--- /dev/null
+From 8403fdd775858a7bf04868d43daea0acbe49ddfc Mon Sep 17 00:00:00 2001
+From: Ameer Hamza <amhamza.mgc@gmail.com>
+Date: Mon, 6 Dec 2021 11:43:15 +0100
+Subject: media: venus: vdec: fixed possible memory leak issue
+
+From: Ameer Hamza <amhamza.mgc@gmail.com>
+
+commit 8403fdd775858a7bf04868d43daea0acbe49ddfc upstream.
+
+The venus_helper_alloc_dpb_bufs() implementation allows an early return
+on an error path when checking the id from ida_alloc_min() which would
+not release the earlier buffer allocation.
+
+Move the direct kfree() from the error checking of dma_alloc_attrs() to
+the common fail path to ensure that allocations are released on all
+error paths in this function.
+
+Addresses-Coverity: 1494120 ("Resource leak")
+
+cc: stable@vger.kernel.org # 5.16+
+Fixes: 40d87aafee29 ("media: venus: vdec: decoded picture buffer handling during reconfig sequence")
+Signed-off-by: Ameer Hamza <amhamza.mgc@gmail.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/helpers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/qcom/venus/helpers.c
++++ b/drivers/media/platform/qcom/venus/helpers.c
+@@ -189,7 +189,6 @@ int venus_helper_alloc_dpb_bufs(struct v
+ buf->va = dma_alloc_attrs(dev, buf->size, &buf->da, GFP_KERNEL,
+ buf->attrs);
+ if (!buf->va) {
+- kfree(buf);
+ ret = -ENOMEM;
+ goto fail;
+ }
+@@ -209,6 +208,7 @@ int venus_helper_alloc_dpb_bufs(struct v
+ return 0;
+
+ fail:
++ kfree(buf);
+ venus_helper_free_dpb_bufs(inst);
+ return ret;
+ }
--- /dev/null
+From 49b7d376abe54a49e8bd5e64824032b7c97c62d4 Mon Sep 17 00:00:00 2001
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Fri, 8 Apr 2022 17:10:35 +0200
+Subject: net/smc: Fix af_ops of child socket pointing to released memory
+
+From: Karsten Graul <kgraul@linux.ibm.com>
+
+commit 49b7d376abe54a49e8bd5e64824032b7c97c62d4 upstream.
+
+Child sockets may inherit the af_ops from the parent listen socket.
+When the listen socket is released then the af_ops of the child socket
+points to released memory.
+Solve that by restoring the original af_ops for child sockets which
+inherited the parent af_ops. And clear any inherited user_data of the
+parent socket.
+
+Fixes: 8270d9c21041 ("net/smc: Limit backlog connections")
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -79,6 +79,7 @@ static struct sock *smc_tcp_syn_recv_soc
+ bool *own_req)
+ {
+ struct smc_sock *smc;
++ struct sock *child;
+
+ smc = smc_clcsock_user_data(sk);
+
+@@ -92,8 +93,17 @@ static struct sock *smc_tcp_syn_recv_soc
+ }
+
+ /* passthrough to original syn recv sock fct */
+- return smc->ori_af_ops->syn_recv_sock(sk, skb, req, dst, req_unhash,
+- own_req);
++ child = smc->ori_af_ops->syn_recv_sock(sk, skb, req, dst, req_unhash,
++ own_req);
++ /* child must not inherit smc or its ops */
++ if (child) {
++ rcu_assign_sk_user_data(child, NULL);
++
++ /* v4-mapped sockets don't inherit parent ops. Don't restore. */
++ if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
++ inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
++ }
++ return child;
+
+ drop:
+ dst_release(dst);
--- /dev/null
+From b5a23a60e8ab5711f4952912424347bf3864ce8d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 15 Nov 2024 11:59:54 +0100
+Subject: serial: amba-pl011: fix build regression
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit b5a23a60e8ab5711f4952912424347bf3864ce8d upstream.
+
+When CONFIG_DMA_ENGINE is disabled, the driver now fails to build:
+
+drivers/tty/serial/amba-pl011.c: In function 'pl011_unthrottle_rx':
+drivers/tty/serial/amba-pl011.c:1822:16: error: 'struct uart_amba_port' has no member named 'using_rx_dma'
+ 1822 | if (uap->using_rx_dma) {
+ | ^~
+drivers/tty/serial/amba-pl011.c:1823:20: error: 'struct uart_amba_port' has no member named 'dmacr'
+ 1823 | uap->dmacr |= UART011_RXDMAE;
+ | ^~
+drivers/tty/serial/amba-pl011.c:1824:32: error: 'struct uart_amba_port' has no member named 'dmacr'
+ 1824 | pl011_write(uap->dmacr, uap, REG_DMACR);
+ | ^~
+
+Add the missing #ifdef check around these field accesses, matching
+what other parts of this driver do.
+
+Fixes: 2bcacc1c87ac ("serial: amba-pl011: Fix RX stall when DMA is used")
+Cc: stable <stable@kernel.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202411140617.nkjeHhsK-lkp@intel.com/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20241115110021.744332-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/amba-pl011.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -1842,10 +1842,12 @@ static void pl011_unthrottle_rx(struct u
+
+ pl011_write(uap->im, uap, REG_IMSC);
+
++#ifdef CONFIG_DMA_ENGINE
+ if (uap->using_rx_dma) {
+ uap->dmacr |= UART011_RXDMAE;
+ pl011_write(uap->dmacr, uap, REG_DMACR);
+ }
++#endif
+
+ uart_port_unlock_irqrestore(&uap->port, flags);
+ }
net-dsa-microchip-correct-ksz8795-static-mac-table-access.patch
drm-amd-display-correct-the-defined-value-for-amdgpu_dmub_notification_max.patch
drm-amdgpu-rework-resume-handling-for-display-v2.patch
+serial-amba-pl011-fix-build-regression.patch
+media-venus-vdec-fixed-possible-memory-leak-issue.patch
+net-smc-fix-af_ops-of-child-socket-pointing-to-released-memory.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
