--- /dev/null
+From 960cfc5012c33270d737a4fbe79a8ecbf0c1a73d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 21:55:13 +0300
+Subject: ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()
+
+From: Murad Masimov <m.masimov@maxima.ru>
+
+[ Upstream commit 8abbf1f01d6a2ef9f911f793e30f7382154b5a3a ]
+
+If amdtp_stream_init() fails in amdtp_tscm_init(), the latter returns zero,
+though it's supposed to return error code, which is checked inside
+init_stream() in file tascam-stream.c.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 47faeea25ef3 ("ALSA: firewire-tascam: add data block processing layer")
+Signed-off-by: Murad Masimov <m.masimov@maxima.ru>
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://patch.msgid.link/20241101185517.1819-1-m.masimov@maxima.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/firewire/tascam/amdtp-tascam.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/firewire/tascam/amdtp-tascam.c b/sound/firewire/tascam/amdtp-tascam.c
+index 64d66a8025455..ad185ff3209db 100644
+--- a/sound/firewire/tascam/amdtp-tascam.c
++++ b/sound/firewire/tascam/amdtp-tascam.c
+@@ -244,7 +244,7 @@ int amdtp_tscm_init(struct amdtp_stream *s, struct fw_unit *unit,
+ err = amdtp_stream_init(s, unit, dir, flags, fmt,
+ process_ctx_payloads, sizeof(struct amdtp_tscm));
+ if (err < 0)
+- return 0;
++ return err;
+
+ if (dir == AMDTP_OUT_STREAM) {
+ // Use fixed value for FDF field.
+--
+2.43.0
+
--- /dev/null
+From ed4f42c6b0a76d53aacea10da78a57f1c78c4fdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Nov 2024 15:02:42 +0100
+Subject: ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove
+
+From: Amelie Delaunay <amelie.delaunay@foss.st.com>
+
+[ Upstream commit 9bb4af400c386374ab1047df44c508512c08c31f ]
+
+In case of error when requesting ctrl_chan DMA channel, ctrl_chan is not
+null. So the release of the dma channel leads to the following issue:
+[ 4.879000] st,stm32-spdifrx 500d0000.audio-controller:
+dma_request_slave_channel error -19
+[ 4.888975] Unable to handle kernel NULL pointer dereference
+at virtual address 000000000000003d
+[...]
+[ 5.096577] Call trace:
+[ 5.099099] dma_release_channel+0x24/0x100
+[ 5.103235] stm32_spdifrx_remove+0x24/0x60 [snd_soc_stm32_spdifrx]
+[ 5.109494] stm32_spdifrx_probe+0x320/0x4c4 [snd_soc_stm32_spdifrx]
+
+To avoid this issue, release channel only if the pointer is valid.
+
+Fixes: 794df9448edb ("ASoC: stm32: spdifrx: manage rebind issue")
+Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Signed-off-by: Olivier Moysan <olivier.moysan@foss.st.com>
+Link: https://patch.msgid.link/20241105140242.527279-1-olivier.moysan@foss.st.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/stm/stm32_spdifrx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/stm/stm32_spdifrx.c b/sound/soc/stm/stm32_spdifrx.c
+index 48145f5535880..e3d6258afbac8 100644
+--- a/sound/soc/stm/stm32_spdifrx.c
++++ b/sound/soc/stm/stm32_spdifrx.c
+@@ -947,7 +947,7 @@ static int stm32_spdifrx_remove(struct platform_device *pdev)
+ {
+ struct stm32_spdifrx_data *spdifrx = platform_get_drvdata(pdev);
+
+- if (spdifrx->ctrl_chan)
++ if (!IS_ERR(spdifrx->ctrl_chan))
+ dma_release_channel(spdifrx->ctrl_chan);
+
+ if (spdifrx->dmab)
+--
+2.43.0
+
--- /dev/null
+From f221c854b9a187c06207fdef6c98d22a1347bbae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 12:25:09 +0200
+Subject: media: adv7604: prevent underflow condition when reporting colorspace
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 50b9fa751d1aef5d262bde871c70a7f44262f0bc ]
+
+Currently, adv76xx_log_status() reads some date using
+io_read() which may return negative values. The current logic
+doesn't check such errors, causing colorspace to be reported
+on a wrong way at adv76xx_log_status(), as reported by Coverity.
+
+If I/O error happens there, print a different message, instead
+of reporting bogus messages to userspace.
+
+Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/adv7604.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c
+index d688ffff7a074..5ed5a22b946ff 100644
+--- a/drivers/media/i2c/adv7604.c
++++ b/drivers/media/i2c/adv7604.c
+@@ -2517,10 +2517,10 @@ static int adv76xx_log_status(struct v4l2_subdev *sd)
+ const struct adv76xx_chip_info *info = state->info;
+ struct v4l2_dv_timings timings;
+ struct stdi_readback stdi;
+- u8 reg_io_0x02 = io_read(sd, 0x02);
++ int ret;
++ u8 reg_io_0x02;
+ u8 edid_enabled;
+ u8 cable_det;
+-
+ static const char * const csc_coeff_sel_rb[16] = {
+ "bypassed", "YPbPr601 -> RGB", "reserved", "YPbPr709 -> RGB",
+ "reserved", "RGB -> YPbPr601", "reserved", "RGB -> YPbPr709",
+@@ -2619,13 +2619,21 @@ static int adv76xx_log_status(struct v4l2_subdev *sd)
+ v4l2_info(sd, "-----Color space-----\n");
+ v4l2_info(sd, "RGB quantization range ctrl: %s\n",
+ rgb_quantization_range_txt[state->rgb_quantization_range]);
+- v4l2_info(sd, "Input color space: %s\n",
+- input_color_space_txt[reg_io_0x02 >> 4]);
+- v4l2_info(sd, "Output color space: %s %s, alt-gamma %s\n",
+- (reg_io_0x02 & 0x02) ? "RGB" : "YCbCr",
+- (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ?
+- "(16-235)" : "(0-255)",
+- (reg_io_0x02 & 0x08) ? "enabled" : "disabled");
++
++ ret = io_read(sd, 0x02);
++ if (ret < 0) {
++ v4l2_info(sd, "Can't read Input/Output color space\n");
++ } else {
++ reg_io_0x02 = ret;
++
++ v4l2_info(sd, "Input color space: %s\n",
++ input_color_space_txt[reg_io_0x02 >> 4]);
++ v4l2_info(sd, "Output color space: %s %s, alt-gamma %s\n",
++ (reg_io_0x02 & 0x02) ? "RGB" : "YCbCr",
++ (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ?
++ "(16-235)" : "(0-255)",
++ (reg_io_0x02 & 0x08) ? "enabled" : "disabled");
++ }
+ v4l2_info(sd, "Color space conversion: %s\n",
+ csc_coeff_sel_rb[cp_read(sd, info->cp_csc) >> 4]);
+
+--
+2.43.0
+
--- /dev/null
+From 3947a81c62c13ae1418df9ce967e894a4ac298e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 16:05:16 +0200
+Subject: media: dvb_frontend: don't play tricks with underflow values
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 9883a4d41aba7612644e9bb807b971247cea9b9d ]
+
+fepriv->auto_sub_step is unsigned. Setting it to -1 is just a
+trick to avoid calling continue, as reported by Coverity.
+
+It relies to have this code just afterwards:
+
+ if (!ready) fepriv->auto_sub_step++;
+
+Simplify the code by simply setting it to zero and use
+continue to return to the while loop.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_frontend.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
+index d76ac3ec93c2f..762058d748ddf 100644
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -443,8 +443,8 @@ static int dvb_frontend_swzigzag_autotune(struct dvb_frontend *fe, int check_wra
+
+ default:
+ fepriv->auto_step++;
+- fepriv->auto_sub_step = -1; /* it'll be incremented to 0 in a moment */
+- break;
++ fepriv->auto_sub_step = 0;
++ continue;
+ }
+
+ if (!ready) fepriv->auto_sub_step++;
+--
+2.43.0
+
--- /dev/null
+From ee629e9f11e55254a854787c39b2db765dd7a259 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Oct 2024 15:23:01 +0200
+Subject: media: dvbdev: prevent the risk of out of memory access
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+[ Upstream commit 972e63e895abbe8aa1ccbdbb4e6362abda7cd457 ]
+
+The dvbdev contains a static variable used to store dvb minors.
+
+The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set
+or not. When not set, dvb_register_device() won't check for
+boundaries, as it will rely that a previous call to
+dvb_register_adapter() would already be enforcing it.
+
+On a similar way, dvb_device_open() uses the assumption
+that the register functions already did the needed checks.
+
+This can be fragile if some device ends using different
+calls. This also generate warnings on static check analysers
+like Coverity.
+
+So, add explicit guards to prevent potential risk of OOM issues.
+
+Fixes: 5dd3f3071070 ("V4L/DVB (9361): Dynamic DVB minor allocation")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvbdev.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
+index 661588fc64f6a..71344ae26fea7 100644
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -96,10 +96,15 @@ static DECLARE_RWSEM(minor_rwsem);
+ static int dvb_device_open(struct inode *inode, struct file *file)
+ {
+ struct dvb_device *dvbdev;
++ unsigned int minor = iminor(inode);
++
++ if (minor >= MAX_DVB_MINORS)
++ return -ENODEV;
+
+ mutex_lock(&dvbdev_mutex);
+ down_read(&minor_rwsem);
+- dvbdev = dvb_minors[iminor(inode)];
++
++ dvbdev = dvb_minors[minor];
+
+ if (dvbdev && dvbdev->fops) {
+ int err = 0;
+@@ -539,7 +544,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ for (minor = 0; minor < MAX_DVB_MINORS; minor++)
+ if (dvb_minors[minor] == NULL)
+ break;
+- if (minor == MAX_DVB_MINORS) {
++ if (minor >= MAX_DVB_MINORS) {
+ if (new_node) {
+ list_del (&new_node->list_head);
+ kfree(dvbdevfops);
+@@ -554,6 +559,14 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
+ }
+ #else
+ minor = nums2minor(adap->num, type, id);
++ if (minor >= MAX_DVB_MINORS) {
++ dvb_media_device_free(dvbdev);
++ list_del(&dvbdev->list_head);
++ kfree(dvbdev);
++ *pdvbdev = NULL;
++ mutex_unlock(&dvbdev_register_lock);
++ return ret;
++ }
+ #endif
+ dvbdev->minor = minor;
+ dvb_minors[minor] = dvb_device_get(dvbdev);
+--
+2.43.0
+
--- /dev/null
+From 67b3981823bc5540f103c1427e1f252d622f4f32 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Oct 2024 12:02:53 +0100
+Subject: scsi: sd_zbc: Use kvzalloc() to allocate REPORT ZONES buffer
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+[ Upstream commit 7ce3e6107103214d354a16729a472f588be60572 ]
+
+We have two reports of failed memory allocation in btrfs' code which is
+calling into report zones.
+
+Both of these reports have the following signature coming from
+__vmalloc_area_node():
+
+ kworker/u17:5: vmalloc error: size 0, failed to allocate pages, mode:0x10dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NORETRY|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0
+
+Further debugging showed these where allocations of one sector (512
+bytes) and at least one of the reporter's systems where low on memory,
+so going through the overhead of allocating a vm area failed.
+
+Switching the allocation from __vmalloc() to kvzalloc() avoids the
+overhead of vmalloc() on small allocations and succeeds.
+
+Note: the buffer is already freed using kvfree() so there's no need to
+adjust the free path.
+
+Cc: Qu Wenru <wqu@suse.com>
+Cc: Naohiro Aota <naohiro.aota@wdc.com>
+Link: https://github.com/kdave/btrfs-progs/issues/779
+Link: https://github.com/kdave/btrfs-progs/issues/915
+Fixes: 23a50861adda ("scsi: sd_zbc: Cleanup sd_zbc_alloc_report_buffer()")
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Link: https://lore.kernel.org/r/20241030110253.11718-1-jth@kernel.org
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sd_zbc.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c
+index ed06798983f87..00791a42b8d87 100644
+--- a/drivers/scsi/sd_zbc.c
++++ b/drivers/scsi/sd_zbc.c
+@@ -168,8 +168,7 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp,
+ bufsize = min_t(size_t, bufsize, queue_max_segments(q) << PAGE_SHIFT);
+
+ while (bufsize >= SECTOR_SIZE) {
+- buf = __vmalloc(bufsize,
+- GFP_KERNEL | __GFP_ZERO | __GFP_NORETRY);
++ buf = kvzalloc(bufsize, GFP_KERNEL | __GFP_NORETRY);
+ if (buf) {
+ *buflen = bufsize;
+ return buf;
+--
+2.43.0
+
net-arc-fix-the-device-for-dma_map_single-dma_unmap_.patch
revert-alsa-hda-conexant-mute-speakers-at-suspend-shutdown.patch
media-stb0899_algo-initialize-cfr-before-using-it.patch
+media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch
+media-dvb_frontend-don-t-play-tricks-with-underflow-.patch
+media-adv7604-prevent-underflow-condition-when-repor.patch
+scsi-sd_zbc-use-kvzalloc-to-allocate-report-zones-bu.patch
+alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch
+asoc-stm32-spdifrx-fix-dma-channel-release-in-stm32_.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
