--- /dev/null
+From c66c2f00dd847dc9963a0836fbc38a9f166c3ec6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Dec 2023 21:34:34 +0200
+Subject: drm/i915: Fix intel_atomic_setup_scalers() plane_state handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+[ Upstream commit c3070f080f9ba18dea92eaa21730f7ab85b5c8f4 ]
+
+Since the plane_state variable is declared outside the scaler_users
+loop in intel_atomic_setup_scalers(), and it's never reset back to
+NULL inside the loop we may end up calling intel_atomic_setup_scaler()
+with a non-NULL plane state for the pipe scaling case. That is bad
+because intel_atomic_setup_scaler() determines whether we are doing
+plane scaling or pipe scaling based on plane_state!=NULL. The end
+result is that we may miscalculate the scaler mode for pipe scaling.
+
+The hardware becomes somewhat upset if we end up in this situation
+when scanning out a planar format on a SDR plane. We end up
+programming the pipe scaler into planar mode as well, and the
+result is a screenfull of garbage.
+
+Fix the situation by making sure we pass the correct plane_state==NULL
+when calculating the scaler mode for pipe scaling.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231207193441.20206-2-ville.syrjala@linux.intel.com
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit e81144106e21271c619f0c722a09e27ccb8c043d)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/skl_scaler.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/display/skl_scaler.c b/drivers/gpu/drm/i915/display/skl_scaler.c
+index a9cc5cfad0bd2..e55df2f05cbd5 100644
+--- a/drivers/gpu/drm/i915/display/skl_scaler.c
++++ b/drivers/gpu/drm/i915/display/skl_scaler.c
+@@ -450,7 +450,6 @@ int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv,
+ {
+ struct drm_plane *plane = NULL;
+ struct intel_plane *intel_plane;
+- struct intel_plane_state *plane_state = NULL;
+ struct intel_crtc_scaler_state *scaler_state =
+ &crtc_state->scaler_state;
+ struct drm_atomic_state *drm_state = crtc_state->uapi.state;
+@@ -482,6 +481,7 @@ int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv,
+
+ /* walkthrough scaler_users bits and start assigning scalers */
+ for (i = 0; i < sizeof(scaler_state->scaler_users) * 8; i++) {
++ struct intel_plane_state *plane_state = NULL;
+ int *scaler_id;
+ const char *name;
+ int idx, ret;
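Review bot: The per-iteration `plane_state` declaration added here carries the whole fix, yet nothing on the line says why it has to live inside the loop, so a later cleanup could hoist it back to function scope. I would put a comment above it such as `/* must start as NULL each iteration: intel_atomic_setup_scaler() treats non-NULL as plane scaling */`. `plane` and `intel_plane` in the first hunk are still declared at function scope and carry over between iterations in the same way; judging from the copy of the loop elsewhere in this series they look to be reassigned before every use, so that seems harmless today, but narrowing them as well would keep the pattern consistent. The loop body continues outside this hunk.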
+--
+2.43.0
+
--- /dev/null
+From d7cb4271fcdbe28aaf0bd6143eb347292ce5c92d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Dec 2022 15:05:08 +0200
+Subject: drm/i915/mtl: limit second scaler vertical scaling in ver >= 14
+
+From: Luca Coelho <luciano.coelho@intel.com>
+
+[ Upstream commit 8d4312e2b228ba7a5ac79154458098274ec61e9b ]
+
+In newer hardware versions (i.e. display version >= 14), the second
+scaler doesn't support vertical scaling.
+
+The current implementation of the scaling limits is simplified and
+only occurs when the planes are created, so we don't know which scaler
+is being used.
+
+In order to handle separate scaling limits for horizontal and vertical
+scaling, and different limits per scaler, split the checks in two
+phases. We first do a simple check during plane creation and use the
+best-case scenario (because we don't know the scaler that may be used
+at a later point) and then do a more specific check when the scalers
+are actually being set up.
+
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Reviewed-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
+Signed-off-by: Radhakrishna Sripada <radhakrishna.sripada@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20221223130509.43245-2-luciano.coelho@intel.com
+Stable-dep-of: c3070f080f9b ("drm/i915: Fix intel_atomic_setup_scalers() plane_state handling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_atomic.c | 85 ++++++++++++++++++---
+ 1 file changed, 75 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_atomic.c b/drivers/gpu/drm/i915/display/intel_atomic.c
+index b4e7ac51aa31d..4b4514ce6d88b 100644
+--- a/drivers/gpu/drm/i915/display/intel_atomic.c
++++ b/drivers/gpu/drm/i915/display/intel_atomic.c
+@@ -40,6 +40,7 @@
+ #include "intel_global_state.h"
+ #include "intel_hdcp.h"
+ #include "intel_psr.h"
++#include "intel_fb.h"
+ #include "skl_universal_plane.h"
+
+ /**
+@@ -310,11 +311,11 @@ intel_crtc_destroy_state(struct drm_crtc *crtc,
+ kfree(crtc_state);
+ }
+
+-static void intel_atomic_setup_scaler(struct intel_crtc_scaler_state *scaler_state,
+- int num_scalers_need, struct intel_crtc *intel_crtc,
+- const char *name, int idx,
+- struct intel_plane_state *plane_state,
+- int *scaler_id)
++static int intel_atomic_setup_scaler(struct intel_crtc_scaler_state *scaler_state,
++ int num_scalers_need, struct intel_crtc *intel_crtc,
++ const char *name, int idx,
++ struct intel_plane_state *plane_state,
++ int *scaler_id)
+ {
+ struct drm_i915_private *dev_priv = to_i915(intel_crtc->base.dev);
+ int j;
+@@ -334,7 +335,7 @@ static void intel_atomic_setup_scaler(struct intel_crtc_scaler_state *scaler_sta
+
+ if (drm_WARN(&dev_priv->drm, *scaler_id < 0,
+ "Cannot find scaler for %s:%d\n", name, idx))
+- return;
++ return -EINVAL;
+
+ /* set scaler mode */
+ if (plane_state && plane_state->hw.fb &&
+@@ -375,9 +376,71 @@ static void intel_atomic_setup_scaler(struct intel_crtc_scaler_state *scaler_sta
+ mode = SKL_PS_SCALER_MODE_DYN;
+ }
+
++ /*
++ * FIXME: we should also check the scaler factors for pfit, so
++ * this shouldn't be tied directly to planes.
++ */
++ if (plane_state && plane_state->hw.fb) {
++ const struct drm_framebuffer *fb = plane_state->hw.fb;
++ const struct drm_rect *src = &plane_state->uapi.src;
++ const struct drm_rect *dst = &plane_state->uapi.dst;
++ int hscale, vscale, max_vscale, max_hscale;
++
++ /*
++ * FIXME: When two scalers are needed, but only one of
++ * them needs to downscale, we should make sure that
++ * the one that needs downscaling support is assigned
++ * as the first scaler, so we don't reject downscaling
++ * unnecessarily.
++ */
++
++ if (DISPLAY_VER(dev_priv) >= 14) {
++ /*
++ * On versions 14 and up, only the first
++ * scaler supports a vertical scaling factor
++ * of more than 1.0, while a horizontal
++ * scaling factor of 3.0 is supported.
++ */
++ max_hscale = 0x30000 - 1;
++ if (*scaler_id == 0)
++ max_vscale = 0x30000 - 1;
++ else
++ max_vscale = 0x10000;
++
++ } else if (DISPLAY_VER(dev_priv) >= 10 ||
++ !intel_format_info_is_yuv_semiplanar(fb->format, fb->modifier)) {
++ max_hscale = 0x30000 - 1;
++ max_vscale = 0x30000 - 1;
++ } else {
++ max_hscale = 0x20000 - 1;
++ max_vscale = 0x20000 - 1;
++ }
++
++ /*
++ * FIXME: We should change the if-else block above to
++ * support HQ vs dynamic scaler properly.
++ */
++
++ /* Check if required scaling is within limits */
++ hscale = drm_rect_calc_hscale(src, dst, 1, max_hscale);
++ vscale = drm_rect_calc_vscale(src, dst, 1, max_vscale);
++
++ if (hscale < 0 || vscale < 0) {
++ drm_dbg_kms(&dev_priv->drm,
++ "Scaler %d doesn't support required plane scaling\n",
++ *scaler_id);
++ drm_rect_debug_print("src: ", src, true);
++ drm_rect_debug_print("dst: ", dst, false);
++
++ return -EINVAL;
++ }
++ }
++
+ drm_dbg_kms(&dev_priv->drm, "Attached scaler id %u.%u to %s:%d\n",
+ intel_crtc->pipe, *scaler_id, name, idx);
+ scaler_state->scalers[*scaler_id].mode = mode;
++
++ return 0;
+ }
+
+ /**
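Review bot: The comment in the `DISPLAY_VER(dev_priv) >= 14` branch says a horizontal scaling factor of 3.0 is supported, but the limit written is `0x30000 - 1`, which is just under 3.0, while the second-scaler vertical limit `0x10000` is exactly 1.0 and inclusive. The literals appear to be 16.16 fixed-point values as consumed by `drm_rect_calc_hscale()` and `drm_rect_calc_vscale()`, which nothing in the block states. I would reword the comment to `only the first scaler supports vertical scaling above 1.0; horizontal scaling below 3.0 is supported (limits are 16.16 fixed point)` so that the mixed exclusive and inclusive bounds are not later mistaken for an off-by-one. The function starts before this hunk.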
+@@ -437,7 +500,7 @@ int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv,
+ for (i = 0; i < sizeof(scaler_state->scaler_users) * 8; i++) {
+ int *scaler_id;
+ const char *name;
+- int idx;
++ int idx, ret;
+
+ /* skip if scaler not required */
+ if (!(scaler_state->scaler_users & (1 << i)))
+@@ -494,9 +557,11 @@ int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv,
+ scaler_id = &plane_state->scaler_id;
+ }
+
+- intel_atomic_setup_scaler(scaler_state, num_scalers_need,
+- intel_crtc, name, idx,
+- plane_state, scaler_id);
++ ret = intel_atomic_setup_scaler(scaler_state, num_scalers_need,
++ intel_crtc, name, idx,
++ plane_state, scaler_id);
++ if (ret < 0)
++ return ret;
+ }
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 496588cb28dbb467f357c1b55ca0182fd264ab1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Apr 2023 20:55:16 +0300
+Subject: drm/i915: Relocate intel_atomic_setup_scalers()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+[ Upstream commit 8976b18249407df8bf6ea18ecae0640a15341a50 ]
+
+Move intel_atomic_setup_scalers() next to the other scaler
+code in skl_scaler.c.
+
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230418175528.13117-4-ville.syrjala@linux.intel.com
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Stable-dep-of: c3070f080f9b ("drm/i915: Fix intel_atomic_setup_scalers() plane_state handling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/display/intel_atomic.c | 256 -------------------
+ drivers/gpu/drm/i915/display/intel_atomic.h | 4 -
+ drivers/gpu/drm/i915/display/skl_scaler.c | 257 ++++++++++++++++++++
+ drivers/gpu/drm/i915/display/skl_scaler.h | 10 +-
+ 4 files changed, 265 insertions(+), 262 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/display/intel_atomic.c b/drivers/gpu/drm/i915/display/intel_atomic.c
+index 4b4514ce6d88b..655c039a9c8f3 100644
+--- a/drivers/gpu/drm/i915/display/intel_atomic.c
++++ b/drivers/gpu/drm/i915/display/intel_atomic.c
+@@ -311,262 +311,6 @@ intel_crtc_destroy_state(struct drm_crtc *crtc,
+ kfree(crtc_state);
+ }
+
+-static int intel_atomic_setup_scaler(struct intel_crtc_scaler_state *scaler_state,
+- int num_scalers_need, struct intel_crtc *intel_crtc,
+- const char *name, int idx,
+- struct intel_plane_state *plane_state,
+- int *scaler_id)
+-{
+- struct drm_i915_private *dev_priv = to_i915(intel_crtc->base.dev);
+- int j;
+- u32 mode;
+-
+- if (*scaler_id < 0) {
+- /* find a free scaler */
+- for (j = 0; j < intel_crtc->num_scalers; j++) {
+- if (scaler_state->scalers[j].in_use)
+- continue;
+-
+- *scaler_id = j;
+- scaler_state->scalers[*scaler_id].in_use = 1;
+- break;
+- }
+- }
+-
+- if (drm_WARN(&dev_priv->drm, *scaler_id < 0,
+- "Cannot find scaler for %s:%d\n", name, idx))
+- return -EINVAL;
+-
+- /* set scaler mode */
+- if (plane_state && plane_state->hw.fb &&
+- plane_state->hw.fb->format->is_yuv &&
+- plane_state->hw.fb->format->num_planes > 1) {
+- struct intel_plane *plane = to_intel_plane(plane_state->uapi.plane);
+- if (DISPLAY_VER(dev_priv) == 9) {
+- mode = SKL_PS_SCALER_MODE_NV12;
+- } else if (icl_is_hdr_plane(dev_priv, plane->id)) {
+- /*
+- * On gen11+'s HDR planes we only use the scaler for
+- * scaling. They have a dedicated chroma upsampler, so
+- * we don't need the scaler to upsample the UV plane.
+- */
+- mode = PS_SCALER_MODE_NORMAL;
+- } else {
+- struct intel_plane *linked =
+- plane_state->planar_linked_plane;
+-
+- mode = PS_SCALER_MODE_PLANAR;
+-
+- if (linked)
+- mode |= PS_PLANE_Y_SEL(linked->id);
+- }
+- } else if (DISPLAY_VER(dev_priv) >= 10) {
+- mode = PS_SCALER_MODE_NORMAL;
+- } else if (num_scalers_need == 1 && intel_crtc->num_scalers > 1) {
+- /*
+- * when only 1 scaler is in use on a pipe with 2 scalers
+- * scaler 0 operates in high quality (HQ) mode.
+- * In this case use scaler 0 to take advantage of HQ mode
+- */
+- scaler_state->scalers[*scaler_id].in_use = 0;
+- *scaler_id = 0;
+- scaler_state->scalers[0].in_use = 1;
+- mode = SKL_PS_SCALER_MODE_HQ;
+- } else {
+- mode = SKL_PS_SCALER_MODE_DYN;
+- }
+-
+- /*
+- * FIXME: we should also check the scaler factors for pfit, so
+- * this shouldn't be tied directly to planes.
+- */
+- if (plane_state && plane_state->hw.fb) {
+- const struct drm_framebuffer *fb = plane_state->hw.fb;
+- const struct drm_rect *src = &plane_state->uapi.src;
+- const struct drm_rect *dst = &plane_state->uapi.dst;
+- int hscale, vscale, max_vscale, max_hscale;
+-
+- /*
+- * FIXME: When two scalers are needed, but only one of
+- * them needs to downscale, we should make sure that
+- * the one that needs downscaling support is assigned
+- * as the first scaler, so we don't reject downscaling
+- * unnecessarily.
+- */
+-
+- if (DISPLAY_VER(dev_priv) >= 14) {
+- /*
+- * On versions 14 and up, only the first
+- * scaler supports a vertical scaling factor
+- * of more than 1.0, while a horizontal
+- * scaling factor of 3.0 is supported.
+- */
+- max_hscale = 0x30000 - 1;
+- if (*scaler_id == 0)
+- max_vscale = 0x30000 - 1;
+- else
+- max_vscale = 0x10000;
+-
+- } else if (DISPLAY_VER(dev_priv) >= 10 ||
+- !intel_format_info_is_yuv_semiplanar(fb->format, fb->modifier)) {
+- max_hscale = 0x30000 - 1;
+- max_vscale = 0x30000 - 1;
+- } else {
+- max_hscale = 0x20000 - 1;
+- max_vscale = 0x20000 - 1;
+- }
+-
+- /*
+- * FIXME: We should change the if-else block above to
+- * support HQ vs dynamic scaler properly.
+- */
+-
+- /* Check if required scaling is within limits */
+- hscale = drm_rect_calc_hscale(src, dst, 1, max_hscale);
+- vscale = drm_rect_calc_vscale(src, dst, 1, max_vscale);
+-
+- if (hscale < 0 || vscale < 0) {
+- drm_dbg_kms(&dev_priv->drm,
+- "Scaler %d doesn't support required plane scaling\n",
+- *scaler_id);
+- drm_rect_debug_print("src: ", src, true);
+- drm_rect_debug_print("dst: ", dst, false);
+-
+- return -EINVAL;
+- }
+- }
+-
+- drm_dbg_kms(&dev_priv->drm, "Attached scaler id %u.%u to %s:%d\n",
+- intel_crtc->pipe, *scaler_id, name, idx);
+- scaler_state->scalers[*scaler_id].mode = mode;
+-
+- return 0;
+-}
+-
+-/**
+- * intel_atomic_setup_scalers() - setup scalers for crtc per staged requests
+- * @dev_priv: i915 device
+- * @intel_crtc: intel crtc
+- * @crtc_state: incoming crtc_state to validate and setup scalers
+- *
+- * This function sets up scalers based on staged scaling requests for
+- * a @crtc and its planes. It is called from crtc level check path. If request
+- * is a supportable request, it attaches scalers to requested planes and crtc.
+- *
+- * This function takes into account the current scaler(s) in use by any planes
+- * not being part of this atomic state
+- *
+- * Returns:
+- * 0 - scalers were setup succesfully
+- * error code - otherwise
+- */
+-int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv,
+- struct intel_crtc *intel_crtc,
+- struct intel_crtc_state *crtc_state)
+-{
+- struct drm_plane *plane = NULL;
+- struct intel_plane *intel_plane;
+- struct intel_plane_state *plane_state = NULL;
+- struct intel_crtc_scaler_state *scaler_state =
+- &crtc_state->scaler_state;
+- struct drm_atomic_state *drm_state = crtc_state->uapi.state;
+- struct intel_atomic_state *intel_state = to_intel_atomic_state(drm_state);
+- int num_scalers_need;
+- int i;
+-
+- num_scalers_need = hweight32(scaler_state->scaler_users);
+-
+- /*
+- * High level flow:
+- * - staged scaler requests are already in scaler_state->scaler_users
+- * - check whether staged scaling requests can be supported
+- * - add planes using scalers that aren't in current transaction
+- * - assign scalers to requested users
+- * - as part of plane commit, scalers will be committed
+- * (i.e., either attached or detached) to respective planes in hw
+- * - as part of crtc_commit, scaler will be either attached or detached
+- * to crtc in hw
+- */
+-
+- /* fail if required scalers > available scalers */
+- if (num_scalers_need > intel_crtc->num_scalers){
+- drm_dbg_kms(&dev_priv->drm,
+- "Too many scaling requests %d > %d\n",
+- num_scalers_need, intel_crtc->num_scalers);
+- return -EINVAL;
+- }
+-
+- /* walkthrough scaler_users bits and start assigning scalers */
+- for (i = 0; i < sizeof(scaler_state->scaler_users) * 8; i++) {
+- int *scaler_id;
+- const char *name;
+- int idx, ret;
+-
+- /* skip if scaler not required */
+- if (!(scaler_state->scaler_users & (1 << i)))
+- continue;
+-
+- if (i == SKL_CRTC_INDEX) {
+- name = "CRTC";
+- idx = intel_crtc->base.base.id;
+-
+- /* panel fitter case: assign as a crtc scaler */
+- scaler_id = &scaler_state->scaler_id;
+- } else {
+- name = "PLANE";
+-
+- /* plane scaler case: assign as a plane scaler */
+- /* find the plane that set the bit as scaler_user */
+- plane = drm_state->planes[i].ptr;
+-
+- /*
+- * to enable/disable hq mode, add planes that are using scaler
+- * into this transaction
+- */
+- if (!plane) {
+- struct drm_plane_state *state;
+-
+- /*
+- * GLK+ scalers don't have a HQ mode so it
+- * isn't necessary to change between HQ and dyn mode
+- * on those platforms.
+- */
+- if (DISPLAY_VER(dev_priv) >= 10)
+- continue;
+-
+- plane = drm_plane_from_index(&dev_priv->drm, i);
+- state = drm_atomic_get_plane_state(drm_state, plane);
+- if (IS_ERR(state)) {
+- drm_dbg_kms(&dev_priv->drm,
+- "Failed to add [PLANE:%d] to drm_state\n",
+- plane->base.id);
+- return PTR_ERR(state);
+- }
+- }
+-
+- intel_plane = to_intel_plane(plane);
+- idx = plane->base.id;
+-
+- /* plane on different crtc cannot be a scaler user of this crtc */
+- if (drm_WARN_ON(&dev_priv->drm,
+- intel_plane->pipe != intel_crtc->pipe))
+- continue;
+-
+- plane_state = intel_atomic_get_new_plane_state(intel_state,
+- intel_plane);
+- scaler_id = &plane_state->scaler_id;
+- }
+-
+- ret = intel_atomic_setup_scaler(scaler_state, num_scalers_need,
+- intel_crtc, name, idx,
+- plane_state, scaler_id);
+- if (ret < 0)
+- return ret;
+- }
+-
+- return 0;
+-}
+-
+ struct drm_atomic_state *
+ intel_atomic_state_alloc(struct drm_device *dev)
+ {
+diff --git a/drivers/gpu/drm/i915/display/intel_atomic.h b/drivers/gpu/drm/i915/display/intel_atomic.h
+index d2700c74c9dac..509deb75f6985 100644
+--- a/drivers/gpu/drm/i915/display/intel_atomic.h
++++ b/drivers/gpu/drm/i915/display/intel_atomic.h
+@@ -54,8 +54,4 @@ struct intel_crtc_state *
+ intel_atomic_get_crtc_state(struct drm_atomic_state *state,
+ struct intel_crtc *crtc);
+
+-int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv,
+- struct intel_crtc *intel_crtc,
+- struct intel_crtc_state *crtc_state);
+-
+ #endif /* __INTEL_ATOMIC_H__ */
+diff --git a/drivers/gpu/drm/i915/display/skl_scaler.c b/drivers/gpu/drm/i915/display/skl_scaler.c
+index 37eabeff8197f..a9cc5cfad0bd2 100644
+--- a/drivers/gpu/drm/i915/display/skl_scaler.c
++++ b/drivers/gpu/drm/i915/display/skl_scaler.c
+@@ -294,6 +294,263 @@ int skl_update_scaler_plane(struct intel_crtc_state *crtc_state,
+ return 0;
+ }
+
++static int intel_atomic_setup_scaler(struct intel_crtc_scaler_state *scaler_state,
++ int num_scalers_need, struct intel_crtc *intel_crtc,
++ const char *name, int idx,
++ struct intel_plane_state *plane_state,
++ int *scaler_id)
++{
++ struct drm_i915_private *dev_priv = to_i915(intel_crtc->base.dev);
++ int j;
++ u32 mode;
++
++ if (*scaler_id < 0) {
++ /* find a free scaler */
++ for (j = 0; j < intel_crtc->num_scalers; j++) {
++ if (scaler_state->scalers[j].in_use)
++ continue;
++
++ *scaler_id = j;
++ scaler_state->scalers[*scaler_id].in_use = 1;
++ break;
++ }
++ }
++
++ if (drm_WARN(&dev_priv->drm, *scaler_id < 0,
++ "Cannot find scaler for %s:%d\n", name, idx))
++ return -EINVAL;
++
++ /* set scaler mode */
++ if (plane_state && plane_state->hw.fb &&
++ plane_state->hw.fb->format->is_yuv &&
++ plane_state->hw.fb->format->num_planes > 1) {
++ struct intel_plane *plane = to_intel_plane(plane_state->uapi.plane);
++
++ if (DISPLAY_VER(dev_priv) == 9) {
++ mode = SKL_PS_SCALER_MODE_NV12;
++ } else if (icl_is_hdr_plane(dev_priv, plane->id)) {
++ /*
++ * On gen11+'s HDR planes we only use the scaler for
++ * scaling. They have a dedicated chroma upsampler, so
++ * we don't need the scaler to upsample the UV plane.
++ */
++ mode = PS_SCALER_MODE_NORMAL;
++ } else {
++ struct intel_plane *linked =
++ plane_state->planar_linked_plane;
++
++ mode = PS_SCALER_MODE_PLANAR;
++
++ if (linked)
++ mode |= PS_PLANE_Y_SEL(linked->id);
++ }
++ } else if (DISPLAY_VER(dev_priv) >= 10) {
++ mode = PS_SCALER_MODE_NORMAL;
++ } else if (num_scalers_need == 1 && intel_crtc->num_scalers > 1) {
++ /*
++ * when only 1 scaler is in use on a pipe with 2 scalers
++ * scaler 0 operates in high quality (HQ) mode.
++ * In this case use scaler 0 to take advantage of HQ mode
++ */
++ scaler_state->scalers[*scaler_id].in_use = 0;
++ *scaler_id = 0;
++ scaler_state->scalers[0].in_use = 1;
++ mode = SKL_PS_SCALER_MODE_HQ;
++ } else {
++ mode = SKL_PS_SCALER_MODE_DYN;
++ }
++
++ /*
++ * FIXME: we should also check the scaler factors for pfit, so
++ * this shouldn't be tied directly to planes.
++ */
++ if (plane_state && plane_state->hw.fb) {
++ const struct drm_framebuffer *fb = plane_state->hw.fb;
++ const struct drm_rect *src = &plane_state->uapi.src;
++ const struct drm_rect *dst = &plane_state->uapi.dst;
++ int hscale, vscale, max_vscale, max_hscale;
++
++ /*
++ * FIXME: When two scalers are needed, but only one of
++ * them needs to downscale, we should make sure that
++ * the one that needs downscaling support is assigned
++ * as the first scaler, so we don't reject downscaling
++ * unnecessarily.
++ */
++
++ if (DISPLAY_VER(dev_priv) >= 14) {
++ /*
++ * On versions 14 and up, only the first
++ * scaler supports a vertical scaling factor
++ * of more than 1.0, while a horizontal
++ * scaling factor of 3.0 is supported.
++ */
++ max_hscale = 0x30000 - 1;
++ if (*scaler_id == 0)
++ max_vscale = 0x30000 - 1;
++ else
++ max_vscale = 0x10000;
++
++ } else if (DISPLAY_VER(dev_priv) >= 10 ||
++ !intel_format_info_is_yuv_semiplanar(fb->format, fb->modifier)) {
++ max_hscale = 0x30000 - 1;
++ max_vscale = 0x30000 - 1;
++ } else {
++ max_hscale = 0x20000 - 1;
++ max_vscale = 0x20000 - 1;
++ }
++
++ /*
++ * FIXME: We should change the if-else block above to
++ * support HQ vs dynamic scaler properly.
++ */
++
++ /* Check if required scaling is within limits */
++ hscale = drm_rect_calc_hscale(src, dst, 1, max_hscale);
++ vscale = drm_rect_calc_vscale(src, dst, 1, max_vscale);
++
++ if (hscale < 0 || vscale < 0) {
++ drm_dbg_kms(&dev_priv->drm,
++ "Scaler %d doesn't support required plane scaling\n",
++ *scaler_id);
++ drm_rect_debug_print("src: ", src, true);
++ drm_rect_debug_print("dst: ", dst, false);
++
++ return -EINVAL;
++ }
++ }
++
++ drm_dbg_kms(&dev_priv->drm, "Attached scaler id %u.%u to %s:%d\n",
++ intel_crtc->pipe, *scaler_id, name, idx);
++ scaler_state->scalers[*scaler_id].mode = mode;
++
++ return 0;
++}
++
++/**
++ * intel_atomic_setup_scalers() - setup scalers for crtc per staged requests
++ * @dev_priv: i915 device
++ * @intel_crtc: intel crtc
++ * @crtc_state: incoming crtc_state to validate and setup scalers
++ *
++ * This function sets up scalers based on staged scaling requests for
++ * a @crtc and its planes. It is called from crtc level check path. If request
++ * is a supportable request, it attaches scalers to requested planes and crtc.
++ *
++ * This function takes into account the current scaler(s) in use by any planes
++ * not being part of this atomic state
++ *
++ * Returns:
++ * 0 - scalers were setup successfully
++ * error code - otherwise
++ */
++int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv,
++ struct intel_crtc *intel_crtc,
++ struct intel_crtc_state *crtc_state)
++{
++ struct drm_plane *plane = NULL;
++ struct intel_plane *intel_plane;
++ struct intel_plane_state *plane_state = NULL;
++ struct intel_crtc_scaler_state *scaler_state =
++ &crtc_state->scaler_state;
++ struct drm_atomic_state *drm_state = crtc_state->uapi.state;
++ struct intel_atomic_state *intel_state = to_intel_atomic_state(drm_state);
++ int num_scalers_need;
++ int i;
++
++ num_scalers_need = hweight32(scaler_state->scaler_users);
++
++ /*
++ * High level flow:
++ * - staged scaler requests are already in scaler_state->scaler_users
++ * - check whether staged scaling requests can be supported
++ * - add planes using scalers that aren't in current transaction
++ * - assign scalers to requested users
++ * - as part of plane commit, scalers will be committed
++ * (i.e., either attached or detached) to respective planes in hw
++ * - as part of crtc_commit, scaler will be either attached or detached
++ * to crtc in hw
++ */
++
++ /* fail if required scalers > available scalers */
++ if (num_scalers_need > intel_crtc->num_scalers) {
++ drm_dbg_kms(&dev_priv->drm,
++ "Too many scaling requests %d > %d\n",
++ num_scalers_need, intel_crtc->num_scalers);
++ return -EINVAL;
++ }
++
++ /* walkthrough scaler_users bits and start assigning scalers */
++ for (i = 0; i < sizeof(scaler_state->scaler_users) * 8; i++) {
++ int *scaler_id;
++ const char *name;
++ int idx, ret;
++
++ /* skip if scaler not required */
++ if (!(scaler_state->scaler_users & (1 << i)))
++ continue;
++
++ if (i == SKL_CRTC_INDEX) {
++ name = "CRTC";
++ idx = intel_crtc->base.base.id;
++
++ /* panel fitter case: assign as a crtc scaler */
++ scaler_id = &scaler_state->scaler_id;
++ } else {
++ name = "PLANE";
++
++ /* plane scaler case: assign as a plane scaler */
++ /* find the plane that set the bit as scaler_user */
++ plane = drm_state->planes[i].ptr;
++
++ /*
++ * to enable/disable hq mode, add planes that are using scaler
++ * into this transaction
++ */
++ if (!plane) {
++ struct drm_plane_state *state;
++
++ /*
++ * GLK+ scalers don't have a HQ mode so it
++ * isn't necessary to change between HQ and dyn mode
++ * on those platforms.
++ */
++ if (DISPLAY_VER(dev_priv) >= 10)
++ continue;
++
++ plane = drm_plane_from_index(&dev_priv->drm, i);
++ state = drm_atomic_get_plane_state(drm_state, plane);
++ if (IS_ERR(state)) {
++ drm_dbg_kms(&dev_priv->drm,
++ "Failed to add [PLANE:%d] to drm_state\n",
++ plane->base.id);
++ return PTR_ERR(state);
++ }
++ }
++
++ intel_plane = to_intel_plane(plane);
++ idx = plane->base.id;
++
++ /* plane on different crtc cannot be a scaler user of this crtc */
++ if (drm_WARN_ON(&dev_priv->drm,
++ intel_plane->pipe != intel_crtc->pipe))
++ continue;
++
++ plane_state = intel_atomic_get_new_plane_state(intel_state,
++ intel_plane);
++ scaler_id = &plane_state->scaler_id;
++ }
++
++ ret = intel_atomic_setup_scaler(scaler_state, num_scalers_need,
++ intel_crtc, name, idx,
++ plane_state, scaler_id);
++ if (ret < 0)
++ return ret;
++ }
++
++ return 0;
++}
++
+ static int glk_coef_tap(int i)
+ {
+ return i % 7;
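Review bot: In the relocated `intel_atomic_setup_scalers()` loop, the test `scaler_state->scaler_users & (1 << i)` shifts a signed `int` while `i` runs up to `sizeof(scaler_state->scaler_users) * 8 - 1`. If `scaler_users` is 32 bits wide, as the `hweight32()` call suggests, the last iteration shifts into the sign bit, which ISO C leaves undefined. Writing the mask as `BIT(i)` or `1U << i` avoids that. The loop also compares `int i` with a `size_t` bound, so declaring `i` as `unsigned int` would remove the mixed-sign comparison.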
+diff --git a/drivers/gpu/drm/i915/display/skl_scaler.h b/drivers/gpu/drm/i915/display/skl_scaler.h
+index 0097d5d08e102..f040f6ac061f2 100644
+--- a/drivers/gpu/drm/i915/display/skl_scaler.h
++++ b/drivers/gpu/drm/i915/display/skl_scaler.h
+@@ -8,17 +8,22 @@
+ #include <linux/types.h>
+
+ enum drm_scaling_filter;
++enum pipe;
+ struct drm_i915_private;
++struct intel_crtc;
+ struct intel_crtc_state;
+-struct intel_plane_state;
+ struct intel_plane;
+-enum pipe;
++struct intel_plane_state;
+
+ int skl_update_scaler_crtc(struct intel_crtc_state *crtc_state);
+
+ int skl_update_scaler_plane(struct intel_crtc_state *crtc_state,
+ struct intel_plane_state *plane_state);
+
++int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv,
++ struct intel_crtc *intel_crtc,
++ struct intel_crtc_state *crtc_state);
++
+ void skl_pfit_enable(const struct intel_crtc_state *crtc_state);
+
+ void skl_program_plane_scaler(struct intel_plane *plane,
+@@ -26,4 +31,5 @@ void skl_program_plane_scaler(struct intel_plane *plane,
+ const struct intel_plane_state *plane_state);
+ void skl_detach_scalers(const struct intel_crtc_state *crtc_state);
+ void skl_scaler_disable(const struct intel_crtc_state *old_crtc_state);
++
+ #endif
+--
+2.43.0
+
--- /dev/null
+From 9a7b2cef7d414c945287ebdf3943f8f9c67a5133 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Dec 2023 08:23:49 +0900
+Subject: ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit 13736654481198e519059d4a2e2e3b20fa9fdb3e ]
+
+MS confirm that "AISi" name of SMB2_CREATE_ALLOCATION_SIZE in MS-SMB2
+specification is a typo. cifs/ksmbd have been using this wrong name from
+MS-SMB2. It should be "AlSi". Also It will cause problem when running
+smb2.create.open test in smbtorture against ksmbd.
+
+Cc: stable@vger.kernel.org
+Fixes: 12197a7fdda9 ("Clarify SMB2/SMB3 create context and add missing ones")
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
+index f32c99c9ba131..301c155c52677 100644
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -779,7 +779,7 @@ struct smb2_tree_disconnect_rsp {
+ #define SMB2_CREATE_SD_BUFFER "SecD" /* security descriptor */
+ #define SMB2_CREATE_DURABLE_HANDLE_REQUEST "DHnQ"
+ #define SMB2_CREATE_DURABLE_HANDLE_RECONNECT "DHnC"
+-#define SMB2_CREATE_ALLOCATION_SIZE "AISi"
++#define SMB2_CREATE_ALLOCATION_SIZE "AlSi"
+ #define SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
+ #define SMB2_CREATE_TIMEWARP_REQUEST "TWrp"
+ #define SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
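Review bot: The corrected tag `"AlSi"` differs from the old `"AISi"` only by a lowercase L in place of an uppercase i, which many fonts render identically, and the define carries no comment, unlike `SMB2_CREATE_SD_BUFFER` a few lines above it. Since the commit message says the published MS-SMB2 text contains the typo, someone checking the header against the specification could change it back. I would add a trailing comment such as `/* lowercase 'l' (0x6c); "AISi" in MS-SMB2 is a typo */`.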
+--
+2.43.0
+
i2c-aspeed-handle-the-coalesced-stop-conditions-with.patch
pinctrl-at91-pio4-use-dedicated-lock-class-for-irq.patch
gpiolib-cdev-add-gpio_device-locking-wrapper-around-.patch
+ksmbd-fix-wrong-name-of-smb2_create_allocation_size.patch
+drm-i915-mtl-limit-second-scaler-vertical-scaling-in.patch
+drm-i915-relocate-intel_atomic_setup_scalers.patch
+drm-i915-fix-intel_atomic_setup_scalers-plane_state-.patch
+smb-client-fix-null-deref-in-asn1_ber_decoder.patch
+smb-client-fix-oob-in-smb2_query_reparse_point.patch
--- /dev/null
+From fb278ac9dfe2e5d654654e1a4208053a5821617b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 10:26:42 -0300
+Subject: smb: client: fix NULL deref in asn1_ber_decoder()
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+[ Upstream commit 90d025c2e953c11974e76637977c473200593a46 ]
+
+If server replied SMB2_NEGOTIATE with a zero SecurityBufferOffset,
+smb2_get_data_area() sets @len to non-zero but return NULL, so
+decode_negTokeninit() ends up being called with a NULL @security_blob:
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000000
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 2 PID: 871 Comm: mount.cifs Not tainted 6.7.0-rc4 #2
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+ RIP: 0010:asn1_ber_decoder+0x173/0xc80
+ Code: 01 4c 39 2c 24 75 09 45 84 c9 0f 85 2f 03 00 00 48 8b 14 24 4c 29 ea 48 83 fa 01 0f 86 1e 07 00 00 48 8b 74 24 28 4d 8d 5d 01 <42> 0f b6 3c 2e 89 fa 40 88 7c 24 5c f7 d2 83 e2 1f 0f 84 3d 07 00
+ RSP: 0018:ffffc9000063f950 EFLAGS: 00010202
+ RAX: 0000000000000002 RBX: 0000000000000000 RCX: 000000000000004a
+ RDX: 000000000000004a RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000002 R11: 0000000000000001 R12: 0000000000000000
+ R13: 0000000000000000 R14: 000000000000004d R15: 0000000000000000
+ FS: 00007fce52b0fbc0(0000) GS:ffff88806ba00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 000000001ae64000 CR4: 0000000000750ef0
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ ? __die+0x23/0x70
+ ? page_fault_oops+0x181/0x480
+ ? __stack_depot_save+0x1e6/0x480
+ ? exc_page_fault+0x6f/0x1c0
+ ? asm_exc_page_fault+0x26/0x30
+ ? asn1_ber_decoder+0x173/0xc80
+ ? check_object+0x40/0x340
+ decode_negTokenInit+0x1e/0x30 [cifs]
+ SMB2_negotiate+0xc99/0x17c0 [cifs]
+ ? smb2_negotiate+0x46/0x60 [cifs]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ smb2_negotiate+0x46/0x60 [cifs]
+ cifs_negotiate_protocol+0xae/0x130 [cifs]
+ cifs_get_smb_ses+0x517/0x1040 [cifs]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? queue_delayed_work_on+0x5d/0x90
+ cifs_mount_get_session+0x78/0x200 [cifs]
+ dfs_mount_share+0x13a/0x9f0 [cifs]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? lock_acquire+0xbf/0x2b0
+ ? find_nls+0x16/0x80
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ cifs_mount+0x7e/0x350 [cifs]
+ cifs_smb3_do_mount+0x128/0x780 [cifs]
+ smb3_get_tree+0xd9/0x290 [cifs]
+ vfs_get_tree+0x2c/0x100
+ ? capable+0x37/0x70
+ path_mount+0x2d7/0xb80
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? _raw_spin_unlock_irqrestore+0x44/0x60
+ __x64_sys_mount+0x11a/0x150
+ do_syscall_64+0x47/0xf0
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+ RIP: 0033:0x7fce52c2ab1e
+
+Fix this by setting @len to zero when @off == 0 so callers won't
+attempt to dereference non-existing data areas.
+
+Reported-by: Robert Morris <rtm@csail.mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2misc.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
+index 29b5554f6263f..e2f401c8c5ce7 100644
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -298,6 +298,9 @@ static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = {
+ char *
+ smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr)
+ {
++ const int max_off = 4096;
++ const int max_len = 128 * 1024;
++
+ *off = 0;
+ *len = 0;
+
+@@ -369,29 +372,20 @@ smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr)
+ * Invalid length or offset probably means data area is invalid, but
+ * we have little choice but to ignore the data area in this case.
+ */
+- if (*off > 4096) {
+- cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off);
+- *len = 0;
+- *off = 0;
+- } else if (*off < 0) {
+- cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n",
+- *off);
++ if (unlikely(*off < 0 || *off > max_off ||
++ *len < 0 || *len > max_len)) {
++ cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n",
++ __func__, *off, *len);
+ *off = 0;
+ *len = 0;
+- } else if (*len < 0) {
+- cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n",
+- *len);
+- *len = 0;
+- } else if (*len > 128 * 1024) {
+- cifs_dbg(VFS, "data area larger than 128K: %d\n", *len);
++ } else if (*off == 0) {
+ *len = 0;
+ }
+
+ /* return pointer to beginning of data area, ie offset from SMB start */
+- if ((*off != 0) && (*len != 0))
++ if (*off > 0 && *len > 0)
+ return (char *)shdr + *off;
+- else
+- return NULL;
++ return NULL;
+ }
+
+ /*
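Review bot: The merged check in smb2_get_data_area_len() compares `*off` and `*len` only with the fixed limits `max_off` and `max_len` declared in the previous hunk, never with the size of the response actually received, and the signature carries no length to compare against. The pointer returned by `return (char *)shdr + *off;` is therefore only as safe as the caller's own check that off + len lies inside the received buffer; if that check exists it is outside this hunk. I would record the contract above the return, e.g. `/* off/len are only range-checked here; callers must verify off + len against the received response length */`. The function starts in the previous hunk, and the part of its body that sets `*off` and `*len` per command lies between the two hunks, so whether a small positive offset can still point into the header cannot be judged from here.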
+--
+2.43.0
+
--- /dev/null
+From b9f113912596b6dd0a4ee80c68beb46dd6672cfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 10:26:43 -0300
+Subject: smb: client: fix OOB in smb2_query_reparse_point()
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+[ Upstream commit 3a42709fa909e22b0be4bb1e2795aa04ada732a3 ]
+
+Validate @ioctl_rsp->OutputOffset and @ioctl_rsp->OutputCount so that
+their sum does not wrap to a number that is smaller than @reparse_buf
+and we end up with a wild pointer as follows:
+
+ BUG: unable to handle page fault for address: ffff88809c5cd45f
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 4a01067 P4D 4a01067 PUD 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 2 PID: 1260 Comm: mount.cifs Not tainted 6.7.0-rc4 #2
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
+ rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+ RIP: 0010:smb2_query_reparse_point+0x3e0/0x4c0 [cifs]
+ Code: ff ff e8 f3 51 fe ff 41 89 c6 58 5a 45 85 f6 0f 85 14 fe ff ff
+ 49 8b 57 48 8b 42 60 44 8b 42 64 42 8d 0c 00 49 39 4f 50 72 40 <8b>
+ 04 02 48 8b 9d f0 fe ff ff 49 8b 57 50 89 03 48 8b 9d e8 fe ff
+ RSP: 0018:ffffc90000347a90 EFLAGS: 00010212
+ RAX: 000000008000001f RBX: ffff88800ae11000 RCX: 00000000000000ec
+ RDX: ffff88801c5cd440 RSI: 0000000000000000 RDI: ffffffff82004aa4
+ RBP: ffffc90000347bb0 R08: 00000000800000cd R09: 0000000000000001
+ R10: 0000000000000000 R11: 0000000000000024 R12: ffff8880114d4100
+ R13: ffff8880114d4198 R14: 0000000000000000 R15: ffff8880114d4000
+ FS: 00007f02c07babc0(0000) GS:ffff88806ba00000(0000)
+ knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffff88809c5cd45f CR3: 0000000011750000 CR4: 0000000000750ef0
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ ? __die+0x23/0x70
+ ? page_fault_oops+0x181/0x480
+ ? search_module_extables+0x19/0x60
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? exc_page_fault+0x1b6/0x1c0
+ ? asm_exc_page_fault+0x26/0x30
+ ? _raw_spin_unlock_irqrestore+0x44/0x60
+ ? smb2_query_reparse_point+0x3e0/0x4c0 [cifs]
+ cifs_get_fattr+0x16e/0xa50 [cifs]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? lock_acquire+0xbf/0x2b0
+ cifs_root_iget+0x163/0x5f0 [cifs]
+ cifs_smb3_do_mount+0x5bd/0x780 [cifs]
+ smb3_get_tree+0xd9/0x290 [cifs]
+ vfs_get_tree+0x2c/0x100
+ ? capable+0x37/0x70
+ path_mount+0x2d7/0xb80
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? _raw_spin_unlock_irqrestore+0x44/0x60
+ __x64_sys_mount+0x11a/0x150
+ do_syscall_64+0x47/0xf0
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+ RIP: 0033:0x7f02c08d5b1e
+
+Fixes: 2e4564b31b64 ("smb3: add support for stat of WSL reparse points for special file types")
+Cc: stable@vger.kernel.org
+Reported-by: Robert Morris <rtm@csail.mit.edu>
+Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2ops.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 7c2ecbb17f542..f31da2647d042 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3263,7 +3263,7 @@ smb2_query_reparse_tag(const unsigned int xid, struct cifs_tcon *tcon,
+ struct kvec close_iov[1];
+ struct smb2_ioctl_rsp *ioctl_rsp;
+ struct reparse_data_buffer *reparse_buf;
+- u32 plen;
++ u32 off, count, len;
+
+ cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
+
+@@ -3343,16 +3343,22 @@ smb2_query_reparse_tag(const unsigned int xid, struct cifs_tcon *tcon,
+ */
+ if (rc == 0) {
+ /* See MS-FSCC 2.3.23 */
++ off = le32_to_cpu(ioctl_rsp->OutputOffset);
++ count = le32_to_cpu(ioctl_rsp->OutputCount);
++ if (check_add_overflow(off, count, &len) ||
++ len > rsp_iov[1].iov_len) {
++ cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",
++ __func__, off, count);
++ rc = -EIO;
++ goto query_rp_exit;
++ }
+
+- reparse_buf = (struct reparse_data_buffer *)
+- ((char *)ioctl_rsp +
+- le32_to_cpu(ioctl_rsp->OutputOffset));
+- plen = le32_to_cpu(ioctl_rsp->OutputCount);
+-
+- if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
+- rsp_iov[1].iov_len) {
+- cifs_tcon_dbg(FYI, "srv returned invalid ioctl len: %d\n",
+- plen);
++ reparse_buf = (void *)((u8 *)ioctl_rsp + off);
++ len = sizeof(*reparse_buf);
++ if (count < len ||
++ count < le16_to_cpu(reparse_buf->ReparseDataLength) + len) {
++ cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",
++ __func__, off, count);
+ rc = -EIO;
+ goto query_rp_exit;
+ }
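Review bot: Both added cifs_tcon_dbg() calls print the `u32` values `off` and `count` with `%d`, so the oversized server-supplied values this check is meant to reject appear as negative numbers in the log; the format should be `"%s: invalid ioctl: off=%u count=%u\n"`. The two messages are also byte-identical, so a log line does not show whether the offset/count bound or the ReparseDataLength comparison failed; a distinguishing word in the second message would help triage. The enclosing function starts before this hunk and continues past it, so the `query_rp_exit` cleanup path is not visible here.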
+--
+2.43.0
+