From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 12 Dec 2024 13:45:02 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v5.4.287~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d358136ec3a6912aa33dc23105384796c1cb5ba;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	media-venus-vdec-fixed-possible-memory-leak-issue.patch
	net-smc-fix-af_ops-of-child-socket-pointing-to-released-memory.patch
	serial-amba-pl011-fix-build-regression.patch
---

diff --git a/queue-5.15/media-venus-vdec-fixed-possible-memory-leak-issue.patch b/queue-5.15/media-venus-vdec-fixed-possible-memory-leak-issue.patch
new file mode 100644
index 00000000000..18e460e41e9
--- /dev/null
+++ b/queue-5.15/media-venus-vdec-fixed-possible-memory-leak-issue.patch
@@ -0,0 +1,48 @@
+From 8403fdd775858a7bf04868d43daea0acbe49ddfc Mon Sep 17 00:00:00 2001
+From: Ameer Hamza <amhamza.mgc@gmail.com>
+Date: Mon, 6 Dec 2021 11:43:15 +0100
+Subject: media: venus: vdec: fixed possible memory leak issue
+
+From: Ameer Hamza <amhamza.mgc@gmail.com>
+
+commit 8403fdd775858a7bf04868d43daea0acbe49ddfc upstream.
+
+The venus_helper_alloc_dpb_bufs() implementation allows an early return
+on an error path when checking the id from ida_alloc_min() which would
+not release the earlier buffer allocation.
+
+Move the direct kfree() from the error checking of dma_alloc_attrs() to
+the common fail path to ensure that allocations are released on all
+error paths in this function.
+
+Addresses-Coverity: 1494120 ("Resource leak")
+
+cc: stable@vger.kernel.org # 5.16+
+Fixes: 40d87aafee29 ("media: venus: vdec: decoded picture buffer handling during reconfig sequence")
+Signed-off-by: Ameer Hamza <amhamza.mgc@gmail.com>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/helpers.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/qcom/venus/helpers.c
++++ b/drivers/media/platform/qcom/venus/helpers.c
+@@ -189,7 +189,6 @@ int venus_helper_alloc_dpb_bufs(struct v
+ 		buf->va = dma_alloc_attrs(dev, buf->size, &buf->da, GFP_KERNEL,
+ 					  buf->attrs);
+ 		if (!buf->va) {
+-			kfree(buf);
+ 			ret = -ENOMEM;
+ 			goto fail;
+ 		}
+@@ -209,6 +208,7 @@ int venus_helper_alloc_dpb_bufs(struct v
+ 	return 0;
+ 
+ fail:
++	kfree(buf);
+ 	venus_helper_free_dpb_bufs(inst);
+ 	return ret;
+ }
diff --git a/queue-5.15/net-smc-fix-af_ops-of-child-socket-pointing-to-released-memory.patch b/queue-5.15/net-smc-fix-af_ops-of-child-socket-pointing-to-released-memory.patch
new file mode 100644
index 00000000000..e45b570b398
--- /dev/null
+++ b/queue-5.15/net-smc-fix-af_ops-of-child-socket-pointing-to-released-memory.patch
@@ -0,0 +1,56 @@
+From 49b7d376abe54a49e8bd5e64824032b7c97c62d4 Mon Sep 17 00:00:00 2001
+From: Karsten Graul <kgraul@linux.ibm.com>
+Date: Fri, 8 Apr 2022 17:10:35 +0200
+Subject: net/smc: Fix af_ops of child socket pointing to released memory
+
+From: Karsten Graul <kgraul@linux.ibm.com>
+
+commit 49b7d376abe54a49e8bd5e64824032b7c97c62d4 upstream.
+
+Child sockets may inherit the af_ops from the parent listen socket.
+When the listen socket is released then the af_ops of the child socket
+points to released memory.
+Solve that by restoring the original af_ops for child sockets which
+inherited the parent af_ops. And clear any inherited user_data of the
+parent socket.
+
+Fixes: 8270d9c21041 ("net/smc: Limit backlog connections")
+Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
+Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
+Reviewed-by: D. Wythe <alibuda@linux.alibaba.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/smc/af_smc.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -79,6 +79,7 @@ static struct sock *smc_tcp_syn_recv_soc
+ 					  bool *own_req)
+ {
+ 	struct smc_sock *smc;
++	struct sock *child;
+ 
+ 	smc = smc_clcsock_user_data(sk);
+ 
+@@ -92,8 +93,17 @@ static struct sock *smc_tcp_syn_recv_soc
+ 	}
+ 
+ 	/* passthrough to original syn recv sock fct */
+-	return smc->ori_af_ops->syn_recv_sock(sk, skb, req, dst, req_unhash,
+-					      own_req);
++	child = smc->ori_af_ops->syn_recv_sock(sk, skb, req, dst, req_unhash,
++					       own_req);
++	/* child must not inherit smc or its ops */
++	if (child) {
++		rcu_assign_sk_user_data(child, NULL);
++
++		/* v4-mapped sockets don't inherit parent ops. Don't restore. */
++		if (inet_csk(child)->icsk_af_ops == inet_csk(sk)->icsk_af_ops)
++			inet_csk(child)->icsk_af_ops = smc->ori_af_ops;
++	}
++	return child;
+ 
+ drop:
+ 	dst_release(dst);
diff --git a/queue-5.15/serial-amba-pl011-fix-build-regression.patch b/queue-5.15/serial-amba-pl011-fix-build-regression.patch
new file mode 100644
index 00000000000..c999ada0b9e
--- /dev/null
+++ b/queue-5.15/serial-amba-pl011-fix-build-regression.patch
@@ -0,0 +1,51 @@
+From b5a23a60e8ab5711f4952912424347bf3864ce8d Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 15 Nov 2024 11:59:54 +0100
+Subject: serial: amba-pl011: fix build regression
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit b5a23a60e8ab5711f4952912424347bf3864ce8d upstream.
+
+When CONFIG_DMA_ENGINE is disabled, the driver now fails to build:
+
+drivers/tty/serial/amba-pl011.c: In function 'pl011_unthrottle_rx':
+drivers/tty/serial/amba-pl011.c:1822:16: error: 'struct uart_amba_port' has no member named 'using_rx_dma'
+ 1822 |         if (uap->using_rx_dma) {
+      |                ^~
+drivers/tty/serial/amba-pl011.c:1823:20: error: 'struct uart_amba_port' has no member named 'dmacr'
+ 1823 |                 uap->dmacr |= UART011_RXDMAE;
+      |                    ^~
+drivers/tty/serial/amba-pl011.c:1824:32: error: 'struct uart_amba_port' has no member named 'dmacr'
+ 1824 |                 pl011_write(uap->dmacr, uap, REG_DMACR);
+      |                                ^~
+
+Add the missing #ifdef check around these field accesses, matching
+what other parts of this driver do.
+
+Fixes: 2bcacc1c87ac ("serial: amba-pl011: Fix RX stall when DMA is used")
+Cc: stable <stable@kernel.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202411140617.nkjeHhsK-lkp@intel.com/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20241115110021.744332-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/amba-pl011.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/tty/serial/amba-pl011.c
++++ b/drivers/tty/serial/amba-pl011.c
+@@ -1842,10 +1842,12 @@ static void pl011_unthrottle_rx(struct u
+ 
+ 	pl011_write(uap->im, uap, REG_IMSC);
+ 
++#ifdef CONFIG_DMA_ENGINE
+ 	if (uap->using_rx_dma) {
+ 		uap->dmacr |= UART011_RXDMAE;
+ 		pl011_write(uap->dmacr, uap, REG_DMACR);
+ 	}
++#endif
+ 
+ 	uart_port_unlock_irqrestore(&uap->port, flags);
+ }
diff --git a/queue-5.15/series b/queue-5.15/series
index c931f5eae43..c88188f6bdc 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -565,3 +565,6 @@ bluetooth-l2cap-fix-uaf-in-l2cap_connect.patch
 net-dsa-microchip-correct-ksz8795-static-mac-table-access.patch
 drm-amd-display-correct-the-defined-value-for-amdgpu_dmub_notification_max.patch
 drm-amdgpu-rework-resume-handling-for-display-v2.patch
+serial-amba-pl011-fix-build-regression.patch
+media-venus-vdec-fixed-possible-memory-leak-issue.patch
+net-smc-fix-af_ops-of-child-socket-pointing-to-released-memory.patch