From: Sasha Levin Date: Sat, 7 Jan 2023 17:15:51 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v5.15.87~53 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=06e9e3e8a55d3a2ebfc31253ce579dcf070a5763;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/btrfs-replace-strncpy-with-strscpy.patch b/queue-5.4/btrfs-replace-strncpy-with-strscpy.patch new file mode 100644 index 00000000000..f89d296ae9c --- /dev/null +++ b/queue-5.4/btrfs-replace-strncpy-with-strscpy.patch @@ -0,0 +1,63 @@ +From 3bcbb61c068f6af9baf904e4d990208c58ae69f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 11:14:45 -0500 +Subject: btrfs: replace strncpy() with strscpy() + +[ Upstream commit 63d5429f68a3d4c4aa27e65a05196c17f86c41d6 ] + +Using strncpy() on NUL-terminated strings are deprecated. To avoid +possible forming of non-terminated string strscpy() should be used. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +CC: stable@vger.kernel.org # 4.9+ +Signed-off-by: Artem Chernyshev +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ioctl.c | 9 +++------ + fs/btrfs/rcu-string.h | 6 +++++- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c +index 8553bd4361dd..64b443aa61ca 100644 +--- a/fs/btrfs/ioctl.c ++++ b/fs/btrfs/ioctl.c +@@ -3299,13 +3299,10 @@ static long btrfs_ioctl_dev_info(struct btrfs_fs_info *fs_info, + di_args->bytes_used = btrfs_device_get_bytes_used(dev); + di_args->total_bytes = btrfs_device_get_total_bytes(dev); + memcpy(di_args->uuid, dev->uuid, sizeof(di_args->uuid)); +- if (dev->name) { +- strncpy(di_args->path, rcu_str_deref(dev->name), +- sizeof(di_args->path) - 1); +- di_args->path[sizeof(di_args->path) - 1] = 0; +- } else { ++ if (dev->name) ++ strscpy(di_args->path, rcu_str_deref(dev->name), sizeof(di_args->path)); ++ else + di_args->path[0] = '\0'; +- } + + out: + rcu_read_unlock(); +diff --git a/fs/btrfs/rcu-string.h b/fs/btrfs/rcu-string.h +index a97dc74a4d3d..02f15321cecc 100644 +--- a/fs/btrfs/rcu-string.h ++++ b/fs/btrfs/rcu-string.h +@@ -18,7 +18,11 @@ static inline struct rcu_string *rcu_string_strdup(const char *src, gfp_t mask) + (len * sizeof(char)), mask); + if (!ret) + return ret; +- strncpy(ret->str, src, len); ++ /* Warn if the source got unexpectedly truncated. */ ++ if (WARN_ON(strscpy(ret->str, src, len) < 0)) { ++ kfree(ret); ++ return NULL; ++ } + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.4/media-s5p-mfc-clear-workbit-to-handle-error-conditio.patch b/queue-5.4/media-s5p-mfc-clear-workbit-to-handle-error-conditio.patch new file mode 100644 index 00000000000..9bd16a3bde7 --- /dev/null +++ b/queue-5.4/media-s5p-mfc-clear-workbit-to-handle-error-conditio.patch @@ -0,0 +1,43 @@ +From 75d33a2a5960932772150cfa2a9fad44f875641e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 16:02:26 +0530 +Subject: media: s5p-mfc: Clear workbit to handle error condition + +From: Smitha T Murthy + +[ Upstream commit d3f3c2fe54e30b0636496d842ffbb5ad3a547f9b ] + +During error on CLOSE_INSTANCE command, ctx_work_bits was not getting +cleared. During consequent mfc execution NULL pointer dereferencing of +this context led to kernel panic. This patch fixes this issue by making +sure to clear ctx_work_bits always. + +Fixes: 818cd91ab8c6 ("[media] s5p-mfc: Extract open/close MFC instance commands") +Cc: stable@vger.kernel.org +Cc: linux-fsd@tesla.com +Signed-off-by: Smitha T Murthy +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c b/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c +index da138c314963..58822ec5370e 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c +@@ -468,8 +468,10 @@ void s5p_mfc_close_mfc_inst(struct s5p_mfc_dev *dev, struct s5p_mfc_ctx *ctx) + s5p_mfc_hw_call(dev->mfc_ops, try_run, dev); + /* Wait until instance is returned or timeout occurred */ + if (s5p_mfc_wait_for_done_ctx(ctx, +- S5P_MFC_R2H_CMD_CLOSE_INSTANCE_RET, 0)) ++ S5P_MFC_R2H_CMD_CLOSE_INSTANCE_RET, 0)){ ++ clear_work_bit_irqsave(ctx); + mfc_err("Err returning instance\n"); ++ } + + /* Free resources */ + s5p_mfc_hw_call(dev->mfc_ops, release_codec_buffers, ctx); +-- +2.35.1 + diff --git a/queue-5.4/media-s5p-mfc-fix-in-register-read-and-write-for-h26.patch b/queue-5.4/media-s5p-mfc-fix-in-register-read-and-write-for-h26.patch new file mode 100644 index 00000000000..e453789b5e2 --- /dev/null +++ b/queue-5.4/media-s5p-mfc-fix-in-register-read-and-write-for-h26.patch @@ -0,0 +1,85 @@ +From 4f0228890d8d4ab13574fb5c9dac4d7cc3f02db5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 16:02:25 +0530 +Subject: media: s5p-mfc: Fix in register read and write for H264 + +From: Smitha T Murthy + +[ Upstream commit 06710cd5d2436135046898d7e4b9408c8bb99446 ] + +Few of the H264 encoder registers written were not getting reflected +since the read values were not stored and getting overwritten. + +Fixes: 6a9c6f681257 ("[media] s5p-mfc: Add variants to access mfc registers") + +Cc: stable@vger.kernel.org +Cc: linux-fsd@tesla.com +Signed-off-by: Smitha T Murthy +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c b/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c +index a1453053e31a..ef8169f6c428 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c +@@ -1060,7 +1060,7 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx) + } + + /* aspect ratio VUI */ +- readl(mfc_regs->e_h264_options); ++ reg = readl(mfc_regs->e_h264_options); + reg &= ~(0x1 << 5); + reg |= ((p_h264->vui_sar & 0x1) << 5); + writel(reg, mfc_regs->e_h264_options); +@@ -1083,7 +1083,7 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx) + + /* intra picture period for H.264 open GOP */ + /* control */ +- readl(mfc_regs->e_h264_options); ++ reg = readl(mfc_regs->e_h264_options); + reg &= ~(0x1 << 4); + reg |= ((p_h264->open_gop & 0x1) << 4); + writel(reg, mfc_regs->e_h264_options); +@@ -1097,23 +1097,23 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx) + } + + /* 'WEIGHTED_BI_PREDICTION' for B is disable */ +- readl(mfc_regs->e_h264_options); ++ reg = readl(mfc_regs->e_h264_options); + reg &= ~(0x3 << 9); + writel(reg, mfc_regs->e_h264_options); + + /* 'CONSTRAINED_INTRA_PRED_ENABLE' is disable */ +- readl(mfc_regs->e_h264_options); ++ reg = readl(mfc_regs->e_h264_options); + reg &= ~(0x1 << 14); + writel(reg, mfc_regs->e_h264_options); + + /* ASO */ +- readl(mfc_regs->e_h264_options); ++ reg = readl(mfc_regs->e_h264_options); + reg &= ~(0x1 << 6); + reg |= ((p_h264->aso & 0x1) << 6); + writel(reg, mfc_regs->e_h264_options); + + /* hier qp enable */ +- readl(mfc_regs->e_h264_options); ++ reg = readl(mfc_regs->e_h264_options); + reg &= ~(0x1 << 8); + reg |= ((p_h264->open_gop & 0x1) << 8); + writel(reg, mfc_regs->e_h264_options); +@@ -1134,7 +1134,7 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx) + writel(reg, mfc_regs->e_h264_num_t_layer); + + /* frame packing SEI generation */ +- readl(mfc_regs->e_h264_options); ++ reg = readl(mfc_regs->e_h264_options); + reg &= ~(0x1 << 25); + reg |= ((p_h264->sei_frame_packing & 0x1) << 25); + writel(reg, mfc_regs->e_h264_options); +-- +2.35.1 + diff --git a/queue-5.4/media-s5p-mfc-fix-to-handle-reference-queue-during-f.patch b/queue-5.4/media-s5p-mfc-fix-to-handle-reference-queue-during-f.patch new file mode 100644 index 00000000000..0a856c3deba --- /dev/null +++ b/queue-5.4/media-s5p-mfc-fix-to-handle-reference-queue-during-f.patch @@ -0,0 +1,67 @@ +From f0282c7df882741fe119ae67d35f1acc7d21bed5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 16:02:27 +0530 +Subject: media: s5p-mfc: Fix to handle reference queue during finishing + +From: Smitha T Murthy + +[ Upstream commit d8a46bc4e1e0446459daa77c4ce14218d32dacf9 ] + +On receiving last buffer driver puts MFC to MFCINST_FINISHING state which +in turn skips transferring of frame from SRC to REF queue. This causes +driver to stop MFC encoding and last frame is lost. + +This patch guarantees safe handling of frames during MFCINST_FINISHING and +correct clearing of workbit to avoid early stopping of encoding. + +Fixes: af9357467810 ("[media] MFC: Add MFC 5.1 V4L2 driver") + +Cc: stable@vger.kernel.org +Cc: linux-fsd@tesla.com +Signed-off-by: Smitha T Murthy +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-mfc/s5p_mfc_enc.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c b/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c +index 912fe0c5ab18..6ed3df5ae5bb 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c +@@ -1212,6 +1212,7 @@ static int enc_post_frame_start(struct s5p_mfc_ctx *ctx) + unsigned long mb_y_addr, mb_c_addr; + int slice_type; + unsigned int strm_size; ++ bool src_ready; + + slice_type = s5p_mfc_hw_call(dev->mfc_ops, get_enc_slice_type, dev); + strm_size = s5p_mfc_hw_call(dev->mfc_ops, get_enc_strm_size, dev); +@@ -1251,7 +1252,8 @@ static int enc_post_frame_start(struct s5p_mfc_ctx *ctx) + } + } + } +- if ((ctx->src_queue_cnt > 0) && (ctx->state == MFCINST_RUNNING)) { ++ if (ctx->src_queue_cnt > 0 && (ctx->state == MFCINST_RUNNING || ++ ctx->state == MFCINST_FINISHING)) { + mb_entry = list_entry(ctx->src_queue.next, struct s5p_mfc_buf, + list); + if (mb_entry->flags & MFC_BUF_FLAG_USED) { +@@ -1282,7 +1284,13 @@ static int enc_post_frame_start(struct s5p_mfc_ctx *ctx) + vb2_set_plane_payload(&mb_entry->b->vb2_buf, 0, strm_size); + vb2_buffer_done(&mb_entry->b->vb2_buf, VB2_BUF_STATE_DONE); + } +- if ((ctx->src_queue_cnt == 0) || (ctx->dst_queue_cnt == 0)) ++ ++ src_ready = true; ++ if (ctx->state == MFCINST_RUNNING && ctx->src_queue_cnt == 0) ++ src_ready = false; ++ if (ctx->state == MFCINST_FINISHING && ctx->ref_queue_cnt == 0) ++ src_ready = false; ++ if (!src_ready || ctx->dst_queue_cnt == 0) + clear_work_bit(ctx); + + return 0; +-- +2.35.1 + diff --git a/queue-5.4/pm-devfreq-governor-add-a-private-governor_data-for-.patch b/queue-5.4/pm-devfreq-governor-add-a-private-governor_data-for-.patch new file mode 100644 index 00000000000..808950958d5 --- /dev/null +++ b/queue-5.4/pm-devfreq-governor-add-a-private-governor_data-for-.patch @@ -0,0 +1,157 @@ +From db8ad6fb741827a93330976b62b762c5e2b1b632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 15:21:09 +0800 +Subject: PM/devfreq: governor: Add a private governor_data for governor + +From: Kant Fan + +[ Upstream commit 5fdded8448924e3631d466eea499b11606c43640 ] + +The member void *data in the structure devfreq can be overwrite +by governor_userspace. For example: +1. The device driver assigned the devfreq governor to simple_ondemand +by the function devfreq_add_device() and init the devfreq member +void *data to a pointer of a static structure devfreq_simple_ondemand_data +by the function devfreq_add_device(). +2. The user changed the devfreq governor to userspace by the command +"echo userspace > /sys/class/devfreq/.../governor". +3. The governor userspace alloced a dynamic memory for the struct +userspace_data and assigend the member void *data of devfreq to +this memory by the function userspace_init(). +4. The user changed the devfreq governor back to simple_ondemand +by the command "echo simple_ondemand > /sys/class/devfreq/.../governor". +5. The governor userspace exited and assigned the member void *data +in the structure devfreq to NULL by the function userspace_exit(). +6. The governor simple_ondemand fetched the static information of +devfreq_simple_ondemand_data in the function +devfreq_simple_ondemand_func() but the member void *data of devfreq was +assigned to NULL by the function userspace_exit(). +7. The information of upthreshold and downdifferential is lost +and the governor simple_ondemand can't work correctly. + +The member void *data in the structure devfreq is designed for +a static pointer used in a governor and inited by the function +devfreq_add_device(). This patch add an element named governor_data +in the devfreq structure which can be used by a governor(E.g userspace) +who want to assign a private data to do some private things. + +Fixes: ce26c5bb9569 ("PM / devfreq: Add basic governors") +Cc: stable@vger.kernel.org # 5.10+ +Reviewed-by: Chanwoo Choi +Acked-by: MyungJoo Ham +Signed-off-by: Kant Fan +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/devfreq/devfreq.c | 6 ++---- + drivers/devfreq/governor_userspace.c | 12 ++++++------ + include/linux/devfreq.h | 11 ++++++----- + 3 files changed, 14 insertions(+), 15 deletions(-) + +diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c +index c79652ee94be..f5ad9b998654 100644 +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -603,8 +603,7 @@ static void devfreq_dev_release(struct device *dev) + * @dev: the device to add devfreq feature. + * @profile: device-specific profile to run devfreq. + * @governor_name: name of the policy to choose frequency. +- * @data: private data for the governor. The devfreq framework does not +- * touch this value. ++ * @data: devfreq driver pass to governors, governor should not change it. + */ + struct devfreq *devfreq_add_device(struct device *dev, + struct devfreq_dev_profile *profile, +@@ -788,8 +787,7 @@ static void devm_devfreq_dev_release(struct device *dev, void *res) + * @dev: the device to add devfreq feature. + * @profile: device-specific profile to run devfreq. + * @governor_name: name of the policy to choose frequency. +- * @data: private data for the governor. The devfreq framework does not +- * touch this value. ++ * @data: devfreq driver pass to governors, governor should not change it. + * + * This function manages automatically the memory of devfreq device using device + * resource management and simplify the free operation for memory of devfreq +diff --git a/drivers/devfreq/governor_userspace.c b/drivers/devfreq/governor_userspace.c +index af94942fcf95..a3ae4dc4668b 100644 +--- a/drivers/devfreq/governor_userspace.c ++++ b/drivers/devfreq/governor_userspace.c +@@ -21,7 +21,7 @@ struct userspace_data { + + static int devfreq_userspace_func(struct devfreq *df, unsigned long *freq) + { +- struct userspace_data *data = df->data; ++ struct userspace_data *data = df->governor_data; + + if (data->valid) + *freq = data->user_frequency; +@@ -40,7 +40,7 @@ static ssize_t store_freq(struct device *dev, struct device_attribute *attr, + int err = 0; + + mutex_lock(&devfreq->lock); +- data = devfreq->data; ++ data = devfreq->governor_data; + + sscanf(buf, "%lu", &wanted); + data->user_frequency = wanted; +@@ -60,7 +60,7 @@ static ssize_t show_freq(struct device *dev, struct device_attribute *attr, + int err = 0; + + mutex_lock(&devfreq->lock); +- data = devfreq->data; ++ data = devfreq->governor_data; + + if (data->valid) + err = sprintf(buf, "%lu\n", data->user_frequency); +@@ -91,7 +91,7 @@ static int userspace_init(struct devfreq *devfreq) + goto out; + } + data->valid = false; +- devfreq->data = data; ++ devfreq->governor_data = data; + + err = sysfs_create_group(&devfreq->dev.kobj, &dev_attr_group); + out: +@@ -107,8 +107,8 @@ static void userspace_exit(struct devfreq *devfreq) + if (devfreq->dev.kobj.sd) + sysfs_remove_group(&devfreq->dev.kobj, &dev_attr_group); + +- kfree(devfreq->data); +- devfreq->data = NULL; ++ kfree(devfreq->governor_data); ++ devfreq->governor_data = NULL; + } + + static int devfreq_userspace_handler(struct devfreq *devfreq, +diff --git a/include/linux/devfreq.h b/include/linux/devfreq.h +index 2bae9ed3c783..7535f860d45d 100644 +--- a/include/linux/devfreq.h ++++ b/include/linux/devfreq.h +@@ -121,10 +121,10 @@ struct devfreq_dev_profile { + * devfreq.nb to the corresponding register notifier call chain. + * @work: delayed work for load monitoring. + * @previous_freq: previously configured frequency value. +- * @data: Private data of the governor. The devfreq framework does not +- * touch this. +- * @min_freq: Limit minimum frequency requested by user (0: none) +- * @max_freq: Limit maximum frequency requested by user (0: none) ++ * @data: devfreq driver pass to governors, governor should not change it. ++ * @governor_data: private data for governors, devfreq core doesn't touch it. ++ * @min_freq: Limit minimum frequency requested by user (0: none) ++ * @max_freq: Limit maximum frequency requested by user (0: none) + * @scaling_min_freq: Limit minimum frequency requested by OPP interface + * @scaling_max_freq: Limit maximum frequency requested by OPP interface + * @stop_polling: devfreq polling status of a device. +@@ -159,7 +159,8 @@ struct devfreq { + unsigned long previous_freq; + struct devfreq_dev_status last_status; + +- void *data; /* private data for governors */ ++ void *data; ++ void *governor_data; + + unsigned long min_freq; + unsigned long max_freq; +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index d7c93392821..d3302a9b537 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -536,3 +536,8 @@ ext4-avoid-unaccounted-block-allocation-when-expanding-inode.patch ext4-allocate-extended-attribute-value-in-vmalloc-area.patch drm-amdgpu-make-display-pinning-more-flexible-v2.patch cifs-prevent-copying-past-input-buffer-boundaries.patch +btrfs-replace-strncpy-with-strscpy.patch +pm-devfreq-governor-add-a-private-governor_data-for-.patch +media-s5p-mfc-fix-to-handle-reference-queue-during-f.patch +media-s5p-mfc-clear-workbit-to-handle-error-conditio.patch +media-s5p-mfc-fix-in-register-read-and-write-for-h26.patch