From: Sasha Levin Date: Sun, 24 Dec 2023 14:10:26 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v6.1.70~43^2~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7d392d4db467a3a713938d73c8fe447ec444d70e;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin
---
diff --git a/queue-5.15/drm-i915-fix-intel_atomic_setup_scalers-plane_state-.patch b/queue-5.15/drm-i915-fix-intel_atomic_setup_scalers-plane_state-.patch
new file mode 100644
index 00000000000..37d11c6aee8
--- /dev/null
+++ b/queue-5.15/drm-i915-fix-intel_atomic_setup_scalers-plane_state-.patch
@@ -0,0 +1,62 @@
+From c66c2f00dd847dc9963a0836fbc38a9f166c3ec6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Dec 2023 21:34:34 +0200
+Subject: drm/i915: Fix intel_atomic_setup_scalers() plane_state handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä
+
+[ Upstream commit c3070f080f9ba18dea92eaa21730f7ab85b5c8f4 ]
+
+Since the plane_state variable is declared outside the scaler_users
+loop in intel_atomic_setup_scalers(), and it's never reset back to
+NULL inside the loop we may end up calling intel_atomic_setup_scaler()
+with a non-NULL plane state for the pipe scaling case. That is bad
+because intel_atomic_setup_scaler() determines whether we are doing
+plane scaling or pipe scaling based on plane_state!=NULL. The end
+result is that we may miscalculate the scaler mode for pipe scaling.
+
+The hardware becomes somewhat upset if we end up in this situation
+when scanning out a planar format on a SDR plane. We end up
+programming the pipe scaler into planar mode as well, and the
+result is a screenfull of garbage.
+
+Fix the situation by making sure we pass the correct plane_state==NULL
+when calculating the scaler mode for pipe scaling.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ville Syrjälä
+Link: https://patchwork.freedesktop.org/patch/msgid/20231207193441.20206-2-ville.syrjala@linux.intel.com
+Reviewed-by: Jani Nikula
+(cherry picked from commit e81144106e21271c619f0c722a09e27ccb8c043d)
+Signed-off-by: Jani Nikula
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/i915/display/skl_scaler.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/i915/display/skl_scaler.c b/drivers/gpu/drm/i915/display/skl_scaler.c
+index a9cc5cfad0bd2..e55df2f05cbd5 100644
+--- a/drivers/gpu/drm/i915/display/skl_scaler.c
++++ b/drivers/gpu/drm/i915/display/skl_scaler.c
+@@ -450,7 +450,6 @@ int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv,
+ {
+ struct drm_plane *plane = NULL;
+ struct intel_plane *intel_plane;
+- struct intel_plane_state *plane_state = NULL;
+ struct intel_crtc_scaler_state *scaler_state =
+ &crtc_state->scaler_state;
+ struct drm_atomic_state *drm_state = crtc_state->uapi.state;
+@@ -482,6 +481,7 @@ int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv,
+
+ /* walkthrough scaler_users bits and start assigning scalers */
+ for (i = 0; i < sizeof(scaler_state->scaler_users) * 8; i++) {
++ struct intel_plane_state *plane_state = NULL;
+ int *scaler_id;
+ const char *name;
+ int idx, ret;
+--
+2.43.0
+
diff --git a/queue-5.15/drm-i915-mtl-limit-second-scaler-vertical-scaling-in.patch b/queue-5.15/drm-i915-mtl-limit-second-scaler-vertical-scaling-in.patch
new file mode 100644
index 00000000000..89de8d89817
--- /dev/null
+++ b/queue-5.15/drm-i915-mtl-limit-second-scaler-vertical-scaling-in.patch
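Review bot: The loop-scoped `plane_state` declaration added to intel_atomic_setup_scalers() in skl_scaler.c carries an unwritten contract that deserves a comment at the declaration. Per the commit message, intel_atomic_setup_scaler() decides between plane and pipe scaling on `plane_state != NULL`, so the pointer has to be NULL on the SKL_CRTC_INDEX iteration; nothing in the code says so, and a later cleanup that hoists the variable back out of the loop would bring the stale-pointer bug back without any warning. I would add `/* must be NULL for the pipe (CRTC) scaler; the callee keys plane vs. pipe scaling on this */` above the new line. The loop body continues past the end of the inner hunk.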
@@ -0,0 +1,170 @@ +From d7cb4271fcdbe28aaf0bd6143eb347292ce5c92d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Dec 2022 15:05:08 +0200 +Subject: drm/i915/mtl: limit second scaler vertical scaling in ver >= 14 + +From: Luca Coelho + +[ Upstream commit 8d4312e2b228ba7a5ac79154458098274ec61e9b ] + +In newer hardware versions (i.e. display version >= 14), the second +scaler doesn't support vertical scaling. + +The current implementation of the scaling limits is simplified and +only occurs when the planes are created, so we don't know which scaler +is being used. + +In order to handle separate scaling limits for horizontal and vertical +scaling, and different limits per scaler, split the checks in two +phases. We first do a simple check during plane creation and use the +best-case scenario (because we don't know the scaler that may be used +at a later point) and then do a more specific check when the scalers +are actually being set up. + +Signed-off-by: Luca Coelho +Reviewed-by: Stanislav Lisovskiy +Signed-off-by: Radhakrishna Sripada +Link: https://patchwork.freedesktop.org/patch/msgid/20221223130509.43245-2-luciano.coelho@intel.com +Stable-dep-of: c3070f080f9b ("drm/i915: Fix intel_atomic_setup_scalers() plane_state handling") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_atomic.c | 85 ++++++++++++++++++--- + 1 file changed, 75 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_atomic.c b/drivers/gpu/drm/i915/display/intel_atomic.c +index b4e7ac51aa31d..4b4514ce6d88b 100644 +--- a/drivers/gpu/drm/i915/display/intel_atomic.c ++++ b/drivers/gpu/drm/i915/display/intel_atomic.c +@@ -40,6 +40,7 @@ + #include "intel_global_state.h" + #include "intel_hdcp.h" + #include "intel_psr.h" ++#include "intel_fb.h" + #include "skl_universal_plane.h" + + /** +@@ -310,11 +311,11 @@ intel_crtc_destroy_state(struct drm_crtc *crtc, + kfree(crtc_state); + } + +-static void intel_atomic_setup_scaler(struct 
intel_crtc_scaler_state *scaler_state, +- int num_scalers_need, struct intel_crtc *intel_crtc, +- const char *name, int idx, +- struct intel_plane_state *plane_state, +- int *scaler_id) ++static int intel_atomic_setup_scaler(struct intel_crtc_scaler_state *scaler_state, ++ int num_scalers_need, struct intel_crtc *intel_crtc, ++ const char *name, int idx, ++ struct intel_plane_state *plane_state, ++ int *scaler_id) + { + struct drm_i915_private *dev_priv = to_i915(intel_crtc->base.dev); + int j; +@@ -334,7 +335,7 @@ static void intel_atomic_setup_scaler(struct intel_crtc_scaler_state *scaler_sta + + if (drm_WARN(&dev_priv->drm, *scaler_id < 0, + "Cannot find scaler for %s:%d\n", name, idx)) +- return; ++ return -EINVAL; + + /* set scaler mode */ + if (plane_state && plane_state->hw.fb && +@@ -375,9 +376,71 @@ static void intel_atomic_setup_scaler(struct intel_crtc_scaler_state *scaler_sta + mode = SKL_PS_SCALER_MODE_DYN; + } + ++ /* ++ * FIXME: we should also check the scaler factors for pfit, so ++ * this shouldn't be tied directly to planes. ++ */ ++ if (plane_state && plane_state->hw.fb) { ++ const struct drm_framebuffer *fb = plane_state->hw.fb; ++ const struct drm_rect *src = &plane_state->uapi.src; ++ const struct drm_rect *dst = &plane_state->uapi.dst; ++ int hscale, vscale, max_vscale, max_hscale; ++ ++ /* ++ * FIXME: When two scalers are needed, but only one of ++ * them needs to downscale, we should make sure that ++ * the one that needs downscaling support is assigned ++ * as the first scaler, so we don't reject downscaling ++ * unnecessarily. ++ */ ++ ++ if (DISPLAY_VER(dev_priv) >= 14) { ++ /* ++ * On versions 14 and up, only the first ++ * scaler supports a vertical scaling factor ++ * of more than 1.0, while a horizontal ++ * scaling factor of 3.0 is supported. 
++ */ ++ max_hscale = 0x30000 - 1; ++ if (*scaler_id == 0) ++ max_vscale = 0x30000 - 1; ++ else ++ max_vscale = 0x10000; ++ ++ } else if (DISPLAY_VER(dev_priv) >= 10 || ++ !intel_format_info_is_yuv_semiplanar(fb->format, fb->modifier)) { ++ max_hscale = 0x30000 - 1; ++ max_vscale = 0x30000 - 1; ++ } else { ++ max_hscale = 0x20000 - 1; ++ max_vscale = 0x20000 - 1; ++ } ++ ++ /* ++ * FIXME: We should change the if-else block above to ++ * support HQ vs dynamic scaler properly. ++ */ ++ ++ /* Check if required scaling is within limits */ ++ hscale = drm_rect_calc_hscale(src, dst, 1, max_hscale); ++ vscale = drm_rect_calc_vscale(src, dst, 1, max_vscale); ++ ++ if (hscale < 0 || vscale < 0) { ++ drm_dbg_kms(&dev_priv->drm, ++ "Scaler %d doesn't support required plane scaling\n", ++ *scaler_id); ++ drm_rect_debug_print("src: ", src, true); ++ drm_rect_debug_print("dst: ", dst, false); ++ ++ return -EINVAL; ++ } ++ } ++ + drm_dbg_kms(&dev_priv->drm, "Attached scaler id %u.%u to %s:%d\n", + intel_crtc->pipe, *scaler_id, name, idx); + scaler_state->scalers[*scaler_id].mode = mode; ++ ++ return 0; + } + + /** +@@ -437,7 +500,7 @@ int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv, + for (i = 0; i < sizeof(scaler_state->scaler_users) * 8; i++) { + int *scaler_id; + const char *name; +- int idx; ++ int idx, ret; + + /* skip if scaler not required */ + if (!(scaler_state->scaler_users & (1 << i))) +@@ -494,9 +557,11 @@ int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv, + scaler_id = &plane_state->scaler_id; + } + +- intel_atomic_setup_scaler(scaler_state, num_scalers_need, +- intel_crtc, name, idx, +- plane_state, scaler_id); ++ ret = intel_atomic_setup_scaler(scaler_state, num_scalers_need, ++ intel_crtc, name, idx, ++ plane_state, scaler_id); ++ if (ret < 0) ++ return ret; + } + + return 0; +-- +2.43.0 + 
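Review bot: The new `return -EINVAL` in the scale-limit block of intel_atomic_setup_scaler() fires after the function has already claimed a scaler, and the error path leaves that claim in place. The free-scaler search earlier in the body (outside this hunk, visible in the relocation patch on this page) writes `*scaler_id` and sets `in_use = 1`, and the HQ branch may have moved the user to scaler 0 before the check runs. That is presumably harmless only because the atomic check path discards the whole state on failure, so the assumption should be written down, for example `/* no unwind: a failed check discards scaler_state */` above the return. Separately, `0x30000 - 1`, `0x20000 - 1` and `0x10000` read as 16.16 fixed-point factors (the added comment equates the last one with 1.0); a one-line comment naming the format would let a reader check the limits against the hardware documentation.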
diff --git a/queue-5.15/drm-i915-relocate-intel_atomic_setup_scalers.patch b/queue-5.15/drm-i915-relocate-intel_atomic_setup_scalers.patch new file mode 100644 index 00000000000..a12a4033b7f --- /dev/null +++ b/queue-5.15/drm-i915-relocate-intel_atomic_setup_scalers.patch 
@@ -0,0 +1,613 @@ +From 496588cb28dbb467f357c1b55ca0182fd264ab1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Apr 2023 20:55:16 +0300 +Subject: drm/i915: Relocate intel_atomic_setup_scalers() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit 8976b18249407df8bf6ea18ecae0640a15341a50 ] + +Move intel_atomic_setup_scalers() next to the other scaler +code in skl_scaler.c. + +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20230418175528.13117-4-ville.syrjala@linux.intel.com +Reviewed-by: Jani Nikula +Stable-dep-of: c3070f080f9b ("drm/i915: Fix intel_atomic_setup_scalers() plane_state handling") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_atomic.c | 256 ------------------- + drivers/gpu/drm/i915/display/intel_atomic.h | 4 - + drivers/gpu/drm/i915/display/skl_scaler.c | 257 ++++++++++++++++++++ + drivers/gpu/drm/i915/display/skl_scaler.h | 10 +- + 4 files changed, 265 insertions(+), 262 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_atomic.c b/drivers/gpu/drm/i915/display/intel_atomic.c +index 4b4514ce6d88b..655c039a9c8f3 100644 +--- a/drivers/gpu/drm/i915/display/intel_atomic.c ++++ b/drivers/gpu/drm/i915/display/intel_atomic.c +@@ -311,262 +311,6 @@ intel_crtc_destroy_state(struct drm_crtc *crtc, + kfree(crtc_state); + } + +-static int intel_atomic_setup_scaler(struct intel_crtc_scaler_state *scaler_state, +- int num_scalers_need, struct intel_crtc *intel_crtc, +- const char *name, int idx, +- struct intel_plane_state *plane_state, +- int *scaler_id) +-{ +- struct drm_i915_private *dev_priv = to_i915(intel_crtc->base.dev); +- int j; +- u32 mode; +- +- if (*scaler_id < 0) { +- /* find a free scaler */ +- for (j = 0; j < intel_crtc->num_scalers; j++) { +- if (scaler_state->scalers[j].in_use) +- continue; +- +- *scaler_id = j; +- scaler_state->scalers[*scaler_id].in_use = 1; +- break; +- } +- } +- 
+- if (drm_WARN(&dev_priv->drm, *scaler_id < 0, +- "Cannot find scaler for %s:%d\n", name, idx)) +- return -EINVAL; +- +- /* set scaler mode */ +- if (plane_state && plane_state->hw.fb && +- plane_state->hw.fb->format->is_yuv && +- plane_state->hw.fb->format->num_planes > 1) { +- struct intel_plane *plane = to_intel_plane(plane_state->uapi.plane); +- if (DISPLAY_VER(dev_priv) == 9) { +- mode = SKL_PS_SCALER_MODE_NV12; +- } else if (icl_is_hdr_plane(dev_priv, plane->id)) { +- /* +- * On gen11+'s HDR planes we only use the scaler for +- * scaling. They have a dedicated chroma upsampler, so +- * we don't need the scaler to upsample the UV plane. +- */ +- mode = PS_SCALER_MODE_NORMAL; +- } else { +- struct intel_plane *linked = +- plane_state->planar_linked_plane; +- +- mode = PS_SCALER_MODE_PLANAR; +- +- if (linked) +- mode |= PS_PLANE_Y_SEL(linked->id); +- } +- } else if (DISPLAY_VER(dev_priv) >= 10) { +- mode = PS_SCALER_MODE_NORMAL; +- } else if (num_scalers_need == 1 && intel_crtc->num_scalers > 1) { +- /* +- * when only 1 scaler is in use on a pipe with 2 scalers +- * scaler 0 operates in high quality (HQ) mode. +- * In this case use scaler 0 to take advantage of HQ mode +- */ +- scaler_state->scalers[*scaler_id].in_use = 0; +- *scaler_id = 0; +- scaler_state->scalers[0].in_use = 1; +- mode = SKL_PS_SCALER_MODE_HQ; +- } else { +- mode = SKL_PS_SCALER_MODE_DYN; +- } +- +- /* +- * FIXME: we should also check the scaler factors for pfit, so +- * this shouldn't be tied directly to planes. 
+- */ +- if (plane_state && plane_state->hw.fb) { +- const struct drm_framebuffer *fb = plane_state->hw.fb; +- const struct drm_rect *src = &plane_state->uapi.src; +- const struct drm_rect *dst = &plane_state->uapi.dst; +- int hscale, vscale, max_vscale, max_hscale; +- +- /* +- * FIXME: When two scalers are needed, but only one of +- * them needs to downscale, we should make sure that +- * the one that needs downscaling support is assigned +- * as the first scaler, so we don't reject downscaling +- * unnecessarily. +- */ +- +- if (DISPLAY_VER(dev_priv) >= 14) { +- /* +- * On versions 14 and up, only the first +- * scaler supports a vertical scaling factor +- * of more than 1.0, while a horizontal +- * scaling factor of 3.0 is supported. +- */ +- max_hscale = 0x30000 - 1; +- if (*scaler_id == 0) +- max_vscale = 0x30000 - 1; +- else +- max_vscale = 0x10000; +- +- } else if (DISPLAY_VER(dev_priv) >= 10 || +- !intel_format_info_is_yuv_semiplanar(fb->format, fb->modifier)) { +- max_hscale = 0x30000 - 1; +- max_vscale = 0x30000 - 1; +- } else { +- max_hscale = 0x20000 - 1; +- max_vscale = 0x20000 - 1; +- } +- +- /* +- * FIXME: We should change the if-else block above to +- * support HQ vs dynamic scaler properly. 
+- */ +- +- /* Check if required scaling is within limits */ +- hscale = drm_rect_calc_hscale(src, dst, 1, max_hscale); +- vscale = drm_rect_calc_vscale(src, dst, 1, max_vscale); +- +- if (hscale < 0 || vscale < 0) { +- drm_dbg_kms(&dev_priv->drm, +- "Scaler %d doesn't support required plane scaling\n", +- *scaler_id); +- drm_rect_debug_print("src: ", src, true); +- drm_rect_debug_print("dst: ", dst, false); +- +- return -EINVAL; +- } +- } +- +- drm_dbg_kms(&dev_priv->drm, "Attached scaler id %u.%u to %s:%d\n", +- intel_crtc->pipe, *scaler_id, name, idx); +- scaler_state->scalers[*scaler_id].mode = mode; +- +- return 0; +-} +- +-/** +- * intel_atomic_setup_scalers() - setup scalers for crtc per staged requests +- * @dev_priv: i915 device +- * @intel_crtc: intel crtc +- * @crtc_state: incoming crtc_state to validate and setup scalers +- * +- * This function sets up scalers based on staged scaling requests for +- * a @crtc and its planes. It is called from crtc level check path. If request +- * is a supportable request, it attaches scalers to requested planes and crtc. 
+- * +- * This function takes into account the current scaler(s) in use by any planes +- * not being part of this atomic state +- * +- * Returns: +- * 0 - scalers were setup succesfully +- * error code - otherwise +- */ +-int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv, +- struct intel_crtc *intel_crtc, +- struct intel_crtc_state *crtc_state) +-{ +- struct drm_plane *plane = NULL; +- struct intel_plane *intel_plane; +- struct intel_plane_state *plane_state = NULL; +- struct intel_crtc_scaler_state *scaler_state = +- &crtc_state->scaler_state; +- struct drm_atomic_state *drm_state = crtc_state->uapi.state; +- struct intel_atomic_state *intel_state = to_intel_atomic_state(drm_state); +- int num_scalers_need; +- int i; +- +- num_scalers_need = hweight32(scaler_state->scaler_users); +- +- /* +- * High level flow: +- * - staged scaler requests are already in scaler_state->scaler_users +- * - check whether staged scaling requests can be supported +- * - add planes using scalers that aren't in current transaction +- * - assign scalers to requested users +- * - as part of plane commit, scalers will be committed +- * (i.e., either attached or detached) to respective planes in hw +- * - as part of crtc_commit, scaler will be either attached or detached +- * to crtc in hw +- */ +- +- /* fail if required scalers > available scalers */ +- if (num_scalers_need > intel_crtc->num_scalers){ +- drm_dbg_kms(&dev_priv->drm, +- "Too many scaling requests %d > %d\n", +- num_scalers_need, intel_crtc->num_scalers); +- return -EINVAL; +- } +- +- /* walkthrough scaler_users bits and start assigning scalers */ +- for (i = 0; i < sizeof(scaler_state->scaler_users) * 8; i++) { +- int *scaler_id; +- const char *name; +- int idx, ret; +- +- /* skip if scaler not required */ +- if (!(scaler_state->scaler_users & (1 << i))) +- continue; +- +- if (i == SKL_CRTC_INDEX) { +- name = "CRTC"; +- idx = intel_crtc->base.base.id; +- +- /* panel fitter case: assign as a crtc scaler */ +- 
scaler_id = &scaler_state->scaler_id; +- } else { +- name = "PLANE"; +- +- /* plane scaler case: assign as a plane scaler */ +- /* find the plane that set the bit as scaler_user */ +- plane = drm_state->planes[i].ptr; +- +- /* +- * to enable/disable hq mode, add planes that are using scaler +- * into this transaction +- */ +- if (!plane) { +- struct drm_plane_state *state; +- +- /* +- * GLK+ scalers don't have a HQ mode so it +- * isn't necessary to change between HQ and dyn mode +- * on those platforms. +- */ +- if (DISPLAY_VER(dev_priv) >= 10) +- continue; +- +- plane = drm_plane_from_index(&dev_priv->drm, i); +- state = drm_atomic_get_plane_state(drm_state, plane); +- if (IS_ERR(state)) { +- drm_dbg_kms(&dev_priv->drm, +- "Failed to add [PLANE:%d] to drm_state\n", +- plane->base.id); +- return PTR_ERR(state); +- } +- } +- +- intel_plane = to_intel_plane(plane); +- idx = plane->base.id; +- +- /* plane on different crtc cannot be a scaler user of this crtc */ +- if (drm_WARN_ON(&dev_priv->drm, +- intel_plane->pipe != intel_crtc->pipe)) +- continue; +- +- plane_state = intel_atomic_get_new_plane_state(intel_state, +- intel_plane); +- scaler_id = &plane_state->scaler_id; +- } +- +- ret = intel_atomic_setup_scaler(scaler_state, num_scalers_need, +- intel_crtc, name, idx, +- plane_state, scaler_id); +- if (ret < 0) +- return ret; +- } +- +- return 0; +-} +- + struct drm_atomic_state * + intel_atomic_state_alloc(struct drm_device *dev) + { +diff --git a/drivers/gpu/drm/i915/display/intel_atomic.h b/drivers/gpu/drm/i915/display/intel_atomic.h +index d2700c74c9dac..509deb75f6985 100644 +--- a/drivers/gpu/drm/i915/display/intel_atomic.h ++++ b/drivers/gpu/drm/i915/display/intel_atomic.h +@@ -54,8 +54,4 @@ struct intel_crtc_state * + intel_atomic_get_crtc_state(struct drm_atomic_state *state, + struct intel_crtc *crtc); + +-int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv, +- struct intel_crtc *intel_crtc, +- struct intel_crtc_state *crtc_state); +- + 
#endif /* __INTEL_ATOMIC_H__ */ +diff --git a/drivers/gpu/drm/i915/display/skl_scaler.c b/drivers/gpu/drm/i915/display/skl_scaler.c +index 37eabeff8197f..a9cc5cfad0bd2 100644 +--- a/drivers/gpu/drm/i915/display/skl_scaler.c ++++ b/drivers/gpu/drm/i915/display/skl_scaler.c +@@ -294,6 +294,263 @@ int skl_update_scaler_plane(struct intel_crtc_state *crtc_state, + return 0; + } + ++static int intel_atomic_setup_scaler(struct intel_crtc_scaler_state *scaler_state, ++ int num_scalers_need, struct intel_crtc *intel_crtc, ++ const char *name, int idx, ++ struct intel_plane_state *plane_state, ++ int *scaler_id) ++{ ++ struct drm_i915_private *dev_priv = to_i915(intel_crtc->base.dev); ++ int j; ++ u32 mode; ++ ++ if (*scaler_id < 0) { ++ /* find a free scaler */ ++ for (j = 0; j < intel_crtc->num_scalers; j++) { ++ if (scaler_state->scalers[j].in_use) ++ continue; ++ ++ *scaler_id = j; ++ scaler_state->scalers[*scaler_id].in_use = 1; ++ break; ++ } ++ } ++ ++ if (drm_WARN(&dev_priv->drm, *scaler_id < 0, ++ "Cannot find scaler for %s:%d\n", name, idx)) ++ return -EINVAL; ++ ++ /* set scaler mode */ ++ if (plane_state && plane_state->hw.fb && ++ plane_state->hw.fb->format->is_yuv && ++ plane_state->hw.fb->format->num_planes > 1) { ++ struct intel_plane *plane = to_intel_plane(plane_state->uapi.plane); ++ ++ if (DISPLAY_VER(dev_priv) == 9) { ++ mode = SKL_PS_SCALER_MODE_NV12; ++ } else if (icl_is_hdr_plane(dev_priv, plane->id)) { ++ /* ++ * On gen11+'s HDR planes we only use the scaler for ++ * scaling. They have a dedicated chroma upsampler, so ++ * we don't need the scaler to upsample the UV plane. 
++ */ ++ mode = PS_SCALER_MODE_NORMAL; ++ } else { ++ struct intel_plane *linked = ++ plane_state->planar_linked_plane; ++ ++ mode = PS_SCALER_MODE_PLANAR; ++ ++ if (linked) ++ mode |= PS_PLANE_Y_SEL(linked->id); ++ } ++ } else if (DISPLAY_VER(dev_priv) >= 10) { ++ mode = PS_SCALER_MODE_NORMAL; ++ } else if (num_scalers_need == 1 && intel_crtc->num_scalers > 1) { ++ /* ++ * when only 1 scaler is in use on a pipe with 2 scalers ++ * scaler 0 operates in high quality (HQ) mode. ++ * In this case use scaler 0 to take advantage of HQ mode ++ */ ++ scaler_state->scalers[*scaler_id].in_use = 0; ++ *scaler_id = 0; ++ scaler_state->scalers[0].in_use = 1; ++ mode = SKL_PS_SCALER_MODE_HQ; ++ } else { ++ mode = SKL_PS_SCALER_MODE_DYN; ++ } ++ ++ /* ++ * FIXME: we should also check the scaler factors for pfit, so ++ * this shouldn't be tied directly to planes. ++ */ ++ if (plane_state && plane_state->hw.fb) { ++ const struct drm_framebuffer *fb = plane_state->hw.fb; ++ const struct drm_rect *src = &plane_state->uapi.src; ++ const struct drm_rect *dst = &plane_state->uapi.dst; ++ int hscale, vscale, max_vscale, max_hscale; ++ ++ /* ++ * FIXME: When two scalers are needed, but only one of ++ * them needs to downscale, we should make sure that ++ * the one that needs downscaling support is assigned ++ * as the first scaler, so we don't reject downscaling ++ * unnecessarily. ++ */ ++ ++ if (DISPLAY_VER(dev_priv) >= 14) { ++ /* ++ * On versions 14 and up, only the first ++ * scaler supports a vertical scaling factor ++ * of more than 1.0, while a horizontal ++ * scaling factor of 3.0 is supported. 
++ */ ++ max_hscale = 0x30000 - 1; ++ if (*scaler_id == 0) ++ max_vscale = 0x30000 - 1; ++ else ++ max_vscale = 0x10000; ++ ++ } else if (DISPLAY_VER(dev_priv) >= 10 || ++ !intel_format_info_is_yuv_semiplanar(fb->format, fb->modifier)) { ++ max_hscale = 0x30000 - 1; ++ max_vscale = 0x30000 - 1; ++ } else { ++ max_hscale = 0x20000 - 1; ++ max_vscale = 0x20000 - 1; ++ } ++ ++ /* ++ * FIXME: We should change the if-else block above to ++ * support HQ vs dynamic scaler properly. ++ */ ++ ++ /* Check if required scaling is within limits */ ++ hscale = drm_rect_calc_hscale(src, dst, 1, max_hscale); ++ vscale = drm_rect_calc_vscale(src, dst, 1, max_vscale); ++ ++ if (hscale < 0 || vscale < 0) { ++ drm_dbg_kms(&dev_priv->drm, ++ "Scaler %d doesn't support required plane scaling\n", ++ *scaler_id); ++ drm_rect_debug_print("src: ", src, true); ++ drm_rect_debug_print("dst: ", dst, false); ++ ++ return -EINVAL; ++ } ++ } ++ ++ drm_dbg_kms(&dev_priv->drm, "Attached scaler id %u.%u to %s:%d\n", ++ intel_crtc->pipe, *scaler_id, name, idx); ++ scaler_state->scalers[*scaler_id].mode = mode; ++ ++ return 0; ++} ++ ++/** ++ * intel_atomic_setup_scalers() - setup scalers for crtc per staged requests ++ * @dev_priv: i915 device ++ * @intel_crtc: intel crtc ++ * @crtc_state: incoming crtc_state to validate and setup scalers ++ * ++ * This function sets up scalers based on staged scaling requests for ++ * a @crtc and its planes. It is called from crtc level check path. If request ++ * is a supportable request, it attaches scalers to requested planes and crtc. 
++ * ++ * This function takes into account the current scaler(s) in use by any planes ++ * not being part of this atomic state ++ * ++ * Returns: ++ * 0 - scalers were setup successfully ++ * error code - otherwise ++ */ ++int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv, ++ struct intel_crtc *intel_crtc, ++ struct intel_crtc_state *crtc_state) ++{ ++ struct drm_plane *plane = NULL; ++ struct intel_plane *intel_plane; ++ struct intel_plane_state *plane_state = NULL; ++ struct intel_crtc_scaler_state *scaler_state = ++ &crtc_state->scaler_state; ++ struct drm_atomic_state *drm_state = crtc_state->uapi.state; ++ struct intel_atomic_state *intel_state = to_intel_atomic_state(drm_state); ++ int num_scalers_need; ++ int i; ++ ++ num_scalers_need = hweight32(scaler_state->scaler_users); ++ ++ /* ++ * High level flow: ++ * - staged scaler requests are already in scaler_state->scaler_users ++ * - check whether staged scaling requests can be supported ++ * - add planes using scalers that aren't in current transaction ++ * - assign scalers to requested users ++ * - as part of plane commit, scalers will be committed ++ * (i.e., either attached or detached) to respective planes in hw ++ * - as part of crtc_commit, scaler will be either attached or detached ++ * to crtc in hw ++ */ ++ ++ /* fail if required scalers > available scalers */ ++ if (num_scalers_need > intel_crtc->num_scalers) { ++ drm_dbg_kms(&dev_priv->drm, ++ "Too many scaling requests %d > %d\n", ++ num_scalers_need, intel_crtc->num_scalers); ++ return -EINVAL; ++ } ++ ++ /* walkthrough scaler_users bits and start assigning scalers */ ++ for (i = 0; i < sizeof(scaler_state->scaler_users) * 8; i++) { ++ int *scaler_id; ++ const char *name; ++ int idx, ret; ++ ++ /* skip if scaler not required */ ++ if (!(scaler_state->scaler_users & (1 << i))) ++ continue; ++ ++ if (i == SKL_CRTC_INDEX) { ++ name = "CRTC"; ++ idx = intel_crtc->base.base.id; ++ ++ /* panel fitter case: assign as a crtc scaler */ ++ 
scaler_id = &scaler_state->scaler_id; ++ } else { ++ name = "PLANE"; ++ ++ /* plane scaler case: assign as a plane scaler */ ++ /* find the plane that set the bit as scaler_user */ ++ plane = drm_state->planes[i].ptr; ++ ++ /* ++ * to enable/disable hq mode, add planes that are using scaler ++ * into this transaction ++ */ ++ if (!plane) { ++ struct drm_plane_state *state; ++ ++ /* ++ * GLK+ scalers don't have a HQ mode so it ++ * isn't necessary to change between HQ and dyn mode ++ * on those platforms. ++ */ ++ if (DISPLAY_VER(dev_priv) >= 10) ++ continue; ++ ++ plane = drm_plane_from_index(&dev_priv->drm, i); ++ state = drm_atomic_get_plane_state(drm_state, plane); ++ if (IS_ERR(state)) { ++ drm_dbg_kms(&dev_priv->drm, ++ "Failed to add [PLANE:%d] to drm_state\n", ++ plane->base.id); ++ return PTR_ERR(state); ++ } ++ } ++ ++ intel_plane = to_intel_plane(plane); ++ idx = plane->base.id; ++ ++ /* plane on different crtc cannot be a scaler user of this crtc */ ++ if (drm_WARN_ON(&dev_priv->drm, ++ intel_plane->pipe != intel_crtc->pipe)) ++ continue; ++ ++ plane_state = intel_atomic_get_new_plane_state(intel_state, ++ intel_plane); ++ scaler_id = &plane_state->scaler_id; ++ } ++ ++ ret = intel_atomic_setup_scaler(scaler_state, num_scalers_need, ++ intel_crtc, name, idx, ++ plane_state, scaler_id); ++ if (ret < 0) ++ return ret; ++ } ++ ++ return 0; ++} ++ + static int glk_coef_tap(int i) + { + return i % 7; +diff --git a/drivers/gpu/drm/i915/display/skl_scaler.h b/drivers/gpu/drm/i915/display/skl_scaler.h +index 0097d5d08e102..f040f6ac061f2 100644 +--- a/drivers/gpu/drm/i915/display/skl_scaler.h ++++ b/drivers/gpu/drm/i915/display/skl_scaler.h +@@ -8,17 +8,22 @@ + #include + + enum drm_scaling_filter; ++enum pipe; + struct drm_i915_private; ++struct intel_crtc; + struct intel_crtc_state; +-struct intel_plane_state; + struct intel_plane; +-enum pipe; ++struct intel_plane_state; + + int skl_update_scaler_crtc(struct intel_crtc_state *crtc_state); + + int 
skl_update_scaler_plane(struct intel_crtc_state *crtc_state, + struct intel_plane_state *plane_state); + ++int intel_atomic_setup_scalers(struct drm_i915_private *dev_priv, ++ struct intel_crtc *intel_crtc, ++ struct intel_crtc_state *crtc_state); ++ + void skl_pfit_enable(const struct intel_crtc_state *crtc_state); + + void skl_program_plane_scaler(struct intel_plane *plane, +@@ -26,4 +31,5 @@ void skl_program_plane_scaler(struct intel_plane *plane, + const struct intel_plane_state *plane_state); + void skl_detach_scalers(const struct intel_crtc_state *crtc_state); + void skl_scaler_disable(const struct intel_crtc_state *old_crtc_state); ++ + #endif +-- +2.43.0 + diff --git a/queue-5.15/ksmbd-fix-wrong-name-of-smb2_create_allocation_size.patch b/queue-5.15/ksmbd-fix-wrong-name-of-smb2_create_allocation_size.patch new file mode 100644 index 00000000000..c7ef5ce031d --- /dev/null +++ b/queue-5.15/ksmbd-fix-wrong-name-of-smb2_create_allocation_size.patch 
@@ -0,0 +1,40 @@
+From 9a7b2cef7d414c945287ebdf3943f8f9c67a5133 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Dec 2023 08:23:49 +0900
+Subject: ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE
+
+From: Namjae Jeon
+
+[ Upstream commit 13736654481198e519059d4a2e2e3b20fa9fdb3e ]
+
+MS confirm that "AISi" name of SMB2_CREATE_ALLOCATION_SIZE in MS-SMB2
+specification is a typo. cifs/ksmbd have been using this wrong name from
+MS-SMB2. It should be "AlSi". Also It will cause problem when running
+smb2.create.open test in smbtorture against ksmbd.
+
+Cc: stable@vger.kernel.org
+Fixes: 12197a7fdda9 ("Clarify SMB2/SMB3 create context and add missing ones")
+Signed-off-by: Namjae Jeon
+Reviewed-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2pdu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
+index f32c99c9ba131..301c155c52677 100644
+--- a/fs/cifs/smb2pdu.h
++++ b/fs/cifs/smb2pdu.h
+@@ -779,7 +779,7 @@ struct smb2_tree_disconnect_rsp {
+ #define SMB2_CREATE_SD_BUFFER "SecD" /* security descriptor */
+ #define SMB2_CREATE_DURABLE_HANDLE_REQUEST "DHnQ"
+ #define SMB2_CREATE_DURABLE_HANDLE_RECONNECT "DHnC"
+-#define SMB2_CREATE_ALLOCATION_SIZE "AISi"
++#define SMB2_CREATE_ALLOCATION_SIZE "AlSi"
+ #define SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST "MxAc"
+ #define SMB2_CREATE_TIMEWARP_REQUEST "TWrp"
+ #define SMB2_CREATE_QUERY_ON_DISK_ID "QFid"
+--
+2.43.0
+
diff --git a/queue-5.15/series b/queue-5.15/series
index 0063ed8dcd3..33bbc57471b 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
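Review bot: The diffstat of this backport lists only fs/cifs/smb2pdu.h, while the subject and the smbtorture failure it cites concern ksmbd. If ksmbd in the 5.15 tree carries its own copy of `SMB2_CREATE_ALLOCATION_SIZE` (not visible on this page), the server would keep matching create-context names against the old "AISi" string and the reported failure would remain, so that should be confirmed before the patch is released. Because capital I and lowercase l are indistinguishable in many fonts, I would also put a trailing comment on the define, such as `/* second character is a lowercase L */`, so a later edit does not reintroduce the typo.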
@@ -2,3 +2,9 @@ asoc-hdmi-codec-fix-missing-report-for-jack-initial-.patch
 i2c-aspeed-handle-the-coalesced-stop-conditions-with.patch
 pinctrl-at91-pio4-use-dedicated-lock-class-for-irq.patch
 gpiolib-cdev-add-gpio_device-locking-wrapper-around-.patch
+ksmbd-fix-wrong-name-of-smb2_create_allocation_size.patch
+drm-i915-mtl-limit-second-scaler-vertical-scaling-in.patch
+drm-i915-relocate-intel_atomic_setup_scalers.patch
+drm-i915-fix-intel_atomic_setup_scalers-plane_state-.patch
+smb-client-fix-null-deref-in-asn1_ber_decoder.patch
+smb-client-fix-oob-in-smb2_query_reparse_point.patch
diff --git a/queue-5.15/smb-client-fix-null-deref-in-asn1_ber_decoder.patch b/queue-5.15/smb-client-fix-null-deref-in-asn1_ber_decoder.patch
new file mode 100644
index 00000000000..d7e2792d14d
--- /dev/null
+++ b/queue-5.15/smb-client-fix-null-deref-in-asn1_ber_decoder.patch
@@ -0,0 +1,136 @@ +From fb278ac9dfe2e5d654654e1a4208053a5821617b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 10:26:42 -0300 +Subject: smb: client: fix NULL deref in asn1_ber_decoder() + +From: Paulo Alcantara + +[ Upstream commit 90d025c2e953c11974e76637977c473200593a46 ] + +If server replied SMB2_NEGOTIATE with a zero SecurityBufferOffset, +smb2_get_data_area() sets @len to non-zero but return NULL, so +decode_negTokeninit() ends up being called with a NULL @security_blob: + + BUG: kernel NULL pointer dereference, address: 0000000000000000 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 2 PID: 871 Comm: mount.cifs Not tainted 6.7.0-rc4 #2 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 + RIP: 0010:asn1_ber_decoder+0x173/0xc80 + Code: 01 4c 39 2c 24 75 09 45 84 c9 0f 85 2f 03 00 00 48 8b 14 24 4c 29 ea 48 83 fa 01 0f 86 1e 07 00 00 48 8b 74 24 28 4d 8d 5d 01 <42> 0f b6 3c 2e 89 fa 40 88 7c 24 5c f7 d2 83 e2 1f 0f 84 3d 07 00 + RSP: 0018:ffffc9000063f950 EFLAGS: 00010202 + RAX: 0000000000000002 RBX: 0000000000000000 RCX: 000000000000004a + RDX: 000000000000004a RSI: 0000000000000000 RDI: 0000000000000000 + RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 + R10: 0000000000000002 R11: 0000000000000001 R12: 0000000000000000 + R13: 0000000000000000 R14: 000000000000004d R15: 0000000000000000 + FS: 00007fce52b0fbc0(0000) GS:ffff88806ba00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 000000001ae64000 CR4: 0000000000750ef0 + PKRU: 55555554 + Call Trace: + + ? __die+0x23/0x70 + ? page_fault_oops+0x181/0x480 + ? __stack_depot_save+0x1e6/0x480 + ? exc_page_fault+0x6f/0x1c0 + ? asm_exc_page_fault+0x26/0x30 + ? asn1_ber_decoder+0x173/0xc80 + ? 
check_object+0x40/0x340 + decode_negTokenInit+0x1e/0x30 [cifs] + SMB2_negotiate+0xc99/0x17c0 [cifs] + ? smb2_negotiate+0x46/0x60 [cifs] + ? srso_alias_return_thunk+0x5/0xfbef5 + smb2_negotiate+0x46/0x60 [cifs] + cifs_negotiate_protocol+0xae/0x130 [cifs] + cifs_get_smb_ses+0x517/0x1040 [cifs] + ? srso_alias_return_thunk+0x5/0xfbef5 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? queue_delayed_work_on+0x5d/0x90 + cifs_mount_get_session+0x78/0x200 [cifs] + dfs_mount_share+0x13a/0x9f0 [cifs] + ? srso_alias_return_thunk+0x5/0xfbef5 + ? lock_acquire+0xbf/0x2b0 + ? find_nls+0x16/0x80 + ? srso_alias_return_thunk+0x5/0xfbef5 + cifs_mount+0x7e/0x350 [cifs] + cifs_smb3_do_mount+0x128/0x780 [cifs] + smb3_get_tree+0xd9/0x290 [cifs] + vfs_get_tree+0x2c/0x100 + ? capable+0x37/0x70 + path_mount+0x2d7/0xb80 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? _raw_spin_unlock_irqrestore+0x44/0x60 + __x64_sys_mount+0x11a/0x150 + do_syscall_64+0x47/0xf0 + entry_SYSCALL_64_after_hwframe+0x6f/0x77 + RIP: 0033:0x7fce52c2ab1e + +Fix this by setting @len to zero when @off == 0 so callers won't +attempt to dereference non-existing data areas. 
+
+Reported-by: Robert Morris
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2misc.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
+index 29b5554f6263f..e2f401c8c5ce7 100644
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -298,6 +298,9 @@ static const bool has_smb2_data_area[NUMBER_OF_SMB2_COMMANDS] = {
+ char *
+ smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr)
+ {
++ const int max_off = 4096;
++ const int max_len = 128 * 1024;
++
+ *off = 0;
+ *len = 0;
+
+@@ -369,29 +372,20 @@ smb2_get_data_area_len(int *off, int *len, struct smb2_sync_hdr *shdr)
+ * Invalid length or offset probably means data area is invalid, but
+ * we have little choice but to ignore the data area in this case.
+ */
+- if (*off > 4096) {
+- cifs_dbg(VFS, "offset %d too large, data area ignored\n", *off);
+- *len = 0;
+- *off = 0;
+- } else if (*off < 0) {
+- cifs_dbg(VFS, "negative offset %d to data invalid ignore data area\n",
+- *off);
++ if (unlikely(*off < 0 || *off > max_off ||
++ *len < 0 || *len > max_len)) {
++ cifs_dbg(VFS, "%s: invalid data area (off=%d len=%d)\n",
++ __func__, *off, *len);
+ *off = 0;
+ *len = 0;
+- } else if (*len < 0) {
+- cifs_dbg(VFS, "negative data length %d invalid, data area ignored\n",
+- *len);
+- *len = 0;
+- } else if (*len > 128 * 1024) {
+- cifs_dbg(VFS, "data area larger than 128K: %d\n", *len);
++ } else if (*off == 0) {
+ *len = 0;
+ }
+
+ /* return pointer to beginning of data area, ie offset from SMB start */
+- if ((*off != 0) && (*len != 0))
++ if (*off > 0 && *len > 0)
+ return (char *)shdr + *off;
+- else
+- return NULL;
++ return NULL;
+ }
+
+ /*
+--
+2.43.0
+
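Review bot: The new limits in smb2_get_data_area_len() are fixed caps (`max_off = 4096`, `max_len = 128 * 1024`), so the pointer produced by `return (char *)shdr + *off;` is checked against constants and not against the number of bytes actually received from the server. Whether callers compare `*off + *len` with the response length cannot be seen here, because the function body and its callers lie outside the two inner hunks; if they do not, a short reply could still yield a data area that runs past the buffer. A comment at the declarations would make the contract explicit, for example `/* sanity caps only; callers must still check off + len against the received length */`. The rewrite also changes behaviour beyond the `*off == 0` case named in the description: an oversized `*len` used to be logged and kept, and a negative `*len` left `*off` intact, whereas both are now zeroed, which deserves a line in the function comment.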
diff --git a/queue-5.15/smb-client-fix-oob-in-smb2_query_reparse_point.patch b/queue-5.15/smb-client-fix-oob-in-smb2_query_reparse_point.patch
new file mode 100644
index 00000000000..10e8f0f8edc
--- /dev/null
+++ b/queue-5.15/smb-client-fix-oob-in-smb2_query_reparse_point.patch
@@ -0,0 +1,120 @@ +From b9f113912596b6dd0a4ee80c68beb46dd6672cfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Dec 2023 10:26:43 -0300 +Subject: smb: client: fix OOB in smb2_query_reparse_point() + +From: Paulo Alcantara + +[ Upstream commit 3a42709fa909e22b0be4bb1e2795aa04ada732a3 ] + +Validate @ioctl_rsp->OutputOffset and @ioctl_rsp->OutputCount so that +their sum does not wrap to a number that is smaller than @reparse_buf +and we end up with a wild pointer as follows: + + BUG: unable to handle page fault for address: ffff88809c5cd45f + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 4a01067 P4D 4a01067 PUD 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 2 PID: 1260 Comm: mount.cifs Not tainted 6.7.0-rc4 #2 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS + rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014 + RIP: 0010:smb2_query_reparse_point+0x3e0/0x4c0 [cifs] + Code: ff ff e8 f3 51 fe ff 41 89 c6 58 5a 45 85 f6 0f 85 14 fe ff ff + 49 8b 57 48 8b 42 60 44 8b 42 64 42 8d 0c 00 49 39 4f 50 72 40 <8b> + 04 02 48 8b 9d f0 fe ff ff 49 8b 57 50 89 03 48 8b 9d e8 fe ff + RSP: 0018:ffffc90000347a90 EFLAGS: 00010212 + RAX: 000000008000001f RBX: ffff88800ae11000 RCX: 00000000000000ec + RDX: ffff88801c5cd440 RSI: 0000000000000000 RDI: ffffffff82004aa4 + RBP: ffffc90000347bb0 R08: 00000000800000cd R09: 0000000000000001 + R10: 0000000000000000 R11: 0000000000000024 R12: ffff8880114d4100 + R13: ffff8880114d4198 R14: 0000000000000000 R15: ffff8880114d4000 + FS: 00007f02c07babc0(0000) GS:ffff88806ba00000(0000) + knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffff88809c5cd45f CR3: 0000000011750000 CR4: 0000000000750ef0 + PKRU: 55555554 + Call Trace: + + ? __die+0x23/0x70 + ? page_fault_oops+0x181/0x480 + ? search_module_extables+0x19/0x60 + ? srso_alias_return_thunk+0x5/0xfbef5 + ? exc_page_fault+0x1b6/0x1c0 + ? asm_exc_page_fault+0x26/0x30 + ? 
_raw_spin_unlock_irqrestore+0x44/0x60
+ ? smb2_query_reparse_point+0x3e0/0x4c0 [cifs]
+ cifs_get_fattr+0x16e/0xa50 [cifs]
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? lock_acquire+0xbf/0x2b0
+ cifs_root_iget+0x163/0x5f0 [cifs]
+ cifs_smb3_do_mount+0x5bd/0x780 [cifs]
+ smb3_get_tree+0xd9/0x290 [cifs]
+ vfs_get_tree+0x2c/0x100
+ ? capable+0x37/0x70
+ path_mount+0x2d7/0xb80
+ ? srso_alias_return_thunk+0x5/0xfbef5
+ ? _raw_spin_unlock_irqrestore+0x44/0x60
+ __x64_sys_mount+0x11a/0x150
+ do_syscall_64+0x47/0xf0
+ entry_SYSCALL_64_after_hwframe+0x6f/0x77
+ RIP: 0033:0x7f02c08d5b1e
+
+Fixes: 2e4564b31b64 ("smb3: add support for stat of WSL reparse points for special file types")
+Cc: stable@vger.kernel.org
+Reported-by: Robert Morris
+Signed-off-by: Paulo Alcantara (SUSE)
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/smb2ops.c | 26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
+index 7c2ecbb17f542..f31da2647d042 100644
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -3263,7 +3263,7 @@ smb2_query_reparse_tag(const unsigned int xid, struct cifs_tcon *tcon,
+ struct kvec close_iov[1];
+ struct smb2_ioctl_rsp *ioctl_rsp;
+ struct reparse_data_buffer *reparse_buf;
+- u32 plen;
++ u32 off, count, len;
+
+ cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
+
+@@ -3343,16 +3343,22 @@ smb2_query_reparse_tag(const unsigned int xid, struct cifs_tcon *tcon,
+ */
+ if (rc == 0) {
+ /* See MS-FSCC 2.3.23 */
++ off = le32_to_cpu(ioctl_rsp->OutputOffset);
++ count = le32_to_cpu(ioctl_rsp->OutputCount);
++ if (check_add_overflow(off, count, &len) ||
++ len > rsp_iov[1].iov_len) {
++ cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",
++ __func__, off, count);
++ rc = -EIO;
++ goto query_rp_exit;
++ }
+
+- reparse_buf = (struct reparse_data_buffer *)
+- ((char *)ioctl_rsp +
+- le32_to_cpu(ioctl_rsp->OutputOffset));
+- plen = le32_to_cpu(ioctl_rsp->OutputCount);
+-
+- if (plen + le32_to_cpu(ioctl_rsp->OutputOffset) >
+- rsp_iov[1].iov_len) {
+- cifs_tcon_dbg(FYI, "srv returned invalid ioctl len: %d\n",
+- plen);
++ reparse_buf = (void *)((u8 *)ioctl_rsp + off);
++ len = sizeof(*reparse_buf);
++ if (count < len ||
++ count < le16_to_cpu(reparse_buf->ReparseDataLength) + len) {
++ cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%d count=%d\n",
++ __func__, off, count);
+ rc = -EIO;
+ goto query_rp_exit;
+ }
+--
+2.43.0
+
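Review bot: Both new `cifs_tcon_dbg()` calls in smb2_query_reparse_tag() print the u32 values `off` and `count` with `%d`, so the large server-supplied values these checks exist to reject are logged as negative numbers; the format should be `cifs_tcon_dbg(VFS, "%s: invalid ioctl: off=%u count=%u\n", __func__, off, count);`. The two messages are also identical, so a log line does not show whether the offset/count sum or the `ReparseDataLength` comparison failed; a distinct text on the second check would help when triaging a misbehaving server. The function starts and ends outside the inner hunks, so the rest of the response handling is not visible here.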