- Linux-stable-mirror - lists.linaro.org

[PATCH 3/5] drm/mediatek: fix probe device leaks

by Johan Hovold

Make sure to drop the reference taken to each component device during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: 6ea6f8276725 ("drm/mediatek: Use correct device pointer to get CMDQ client register") Cc: stable(a)vger.kernel.org # 5.12 Cc: Chun-Kuang Hu <chunkuang.hu(a)kernel.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c index 31d67a131c50..9672ea1f91a2 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c @@ -621,6 +621,13 @@ int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev) return ret; } +static void mtk_ddp_comp_put_device(void *_dev) +{ + struct device *dev = _dev; + + put_device(dev); +} + static void mtk_ddp_comp_clk_put(void *_clk) { struct clk *clk = _clk; @@ -656,6 +663,10 @@ int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_d } comp->dev = &comp_pdev->dev; + ret = devm_add_action_or_reset(dev, mtk_ddp_comp_put_device, comp->dev); + if (ret) + return ret; + if (type == MTK_DISP_AAL || type == MTK_DISP_BLS || type == MTK_DISP_CCORR || -- 2.49.1

1 month, 3 weeks

1
0
0 0

[PATCH 2/5] drm/mediatek: fix probe memory leak

by Johan Hovold

The Mediatek DRM driver allocates private data for components without a platform driver but as the lifetime is tied to each component device, the memory is never freed. Tie the allocation lifetime to the DRM platform device so that the memory is released on probe failure (e.g. probe deferral) and when the driver is unbound. Fixes: c0d36de868a6 ("drm/mediatek: Move clk info from struct mtk_ddp_comp to sub driver private data") Cc: stable(a)vger.kernel.org # 5.12 Cc: CK Hu <ck.hu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c index 0264017806ad..31d67a131c50 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c @@ -671,7 +671,7 @@ int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_d type == MTK_DSI) return 0; - priv = devm_kzalloc(comp->dev, sizeof(*priv), GFP_KERNEL); + priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL); if (!priv) return -ENOMEM; -- 2.49.1

1 month, 3 weeks

1
0
0 0

[PATCH 1/5] drm/mediatek: fix probe resource leaks

by Johan Hovold

Make sure to unmap and release the component iomap and clock on probe failure (e.g. probe deferral) and on driver unbind. Note that unlike of_iomap(), devm_of_iomap() also checks whether the region is already mapped. Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") Cc: stable(a)vger.kernel.org # 4.7 Cc: CK Hu <ck.hu(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 20 ++++++++++++++++---- drivers/gpu/drm/mediatek/mtk_ddp_comp.h | 2 +- drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 ++-- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c index ac6620e10262..0264017806ad 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c @@ -621,15 +621,20 @@ int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev) return ret; } -int mtk_ddp_comp_init(struct device_node *node, struct mtk_ddp_comp *comp, +static void mtk_ddp_comp_clk_put(void *_clk) +{ + struct clk *clk = _clk; + + clk_put(clk); +} + +int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_ddp_comp *comp, unsigned int comp_id) { struct platform_device *comp_pdev; enum mtk_ddp_comp_type type; struct mtk_ddp_comp_dev *priv; -#if IS_REACHABLE(CONFIG_MTK_CMDQ) int ret; -#endif if (comp_id >= DDP_COMPONENT_DRM_ID_MAX) return -EINVAL; @@ -670,11 +675,18 @@ int mtk_ddp_comp_init(struct device_node *node, struct mtk_ddp_comp *comp, if (!priv) return -ENOMEM; - priv->regs = of_iomap(node, 0); + priv->regs = devm_of_iomap(dev, node, 0, NULL); + if (IS_ERR(priv->regs)) + return PTR_ERR(priv->regs); + priv->clk = of_clk_get(node, 0); if (IS_ERR(priv->clk)) return PTR_ERR(priv->clk); + ret = devm_add_action_or_reset(dev, mtk_ddp_comp_clk_put, priv->clk); + if (ret) + return ret; + #if IS_REACHABLE(CONFIG_MTK_CMDQ) ret = cmdq_dev_get_client_reg(comp->dev, &priv->cmdq_reg, 0); if (ret) diff --git a/drivers/gpu/drm/mediatek/mtk_ddp_comp.h b/drivers/gpu/drm/mediatek/mtk_ddp_comp.h index 7289b3dcf22f..3f3d43f4330d 100644 --- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.h +++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.h @@ -350,7 +350,7 @@ static inline void mtk_ddp_comp_encoder_index_set(struct mtk_ddp_comp *comp) int mtk_ddp_comp_get_id(struct device_node *node, enum mtk_ddp_comp_type comp_type); int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev); -int mtk_ddp_comp_init(struct device_node *comp_node, struct mtk_ddp_comp *comp, +int mtk_ddp_comp_init(struct device *dev, struct device_node *comp_node, struct mtk_ddp_comp *comp, unsigned int comp_id); enum mtk_ddp_comp_type mtk_ddp_comp_get_type(unsigned int comp_id); void mtk_ddp_write(struct cmdq_pkt *cmdq_pkt, unsigned int value, diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c index eb5537f0ac90..384b0510272c 100644 --- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c +++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c @@ -1133,7 +1133,7 @@ static int mtk_drm_probe(struct platform_device *pdev) (void *)private->mmsys_dev, sizeof(*private->mmsys_dev)); private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR].dev = &ovl_adaptor->dev; - mtk_ddp_comp_init(NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR], + mtk_ddp_comp_init(dev, NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR], DDP_COMPONENT_DRM_OVL_ADAPTOR); component_match_add(dev, &match, compare_dev, &ovl_adaptor->dev); } @@ -1199,7 +1199,7 @@ static int mtk_drm_probe(struct platform_device *pdev) node); } - ret = mtk_ddp_comp_init(node, &private->ddp_comp[comp_id], comp_id); + ret = mtk_ddp_comp_init(dev, node, &private->ddp_comp[comp_id], comp_id); if (ret) { of_node_put(node); goto err_node; -- 2.49.1

1 month, 3 weeks

1
0
0 0

[PATCH] fbcon: fix buffer overflow in fbcon_set_font

by Simon Richter

Commit 1a194e6c8e1ee745e914b0b7f50fa86c89ed13fe introduced overflow checking for the font allocation size calculation, but in doing so moved the addition of the size for font housekeeping data out of the kmalloc call. As a result, the calculated size now includes those extra bytes, which marks the same number of bytes beyond the allocation as valid font data. The crc32() call and the later memcmp() in fbcon_set_font() already perform an out-of-bounds read, the latter is flagged on ppc64el: memcmp: detected buffer overflow: 4112 byte read of buffer size 4096 when loading Lat15-Fixed16.psf.gz. Since the addition of the extra size should only go into the kmalloc() call, calculate this size in a separate variable. Signed-off-by: Simon Richter <Simon.Richter(a)hogyros.de> Fixes: 1a194e6c8e1e ("fbcon: fix integer overflow in fbcon_do_set_font") Cc: stable <stable(a)vger.kernel.org> #v5.9+ --- drivers/video/fbdev/core/fbcon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/video/fbdev/core/fbcon.c b/drivers/video/fbdev/core/fbcon.c index 5fade44931b8..a3fbf42c57d9 100644 --- a/drivers/video/fbdev/core/fbcon.c +++ b/drivers/video/fbdev/core/fbcon.c @@ -2518,7 +2518,7 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font, unsigned charcount = font->charcount; int w = font->width; int h = font->height; - int size; + int size, allocsize; int i, csum; u8 *new_data, *data = font->data; int pitch = PITCH(font->width); @@ -2551,10 +2551,10 @@ static int fbcon_set_font(struct vc_data *vc, const struct console_font *font, return -EINVAL; /* Check for overflow in allocation size calculation */ - if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &size)) + if (check_add_overflow(FONT_EXTRA_WORDS * sizeof(int), size, &allocsize)) return -EINVAL; - new_data = kmalloc(size, GFP_USER); + new_data = kmalloc(allocsize, GFP_USER); if (!new_data) return -ENOMEM; -- 2.47.3

1 month, 3 weeks

2
1
0 0

[PATCH v2] irqchip/sifive-plic: avoid interrupt ID 0 handling during suspend/resume

by Lucas Zampieri

According to the PLIC specification[1], global interrupt sources are assigned small unsigned integer identifiers beginning at the value 1. An interrupt ID of 0 is reserved to mean "no interrupt". The current plic_irq_resume() and plic_irq_suspend() functions incorrectly start the loop from index 0, which accesses the register space for the reserved interrupt ID 0. Change the loop to start from index 1, skipping the reserved interrupt ID 0 as per the PLIC specification. This prevents potential undefined behavior when accessing the reserved register space during suspend/resume cycles. Link: https://github.com/riscv/riscv-plic-spec/releases/tag/1.0.0 Fixes: e80f0b6a2cf3 ("irqchip/irq-sifive-plic: Add syscore callbacks for hibernation") Co-developed-by: Jia Wang <wangjia(a)ultrarisc.com> Signed-off-by: Jia Wang <wangjia(a)ultrarisc.com> Co-developed-by: Charles Mirabile <cmirabil(a)redhat.com> Signed-off-by: Charles Mirabile <cmirabil(a)redhat.com> Signed-off-by: Lucas Zampieri <lzampier(a)redhat.com> --- drivers/irqchip/irq-sifive-plic.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/irqchip/irq-sifive-plic.c b/drivers/irqchip/irq-sifive-plic.c index bf69a4802b71e..9c4af7d588463 100644 --- a/drivers/irqchip/irq-sifive-plic.c +++ b/drivers/irqchip/irq-sifive-plic.c @@ -252,7 +252,8 @@ static int plic_irq_suspend(void) priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv; - for (i = 0; i < priv->nr_irqs; i++) { + /* irq ID 0 is reserved */ + for (i = 1; i < priv->nr_irqs; i++) { __assign_bit(i, priv->prio_save, readl(priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID)); } @@ -283,7 +284,8 @@ static void plic_irq_resume(void) priv = per_cpu_ptr(&plic_handlers, smp_processor_id())->priv; - for (i = 0; i < priv->nr_irqs; i++) { + /* irq ID 0 is reserved */ + for (i = 1; i < priv->nr_irqs; i++) { index = BIT_WORD(i); writel((priv->prio_save[index] & BIT_MASK(i)) ? 1 : 0, priv->regs + PRIORITY_BASE + i * PRIORITY_PER_ID); -- 2.51.0

1 month, 3 weeks

2
1
0 0

[PATCH] tpm: Use -EPERM as fallback error code in tpm_ret_to_err

by Jarkko Sakkinen

From: Jarkko Sakkinen <jarkko.sakkinen(a)opinsys.com> Using -EFAULT here was not the best idea for tpm_ret_to_err as the fallback error code as it is no concise with trusted keys. Change the fallback as -EPERM, process TPM_RC_HASH also in tpm_ret_to_err, and by these changes make the helper applicable for trusted keys. Cc: stable(a)vger.kernel.org # v6.15+ Fixes: 539fbab37881 ("tpm: Mask TPM RC in tpm2_start_auth_session()") Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)opinsys.com> --- include/linux/tpm.h | 9 +++++--- security/keys/trusted-keys/trusted_tpm2.c | 26 ++++++----------------- 2 files changed, 13 insertions(+), 22 deletions(-) diff --git a/include/linux/tpm.h b/include/linux/tpm.h index dc0338a783f3..667d290789ca 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h @@ -449,13 +449,16 @@ static inline ssize_t tpm_ret_to_err(ssize_t ret) if (ret < 0) return ret; - switch (tpm2_rc_value(ret)) { - case TPM2_RC_SUCCESS: + if (!ret) return 0; + + switch (tpm2_rc_value(ret)) { case TPM2_RC_SESSION_MEMORY: return -ENOMEM; + case TPM2_RC_HASH: + return -EINVAL; default: - return -EFAULT; + return -EPERM; } } diff --git a/security/keys/trusted-keys/trusted_tpm2.c b/security/keys/trusted-keys/trusted_tpm2.c index 024be262702f..e165b117bbca 100644 --- a/security/keys/trusted-keys/trusted_tpm2.c +++ b/security/keys/trusted-keys/trusted_tpm2.c @@ -348,25 +348,19 @@ int tpm2_seal_trusted(struct tpm_chip *chip, } blob_len = tpm2_key_encode(payload, options, &buf.data[offset], blob_len); + if (blob_len < 0) + rc = blob_len; out: tpm_buf_destroy(&sized); tpm_buf_destroy(&buf); - if (rc > 0) { - if (tpm2_rc_value(rc) == TPM2_RC_HASH) - rc = -EINVAL; - else - rc = -EPERM; - } - if (blob_len < 0) - rc = blob_len; - else + if (!rc) payload->blob_len = blob_len; out_put: tpm_put_ops(chip); - return rc; + return tpm_ret_to_err(rc); } /** @@ -468,10 +462,7 @@ static int tpm2_load_cmd(struct tpm_chip *chip, kfree(blob); tpm_buf_destroy(&buf); - if (rc > 0) - rc = -EPERM; - - return rc; + return tpm_ret_to_err(rc); } /** @@ -534,8 +525,6 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, tpm_buf_fill_hmac_session(chip, &buf); rc = tpm_transmit_cmd(chip, &buf, 6, "unsealing"); rc = tpm_buf_check_hmac_response(chip, &buf, rc); - if (rc > 0) - rc = -EPERM; if (!rc) { data_len = be16_to_cpup( @@ -568,7 +557,7 @@ static int tpm2_unseal_cmd(struct tpm_chip *chip, out: tpm_buf_destroy(&buf); - return rc; + return tpm_ret_to_err(rc); } /** @@ -600,6 +589,5 @@ int tpm2_unseal_trusted(struct tpm_chip *chip, out: tpm_put_ops(chip); - - return rc; + return tpm_ret_to_err(rc); } -- 2.39.5

1 month, 3 weeks

2
2
0 0

[PATCH v3] powerpc/smp: Add check for kcalloc() failure in parse_thread_groups()

by Guangshuo Li

As kcalloc() may fail, check its return value to avoid a NULL pointer dereference when passing it to of_property_read_u32_array(). Fixes: 790a1662d3a26 ("powerpc/smp: Parse ibm,thread-groups with multiple properties") Cc: stable(a)vger.kernel.org Reviewed-by: Christophe Leroy <christophe.leroy(a)csgroup.eu> Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- changelog: v3: - Move Signed-off-by above the '---' separator. - No code changes. changelog: v2: - Return -ENOMEM directly on allocation failure. --- arch/powerpc/kernel/smp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c index 5ac7084eebc0..cfccb9389760 100644 --- a/arch/powerpc/kernel/smp.c +++ b/arch/powerpc/kernel/smp.c @@ -822,6 +822,8 @@ static int parse_thread_groups(struct device_node *dn, count = of_property_count_u32_elems(dn, "ibm,thread-groups"); thread_group_array = kcalloc(count, sizeof(u32), GFP_KERNEL); + if (!thread_group_array) + return -ENOMEM; ret = of_property_read_u32_array(dn, "ibm,thread-groups", thread_group_array, count); if (ret) -- 2.43.0

1 month, 3 weeks

1
0
0 0

[PATCH v3 0/2] dc395x: fix compiler warnings and improve formatting of the macros

by Xinhui Yang

This series of patches clears the compiler warnings for the dc395x driver. The first patch introduces a new macro that casts the value returned by a read operation to void, since some values returned by some specific read operations (which just simply clears the FIFO buffer or resets the interrupt status) can be ignored. Creating a new macro that casts the return value to void to fix the warning. During the fix, checkpatch.pl complained about missing whitespace between macro arguments and missing parentheses around complex expressions. To align with the changes in the first patch, the formatting of macros above and below the introduced macro are also fixed. Since in Patch v2 [1] Bart pointed out that such change can't be made to the stable tree, the patch is splitted to two parts. --- Changes since v2 [1]: - Split the patch into two parts, the first one fixes the warning, and the second one improves the formatting of the surrounding macros. - Make the description of the formatting changes more clear. Changes since v1 [2]: - Add Cc: tag to include this patch to the stable tree. - Add additional description about the formatting changes. [1]: https://lore.kernel.org/linux-scsi/20250922152609.827311-1-cyan@cyano.uk/ [2]: https://lore.kernel.org/linux-scsi/20250922143619.824129-1-cyan@cyano.uk/ --- Xinhui Yang (2): scsi: dc395x: correctly discard the return value in certain reads scsi: dc395x: improve code formatting for the macros drivers/scsi/dc395x.c | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) -- 2.51.0

1 month, 3 weeks

3
5
0 0

[PATCH v4] ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()

by Ma Ke

wcd934x_codec_parse_data() contains a device reference count leak in of_slim_get_device() where device_find_child() increases the reference count of the device but this reference is not properly decreased in the success path. Add put_device() in wcd934x_codec_parse_data() and add devm_add_action_or_reset() in the probe function, which ensures that the reference count of the device is correctly managed. Memory leak in regmap_init_slimbus() as the allocated regmap is not released when the device is removed. Using devm_regmap_init_slimbus() instead of regmap_init_slimbus() to ensure automatic regmap cleanup on device removal. Calling path: of_slim_get_device() -> of_find_slim_device() -> device_find_child(). As comment of device_find_child() says, 'NOTE: you will need to drop the reference with put_device() after use.'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v4: - removed the redundant NULL check as put_device() can handle the NULL dev; Changes in v3: - added a wrapper function due to the warning report from kernel test robot; Changes in v2: - modified the handling in the success path and fixed the memory leak for regmap as suggestions. --- sound/soc/codecs/wcd934x.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c index 1bb7e1dc7e6b..e92939068bf7 100644 --- a/sound/soc/codecs/wcd934x.c +++ b/sound/soc/codecs/wcd934x.c @@ -5831,6 +5831,13 @@ static const struct snd_soc_component_driver wcd934x_component_drv = { .endianness = 1, }; +static void wcd934x_put_device_action(void *data) +{ + struct device *dev = data; + + put_device(dev); +} + static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) { struct device *dev = &wcd->sdev->dev; @@ -5847,11 +5854,13 @@ static int wcd934x_codec_parse_data(struct wcd934x_codec *wcd) return dev_err_probe(dev, -EINVAL, "Unable to get SLIM Interface device\n"); slim_get_logical_addr(wcd->sidev); - wcd->if_regmap = regmap_init_slimbus(wcd->sidev, + wcd->if_regmap = devm_regmap_init_slimbus(wcd->sidev, &wcd934x_ifc_regmap_config); - if (IS_ERR(wcd->if_regmap)) + if (IS_ERR(wcd->if_regmap)) { + put_device(&wcd->sidev->dev); return dev_err_probe(dev, PTR_ERR(wcd->if_regmap), "Failed to allocate ifc register map\n"); + } of_property_read_u32(dev->parent->of_node, "qcom,dmic-sample-rate", &wcd->dmic_sample_rate); @@ -5893,6 +5902,10 @@ static int wcd934x_codec_probe(struct platform_device *pdev) if (ret) return ret; + ret = devm_add_action_or_reset(dev, wcd934x_put_device_action, &wcd->sidev->dev); + if (ret) + return ret; + /* set default rate 9P6MHz */ regmap_update_bits(wcd->regmap, WCD934X_CODEC_RPM_CLK_MCLK_CFG, WCD934X_CODEC_RPM_CLK_MCLK_CFG_MCLK_MASK, -- 2.17.1

1 month, 3 weeks

3
2
0 0

[PATCH 0/2] media: verisilicon: Fix Hantro G2 handling of invalid DPB index

by Nicolas Dufresne

First patch hardens the IRQ handler so the driver can resume after hitting bus errors (presumably AXI errors). This will reduce the risk of having to reboot the system in order to recover. The second patch actually fix the issue, ensuring the decoder won't be instructed to use address 0x0 as a reference anymore. The issues was discovered using GStreamer. A bug in the userspace lead to skippable (RASL) frames not being skipped if its past reference are missing. This will happen when seeking inside a video that makes use of this GOP configuration. The probably could also have been hit in lossy streaming use cases, such as WebRTC. The JCT-VC-HEVC_V1 ITU tests still results in 141/147 with two concurrent decoders. Signed-off-by: Nicolas Dufresne <nicolas.dufresne(a)collabora.com> --- Nicolas Dufresne (2): media: verisilicon: Fix CPU stalls on G2 bus error media: verisilicon: Protect G2 HEVC decoder against invalid DPB index drivers/media/platform/verisilicon/hantro_g2.c | 88 +++++++++++++++++----- .../platform/verisilicon/hantro_g2_hevc_dec.c | 17 ++++- .../media/platform/verisilicon/hantro_g2_regs.h | 13 ++++ .../media/platform/verisilicon/hantro_g2_vp9_dec.c | 2 - drivers/media/platform/verisilicon/hantro_hw.h | 1 + drivers/media/platform/verisilicon/imx8m_vpu_hw.c | 2 + 6 files changed, 98 insertions(+), 25 deletions(-) --- base-commit: 40b7a19f321e65789612ebaca966472055dab48c change-id: 20250919-imx8mq-hantro-g2-hang-cb04dcd07a84 Best regards, -- Nicolas Dufresne <nicolas.dufresne(a)collabora.com>

1 month, 3 weeks

2
4
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror