--- /dev/null
+From 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 30 Jan 2020 22:13:51 -0800
+Subject: lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more()
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 upstream.
+
+In case memory resources for _ptr2_ were allocated, release them before
+return.
+
+Notice that in case _ptr1_ happens to be NULL, krealloc() behaves
+exactly like kmalloc().
+
+Addresses-Coverity-ID: 1490594 ("Resource leak")
+Link: http://lkml.kernel.org/r/20200123160115.GA4202@embeddedor
+Fixes: 3f15801cdc23 ("lib: add kasan test module")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/test_kasan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/lib/test_kasan.c
++++ b/lib/test_kasan.c
+@@ -124,6 +124,7 @@ static noinline void __init kmalloc_oob_
+ if (!ptr1 || !ptr2) {
+ pr_err("Allocation failed\n");
+ kfree(ptr1);
++ kfree(ptr2);
+ return;
+ }
+
--- /dev/null
+From 3c7470b6f68434acae459482ab920d1e3fabd1c7 Mon Sep 17 00:00:00 2001
+From: John Hubbard <jhubbard@nvidia.com>
+Date: Thu, 30 Jan 2020 22:12:50 -0800
+Subject: media/v4l2-core: set pages dirty upon releasing DMA buffers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John Hubbard <jhubbard@nvidia.com>
+
+commit 3c7470b6f68434acae459482ab920d1e3fabd1c7 upstream.
+
+After DMA is complete, and the device and CPU caches are synchronized,
+it's still required to mark the CPU pages as dirty, if the data was
+coming from the device. However, this driver was just issuing a bare
+put_page() call, without any set_page_dirty*() call.
+
+Fix the problem, by calling set_page_dirty_lock() if the CPU pages were
+potentially receiving data from the device.
+
+Link: http://lkml.kernel.org/r/20200107224558.2362728-11-jhubbard@nvidia.com
+Signed-off-by: John Hubbard <jhubbard@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Cc: <stable@vger.kernel.org>
+Cc: Alex Williamson <alex.williamson@redhat.com>
+Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Cc: Björn Töpel <bjorn.topel@intel.com>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Cc: Ira Weiny <ira.weiny@intel.com>
+Cc: Jan Kara <jack@suse.cz>
+Cc: Jason Gunthorpe <jgg@mellanox.com>
+Cc: Jason Gunthorpe <jgg@ziepe.ca>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Jerome Glisse <jglisse@redhat.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Leon Romanovsky <leonro@mellanox.com>
+Cc: Mike Rapoport <rppt@linux.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/videobuf-dma-sg.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/videobuf-dma-sg.c
++++ b/drivers/media/v4l2-core/videobuf-dma-sg.c
+@@ -352,8 +352,11 @@ int videobuf_dma_free(struct videobuf_dm
+ BUG_ON(dma->sglen);
+
+ if (dma->pages) {
+- for (i = 0; i < dma->nr_pages; i++)
++ for (i = 0; i < dma->nr_pages; i++) {
++ if (dma->direction == DMA_FROM_DEVICE)
++ set_page_dirty_lock(dma->pages[i]);
+ put_page(dma->pages[i]);
++ }
+ kfree(dma->pages);
+ dma->pages = NULL;
+ }
--- /dev/null
+From f51e50db4c20d46930b33be3f208851265694f3e Mon Sep 17 00:00:00 2001
+From: Helen Koike <helen.koike@collabora.com>
+Date: Tue, 17 Dec 2019 21:00:22 +0100
+Subject: media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments
+
+From: Helen Koike <helen.koike@collabora.com>
+
+commit f51e50db4c20d46930b33be3f208851265694f3e upstream.
+
+boundary->width and boundary->height are sizes relative to
+boundary->left and boundary->top coordinates, but they were not being
+taken into consideration to adjust r->left and r->top, leading to the
+following error:
+
+Consider the follow as initial values for boundary and r:
+
+struct v4l2_rect boundary = {
+ .left = 100,
+ .top = 100,
+ .width = 800,
+ .height = 600,
+}
+
+struct v4l2_rect r = {
+ .left = 0,
+ .top = 0,
+ .width = 1920,
+ .height = 960,
+}
+
+calling v4l2_rect_map_inside(&r, &boundary) was modifying r to:
+
+r = {
+ .left = 0,
+ .top = 0,
+ .width = 800,
+ .height = 600,
+}
+
+Which is wrongly outside the boundary rectangle, because:
+
+ v4l2_rect_set_max_size(r, boundary); // r->width = 800, r->height = 600
+ ...
+ if (r->left + r->width > boundary->width) // true
+ r->left = boundary->width - r->width; // r->left = 800 - 800
+ if (r->top + r->height > boundary->height) // true
+ r->top = boundary->height - r->height; // r->height = 600 - 600
+
+Fix this by considering top/left coordinates from boundary.
+
+Fixes: ac49de8c49d7 ("[media] v4l2-rect.h: new header with struct v4l2_rect helper functions")
+Signed-off-by: Helen Koike <helen.koike@collabora.com>
+Cc: <stable@vger.kernel.org> # for v4.7 and up
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/media/v4l2-rect.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/include/media/v4l2-rect.h
++++ b/include/media/v4l2-rect.h
+@@ -75,10 +75,10 @@ static inline void v4l2_rect_map_inside(
+ r->left = boundary->left;
+ if (r->top < boundary->top)
+ r->top = boundary->top;
+- if (r->left + r->width > boundary->width)
+- r->left = boundary->width - r->width;
+- if (r->top + r->height > boundary->height)
+- r->top = boundary->height - r->height;
++ if (r->left + r->width > boundary->left + boundary->width)
++ r->left = boundary->left + boundary->width - r->width;
++ if (r->top + r->height > boundary->top + boundary->height)
++ r->top = boundary->top + boundary->height - r->height;
+ }
+
+ /**
usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch
usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch
alsa-dummy-fix-pcm-format-loop-in-proc-output.patch
+media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch
+media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch
+lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
