From: Greg Kroah-Hartman Date: Fri, 22 Mar 2019 10:15:44 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v3.18.137~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dbb71a45a2b18280841c3876e7e612c8fdde86d5;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of-streaming.patch
---
diff --git a/queue-3.18/drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch b/queue-3.18/drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch
new file mode 100644
index 00000000000..8fe4eb8f5bb
--- /dev/null
+++ b/queue-3.18/drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch
@@ -0,0 +1,35 @@
+From cc5034a5d293dd620484d1d836aa16c6764a1c8c Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Fri, 15 Feb 2019 14:29:26 -0600
+Subject: drm/radeon/evergreen_cs: fix missing break in switch statement
+
+From: Gustavo A. R. Silva
+
+commit cc5034a5d293dd620484d1d836aa16c6764a1c8c upstream.
+
+Add missing break statement in order to prevent the code from falling
+through to case CB_TARGET_MASK.
+
+This bug was found thanks to the ongoing efforts to enable
+-Wimplicit-fallthrough.
+
+Fixes: dd220a00e8bd ("drm/radeon/kms: add support for streamout v7")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/evergreen_cs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/radeon/evergreen_cs.c
++++ b/drivers/gpu/drm/radeon/evergreen_cs.c
+@@ -1318,6 +1318,7 @@ static int evergreen_cs_check_reg(struct
+ return -EINVAL;
+ }
+ ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff);
++ break;
+ case CB_TARGET_MASK:
+ track->cb_target_mask = radeon_get_ib_value(p, idx);
+ track->cb_dirty = true;
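Review bot: The changelog names the fall-through target but not its effect, which is what someone triaging this backport needs. Going by the context lines, without the added `break;` the case ending in `ib[idx] += (u32)((reloc->gpu_offset >> 8) & 0xffffffff);` went on to run `track->cb_target_mask = radeon_get_ib_value(p, idx);` and set `track->cb_dirty = true`, so the tracked colour-buffer mask was replaced by the value at the same `idx`. A sentence such as `Without the break, track->cb_target_mask is overwritten and cb_dirty is set for an unrelated register write.` would record that. The case label that gains the break and the rest of the switch in evergreen_cs_check_reg are outside the hunk, so whether sibling cases have the same gap cannot be confirmed here; a build of this file with -Wimplicit-fallthrough would settle it.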
diff --git a/queue-3.18/media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of-streaming.patch b/queue-3.18/media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of-streaming.patch
new file mode 100644
index 00000000000..6bdba56ef64
--- /dev/null
+++ b/queue-3.18/media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of-streaming.patch
@@ -0,0 +1,58 @@
+From 9dd0627d8d62a7ddb001a75f63942d92b5336561 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus
+Date: Wed, 30 Jan 2019 05:09:41 -0500
+Subject: media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
+
+From: Sakari Ailus
+
+commit 9dd0627d8d62a7ddb001a75f63942d92b5336561 upstream.
+
+The UVC video driver converts the timestamp from hardware specific unit
+to one known by the kernel at the time when the buffer is dequeued. This
+is fine in general, but the streamoff operation consists of the
+following steps (among other things):
+
+1. uvc_video_clock_cleanup --- the hardware clock sample array is
+ released and the pointer to the array is set to NULL,
+
+2. buffers in active state are returned to the user and
+
+3. buf_finish callback is called on buffers that are prepared.
+ buf_finish includes calling uvc_video_clock_update that accesses the
+ hardware clock sample array.
+
+The above is serialised by a queue specific mutex. Address the problem
+by skipping the clock conversion if the hardware clock sample array is
+already released.
+
+Fixes: 9c0863b1cc48 ("[media] vb2: call buf_finish from __queue_cancel")
+
+Reported-by: Chiranjeevi Rapolu
+Tested-by: Chiranjeevi Rapolu
+Signed-off-by: Sakari Ailus
+Cc: stable@vger.kernel.org
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/uvc/uvc_video.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -627,6 +627,14 @@ void uvc_video_clock_update(struct uvc_s
+ u32 rem;
+ u64 y;
+
++ /*
++ * We will get called from __vb2_queue_cancel() if there are buffers
++ * done but not dequeued by the user, but the sample array has already
++ * been released at that time. Just bail out in that case.
++ */
++ if (!clock->samples)
++ return;
++
+ spin_lock_irqsave(&clock->lock, flags);
+
+ if (clock->count < clock->size)
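Review bot: The `if (!clock->samples)` test sits above `spin_lock_irqsave(&clock->lock, flags)`, so the pointer is read without the clock lock, and the in-code comment does not say why that is safe. The commit message gives the reason (streamoff is serialised by a queue-specific mutex), and that belongs in the comment too, e.g. `* Checked without clock->lock: the release in uvc_video_clock_cleanup() is serialised by the queue mutex.` Whether every path into uvc_video_clock_update holds that mutex is not visible here, and the function body continues past the hunk. The early return also leaves the buffer timestamp unconverted, which is presumably acceptable for buffers flushed at streamoff but deserves a word in the same comment.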
diff --git a/queue-3.18/series b/queue-3.18/series
index 0cda6f05eee..bb0987d99c1 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -130,3 +130,5 @@ nfsd-fix-memory-corruption-caused-by-readdir.patch
 nfsd-fix-wrong-check-in-write_v4_end_grace.patch
 md-fix-failed-allocation-of-md_register_thread.patch
 rcu-do-rcu-gp-kthread-self-wakeup-from-softirq-and-interrupt.patch
+media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of-streaming.patch
+drm-radeon-evergreen_cs-fix-missing-break-in-switch-statement.patch