--- /dev/null
+From b92e4b070a94a7707650c05e0bd8bd0dc7ffb332 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 21:55:13 +0300
+Subject: ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()
+
+From: Murad Masimov <m.masimov@maxima.ru>
+
+[ Upstream commit 8abbf1f01d6a2ef9f911f793e30f7382154b5a3a ]
+
+If amdtp_stream_init() fails in amdtp_tscm_init(), the latter returns zero,
+though it's supposed to return error code, which is checked inside
+init_stream() in file tascam-stream.c.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 47faeea25ef3 ("ALSA: firewire-tascam: add data block processing layer")
+Signed-off-by: Murad Masimov <m.masimov@maxima.ru>
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20241101185517.1819-1-m.masimov@maxima.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/firewire/tascam/amdtp-tascam.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/firewire/tascam/amdtp-tascam.c b/sound/firewire/tascam/amdtp-tascam.c
+index ab482423c1654..726cf659133b2 100644
+--- a/sound/firewire/tascam/amdtp-tascam.c
++++ b/sound/firewire/tascam/amdtp-tascam.c
+@@ -172,7 +172,7 @@ int amdtp_tscm_init(struct amdtp_stream *s, struct fw_unit *unit,
+ CIP_NONBLOCKING | CIP_SKIP_DBC_ZERO_CHECK, fmt,
+ process_data_blocks, sizeof(struct amdtp_tscm));
+ if (err < 0)
+- return 0;
++ return err;
+
+ /* Use fixed value for FDF field. */
+ s->fdf = 0x00;
+--
+2.43.0
+
--- /dev/null
+From 12fd5b225717b97c9fb04da85f5bf736483fd89e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 12:25:09 +0200
+Subject: media: adv7604: prevent underflow condition when reporting colorspace
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 50b9fa751d1aef5d262bde871c70a7f44262f0bc ]
+
+Currently, adv76xx_log_status() reads some date using
+io_read() which may return negative values. The current logic
+doesn't check such errors, causing colorspace to be reported
+on a wrong way at adv76xx_log_status(), as reported by Coverity.
+
+If I/O error happens there, print a different message, instead
+of reporting bogus messages to userspace.
+
+Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7604.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
+index 04577d409e63c..c48952f36af1a 100644
+--- a/drivers/media/i2c/adv7604.c
++++ b/drivers/media/i2c/adv7604.c
+@@ -2453,10 +2453,10 @@ static int adv76xx_log_status(struct v4l2_subdev *sd)
+ const struct adv76xx_chip_info *info = state->info;
+ struct v4l2_dv_timings timings;
+ struct stdi_readback stdi;
+- u8 reg_io_0x02 = io_read(sd, 0x02);
++ int ret;
++ u8 reg_io_0x02;
+ u8 edid_enabled;
+ u8 cable_det;
+-
+ static const char * const csc_coeff_sel_rb[16] = {
+ "bypassed", "YPbPr601 -> RGB", "reserved", "YPbPr709 -> RGB",
+ "reserved", "RGB -> YPbPr601", "reserved", "RGB -> YPbPr709",
+@@ -2555,13 +2555,21 @@ static int adv76xx_log_status(struct v4l2_subdev *sd)
+ v4l2_info(sd, "-----Color space-----\n");
+ v4l2_info(sd, "RGB quantization range ctrl: %s\n",
+ rgb_quantization_range_txt[state->rgb_quantization_range]);
+- v4l2_info(sd, "Input color space: %s\n",
+- input_color_space_txt[reg_io_0x02 >> 4]);
+- v4l2_info(sd, "Output color space: %s %s, alt-gamma %s\n",
+- (reg_io_0x02 & 0x02) ? "RGB" : "YCbCr",
+- (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ?
+- "(16-235)" : "(0-255)",
+- (reg_io_0x02 & 0x08) ? "enabled" : "disabled");
++
++ ret = io_read(sd, 0x02);
++ if (ret < 0) {
++ v4l2_info(sd, "Can't read Input/Output color space\n");
++ } else {
++ reg_io_0x02 = ret;
++
++ v4l2_info(sd, "Input color space: %s\n",
++ input_color_space_txt[reg_io_0x02 >> 4]);
++ v4l2_info(sd, "Output color space: %s %s, alt-gamma %s\n",
++ (reg_io_0x02 & 0x02) ? "RGB" : "YCbCr",
++ (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ?
++ "(16-235)" : "(0-255)",
++ (reg_io_0x02 & 0x08) ? "enabled" : "disabled");
++ }
+ v4l2_info(sd, "Color space conversion: %s\n",
+ csc_coeff_sel_rb[cp_read(sd, info->cp_csc) >> 4]);
+
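Review bot: The context line just after the new `else` block, `csc_coeff_sel_rb[cp_read(sd, info->cp_csc) >> 4]`, still indexes the 16-entry `csc_coeff_sel_rb` table with an unchecked read result. If cp_read() can return a negative error code the way io_read() does (its definition is outside the hunk), the shifted value stays negative and the lookup reads before the start of the table. The same pattern would close it: `ret = cp_read(sd, info->cp_csc);`, then `if (ret < 0)` print a "can't read" message, otherwise index with `ret >> 4`. adv76xx_log_status() continues on both sides of this hunk, so other unchecked register reads may remain outside it.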
+--
+2.43.0
+
--- /dev/null
+From 79d27d2a4ddb54525a64b7afa551296a0f912a99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 16:05:16 +0200
+Subject: media: dvb_frontend: don't play tricks with underflow values
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 9883a4d41aba7612644e9bb807b971247cea9b9d ]
+
+fepriv->auto_sub_step is unsigned. Setting it to -1 is just a
+trick to avoid calling continue, as reported by Coverity.
+
+It relies to have this code just afterwards:
+
+ if (!ready) fepriv->auto_sub_step++;
+
+Simplify the code by simply setting it to zero and use
+continue to return to the while loop.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_frontend.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
+index 90acf52cc253c..6082a8019c151 100644
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -454,8 +454,8 @@ static int dvb_frontend_swzigzag_autotune(struct dvb_frontend *fe, int check_wra
+
+ default:
+ fepriv->auto_step++;
+- fepriv->auto_sub_step = -1; /* it'll be incremented to 0 in a moment */
+- break;
++ fepriv->auto_sub_step = 0;
++ continue;
+ }
+
+ if (!ready) fepriv->auto_sub_step++;
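Review bot: The `continue` in the `default:` arm targets the enclosing loop rather than the switch, and that loop is not visible in the hunk, so the new lines lose the explanation the removed comment gave. A short replacement comment such as `/* next auto_step: restart sub-steps at 0 and re-run the loop */` would keep the intent readable. The rewrite matches the old `-1` plus increment only if `ready` is still zero in this arm and nothing other than `if (!ready) fepriv->auto_sub_step++;` follows the switch inside the loop body. The hunk suggests both, but they should be confirmed against the full function.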
+--
+2.43.0
+
--- /dev/null
+From 303c5541811002922bcf547f62b8033f51174c3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 15:23:01 +0200
+Subject: media: dvbdev: prevent the risk of out of memory access
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 972e63e895abbe8aa1ccbdbb4e6362abda7cd457 ]
+
+The dvbdev contains a static variable used to store dvb minors.
+
+The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set
+or not. When not set, dvb_register_device() won't check for
+boundaries, as it will rely that a previous call to
+dvb_register_adapter() would already be enforcing it.
+
+On a similar way, dvb_device_open() uses the assumption
+that the register functions already did the needed checks.
+
+This can be fragile if some device ends using different
+calls. This also generate warnings on static check analysers
+like Coverity.
+
+So, add explicit guards to prevent potential risk of OOM issues.
+
+Fixes: 5dd3f3071070 ("V4L/DVB (9361): Dynamic DVB minor allocation")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvbdev.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
+index 5124f412c05dc..49d55c5bf717f 100644
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -96,10 +96,15 @@ static DECLARE_RWSEM(minor_rwsem);
+ static int dvb_device_open(struct inode *inode, struct file *file)
+ {
+ struct dvb_device *dvbdev;
++ unsigned int minor = iminor(inode);
++
++ if (minor >= MAX_DVB_MINORS)
++ return -ENODEV;
+
+ mutex_lock(&dvbdev_mutex);
+ down_read(&minor_rwsem);
+- dvbdev = dvb_minors[iminor(inode)];
++
++ dvbdev = dvb_minors[minor];
+
+ if (dvbdev && dvbdev->fops) {
+ int err = 0;
+@@ -539,7 +544,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ for (minor = 0; minor < MAX_DVB_MINORS; minor++)
+ if (dvb_minors[minor] == NULL)
+ break;
+- if (minor == MAX_DVB_MINORS) {
++ if (minor >= MAX_DVB_MINORS) {
+ if (new_node) {
+ list_del (&new_node->list_head);
+ kfree(dvbdevfops);
+@@ -554,6 +559,14 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ }
+ #else
+ minor = nums2minor(adap->num, type, id);
++ if (minor >= MAX_DVB_MINORS) {
++ dvb_media_device_free(dvbdev);
++ list_del(&dvbdev->list_head);
++ kfree(dvbdev);
++ *pdvbdev = NULL;
++ mutex_unlock(&dvbdev_register_lock);
++ return ret;
++ }
+ #endif
+ dvbdev->minor = minor;
+ dvb_minors[minor] = dvb_device_get(dvbdev);
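Review bot: The new `minor >= MAX_DVB_MINORS` guard in the `#else` branch exits with `return ret;`, but nothing in the guard assigns `ret`, so the caller may see success (or an indeterminate value) while `*pdvbdev` is NULL. It should return an explicit error such as `-EINVAL`. The guard also skips the `new_node` / `dvbdevfops` cleanup that the dynamic-minors failure path a few lines above performs, and it releases only `dvbdev_register_lock`. If dvb_register_device() holds `minor_rwsem` for writing at this point (the acquisition is outside the hunk), later opens and registrations would block on it. The function starts and ends outside the hunk, so the lock state and the value of `ret` need confirming against the full body.

```c
	if (minor >= MAX_DVB_MINORS) {
		/* mirror the cleanup done on the dynamic-minors failure path */
		if (new_node) {
			list_del(&new_node->list_head);
			kfree(dvbdevfops);
			kfree(new_node);
		}
		/* … unchanged: dvb_media_device_free(), list_del(), kfree(dvbdev), *pdvbdev = NULL … */
		up_write(&minor_rwsem);	/* only if the write lock is held here */
		mutex_unlock(&dvbdev_register_lock);
		return -EINVAL;
	}
```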
+--
+2.43.0
+
can-c_can-fix-rx-tx-_errors-statistics.patch
net-hns3-fix-kernel-crash-when-uninstalling-driver.patch
media-stb0899_algo-initialize-cfr-before-using-it.patch
+media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch
+media-dvb_frontend-don-t-play-tricks-with-underflow-.patch
+media-adv7604-prevent-underflow-condition-when-repor.patch
+alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch