From 2d7a9b60185a680c726dd988a75cb2aa9acb53c8 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 28 Feb 2023 19:45:00 +0100
Subject: [PATCH] 6.2-stable patches
added patches:
bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch
drm-amd-display-move-dcn314-domain-power-control-to-dmcub.patch
drm-amd-display-properly-reuse-completion-structure.patch
vc_screen-don-t-clobber-return-value-in-vcs_read.patch
---
 ...not-return-neigh-in-nud_failed-state.patch | 48 +++++++
 ...dcn314-domain-power-control-to-dmcub.patch | 134 ++++++++++++++++++
 ...-properly-reuse-completion-structure.patch | 49 +++++++
 queue-6.2/series | 4 +
 ...n-t-clobber-return-value-in-vcs_read.patch | 56 ++++++++
 5 files changed, 291 insertions(+)
 create mode 100644 queue-6.2/bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch
 create mode 100644 queue-6.2/drm-amd-display-move-dcn314-domain-power-control-to-dmcub.patch
 create mode 100644 queue-6.2/drm-amd-display-properly-reuse-completion-structure.patch
 create mode 100644 queue-6.2/vc_screen-don-t-clobber-return-value-in-vcs_read.patch
diff --git a/queue-6.2/bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch b/queue-6.2/bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch
new file mode 100644
index 00000000000..3b224858f8c
--- /dev/null
+++ b/queue-6.2/bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch
@@ -0,0 +1,48 @@
+From 1fe4850b34ab512ff911e2c035c75fb6438f7307 Mon Sep 17 00:00:00 2001
+From: Martin KaFai Lau
+Date: Thu, 16 Feb 2023 16:41:48 -0800
+Subject: bpf: bpf_fib_lookup should not return neigh in NUD_FAILED state
+
+From: Martin KaFai Lau
+
+commit 1fe4850b34ab512ff911e2c035c75fb6438f7307 upstream.
+
+The bpf_fib_lookup() helper does not only look up the fib (ie. route)
+but it also looks up the neigh. Before returning the neigh, the helper
+does not check for NUD_VALID. When a neigh state (neigh->nud_state)
+is in NUD_FAILED, its dmac (neigh->ha) could be all zeros. The helper
+still returns SUCCESS instead of NO_NEIGH in this case. Because of the
+SUCCESS return value, the bpf prog directly uses the returned dmac
+and ends up filling all zero in the eth header.
+
+This patch checks for NUD_VALID and returns NO_NEIGH if the neigh is
+not valid.
+
+Signed-off-by: Martin KaFai Lau
+Signed-off-by: Daniel Borkmann
+Link: https://lore.kernel.org/bpf/20230217004150.2980689-3-martin.lau@linux.dev
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/filter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -5816,7 +5816,7 @@ static int bpf_ipv4_fib_lookup(struct ne
+ neigh = __ipv6_neigh_lookup_noref_stub(dev, dst);
+ }
+
+- if (!neigh)
++ if (!neigh || !(neigh->nud_state & NUD_VALID))
+ return BPF_FIB_LKUP_RET_NO_NEIGH;
+
+ return bpf_fib_set_fwd_params(params, neigh, dev, mtu);
+@@ -5931,7 +5931,7 @@ static int bpf_ipv6_fib_lookup(struct ne
+ * not needed here.
+ */
+ neigh = __ipv6_neigh_lookup_noref_stub(dev, dst);
+- if (!neigh)
++ if (!neigh || !(neigh->nud_state & NUD_VALID))
+ return BPF_FIB_LKUP_RET_NO_NEIGH;
+
+ return bpf_fib_set_fwd_params(params, neigh, dev, mtu);
diff --git a/queue-6.2/drm-amd-display-move-dcn314-domain-power-control-to-dmcub.patch b/queue-6.2/drm-amd-display-move-dcn314-domain-power-control-to-dmcub.patch
new file mode 100644
index 00000000000..41bd68d462e
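Review bot: The new `neigh->nud_state & NUD_VALID` test in bpf_ipv4_fib_lookup(), and the identical one in bpf_ipv6_fib_lookup(), reads nud_state with a plain load, and nothing in either hunk shows the neighbour lock being taken. If these lookups are lockless, as the `_noref` lookup helper suggests, the neighbour state machine can rewrite the field while it is being tested. I would annotate the access, `if (!neigh || !(READ_ONCE(neigh->nud_state) & NUD_VALID))`, so that it is a single marked load. Both functions begin and end outside the hunks, so the locking context should be confirmed against the full bodies.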
--- /dev/null
+++ b/queue-6.2/drm-amd-display-move-dcn314-domain-power-control-to-dmcub.patch
@@ -0,0 +1,134 @@
+From e383b12709e32d6494c948422070c2464b637e44 Mon Sep 17 00:00:00 2001
+From: Nicholas Kazlauskas
+Date: Mon, 23 Jan 2023 14:59:28 -0500
+Subject: drm/amd/display: Move DCN314 DOMAIN power control to DMCUB
+
+From: Nicholas Kazlauskas
+
+commit e383b12709e32d6494c948422070c2464b637e44 upstream.
+
+[Why]
+DOMAIN power gating control is now required to be done via firmware
+due to interlock with other power features. This is to avoid
+intermittent issues in the LB memories.
+
+[How]
+If the firmware supports the command then use the new firmware as
+the sequence can avoid potential display corruption issues.
+
+The command will be ignored on firmware that does not support DOMAIN
+power control and the pipes will remain always on - frequent PG cycling
+can cause the issue to occur on the old sequence, so we should avoid it.
+
+Reviewed-by: Hansen Dsouza
+Acked-by: Qingqing Zhuo
+Signed-off-by: Nicholas Kazlauskas
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Cc: "Limonciello, Mario"
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.c | 24 ++++++++++++++++++
+ drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.h | 2 +
+ drivers/gpu/drm/amd/display/dc/dcn314/dcn314_init.c | 2 -
+ drivers/gpu/drm/amd/display/dmub/inc/dmub_cmd.h | 25 +++++++++++++++++++
+ 4 files changed, 52 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.c
+@@ -391,3 +391,27 @@ void dcn314_set_pixels_per_cycle(struct
+ pipe_ctx->stream_res.stream_enc->funcs->set_input_mode(pipe_ctx->stream_res.stream_enc,
+ pix_per_cycle);
+ }
++
++void dcn314_hubp_pg_control(struct dce_hwseq *hws, unsigned int hubp_inst, bool power_on)
++{
++ struct dc_context *ctx = hws->ctx;
++ union dmub_rb_cmd cmd;
++
++ if (hws->ctx->dc->debug.disable_hubp_power_gate)
++ return;
++
++ PERF_TRACE();
++
++ memset(&cmd, 0, sizeof(cmd));
++ cmd.domain_control.header.type = DMUB_CMD__VBIOS;
++ cmd.domain_control.header.sub_type = DMUB_CMD__VBIOS_DOMAIN_CONTROL;
++ cmd.domain_control.header.payload_bytes = sizeof(cmd.domain_control.data);
++ cmd.domain_control.data.inst = hubp_inst;
++ cmd.domain_control.data.power_gate = !power_on;
++
++ dc_dmub_srv_cmd_queue(ctx->dmub_srv, &cmd);
++ dc_dmub_srv_cmd_execute(ctx->dmub_srv);
++ dc_dmub_srv_wait_idle(ctx->dmub_srv);
++
++ PERF_TRACE();
++}
+--- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.h
++++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_hwseq.h
+@@ -41,4 +41,6 @@ unsigned int dcn314_calculate_dccg_k1_k2
+
+ void dcn314_set_pixels_per_cycle(struct pipe_ctx *pipe_ctx);
+
++void dcn314_hubp_pg_control(struct dce_hwseq *hws, unsigned int hubp_inst, bool power_on);
++
+ #endif /* __DC_HWSS_DCN314_H__ */
+--- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_init.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_init.c
+@@ -137,7 +137,7 @@ static const struct hwseq_private_funcs
+ .plane_atomic_disable = dcn20_plane_atomic_disable,
+ .plane_atomic_power_down = dcn10_plane_atomic_power_down,
+ .enable_power_gating_plane = dcn314_enable_power_gating_plane,
+- .hubp_pg_control = dcn31_hubp_pg_control,
++ .hubp_pg_control = dcn314_hubp_pg_control,
+ .program_all_writeback_pipes_in_tree = dcn30_program_all_writeback_pipes_in_tree,
+ .update_odm = dcn314_update_odm,
+ .dsc_pg_control = dcn314_dsc_pg_control,
+--- a/drivers/gpu/drm/amd/display/dmub/inc/dmub_cmd.h
++++ b/drivers/gpu/drm/amd/display/dmub/inc/dmub_cmd.h
+@@ -457,6 +457,10 @@ enum dmub_cmd_vbios_type {
+ * Query DP alt status on a transmitter.
+ */
+ DMUB_CMD__VBIOS_TRANSMITTER_QUERY_DP_ALT = 26,
++ /**
++ * Controls domain power gating
++ */
++ DMUB_CMD__VBIOS_DOMAIN_CONTROL = 28,
+ };
+
+ //==============================================================================
+@@ -1205,6 +1209,23 @@ struct dmub_rb_cmd_dig1_transmitter_cont
+ };
+
+ /**
++ * struct dmub_rb_cmd_domain_control_data - Data for DOMAIN power control
++ */
++struct dmub_rb_cmd_domain_control_data {
++ uint8_t inst : 6; /**< DOMAIN instance to control */
++ uint8_t power_gate : 1; /**< 1=power gate, 0=power up */
++ uint8_t reserved[3]; /**< Reserved for future use */
++};
++
++/**
++ * struct dmub_rb_cmd_domain_control - Controls DOMAIN power gating
++ */
++struct dmub_rb_cmd_domain_control {
++ struct dmub_cmd_header header; /**< header */
++ struct dmub_rb_cmd_domain_control_data data; /**< payload */
++};
++
++/**
+ * DPIA tunnel command parameters.
+ */
+ struct dmub_cmd_dig_dpia_control_data {
+@@ -3232,6 +3253,10 @@ union dmub_rb_cmd {
+ */
+ struct dmub_rb_cmd_dig1_transmitter_control dig1_transmitter_control;
+ /**
++ * Definition of a DMUB_CMD__VBIOS_DOMAIN_CONTROL command.
++ */
++ struct dmub_rb_cmd_domain_control domain_control;
++ /**
+ * Definition of a DMUB_CMD__PSR_SET_VERSION command.
+ */
+ struct dmub_rb_cmd_psr_set_version psr_set_version;
diff --git a/queue-6.2/drm-amd-display-properly-reuse-completion-structure.patch b/queue-6.2/drm-amd-display-properly-reuse-completion-structure.patch
new file mode 100644
index 00000000000..00fde2e86ff
--- /dev/null
+++ b/queue-6.2/drm-amd-display-properly-reuse-completion-structure.patch
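Review bot: `cmd.domain_control.data.inst = hubp_inst;` in dcn314_hubp_pg_control() stores an `unsigned int` into the 6-bit `inst` bitfield declared in dmub_cmd.h, so an instance number above 63 is silently truncated and the firmware would be asked to gate a different domain. A bounds check before the command is built, for example `if (WARN_ON(hubp_inst > 0x3f)) return;`, would make that failure visible. The function also lacks a comment recording what the commit message says, namely that firmware without DOMAIN control support ignores the command and the pipe stays powered. A kernel-doc block stating that, and that the call blocks in dc_dmub_srv_wait_idle(), would help callers that assume the power state has actually changed on return.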
@@ -0,0 +1,49 @@
+From 0cf8307adbc6beb5ff3b8a76afedc6e4e0b536a9 Mon Sep 17 00:00:00 2001
+From: Stylon Wang
+Date: Tue, 10 Jan 2023 14:38:33 +0800
+Subject: drm/amd/display: Properly reuse completion structure
+
+From: Stylon Wang
+
+commit 0cf8307adbc6beb5ff3b8a76afedc6e4e0b536a9 upstream.
+
+[Why]
+Connecting displays to TBT3 docks often produces invalid
+replies for DPIA AUX requests. It turns out the completion
+structure was not re-initialized before reusing it, resulting
+in immature wake up to completion.
+
+[How]
+Properly call reinit_completion() on reused completion structure.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Solomon Chiu
+Acked-by: Alan Liu
+Signed-off-by: Stylon Wang
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+Cc: "Limonciello, Mario"
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -10359,6 +10359,7 @@ int amdgpu_dm_process_dmub_aux_transfer_
+ ret = p_notify->aux_reply.length;
+ *operation_result = p_notify->result;
+ out:
++ reinit_completion(&adev->dm.dmub_aux_transfer_done);
+ mutex_unlock(&adev->dm.dpia_aux_lock);
+ return ret;
+ }
+@@ -10386,6 +10387,8 @@ int amdgpu_dm_process_dmub_set_config_sy
+ *operation_result = SET_CONFIG_UNKNOWN_ERROR;
+ }
+
++ if (!is_cmd_complete)
++ reinit_completion(&adev->dm.dmub_aux_transfer_done);
+ mutex_unlock(&adev->dm.dpia_aux_lock);
+ return ret;
+ }
diff --git a/queue-6.2/series b/queue-6.2/series
index fafae31a339..fb60cb5b5c1 100644
--- a/queue-6.2/series
+++ b/queue-6.2/series
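Review bot: Re-arming the completion on the exit path (`reinit_completion()` after `out:` in the AUX transfer function, and under `if (!is_cmd_complete)` in the SET_CONFIG one) leaves a stale signal in place if the wait timed out and the firmware reply arrives after `mutex_unlock()`. That late `complete()` would presumably be consumed by the next request, which would then wake at once and read an old reply. Calling `reinit_completion(&adev->dm.dmub_aux_transfer_done);` directly after `dpia_aux_lock` is taken and before the command is submitted would discard anything signalled between requests. The submit and wait code of both functions lies outside the hunks, so this needs confirming against the full bodies.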
@@ -1,2 +1,6 @@
 alsa-hda-cs35l41-correct-error-condition-handling.patch
 crypto-arm64-sm4-gcm-fix-possible-crash-in-gcm-cryption.patch
+bpf-bpf_fib_lookup-should-not-return-neigh-in-nud_failed-state.patch
+vc_screen-don-t-clobber-return-value-in-vcs_read.patch
+drm-amd-display-move-dcn314-domain-power-control-to-dmcub.patch
+drm-amd-display-properly-reuse-completion-structure.patch
diff --git a/queue-6.2/vc_screen-don-t-clobber-return-value-in-vcs_read.patch b/queue-6.2/vc_screen-don-t-clobber-return-value-in-vcs_read.patch
new file mode 100644
index 00000000000..00449a24a07
--- /dev/null
+++ b/queue-6.2/vc_screen-don-t-clobber-return-value-in-vcs_read.patch
@@ -0,0 +1,56 @@
+From ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?=
+Date: Mon, 20 Feb 2023 06:46:12 +0000
+Subject: vc_screen: don't clobber return value in vcs_read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh
+
+commit ae3419fbac845b4d3f3a9fae4cc80c68d82cdf6e upstream.
+
+Commit 226fae124b2d ("vc_screen: move load of struct vc_data pointer in
+vcs_read() to avoid UAF") moved the call to vcs_vc() into the loop.
+
+While doing this it also moved the unconditional assignment of
+
+ ret = -ENXIO;
+
+This unconditional assignment was valid outside the loop but within it
+it clobbers the actual value of ret.
+
+To avoid this only assign "ret = -ENXIO" when actually needed.
+
+[ Also, the 'goto unlock_out" needs to be just a "break", so that it
+ does the right thing when it exits on later iterations when partial
+ success has happened - Linus ]
+
+Reported-by: Storm Dragon
+Link: https://lore.kernel.org/lkml/Y%2FKS6vdql2pIsCiI@hotmail.com/
+Fixes: 226fae124b2d ("vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF")
+Signed-off-by: Thomas Weißschuh
+Link: https://lore.kernel.org/lkml/64981d94-d00c-4b31-9063-43ad0a384bde@t-8ch.de/
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/vt/vc_screen.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/vt/vc_screen.c
++++ b/drivers/tty/vt/vc_screen.c
+@@ -403,10 +403,11 @@ vcs_read(struct file *file, char __user
+ unsigned int this_round, skip = 0;
+ int size;
+
+- ret = -ENXIO;
+ vc = vcs_vc(inode, &viewed);
+- if (!vc)
+- goto unlock_out;
++ if (!vc) {
++ ret = -ENXIO;
++ break;
++ }
+
+ /* Check whether we are above size each round,
+ * as copy_to_user at the end of this loop
--
2.39.5
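Review bot: The new `if (!vc) { ret = -ENXIO; break; }` branch sets an error code even when earlier iterations have already copied data, so the value vcs_read() finally returns depends on code after the loop, which is outside this hunk. Presumably that code replaces `ret` with the byte count when anything was read. A short comment on the branch would record the dependency, for example `/* vc is gone: stop here; -ENXIO is reported only if nothing was read yet */`. It is also worth confirming that the path after the loop still performs the cleanup that `unlock_out` did, since this branch no longer jumps there directly.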