From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 17 Oct 2025 14:22:05 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v5.15.195~11
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=91af74a760e7e32153e82e4bdecbb2ad752b1d7a;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	media-pci-ivtv-add-check-for-dma-map-result.patch
	mm-slab-make-__free-kfree-accept-error-pointers.patch
---

diff --git a/queue-5.15/media-pci-ivtv-add-check-for-dma-map-result.patch b/queue-5.15/media-pci-ivtv-add-check-for-dma-map-result.patch
new file mode 100644
index 0000000000..9165d38a7a
--- /dev/null
+++ b/queue-5.15/media-pci-ivtv-add-check-for-dma-map-result.patch
@@ -0,0 +1,82 @@
+From 629913d6d79508b166c66e07e4857e20233d85a9 Mon Sep 17 00:00:00 2001
+From: Mikhail Kobuk <m.kobuk@ispras.ru>
+Date: Thu, 28 Mar 2024 02:32:23 +0300
+Subject: media: pci: ivtv: Add check for DMA map result
+
+From: Mikhail Kobuk <m.kobuk@ispras.ru>
+
+commit 629913d6d79508b166c66e07e4857e20233d85a9 upstream.
+
+In case DMA fails, 'dma->SG_length' is 0. This value is later used to
+access 'dma->SGarray[dma->SG_length - 1]', which will cause out of
+bounds access.
+
+Add check to return early on invalid value. Adjust warnings accordingly.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 1932dc2f4cf6 ("media: pci/ivtv: switch from 'pci_' to 'dma_' API")
+Signed-off-by: Mikhail Kobuk <m.kobuk@ispras.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/ivtv/ivtv-udma.c |    8 ++++++++
+ drivers/media/pci/ivtv/ivtv-yuv.c  |    6 ++++++
+ drivers/media/pci/ivtv/ivtvfb.c    |    6 +++---
+ 3 files changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/pci/ivtv/ivtv-udma.c
++++ b/drivers/media/pci/ivtv/ivtv-udma.c
+@@ -131,6 +131,8 @@ int ivtv_udma_setup(struct ivtv *itv, un
+ 
+ 	/* Fill SG List with new values */
+ 	if (ivtv_udma_fill_sg_list(dma, &user_dma, 0) < 0) {
++		IVTV_DEBUG_WARN("%s: could not allocate bounce buffers for highmem userspace buffers\n",
++				__func__);
+ 		unpin_user_pages(dma->map, dma->page_count);
+ 		dma->page_count = 0;
+ 		return -ENOMEM;
+@@ -139,6 +141,12 @@ int ivtv_udma_setup(struct ivtv *itv, un
+ 	/* Map SG List */
+ 	dma->SG_length = dma_map_sg(&itv->pdev->dev, dma->SGlist,
+ 				    dma->page_count, DMA_TO_DEVICE);
++	if (!dma->SG_length) {
++		IVTV_DEBUG_WARN("%s: DMA map error, SG_length is 0\n", __func__);
++		unpin_user_pages(dma->map, dma->page_count);
++		dma->page_count = 0;
++		return -EINVAL;
++	}
+ 
+ 	/* Fill SG Array with new values */
+ 	ivtv_udma_fill_sg_array (dma, ivtv_dest_addr, 0, -1);
+--- a/drivers/media/pci/ivtv/ivtv-yuv.c
++++ b/drivers/media/pci/ivtv/ivtv-yuv.c
+@@ -115,6 +115,12 @@ static int ivtv_yuv_prep_user_dma(struct
+ 	}
+ 	dma->SG_length = dma_map_sg(&itv->pdev->dev, dma->SGlist,
+ 				    dma->page_count, DMA_TO_DEVICE);
++	if (!dma->SG_length) {
++		IVTV_DEBUG_WARN("%s: DMA map error, SG_length is 0\n", __func__);
++		unpin_user_pages(dma->map, dma->page_count);
++		dma->page_count = 0;
++		return -EINVAL;
++	}
+ 
+ 	/* Fill SG Array with new values */
+ 	ivtv_udma_fill_sg_array(dma, y_buffer_offset, uv_buffer_offset, y_size);
+--- a/drivers/media/pci/ivtv/ivtvfb.c
++++ b/drivers/media/pci/ivtv/ivtvfb.c
+@@ -281,10 +281,10 @@ static int ivtvfb_prep_dec_dma_to_device
+ 	/* Map User DMA */
+ 	if (ivtv_udma_setup(itv, ivtv_dest_addr, userbuf, size_in_bytes) <= 0) {
+ 		mutex_unlock(&itv->udma.lock);
+-		IVTVFB_WARN("ivtvfb_prep_dec_dma_to_device, Error with pin_user_pages: %d bytes, %d pages returned\n",
+-			       size_in_bytes, itv->udma.page_count);
++		IVTVFB_WARN("%s, Error in ivtv_udma_setup: %d bytes, %d pages returned\n",
++			       __func__, size_in_bytes, itv->udma.page_count);
+ 
+-		/* pin_user_pages must have failed completely */
++		/* pin_user_pages or DMA must have failed completely */
+ 		return -EIO;
+ 	}
+ 
diff --git a/queue-5.15/mm-slab-make-__free-kfree-accept-error-pointers.patch b/queue-5.15/mm-slab-make-__free-kfree-accept-error-pointers.patch
new file mode 100644
index 0000000000..577215a09a
--- /dev/null
+++ b/queue-5.15/mm-slab-make-__free-kfree-accept-error-pointers.patch
@@ -0,0 +1,42 @@
+From cd7eb8f83fcf258f71e293f7fc52a70be8ed0128 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Sun, 28 Apr 2024 17:26:44 +0300
+Subject: mm/slab: make __free(kfree) accept error pointers
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit cd7eb8f83fcf258f71e293f7fc52a70be8ed0128 upstream.
+
+Currently, if an automatically freed allocation is an error pointer that
+will lead to a crash.  An example of this is in wm831x_gpio_dbg_show().
+
+   171	char *label __free(kfree) = gpiochip_dup_line_label(chip, i);
+   172	if (IS_ERR(label)) {
+   173		dev_err(wm831x->dev, "Failed to duplicate label\n");
+   174		continue;
+   175  }
+
+The auto clean up function should check for error pointers as well,
+otherwise we're going to keep hitting issues like this.
+
+Fixes: 54da6a092431 ("locking: Introduce __cleanup() based infrastructure")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Acked-by: David Rientjes <rientjes@google.com>
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/slab.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/slab.h
++++ b/include/linux/slab.h
+@@ -187,7 +187,7 @@ void kfree(const void *objp);
+ void kfree_sensitive(const void *objp);
+ size_t __ksize(const void *objp);
+ 
+-DEFINE_FREE(kfree, void *, if (_T) kfree(_T))
++DEFINE_FREE(kfree, void *, if (!IS_ERR_OR_NULL(_T)) kfree(_T))
+ 
+ /**
+  * ksize - Report actual allocation size of associated object
diff --git a/queue-5.15/series b/queue-5.15/series
index 30606ee7fe..6fec41fb84 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -270,3 +270,5 @@ arm64-mte-do-not-flag-the-zero-page-as-pg_mte_tagged.patch
 media-pci-ivtv-switch-from-pci_-to-dma_-api.patch
 media-pci-ivtv-add-missing-check-after-dma-map.patch
 xen-events-update-virq_to_irq-on-migration.patch
+media-pci-ivtv-add-check-for-dma-map-result.patch
+mm-slab-make-__free-kfree-accept-error-pointers.patch