From: Sasha Levin Date: Tue, 20 Sep 2022 21:23:51 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.19.11~23 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=999652a05d60c18c41b04a000d7d4d925fe10670;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch b/queue-4.19/alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch new file mode 100644 index 00000000000..ba29659e1ec --- /dev/null +++ b/queue-4.19/alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch @@ -0,0 +1,71 @@ +From 876c5d4307f5efb05294361c322710299d30a36a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 09:27:50 +0200 +Subject: ALSA: hda/sigmatel: Keep power up while beep is enabled + +From: Takashi Iwai + +[ Upstream commit 414d38ba871092aeac4ed097ac4ced89486646f7 ] + +It seems that the beep playback doesn't work well on IDT codec devices +when the codec auto-pm is enabled. Keep the power on while the beep +switch is enabled. + +Link: https://bugzilla.suse.com/show_bug.cgi?id=1200544 +Link: https://lore.kernel.org/r/20220904072750.26164-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_sigmatel.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index 85c33f528d7b..2f6e4e3afd8f 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -222,6 +222,7 @@ struct sigmatel_spec { + + /* beep widgets */ + hda_nid_t anabeep_nid; ++ bool beep_power_on; + + /* SPDIF-out mux */ + const char * const *spdif_labels; +@@ -4463,6 +4464,26 @@ static int stac_suspend(struct hda_codec *codec) + stac_shutup(codec); + return 0; + } ++ ++static int stac_check_power_status(struct hda_codec *codec, hda_nid_t nid) ++{ ++ struct sigmatel_spec *spec = codec->spec; ++ int ret = snd_hda_gen_check_power_status(codec, nid); ++ ++#ifdef CONFIG_SND_HDA_INPUT_BEEP ++ if (nid == spec->gen.beep_nid && codec->beep) { ++ if (codec->beep->enabled != spec->beep_power_on) { ++ spec->beep_power_on = codec->beep->enabled; ++ if (spec->beep_power_on) ++ snd_hda_power_up_pm(codec); ++ else ++ snd_hda_power_down_pm(codec); ++ } ++ ret |= spec->beep_power_on; ++ } ++#endif ++ return ret; ++} + #else + #define stac_suspend NULL + #endif /* CONFIG_PM */ +@@ -4475,6 +4496,7 @@ static const struct hda_codec_ops stac_patch_ops = { + .unsol_event = snd_hda_jack_unsol_event, + #ifdef CONFIG_PM + .suspend = stac_suspend, ++ .check_power_status = stac_check_power_status, + #endif + .reboot_notify = stac_shutup, + }; +-- +2.35.1 + diff --git a/queue-4.19/asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch b/queue-4.19/asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch new file mode 100644 index 00000000000..e57a7b95e4d --- /dev/null +++ b/queue-4.19/asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch @@ -0,0 +1,101 @@ +From e250b7445da662ea1dfac6e3efa59522edfc94ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:09:57 +0200 +Subject: ASoC: nau8824: Fix semaphore unbalance at error paths + +From: Takashi Iwai + +[ Upstream commit 5628560e90395d3812800a8e44a01c32ffa429ec ] + +The semaphore of nau8824 wasn't properly unlocked at some error +handling code paths, hence this may result in the unbalance (and +potential lock-up). Fix them to handle the semaphore up properly. + +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20220823081000.2965-3-tiwai@suse.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/nau8824.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/sound/soc/codecs/nau8824.c b/sound/soc/codecs/nau8824.c +index 4af87340b165..4f18bb272e92 100644 +--- a/sound/soc/codecs/nau8824.c ++++ b/sound/soc/codecs/nau8824.c +@@ -1075,6 +1075,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + struct snd_soc_component *component = dai->component; + struct nau8824 *nau8824 = snd_soc_component_get_drvdata(component); + unsigned int val_len = 0, osr, ctrl_val, bclk_fs, bclk_div; ++ int err = -EINVAL; + + nau8824_sema_acquire(nau8824, HZ); + +@@ -1091,7 +1092,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + osr &= NAU8824_DAC_OVERSAMPLE_MASK; + if (nau8824_clock_check(nau8824, substream->stream, + nau8824->fs, osr)) +- return -EINVAL; ++ goto error; + regmap_update_bits(nau8824->regmap, NAU8824_REG_CLK_DIVIDER, + NAU8824_CLK_DAC_SRC_MASK, + osr_dac_sel[osr].clk_src << NAU8824_CLK_DAC_SRC_SFT); +@@ -1101,7 +1102,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + osr &= NAU8824_ADC_SYNC_DOWN_MASK; + if (nau8824_clock_check(nau8824, substream->stream, + nau8824->fs, osr)) +- return -EINVAL; ++ goto error; + regmap_update_bits(nau8824->regmap, NAU8824_REG_CLK_DIVIDER, + NAU8824_CLK_ADC_SRC_MASK, + osr_adc_sel[osr].clk_src << NAU8824_CLK_ADC_SRC_SFT); +@@ -1122,7 +1123,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + else if (bclk_fs <= 256) + bclk_div = 0; + else +- return -EINVAL; ++ goto error; + regmap_update_bits(nau8824->regmap, + NAU8824_REG_PORT0_I2S_PCM_CTRL_2, + NAU8824_I2S_LRC_DIV_MASK | NAU8824_I2S_BLK_DIV_MASK, +@@ -1143,15 +1144,17 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + val_len |= NAU8824_I2S_DL_32; + break; + default: +- return -EINVAL; ++ goto error; + } + + regmap_update_bits(nau8824->regmap, NAU8824_REG_PORT0_I2S_PCM_CTRL_1, + NAU8824_I2S_DL_MASK, val_len); ++ err = 0; + ++ error: + nau8824_sema_release(nau8824); + +- return 0; ++ return err; + } + + static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) +@@ -1160,8 +1163,6 @@ static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) + struct nau8824 *nau8824 = snd_soc_component_get_drvdata(component); + unsigned int ctrl1_val = 0, ctrl2_val = 0; + +- nau8824_sema_acquire(nau8824, HZ); +- + switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) { + case SND_SOC_DAIFMT_CBM_CFM: + ctrl2_val |= NAU8824_I2S_MS_MASTER; +@@ -1203,6 +1204,8 @@ static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) + return -EINVAL; + } + ++ nau8824_sema_acquire(nau8824, HZ); ++ + regmap_update_bits(nau8824->regmap, NAU8824_REG_PORT0_I2S_PCM_CTRL_1, + NAU8824_I2S_DF_MASK | NAU8824_I2S_BP_MASK | + NAU8824_I2S_PCMB_EN, ctrl1_val); +-- +2.35.1 + diff --git a/queue-4.19/mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch b/queue-4.19/mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch new file mode 100644 index 00000000000..5f38df016f6 --- /dev/null +++ b/queue-4.19/mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch @@ -0,0 +1,61 @@ +From a5e8365fc17bf403d81142b4ceec6ee15ee07cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 11:59:43 +0200 +Subject: MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping() + +From: Alexander Sverdlin + +[ Upstream commit ba912afbd611d3a5f22af247721a071ad1d5b9e0 ] + +For irq_domain_associate() to work the virq descriptor has to be +pre-allocated in advance. Otherwise the following happens: + +WARNING: CPU: 0 PID: 0 at .../kernel/irq/irqdomain.c:527 irq_domain_associate+0x298/0x2e8 +error: virq128 is not allocated +Modules linked in: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.78-... #1 + ... +Call Trace: +[] show_stack+0x9c/0x130 +[] dump_stack+0x90/0xd0 +[] __warn+0x118/0x130 +[] warn_slowpath_fmt+0x4c/0x70 +[] irq_domain_associate+0x298/0x2e8 +[] octeon_irq_init_ciu+0x4c8/0x53c +[] of_irq_init+0x1e0/0x388 +[] init_IRQ+0x4c/0xf4 +[] start_kernel+0x404/0x698 + +Use irq_alloc_desc_at() to avoid the above problem. + +Signed-off-by: Alexander Sverdlin +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/cavium-octeon/octeon-irq.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/mips/cavium-octeon/octeon-irq.c b/arch/mips/cavium-octeon/octeon-irq.c +index 43e4fc1b373c..3e5cf5515c01 100644 +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -127,6 +127,16 @@ static void octeon_irq_free_cd(struct irq_domain *d, unsigned int irq) + static int octeon_irq_force_ciu_mapping(struct irq_domain *domain, + int irq, int line, int bit) + { ++ struct device_node *of_node; ++ int ret; ++ ++ of_node = irq_domain_get_of_node(domain); ++ if (!of_node) ++ return -EINVAL; ++ ret = irq_alloc_desc_at(irq, of_node_to_nid(of_node)); ++ if (ret < 0) ++ return ret; ++ + return irq_domain_associate(domain, irq, line << 6 | bit); + } + +-- +2.35.1 + diff --git a/queue-4.19/mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch b/queue-4.19/mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch new file mode 100644 index 00000000000..257e35b1a30 --- /dev/null +++ b/queue-4.19/mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch @@ -0,0 +1,39 @@ +From 0afbdad15f485a076b9804242d3014df312d2158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 19:10:59 +0800 +Subject: mksysmap: Fix the mismatch of 'L0' symbols in System.map + +From: Youling Tang + +[ Upstream commit c17a2538704f926ee4d167ba625e09b1040d8439 ] + +When System.map was generated, the kernel used mksysmap to filter the +kernel symbols, we need to filter "L0" symbols in LoongArch architecture. + +$ cat System.map | grep L0 +9000000000221540 t L0 + +The L0 symbol exists in System.map, but not in .tmp_System.map. When +"cmp -s System.map .tmp_System.map" will show "Inconsistent kallsyms +data" error message in link-vmlinux.sh script. + +Signed-off-by: Youling Tang +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mksysmap | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/mksysmap b/scripts/mksysmap +index 9aa23d15862a..ad8bbc52267d 100755 +--- a/scripts/mksysmap ++++ b/scripts/mksysmap +@@ -41,4 +41,4 @@ + # so we just ignore them to let readprofile continue to work. + # (At least sparc64 has __crc_ in the middle). + +-$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( \.L\)' > $2 ++$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( \.L\)\|\( L0\)' > $2 +-- +2.35.1 + diff --git a/queue-4.19/net-usb-qmi_wwan-add-quectel-rm520n.patch b/queue-4.19/net-usb-qmi_wwan-add-quectel-rm520n.patch new file mode 100644 index 00000000000..d9941bf9bff --- /dev/null +++ b/queue-4.19/net-usb-qmi_wwan-add-quectel-rm520n.patch @@ -0,0 +1,67 @@ +From d756eebd7fdf9f1df454991cc0d2ed26f45db42f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 09:24:52 +0800 +Subject: net: usb: qmi_wwan: add Quectel RM520N +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: jerry.meng + +[ Upstream commit e1091e226a2bab4ded1fe26efba2aee1aab06450 ] + +add support for Quectel RM520N which is based on Qualcomm SDX62 chip. + +0x0801: DIAG + NMEA + AT + MODEM + RMNET + +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 10 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=0801 Rev= 5.04 +S: Manufacturer=Quectel +S: Product=RM520N-GL +S: SerialNumber=384af524 +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: jerry.meng +Acked-by: Bjørn Mork +Link: https://lore.kernel.org/r/tencent_E50CA8A206904897C2D20DDAE90731183C05@qq.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index fcf21a1ca776..8d10c29ba176 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1049,6 +1049,7 @@ static const struct usb_device_id products[] = { + {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0512)}, /* Quectel EG12/EM12 */ + {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0620)}, /* Quectel EM160R-GL */ + {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0800)}, /* Quectel RM500Q-GL */ ++ {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0801)}, /* Quectel RM520N */ + + /* 3. Combined interface devices matching on interface number */ + {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */ +-- +2.35.1 + diff --git a/queue-4.19/regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch b/queue-4.19/regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch new file mode 100644 index 00000000000..90e0c5cbc2a --- /dev/null +++ b/queue-4.19/regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch @@ -0,0 +1,42 @@ +From 572d770d2cace91105a97f949c6cde52648762cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 19:19:22 +0800 +Subject: regulator: pfuze100: Fix the global-out-of-bounds access in + pfuze100_regulator_probe() + +From: Xiaolei Wang + +[ Upstream commit 78e1e867f44e6bdc72c0e6a2609a3407642fb30b ] + +The pfuze_chip::regulator_descs is an array of size +PFUZE100_MAX_REGULATOR, the pfuze_chip::pfuze_regulators +is the pointer to the real regulators of a specific device. +The number of real regulator is supposed to be less than +the PFUZE100_MAX_REGULATOR, so we should use the size of +'regulator_num * sizeof(struct pfuze_regulator)' in memcpy(). +This fixes the out of bounds access bug reported by KASAN. + +Signed-off-by: Xiaolei Wang +Link: https://lore.kernel.org/r/20220825111922.1368055-1-xiaolei.wang@windriver.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pfuze100-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c +index 8b1940110561..b1d73a6c7809 100644 +--- a/drivers/regulator/pfuze100-regulator.c ++++ b/drivers/regulator/pfuze100-regulator.c +@@ -710,7 +710,7 @@ static int pfuze100_regulator_probe(struct i2c_client *client, + ((pfuze_chip->chip_id == PFUZE3000) ? "3000" : "3001")))); + + memcpy(pfuze_chip->regulator_descs, pfuze_chip->pfuze_regulators, +- sizeof(pfuze_chip->regulator_descs)); ++ regulator_num * sizeof(struct pfuze_regulator)); + + ret = pfuze_parse_regulators_dt(pfuze_chip); + if (ret) +-- +2.35.1 + diff --git a/queue-4.19/rxrpc-fix-local-destruction-being-repeated.patch b/queue-4.19/rxrpc-fix-local-destruction-being-repeated.patch new file mode 100644 index 00000000000..d73848c4e8a --- /dev/null +++ b/queue-4.19/rxrpc-fix-local-destruction-being-repeated.patch @@ -0,0 +1,38 @@ +From 47b812d77586575ddaf3af8923010c47cc6cbfc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 23:55:21 +0100 +Subject: rxrpc: Fix local destruction being repeated + +From: David Howells + +[ Upstream commit d3d863036d688313f8d566b87acd7d99daf82749 ] + +If the local processor work item for the rxrpc local endpoint gets requeued +by an event (such as an incoming packet) between it getting scheduled for +destruction and the UDP socket being closed, the rxrpc_local_destroyer() +function can get run twice. The second time it can hang because it can end +up waiting for cleanup events that will never happen. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/local_object.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c +index fe190a691872..5a01479aae3f 100644 +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -452,6 +452,9 @@ static void rxrpc_local_processor(struct work_struct *work) + container_of(work, struct rxrpc_local, processor); + bool again; + ++ if (local->dead) ++ return; ++ + trace_rxrpc_local(local->debug_id, rxrpc_local_processing, + atomic_read(&local->usage), NULL); + +-- +2.35.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 66b7297d223..359e4b1101c 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -8,3 +8,11 @@ nvmet-fix-a-use-after-free.patch mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch cifs-don-t-send-down-the-destination-address-to-sendmsg-for-a-sock_stream.patch +asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch +regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch +rxrpc-fix-local-destruction-being-repeated.patch +alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch +net-usb-qmi_wwan-add-quectel-rm520n.patch +mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch +mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch +video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch diff --git a/queue-4.19/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch b/queue-4.19/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch new file mode 100644 index 00000000000..b7ac77f39b5 --- /dev/null +++ b/queue-4.19/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch @@ -0,0 +1,36 @@ +From 4e79975ccc426150cf182788efcb2375430afcf3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 07:17:46 -0700 +Subject: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write + +From: Hyunwoo Kim + +[ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ] + +In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of +type int. Then, copy_from_user() may cause a heap overflow because it is used +as the third argument of copy_from_user(). + +Signed-off-by: Hyunwoo Kim +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxa3xx-gcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c +index 43695a33f062..aec0b85db5bf 100644 +--- a/drivers/video/fbdev/pxa3xx-gcu.c ++++ b/drivers/video/fbdev/pxa3xx-gcu.c +@@ -394,7 +394,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, + struct pxa3xx_gcu_batch *buffer; + struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file); + +- int words = count / 4; ++ size_t words = count / 4; + + /* Does not need to be atomic. There's a lock in user space, + * but anyhow, this is just for statistics. */ +-- +2.35.1 +