From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 21 Aug 2025 14:45:28 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v6.16.3~74
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9367bda89d8e1f288ce4b7b87b61f16319cbc36a;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	media-venus-add-a-check-for-packet-size-after-reading-from-shared-memory.patch
---

diff --git a/queue-5.4/media-venus-add-a-check-for-packet-size-after-reading-from-shared-memory.patch b/queue-5.4/media-venus-add-a-check-for-packet-size-after-reading-from-shared-memory.patch
new file mode 100644
index 0000000000..4a3ab917c8
--- /dev/null
+++ b/queue-5.4/media-venus-add-a-check-for-packet-size-after-reading-from-shared-memory.patch
@@ -0,0 +1,47 @@
+From 49befc830daa743e051a65468c05c2ff9e8580e6 Mon Sep 17 00:00:00 2001
+From: Vedang Nagar <quic_vnagar@quicinc.com>
+Date: Mon, 19 May 2025 12:42:21 +0530
+Subject: media: venus: Add a check for packet size after reading from shared memory
+
+From: Vedang Nagar <quic_vnagar@quicinc.com>
+
+commit 49befc830daa743e051a65468c05c2ff9e8580e6 upstream.
+
+Add a check to ensure that the packet size does not exceed the number of
+available words after reading the packet header from shared memory. This
+ensures that the size provided by the firmware is safe to process and
+prevent potential out-of-bounds memory access.
+
+Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com>
+Co-developed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -240,6 +240,7 @@ static int venus_write_queue(struct venu
+ static int venus_read_queue(struct venus_hfi_device *hdev,
+ 			    struct iface_queue *queue, void *pkt, u32 *tx_req)
+ {
++	struct hfi_pkt_hdr *pkt_hdr = NULL;
+ 	struct hfi_queue_header *qhdr;
+ 	u32 dwords, new_rd_idx;
+ 	u32 rd_idx, wr_idx, type, qsize;
+@@ -305,6 +306,9 @@ static int venus_read_queue(struct venus
+ 			memcpy(pkt, rd_ptr, len);
+ 			memcpy(pkt + len, queue->qmem.kva, new_rd_idx << 2);
+ 		}
++		pkt_hdr = (struct hfi_pkt_hdr *)(pkt);
++		if ((pkt_hdr->size >> 2) != dwords)
++			return -EINVAL;
+ 	} else {
+ 		/* bad packet received, dropping */
+ 		new_rd_idx = qhdr->write_idx;
diff --git a/queue-5.4/series b/queue-5.4/series
index 36c97f85ca..d6513214d5 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -305,3 +305,4 @@ media-gspca-add-bounds-checking-to-firmware-parser.patch
 media-imx-fix-a-potential-memory-leak-in-imx_media_csc_scaler_device_init.patch
 media-usbtv-lock-resolution-while-streaming.patch
 media-ov2659-fix-memory-leaks-in-ov2659_probe.patch
+media-venus-add-a-check-for-packet-size-after-reading-from-shared-memory.patch