--- /dev/null
+From 3c1c18551e6ac1b988d0a05c5650e3f6c95a1b8a Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Tue, 1 Oct 2024 16:56:22 +0200
+Subject: can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 3c1c18551e6ac1b988d0a05c5650e3f6c95a1b8a upstream.
+
+Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround
+broken TEF FIFO tail index erratum") introduced
+mcp251xfd_get_tef_len() to get the number of unhandled transmit events
+from the Transmit Event FIFO (TEF).
+
+As the TEF has no head pointer, the driver uses the TX FIFO's tail
+pointer instead, assuming that send frames are completed. However the
+check for the TEF being full was not correct. This leads to the driver
+stop working if the TEF is full.
+
+Fix the TEF full check by assuming that if, from the driver's point of
+view, there are no free TX buffers in the chip and the TX FIFO is
+empty, all messages must have been sent and the TEF must therefore be
+full.
+
+Reported-by: Sven Schuchmann <schuchmann@schleissheimer.de>
+Closes: https://patch.msgid.link/FR3P281MB155216711EFF900AD9791B7ED9692@FR3P281MB1552.DEUP281.PROD.OUTLOOK.COM
+Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum")
+Tested-by: Sven Schuchmann <schuchmann@schleissheimer.de>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20241104-mcp251xfd-fix-length-calculation-v3-1-608b6e7e2197@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
+index f732556d233a..d3ac865933fd 100644
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
+@@ -16,9 +16,9 @@
+
+ #include "mcp251xfd.h"
+
+-static inline bool mcp251xfd_tx_fifo_sta_full(u32 fifo_sta)
++static inline bool mcp251xfd_tx_fifo_sta_empty(u32 fifo_sta)
+ {
+- return !(fifo_sta & MCP251XFD_REG_FIFOSTA_TFNRFNIF);
++ return fifo_sta & MCP251XFD_REG_FIFOSTA_TFERFFIF;
+ }
+
+ static inline int
+@@ -122,7 +122,11 @@ mcp251xfd_get_tef_len(struct mcp251xfd_priv *priv, u8 *len_p)
+ if (err)
+ return err;
+
+- if (mcp251xfd_tx_fifo_sta_full(fifo_sta)) {
++ /* If the chip says the TX-FIFO is empty, but there are no TX
++ * buffers free in the ring, we assume all have been sent.
++ */
++ if (mcp251xfd_tx_fifo_sta_empty(fifo_sta) &&
++ mcp251xfd_get_tx_free(tx_ring) == 0) {
+ *len_p = tx_ring->obj_num;
+ return 0;
+ }
+--
+2.47.0
+
--- /dev/null
+From eb9a839b3d8a989be5970035a5cf29bcd6ffd24d Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Fri, 25 Oct 2024 14:34:40 +0200
+Subject: can: mcp251xfd: mcp251xfd_ring_alloc(): fix coalescing configuration when switching CAN modes
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit eb9a839b3d8a989be5970035a5cf29bcd6ffd24d upstream.
+
+Since commit 50ea5449c563 ("can: mcp251xfd: fix ring configuration
+when switching from CAN-CC to CAN-FD mode"), the current ring and
+coalescing configuration is passed to can_ram_get_layout(). That fixed
+the issue when switching between CAN-CC and CAN-FD mode with
+configured ring (rx, tx) and/or coalescing parameters (rx-frames-irq,
+tx-frames-irq).
+
+However 50ea5449c563 ("can: mcp251xfd: fix ring configuration when
+switching from CAN-CC to CAN-FD mode"), introduced a regression when
+switching CAN modes with disabled coalescing configuration: Even if
+the previous CAN mode has no coalescing configured, the new mode is
+configured with active coalescing. This leads to delayed receiving of
+CAN-FD frames.
+
+This comes from the fact, that ethtool uses usecs = 0 and max_frames =
+1 to disable coalescing, however the driver uses internally
+priv->{rx,tx}_obj_num_coalesce_irq = 0 to indicate disabled
+coalescing.
+
+Fix the regression by assigning struct ethtool_coalesce
+ec->{rx,tx}_max_coalesced_frames_irq = 1 if coalescing is disabled in
+the driver as can_ram_get_layout() expects this.
+
+Reported-by: https://github.com/vdh-robothania
+Closes: https://github.com/raspberrypi/linux/issues/6407
+Fixes: 50ea5449c563 ("can: mcp251xfd: fix ring configuration when switching from CAN-CC to CAN-FD mode")
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241025-mcp251xfd-fix-coalesing-v1-1-9d11416de1df@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-ring.c
+@@ -2,7 +2,7 @@
+ //
+ // mcp251xfd - Microchip MCP251xFD Family CAN controller driver
+ //
+-// Copyright (c) 2019, 2020, 2021 Pengutronix,
++// Copyright (c) 2019, 2020, 2021, 2024 Pengutronix,
+ // Marc Kleine-Budde <kernel@pengutronix.de>
+ //
+ // Based on:
+@@ -473,9 +473,11 @@ int mcp251xfd_ring_alloc(struct mcp251xf
+ };
+ const struct ethtool_coalesce ec = {
+ .rx_coalesce_usecs_irq = priv->rx_coalesce_usecs_irq,
+- .rx_max_coalesced_frames_irq = priv->rx_obj_num_coalesce_irq,
++ .rx_max_coalesced_frames_irq = priv->rx_obj_num_coalesce_irq == 0 ?
++ 1 : priv->rx_obj_num_coalesce_irq,
+ .tx_coalesce_usecs_irq = priv->tx_coalesce_usecs_irq,
+- .tx_max_coalesced_frames_irq = priv->tx_obj_num_coalesce_irq,
++ .tx_max_coalesced_frames_irq = priv->tx_obj_num_coalesce_irq == 0 ?
++ 1 : priv->tx_obj_num_coalesce_irq,
+ };
+ struct can_ram_layout layout;
+
--- /dev/null
+From 0a77715db22611df50b178374c51e2ba0d58866e Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sat, 2 Nov 2024 18:46:38 +0900
+Subject: ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 0a77715db22611df50b178374c51e2ba0d58866e upstream.
+
+There is a race condition between ksmbd_smb2_session_create and
+ksmbd_expire_session. This patch add missing sessions_table_lock
+while adding/deleting session from global session table.
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/mgmt/user_session.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -174,6 +174,7 @@ static void ksmbd_expire_session(struct
+ unsigned long id;
+ struct ksmbd_session *sess;
+
++ down_write(&sessions_table_lock);
+ down_write(&conn->session_lock);
+ xa_for_each(&conn->sessions, id, sess) {
+ if (atomic_read(&sess->refcnt) == 0 &&
+@@ -187,6 +188,7 @@ static void ksmbd_expire_session(struct
+ }
+ }
+ up_write(&conn->session_lock);
++ up_write(&sessions_table_lock);
+ }
+
+ int ksmbd_session_register(struct ksmbd_conn *conn,
+@@ -228,7 +230,6 @@ void ksmbd_sessions_deregister(struct ks
+ }
+ }
+ }
+- up_write(&sessions_table_lock);
+
+ down_write(&conn->session_lock);
+ xa_for_each(&conn->sessions, id, sess) {
+@@ -248,6 +249,7 @@ void ksmbd_sessions_deregister(struct ks
+ }
+ }
+ up_write(&conn->session_lock);
++ up_write(&sessions_table_lock);
+ }
+
+ struct ksmbd_session *ksmbd_session_lookup(struct ksmbd_conn *conn,
--- /dev/null
+From b8fc56fbca7482c1e5c0e3351c6ae78982e25ada Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Mon, 4 Nov 2024 13:40:41 +0900
+Subject: ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit b8fc56fbca7482c1e5c0e3351c6ae78982e25ada upstream.
+
+ksmbd_user_session_put should be called under smb3_preauth_hash_rsp().
+It will avoid freeing session before calling smb3_preauth_hash_rsp().
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/server.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/server/server.c
++++ b/fs/smb/server/server.c
+@@ -238,11 +238,11 @@ static void __handle_ksmbd_work(struct k
+ } while (is_chained == true);
+
+ send:
+- if (work->sess)
+- ksmbd_user_session_put(work->sess);
+ if (work->tcon)
+ ksmbd_tree_connect_put(work->tcon);
+ smb3_preauth_hash_rsp(work);
++ if (work->sess)
++ ksmbd_user_session_put(work->sess);
+ if (work->sess && work->sess->enc && work->encrypted &&
+ conn->ops->encrypt_resp) {
+ rc = conn->ops->encrypt_resp(work);
--- /dev/null
+From 3abab905b14f4ba756d413f37f1fb02b708eee93 Mon Sep 17 00:00:00 2001
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+Date: Mon, 28 Oct 2024 08:28:30 +0900
+Subject: ksmbd: Fix the missing xa_store error check
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+commit 3abab905b14f4ba756d413f37f1fb02b708eee93 upstream.
+
+xa_store() can fail, it return xa_err(-EINVAL) if the entry cannot
+be stored in an XArray, or xa_err(-ENOMEM) if memory allocation failed,
+so check error for xa_store() to fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: b685757c7b08 ("ksmbd: Implements sess->rpc_handle_list as xarray")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/mgmt/user_session.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -90,7 +90,7 @@ static int __rpc_method(char *rpc_name)
+
+ int ksmbd_session_rpc_open(struct ksmbd_session *sess, char *rpc_name)
+ {
+- struct ksmbd_session_rpc *entry;
++ struct ksmbd_session_rpc *entry, *old;
+ struct ksmbd_rpc_command *resp;
+ int method;
+
+@@ -106,16 +106,19 @@ int ksmbd_session_rpc_open(struct ksmbd_
+ entry->id = ksmbd_ipc_id_alloc();
+ if (entry->id < 0)
+ goto free_entry;
+- xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL);
++ old = xa_store(&sess->rpc_handle_list, entry->id, entry, GFP_KERNEL);
++ if (xa_is_err(old))
++ goto free_id;
+
+ resp = ksmbd_rpc_open(sess, entry->id);
+ if (!resp)
+- goto free_id;
++ goto erase_xa;
+
+ kvfree(resp);
+ return entry->id;
+-free_id:
++erase_xa:
+ xa_erase(&sess->rpc_handle_list, entry->id);
++free_id:
+ ksmbd_rpc_id_free(entry->id);
+ free_entry:
+ kfree(entry);
--- /dev/null
+From 438d3085ba5b8b5bfa5290faa594e577f6ac9aa7 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 11:38:10 +0200
+Subject: media: ar0521: don't overflow when checking PLL values
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 438d3085ba5b8b5bfa5290faa594e577f6ac9aa7 upstream.
+
+The PLL checks are comparing 64 bit integers with 32 bit
+ones, as reported by Coverity. Depending on the values of
+the variables, this may underflow.
+
+Fix it ensuring that both sides of the expression are u64.
+
+Fixes: 852b50aeed15 ("media: On Semi AR0521 sensor driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ar0521.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/ar0521.c
++++ b/drivers/media/i2c/ar0521.c
+@@ -223,10 +223,10 @@ static u32 calc_pll(struct ar0521_dev *s
+ continue; /* Minimum value */
+ if (new_mult > 254)
+ break; /* Maximum, larger pre won't work either */
+- if (sensor->extclk_freq * (u64)new_mult < AR0521_PLL_MIN *
++ if (sensor->extclk_freq * (u64)new_mult < (u64)AR0521_PLL_MIN *
+ new_pre)
+ continue;
+- if (sensor->extclk_freq * (u64)new_mult > AR0521_PLL_MAX *
++ if (sensor->extclk_freq * (u64)new_mult > (u64)AR0521_PLL_MAX *
+ new_pre)
+ break; /* Larger pre won't work either */
+ new_pll = div64_round_up(sensor->extclk_freq * (u64)new_mult,
--- /dev/null
+From 576a307a7650bd544fbb24df801b9b7863b85e2f Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 12:14:11 +0200
+Subject: media: cx24116: prevent overflows on SNR calculus
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 576a307a7650bd544fbb24df801b9b7863b85e2f upstream.
+
+as reported by Coverity, if reading SNR registers fail, a negative
+number will be returned, causing an underflow when reading SNR
+registers.
+
+Prevent that.
+
+Fixes: 8953db793d5b ("V4L/DVB (9178): cx24116: Add module parameter to return SNR as ESNO.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/cx24116.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/cx24116.c
++++ b/drivers/media/dvb-frontends/cx24116.c
+@@ -741,6 +741,7 @@ static int cx24116_read_snr_pct(struct d
+ {
+ struct cx24116_state *state = fe->demodulator_priv;
+ u8 snr_reading;
++ int ret;
+ static const u32 snr_tab[] = { /* 10 x Table (rounded up) */
+ 0x00000, 0x0199A, 0x03333, 0x04ccD, 0x06667,
+ 0x08000, 0x0999A, 0x0b333, 0x0cccD, 0x0e667,
+@@ -749,7 +750,11 @@ static int cx24116_read_snr_pct(struct d
+
+ dprintk("%s()\n", __func__);
+
+- snr_reading = cx24116_readreg(state, CX24116_REG_QUALITY0);
++ ret = cx24116_readreg(state, CX24116_REG_QUALITY0);
++ if (ret < 0)
++ return ret;
++
++ snr_reading = ret;
+
+ if (snr_reading >= 0xa0 /* 100% */)
+ *snr = 0xffff;
--- /dev/null
+From ba9cf6b430433e57bfc8072364e944b7c0eca2a4 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Wed, 16 Oct 2024 11:24:15 +0200
+Subject: media: pulse8-cec: fix data timestamp at pulse8_setup()
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit ba9cf6b430433e57bfc8072364e944b7c0eca2a4 upstream.
+
+As pointed by Coverity, there is a hidden overflow condition there.
+As date is signed and u8 is unsigned, doing:
+
+ date = (data[0] << 24)
+
+With a value bigger than 07f will make all upper bits of date
+0xffffffff. This can be demonstrated with this small code:
+
+<code>
+typedef int64_t time64_t;
+typedef uint8_t u8;
+
+int main(void)
+{
+ u8 data[] = { 0xde ,0xad , 0xbe, 0xef };
+ time64_t date;
+
+ date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
+ printf("Invalid data = 0x%08lx\n", date);
+
+ date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
+ printf("Expected data = 0x%08lx\n", date);
+
+ return 0;
+}
+</code>
+
+Fix it by converting the upper bit calculation to unsigned.
+
+Fixes: cea28e7a55e7 ("media: pulse8-cec: reorganize function order")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/cec/usb/pulse8/pulse8-cec.c
++++ b/drivers/media/cec/usb/pulse8/pulse8-cec.c
+@@ -685,7 +685,7 @@ static int pulse8_setup(struct pulse8 *p
+ err = pulse8_send_and_wait(pulse8, cmd, 1, cmd[0], 4);
+ if (err)
+ return err;
+- date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
++ date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
+ dev_info(pulse8->dev, "Firmware build date %ptT\n", &date);
+
+ dev_dbg(pulse8->dev, "Persistent config:\n");
--- /dev/null
+From 14a22762c3daeac59a5a534e124acbb4d7a79b3a Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 11:10:31 +0200
+Subject: media: s5p-jpeg: prevent buffer overflows
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream.
+
+The current logic allows word to be less than 2. If this happens,
+there will be buffer overflows, as reported by smatch. Add extra
+checks to prevent it.
+
+While here, remove an unused word = 0 assignment.
+
+Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
++++ b/drivers/media/platform/samsung/s5p-jpeg/jpeg-core.c
+@@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_
+ (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
+ jpeg_buffer.curr = 0;
+
+- word = 0;
+-
+ if (get_word_be(&jpeg_buffer, &word))
+ return;
+- jpeg_buffer.size = (long)word - 2;
++
++ if (word < 2)
++ jpeg_buffer.size = 0;
++ else
++ jpeg_buffer.size = (long)word - 2;
++
+ jpeg_buffer.data += 2;
+ jpeg_buffer.curr = 0;
+
+@@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_b
+ if (byte == -1)
+ return -1;
+ *word = (unsigned int)byte | temp;
++
+ return 0;
+ }
+
+@@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
+- if (!length)
++ if (length <= 0)
+ return false;
+ sof = jpeg_buffer.curr; /* after 0xffc0 */
+ sof_len = length;
+@@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
+- if (!length)
++ if (length <= 0)
+ return false;
+ if (n_dqt >= S5P_JPEG_MAX_MARKER)
+ return false;
+@@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
+- if (!length)
++ if (length <= 0)
+ return false;
+ if (n_dht >= S5P_JPEG_MAX_MARKER)
+ return false;
+@@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
++ /* No need to check underflows as skip() does it */
+ skip(&jpeg_buffer, length);
+ break;
+ }
--- /dev/null
+From 4c76f331a9a173ac8fe1297a9231c2a38f88e368 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 14:23:38 +0200
+Subject: media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 4c76f331a9a173ac8fe1297a9231c2a38f88e368 upstream.
+
+As detected by Coverity, the error check logic at get_ctrl() is
+broken: if ptr_to_user() fails to fill a control due to an error,
+no errors are returned and v4l2_g_ctrl() returns success on a
+failed operation, which may cause applications to fail.
+
+Add an error check at get_ctrl() and ensure that it will
+be returned to userspace without filling the control value if
+get_ctrl() fails.
+
+Fixes: 71c689dc2e73 ("media: v4l2-ctrls: split up into four source files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls-api.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls-api.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c
+@@ -753,9 +753,10 @@ static int get_ctrl(struct v4l2_ctrl *ct
+ for (i = 0; i < master->ncontrols; i++)
+ cur_to_new(master->cluster[i]);
+ ret = call_op(master, g_volatile_ctrl);
+- new_to_user(c, ctrl);
++ if (!ret)
++ ret = new_to_user(c, ctrl);
+ } else {
+- cur_to_user(c, ctrl);
++ ret = cur_to_user(c, ctrl);
+ }
+ v4l2_ctrl_unlock(master);
+ return ret;
+@@ -770,7 +771,10 @@ int v4l2_g_ctrl(struct v4l2_ctrl_handler
+ if (!ctrl || !ctrl->is_int)
+ return -EINVAL;
+ ret = get_ctrl(ctrl, &c);
+- control->value = c.value;
++
++ if (!ret)
++ control->value = c.value;
++
+ return ret;
+ }
+ EXPORT_SYMBOL(v4l2_g_ctrl);
+@@ -811,10 +815,11 @@ static int set_ctrl_lock(struct v4l2_fh
+ int ret;
+
+ v4l2_ctrl_lock(ctrl);
+- user_to_new(c, ctrl);
+- ret = set_ctrl(fh, ctrl, 0);
++ ret = user_to_new(c, ctrl);
++ if (!ret)
++ ret = set_ctrl(fh, ctrl, 0);
+ if (!ret)
+- cur_to_user(c, ctrl);
++ ret = cur_to_user(c, ctrl);
+ v4l2_ctrl_unlock(ctrl);
+ return ret;
+ }
--- /dev/null
+From e6a3ea83fbe15d4818d01804e904cbb0e64e543b Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Wed, 16 Oct 2024 11:53:15 +0200
+Subject: media: v4l2-tpg: prevent the risk of a division by zero
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit e6a3ea83fbe15d4818d01804e904cbb0e64e543b upstream.
+
+As reported by Coverity, the logic at tpg_precalculate_line()
+blindly rescales the buffer even when scaled_witdh is equal to
+zero. If this ever happens, this will cause a division by zero.
+
+Instead, add a WARN_ON_ONCE() to trigger such cases and return
+without doing any precalculation.
+
+Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+@@ -1795,6 +1795,9 @@ static void tpg_precalculate_line(struct
+ unsigned p;
+ unsigned x;
+
++ if (WARN_ON_ONCE(!tpg->src_width || !tpg->scaled_width))
++ return;
++
+ switch (tpg->pattern) {
+ case TPG_PAT_GREEN:
+ contrast = TPG_COLOR_100_RED;
tools-lib-thermal-fix-sampling-handler-context-ptr.patch
thermal-of-support-thermal-zones-w-o-trips-subnode.patch
asoc-stm32-spdifrx-fix-dma-channel-release-in-stm32_.patch
+media-ar0521-don-t-overflow-when-checking-pll-values.patch
+media-s5p-jpeg-prevent-buffer-overflows.patch
+media-cx24116-prevent-overflows-on-snr-calculus.patch
+media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch
+media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
+media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch
+can-mcp251xfd-mcp251xfd_get_tef_len-fix-length-calculation.patch
+can-mcp251xfd-mcp251xfd_ring_alloc-fix-coalescing-configuration-when-switching-can-modes.patch
+ksmbd-fix-slab-use-after-free-in-ksmbd_smb2_session_create.patch
+ksmbd-fix-the-missing-xa_store-error-check.patch
+ksmbd-fix-slab-use-after-free-in-smb3_preauth_hash_rsp.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
