]  ___might_sleep+0x11a/0x190
 [   43.914095]  __might_sleep+0x4a/0x80
 [   43.914319]  ? qxl_bo_create+0x50/0x190 [qxl]
 [   43.914565]  kmem_cache_alloc_trace+0x46/0x180
 [   43.914836]  qxl_bo_create+0x50/0x190 [qxl]
 [   43.915082]  ? refcount_dec_and_test+0x11/0x20
 [   43.915332]  ? ttm_mem_io_reserve+0x41/0xe0 [ttm]
 [   43.915595]  qxl_alloc_bo_reserved+0x37/0xb0 [qxl]
 [   43.915884]  qxl_cursor_atomic_update+0x8f/0x260 [qxl]
 [   43.916172]  ? drm_atomic_helper_update_legacy_modeset_state+0x1d6/0x210 [drm_kms_helper]
 [   43.916623]  drm_atomic_helper_commit_planes+0xec/0x230 [drm_kms_helper]
 [   43.916995]  drm_atomic_helper_commit_tail+0x2b/0x60 [drm_kms_helper]
 [   43.917398]  commit_tail+0x65/0x70 [drm_kms_helper]
 [   43.917693]  drm_atomic_helper_commit+0xa9/0x100 [drm_kms_helper]
 [   43.918039]  drm_atomic_commit+0x4b/0x50 [drm]
 [   43.918334]  drm_atomic_helper_update_plane+0xf1/0x110 [drm_kms_helper]
 [   43.918902]  __setplane_internal+0x19f/0x280 [drm]
 [   43.919240]  drm_mode_cursor_universal+0x101/0x1c0 [drm]
 [   43.919541]  drm_mode_cursor_common+0x15b/0x1d0 [drm]
 [   43.919858]  drm_mode_cursor2_ioctl+0xe/0x10 [drm]
 [   43.920157]  drm_ioctl+0x211/0x460 [drm]
 [   43.920383]  ? drm_mode_cursor_ioctl+0x50/0x50 [drm]
 [   43.920664]  ? handle_mm_fault+0x93/0x160
 [   43.920893]  do_vfs_ioctl+0x96/0x6e0
 [   43.921117]  ? __fget+0x73/0xa0
 [   43.921322]  SyS_ioctl+0x41/0x70
 [   43.921545]  entry_SYSCALL_64_fastpath+0x1a/0xa5
 [   43.922188] RIP: 0033:0x7f1145804bc7
 [   43.922526] RSP: 002b:00007ffcd3e50508 EFLAGS: 00003246 ORIG_RAX: 0000000000000010
 [   43.923367] RAX: ffffffffffffffda RBX: 0000000000000040 RCX: 00007f1145804bc7
 [   43.923852] RDX: 00007ffcd3e50540 RSI: 00000000c02464bb RDI: 000000000000000b
 [   43.924299] RBP: 0000000000000040 R08: 0000000000000040 R09: 000000000000000c
 [   43.924694] R10: 00007ffcd3e50340 R11: 0000000000003246 R12: 0000000000000018
 [   43.925128] R13: 00000000022bc390 R14: 0000000000000040 R15: 00007ffcd3e5062c

Reported-by: Mike Galbraith <efault@gmx.de>
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
Link: http://patchwork.freedesktop.org/patch/msgid/20170519175819.15682-1-krisman@collabora.co.uk
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 drivers/gpu/drm/qxl/qxl_display.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c
index 058340a002c2..4a340efd8ba6 100644
--- a/drivers/gpu/drm/qxl/qxl_display.c
+++ b/drivers/gpu/drm/qxl/qxl_display.c
@@ -575,8 +575,6 @@ static void qxl_cursor_atomic_update(struct drm_plane *plane,
 	if (ret)
 		return;
 
-	cmd = (struct qxl_cursor_cmd *) qxl_release_map(qdev, release);
-
 	if (fb != old_state->fb) {
 		obj = to_qxl_framebuffer(fb)->obj;
 		user_bo = gem_to_qxl_bo(obj);
@@ -614,6 +612,7 @@ static void qxl_cursor_atomic_update(struct drm_plane *plane,
 		qxl_bo_kunmap(cursor_bo);
 		qxl_bo_kunmap(user_bo);
 
+		cmd = (struct qxl_cursor_cmd *) qxl_release_map(qdev, release);
 		cmd->u.set.visible = 1;
 		cmd->u.set.shape = qxl_bo_physical_address(qdev,
 							   cursor_bo, 0);
@@ -624,6 +623,7 @@ static void qxl_cursor_atomic_update(struct drm_plane *plane,
 		if (ret)
 			goto out_free_release;
 
+		cmd = (struct qxl_cursor_cmd *) qxl_release_map(qdev, release);
 		cmd->type = QXL_CURSOR_MOVE;
 	}
 

From f928543404bdf6bb4e8d6a6c3ced5edebd0d6f38 Mon Sep 17 00:00:00 2001
From: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Mon, 22 May 2017 15:59:45 +0200
Subject: [PATCH 3/4] drm: Fix deadlock retry loop in page_flip_ioctl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I failed to properly onion-wrap the unwind code: We acquire the vblank
reference before we start with the wait-wound locking dance, hence we
must make sure we retry before we drop the reference. Oops.

v2: The vblank_put must be after the frambuffer_put (Michel). I suck at
unwrapping code that doesn't use separate labels for each stage, but
checks each pointer first ... While re-reading everything I also
realized that we must clean up the fb refcounts, and specifically
plane->old_fb before we drop the locks, either in the final unlocking,
or in the w/w retry path. Hence the correct fix is to drop the
vblank_put to the very bottom.

Fixes: 29dc0d1de182 ("drm: Roll out acquire context for the page_flip ioctl")
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Daniel Vetter <daniel.vetter@intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: David Airlie <airlied@linux.ie>
Cc: dri-devel@lists.freedesktop.org
Reported-by: Tommi Rantala <tt.rantala@gmail.com>
Cc: Tommi Rantala <tt.rantala@gmail.com>
Cc: Michel Dänzer <michel@daenzer.net>
Tested-by: Tommi Rantala <tt.rantala@gmail.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170522135945.28831-1-daniel.vetter@ffwll.ch
---
 drivers/gpu/drm/drm_plane.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_plane.c b/drivers/gpu/drm/drm_plane.c
index fedd4d60d9cd..5dc8c4350602 100644
--- a/drivers/gpu/drm/drm_plane.c
+++ b/drivers/gpu/drm/drm_plane.c
@@ -948,8 +948,6 @@ retry:
 	}
 
 out:
-	if (ret && crtc->funcs->page_flip_target)
-		drm_crtc_vblank_put(crtc);
 	if (fb)
 		drm_framebuffer_put(fb);
 	if (crtc->primary->old_fb)
@@ -964,5 +962,8 @@ out:
 	drm_modeset_drop_locks(&ctx);
 	drm_modeset_acquire_fini(&ctx);
 
+	if (ret && crtc->funcs->page_flip_target)
+		drm_crtc_vblank_put(crtc);
+
 	return ret;
 }

From 82bc9a42cf854fdf63155759c0aa790bd1f361b0 Mon Sep 17 00:00:00 2001
From: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Date: Tue, 18 Apr 2017 13:43:32 +0200
Subject: [PATCH 4/4] drm/gma500/psb: Actually use VBT mode when it is found

With LVDS we were incorrectly picking the pre-programmed mode instead of
the prefered mode provided by VBT. Make sure we pick the VBT mode if
one is provided. It is likely that the mode read-out code is still wrong
but this patch fixes the immediate problem on most machines.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=78562
Cc: <stable@vger.kernel.org>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170418114332.12183-1-patrik.r.jakobsson@gmail.com
---
 drivers/gpu/drm/gma500/psb_intel_lvds.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/drivers/gpu/drm/gma500/psb_intel_lvds.c b/drivers/gpu/drm/gma500/psb_intel_lvds.c
index 0066fe7e622e..be3eefec5152 100644
--- a/drivers/gpu/drm/gma500/psb_intel_lvds.c
+++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c
@@ -759,20 +759,23 @@ void psb_intel_lvds_init(struct drm_device *dev,
 		if (scan->type & DRM_MODE_TYPE_PREFERRED) {
 			mode_dev->panel_fixed_mode =
 			    drm_mode_duplicate(dev, scan);
+			DRM_DEBUG_KMS("Using mode from DDC\n");
 			goto out;	/* FIXME: check for quirks */
 		}
 	}
 
 	/* Failed to get EDID, what about VBT? do we need this? */
-	if (mode_dev->vbt_mode)
+	if (dev_priv->lfp_lvds_vbt_mode) {
 		mode_dev->panel_fixed_mode =
-		    drm_mode_duplicate(dev, mode_dev->vbt_mode);
+			drm_mode_duplicate(dev, dev_priv->lfp_lvds_vbt_mode);
 
-	if (!mode_dev->panel_fixed_mode)
-		if (dev_priv->lfp_lvds_vbt_mode)
-			mode_dev->panel_fixed_mode =
-				drm_mode_duplicate(dev,
-					dev_priv->lfp_lvds_vbt_mode);
+		if (mode_dev->panel_fixed_mode) {
+			mode_dev->panel_fixed_mode->type |=
+				DRM_MODE_TYPE_PREFERRED;
+			DRM_DEBUG_KMS("Using mode from VBT\n");
+			goto out;
+		}
+	}
 
 	/*
 	 * If we didn't get EDID, try checking if the panel is already turned
@@ -789,6 +792,7 @@ void psb_intel_lvds_init(struct drm_device *dev,
 		if (mode_dev->panel_fixed_mode) {
 			mode_dev->panel_fixed_mode->type |=
 			    DRM_MODE_TYPE_PREFERRED;
+			DRM_DEBUG_KMS("Using pre-programmed mode\n");
 			goto out;	/* FIXME: check for quirks */
 		}
 	}