--- /dev/null
+From 1fe4850b34ab512ff911e2c035c75fb6438f7307 Mon Sep 17 00:00:00 2001
+From: Martin KaFai Lau <martin.lau@kernel.org>
+Date: Thu, 16 Feb 2023 16:41:48 -0800
+Subject: bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state
+
+From: Martin KaFai Lau <martin.lau@kernel.org>
+
+commit 1fe4850b34ab512ff911e2c035c75fb6438f7307 upstream.
+
+The bpf_fib_lookup() helper does not only look up the fib (ie. route)
+but it also looks up the neigh. Before returning the neigh, the helper
+does not check for NUD_VALID. When a neigh state (neigh->nud_state)
+is in NUD_FAILED, its dmac (neigh->ha) could be all zeros. The helper
+still returns SUCCESS instead of NO_NEIGH in this case. Because of the
+SUCCESS return value, the bpf prog directly uses the returned dmac
+and ends up filling all zero in the eth header.
+
+This patch checks for NUD_VALID and returns NO_NEIGH if the neigh is
+not valid.
+
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20230217004150.2980689-3-martin.lau@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/filter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -5816,7 +5816,7 @@ static int bpf_ipv4_fib_lookup(struct ne
+ neigh = __ipv6_neigh_lookup_noref_stub(dev, dst);
+ }
+
+- if (!neigh)
++ if (!neigh || !(neigh->nud_state & NUD_VALID))
+ return BPF_FIB_LKUP_RET_NO_NEIGH;
+
+ return bpf_fib_set_fwd_params(params, neigh, dev, mtu);
+@@ -5931,7 +5931,7 @@ static int bpf_ipv6_fib_lookup(struct ne
+ * not needed here.
+ */
+ neigh = __ipv6_neigh_lookup_noref_stub(dev, dst);
+- if (!neigh)
++ if (!neigh || !(neigh->nud_state & NUD_VALID))
+ return BPF_FIB_LKUP_RET_NO_NEIGH;
+
+ return bpf_fib_set_fwd_params(params, neigh, dev, mtu);
--- /dev/null
+From e383b12709e32d6494c948422070c2464b637e44 Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Date: Mon, 23 Jan 2023 14:59:28 -0500
+Subject: drm/amd/display: Move DCN314 DOMAIN power control to DMCUB
+
+From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+
+commit e383b12709e32d6494c948422070c2464b637e44 upstream.
+
+[Why]
+DOMAIN power gating control is now required to be done via firmware
+due to interlock with other power features. This is to avoid
+intermittent issues in the LB memories.
+
+[How]
+If the firmware supports the command then use the new firmware as
+the sequence can avoid potential display corruption issues.
+
+The command will be ignored on firmware that does not support DOMAIN
+power control and the pipes will remain always on - frequent PG cycling
+can cause the issue to occur on the old sequence, so we should avoid it.
+
+Reviewed-by: Hansen Dsouza <hansen.dsouza@amd.com>
+Acked-by: Qingqing Zhuo <qingqing.zhuo@amd.com>
+Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: "Limonciello, Mario" <Mario.Limonciello@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.c | 24 ++++++++++++++++++
+ drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.h | 2 +
+ drivers/gpu/drm/amd/display/dc/dcn314/dcn314_init.c | 2 -
+ drivers/gpu/drm/amd/display/dmub/inc/dmub_cmd.h | 25 +++++++++++++++++++
+ 4 files changed, 52 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.c
+@@ -391,3 +391,27 @@ void dcn314_set_pixels_per_cycle(struct
+ pipe_ctx->stream_res.stream_enc->funcs->set_input_mode(pipe_ctx->stream_res.stream_enc,
+ pix_per_cycle);
+ }
++
++void dcn314_hubp_pg_control(struct dce_hwseq *hws, unsigned int hubp_inst, bool power_on)
++{
++ struct dc_context *ctx = hws->ctx;
++ union dmub_rb_cmd cmd;
++
++ if (hws->ctx->dc->debug.disable_hubp_power_gate)
++ return;
++
++ PERF_TRACE();
++
++ memset(&cmd, 0, sizeof(cmd));
++ cmd.domain_control.header.type = DMUB_CMD__VBIOS;
++ cmd.domain_control.header.sub_type = DMUB_CMD__VBIOS_DOMAIN_CONTROL;
++ cmd.domain_control.header.payload_bytes = sizeof(cmd.domain_control.data);
++ cmd.domain_control.data.inst = hubp_inst;
++ cmd.domain_control.data.power_gate = !power_on;
++
++ dc_dmub_srv_cmd_queue(ctx->dmub_srv, &cmd);
++ dc_dmub_srv_cmd_execute(ctx->dmub_srv);
++ dc_dmub_srv_wait_idle(ctx->dmub_srv);
++
++ PERF_TRACE();
++}
+--- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.h
++++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.h
+@@ -41,4 +41,6 @@ unsigned int dcn314_calculate_dccg_k1_k2
+
+ void dcn314_set_pixels_per_cycle(struct pipe_ctx *pipe_ctx);
+
++void dcn314_hubp_pg_control(struct dce_hwseq *hws, unsigned int hubp_inst, bool power_on);
++
+ #endif /* __DC_HWSS_DCN314_H__ */
+--- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_init.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_init.c
+@@ -137,7 +137,7 @@ static const struct hwseq_private_funcs
+ .plane_atomic_disable = dcn20_plane_atomic_disable,
+ .plane_atomic_power_down = dcn10_plane_atomic_power_down,
+ .enable_power_gating_plane = dcn314_enable_power_gating_plane,
+- .hubp_pg_control = dcn31_hubp_pg_control,
++ .hubp_pg_control = dcn314_hubp_pg_control,
+ .program_all_writeback_pipes_in_tree = dcn30_program_all_writeback_pipes_in_tree,
+ .update_odm = dcn314_update_odm,
+ .dsc_pg_control = dcn314_dsc_pg_control,
+--- a/drivers/gpu/drm/amd/display/dmub/inc/dmub_cmd.h
++++ b/drivers/gpu/drm/amd/display/dmub/inc/dmub_cmd.h
+@@ -457,6 +457,10 @@ enum dmub_cmd_vbios_type {
+ * Query DP alt status on a transmitter.
+ */
+ DMUB_CMD__VBIOS_TRANSMITTER_QUERY_DP_ALT = 26,
++ /**
++ * Controls domain power gating
++ */
++ DMUB_CMD__VBIOS_DOMAIN_CONTROL = 28,
+ };
+
+ //==============================================================================
+@@ -1205,6 +1209,23 @@ struct dmub_rb_cmd_dig1_transmitter_cont
+ };
+
+ /**
++ * struct dmub_rb_cmd_domain_control_data - Data for DOMAIN power control
++ */
++struct dmub_rb_cmd_domain_control_data {
++ uint8_t inst : 6; /**< DOMAIN instance to control */
++ uint8_t power_gate : 1; /**< 1=power gate, 0=power up */
++ uint8_t reserved[3]; /**< Reserved for future use */
++};
++
++/**
++ * struct dmub_rb_cmd_domain_control - Controls DOMAIN power gating
++ */
++struct dmub_rb_cmd_domain_control {
++ struct dmub_cmd_header header; /**< header */
++ struct dmub_rb_cmd_domain_control_data data; /**< payload */
++};
++
++/**
+ * DPIA tunnel command parameters.
+ */
+ struct dmub_cmd_dig_dpia_control_data {
+@@ -3232,6 +3253,10 @@ union dmub_rb_cmd {
+ */
+ struct dmub_rb_cmd_dig1_transmitter_control dig1_transmitter_control;
+ /**
++ * Definition of a DMUB_CMD__VBIOS_DOMAIN_CONTROL command.
++ */
++ struct dmub_rb_cmd_domain_control domain_control;
++ /**
+ * Definition of a DMUB_CMD__PSR_SET_VERSION command.
+ */
+ struct dmub_rb_cmd_psr_set_version psr_set_version;
--- /dev/null
+From 0cf8307adbc6beb5ff3b8a76afedc6e4e0b536a9 Mon Sep 17 00:00:00 2001
+From: Stylon Wang <stylon.wang@amd.com>
+Date: Tue, 10 Jan 2023 14:38:33 +0800
+Subject: drm/amd/display: Properly reuse completion structure
+
+From: Stylon Wang <stylon.wang@amd.com>
+
+commit 0cf8307adbc6beb5ff3b8a76afedc6e4e0b536a9 upstream.
+
+[Why]
+Connecting displays to TBT3 docks often produces invalid
+replies for DPIA AUX requests. It turns out the completion
+structure was not re-initialized before reusing it, resulting
+in immature wake up to completion.
+
+[How]
+Properly call reinit_completion() on reused completion structure.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Solomon Chiu <solomon.chiu@amd.com>
+Acked-by: Alan Liu <HaoPing.Liu@amd.com>
+Signed-off-by: Stylon Wang <stylon.wang@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: "Limonciello, Mario" <mario.limonciello@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -10359,6 +10359,7 @@ int amdgpu_dm_process_dmub_aux_transfer_
+ ret = p_notify->aux_reply.length;
+ *operation_result = p_notify->result;
+ out:
++ reinit_completion(&adev->dm.dmub_aux_transfer_done);
+ mutex_unlock(&adev->dm.dpia_aux_lock);
+ return ret;
+ }
+@@ -10386,6 +10387,8 @@ int amdgpu_dm_process_dmub_set_config_sy
+ *operation_result = SET_CONFIG_UNKNOWN_ERROR;
+ }
+
++ if (!is_cmd_complete)
++ reinit_completion(&adev->dm.dmub_aux_transfer_done);
+ mutex_unlock(&adev->dm.dpia_aux_lock);
+ return ret;
+ }
alsa-hda-cs35l41-correct-error-condition-handling.patch
crypto-arm64-sm4-gcm-fix-possible-crash-in-gcm-cryption.patch
+bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch
+vc_screen-don-t-clobber-return-value-in-vcs_read.patch
+drm-amd-display-move-dcn314-domain-power-control-to-dmcub.patch
+drm-amd-display-properly-reuse-completion-structure.patch
--- /dev/null
+From ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>
+Date: Mon, 20 Feb 2023 06:46:12 +0000
+Subject: vc_screen: don't clobber return value in vcs_read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+commit ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e upstream.
+
+Commit 226fae124b2d ("vc_screen: move load of struct vc_data pointer in
+vcs_read() to avoid UAF") moved the call to vcs_vc() into the loop.
+
+While doing this it also moved the unconditional assignment of
+
+ ret = -ENXIO;
+
+This unconditional assignment was valid outside the loop but within it
+it clobbers the actual value of ret.
+
+To avoid this only assign "ret = -ENXIO" when actually needed.
+
+[ Also, the 'goto unlock_out" needs to be just a "break", so that it
+ does the right thing when it exits on later iterations when partial
+ success has happened - Linus ]
+
+Reported-by: Storm Dragon <stormdragon2976@gmail.com>
+Link: https://lore.kernel.org/lkml/Y%2FKS6vdql2pIsCiI@hotmail.com/
+Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF")
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lore.kernel.org/lkml/64981d94-d00c-4b31-9063-43ad0a384bde@t-8ch.de/
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vc_screen.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -403,10 +403,11 @@ vcs_read(struct file *file, char __user
+ unsigned int this_round, skip = 0;
+ int size;
+
+- ret = -ENXIO;
+ vc = vcs_vc(inode, &viewed);
+- if (!vc)
+- goto unlock_out;
++ if (!vc) {
++ ret = -ENXIO;
++ break;
++ }
+
+ /* Check whether we are above size each round,
+ * as copy_to_user at the end of this loop
projects / thirdparty / kernel / stable-queue.git / commitdiff
