--- /dev/null
+From 37238699073e7e93f05517e529661151173cd458 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua <hbh25y@gmail.com>
+Date: Thu, 19 May 2022 03:17:43 +0100
+Subject: media: dvb_vb2: fix possible out of bound access
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+commit 37238699073e7e93f05517e529661151173cd458 upstream.
+
+vb2_core_qbuf and vb2_core_querybuf don't check the range of b->index
+controlled by the user.
+
+Fix this by adding range checking code before using them.
+
+Fixes: 57868acc369a ("media: videobuf2: Add new uAPI for DVB streaming I/O")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-core/dvb_vb2.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/media/dvb-core/dvb_vb2.c
++++ b/drivers/media/dvb-core/dvb_vb2.c
+@@ -354,6 +354,12 @@ int dvb_vb2_reqbufs(struct dvb_vb2_ctx *
+
+ int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
+ {
++ struct vb2_queue *q = &ctx->vb_q;
++
++ if (b->index >= q->num_buffers) {
++ dprintk(1, "[%s] buffer index out of range\n", ctx->name);
++ return -EINVAL;
++ }
+ vb2_core_querybuf(&ctx->vb_q, b->index, b);
+ dprintk(3, "[%s] index=%d\n", ctx->name, b->index);
+ return 0;
+@@ -378,8 +384,13 @@ int dvb_vb2_expbuf(struct dvb_vb2_ctx *c
+
+ int dvb_vb2_qbuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
+ {
++ struct vb2_queue *q = &ctx->vb_q;
+ int ret;
+
++ if (b->index >= q->num_buffers) {
++ dprintk(1, "[%s] buffer index out of range\n", ctx->name);
++ return -EINVAL;
++ }
+ ret = vb2_core_qbuf(&ctx->vb_q, b->index, b, NULL);
+ if (ret) {
+ dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,
--- /dev/null
+From a2d2e593d39bc2f29a1cd5e3779af457fd26490c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?N=C3=ADcolas=20F=2E=20R=2E=20A=2E=20Prado?=
+ <nfraprado@collabora.com>
+Date: Fri, 17 Jun 2022 21:39:06 +0100
+Subject: media: mediatek: vcodec: Drop platform_get_resource(IORESOURCE_IRQ)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: NĂcolas F. R. A. Prado <nfraprado@collabora.com>
+
+commit a2d2e593d39bc2f29a1cd5e3779af457fd26490c upstream.
+
+Commit a1a2b7125e10 ("of/platform: Drop static setup of IRQ resource
+from DT core") removed support for calling platform_get_resource(...,
+IORESOURCE_IRQ, ...) on DT-based drivers, but the probe() function of
+mtk-vcodec's encoder was still making use of it. This caused the encoder
+driver to fail probe.
+
+Since the platform_get_resource() call was only being used to check for
+the presence of the interrupt (its returned resource wasn't even used)
+and platform_get_irq() was already being used to get the IRQ, simply
+drop the use of platform_get_resource(IORESOURCE_IRQ) and handle the
+failure of platform_get_irq(), to get the driver probing again.
+
+[hverkuil: drop unused struct resource *res]
+
+Fixes: a1a2b7125e10 ("of/platform: Drop static setup of IRQ resource from DT core")
+Signed-off-by: NĂcolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc_drv.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc_drv.c
++++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc_drv.c
+@@ -228,7 +228,6 @@ static int mtk_vcodec_probe(struct platf
+ {
+ struct mtk_vcodec_dev *dev;
+ struct video_device *vfd_enc;
+- struct resource *res;
+ phandle rproc_phandle;
+ enum mtk_vcodec_fw_type fw_type;
+ int ret;
+@@ -272,14 +271,12 @@ static int mtk_vcodec_probe(struct platf
+ goto err_res;
+ }
+
+- res = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
+- if (res == NULL) {
+- dev_err(&pdev->dev, "failed to get irq resource");
+- ret = -ENOENT;
++ dev->enc_irq = platform_get_irq(pdev, 0);
++ if (dev->enc_irq < 0) {
++ ret = dev->enc_irq;
+ goto err_res;
+ }
+
+- dev->enc_irq = platform_get_irq(pdev, 0);
+ irq_set_status_flags(dev->enc_irq, IRQ_NOAUTOEN);
+ ret = devm_request_irq(&pdev->dev, dev->enc_irq,
+ mtk_vcodec_enc_irq_handler,
--- /dev/null
+From 3a99c4474112f49a5459933d8758614002ca0ddc Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Date: Fri, 10 Jun 2022 13:52:11 +0100
+Subject: media: rkvdec: Disable H.264 error detection
+
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+
+commit 3a99c4474112f49a5459933d8758614002ca0ddc upstream.
+
+Quite often, the HW get stuck in error condition if a stream error
+was detected. As documented, the HW should stop immediately and self
+reset. There is likely a problem or a miss-understanding of the self
+reset mechanism, as unless we make a long pause, the next command
+will then report an error even if there is no error in it.
+
+Disabling error detection fixes the issue, and let the decoder continue
+after an error. This patch is safe for backport into older kernels.
+
+Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Tested-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/rkvdec/rkvdec-h264.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/media/rkvdec/rkvdec-h264.c
++++ b/drivers/staging/media/rkvdec/rkvdec-h264.c
+@@ -1175,8 +1175,8 @@ static int rkvdec_h264_run(struct rkvdec
+
+ schedule_delayed_work(&rkvdec->watchdog_work, msecs_to_jiffies(2000));
+
+- writel(0xffffffff, rkvdec->regs + RKVDEC_REG_STRMD_ERR_EN);
+- writel(0xffffffff, rkvdec->regs + RKVDEC_REG_H264_ERR_E);
++ writel(0, rkvdec->regs + RKVDEC_REG_STRMD_ERR_EN);
++ writel(0, rkvdec->regs + RKVDEC_REG_H264_ERR_E);
+ writel(1, rkvdec->regs + RKVDEC_REG_PREF_LUMA_CACHE_COMMAND);
+ writel(1, rkvdec->regs + RKVDEC_REG_PREF_CHR_CACHE_COMMAND);
+
--- /dev/null
+From 4e768c8e34e639cff66a0f175bc4aebf472e4305 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Mon, 21 Mar 2022 08:33:56 +0000
+Subject: media: v4l2-compat-ioctl32.c: zero buffer passed to v4l2_compat_get_array_args()
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 4e768c8e34e639cff66a0f175bc4aebf472e4305 upstream.
+
+The v4l2_compat_get_array_args() function can leave uninitialized memory in the
+buffer it is passed. So zero it before copying array elements from userspace
+into the buffer.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+ff18193ff05f3f87f226@syzkaller.appspotmail.com
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -1040,6 +1040,8 @@ int v4l2_compat_get_array_args(struct fi
+ {
+ int err = 0;
+
++ memset(mbuf, 0, array_size);
++
+ switch (cmd) {
+ case VIDIOC_G_FMT32:
+ case VIDIOC_S_FMT32:
mm-bring-back-update_mmu_cache-to-finish_fault.patch
mm-hugetlb-correct-demote-page-offset-logic.patch
mm-hwpoison-check-mm-when-killing-accessing-process.patch
+media-dvb_vb2-fix-possible-out-of-bound-access.patch
+media-rkvdec-disable-h.264-error-detection.patch
+media-mediatek-vcodec-drop-platform_get_resource-ioresource_irq.patch
+media-v4l2-compat-ioctl32.c-zero-buffer-passed-to-v4l2_compat_get_array_args.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
