From: Sasha Levin Date: Sat, 9 Nov 2024 11:37:23 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v5.15.172~72 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d1afc15c257eda6c8d05b1385fb370437f09719;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch b/queue-5.10/alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch new file mode 100644 index 00000000000..c4fb3caddd4 --- /dev/null +++ b/queue-5.10/alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch @@ -0,0 +1,41 @@ +From c150fb5e546135a3fe5cd32e4aa8f8b678eff6bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2024 21:55:13 +0300 +Subject: ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init() + +From: Murad Masimov + +[ Upstream commit 8abbf1f01d6a2ef9f911f793e30f7382154b5a3a ] + +If amdtp_stream_init() fails in amdtp_tscm_init(), the latter returns zero, +though it's supposed to return error code, which is checked inside +init_stream() in file tascam-stream.c. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 47faeea25ef3 ("ALSA: firewire-tascam: add data block processing layer") +Signed-off-by: Murad Masimov +Reviewed-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20241101185517.1819-1-m.masimov@maxima.ru +Signed-off-by: Sasha Levin +--- + sound/firewire/tascam/amdtp-tascam.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/tascam/amdtp-tascam.c b/sound/firewire/tascam/amdtp-tascam.c +index f823a2ab3544b..8ffc065b77f95 100644 +--- a/sound/firewire/tascam/amdtp-tascam.c ++++ b/sound/firewire/tascam/amdtp-tascam.c +@@ -244,7 +244,7 @@ int amdtp_tscm_init(struct amdtp_stream *s, struct fw_unit *unit, + CIP_NONBLOCKING | CIP_SKIP_DBC_ZERO_CHECK, fmt, + process_ctx_payloads, sizeof(struct amdtp_tscm)); + if (err < 0) +- return 0; ++ return err; + + if (dir == AMDTP_OUT_STREAM) { + // Use fixed value for FDF field. +-- +2.43.0 + diff --git a/queue-5.10/asoc-stm32-spdifrx-fix-dma-channel-release-in-stm32_.patch b/queue-5.10/asoc-stm32-spdifrx-fix-dma-channel-release-in-stm32_.patch new file mode 100644 index 00000000000..1c6bd7b2b53 --- /dev/null +++ b/queue-5.10/asoc-stm32-spdifrx-fix-dma-channel-release-in-stm32_.patch @@ -0,0 +1,49 @@ +From d09e70309405ebc1d6d8a101d4a7d47079812864 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Nov 2024 15:02:42 +0100 +Subject: ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove + +From: Amelie Delaunay + +[ Upstream commit 9bb4af400c386374ab1047df44c508512c08c31f ] + +In case of error when requesting ctrl_chan DMA channel, ctrl_chan is not +null. So the release of the dma channel leads to the following issue: +[ 4.879000] st,stm32-spdifrx 500d0000.audio-controller: +dma_request_slave_channel error -19 +[ 4.888975] Unable to handle kernel NULL pointer dereference +at virtual address 000000000000003d +[...] +[ 5.096577] Call trace: +[ 5.099099] dma_release_channel+0x24/0x100 +[ 5.103235] stm32_spdifrx_remove+0x24/0x60 [snd_soc_stm32_spdifrx] +[ 5.109494] stm32_spdifrx_probe+0x320/0x4c4 [snd_soc_stm32_spdifrx] + +To avoid this issue, release channel only if the pointer is valid. + +Fixes: 794df9448edb ("ASoC: stm32: spdifrx: manage rebind issue") +Signed-off-by: Amelie Delaunay +Signed-off-by: Olivier Moysan +Link: https://patch.msgid.link/20241105140242.527279-1-olivier.moysan@foss.st.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_spdifrx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/stm/stm32_spdifrx.c b/sound/soc/stm/stm32_spdifrx.c +index 1bfa3b2ba9744..ef518cff84f28 100644 +--- a/sound/soc/stm/stm32_spdifrx.c ++++ b/sound/soc/stm/stm32_spdifrx.c +@@ -948,7 +948,7 @@ static int stm32_spdifrx_remove(struct platform_device *pdev) + { + struct stm32_spdifrx_data *spdifrx = platform_get_drvdata(pdev); + +- if (spdifrx->ctrl_chan) ++ if (!IS_ERR(spdifrx->ctrl_chan)) + dma_release_channel(spdifrx->ctrl_chan); + + if (spdifrx->dmab) +-- +2.43.0 + diff --git a/queue-5.10/media-adv7604-prevent-underflow-condition-when-repor.patch b/queue-5.10/media-adv7604-prevent-underflow-condition-when-repor.patch new file mode 100644 index 00000000000..45f9345d0cc --- /dev/null +++ b/queue-5.10/media-adv7604-prevent-underflow-condition-when-repor.patch @@ -0,0 +1,74 @@ +From a0f97ac5ede13c45fde034e1514e0a4946e49bcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 12:25:09 +0200 +Subject: media: adv7604: prevent underflow condition when reporting colorspace + +From: Mauro Carvalho Chehab + +[ Upstream commit 50b9fa751d1aef5d262bde871c70a7f44262f0bc ] + +Currently, adv76xx_log_status() reads some date using +io_read() which may return negative values. The current logic +doesn't check such errors, causing colorspace to be reported +on a wrong way at adv76xx_log_status(), as reported by Coverity. + +If I/O error happens there, print a different message, instead +of reporting bogus messages to userspace. + +Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder") +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/adv7604.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c +index 8cf1704308bf5..32c223b333486 100644 +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -2487,10 +2487,10 @@ static int adv76xx_log_status(struct v4l2_subdev *sd) + const struct adv76xx_chip_info *info = state->info; + struct v4l2_dv_timings timings; + struct stdi_readback stdi; +- u8 reg_io_0x02 = io_read(sd, 0x02); ++ int ret; ++ u8 reg_io_0x02; + u8 edid_enabled; + u8 cable_det; +- + static const char * const csc_coeff_sel_rb[16] = { + "bypassed", "YPbPr601 -> RGB", "reserved", "YPbPr709 -> RGB", + "reserved", "RGB -> YPbPr601", "reserved", "RGB -> YPbPr709", +@@ -2589,13 +2589,21 @@ static int adv76xx_log_status(struct v4l2_subdev *sd) + v4l2_info(sd, "-----Color space-----\n"); + v4l2_info(sd, "RGB quantization range ctrl: %s\n", + rgb_quantization_range_txt[state->rgb_quantization_range]); +- v4l2_info(sd, "Input color space: %s\n", +- input_color_space_txt[reg_io_0x02 >> 4]); +- v4l2_info(sd, "Output color space: %s %s, alt-gamma %s\n", +- (reg_io_0x02 & 0x02) ? "RGB" : "YCbCr", +- (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ? +- "(16-235)" : "(0-255)", +- (reg_io_0x02 & 0x08) ? "enabled" : "disabled"); ++ ++ ret = io_read(sd, 0x02); ++ if (ret < 0) { ++ v4l2_info(sd, "Can't read Input/Output color space\n"); ++ } else { ++ reg_io_0x02 = ret; ++ ++ v4l2_info(sd, "Input color space: %s\n", ++ input_color_space_txt[reg_io_0x02 >> 4]); ++ v4l2_info(sd, "Output color space: %s %s, alt-gamma %s\n", ++ (reg_io_0x02 & 0x02) ? "RGB" : "YCbCr", ++ (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ? ++ "(16-235)" : "(0-255)", ++ (reg_io_0x02 & 0x08) ? "enabled" : "disabled"); ++ } + v4l2_info(sd, "Color space conversion: %s\n", + csc_coeff_sel_rb[cp_read(sd, info->cp_csc) >> 4]); + +-- +2.43.0 + diff --git a/queue-5.10/media-dvb_frontend-don-t-play-tricks-with-underflow-.patch b/queue-5.10/media-dvb_frontend-don-t-play-tricks-with-underflow-.patch new file mode 100644 index 00000000000..80ea62747fa --- /dev/null +++ b/queue-5.10/media-dvb_frontend-don-t-play-tricks-with-underflow-.patch @@ -0,0 +1,44 @@ +From f4b568bcf74f6c06c6ab9ef6f458dfec0a75d161 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 16:05:16 +0200 +Subject: media: dvb_frontend: don't play tricks with underflow values + +From: Mauro Carvalho Chehab + +[ Upstream commit 9883a4d41aba7612644e9bb807b971247cea9b9d ] + +fepriv->auto_sub_step is unsigned. Setting it to -1 is just a +trick to avoid calling continue, as reported by Coverity. + +It relies to have this code just afterwards: + + if (!ready) fepriv->auto_sub_step++; + +Simplify the code by simply setting it to zero and use +continue to return to the while loop. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_frontend.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c +index ad3e42a4eaf73..01efb4bd260d9 100644 +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -442,8 +442,8 @@ static int dvb_frontend_swzigzag_autotune(struct dvb_frontend *fe, int check_wra + + default: + fepriv->auto_step++; +- fepriv->auto_sub_step = -1; /* it'll be incremented to 0 in a moment */ +- break; ++ fepriv->auto_sub_step = 0; ++ continue; + } + + if (!ready) fepriv->auto_sub_step++; +-- +2.43.0 + diff --git a/queue-5.10/media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch b/queue-5.10/media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch new file mode 100644 index 00000000000..d3bc9086df0 --- /dev/null +++ b/queue-5.10/media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch @@ -0,0 +1,80 @@ +From 434f8731ccb2fccb384ada8e3d6f2741be79270d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 15:23:01 +0200 +Subject: media: dvbdev: prevent the risk of out of memory access + +From: Mauro Carvalho Chehab + +[ Upstream commit 972e63e895abbe8aa1ccbdbb4e6362abda7cd457 ] + +The dvbdev contains a static variable used to store dvb minors. + +The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set +or not. When not set, dvb_register_device() won't check for +boundaries, as it will rely that a previous call to +dvb_register_adapter() would already be enforcing it. + +On a similar way, dvb_device_open() uses the assumption +that the register functions already did the needed checks. + +This can be fragile if some device ends using different +calls. This also generate warnings on static check analysers +like Coverity. + +So, add explicit guards to prevent potential risk of OOM issues. + +Fixes: 5dd3f3071070 ("V4L/DVB (9361): Dynamic DVB minor allocation") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index 661588fc64f6a..71344ae26fea7 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -96,10 +96,15 @@ static DECLARE_RWSEM(minor_rwsem); + static int dvb_device_open(struct inode *inode, struct file *file) + { + struct dvb_device *dvbdev; ++ unsigned int minor = iminor(inode); ++ ++ if (minor >= MAX_DVB_MINORS) ++ return -ENODEV; + + mutex_lock(&dvbdev_mutex); + down_read(&minor_rwsem); +- dvbdev = dvb_minors[iminor(inode)]; ++ ++ dvbdev = dvb_minors[minor]; + + if (dvbdev && dvbdev->fops) { + int err = 0; +@@ -539,7 +544,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + for (minor = 0; minor < MAX_DVB_MINORS; minor++) + if (dvb_minors[minor] == NULL) + break; +- if (minor == MAX_DVB_MINORS) { ++ if (minor >= MAX_DVB_MINORS) { + if (new_node) { + list_del (&new_node->list_head); + kfree(dvbdevfops); +@@ -554,6 +559,14 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + } + #else + minor = nums2minor(adap->num, type, id); ++ if (minor >= MAX_DVB_MINORS) { ++ dvb_media_device_free(dvbdev); ++ list_del(&dvbdev->list_head); ++ kfree(dvbdev); ++ *pdvbdev = NULL; ++ mutex_unlock(&dvbdev_register_lock); ++ return ret; ++ } + #endif + dvbdev->minor = minor; + dvb_minors[minor] = dvb_device_get(dvbdev); +-- +2.43.0 + diff --git a/queue-5.10/scsi-sd_zbc-use-kvzalloc-to-allocate-report-zones-bu.patch b/queue-5.10/scsi-sd_zbc-use-kvzalloc-to-allocate-report-zones-bu.patch new file mode 100644 index 00000000000..91e78899e3b --- /dev/null +++ b/queue-5.10/scsi-sd_zbc-use-kvzalloc-to-allocate-report-zones-bu.patch @@ -0,0 +1,58 @@ +From 2adc7b962acfce61001ceb663c774eaf414879c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Oct 2024 12:02:53 +0100 +Subject: scsi: sd_zbc: Use kvzalloc() to allocate REPORT ZONES buffer + +From: Johannes Thumshirn + +[ Upstream commit 7ce3e6107103214d354a16729a472f588be60572 ] + +We have two reports of failed memory allocation in btrfs' code which is +calling into report zones. + +Both of these reports have the following signature coming from +__vmalloc_area_node(): + + kworker/u17:5: vmalloc error: size 0, failed to allocate pages, mode:0x10dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NORETRY|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0 + +Further debugging showed these where allocations of one sector (512 +bytes) and at least one of the reporter's systems where low on memory, +so going through the overhead of allocating a vm area failed. + +Switching the allocation from __vmalloc() to kvzalloc() avoids the +overhead of vmalloc() on small allocations and succeeds. + +Note: the buffer is already freed using kvfree() so there's no need to +adjust the free path. + +Cc: Qu Wenru +Cc: Naohiro Aota +Link: https://github.com/kdave/btrfs-progs/issues/779 +Link: https://github.com/kdave/btrfs-progs/issues/915 +Fixes: 23a50861adda ("scsi: sd_zbc: Cleanup sd_zbc_alloc_report_buffer()") +Signed-off-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/20241030110253.11718-1-jth@kernel.org +Reviewed-by: Damien Le Moal +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sd_zbc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/scsi/sd_zbc.c b/drivers/scsi/sd_zbc.c +index 01088f333dbc4..9b5dca0b6cf9a 100644 +--- a/drivers/scsi/sd_zbc.c ++++ b/drivers/scsi/sd_zbc.c +@@ -169,8 +169,7 @@ static void *sd_zbc_alloc_report_buffer(struct scsi_disk *sdkp, + bufsize = min_t(size_t, bufsize, queue_max_segments(q) << PAGE_SHIFT); + + while (bufsize >= SECTOR_SIZE) { +- buf = __vmalloc(bufsize, +- GFP_KERNEL | __GFP_ZERO | __GFP_NORETRY); ++ buf = kvzalloc(bufsize, GFP_KERNEL | __GFP_NORETRY); + if (buf) { + *buflen = bufsize; + return buf; +-- +2.43.0 + diff --git a/queue-5.10/series b/queue-5.10/series index c4cdaaa8c79..3ae780ec7c6 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -20,3 +20,9 @@ net-phy-ti-add-phy_rst_after_clk_en-flag.patch net-arc-fix-the-device-for-dma_map_single-dma_unmap_.patch revert-alsa-hda-conexant-mute-speakers-at-suspend-shutdown.patch media-stb0899_algo-initialize-cfr-before-using-it.patch +media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch +media-dvb_frontend-don-t-play-tricks-with-underflow-.patch +media-adv7604-prevent-underflow-condition-when-repor.patch +scsi-sd_zbc-use-kvzalloc-to-allocate-report-zones-bu.patch +alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch +asoc-stm32-spdifrx-fix-dma-channel-release-in-stm32_.patch