From: Greg Kroah-Hartman Date: Thu, 6 Feb 2020 16:15:01 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.19.103~132 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fd698387b56b382ec812e0c2702fd49e2b98728b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch --- diff --git a/queue-4.9/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch b/queue-4.9/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch new file mode 100644 index 00000000000..3c1f99fee07 --- /dev/null +++ b/queue-4.9/lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch @@ -0,0 +1,39 @@ +From 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Thu, 30 Jan 2020 22:13:51 -0800 +Subject: lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() + +From: Gustavo A. R. Silva + +commit 3e21d9a501bf99aee2e5835d7f34d8c823f115b5 upstream. + +In case memory resources for _ptr2_ were allocated, release them before +return. + +Notice that in case _ptr1_ happens to be NULL, krealloc() behaves +exactly like kmalloc(). + +Addresses-Coverity-ID: 1490594 ("Resource leak") +Link: http://lkml.kernel.org/r/20200123160115.GA4202@embeddedor +Fixes: 3f15801cdc23 ("lib: add kasan test module") +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Dmitry Vyukov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/test_kasan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/test_kasan.c ++++ b/lib/test_kasan.c +@@ -124,6 +124,7 @@ static noinline void __init kmalloc_oob_ + if (!ptr1 || !ptr2) { + pr_err("Allocation failed\n"); + kfree(ptr1); ++ kfree(ptr2); + return; + } + diff --git a/queue-4.9/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch b/queue-4.9/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch new file mode 100644 index 00000000000..64ddf10bea9 --- /dev/null +++ b/queue-4.9/media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch @@ -0,0 +1,64 @@ +From 3c7470b6f68434acae459482ab920d1e3fabd1c7 Mon Sep 17 00:00:00 2001 +From: John Hubbard +Date: Thu, 30 Jan 2020 22:12:50 -0800 +Subject: media/v4l2-core: set pages dirty upon releasing DMA buffers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John Hubbard + +commit 3c7470b6f68434acae459482ab920d1e3fabd1c7 upstream. + +After DMA is complete, and the device and CPU caches are synchronized, +it's still required to mark the CPU pages as dirty, if the data was +coming from the device. However, this driver was just issuing a bare +put_page() call, without any set_page_dirty*() call. + +Fix the problem, by calling set_page_dirty_lock() if the CPU pages were +potentially receiving data from the device. + +Link: http://lkml.kernel.org/r/20200107224558.2362728-11-jhubbard@nvidia.com +Signed-off-by: John Hubbard +Reviewed-by: Christoph Hellwig +Acked-by: Hans Verkuil +Cc: Mauro Carvalho Chehab +Cc: +Cc: Alex Williamson +Cc: Aneesh Kumar K.V +Cc: Björn Töpel +Cc: Daniel Vetter +Cc: Dan Williams +Cc: Ira Weiny +Cc: Jan Kara +Cc: Jason Gunthorpe +Cc: Jason Gunthorpe +Cc: Jens Axboe +Cc: Jerome Glisse +Cc: Jonathan Corbet +Cc: Kirill A. Shutemov +Cc: Leon Romanovsky +Cc: Mike Rapoport +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/videobuf-dma-sg.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/media/v4l2-core/videobuf-dma-sg.c ++++ b/drivers/media/v4l2-core/videobuf-dma-sg.c +@@ -352,8 +352,11 @@ int videobuf_dma_free(struct videobuf_dm + BUG_ON(dma->sglen); + + if (dma->pages) { +- for (i = 0; i < dma->nr_pages; i++) ++ for (i = 0; i < dma->nr_pages; i++) { ++ if (dma->direction == DMA_FROM_DEVICE) ++ set_page_dirty_lock(dma->pages[i]); + put_page(dma->pages[i]); ++ } + kfree(dma->pages); + dma->pages = NULL; + } diff --git a/queue-4.9/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch b/queue-4.9/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch new file mode 100644 index 00000000000..12a9b63bc26 --- /dev/null +++ b/queue-4.9/media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch @@ -0,0 +1,78 @@ +From f51e50db4c20d46930b33be3f208851265694f3e Mon Sep 17 00:00:00 2001 +From: Helen Koike +Date: Tue, 17 Dec 2019 21:00:22 +0100 +Subject: media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments + +From: Helen Koike + +commit f51e50db4c20d46930b33be3f208851265694f3e upstream. + +boundary->width and boundary->height are sizes relative to +boundary->left and boundary->top coordinates, but they were not being +taken into consideration to adjust r->left and r->top, leading to the +following error: + +Consider the follow as initial values for boundary and r: + +struct v4l2_rect boundary = { + .left = 100, + .top = 100, + .width = 800, + .height = 600, +} + +struct v4l2_rect r = { + .left = 0, + .top = 0, + .width = 1920, + .height = 960, +} + +calling v4l2_rect_map_inside(&r, &boundary) was modifying r to: + +r = { + .left = 0, + .top = 0, + .width = 800, + .height = 600, +} + +Which is wrongly outside the boundary rectangle, because: + + v4l2_rect_set_max_size(r, boundary); // r->width = 800, r->height = 600 + ... + if (r->left + r->width > boundary->width) // true + r->left = boundary->width - r->width; // r->left = 800 - 800 + if (r->top + r->height > boundary->height) // true + r->top = boundary->height - r->height; // r->height = 600 - 600 + +Fix this by considering top/left coordinates from boundary. + +Fixes: ac49de8c49d7 ("[media] v4l2-rect.h: new header with struct v4l2_rect helper functions") +Signed-off-by: Helen Koike +Cc: # for v4.7 and up +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + include/media/v4l2-rect.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/include/media/v4l2-rect.h ++++ b/include/media/v4l2-rect.h +@@ -75,10 +75,10 @@ static inline void v4l2_rect_map_inside( + r->left = boundary->left; + if (r->top < boundary->top) + r->top = boundary->top; +- if (r->left + r->width > boundary->width) +- r->left = boundary->width - r->width; +- if (r->top + r->height > boundary->height) +- r->top = boundary->height - r->height; ++ if (r->left + r->width > boundary->left + boundary->width) ++ r->left = boundary->left + boundary->width - r->width; ++ if (r->top + r->height > boundary->top + boundary->height) ++ r->top = boundary->top + boundary->height - r->height; + } + + /** diff --git a/queue-4.9/series b/queue-4.9/series index 677ca620b3b..05cac6bcda1 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -19,3 +19,6 @@ usb-gadget-legacy-set-max_speed-to-super-speed.patch usb-gadget-f_ncm-use-atomic_t-to-track-in-flight-request.patch usb-gadget-f_ecm-use-atomic_t-to-track-in-flight-request.patch alsa-dummy-fix-pcm-format-loop-in-proc-output.patch +media-v4l2-core-set-pages-dirty-upon-releasing-dma-buffers.patch +media-v4l2-rect.h-fix-v4l2_rect_map_inside-top-left-adjustments.patch +lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch