From: Greg Kroah-Hartman Date: Mon, 18 Aug 2025 11:21:39 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.12.43~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=93a87621236996623d599068ca2b95248fcfb97c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch parisc-makefile-fix-a-typo-in-palo.conf.patch --- diff --git a/queue-5.4/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch b/queue-5.4/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch new file mode 100644 index 0000000000..704f45521c --- /dev/null +++ b/queue-5.4/media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch 
@@ -0,0 +1,58 @@ +From bda2859bff0b9596a19648f3740c697ce4c71496 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Mon, 7 Jul 2025 18:34:01 +0000 +Subject: media: uvcvideo: Do not mark valid metadata as invalid + +From: Ricardo Ribalda + +commit bda2859bff0b9596a19648f3740c697ce4c71496 upstream. + +Currently, the driver performs a length check of the metadata buffer +before the actual metadata size is known and before the metadata is +decided to be copied. This results in valid metadata buffers being +incorrectly marked as invalid. + +Move the length check to occur after the metadata size is determined and +is decided to be copied. + +Cc: stable@vger.kernel.org +Fixes: 088ead255245 ("media: uvcvideo: Add a metadata device node") +Reviewed-by: Laurent Pinchart +Reviewed-by: Hans de Goede +Signed-off-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20250707-uvc-meta-v8-1-ed17f8b1218b@chromium.org +Signed-off-by: Hans de Goede +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_video.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -1309,12 +1309,6 @@ static void uvc_video_decode_meta(struct + if (!meta_buf || length == 2) + return; + +- if (meta_buf->length - meta_buf->bytesused < +- length + sizeof(meta->ns) + sizeof(meta->sof)) { +- meta_buf->error = 1; +- return; +- } +- + has_pts = mem[1] & UVC_STREAM_PTS; + has_scr = mem[1] & UVC_STREAM_SCR; + +@@ -1335,6 +1329,12 @@ static void uvc_video_decode_meta(struct + !memcmp(scr, stream->clock.last_scr, 6))) + return; + ++ if (meta_buf->length - meta_buf->bytesused < ++ length + sizeof(meta->ns) + sizeof(meta->sof)) { ++ meta_buf->error = 1; ++ return; ++ } ++ + meta = (struct uvc_meta_buf *)((u8 *)meta_buf->mem + meta_buf->bytesused); + local_irq_save(flags); + time = uvc_video_get_time(); 
diff --git a/queue-5.4/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch b/queue-5.4/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch new file mode 100644 index 0000000000..2386a0492e --- /dev/null +++ b/queue-5.4/media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch @@ -0,0 +1,43 @@ +From 782b6a718651eda3478b1824b37a8b3185d2740c Mon Sep 17 00:00:00 2001 +From: Youngjun Lee +Date: Tue, 10 Jun 2025 21:41:07 +0900 +Subject: media: uvcvideo: Fix 1-byte out-of-bounds read in uvc_parse_format() + +From: Youngjun Lee + +commit 782b6a718651eda3478b1824b37a8b3185d2740c upstream. + +The buffer length check before calling uvc_parse_format() only ensured +that the buffer has at least 3 bytes (buflen > 2), buf the function +accesses buffer[3], requiring at least 4 bytes. + +This can lead to an out-of-bounds read if the buffer has exactly 3 bytes. + +Fix it by checking that the buffer has at least 4 bytes in +uvc_parse_format(). + +Signed-off-by: Youngjun Lee +Reviewed-by: Laurent Pinchart +Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver") +Cc: stable@vger.kernel.org +Reviewed-by: Ricardo Ribalda +Link: https://lore.kernel.org/r/20250610124107.37360-1-yjjuny.lee@samsung.com +Signed-off-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/uvc/uvc_driver.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -452,6 +452,9 @@ static int uvc_parse_format(struct uvc_d + unsigned int i, n; + u8 ftype; + ++ if (buflen < 4) ++ return -EINVAL; ++ + format->type = buffer[2]; + format->index = buffer[3]; + diff --git a/queue-5.4/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch b/queue-5.4/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch new file mode 100644 index 0000000000..3be63bc7a8 --- /dev/null 
+++ b/queue-5.4/mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch 
@@ -0,0 +1,66 @@ +From d1534ae23c2b6be350c8ab060803fbf6e9682adc Mon Sep 17 00:00:00 2001 +From: Waiman Long +Date: Mon, 28 Jul 2025 15:02:48 -0400 +Subject: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup() + +From: Waiman Long + +commit d1534ae23c2b6be350c8ab060803fbf6e9682adc upstream. + +A soft lockup warning was observed on a relative small system x86-64 +system with 16 GB of memory when running a debug kernel with kmemleak +enabled. + + watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134] + +The test system was running a workload with hot unplug happening in +parallel. Then kemleak decided to disable itself due to its inability to +allocate more kmemleak objects. The debug kernel has its +CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000. + +The soft lockup happened in kmemleak_do_cleanup() when the existing +kmemleak objects were being removed and deleted one-by-one in a loop via a +workqueue. In this particular case, there are at least 40,000 objects +that need to be processed and given the slowness of a debug kernel and the +fact that a raw_spinlock has to be acquired and released in +__delete_object(), it could take a while to properly handle all these +objects. + +As kmemleak has been disabled in this case, the object removal and +deletion process can be further optimized as locking isn't really needed. +However, it is probably not worth the effort to optimize for such an edge +case that should rarely happen. So the simple solution is to call +cond_resched() at periodic interval in the iteration loop to avoid soft +lockup. 
+ +Link: https://lkml.kernel.org/r/20250728190248.605750-1-longman@redhat.com +Signed-off-by: Waiman Long +Acked-by: Catalin Marinas +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -1849,6 +1849,7 @@ static const struct file_operations kmem + static void __kmemleak_do_cleanup(void) + { + struct kmemleak_object *object, *tmp; ++ unsigned int cnt = 0; + + /* + * Kmemleak has already been disabled, no need for RCU list traversal +@@ -1857,6 +1858,10 @@ static void __kmemleak_do_cleanup(void) + list_for_each_entry_safe(object, tmp, &object_list, object_list) { + __remove_object(object); + __delete_object(object); ++ ++ /* Call cond_resched() once per 64 iterations to avoid soft lockup */ ++ if (!(++cnt & 0x3f)) ++ cond_resched(); + } + } + diff --git a/queue-5.4/parisc-makefile-fix-a-typo-in-palo.conf.patch b/queue-5.4/parisc-makefile-fix-a-typo-in-palo.conf.patch new file mode 100644 index 0000000000..fb3897a3dd --- /dev/null +++ b/queue-5.4/parisc-makefile-fix-a-typo-in-palo.conf.patch 
@@ -0,0 +1,35 @@ +From 963f1b20a8d2a098954606b9725cd54336a2a86c Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Wed, 25 Jun 2025 00:39:33 -0700 +Subject: parisc: Makefile: fix a typo in palo.conf + +From: Randy Dunlap + +commit 963f1b20a8d2a098954606b9725cd54336a2a86c upstream. + +Correct "objree" to "objtree". "objree" is not defined. + +Fixes: 75dd47472b92 ("kbuild: remove src and obj from the top Makefile") +Signed-off-by: Randy Dunlap +Cc: Masahiro Yamada +Cc: "James E.J. Bottomley" +Cc: Helge Deller +Cc: linux-parisc@vger.kernel.org +Signed-off-by: Helge Deller +Cc: stable@vger.kernel.org # v5.3+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/Makefile ++++ b/arch/parisc/Makefile +@@ -134,7 +134,7 @@ palo lifimage: vmlinuz + fi + @if test ! -f "$(PALOCONF)"; then \ + cp $(srctree)/arch/parisc/defpalo.conf $(objtree)/palo.conf; \ +- echo 'A generic palo config file ($(objree)/palo.conf) has been created for you.'; \ ++ echo 'A generic palo config file ($(objtree)/palo.conf) has been created for you.'; \ + echo 'You should check it and re-run "make palo".'; \ + echo 'WARNING: the "lifimage" file is now placed in this directory by default!'; \ + false; \ diff --git a/queue-5.4/series b/queue-5.4/series index f5a88b0883..244e647783 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -276,3 +276,7 @@ misc-rtsx-usb-ensure-mmc-child-device-is-active-when-card-is-present.patch comedi-fix-race-between-polling-and-detaching.patch thunderbolt-fix-copy-paste-error-in-match_service_id.patch btrfs-fix-log-tree-replay-failure-due-to-file-with-0-links-and-extents.patch +parisc-makefile-fix-a-typo-in-palo.conf.patch +mm-kmemleak-avoid-soft-lockup-in-__kmemleak_do_cleanup.patch +media-uvcvideo-fix-1-byte-out-of-bounds-read-in-uvc_parse_format.patch +media-uvcvideo-do-not-mark-valid-metadata-as-invalid.patch
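Review bot: In the second hunk of drivers/media/usb/uvc/uvc_video.c (uvc_video_decode_meta()), the relocated space check carries no comment saying why it has to sit after the early returns, so a later cleanup could hoist it back to the top of the function and bring back the spurious `meta_buf->error = 1`. Suggest a one-line comment above `if (meta_buf->length - meta_buf->bytesused < ...` stating that the check belongs after the decision to copy and directly before `meta` is derived from `meta_buf->mem + meta_buf->bytesused`, which is the write it protects.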
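Review bot: In the uvc_parse_format() hunk of drivers/media/usb/uvc/uvc_driver.c, the literal in `if (buflen < 4)` is only implicitly tied to the `buffer[3]` read two lines below it. A short comment naming the highest index read, or a named constant for the minimum header length, would keep the guard and the accesses in step if further fixed-offset reads are added at this point. The placement itself is right: the guard precedes both `format->type = buffer[2]` and `format->index = buffer[3]`, so a 3-byte buffer is rejected with -EINVAL before either read.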
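Review bot: In the __kmemleak_do_cleanup() hunk of mm/kmemleak.c, the new comment explains the 64-iteration interval but not why it is safe to reschedule in the middle of `list_for_each_entry_safe()`, where `tmp` is held across the `cond_resched()` call. The existing comment above the loop only says that no RCU traversal is needed because kmemleak is already disabled; it would help to extend the added comment to say that nothing else modifies `object_list` at this stage, so the saved `tmp` stays valid after the task is scheduled back in. The `!(++cnt & 0x3f)` test is fine as written, since wraparound of the unsigned counter does not change the period.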