diff --git a/drivers/gpu/arm/bv_r32p1/mmu/mali_kbase_mmu.c b/drivers/gpu/arm/bv_r32p1/mmu/mali_kbase_mmu.c index 68eda00b16a6..edb3d94478b3 100644 --- a/drivers/gpu/arm/bv_r32p1/mmu/mali_kbase_mmu.c +++ b/drivers/gpu/arm/bv_r32p1/mmu/mali_kbase_mmu.c @@ -1922,7 +1922,15 @@ int kbase_mmu_insert_pages_no_flush(struct kbase_device *kbdev, if (count > remain) count = remain; - if (!vindex && is_huge_head(*phys)) + /* There are 3 conditions to satisfy in order to create a level 2 ATE: + * + * - The GPU VA is aligned to 2 MB. + * - The physical address is tagged as the head of a 2 MB region, + * which guarantees a contiguous physical address range. + * - There are actually 2 MB of virtual and physical pages to map, + * i.e. 512 entries for the MMU page table. + */ + if (!vindex && is_huge_head(*phys) && (count == KBASE_MMU_PAGE_ENTRIES)) cur_level = MIDGARD_MMU_LEVEL(2); else cur_level = MIDGARD_MMU_BOTTOMLEVEL; diff --git a/drivers/gpu/arm/bv_r38p1/mali_kbase_mem.c b/drivers/gpu/arm/bv_r38p1/mali_kbase_mem.c index 2ed908ed0c56..98f3c222abda 100644 --- a/drivers/gpu/arm/bv_r38p1/mali_kbase_mem.c +++ b/drivers/gpu/arm/bv_r38p1/mali_kbase_mem.c @@ -1859,16 +1859,21 @@ int kbase_gpu_munmap(struct kbase_context *kctx, struct kbase_va_region *reg) * separately. */ for (i = 0; i < alloc->imported.alias.nents; i++) { - if (alloc->imported.alias.aliased[i].alloc) { - int err_loop = kbase_mmu_teardown_pages( - kctx->kbdev, &kctx->mmu, - reg->start_pfn + (i * alloc->imported.alias.stride), - alloc->pages + (i * alloc->imported.alias.stride), - alloc->imported.alias.aliased[i].length, - kctx->as_nr); - if (WARN_ON_ONCE(err_loop)) - err = err_loop; - } + struct tagged_addr *phys_alloc = NULL; + int err_loop; + + if (alloc->imported.alias.aliased[i].alloc != NULL) + phys_alloc = alloc->imported.alias.aliased[i].alloc->pages + + alloc->imported.alias.aliased[i].offset; + + err_loop = kbase_mmu_teardown_pages( + kctx->kbdev, &kctx->mmu, + reg->start_pfn + (i * alloc->imported.alias.stride), + phys_alloc, alloc->imported.alias.aliased[i].length, + kctx->as_nr); + + if (WARN_ON_ONCE(err_loop)) + err = err_loop; } } break; diff --git a/drivers/gpu/arm/bv_r38p1/mmu/mali_kbase_mmu.c b/drivers/gpu/arm/bv_r38p1/mmu/mali_kbase_mmu.c index f82f77de2c4c..2ce7c38395c1 100644 --- a/drivers/gpu/arm/bv_r38p1/mmu/mali_kbase_mmu.c +++ b/drivers/gpu/arm/bv_r38p1/mmu/mali_kbase_mmu.c @@ -1932,7 +1932,15 @@ int kbase_mmu_insert_pages_no_flush(struct kbase_device *kbdev, struct kbase_mmu if (count > remain) count = remain; - if (!vindex && is_huge_head(*phys)) + /* There are 3 conditions to satisfy in order to create a level 2 ATE: + * + * - The GPU VA is aligned to 2 MB. + * - The physical address is tagged as the head of a 2 MB region, + * which guarantees a contiguous physical address range. + * - There are actually 2 MB of virtual and physical pages to map, + * i.e. 512 entries for the MMU page table. + */ + if (!vindex && is_huge_head(*phys) && (count == KBASE_MMU_PAGE_ENTRIES)) cur_level = MIDGARD_MMU_LEVEL(2); else cur_level = MIDGARD_MMU_BOTTOMLEVEL; @@ -2663,7 +2671,7 @@ static void mmu_teardown_level(struct kbase_device *kbdev, pgd_page = kmap_atomic(pfn_to_page(PFN_DOWN(pgd))); /* kmap_atomic should NEVER fail. */ - if (WARN_ON(pgd_page == NULL)) + if (WARN_ON_ONCE(pgd_page == NULL)) return; if (level != MIDGARD_MMU_BOTTOMLEVEL) { diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c index 54abb99db2d4..911dec557bf2 100644 --- a/drivers/hid/hid-input.c +++ b/drivers/hid/hid-input.c @@ -176,6 +176,9 @@ static int hidinput_setkeycode(struct input_dev *dev, usage->code : KEY_RESERVED; usage->code = ke->keycode; + if (usage->code > KEY_MAX || *old_keycode > KEY_MAX) + return -EINVAL; + clear_bit(*old_keycode, dev->keybit); set_bit(usage->code, dev->keybit); dbg_hid("Assigned keycode %d to HID usage code %x\n", diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index a60fdbde4624..5726b88b75b2 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -395,7 +395,7 @@ static int uvc_parse_format(struct uvc_device *dev, unsigned int width_multiplier = 1; unsigned int interval; unsigned int i, n; - __u8 ftype; + u8 ftype = UVC_VS_UNDEFINED; format->type = buffer[2]; format->index = buffer[3]; @@ -532,7 +532,7 @@ static int uvc_parse_format(struct uvc_device *dev, * based formats have frame descriptors. */ while (buflen > 2 && buffer[1] == USB_DT_CS_INTERFACE && - buffer[2] == ftype) { + buffer[2] == ftype && buffer[2] != UVC_VS_UNDEFINED) { frame = &format->frame[format->nframes]; if (ftype != UVC_VS_FRAME_FRAME_BASED) n = buflen > 25 ? buffer[25] : 0; diff --git a/sound/usb/clock.c b/sound/usb/clock.c index 70e74895b113..a7a0d6250dc1 100644 --- a/sound/usb/clock.c +++ b/sound/usb/clock.c @@ -220,6 +220,13 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip, return -EINVAL; } + if ((size_t)&selector->baCSourceID[ret - 1] >= + (size_t)(chip->ctrl_intf->extra + chip->ctrl_intf->extralen)) { + usb_audio_err(chip, + "%s(): error. out of boundary, ret %d\n", + __func__, ret); + return -EINVAL; + } cur = ret; ret = __uac_clock_find_source(chip, selector->baCSourceID[ret - 1], visited, validate); @@ -233,6 +240,13 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip, if (i == cur) continue; + if ((size_t)&selector->baCSourceID[i - 1] >= + (size_t)(chip->ctrl_intf->extra + chip->ctrl_intf->extralen)) { + usb_audio_err(chip, + "%s(): error. out of boundary, i %d\n", + __func__, i); + break; + } ret = __uac_clock_find_source(chip, selector->baCSourceID[i - 1], visited, true); if (ret < 0)