From 05c2061f0313de59f801a160f9c95326ea1b9157 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 3 Apr 2025 16:00:13 +0100
Subject: [PATCH] 6.6-stable patches

added patches:
	usb-gadget-uvc-fix-err_ptr-dereference-in-uvc_v4l2.c.patch
---
 queue-6.6/series                              |  1 +
 ...ix-err_ptr-dereference-in-uvc_v4l2.c.patch | 74 +++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 queue-6.6/usb-gadget-uvc-fix-err_ptr-dereference-in-uvc_v4l2.c.patch

diff --git a/queue-6.6/series b/queue-6.6/series
index e97d1fb658..c1e8ff9e83 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -23,3 +23,4 @@ net-usb-qmi_wwan-add-telit-cinterion-fe990b-composition.patch
 net-usb-usbnet-restore-usb-d-name-exception-for-local-mac-addresses.patch
 memstick-rtsx_usb_ms-fix-slab-use-after-free-in-rtsx_usb_ms_drv_remove.patch
 serial-8250_dma-terminate-correct-dma-in-tx_dma_flush.patch
+usb-gadget-uvc-fix-err_ptr-dereference-in-uvc_v4l2.c.patch
diff --git a/queue-6.6/usb-gadget-uvc-fix-err_ptr-dereference-in-uvc_v4l2.c.patch b/queue-6.6/usb-gadget-uvc-fix-err_ptr-dereference-in-uvc_v4l2.c.patch
new file mode 100644
index 0000000000..aabe798b8d
--- /dev/null
+++ b/queue-6.6/usb-gadget-uvc-fix-err_ptr-dereference-in-uvc_v4l2.c.patch
@@ -0,0 +1,74 @@
+From a7bb96b18864225a694e3887ac2733159489e4b0 Mon Sep 17 00:00:00 2001
+From: Abhishek Tamboli <abhishektamboli9@gmail.com>
+Date: Thu, 15 Aug 2024 15:52:02 +0530
+Subject: usb: gadget: uvc: Fix ERR_PTR dereference in uvc_v4l2.c
+
+From: Abhishek Tamboli <abhishektamboli9@gmail.com>
+
+commit a7bb96b18864225a694e3887ac2733159489e4b0 upstream.
+
+Fix potential dereferencing of ERR_PTR() in find_format_by_pix()
+and uvc_v4l2_enum_format().
+
+Fix the following smatch errors:
+
+drivers/usb/gadget/function/uvc_v4l2.c:124 find_format_by_pix()
+error: 'fmtdesc' dereferencing possible ERR_PTR()
+
+drivers/usb/gadget/function/uvc_v4l2.c:392 uvc_v4l2_enum_format()
+error: 'fmtdesc' dereferencing possible ERR_PTR()
+
+Also, fix similar issue in uvc_v4l2_try_format() for potential
+dereferencing of ERR_PTR().
+
+Signed-off-by: Abhishek Tamboli <abhishektamboli9@gmail.com>
+Link: https://lore.kernel.org/r/20240815102202.594812-1-abhishektamboli9@gmail.com
+Signed-off-by: Jianqi Ren <jianqi.ren.cn@windriver.com>
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/uvc_v4l2.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/uvc_v4l2.c
++++ b/drivers/usb/gadget/function/uvc_v4l2.c
+@@ -121,6 +121,9 @@ static struct uvcg_format *find_format_b
+ 	list_for_each_entry(format, &uvc->header->formats, entry) {
+ 		const struct uvc_format_desc *fmtdesc = to_uvc_format(format->fmt);
+ 
++		if (IS_ERR(fmtdesc))
++			continue;
++
+ 		if (fmtdesc->fcc == pixelformat) {
+ 			uformat = format->fmt;
+ 			break;
+@@ -240,6 +243,7 @@ uvc_v4l2_try_format(struct file *file, v
+ 	struct uvc_video *video = &uvc->video;
+ 	struct uvcg_format *uformat;
+ 	struct uvcg_frame *uframe;
++	const struct uvc_format_desc *fmtdesc;
+ 	u8 *fcc;
+ 
+ 	if (fmt->type != video->queue.queue.type)
+@@ -265,7 +269,10 @@ uvc_v4l2_try_format(struct file *file, v
+ 	fmt->fmt.pix.field = V4L2_FIELD_NONE;
+ 	fmt->fmt.pix.bytesperline = uvc_v4l2_get_bytesperline(uformat, uframe);
+ 	fmt->fmt.pix.sizeimage = uvc_get_frame_size(uformat, uframe);
+-	fmt->fmt.pix.pixelformat = to_uvc_format(uformat)->fcc;
++	fmtdesc = to_uvc_format(uformat);
++	if (IS_ERR(fmtdesc))
++		return PTR_ERR(fmtdesc);
++	fmt->fmt.pix.pixelformat = fmtdesc->fcc;
+ 	fmt->fmt.pix.colorspace = V4L2_COLORSPACE_SRGB;
+ 	fmt->fmt.pix.priv = 0;
+ 
+@@ -375,6 +382,9 @@ uvc_v4l2_enum_format(struct file *file,
+ 		return -EINVAL;
+ 
+ 	fmtdesc = to_uvc_format(uformat);
++	if (IS_ERR(fmtdesc))
++		return PTR_ERR(fmtdesc);
++
+ 	f->pixelformat = fmtdesc->fcc;
+ 
+ 	return 0;
-- 
2.47.3