nouveau.lists.freedesktop.org archive mirror
* [Nouveau] Off-by-one or bad BIOS image? Apple eMac 800 GeForce 2MX
@ 2022-01-19  7:27 Nick Lopez
  2022-01-20 18:24 ` Ilia Mirkin
  0 siblings, 1 reply; 4+ messages in thread
From: Nick Lopez @ 2022-01-19  7:27 UTC
  To: nouveau


[-- Attachment #1.1: Type: text/plain, Size: 1797 bytes --]

Because I watch too much retro YouTube I decided it was a good idea to try installing Adelie Linux on my old G4/800 eMac, but the Live installer would freeze. By blacklisting nouveau I was able to get it booted and manually installed and, after hours and hours of compiling, get a working kernel tree to poke at. After only a few iterations with dump_stack() and nvkm_debug and the output of envytools/nvbios I worked out that the last initscript instruction was stored in the last byte of the ROM. I think the bounds check in the nvbios_addr() function is miscalculating the limit as one byte short; that’s why I was seeing this in the syslog:

nouveau 0000:00:10.0: bios: OOB 1 000007b2 000007b2
nouveau 0000:00:10.0: devinit: 0x000007b2[ ]: unknown opcode 0x00
nouveau 0000:00:10.0: preinit failed with -22
nouveau: DRM-master:00000000:00000080: init failed with -22
nouveau 0000:00:10.0: DRM-master: Device allocation failed: -22
nouveau: probe of 0000:00:10.0 failed with error -22

After I changed the limit check from:
if (unlikely(*addr + size >= bios->size)) {
to:
if (unlikely(*addr + size > bios->size)) {

it initialized the card properly, brought up the fbconsole and even seems to be working in X with DRI. So the question is: was the bounds check wrong, or is the NVDA,BMP image provided by OpenFirmware truncated? I’m guessing this doesn’t turn up elsewhere because the ROM images read through any of the other methods are the size of the flash chip they’re stored on, so there’s always unused space at the end and they never use the last byte, whereas the NVDA,BMP provided by OpenFirmware is just the active section.

The patch is against the Adelie easy-kernel patch 5.4 tree, but it looks like that code is still there in the current upstream torvalds/linux git.


[-- Attachment #2: nouvaeu-initscripts-off-by-one.patch --]
[-- Type: application/octet-stream, Size: 498 bytes --]

--- drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c.orig        2022-01-18 22:40:49.400644104 +0000
+++ drivers/gpu/drm/nouveau/nvkm/subdev/bios/base.c     2022-01-18 21:59:46.128469791 +0000
@@ -38,7 +38,7 @@
                *addr += bios->imaged_addr;
        }

-       if (unlikely(*addr + size >= bios->size)) {
+       if (unlikely(*addr + size > bios->size)) {
                nvkm_error(&bios->subdev, "OOB %d %08x %08x\n", size, p, *addr);
                return false;
        }
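
Review bot: the test at "if (unlikely(*addr + size > bios->size))" still adds before it compares, so if *addr and size are 32-bit values (as the %08x and %d in the error message suggest), a large enough *addr makes the sum wrap and pass the check. Switching ">=" to ">" is right for an access that ends exactly on the last byte of the image, which is the "OOB 1 000007b2 000007b2" case against a 0x7b3-byte image, but consider the subtraction form "size > bios->size || *addr > bios->size - size" so the limit holds for any offset read out of the image. For upstream submission the change also needs a commit message with a Signed-off-by line, and a/ and b/ path prefixes instead of a diff against a .orig copy.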

[-- Attachment #3: nvbios.txt --]
[-- Type: text/plain, Size: 39852 bytes --]

eMac # envytools/nvbios/nvbios gpu.bios
warning: No strap specified
BIOS size 0x7b3 [orig: 0x7b3], 0 valid parts:

WARN: Couldn't read part 0!

BIOS type: NV04

Subsystem id: 0x0000:0x0000

BMP 0x05.10 at 0x72

Bios version 0x03.11.00.15

Init script table at 0xcb: 9 main scripts

Init script 0 at 0x10d:
0x0000010d: 65 00 02 00 00 00 00 00 01 10 01 11 01         RESET        R[0x000200] = 0x01000000, 0x01110110
0x0000011a: 6e 00 10 10 00 ff ff ff ff 00 00 00 80         NV_REG       R[0x101000] &= 0xffffffff |= 0x80000000
0x00000127: 68                                             CONFIGURE_PREINIT
0x00000128: 7a 00 02 00 00 11 01 11 03                     ZM_REG       R[0x000200] = 0x03110111
0x00000131: 7a e0 10 00 00 80 80 80 80                     ZM_REG       R[0x0010e0] = 0x80808080
0x0000013a: 7a e4 10 00 00 80 80 80 80                     ZM_REG       R[0x0010e4] = 0x80808080
0x00000143: 7a 84 10 00 00 48 57 00 00                     ZM_REG       R[0x001084] = 0x00005748
0x0000014c: 7a 80 00 10 00 00 00 02 00                     ZM_REG       R[0x100080] = 0x00020000
0x00000155: 66                                             CONFIGURE_MEM
0x00000156: 78 c4 03 01 ff 20                              INDEX_IO     I[0x03c4][0x01] &= 0xff |= 0x20
0x0000015c: 74 00 fa                                       TIME 0xfa00
0x0000015f: 7a d4 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d4] = 0x00000001
0x00000168: 7a c4 02 10 00 02 00 00 00                     ZM_REG       R[0x1002c4] = 0x00000002
0x00000171: 7a c0 02 10 00 31 01 00 00                     ZM_REG       R[0x1002c0] = 0x00000131
0x0000017a: 74 e8 03                                       TIME 0x03e8
0x0000017d: 7a d4 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d4] = 0x00000001
0x00000186: 7a d0 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d0] = 0x00000001
0x0000018f: 7a d0 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d0] = 0x00000001
0x00000198: 7a c0 02 10 00 31 00 00 00                     ZM_REG       R[0x1002c0] = 0x00000031
0x000001a1: 78 c4 03 01 df 00                              INDEX_IO     I[0x03c4][0x01] &= 0xdf |= 0x00
0x000001a7: 71                                             DONE

Init script 1 at 0x64c:
0x0000064c: 75 00                                          CONDITION    0x00
0x0000064e: 62 d4 03 3c 01                                 ZM_INDEX_IO  I[0x03d4][0x3c] = 0x01
0x00000653: 38                                             NOT
0x00000654: 62 d4 03 3c 00                                 ZM_INDEX_IO  I[0x03d4][0x3c] = 0x00
0x00000659: 72                                             RESUME
0x0000065a: 37 00 10 10 00 fe f0 d4 03 3c 0f               COPY 0x03d4[0x3c] & ~0x0f |= (R[0x101000] << 0x02) & 0x000000f0
0x00000665: 71                                             DONE

Init script 2 at 0x666:
0x00000666: 78 d4 03 35 fe 01                              INDEX_IO     I[0x03d4][0x35] &= 0xfe |= 0x01
0x0000066c: 78 d4 03 3c f7 08                              INDEX_IO     I[0x03d4][0x3c] &= 0xf7 |= 0x08
0x00000672: 7a 00 02 00 00 11 01 01 01                     ZM_REG       R[0x000200] = 0x01010111
0x0000067b: 78 c4 03 01 ff 20                              INDEX_IO     I[0x03c4][0x01] &= 0xff |= 0x20
0x00000681: 79 00 05 68 00 10 27                           PLL  R[0x680500] =PLL= 100000kHz
0x00000688: 79 04 05 68 00 e0 2e                           PLL  R[0x680504] =PLL= 120000kHz
0x0000068f: 74 00 fa                                       TIME 0xfa00
0x00000692: 6e b0 10 00 00 ff ff ff 0f 00 00 00 c0         NV_REG       R[0x0010b0] &= 0x0fffffff |= 0xc0000000
0x0000069f: 6e b4 10 00 00 ff ff ff ff 00 00 00 00         NV_REG       R[0x0010b4] &= 0xffffffff |= 0x00000000
0x000006ac: 6e b8 10 00 00 ff ff ff ff 00 00 00 00         NV_REG       R[0x0010b8] &= 0xffffffff |= 0x00000000
0x000006b9: 6e bc 10 00 00 f0 ff ff ff 00 00 00 00         NV_REG       R[0x0010bc] &= 0xfffffff0 |= 0x00000000
0x000006c6: 6e cc 10 00 00 ff ff ff ff 00 00 00 00         NV_REG       R[0x0010cc] &= 0xffffffff |= 0x00000000
0x000006d3: 6e d4 10 00 00 ff ff ff ff 00 00 00 00         NV_REG       R[0x0010d4] &= 0xffffffff |= 0x00000000
0x000006e0: 7a d8 10 00 00 88 88 88 88                     ZM_REG       R[0x0010d8] = 0x88888888
0x000006e9: 7a 0c 05 68 00 00 07 00 00                     ZM_REG       R[0x68050c] = 0x00000700
0x000006f2: 7a 0c 05 68 00 00 05 00 00                     ZM_REG       R[0x68050c] = 0x00000500
0x000006fb: 67                                             CONFIGURE_CLOCK
0x000006fc: 00                                             ???
0x000006fd: 01                                             ???
0x000006fe: 01                                             ???
0x000006ff: 01                                             ???
0x00000700: 02                                             ???
0x00000701: 01                                             ???
0x00000702: d4                                             ???
0x00000703: 02                                             ???
0x00000704: 10                                             ???
0x00000705: 00                                             ???
0x00000706: 01                                             ???
0x00000707: 00                                             ???
0x00000708: 00                                             ???
0x00000709: 00                                             ???
0x0000070a: 1c                                             ???
0x0000070b: 02                                             ???
0x0000070c: 10                                             ???
0x0000070d: 00                                             ???
0x0000070e: 01                                             ???
0x0000070f: 00                                             ???
0x00000710: 00                                             ???
0x00000711: 00                                             ???
0x00000712: d0                                             ???
0x00000713: 02                                             ???
0x00000714: 10                                             ???
0x00000715: 00                                             ???
0x00000716: 01                                             ???
0x00000717: 00                                             ???
0x00000718: 00                                             ???
0x00000719: 00                                             ???
0x0000071a: 78 c4 03 01 ff 20                              INDEX_IO     I[0x03c4][0x01] &= 0xff |= 0x20
0x00000720: 63                                             COMPUTE_MEM
0x00000721: 78 c4 03 01 ff 20                              INDEX_IO     I[0x03c4][0x01] &= 0xff |= 0x20
0x00000727: 79 08 05 68 00 10 0e                           PLL  R[0x680508] =PLL= 36000kHz
0x0000072e: 7a 88 10 00 00 f0 11 00 00                     ZM_REG       R[0x001088] = 0x000011f0
0x00000737: 7a 8c 10 00 00 d1 00 00 00                     ZM_REG       R[0x00108c] = 0x000000d1
0x00000740: 6e 80 08 68 00 ff ff ff df 00 00 00 10         NV_REG       R[0x680880] &= 0xdfffffff |= 0x10000000
0x0000074d: 78 d4 03 38 00 00                              INDEX_IO     I[0x03d4][0x38] &= 0x00 |= 0x00
0x00000753: 78 d4 03 1a 00 3f                              INDEX_IO     I[0x03d4][0x1a] &= 0x00 |= 0x3f
0x00000759: 78 d4 03 28 00 00                              INDEX_IO     I[0x03d4][0x28] &= 0x00 |= 0x00
0x0000075f: 78 d4 03 33 00 00                              INDEX_IO     I[0x03d4][0x33] &= 0x00 |= 0x00
0x00000765: 78 d4 03 21 00 fa                              INDEX_IO     I[0x03d4][0x21] &= 0x00 |= 0xfa
0x0000076b: 78 d4 03 2b 00 00                              INDEX_IO     I[0x03d4][0x2b] &= 0x00 |= 0x00
0x00000771: 78 d4 03 2c 00 00                              INDEX_IO     I[0x03d4][0x2c] &= 0x00 |= 0x00
0x00000777: 78 d4 03 3a 00 00                              INDEX_IO     I[0x03d4][0x3a] &= 0x00 |= 0x00
0x0000077d: 78 d4 03 3b 00 00                              INDEX_IO     I[0x03d4][0x3b] &= 0x00 |= 0x00
0x00000783: 78 d4 03 4a 00 00                              INDEX_IO     I[0x03d4][0x4a] &= 0x00 |= 0x00
0x00000789: 78 d4 03 4b 00 00                              INDEX_IO     I[0x03d4][0x4b] &= 0x00 |= 0x00
0x0000078f: 78 d4 03 4c 00 00                              INDEX_IO     I[0x03d4][0x4c] &= 0x00 |= 0x00
0x00000795: 78 d4 03 52 00 04                              INDEX_IO     I[0x03d4][0x52] &= 0x00 |= 0x04
0x0000079b: 71                                             DONE

Init script 3 at 0x128:
0x00000128: 7a 00 02 00 00 11 01 11 03                     ZM_REG       R[0x000200] = 0x03110111
0x00000131: 7a e0 10 00 00 80 80 80 80                     ZM_REG       R[0x0010e0] = 0x80808080
0x0000013a: 7a e4 10 00 00 80 80 80 80                     ZM_REG       R[0x0010e4] = 0x80808080
0x00000143: 7a 84 10 00 00 48 57 00 00                     ZM_REG       R[0x001084] = 0x00005748
0x0000014c: 7a 80 00 10 00 00 00 02 00                     ZM_REG       R[0x100080] = 0x00020000
0x00000155: 66                                             CONFIGURE_MEM
0x00000156: 78 c4 03 01 ff 20                              INDEX_IO     I[0x03c4][0x01] &= 0xff |= 0x20
0x0000015c: 74 00 fa                                       TIME 0xfa00
0x0000015f: 7a d4 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d4] = 0x00000001
0x00000168: 7a c4 02 10 00 02 00 00 00                     ZM_REG       R[0x1002c4] = 0x00000002
0x00000171: 7a c0 02 10 00 31 01 00 00                     ZM_REG       R[0x1002c0] = 0x00000131
0x0000017a: 74 e8 03                                       TIME 0x03e8
0x0000017d: 7a d4 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d4] = 0x00000001
0x00000186: 7a d0 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d0] = 0x00000001
0x0000018f: 7a d0 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d0] = 0x00000001
0x00000198: 7a c0 02 10 00 31 00 00 00                     ZM_REG       R[0x1002c0] = 0x00000031
0x000001a1: 78 c4 03 01 df 00                              INDEX_IO     I[0x03c4][0x01] &= 0xdf |= 0x00
0x000001a7: 71                                             DONE

Init script 4 at 0x1a8:
0x000001a8: 78 c4 03 01 ff 20                              INDEX_IO     I[0x03c4][0x01] &= 0xff |= 0x20
0x000001ae: 32 d4 03 3c f0 04 10 80 10 00 00               IO_RESTRICT_PROG     R[0x001080] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x000001b9: 00 00 00 00                                         0x00000000
0x000001bd: 00 00 00 00                                         0x00000000
0x000001c1: 00 00 00 00                                         0x00000000
0x000001c5: 00 00 00 00                                         0x00000000
0x000001c9: 00 00 00 00                                         0x00000000
0x000001cd: 00 00 00 00                                         0x00000000
0x000001d1: 00 00 00 00                                         0x00000000
0x000001d5: 00 00 00 00                                         0x00000000
0x000001d9: 07 07 07 07                                         0x07070707
0x000001dd: 07 07 07 07                                         0x07070707
0x000001e1: 04 04 04 04                                         0x04040404
0x000001e5: 07 07 07 07                                         0x07070707
0x000001e9: 07 07 07 07                                         0x07070707
0x000001ed: 07 07 07 07                                         0x07070707
0x000001f1: 07 07 07 07                                         0x07070707
0x000001f5: 07 07 07 07                                         0x07070707
0x000001f9:                                                }]
0x000001f9: 32 d4 03 3c f0 04 10 10 02 10 00               IO_RESTRICT_PROG     R[0x100210] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x00000204: 00 00 00 00                                         0x00000000
0x00000208: 00 00 00 00                                         0x00000000
0x0000020c: 00 00 00 00                                         0x00000000
0x00000210: 00 00 00 00                                         0x00000000
0x00000214: 00 00 00 00                                         0x00000000
0x00000218: 00 00 00 00                                         0x00000000
0x0000021c: 00 00 00 00                                         0x00000000
0x00000220: 00 00 00 00                                         0x00000000
0x00000224: 00 00 00 00                                         0x00000000
0x00000228: 00 00 00 00                                         0x00000000
0x0000022c: 00 00 00 00                                         0x00000000
0x00000230: 00 00 00 00                                         0x00000000
0x00000234: 00 00 00 00                                         0x00000000
0x00000238: 00 00 00 00                                         0x00000000
0x0000023c: 00 00 00 00                                         0x00000000
0x00000240: 00 00 00 00                                         0x00000000
0x00000244:                                                }]
0x00000244: 32 d4 03 3c f0 04 10 00 02 10 00               IO_RESTRICT_PROG     R[0x100200] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x0000024f: 10 01 b1 08                                         0x08b10110
0x00000253: 10 11 c1 08                                         0x08c11110
0x00000257: 10 11 b0 08                                         0x08b01110
0x0000025b: 10 11 b0 08                                         0x08b01110
0x0000025f: 10 11 a0 08                                         0x08a01110
0x00000263: 10 11 91 08                                         0x08911110
0x00000267: 10 11 c1 09                                         0x09c11110
0x0000026b: 10 11 c1 09                                         0x09c11110
0x0000026f: 01 01 b1 08                                         0x08b10101
0x00000273: 01 01 b1 08                                         0x08b10101
0x00000277: 01 00 c1 08                                         0x08c10001
0x0000027b: 01 01 a1 08                                         0x08a10101
0x0000027f: 01 01 a1 08                                         0x08a10101
0x00000283: 11 10 c1 09                                         0x09c11011
0x00000287: 11 11 a1 08                                         0x08a11111
0x0000028b: 01 01 c1 08                                         0x08c10101
0x0000028f:                                                }]
0x0000028f: 32 d4 03 3c f0 04 10 20 02 10 00               IO_RESTRICT_PROG     R[0x100220] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x0000029a: 0a 0a 07 43                                         0x43070a0a
0x0000029e: 0a 0a 07 33                                         0x33070a0a
0x000002a2: 0a 0a 07 33                                         0x33070a0a
0x000002a6: 0a 0a 07 33                                         0x33070a0a
0x000002aa: 0a 0a 07 33                                         0x33070a0a
0x000002ae: 0a 0a 07 33                                         0x33070a0a
0x000002b2: 0a 0a 07 33                                         0x33070a0a
0x000002b6: 0a 0a 07 33                                         0x33070a0a
0x000002ba: 0c 0e 08 34                                         0x34080e0c
0x000002be: 0b 0d 07 34                                         0x34070d0b
0x000002c2: 09 0b 06 33                                         0x33060b09
0x000002c6: 0b 0d 07 34                                         0x34070d0b
0x000002ca: 0b 0d 07 34                                         0x34070d0b
0x000002ce: 0c 0e 07 44                                         0x44070e0c
0x000002d2: 0b 0d 07 34                                         0x34070d0b
0x000002d6: 0c 0e 08 34                                         0x34080e0c
0x000002da:                                                }]
0x000002da: 32 d4 03 3c f0 04 10 24 02 10 00               IO_RESTRICT_PROG     R[0x100224] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x000002e5: 50 11 21 02                                         0x02211150
0x000002e9: 50 11 21 02                                         0x02211150
0x000002ed: 50 11 21 02                                         0x02211150
0x000002f1: 50 11 21 02                                         0x02211150
0x000002f5: 50 11 21 02                                         0x02211150
0x000002f9: 50 11 21 02                                         0x02211150
0x000002fd: 50 11 21 02                                         0x02211150
0x00000301: 50 11 21 02                                         0x02211150
0x00000305: 60 21 44 02                                         0x02442160
0x00000309: 60 21 44 02                                         0x02442160
0x0000030d: 50 11 43 02                                         0x02431150
0x00000311: 60 21 43 02                                         0x02432160
0x00000315: 60 21 43 02                                         0x02432160
0x00000319: 50 11 22 02                                         0x02221150
0x0000031d: 60 21 43 02                                         0x02432160
0x00000321: 60 21 44 02                                         0x02442160
0x00000325:                                                }]
0x00000325: 32 d4 03 3c f0 04 10 28 02 10 00               IO_RESTRICT_PROG     R[0x100228] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x00000330: ff 09 00 00                                         0x000009ff
0x00000334: ff 09 00 00                                         0x000009ff
0x00000338: ff 09 00 00                                         0x000009ff
0x0000033c: ff 09 00 00                                         0x000009ff
0x00000340: ff 09 00 00                                         0x000009ff
0x00000344: ff 09 00 00                                         0x000009ff
0x00000348: ff 09 00 00                                         0x000009ff
0x0000034c: ff 09 00 00                                         0x000009ff
0x00000350: ff 04 00 00                                         0x000004ff
0x00000354: ff 04 00 00                                         0x000004ff
0x00000358: 9f 08 00 00                                         0x0000089f
0x0000035c: ff 09 00 00                                         0x000009ff
0x00000360: ff 09 00 00                                         0x000009ff
0x00000364: ff 09 00 00                                         0x000009ff
0x00000368: ff 09 00 00                                         0x000009ff
0x0000036c: ff 09 00 00                                         0x000009ff
0x00000370:                                                }]
0x00000370: 32 d4 03 3c f0 04 10 c4 10 00 00               IO_RESTRICT_PROG     R[0x0010c4] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x0000037b: 44 00 02 11                                         0x11020044
0x0000037f: 44 00 02 11                                         0x11020044
0x00000383: 44 00 02 11                                         0x11020044
0x00000387: 44 00 02 11                                         0x11020044
0x0000038b: 44 00 02 11                                         0x11020044
0x0000038f: 44 00 02 11                                         0x11020044
0x00000393: 44 00 02 11                                         0x11020044
0x00000397: 44 00 02 11                                         0x11020044
0x0000039b: 44 44 86 48                                         0x48864444
0x0000039f: 44 44 86 48                                         0x48864444
0x000003a3: 33 00 22 11                                         0x11220033
0x000003a7: 33 00 22 11                                         0x11220033
0x000003ab: 33 00 22 11                                         0x11220033
0x000003af: 33 00 22 11                                         0x11220033
0x000003b3: 33 00 22 11                                         0x11220033
0x000003b7: 44 44 86 48                                         0x48864444
0x000003bb:                                                }]
0x000003bb: 32 d4 03 3c f0 04 10 c8 10 00 00               IO_RESTRICT_PROG     R[0x0010c8] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x000003c6: f0 83 37 03                                         0x033783f0
0x000003ca: f0 83 37 03                                         0x033783f0
0x000003ce: f0 83 37 03                                         0x033783f0
0x000003d2: f0 83 37 03                                         0x033783f0
0x000003d6: f0 83 37 03                                         0x033783f0
0x000003da: f0 83 37 03                                         0x033783f0
0x000003de: f0 83 37 03                                         0x033783f0
0x000003e2: f0 83 37 03                                         0x033783f0
0x000003e6: 40 44 44 04                                         0x04444440
0x000003ea: 40 44 44 04                                         0x04444440
0x000003ee: f0 83 37 03                                         0x033783f0
0x000003f2: f0 83 37 03                                         0x033783f0
0x000003f6: f0 83 37 03                                         0x033783f0
0x000003fa: f0 83 37 03                                         0x033783f0
0x000003fe: f0 83 37 03                                         0x033783f0
0x00000402: 40 44 44 04                                         0x04444440
0x00000406:                                                }]
0x00000406: 39 00                                          IO_FLAG_CONDITION    0x00
0x00000408: 6f 00                                          MACRO        0x00
0x0000040a: 72                                             RESUME
0x0000040b: 32 d4 03 3c f0 04 10 18 02 10 00               IO_RESTRICT_PROG     R[0x100218] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x00000416: 01 00 00 00                                         0x00000001
0x0000041a: 01 00 00 00                                         0x00000001
0x0000041e: 01 00 00 00                                         0x00000001
0x00000422: 01 00 00 00                                         0x00000001
0x00000426: 01 00 00 00                                         0x00000001
0x0000042a: 01 00 00 00                                         0x00000001
0x0000042e: 01 00 00 00                                         0x00000001
0x00000432: 01 00 00 00                                         0x00000001
0x00000436: 01 00 00 00                                         0x00000001
0x0000043a: 01 00 00 00                                         0x00000001
0x0000043e: 01 00 00 00                                         0x00000001
0x00000442: 01 00 00 00                                         0x00000001
0x00000446: 01 00 00 00                                         0x00000001
0x0000044a: 01 00 00 00                                         0x00000001
0x0000044e: 01 00 00 00                                         0x00000001
0x00000452: 01 00 00 00                                         0x00000001
0x00000456:                                                }]
0x00000456: 39 00                                          IO_FLAG_CONDITION    0x00
0x00000458: 6f 01                                          MACRO        0x01
0x0000045a: 38                                             NOT
0x0000045b: 6f 01                                          MACRO        0x01
0x0000045d: 6f 00                                          MACRO        0x00
0x0000045f: 32 d4 03 3c f0 04 10 c4 02 10 00               IO_RESTRICT_PROG     R[0x1002c4] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x0000046a: ff ff ff ff                                         0xffffffff
0x0000046e: ff ff ff ff                                         0xffffffff
0x00000472: ff ff ff ff                                         0xffffffff
0x00000476: ff ff ff ff                                         0xffffffff
0x0000047a: ff ff ff ff                                         0xffffffff
0x0000047e: ff ff ff ff                                         0xffffffff
0x00000482: ff ff ff ff                                         0xffffffff
0x00000486: ff ff ff ff                                         0xffffffff
0x0000048a: 02 00 00 00                                         0x00000002
0x0000048e: 00 00 00 00                                         0x00000000
0x00000492: 00 00 00 00                                         0x00000000
0x00000496: 03 00 00 00                                         0x00000003
0x0000049a: 03 00 00 00                                         0x00000003
0x0000049e: 00 00 00 00                                         0x00000000
0x000004a2: 02 00 00 00                                         0x00000002
0x000004a6: 02 00 00 00                                         0x00000002
0x000004aa:                                                }]
0x000004aa: 72                                             RESUME
0x000004ab: 32 d4 03 3c f0 04 10 c0 02 10 00               IO_RESTRICT_PROG     R[0x1002c0] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x000004b6: 30 00 00 00                                         0x00000030
0x000004ba: 30 00 00 00                                         0x00000030
0x000004be: 30 00 00 00                                         0x00000030
0x000004c2: 30 00 00 00                                         0x00000030
0x000004c6: 30 00 00 00                                         0x00000030
0x000004ca: 30 00 00 00                                         0x00000030
0x000004ce: 30 00 00 00                                         0x00000030
0x000004d2: 30 00 00 00                                         0x00000030
0x000004d6: 31 01 00 00                                         0x00000131
0x000004da: 31 01 00 00                                         0x00000131
0x000004de: 31 01 00 00                                         0x00000131
0x000004e2: 31 00 00 00                                         0x00000031
0x000004e6: 31 00 00 00                                         0x00000031
0x000004ea: 31 00 00 00                                         0x00000031
0x000004ee: 31 00 00 00                                         0x00000031
0x000004f2: 31 01 00 00                                         0x00000131
0x000004f6:                                                }]
0x000004f6: 39 00                                          IO_FLAG_CONDITION    0x00
0x000004f8: 33 08                                          REPEAT       0x08
0x000004fa: 6f 02                                          MACRO        0x02
0x000004fc: 36                                             END_REPEAT
0x000004fd: 33 03                                          REPEAT       0x03
0x000004ff: 6f 00                                          MACRO        0x00
0x00000501: 36                                             END_REPEAT
0x00000502: 38                                             NOT
0x00000503: 33 01                                          REPEAT       0x01
0x00000505: 6f 00                                          MACRO        0x00
0x00000507: 36                                             END_REPEAT
0x00000508: 33 02                                          REPEAT       0x02
0x0000050a: 6f 02                                          MACRO        0x02
0x0000050c: 36                                             END_REPEAT
0x0000050d: 72                                             RESUME
0x0000050e: 32 d4 03 3c f0 04 10 c0 02 10 00               IO_RESTRICT_PROG     R[0x1002c0] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x00000519: 30 00 00 00                                         0x00000030
0x0000051d: 30 00 00 00                                         0x00000030
0x00000521: 30 00 00 00                                         0x00000030
0x00000525: 30 00 00 00                                         0x00000030
0x00000529: 30 00 00 00                                         0x00000030
0x0000052d: 30 00 00 00                                         0x00000030
0x00000531: 30 00 00 00                                         0x00000030
0x00000535: 30 00 00 00                                         0x00000030
0x00000539: 31 00 00 00                                         0x00000031
0x0000053d: 31 00 00 00                                         0x00000031
0x00000541: 31 01 00 00                                         0x00000131
0x00000545: 31 00 00 00                                         0x00000031
0x00000549: 31 01 00 00                                         0x00000131
0x0000054d: 31 00 00 00                                         0x00000031
0x00000551: 31 01 00 00                                         0x00000131
0x00000555: 31 00 00 00                                         0x00000031
0x00000559:                                                }]
0x00000559: 74 e8 03                                       TIME 0x03e8
0x0000055c: 32 d4 03 3c f0 04 10 10 02 10 00               IO_RESTRICT_PROG     R[0x100210] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x00000567: 00 00 00 80                                         0x80000000
0x0000056b: 00 00 00 80                                         0x80000000
0x0000056f: 00 00 00 80                                         0x80000000
0x00000573: 00 00 00 80                                         0x80000000
0x00000577: 00 00 00 80                                         0x80000000
0x0000057b: 00 00 00 80                                         0x80000000
0x0000057f: 00 00 00 80                                         0x80000000
0x00000583: 00 00 00 80                                         0x80000000
0x00000587: 00 00 00 80                                         0x80000000
0x0000058b: 00 00 00 80                                         0x80000000
0x0000058f: 00 00 00 80                                         0x80000000
0x00000593: 00 00 00 80                                         0x80000000
0x00000597: 00 00 00 80                                         0x80000000
0x0000059b: 00 00 00 80                                         0x80000000
0x0000059f: 00 00 00 80                                         0x80000000
0x000005a3: 00 00 00 80                                         0x80000000
0x000005a7:                                                }]
0x000005a7: 32 d4 03 3c f0 04 10 d4 10 00 00               IO_RESTRICT_PROG     R[0x0010d4] = (0x03d4[0x3c] & 0xf0) >> 4) [{
0x000005b2: 00 00 00 00                                         0x00000000
0x000005b6: 00 00 00 00                                         0x00000000
0x000005ba: 00 00 00 00                                         0x00000000
0x000005be: 00 00 00 00                                         0x00000000
0x000005c2: 00 00 00 00                                         0x00000000
0x000005c6: 00 00 00 00                                         0x00000000
0x000005ca: 00 00 00 00                                         0x00000000
0x000005ce: 00 00 00 00                                         0x00000000
0x000005d2: 00 00 00 02                                         0x02000000
0x000005d6: 00 00 00 02                                         0x02000000
0x000005da: 00 00 00 02                                         0x02000000
0x000005de: 00 00 00 02                                         0x02000000
0x000005e2: 00 00 00 02                                         0x02000000
0x000005e6: 00 00 00 02                                         0x02000000
0x000005ea: 00 00 00 02                                         0x02000000
0x000005ee: 00 00 00 02                                         0x02000000
0x000005f2:                                                }]
0x000005f2: 71                                             DONE

Init script 5 at 0x71a:
0x0000071a: 78 c4 03 01 ff 20                              INDEX_IO     I[0x03c4][0x01] &= 0xff |= 0x20
0x00000720: 63                                             COMPUTE_MEM
0x00000721: 78 c4 03 01 ff 20                              INDEX_IO     I[0x03c4][0x01] &= 0xff |= 0x20
0x00000727: 79 08 05 68 00 10 0e                           PLL  R[0x680508] =PLL= 36000kHz
0x0000072e: 7a 88 10 00 00 f0 11 00 00                     ZM_REG       R[0x001088] = 0x000011f0
0x00000737: 7a 8c 10 00 00 d1 00 00 00                     ZM_REG       R[0x00108c] = 0x000000d1
0x00000740: 6e 80 08 68 00 ff ff ff df 00 00 00 10         NV_REG       R[0x680880] &= 0xdfffffff |= 0x10000000
0x0000074d: 78 d4 03 38 00 00                              INDEX_IO     I[0x03d4][0x38] &= 0x00 |= 0x00
0x00000753: 78 d4 03 1a 00 3f                              INDEX_IO     I[0x03d4][0x1a] &= 0x00 |= 0x3f
0x00000759: 78 d4 03 28 00 00                              INDEX_IO     I[0x03d4][0x28] &= 0x00 |= 0x00
0x0000075f: 78 d4 03 33 00 00                              INDEX_IO     I[0x03d4][0x33] &= 0x00 |= 0x00
0x00000765: 78 d4 03 21 00 fa                              INDEX_IO     I[0x03d4][0x21] &= 0x00 |= 0xfa
0x0000076b: 78 d4 03 2b 00 00                              INDEX_IO     I[0x03d4][0x2b] &= 0x00 |= 0x00
0x00000771: 78 d4 03 2c 00 00                              INDEX_IO     I[0x03d4][0x2c] &= 0x00 |= 0x00
0x00000777: 78 d4 03 3a 00 00                              INDEX_IO     I[0x03d4][0x3a] &= 0x00 |= 0x00
0x0000077d: 78 d4 03 3b 00 00                              INDEX_IO     I[0x03d4][0x3b] &= 0x00 |= 0x00
0x00000783: 78 d4 03 4a 00 00                              INDEX_IO     I[0x03d4][0x4a] &= 0x00 |= 0x00
0x00000789: 78 d4 03 4b 00 00                              INDEX_IO     I[0x03d4][0x4b] &= 0x00 |= 0x00
0x0000078f: 78 d4 03 4c 00 00                              INDEX_IO     I[0x03d4][0x4c] &= 0x00 |= 0x00
0x00000795: 78 d4 03 52 00 04                              INDEX_IO     I[0x03d4][0x52] &= 0x00 |= 0x04
0x0000079b: 71                                             DONE

Init script 6 at 0x5f3:
0x000005f3: 34 d4 03 3c f0 04 ff 10 00 05 68 00            IO_RESTRICT_PLL      R[0x680500] =PLL= (0x03d4[0x3c] & 0xf0) >> 4) IOFCOND 0xff [{
0x000005ff: 5c 44                                               175000kHz
0x00000601: 5c 44                                               175000kHz
0x00000603: 5c 44                                               175000kHz
0x00000605: 5c 44                                               175000kHz
0x00000607: 5c 44                                               175000kHz
0x00000609: 5c 44                                               175000kHz
0x0000060b: 5c 44                                               175000kHz
0x0000060d: 5c 44                                               175000kHz
0x0000060f: 5c 44                                               175000kHz
0x00000611: 5c 44                                               175000kHz
0x00000613: 5c 44                                               175000kHz
0x00000615: 5c 44                                               175000kHz
0x00000617: 5c 44                                               175000kHz
0x00000619: 5c 44                                               175000kHz
0x0000061b: 5c 44                                               175000kHz
0x0000061d: 5c 44                                               175000kHz
0x0000061f:                                                }]
0x0000061f: 34 d4 03 3c f0 04 01 10 04 05 68 00            IO_RESTRICT_PLL      R[0x680504] =PLL= (0x03d4[0x3c] & 0xf0) >> 4) IOFCOND 0x01 [{
0x0000062b: d8 40                                               166000kHz
0x0000062d: d8 40                                               166000kHz
0x0000062f: d8 40                                               166000kHz
0x00000631: d8 40                                               166000kHz
0x00000633: d8 40                                               166000kHz
0x00000635: d8 40                                               166000kHz
0x00000637: d8 40                                               166000kHz
0x00000639: d8 40                                               166000kHz
0x0000063b: d8 40                                               166000kHz
0x0000063d: d8 40                                               166000kHz
0x0000063f: d8 40                                               166000kHz
0x00000641: d8 40                                               166000kHz
0x00000643: d8 40                                               166000kHz
0x00000645: d8 40                                               166000kHz
0x00000647: d8 40                                               166000kHz
0x00000649: d8 40                                               166000kHz
0x0000064b:                                                }]
0x0000064b: 71                                             DONE

Init script 7 at 0x156:
0x00000156: 78 c4 03 01 ff 20                              INDEX_IO     I[0x03c4][0x01] &= 0xff |= 0x20
0x0000015c: 74 00 fa                                       TIME 0xfa00
0x0000015f: 7a d4 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d4] = 0x00000001
0x00000168: 7a c4 02 10 00 02 00 00 00                     ZM_REG       R[0x1002c4] = 0x00000002
0x00000171: 7a c0 02 10 00 31 01 00 00                     ZM_REG       R[0x1002c0] = 0x00000131
0x0000017a: 74 e8 03                                       TIME 0x03e8
0x0000017d: 7a d4 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d4] = 0x00000001
0x00000186: 7a d0 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d0] = 0x00000001
0x0000018f: 7a d0 02 10 00 01 00 00 00                     ZM_REG       R[0x1002d0] = 0x00000001
0x00000198: 7a c0 02 10 00 31 00 00 00                     ZM_REG       R[0x1002c0] = 0x00000031
0x000001a1: 78 c4 03 01 df 00                              INDEX_IO     I[0x03c4][0x01] &= 0xdf |= 0x00
0x000001a7: 71                                             DONE

Init script 8 at 0x79c:
0x0000079c: 78 c4 03 01 ff 20                              INDEX_IO     I[0x03c4][0x01] &= 0xff |= 0x20
0x000007a2: 7a 00 02 10 00 01 01 c1 08                     ZM_REG       R[0x100200] = 0x08c10101
0x000007ab: 63                                             COMPUTE_MEM
0x000007ac: 78 c4 03 01 df 00                              INDEX_IO     I[0x03c4][0x01] &= 0xdf |= 0x00
0x000007b2: 71                                             DONE

Condition table at 0xdf: 1 conditions:
0x000000df: 00 10 10 00 40 00 00 00 40 00 00 00            [0x00] R[0x101000] & 0x00000040 == 0x00000040

IO Condition table at 0xeb: 0 conditions:

IO Flag Condition table at 0xeb: 2 conditions:
0x000000eb: d4 03 3c f0 04 fd 00 01 00                     [0x00] BIOS[0x00fd + 0x03d4[0x3c] & 0xf0 >> 4] & 0x01 == 0x00
0x000000f4: d4 03 3c f0 04 fd 00 01 01                     [0x01] BIOS[0x00fd + 0x03d4[0x3c] & 0xf0 >> 4] & 0x01 == 0x01

Macro index table at 0x6fc: 3 macro indices:
0x000006fc: 00 01                                          [0x00] 0x00 *1
0x000006fe: 01 01                                          [0x01] 0x01 *1
0x00000700: 02 01                                          [0x02] 0x02 *1

Macro table at 0x702: 3 macros:
0x00000702: d4 02 10 00 01 00 00 00                        [0x00] R[0x1002d4] = 0x00000001
0x0000070a: 1c 02 10 00 01 00 00 00                        [0x01] R[0x10021c] = 0x00000001
0x00000712: d0 02 10 00 01 00 00 00                        [0x02] R[0x1002d0] = 0x00000001


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Nouveau] Off-by-one or bad BIOS image? Apple eMac 800 GeForce 2MX
  2022-01-19  7:27 [Nouveau] Off-by-one or bad BIOS image? Apple eMac 800 GeForce 2MX Nick Lopez
@ 2022-01-20 18:24 ` Ilia Mirkin
  2022-01-21  5:07   ` Nick Lopez
       [not found]   ` <2cc8f675-dec2-4640-88ab-b64dea2e3bc6@DM3NAM02FT036.eop-nam02.prod.protection.outlook.com>
  0 siblings, 2 replies; 4+ messages in thread
From: Ilia Mirkin @ 2022-01-20 18:24 UTC (permalink / raw)
  To: Nick Lopez; +Cc: nouveau

This stuff is always so confusing. Let's think this through.... if
bios size is 4, and we're trying to read a 4-byte thing starting at
address 0, that _ought_ to work, I think. So in my strawman case,
bios->size == 4, and size == 4. So we should only error if size >
bios->size, not if they're ==. Looks like your patch is right.

Want to make a linux kernel patch submission with this? (i.e.
including changelog, signoff, etc?)

Cheers,

  -ilia

On Thu, Jan 20, 2022 at 1:17 PM Nick Lopez <nick@glowingmonkey.org> wrote:
>
> Because I watch too much retro YouTube I decided it was a good idea to try installing Adelie Linux on my old G4/800 eMac, but the Live installer would freeze. By blacklisting nouveau I was able to get it booted and manually installed and, after hours and hours of compiling, get a working kernel tree to poke at. After only a few iterations with dump_stack() and nvkm_debug and the output of envytools/nvbios I worked out that the last initscript instruction was stored in the last byte of the ROM. I think the bounds check in the nvbios_addr() function is miscalculating the limit as one byte short, that’s why I was seeing this in the syslog:
>
> nouveau 0000:00:10.0: bios: OOB 1 000007b2 000007b2
> nouveau 0000:00:10.0: devinit: 0x000007b2[ ]: unknown opcode 0x00
> nouveau 0000:00:10.0: preinit failed with -22
> nouveau: DRM-master:00000000:00000080: init failed with -22
> nouveau 0000:00:10.0: DRM-master: Device allocation failed: -22
> nouveau: probe of 0000:00:10.0 failed with error -22
>
> After I changed the limit check from:
>
> if (unlikely(*addr + size >= bios->size)) {
>
> to:
>
> if (unlikely(*addr + size > bios->size)) {
>
> it initialized the card properly, brought up the fbconsole and even seems to be working in X with DRI. So the question is: was the bounds check wrong, or is the NVDA,BMP image provided by OpenFirmware truncated? I’m guessing this doesn’t turn up elsewhere because the ROM images read through any of the other methods are the size of flash chip they’re stored on so there’s always unused space at the end and they never use the last byte where the NVDA,BMP provided by OpenFirmware is just the active section.
>
> The patch is against the Adelie easy-kernel patch 5.4 tree, but it looks like that code is still there in the current upstream torvalds/linux git.

^ permalink raw reply	[flat|nested] 4+ messages in thread
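
Added example (not part of the thread and not the nouveau driver's code): a stand-alone C model of the two checks quoted above, run against a constructed image whose last byte, at 0x7b2, is the DONE opcode 0x71 from the nvbios dump. Assumptions: the 0x7b3-byte image size is inferred from the syslog line and the fix, a rejected read returns 0 to match "unknown opcode 0x00", and the function names and the wrap-safe variant are illustrative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed image: size inferred from the thread (a 1-byte read at 0x7b2
 * fails with ">=" and passes with ">", so the image is 0x7b3 bytes long).
 * Only the last byte is filled in: 0x71, the DONE opcode from the dump. */
#define IMAGE_SIZE 0x7b3u
static const uint8_t image[IMAGE_SIZE] = { [0x7b2] = 0x71 };

typedef bool (*range_fn)(uint32_t addr, uint32_t size, uint32_t limit);

/* "Before" check from the thread: treats the end offset as inclusive,
 * so a read ending on the last byte of the image is rejected. */
static bool range_ok_before(uint32_t addr, uint32_t size, uint32_t limit)
{
    return !(addr + size >= limit);
}

/* "After" check from the thread: addr + size is one past the last byte
 * read, so it may equal the image size. */
static bool range_ok_after(uint32_t addr, uint32_t size, uint32_t limit)
{
    return !(addr + size > limit);
}

/* Illustrative variant (not from the thread): same limit, but written so
 * that addr + size is never computed and therefore cannot wrap around. */
static bool range_ok_nowrap(uint32_t addr, uint32_t size, uint32_t limit)
{
    return size <= limit && addr <= limit - size;
}

/* Bounds-checked byte fetch. Returning 0 for a rejected read is an
 * assumption chosen to match "unknown opcode 0x00" in the syslog. */
static uint8_t fetch8(range_fn ok, uint32_t addr)
{
    return ok(addr, 1, IMAGE_SIZE) ? image[addr] : 0;
}

int main(void)
{
    printf("before: opcode at 0x7b2 = 0x%02x\n",
           (unsigned)fetch8(range_ok_before, 0x7b2));
    printf("after:  opcode at 0x7b2 = 0x%02x\n",
           (unsigned)fetch8(range_ok_after, 0x7b2));
    printf("after,  one past end ok = %d\n",
           range_ok_after(IMAGE_SIZE, 1, IMAGE_SIZE));
    printf("after,  wrapped addr ok = %d\n",
           range_ok_after(0xffffffffu, 1, IMAGE_SIZE));
    printf("nowrap, wrapped addr ok = %d\n",
           range_ok_nowrap(0xffffffffu, 1, IMAGE_SIZE));
    return 0;
}
```
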

* Re: [Nouveau] Off-by-one or bad BIOS image? Apple eMac 800 GeForce 2MX
  2022-01-20 18:24 ` Ilia Mirkin
@ 2022-01-21  5:07   ` Nick Lopez
       [not found]   ` <2cc8f675-dec2-4640-88ab-b64dea2e3bc6@DM3NAM02FT036.eop-nam02.prod.protection.outlook.com>
  1 sibling, 0 replies; 4+ messages in thread
From: Nick Lopez @ 2022-01-21  5:07 UTC (permalink / raw)
  To: Ilia Mirkin; +Cc: nouveau

[-- Attachment #1: Type: text/plain, Size: 2727 bytes --]

If it’s correct I’d like to see it make its way upstream. I have no idea what the submission procedure is.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Nouveau] Off-by-one or bad BIOS image? Apple eMac 800 GeForce 2MX
       [not found]   ` <2cc8f675-dec2-4640-88ab-b64dea2e3bc6@DM3NAM02FT036.eop-nam02.prod.protection.outlook.com>
@ 2022-01-21  6:48     ` Ilia Mirkin
  0 siblings, 0 replies; 4+ messages in thread
From: Ilia Mirkin @ 2022-01-21  6:48 UTC (permalink / raw)
  To: Nick Lopez; +Cc: nouveau

There's a surprisingly long document at
https://docs.kernel.org/process/submitting-patches.html

But basically make a git commit, make sure the commit message looks
like other commit messages in the area (look at "git log
drivers/gpu/drm/nouveau" for inspiration). Make sure your
Signed-off-by is on there. Then git format-patch the commit, and use
git send-email to send the resulting file to this mailing list +
dri-devel (or any other method of causing the contents of that file to
end up as the email that's sent rather than an attachment).

Cheers,

  -ilia

On Fri, Jan 21, 2022 at 12:07 AM Nick Lopez <nick@glowingmonkey.org> wrote:
>
> If it’s correct I’d like to see it make its way upstream. I have no idea what the submission procedure is.

^ permalink raw reply	[flat|nested] 4+ messages in thread
