--- /dev/null
+From 04d8a1bbd7433b32bb4a2940287d699ada8d2e66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Jan 2023 11:14:45 -0500
+Subject: btrfs: replace strncpy() with strscpy()
+
+[ Upstream commit 63d5429f68a3d4c4aa27e65a05196c17f86c41d6 ]
+
+Using strncpy() on NUL-terminated strings are deprecated. To avoid
+possible forming of non-terminated string strscpy() should be used.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+CC: stable@vger.kernel.org # 4.9+
+Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ioctl.c | 9 +++------
+ fs/btrfs/rcu-string.h | 6 +++++-
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 752b5d265284..4f2513388567 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3234,13 +3234,10 @@ static long btrfs_ioctl_dev_info(struct btrfs_fs_info *fs_info,
+ di_args->bytes_used = btrfs_device_get_bytes_used(dev);
+ di_args->total_bytes = btrfs_device_get_total_bytes(dev);
+ memcpy(di_args->uuid, dev->uuid, sizeof(di_args->uuid));
+- if (dev->name) {
+- strncpy(di_args->path, rcu_str_deref(dev->name),
+- sizeof(di_args->path) - 1);
+- di_args->path[sizeof(di_args->path) - 1] = 0;
+- } else {
++ if (dev->name)
++ strscpy(di_args->path, rcu_str_deref(dev->name), sizeof(di_args->path));
++ else
+ di_args->path[0] = '\0';
+- }
+
+ out:
+ rcu_read_unlock();
+diff --git a/fs/btrfs/rcu-string.h b/fs/btrfs/rcu-string.h
+index a97dc74a4d3d..02f15321cecc 100644
+--- a/fs/btrfs/rcu-string.h
++++ b/fs/btrfs/rcu-string.h
+@@ -18,7 +18,11 @@ static inline struct rcu_string *rcu_string_strdup(const char *src, gfp_t mask)
+ (len * sizeof(char)), mask);
+ if (!ret)
+ return ret;
+- strncpy(ret->str, src, len);
++ /* Warn if the source got unexpectedly truncated. */
++ if (WARN_ON(strscpy(ret->str, src, len) < 0)) {
++ kfree(ret);
++ return NULL;
++ }
+ return ret;
+ }
+
+--
+2.35.1
+
--- /dev/null
+From d2685359f36d8f2468fd98c915db59231997cd89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Nov 2022 16:15:44 +0000
+Subject: btrfs: send: avoid unnecessary backref lookups when finding clone
+ source
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 22a3c0ac8ed0043af209a15928ae4c4855b0a4c4 ]
+
+At find_extent_clone(), unless we are given an inline extent, a file
+extent item that represents hole or an extent that starts beyond the
+i_size, we always do backref walking to look for clone sources, unless
+if we have more than SEND_MAX_EXTENT_REFS (64) known references on the
+extent.
+
+However if we know we only have one reference in the extent item and only
+one clone source (the send root), then it's pointless to do the backref
+walking to search for clone sources, as we can't clone from any other
+root. So skip the backref walking in that case.
+
+The following test was run on a non-debug kernel (Debian's default kernel
+config):
+
+ $ cat test.sh
+ #!/bin/bash
+
+ DEV=/dev/sdi
+ MNT=/mnt/sdi
+
+ mkfs.btrfs -f $DEV
+ mount $DEV $MNT
+
+ # Create an extent tree that's not too small and none of the
+ # extents is shared.
+ for ((i = 1; i <= 50000; i++)); do
+ xfs_io -f -c "pwrite 0 4K" $MNT/file_$i > /dev/null
+ echo -ne "\r$i files created..."
+ done
+ echo
+
+ btrfs subvolume snapshot -r $MNT $MNT/snap
+
+ start=$(date +%s%N)
+ btrfs send $MNT/snap > /dev/null
+ end=$(date +%s%N)
+
+ dur=$(( (end - start) / 1000000 ))
+ echo -e "\nsend took $dur milliseconds"
+
+ umount $MNT
+
+Before this change:
+
+ send took 5389 milliseconds
+
+After this change:
+
+ send took 4519 milliseconds (-16.1%)
+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: 63d5429f68a3 ("btrfs: replace strncpy() with strscpy()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index eb2f8e84ffc9..80d248e88761 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -1306,6 +1306,7 @@ static int find_extent_clone(struct send_ctx *sctx,
+ u64 disk_byte;
+ u64 num_bytes;
+ u64 extent_item_pos;
++ u64 extent_refs;
+ u64 flags = 0;
+ struct btrfs_file_extent_item *fi;
+ struct extent_buffer *eb = path->nodes[0];
+@@ -1373,14 +1374,22 @@ static int find_extent_clone(struct send_ctx *sctx,
+
+ ei = btrfs_item_ptr(tmp_path->nodes[0], tmp_path->slots[0],
+ struct btrfs_extent_item);
++ extent_refs = btrfs_extent_refs(tmp_path->nodes[0], ei);
+ /*
+ * Backreference walking (iterate_extent_inodes() below) is currently
+ * too expensive when an extent has a large number of references, both
+ * in time spent and used memory. So for now just fallback to write
+ * operations instead of clone operations when an extent has more than
+ * a certain amount of references.
++ *
++ * Also, if we have only one reference and only the send root as a clone
++ * source - meaning no clone roots were given in the struct
++ * btrfs_ioctl_send_args passed to the send ioctl - then it's our
++ * reference and there's no point in doing backref walking which is
++ * expensive, so exit early.
+ */
+- if (btrfs_extent_refs(tmp_path->nodes[0], ei) > SEND_MAX_EXTENT_REFS) {
++ if ((extent_refs == 1 && sctx->clone_roots_cnt == 1) ||
++ extent_refs > SEND_MAX_EXTENT_REFS) {
+ ret = -ENOENT;
+ goto out;
+ }
+--
+2.35.1
+
--- /dev/null
+From ac9f434bfefa980fb11e05791cb7c51e0262218e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 16:02:26 +0530
+Subject: media: s5p-mfc: Clear workbit to handle error condition
+
+From: Smitha T Murthy <smitha.t@samsung.com>
+
+[ Upstream commit d3f3c2fe54e30b0636496d842ffbb5ad3a547f9b ]
+
+During error on CLOSE_INSTANCE command, ctx_work_bits was not getting
+cleared. During consequent mfc execution NULL pointer dereferencing of
+this context led to kernel panic. This patch fixes this issue by making
+sure to clear ctx_work_bits always.
+
+Fixes: 818cd91ab8c6 ("[media] s5p-mfc: Extract open/close MFC instance commands")
+Cc: stable@vger.kernel.org
+Cc: linux-fsd@tesla.com
+Signed-off-by: Smitha T Murthy <smitha.t@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c b/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c
+index ee7b15b335e0..31bbf1cc5388 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c
+@@ -472,8 +472,10 @@ void s5p_mfc_close_mfc_inst(struct s5p_mfc_dev *dev, struct s5p_mfc_ctx *ctx)
+ s5p_mfc_hw_call(dev->mfc_ops, try_run, dev);
+ /* Wait until instance is returned or timeout occurred */
+ if (s5p_mfc_wait_for_done_ctx(ctx,
+- S5P_MFC_R2H_CMD_CLOSE_INSTANCE_RET, 0))
++ S5P_MFC_R2H_CMD_CLOSE_INSTANCE_RET, 0)){
++ clear_work_bit_irqsave(ctx);
+ mfc_err("Err returning instance\n");
++ }
+
+ /* Free resources */
+ s5p_mfc_hw_call(dev->mfc_ops, release_codec_buffers, ctx);
+--
+2.35.1
+
--- /dev/null
+From 9220e71c8b3755b419983e33bc8c702ed8b6e4c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 16:02:25 +0530
+Subject: media: s5p-mfc: Fix in register read and write for H264
+
+From: Smitha T Murthy <smitha.t@samsung.com>
+
+[ Upstream commit 06710cd5d2436135046898d7e4b9408c8bb99446 ]
+
+Few of the H264 encoder registers written were not getting reflected
+since the read values were not stored and getting overwritten.
+
+Fixes: 6a9c6f681257 ("[media] s5p-mfc: Add variants to access mfc registers")
+
+Cc: stable@vger.kernel.org
+Cc: linux-fsd@tesla.com
+Signed-off-by: Smitha T Murthy <smitha.t@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c b/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c
+index 7c629be43205..1171b76df036 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c
+@@ -1063,7 +1063,7 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx)
+ }
+
+ /* aspect ratio VUI */
+- readl(mfc_regs->e_h264_options);
++ reg = readl(mfc_regs->e_h264_options);
+ reg &= ~(0x1 << 5);
+ reg |= ((p_h264->vui_sar & 0x1) << 5);
+ writel(reg, mfc_regs->e_h264_options);
+@@ -1086,7 +1086,7 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx)
+
+ /* intra picture period for H.264 open GOP */
+ /* control */
+- readl(mfc_regs->e_h264_options);
++ reg = readl(mfc_regs->e_h264_options);
+ reg &= ~(0x1 << 4);
+ reg |= ((p_h264->open_gop & 0x1) << 4);
+ writel(reg, mfc_regs->e_h264_options);
+@@ -1100,23 +1100,23 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx)
+ }
+
+ /* 'WEIGHTED_BI_PREDICTION' for B is disable */
+- readl(mfc_regs->e_h264_options);
++ reg = readl(mfc_regs->e_h264_options);
+ reg &= ~(0x3 << 9);
+ writel(reg, mfc_regs->e_h264_options);
+
+ /* 'CONSTRAINED_INTRA_PRED_ENABLE' is disable */
+- readl(mfc_regs->e_h264_options);
++ reg = readl(mfc_regs->e_h264_options);
+ reg &= ~(0x1 << 14);
+ writel(reg, mfc_regs->e_h264_options);
+
+ /* ASO */
+- readl(mfc_regs->e_h264_options);
++ reg = readl(mfc_regs->e_h264_options);
+ reg &= ~(0x1 << 6);
+ reg |= ((p_h264->aso & 0x1) << 6);
+ writel(reg, mfc_regs->e_h264_options);
+
+ /* hier qp enable */
+- readl(mfc_regs->e_h264_options);
++ reg = readl(mfc_regs->e_h264_options);
+ reg &= ~(0x1 << 8);
+ reg |= ((p_h264->open_gop & 0x1) << 8);
+ writel(reg, mfc_regs->e_h264_options);
+@@ -1137,7 +1137,7 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx)
+ writel(reg, mfc_regs->e_h264_num_t_layer);
+
+ /* frame packing SEI generation */
+- readl(mfc_regs->e_h264_options);
++ reg = readl(mfc_regs->e_h264_options);
+ reg &= ~(0x1 << 25);
+ reg |= ((p_h264->sei_frame_packing & 0x1) << 25);
+ writel(reg, mfc_regs->e_h264_options);
+--
+2.35.1
+
--- /dev/null
+From 59ea515c99d1aa3f35fb91df7c48857851566ade Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 7 Sep 2022 16:02:27 +0530
+Subject: media: s5p-mfc: Fix to handle reference queue during finishing
+
+From: Smitha T Murthy <smitha.t@samsung.com>
+
+[ Upstream commit d8a46bc4e1e0446459daa77c4ce14218d32dacf9 ]
+
+On receiving last buffer driver puts MFC to MFCINST_FINISHING state which
+in turn skips transferring of frame from SRC to REF queue. This causes
+driver to stop MFC encoding and last frame is lost.
+
+This patch guarantees safe handling of frames during MFCINST_FINISHING and
+correct clearing of workbit to avoid early stopping of encoding.
+
+Fixes: af9357467810 ("[media] MFC: Add MFC 5.1 V4L2 driver")
+
+Cc: stable@vger.kernel.org
+Cc: linux-fsd@tesla.com
+Signed-off-by: Smitha T Murthy <smitha.t@samsung.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc_enc.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c b/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c
+index 3ad4f5073002..cc8d101eb2b0 100644
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c
+@@ -1224,6 +1224,7 @@ static int enc_post_frame_start(struct s5p_mfc_ctx *ctx)
+ unsigned long mb_y_addr, mb_c_addr;
+ int slice_type;
+ unsigned int strm_size;
++ bool src_ready;
+
+ slice_type = s5p_mfc_hw_call(dev->mfc_ops, get_enc_slice_type, dev);
+ strm_size = s5p_mfc_hw_call(dev->mfc_ops, get_enc_strm_size, dev);
+@@ -1263,7 +1264,8 @@ static int enc_post_frame_start(struct s5p_mfc_ctx *ctx)
+ }
+ }
+ }
+- if ((ctx->src_queue_cnt > 0) && (ctx->state == MFCINST_RUNNING)) {
++ if (ctx->src_queue_cnt > 0 && (ctx->state == MFCINST_RUNNING ||
++ ctx->state == MFCINST_FINISHING)) {
+ mb_entry = list_entry(ctx->src_queue.next, struct s5p_mfc_buf,
+ list);
+ if (mb_entry->flags & MFC_BUF_FLAG_USED) {
+@@ -1294,7 +1296,13 @@ static int enc_post_frame_start(struct s5p_mfc_ctx *ctx)
+ vb2_set_plane_payload(&mb_entry->b->vb2_buf, 0, strm_size);
+ vb2_buffer_done(&mb_entry->b->vb2_buf, VB2_BUF_STATE_DONE);
+ }
+- if ((ctx->src_queue_cnt == 0) || (ctx->dst_queue_cnt == 0))
++
++ src_ready = true;
++ if (ctx->state == MFCINST_RUNNING && ctx->src_queue_cnt == 0)
++ src_ready = false;
++ if (ctx->state == MFCINST_FINISHING && ctx->ref_queue_cnt == 0)
++ src_ready = false;
++ if (!src_ready || ctx->dst_queue_cnt == 0)
+ clear_work_bit(ctx);
+
+ return 0;
+--
+2.35.1
+
ext4-avoid-unaccounted-block-allocation-when-expanding-inode.patch
ext4-allocate-extended-attribute-value-in-vmalloc-area.patch
drm-amdgpu-make-display-pinning-more-flexible-v2.patch
+btrfs-send-avoid-unnecessary-backref-lookups-when-fi.patch
+btrfs-replace-strncpy-with-strscpy.patch
+media-s5p-mfc-fix-to-handle-reference-queue-during-f.patch
+media-s5p-mfc-clear-workbit-to-handle-error-conditio.patch
+media-s5p-mfc-fix-in-register-read-and-write-for-h26.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
