5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Aug 2025 11:21:39 +0000 (13:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Aug 2025 11:21:39 +0000 (13:21 +0200)
added patches:
media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch
media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
parisc-makefile-fix-a-typo-in-palo.conf.patch

queue-5.4/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch [new file with mode: 0644]
queue-5.4/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch [new file with mode: 0644]
queue-5.4/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch [new file with mode: 0644]
queue-5.4/parisc-makefile-fix-a-typo-in-palo.conf.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch b/queue-5.4/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch
new file mode 100644 (file)
index 0000000..704f455
--- /dev/null
@@ -0,0 +1,58 @@
+From bda2859bff0b9596a19648f3740c697ce4c71496 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 7 Jul 2025 18:34:01 +0000
+Subject: media: uvcvideo: Do not mark valid metadata as invalid
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit bda2859bff0b9596a19648f3740c697ce4c71496 upstream.
+
+Currently, the driver performs a length check of the metadata buffer
+before the actual metadata size is known and before the metadata is
+decided to be copied. This results in valid metadata buffers being
+incorrectly marked as invalid.
+
+Move the length check to occur after the metadata size is determined and
+is decided to be copied.
+
+Cc: stable@vger.kernel.org
+Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node")
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20250707-uvc-meta-v8-1-ed17f8b1218b@chromium.org
+Signed-off-by: Hans de Goede <hansg@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_video.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -1309,12 +1309,6 @@ static void uvc_video_decode_meta(struct
+       if (!meta_buf || length == 2)
+               return;
+-      if (meta_buf->length - meta_buf->bytesused <
+-          length + sizeof(meta->ns) + sizeof(meta->sof)) {
+-              meta_buf->error = 1;
+-              return;
+-      }
+-
+       has_pts = mem[1] & UVC_STREAM_PTS;
+       has_scr = mem[1] & UVC_STREAM_SCR;
+@@ -1335,6 +1329,12 @@ static void uvc_video_decode_meta(struct
+                                 !memcmp(scr, stream->clock.last_scr, 6)))
+               return;
++      if (meta_buf->length - meta_buf->bytesused <
++          length + sizeof(meta->ns) + sizeof(meta->sof)) {
++              meta_buf->error = 1;
++              return;
++      }
++
+       meta = (struct uvc_meta_buf *)((u8 *)meta_buf->mem + meta_buf->bytesused);
+       local_irq_save(flags);
+       time = uvc_video_get_time();
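Review bot: The re-added length check in the second inner hunk of uvc_video_decode_meta() is the only bound visible here on the write that starts at `meta_buf->mem + meta_buf->bytesused`, yet it carries no comment saying so or explaining why it now sits after the early return. I would add above it `/* Bound the copy below: check free space only once the final length is known and the sample will be stored. */`. The subtraction `meta_buf->length - meta_buf->bytesused` also presumes that bytesused never exceeds length. The field types are not visible in this hunk, but if they are unsigned, a violated invariant would wrap and pass the check, so that is worth confirming. The function body starts and ends outside the hunk.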
diff --git a/queue-5.4/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch b/queue-5.4/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
new file mode 100644 (file)
index 0000000..2386a04
--- /dev/null
@@ -0,0 +1,43 @@
+From 782b6a718651eda3478b1824b37a8b3185d2740c Mon Sep 17 00:00:00 2001
+From: Youngjun Lee <yjjuny.lee@samsung.com>
+Date: Tue, 10 Jun 2025 21:41:07 +0900
+Subject: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format()
+
+From: Youngjun Lee <yjjuny.lee@samsung.com>
+
+commit 782b6a718651eda3478b1824b37a8b3185d2740c upstream.
+
+The buffer length check before calling uvc_parse_format() only ensured
+that the buffer has at least 3 bytes (buflen > 2), buf the function
+accesses buffer[3], requiring at least 4 bytes.
+
+This can lead to an out-of-bounds read if the buffer has exactly 3 bytes.
+
+Fix it by checking that the buffer has at least 4 bytes in
+uvc_parse_format().
+
+Signed-off-by: Youngjun Lee <yjjuny.lee@samsung.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20250610124107.37360-1-yjjuny.lee@samsung.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -452,6 +452,9 @@ static int uvc_parse_format(struct uvc_d
+       unsigned int i, n;
+       u8 ftype;
++      if (buflen < 4)
++              return -EINVAL;
++
+       format->type = buffer[2];
+       format->index = buffer[3];
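Review bot: The new guard `if (buflen < 4)` in uvc_parse_format() uses a bare constant whose only justification is the two reads right after it, `buffer[2]` and `buffer[3]`. A short comment such as `/* buffer[2] and buffer[3] are read unconditionally below */` would keep the bound tied to those accesses if more header bytes are ever read at this point. The guard covers only these two offsets, so reads at higher offsets later in the function (outside this hunk) still depend on their own length checks. How callers treat the new -EINVAL return is not visible here either.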
diff --git a/queue-5.4/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch b/queue-5.4/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
new file mode 100644 (file)
index 0000000..3be63bc
--- /dev/null
@@ -0,0 +1,66 @@
+From d1534ae23c2b6be350c8ab060803fbf6e9682adc Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Mon, 28 Jul 2025 15:02:48 -0400
+Subject: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
+
+From: Waiman Long <longman@redhat.com>
+
+commit d1534ae23c2b6be350c8ab060803fbf6e9682adc upstream.
+
+A soft lockup warning was observed on a relative small system x86-64
+system with 16 GB of memory when running a debug kernel with kmemleak
+enabled.
+
+  watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]
+
+The test system was running a workload with hot unplug happening in
+parallel.  Then kemleak decided to disable itself due to its inability to
+allocate more kmemleak objects.  The debug kernel has its
+CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.
+
+The soft lockup happened in kmemleak_do_cleanup() when the existing
+kmemleak objects were being removed and deleted one-by-one in a loop via a
+workqueue.  In this particular case, there are at least 40,000 objects
+that need to be processed and given the slowness of a debug kernel and the
+fact that a raw_spinlock has to be acquired and released in
+__delete_object(), it could take a while to properly handle all these
+objects.
+
+As kmemleak has been disabled in this case, the object removal and
+deletion process can be further optimized as locking isn't really needed.
+However, it is probably not worth the effort to optimize for such an edge
+case that should rarely happen.  So the simple solution is to call
+cond_resched() at periodic interval in the iteration loop to avoid soft
+lockup.
+
+Link: https://lkml.kernel.org/r/20250728190248.605750-1-longman@redhat.com
+Signed-off-by: Waiman Long <longman@redhat.com>
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/kmemleak.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/mm/kmemleak.c
++++ b/mm/kmemleak.c
+@@ -1849,6 +1849,7 @@ static const struct file_operations kmem
+ static void __kmemleak_do_cleanup(void)
+ {
+       struct kmemleak_object *object, *tmp;
++      unsigned int cnt = 0;
+       /*
+        * Kmemleak has already been disabled, no need for RCU list traversal
+@@ -1857,6 +1858,10 @@ static void __kmemleak_do_cleanup(void)
+       list_for_each_entry_safe(object, tmp, &object_list, object_list) {
+               __remove_object(object);
+               __delete_object(object);
++
++              /* Call cond_resched() once per 64 iterations to avoid soft lockup */
++              if (!(++cnt & 0x3f))
++                      cond_resched();
+       }
+ }
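Review bot: `cond_resched()` can schedule away, so the call added inside the loop of __kmemleak_do_cleanup() requires every caller to be in a context that may sleep, with no spinlock held. The commit message describes only the workqueue path, and the call sites are not visible in this hunk, so it is worth confirming for the 5.4 tree that no caller runs in atomic context. The added comment could record that requirement, e.g. `/* May sleep: callers must be in process context. Yield every 64 objects to avoid soft lockup. */`. Keeping `tmp` valid across the reschedule also appears to rely on nothing else modifying object_list once kmemleak is disabled, as the existing comment in the function suggests.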
diff --git a/queue-5.4/parisc-makefile-fix-a-typo-in-palo.conf.patch b/queue-5.4/parisc-makefile-fix-a-typo-in-palo.conf.patch
new file mode 100644 (file)
index 0000000..fb3897a
--- /dev/null
@@ -0,0 +1,35 @@
+From 963f1b20a8d2a098954606b9725cd54336a2a86c Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Wed, 25 Jun 2025 00:39:33 -0700
+Subject: parisc: Makefile: fix a typo in palo.conf
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit 963f1b20a8d2a098954606b9725cd54336a2a86c upstream.
+
+Correct "objree" to "objtree". "objree" is not defined.
+
+Fixes: 75dd47472b92 ("kbuild: remove src and obj from the top Makefile")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Masahiro Yamada <masahiroy@kernel.org>
+Cc: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>
+Cc: Helge Deller <deller@gmx.de>
+Cc: linux-parisc@vger.kernel.org
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org # v5.3+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/Makefile |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/Makefile
++++ b/arch/parisc/Makefile
+@@ -134,7 +134,7 @@ palo lifimage: vmlinuz
+       fi
+       @if test ! -f "$(PALOCONF)"; then \
+               cp $(srctree)/arch/parisc/defpalo.conf $(objtree)/palo.conf; \
+-              echo 'A generic palo config file ($(objree)/palo.conf) has been created for you.'; \
++              echo 'A generic palo config file ($(objtree)/palo.conf) has been created for you.'; \
+               echo 'You should check it and re-run "make palo".'; \
+               echo 'WARNING: the "lifimage" file is now placed in this directory by default!'; \
+               false; \
index f5a88b08831f56009989b6b944f5f022a9c822f8..244e647783edd8cc770df6e926051b891fe62bc3 100644 (file)
@@ -276,3 +276,7 @@ misc-rtsx-usb-ensure-mmc-child-device-is-active-when-card-is-present.patch
 comedi-fix-race-between-polling-and-detaching.patch
 thunderbolt-fix-copy-paste-error-in-match_service_id.patch
 btrfs-fix-log-tree-replay-failure-due-to-file-with-0-links-and-extents.patch
+parisc-makefile-fix-a-typo-in-palo.conf.patch
+mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch
+media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch
+media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch