5.4-stable patches

added patches:
	media-venus-add-a-check-for-packet-size-after-reading-from-shared-memory.patch

diff --git a/queue-5.4/media-venus-add-a-check-for-packet-size-after-reading-from-shared-memory.patch b/queue-5.4/media-venus-add-a-check-for-packet-size-after-reading-from-shared-memory.patch
new file mode 100644 (file)
index 0000000..4a3ab91
--- /dev/null
+++ b/queue-5.4/media-venus-add-a-check-for-packet-size-after-reading-from-shared-memory.patch
@@ -0,0 +1,47 @@
+From 49befc830daa743e051a65468c05c2ff9e8580e6 Mon Sep 17 00:00:00 2001
+From: Vedang Nagar <quic_vnagar@quicinc.com>
+Date: Mon, 19 May 2025 12:42:21 +0530
+Subject: media: venus: Add a check for packet size after reading from shared memory
+
+From: Vedang Nagar <quic_vnagar@quicinc.com>
+
+commit 49befc830daa743e051a65468c05c2ff9e8580e6 upstream.
+
+Add a check to ensure that the packet size does not exceed the number of
+available words after reading the packet header from shared memory. This
+ensures that the size provided by the firmware is safe to process and
+prevent potential out-of-bounds memory access.
+
+Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com>
+Co-developed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -240,6 +240,7 @@ static int venus_write_queue(struct venu
+ static int venus_read_queue(struct venus_hfi_device *hdev,
+                           struct iface_queue *queue, void *pkt, u32 *tx_req)
+ {
++      struct hfi_pkt_hdr *pkt_hdr = NULL;
+       struct hfi_queue_header *qhdr;
+       u32 dwords, new_rd_idx;
+       u32 rd_idx, wr_idx, type, qsize;
+@@ -305,6 +306,9 @@ static int venus_read_queue(struct venus
+                       memcpy(pkt, rd_ptr, len);
+                       memcpy(pkt + len, queue->qmem.kva, new_rd_idx << 2);
+               }
++              pkt_hdr = (struct hfi_pkt_hdr *)(pkt);
++              if ((pkt_hdr->size >> 2) != dwords)
++                      return -EINVAL;
+       } else {
+               /* bad packet received, dropping */
+               new_rd_idx = qhdr->write_idx;

diff --git a/queue-5.4/series b/queue-5.4/series
index 36c97f85ca38b74700cecb808e895df3123c699b..d6513214d5d3d710d77542e83920d3f7e1665eee 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -305,3 +305,4 @@ media-gspca-add-bounds-checking-to-firmware-parser.patch
 media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch
 media-usbtv-lock-resolution-while-streaming.patch
 media-ov2659-fix-memory-leaks-in-ov2659_probe.patch
+media-venus-add-a-check-for-packet-size-after-reading-from-shared-memory.patch