From: Greg Kroah-Hartman Date: Mon, 6 Jun 2022 13:49:18 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.10.121~85 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5604c36f8df322883c54f39f1dba69372b7e21ab;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: drm-amdgpu-cs-make-commands-with-0-chunks-illegal-behaviour.patch drm-bridge-analogix_dp-grab-runtime-pm-reference-for-dp-aux.patch drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch md-fix-an-incorrect-null-check-in-md_reload_sb.patch media-coda-add-more-h264-levels-for-coda960.patch media-coda-fix-reported-h264-profile.patch
---
diff --git a/queue-4.19/drm-amdgpu-cs-make-commands-with-0-chunks-illegal-behaviour.patch b/queue-4.19/drm-amdgpu-cs-make-commands-with-0-chunks-illegal-behaviour.patch
new file mode 100644
index 00000000000..6c2d83df9b9
--- /dev/null
+++ b/queue-4.19/drm-amdgpu-cs-make-commands-with-0-chunks-illegal-behaviour.patch
@@ -0,0 +1,64 @@
+From 31ab27b14daaa75541a415c6794d6f3567fea44a Mon Sep 17 00:00:00 2001
+From: Dave Airlie
+Date: Mon, 23 May 2022 10:24:18 +1000
+Subject: drm/amdgpu/cs: make commands with 0 chunks illegal behaviour.
+
+From: Dave Airlie
+
+commit 31ab27b14daaa75541a415c6794d6f3567fea44a upstream.
+
+Submitting a cs with 0 chunks, causes an oops later, found trying
+to execute the wrong userspace driver.
+
+MESA_LOADER_DRIVER_OVERRIDE=v3d glxinfo
+
+[172536.665184] BUG: kernel NULL pointer dereference, address: 00000000000001d8
+[172536.665188] #PF: supervisor read access in kernel mode
+[172536.665189] #PF: error_code(0x0000) - not-present page
+[172536.665191] PGD 6712a0067 P4D 6712a0067 PUD 5af9ff067 PMD 0
+[172536.665195] Oops: 0000 [#1] SMP NOPTI
+[172536.665197] CPU: 7 PID: 2769838 Comm: glxinfo Tainted: P O 5.10.81 #1-NixOS
+[172536.665199] Hardware name: To be filled by O.E.M. To be filled by O.E.M./CROSSHAIR V FORMULA-Z, BIOS 2201 03/23/2015
+[172536.665272] RIP: 0010:amdgpu_cs_ioctl+0x96/0x1ce0 [amdgpu]
+[172536.665274] Code: 75 18 00 00 4c 8b b2 88 00 00 00 8b 46 08 48 89 54 24 68 49 89 f7 4c 89 5c 24 60 31 d2 4c 89 74 24 30 85 c0 0f 85 c0 01 00 00 <48> 83 ba d8 01 00 00 00 48 8b b4 24 90 00 00 00 74 16 48 8b 46 10
+[172536.665276] RSP: 0018:ffffb47c0e81bbe0 EFLAGS: 00010246
+[172536.665277] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[172536.665278] RDX: 0000000000000000 RSI: ffffb47c0e81be28 RDI: ffffb47c0e81bd68
+[172536.665279] RBP: ffff936524080010 R08: 0000000000000000 R09: ffffb47c0e81be38
+[172536.665281] R10: ffff936524080010 R11: ffff936524080000 R12: ffffb47c0e81bc40
+[172536.665282] R13: ffffb47c0e81be28 R14: ffff9367bc410000 R15: ffffb47c0e81be28
+[172536.665283] FS: 00007fe35e05d740(0000) GS:ffff936c1edc0000(0000) knlGS:0000000000000000
+[172536.665284] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[172536.665286] CR2: 00000000000001d8 CR3: 0000000532e46000 CR4: 00000000000406e0
+[172536.665287] Call Trace:
+[172536.665322] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]
+[172536.665332] drm_ioctl_kernel+0xaa/0xf0 [drm]
+[172536.665338] drm_ioctl+0x201/0x3b0 [drm]
+[172536.665369] ? amdgpu_cs_find_mapping+0x110/0x110 [amdgpu]
+[172536.665372] ? selinux_file_ioctl+0x135/0x230
+[172536.665399] amdgpu_drm_ioctl+0x49/0x80 [amdgpu]
+[172536.665403] __x64_sys_ioctl+0x83/0xb0
+[172536.665406] do_syscall_64+0x33/0x40
+[172536.665409] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2018
+Signed-off-by: Dave Airlie
+Cc: stable@vger.kernel.org
+Reviewed-by: Alex Deucher
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+@@ -110,7 +110,7 @@ static int amdgpu_cs_parser_init(struct
+ int ret;
+
+ if (cs->in.num_chunks == 0)
+- return 0;
++ return -EINVAL;
+
+ chunk_array = kmalloc_array(cs->in.num_chunks, sizeof(uint64_t), GFP_KERNEL);
+ if (!chunk_array)
diff --git a/queue-4.19/drm-bridge-analogix_dp-grab-runtime-pm-reference-for-dp-aux.patch b/queue-4.19/drm-bridge-analogix_dp-grab-runtime-pm-reference-for-dp-aux.patch
new file mode 100644
index 00000000000..d16f5094c03
--- /dev/null
+++ b/queue-4.19/drm-bridge-analogix_dp-grab-runtime-pm-reference-for-dp-aux.patch
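Review bot: The new `return -EINVAL` in amdgpu_cs_parser_init() has no comment saying why an empty submission is rejected, so the reason is only recoverable from the commit message. Since `cs->in.num_chunks` appears to come from the ioctl argument, I would add `/* Reject an empty CS: with no chunks the ioctl went on to a NULL dereference in amdgpu_cs_ioctl(). */` above the check so the validation is not relaxed again later. `kmalloc_array()` guards the size multiplication, but no upper bound on the caller-supplied count is visible in this hunk; that may be enforced elsewhere and is worth confirming. The function body continues outside the hunk.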
@@ -0,0 +1,54 @@
+From 8fb6c44fe8468f92ac7b8bbfcca4404a4e88645f Mon Sep 17 00:00:00 2001
+From: Brian Norris
+Date: Tue, 1 Mar 2022 18:11:38 -0800
+Subject: drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX
+
+From: Brian Norris
+
+commit 8fb6c44fe8468f92ac7b8bbfcca4404a4e88645f upstream.
+
+If the display is not enable()d, then we aren't holding a runtime PM
+reference here. Thus, it's easy to accidentally cause a hang, if user
+space is poking around at /dev/drm_dp_aux0 at the "wrong" time.
+
+Let's get a runtime PM reference, and check that we "see" the panel.
+Don't force any panel power-up, etc., because that can be intrusive, and
+that's not what other drivers do (see
+drivers/gpu/drm/bridge/ti-sn65dsi86.c and
+drivers/gpu/drm/bridge/parade-ps8640.c.)
+
+Fixes: 0d97ad03f422 ("drm/bridge: analogix_dp: Remove duplicated code")
+Cc:
+Cc: Tomeu Vizoso
+Signed-off-by: Brian Norris
+Reviewed-by: Douglas Anderson
+Signed-off-by: Douglas Anderson
+Link: https://patchwork.freedesktop.org/patch/msgid/20220301181107.v4.1.I773a08785666ebb236917b0c8e6c05e3de471e75@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
++++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c
+@@ -1514,8 +1514,19 @@ static ssize_t analogix_dpaux_transfer(s
+ struct drm_dp_aux_msg *msg)
+ {
+ struct analogix_dp_device *dp = to_dp(aux);
++ int ret;
+
+- return analogix_dp_transfer(dp, msg);
++ pm_runtime_get_sync(dp->dev);
++
++ ret = analogix_dp_detect_hpd(dp);
++ if (ret)
++ goto out;
++
++ ret = analogix_dp_transfer(dp, msg);
++out:
++ pm_runtime_put(dp->dev);
++
++ return ret;
+ }
+
+ struct analogix_dp_device *
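Review bot: The result of `pm_runtime_get_sync(dp->dev)` is discarded in analogix_dpaux_transfer(), so a failed resume still falls through to `analogix_dp_detect_hpd()` and the AUX transfer on a device that may not be powered. I would capture it with `ret = pm_runtime_get_sync(dp->dev);` followed by `if (ret < 0) goto out;`. The existing `out:` label already calls `pm_runtime_put()`, which keeps the usage count balanced because get_sync increments it even when it fails. It is also worth confirming that `analogix_dp_detect_hpd()` returns a negative errno, since its value is handed back to the AUX caller as the `ssize_t` result.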
diff --git a/queue-4.19/drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch b/queue-4.19/drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch
new file mode 100644
index 00000000000..d7f1e5b5bd2
--- /dev/null
+++ b/queue-4.19/drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch
@@ -0,0 +1,58 @@
+From 1c3b2a27def609473ed13b1cd668cb10deab49b4 Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong
+Date: Sun, 27 Mar 2022 15:58:24 +0800
+Subject: drm/nouveau/clk: Fix an incorrect NULL check on list iterator
+
+From: Xiaomeng Tong
+
+commit 1c3b2a27def609473ed13b1cd668cb10deab49b4 upstream.
+
+The bug is here:
+ if (nvkm_cstate_valid(clk, cstate, max_volt, clk->temp))
+ return cstate;
+
+The list iterator value 'cstate' will *always* be set and non-NULL
+by list_for_each_entry_from_reverse(), so it is incorrect to assume
+that the iterator value will be unchanged if the list is empty or no
+element is found (In fact, it will be a bogus pointer to an invalid
+structure object containing the HEAD). Also it missed a NULL check
+at callsite and may lead to invalid memory access after that.
+
+To fix this bug, just return 'encoder' when found, otherwise return
+NULL. And add the NULL check.
+
+Cc: stable@vger.kernel.org
+Fixes: 1f7f3d91ad38a ("drm/nouveau/clk: Respect voltage limits in nvkm_cstate_prog")
+Signed-off-by: Xiaomeng Tong
+Reviewed-by: Lyude Paul
+Signed-off-by: Lyude Paul
+Link: https://patchwork.freedesktop.org/patch/msgid/20220327075824.11806-1-xiam0nd.tong@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
+@@ -134,10 +134,10 @@ nvkm_cstate_find_best(struct nvkm_clk *c
+
+ list_for_each_entry_from_reverse(cstate, &pstate->list, head) {
+ if (nvkm_cstate_valid(clk, cstate, max_volt, clk->temp))
+- break;
++ return cstate;
+ }
+
+- return cstate;
++ return NULL;
+ }
+
+ static struct nvkm_cstate *
+@@ -168,6 +168,8 @@ nvkm_cstate_prog(struct nvkm_clk *clk, s
+ if (!list_empty(&pstate->list)) {
+ cstate = nvkm_cstate_get(clk, pstate, cstatei);
+ cstate = nvkm_cstate_find_best(clk, pstate, cstate);
++ if (!cstate)
++ return -EINVAL;
+ } else {
+ cstate = &pstate->base;
+ }
diff --git a/queue-4.19/md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch b/queue-4.19/md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch
new file mode 100644
index 00000000000..61ecb5dc966
--- /dev/null
+++ b/queue-4.19/md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch
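Review bot: nvkm_cstate_find_best() now ends in `return NULL;` when no entry passes `nvkm_cstate_valid()`, and nothing in the hunk documents that for callers. I would add a header comment such as `/* Returns the first valid cstate found walking back from @cstate, or NULL if none is valid. */`, and check any other caller (none is visible here) for the same NULL test that nvkm_cstate_prog() gains. In nvkm_cstate_prog() the new `return -EINVAL;` fails the call when the list is non-empty but nothing validates, while the empty-list branch falls back to `&pstate->base`; a short comment should say that failing rather than falling back is intended. Both functions extend beyond the visible hunks.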
@@ -0,0 +1,55 @@
+From fc8738343eefc4ea8afb6122826dea48eacde514 Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong
+Date: Fri, 8 Apr 2022 16:37:28 +0800
+Subject: md: fix an incorrect NULL check in does_sb_need_changing
+
+From: Xiaomeng Tong
+
+commit fc8738343eefc4ea8afb6122826dea48eacde514 upstream.
+
+The bug is here:
+ if (!rdev)
+
+The list iterator value 'rdev' will *always* be set and non-NULL
+by rdev_for_each(), so it is incorrect to assume that the iterator
+value will be NULL if the list is empty or no element found.
+Otherwise it will bypass the NULL check and lead to invalid memory
+access passing the check.
+
+To fix the bug, use a new variable 'iter' as the list iterator,
+while using the original variable 'rdev' as a dedicated pointer to
+point to the found element.
+
+Cc: stable@vger.kernel.org
+Fixes: 2aa82191ac36 ("md-cluster: Perform a lazy update")
+Acked-by: Guoqing Jiang
+Signed-off-by: Xiaomeng Tong
+Acked-by: Goldwyn Rodrigues
+Signed-off-by: Song Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/md.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -2443,14 +2443,16 @@ static void sync_sbs(struct mddev *mddev
+
+ static bool does_sb_need_changing(struct mddev *mddev)
+ {
+- struct md_rdev *rdev;
++ struct md_rdev *rdev = NULL, *iter;
+ struct mdp_superblock_1 *sb;
+ int role;
+
+ /* Find a good rdev */
+- rdev_for_each(rdev, mddev)
+- if ((rdev->raid_disk >= 0) && !test_bit(Faulty, &rdev->flags))
++ rdev_for_each(iter, mddev)
++ if ((iter->raid_disk >= 0) && !test_bit(Faulty, &iter->flags)) {
++ rdev = iter;
+ break;
++ }
+
+ /* No good device found. */
+ if (!rdev)
diff --git a/queue-4.19/md-fix-an-incorrect-null-check-in-md_reload_sb.patch b/queue-4.19/md-fix-an-incorrect-null-check-in-md_reload_sb.patch
new file mode 100644
index 00000000000..985f55161d7
--- /dev/null
+++ b/queue-4.19/md-fix-an-incorrect-null-check-in-md_reload_sb.patch
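Review bot: In does_sb_need_changing() the `rdev_for_each(iter, mddev)` loop is left unbraced although its body is now a four-line `if { … }` block, whereas the sibling fix in md_reload_sb braces the same construct. I would open the loop with `rdev_for_each(iter, mddev) {` and close it after the `if`, so a statement added later at that indent cannot silently land outside the loop. A one-line comment such as `/* iter is only meaningful inside the loop; rdev stays NULL when nothing matches */` would also record the invariant this fix relies on. The function continues past the end of the hunk.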
@@ -0,0 +1,57 @@
+From 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 Mon Sep 17 00:00:00 2001
+From: Xiaomeng Tong
+Date: Fri, 8 Apr 2022 16:47:15 +0800
+Subject: md: fix an incorrect NULL check in md_reload_sb
+
+From: Xiaomeng Tong
+
+commit 64c54d9244a4efe9bc6e9c98e13c4bbb8bb39083 upstream.
+
+The bug is here:
+ if (!rdev || rdev->desc_nr != nr) {
+
+The list iterator value 'rdev' will *always* be set and non-NULL
+by rdev_for_each_rcu(), so it is incorrect to assume that the
+iterator value will be NULL if the list is empty or no element
+found (In fact, it will be a bogus pointer to an invalid struct
+object containing the HEAD). Otherwise it will bypass the check
+and lead to invalid memory access passing the check.
+
+To fix the bug, use a new variable 'iter' as the list iterator,
+while using the original variable 'pdev' as a dedicated pointer to
+point to the found element.
+
+Cc: stable@vger.kernel.org
+Fixes: 70bcecdb1534 ("md-cluster: Improve md_reload_sb to be less error prone")
+Signed-off-by: Xiaomeng Tong
+Signed-off-by: Song Liu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/md/md.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -9325,16 +9325,18 @@ static int read_rdev(struct mddev *mddev
+
+ void md_reload_sb(struct mddev *mddev, int nr)
+ {
+- struct md_rdev *rdev;
++ struct md_rdev *rdev = NULL, *iter;
+ int err;
+
+ /* Find the rdev */
+- rdev_for_each_rcu(rdev, mddev) {
+- if (rdev->desc_nr == nr)
++ rdev_for_each_rcu(iter, mddev) {
++ if (iter->desc_nr == nr) {
++ rdev = iter;
+ break;
++ }
+ }
+
+- if (!rdev || rdev->desc_nr != nr) {
++ if (!rdev) {
+ pr_warn("%s: %d Could not find rdev with nr %d\n", __func__, __LINE__, nr);
+ return;
+ }
diff --git a/queue-4.19/media-coda-add-more-h264-levels-for-coda960.patch b/queue-4.19/media-coda-add-more-h264-levels-for-coda960.patch
new file mode 100644
index 00000000000..431a6406827
--- /dev/null
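Review bot: md_reload_sb() keeps the matched `rdev` for use after the `rdev_for_each_rcu()` walk has finished, and the visible lines show neither an `rcu_read_lock()` nor a comment naming the lock that keeps that entry alive. I would add a comment above the loop along the lines of `/* caller holds <lock name>, so rdev cannot go away while it is used below */` with the real lock filled in, or use the non-RCU iterator if that lock already serialises changes to the list. The function starts and ends outside the hunk, so the protection may well exist there; the point is that it is not stated where the pointer is captured.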
+++ b/queue-4.19/media-coda-add-more-h264-levels-for-coda960.patch 
@@ -0,0 +1,51 @@
+From eb2fd187abc878a2dfad46902becb74963473c7d Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne
+Date: Wed, 6 Apr 2022 21:23:43 +0100
+Subject: media: coda: Add more H264 levels for CODA960
+
+From: Nicolas Dufresne
+
+commit eb2fd187abc878a2dfad46902becb74963473c7d upstream.
+
+Add H264 level 1.0, 4.1, 4.2 to the list of supported formats.
+While the hardware does not fully support these levels, it does support
+most of them. The constraints on frame size and pixel formats already
+cover the limitation.
+
+This fixes negotiation of level on GStreamer 1.17.1.
+
+Cc: stable@vger.kernel.org
+Fixes: 42a68012e67c2 ("media: coda: add read-only h.264 decoder profile/level controls")
+Suggested-by: Philipp Zabel
+Signed-off-by: Nicolas Dufresne
+Signed-off-by: Ezequiel Garcia
+Signed-off-by: Fabio Estevam
+Reviewed-by: Philipp Zabel
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/coda/coda-common.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/coda/coda-common.c
++++ b/drivers/media/platform/coda/coda-common.c
+@@ -1909,12 +1909,15 @@ static void coda_encode_ctrls(struct cod
+ if (ctx->dev->devtype->product == CODA_960) {
+ v4l2_ctrl_new_std_menu(&ctx->ctrls, &coda_ctrl_ops,
+ V4L2_CID_MPEG_VIDEO_H264_LEVEL,
+- V4L2_MPEG_VIDEO_H264_LEVEL_4_0,
+- ~((1 << V4L2_MPEG_VIDEO_H264_LEVEL_2_0) |
++ V4L2_MPEG_VIDEO_H264_LEVEL_4_2,
++ ~((1 << V4L2_MPEG_VIDEO_H264_LEVEL_1_0) |
++ (1 << V4L2_MPEG_VIDEO_H264_LEVEL_2_0) |
+ (1 << V4L2_MPEG_VIDEO_H264_LEVEL_3_0) |
+ (1 << V4L2_MPEG_VIDEO_H264_LEVEL_3_1) |
+ (1 << V4L2_MPEG_VIDEO_H264_LEVEL_3_2) |
+- (1 << V4L2_MPEG_VIDEO_H264_LEVEL_4_0)),
++ (1 << V4L2_MPEG_VIDEO_H264_LEVEL_4_0) |
++ (1 << V4L2_MPEG_VIDEO_H264_LEVEL_4_1) |
++ (1 << V4L2_MPEG_VIDEO_H264_LEVEL_4_2)),
+ V4L2_MPEG_VIDEO_H264_LEVEL_4_0);
+ }
+ v4l2_ctrl_new_std(&ctx->ctrls, &coda_ctrl_ops,
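Review bot: The enlarged level menu in coda_encode_ctrls() advertises levels 1.0, 4.1 and 4.2 with no comment, although the commit message itself says the hardware does not fully support them and relies on the frame-size and pixel-format constraints to cover the gap. I would put that reasoning next to the mask, for example `/* 1.0, 4.1 and 4.2 are only partly supported; frame size and pixel format limits bound what is actually accepted */`. It is also worth checking that whatever consumes the selected level, which is not visible in this hunk, handles the three new values rather than dropping into a default or error path. The default stays at `V4L2_MPEG_VIDEO_H264_LEVEL_4_0`, which looks intentional.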
diff --git a/queue-4.19/media-coda-fix-reported-h264-profile.patch b/queue-4.19/media-coda-fix-reported-h264-profile.patch
new file mode 100644
index 00000000000..35da177cc54
--- /dev/null
+++ b/queue-4.19/media-coda-fix-reported-h264-profile.patch
@@ -0,0 +1,56 @@
+From 7110c08ea71953a7fc342f0b76046f72442cf26c Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne
+Date: Wed, 6 Apr 2022 21:23:42 +0100
+Subject: media: coda: Fix reported H264 profile
+
+From: Nicolas Dufresne
+
+commit 7110c08ea71953a7fc342f0b76046f72442cf26c upstream.
+
+The CODA960 manual states that ASO/FMO features of baseline are not
+supported, so for this reason this driver should only report
+constrained baseline support.
+
+This fixes negotiation issue with constrained baseline content
+on GStreamer 1.17.1.
+
+ASO/FMO features are unsupported for the encoder and untested for the
+decoder because there is currently no userspace support. Neither GStreamer
+parsers nor FFMPEG parsers support ASO/FMO.
+
+Cc: stable@vger.kernel.org
+Fixes: 42a68012e67c2 ("media: coda: add read-only h.264 decoder profile/level controls")
+Signed-off-by: Nicolas Dufresne
+Signed-off-by: Ezequiel Garcia
+Tested-by: Pascal Speck
+Signed-off-by: Fabio Estevam
+Reviewed-by: Philipp Zabel
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/coda/coda-common.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/coda/coda-common.c
++++ b/drivers/media/platform/coda/coda-common.c
+@@ -1894,8 +1894,8 @@ static void coda_encode_ctrls(struct cod
+ 0x0, V4L2_MPEG_VIDEO_H264_LOOP_FILTER_MODE_ENABLED);
+ v4l2_ctrl_new_std_menu(&ctx->ctrls, &coda_ctrl_ops,
+ V4L2_CID_MPEG_VIDEO_H264_PROFILE,
+- V4L2_MPEG_VIDEO_H264_PROFILE_BASELINE, 0x0,
+- V4L2_MPEG_VIDEO_H264_PROFILE_BASELINE);
++ V4L2_MPEG_VIDEO_H264_PROFILE_CONSTRAINED_BASELINE, 0x0,
++ V4L2_MPEG_VIDEO_H264_PROFILE_CONSTRAINED_BASELINE);
+ if (ctx->dev->devtype->product == CODA_HX4 ||
+ ctx->dev->devtype->product == CODA_7541) {
+ v4l2_ctrl_new_std_menu(&ctx->ctrls, &coda_ctrl_ops,
+@@ -1977,7 +1977,7 @@ static void coda_decode_ctrls(struct cod
+ ctx->h264_profile_ctrl = v4l2_ctrl_new_std_menu(&ctx->ctrls,
+ &coda_ctrl_ops, V4L2_CID_MPEG_VIDEO_H264_PROFILE,
+ V4L2_MPEG_VIDEO_H264_PROFILE_HIGH,
+- ~((1 << V4L2_MPEG_VIDEO_H264_PROFILE_BASELINE) |
++ ~((1 << V4L2_MPEG_VIDEO_H264_PROFILE_CONSTRAINED_BASELINE) |
+ (1 << V4L2_MPEG_VIDEO_H264_PROFILE_MAIN) |
+ (1 << V4L2_MPEG_VIDEO_H264_PROFILE_HIGH)),
+ V4L2_MPEG_VIDEO_H264_PROFILE_HIGH);
diff --git a/queue-4.19/series b/queue-4.19/series
index a997327c0d9..2d4bd8d3b4a 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -160,3 +160,10 @@ dlm-fix-missing-lkb-refcount-handling.patch
 ocfs2-dlmfs-fix-error-handling-of-user_dlm_destroy_lock.patch
 scsi-dc395x-fix-a-missing-check-on-list-iterator.patch
 scsi-ufs-qcom-add-a-readl-to-make-sure-ref_clk-gets-enabled.patch
+drm-amdgpu-cs-make-commands-with-0-chunks-illegal-behaviour.patch
+drm-nouveau-clk-fix-an-incorrect-null-check-on-list-iterator.patch
+drm-bridge-analogix_dp-grab-runtime-pm-reference-for-dp-aux.patch
+md-fix-an-incorrect-null-check-in-does_sb_need_changing.patch
+md-fix-an-incorrect-null-check-in-md_reload_sb.patch
+media-coda-fix-reported-h264-profile.patch
+media-coda-add-more-h264-levels-for-coda960.patch
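Review bot: In the coda_encode_ctrls() hunk the skip mask is still `0x0` while the maximum moved up to `V4L2_MPEG_VIDEO_H264_PROFILE_CONSTRAINED_BASELINE`. Menu items start at 0, so this appears to leave `V4L2_MPEG_VIDEO_H264_PROFILE_BASELINE` selectable on the encoder, which is the profile the commit sets out to stop reporting. The decoder hunk masks explicitly, and the encoder call could do the same by passing `~(1 << V4L2_MPEG_VIDEO_H264_PROFILE_CONSTRAINED_BASELINE),` in place of `0x0,`. Both calls are excerpts of functions that begin and end outside the hunks, so any later filtering of the control value is not visible here.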