[thirdparty/kernel/stable-queue.git] / releases / 4.19.31 / media-uvcvideo-avoid-null-pointer-dereference-at-the-end-of-streaming.patch

From 9dd0627d8d62a7ddb001a75f63942d92b5336561 Mon Sep 17 00:00:00 2001
From: Sakari Ailus <sakari.ailus@linux.intel.com>
Date: Wed, 30 Jan 2019 05:09:41 -0500
Subject: media: uvcvideo: Avoid NULL pointer dereference at the end of streaming

From: Sakari Ailus <sakari.ailus@linux.intel.com>

commit 9dd0627d8d62a7ddb001a75f63942d92b5336561 upstream.

The UVC video driver converts the timestamp from hardware specific unit
to one known by the kernel at the time when the buffer is dequeued. This
is fine in general, but the streamoff operation consists of the
following steps (among other things):

1. uvc_video_clock_cleanup --- the hardware clock sample array is
   released and the pointer to the array is set to NULL,

2. buffers in active state are returned to the user and

3. buf_finish callback is called on buffers that are prepared.
   buf_finish includes calling uvc_video_clock_update that accesses the
   hardware clock sample array.

The above is serialised by a queue specific mutex. Address the problem
by skipping the clock conversion if the hardware clock sample array is
already released.

Fixes: 9c0863b1cc48 ("[media] vb2: call buf_finish from __queue_cancel")

Reported-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
Tested-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/uvc/uvc_video.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -676,6 +676,14 @@ void uvc_video_clock_update(struct uvc_s
 	if (!uvc_hw_timestamps_param)
 		return;
 
+	/*
+	 * We will get called from __vb2_queue_cancel() if there are buffers
+	 * done but not dequeued by the user, but the sample array has already
+	 * been released at that time. Just bail out in that case.
+	 */
+	if (!clock->samples)
+		return;
+
 	spin_lock_irqsave(&clock->lock, flags);
 
 	if (clock->count < clock->size)
Commit	Line	Data
7ffa1129 GKH	1	From 9dd0627d8d62a7ddb001a75f63942d92b5336561 Mon Sep 17 00:00:00 2001
	2	From: Sakari Ailus <sakari.ailus@linux.intel.com>
	3	Date: Wed, 30 Jan 2019 05:09:41 -0500
	4	Subject: media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
	5
	6	From: Sakari Ailus <sakari.ailus@linux.intel.com>
	7
	8	commit 9dd0627d8d62a7ddb001a75f63942d92b5336561 upstream.
	9
	10	The UVC video driver converts the timestamp from hardware specific unit
	11	to one known by the kernel at the time when the buffer is dequeued. This
	12	is fine in general, but the streamoff operation consists of the
	13	following steps (among other things):
	14
	15	1. uvc_video_clock_cleanup --- the hardware clock sample array is
	16	released and the pointer to the array is set to NULL,
	17
	18	2. buffers in active state are returned to the user and
	19
	20	3. buf_finish callback is called on buffers that are prepared.
	21	buf_finish includes calling uvc_video_clock_update that accesses the
	22	hardware clock sample array.
	23
	24	The above is serialised by a queue specific mutex. Address the problem
	25	by skipping the clock conversion if the hardware clock sample array is
	26	already released.
	27
	28	Fixes: 9c0863b1cc48 ("[media] vb2: call buf_finish from __queue_cancel")
	29
	30	Reported-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
	31	Tested-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
	32	Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
	33	Cc: stable@vger.kernel.org
	34	Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
	35	Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
	36	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	37
	38	---
	39	drivers/media/usb/uvc/uvc_video.c \| 8 ++++++++
	40	1 file changed, 8 insertions(+)
	41
	42	--- a/drivers/media/usb/uvc/uvc_video.c
	43	+++ b/drivers/media/usb/uvc/uvc_video.c
	44	@@ -676,6 +676,14 @@ void uvc_video_clock_update(struct uvc_s
	45	if (!uvc_hw_timestamps_param)
	46	return;
	47
	48	+ /*
	49	+ * We will get called from __vb2_queue_cancel() if there are buffers
	50	+ * done but not dequeued by the user, but the sample array has already
	51	+ * been released at that time. Just bail out in that case.
	52	+ */
	53	+ if (!clock->samples)
	54	+ return;
	55	+
	56	spin_lock_irqsave(&clock->lock, flags);
	57
	58	if (clock->count < clock->size)