From 97b48fda871b72c9d4be6739b9d11618d24f0d12 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 2 Oct 2022 17:08:43 +0200
Subject: [PATCH] 5.10-stable patches

added patches:
	media-dvb_vb2-fix-possible-out-of-bound-access.patch
	media-rkvdec-disable-h.264-error-detection.patch
---
 ...vb2-fix-possible-out-of-bound-access.patch | 53 +++++++++++++++++++
 ...rkvdec-disable-h.264-error-detection.patch | 43 +++++++++++++++
 queue-5.10/series                             |  2 +
 3 files changed, 98 insertions(+)
 create mode 100644 queue-5.10/media-dvb_vb2-fix-possible-out-of-bound-access.patch
 create mode 100644 queue-5.10/media-rkvdec-disable-h.264-error-detection.patch

diff --git a/queue-5.10/media-dvb_vb2-fix-possible-out-of-bound-access.patch b/queue-5.10/media-dvb_vb2-fix-possible-out-of-bound-access.patch
new file mode 100644
index 00000000000..da3da5b905b
--- /dev/null
+++ b/queue-5.10/media-dvb_vb2-fix-possible-out-of-bound-access.patch
@@ -0,0 +1,53 @@
+From 37238699073e7e93f05517e529661151173cd458 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua <hbh25y@gmail.com>
+Date: Thu, 19 May 2022 03:17:43 +0100
+Subject: media: dvb_vb2: fix possible out of bound access
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+commit 37238699073e7e93f05517e529661151173cd458 upstream.
+
+vb2_core_qbuf and vb2_core_querybuf don't check the range of b->index
+controlled by the user.
+
+Fix this by adding range checking code before using them.
+
+Fixes: 57868acc369a ("media: videobuf2: Add new uAPI for DVB streaming I/O")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-core/dvb_vb2.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/media/dvb-core/dvb_vb2.c
++++ b/drivers/media/dvb-core/dvb_vb2.c
+@@ -358,6 +358,12 @@ int dvb_vb2_reqbufs(struct dvb_vb2_ctx *
+ 
+ int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
+ {
++	struct vb2_queue *q = &ctx->vb_q;
++
++	if (b->index >= q->num_buffers) {
++		dprintk(1, "[%s] buffer index out of range\n", ctx->name);
++		return -EINVAL;
++	}
+ 	vb2_core_querybuf(&ctx->vb_q, b->index, b);
+ 	dprintk(3, "[%s] index=%d\n", ctx->name, b->index);
+ 	return 0;
+@@ -382,8 +388,13 @@ int dvb_vb2_expbuf(struct dvb_vb2_ctx *c
+ 
+ int dvb_vb2_qbuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
+ {
++	struct vb2_queue *q = &ctx->vb_q;
+ 	int ret;
+ 
++	if (b->index >= q->num_buffers) {
++		dprintk(1, "[%s] buffer index out of range\n", ctx->name);
++		return -EINVAL;
++	}
+ 	ret = vb2_core_qbuf(&ctx->vb_q, b->index, b, NULL);
+ 	if (ret) {
+ 		dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,
diff --git a/queue-5.10/media-rkvdec-disable-h.264-error-detection.patch b/queue-5.10/media-rkvdec-disable-h.264-error-detection.patch
new file mode 100644
index 00000000000..1f8da3e4c45
--- /dev/null
+++ b/queue-5.10/media-rkvdec-disable-h.264-error-detection.patch
@@ -0,0 +1,43 @@
+From 3a99c4474112f49a5459933d8758614002ca0ddc Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Date: Fri, 10 Jun 2022 13:52:11 +0100
+Subject: media: rkvdec: Disable H.264 error detection
+
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+
+commit 3a99c4474112f49a5459933d8758614002ca0ddc upstream.
+
+Quite often, the HW get stuck in error condition if a stream error
+was detected. As documented, the HW should stop immediately and self
+reset. There is likely a problem or a miss-understanding of the self
+reset mechanism, as unless we make a long pause, the next command
+will then report an error even if there is no error in it.
+
+Disabling error detection fixes the issue, and let the decoder continue
+after an error. This patch is safe for backport into older kernels.
+
+Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Tested-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/rkvdec/rkvdec-h264.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/media/rkvdec/rkvdec-h264.c
++++ b/drivers/staging/media/rkvdec/rkvdec-h264.c
+@@ -1124,8 +1124,8 @@ static int rkvdec_h264_run(struct rkvdec
+ 
+ 	schedule_delayed_work(&rkvdec->watchdog_work, msecs_to_jiffies(2000));
+ 
+-	writel(0xffffffff, rkvdec->regs + RKVDEC_REG_STRMD_ERR_EN);
+-	writel(0xffffffff, rkvdec->regs + RKVDEC_REG_H264_ERR_E);
++	writel(0, rkvdec->regs + RKVDEC_REG_STRMD_ERR_EN);
++	writel(0, rkvdec->regs + RKVDEC_REG_H264_ERR_E);
+ 	writel(1, rkvdec->regs + RKVDEC_REG_PREF_LUMA_CACHE_COMMAND);
+ 	writel(1, rkvdec->regs + RKVDEC_REG_PREF_CHR_CACHE_COMMAND);
+ 
diff --git a/queue-5.10/series b/queue-5.10/series
index 3d879323be3..1dec3ed15c7 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -24,3 +24,5 @@ mm-page_alloc-fix-race-condition-between-build_all_zonelists-and-page-allocation
 mm-prevent-page_frag_alloc-from-corrupting-the-memory.patch
 mm-migrate_device.c-flush-tlb-while-holding-ptl.patch
 mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
+media-dvb_vb2-fix-possible-out-of-bound-access.patch
+media-rkvdec-disable-h.264-error-detection.patch
-- 
2.47.3