5.15-stable patches

added patches:
	media-cx24116-prevent-overflows-on-snr-calculus.patch
	media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch
	media-s5p-jpeg-prevent-buffer-overflows.patch
	media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch
	media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch

diff --git a/queue-5.15/media-cx24116-prevent-overflows-on-snr-calculus.patch b/queue-5.15/media-cx24116-prevent-overflows-on-snr-calculus.patch
new file mode 100644 (file)
index 0000000..92da5b9
--- /dev/null
+++ b/queue-5.15/media-cx24116-prevent-overflows-on-snr-calculus.patch
@@ -0,0 +1,46 @@
+From 576a307a7650bd544fbb24df801b9b7863b85e2f Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 12:14:11 +0200
+Subject: media: cx24116: prevent overflows on SNR calculus
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 576a307a7650bd544fbb24df801b9b7863b85e2f upstream.
+
+as reported by Coverity, if reading SNR registers fail, a negative
+number will be returned, causing an underflow when reading SNR
+registers.
+
+Prevent that.
+
+Fixes: 8953db793d5b ("V4L/DVB (9178): cx24116: Add module parameter to return SNR as ESNO.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-frontends/cx24116.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/cx24116.c
++++ b/drivers/media/dvb-frontends/cx24116.c
+@@ -741,6 +741,7 @@ static int cx24116_read_snr_pct(struct d
+ {
+       struct cx24116_state *state = fe->demodulator_priv;
+       u8 snr_reading;
++      int ret;
+       static const u32 snr_tab[] = { /* 10 x Table (rounded up) */
+               0x00000, 0x0199A, 0x03333, 0x04ccD, 0x06667,
+               0x08000, 0x0999A, 0x0b333, 0x0cccD, 0x0e667,
+@@ -749,7 +750,11 @@ static int cx24116_read_snr_pct(struct d
+ 
+       dprintk("%s()\n", __func__);
+ 
+-      snr_reading = cx24116_readreg(state, CX24116_REG_QUALITY0);
++      ret = cx24116_readreg(state, CX24116_REG_QUALITY0);
++      if (ret  < 0)
++              return ret;
++
++      snr_reading = ret;
+ 
+       if (snr_reading >= 0xa0 /* 100% */)
+               *snr = 0xffff;

diff --git a/queue-5.15/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch b/queue-5.15/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch
new file mode 100644 (file)
index 0000000..1250989
--- /dev/null
+++ b/queue-5.15/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch
@@ -0,0 +1,57 @@
+From ba9cf6b430433e57bfc8072364e944b7c0eca2a4 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Wed, 16 Oct 2024 11:24:15 +0200
+Subject: media: pulse8-cec: fix data timestamp at pulse8_setup()
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit ba9cf6b430433e57bfc8072364e944b7c0eca2a4 upstream.
+
+As pointed by Coverity, there is a hidden overflow condition there.
+As date is signed and u8 is unsigned, doing:
+
+       date = (data[0] << 24)
+
+With a value bigger than 07f will make all upper bits of date
+0xffffffff. This can be demonstrated with this small code:
+
+<code>
+typedef int64_t time64_t;
+typedef uint8_t u8;
+
+int main(void)
+{
+       u8 data[] = { 0xde ,0xad , 0xbe, 0xef };
+       time64_t date;
+
+       date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
+       printf("Invalid data = 0x%08lx\n", date);
+
+       date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
+       printf("Expected data = 0x%08lx\n", date);
+
+       return 0;
+}
+</code>
+
+Fix it by converting the upper bit calculation to unsigned.
+
+Fixes: cea28e7a55e7 ("media: pulse8-cec: reorganize function order")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/cec/usb/pulse8/pulse8-cec.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/cec/usb/pulse8/pulse8-cec.c
++++ b/drivers/media/cec/usb/pulse8/pulse8-cec.c
+@@ -685,7 +685,7 @@ static int pulse8_setup(struct pulse8 *p
+       err = pulse8_send_and_wait(pulse8, cmd, 1, cmd[0], 4);
+       if (err)
+               return err;
+-      date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
++      date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
+       dev_info(pulse8->dev, "Firmware build date %ptT\n", &date);
+ 
+       dev_dbg(pulse8->dev, "Persistent config:\n");

diff --git a/queue-5.15/media-s5p-jpeg-prevent-buffer-overflows.patch b/queue-5.15/media-s5p-jpeg-prevent-buffer-overflows.patch
new file mode 100644 (file)
index 0000000..d1614b1
--- /dev/null
+++ b/queue-5.15/media-s5p-jpeg-prevent-buffer-overflows.patch
@@ -0,0 +1,87 @@
+From 14a22762c3daeac59a5a534e124acbb4d7a79b3a Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 11:10:31 +0200
+Subject: media: s5p-jpeg: prevent buffer overflows
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream.
+
+The current logic allows word to be less than 2. If this happens,
+there will be buffer overflows, as reported by smatch. Add extra
+checks to prevent it.
+
+While here, remove an unused word = 0 assignment.
+
+Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/s5p-jpeg/jpeg-core.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
+@@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_
+               (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
+       jpeg_buffer.curr = 0;
+ 
+-      word = 0;
+-
+       if (get_word_be(&jpeg_buffer, &word))
+               return;
+-      jpeg_buffer.size = (long)word - 2;
++
++      if (word < 2)
++              jpeg_buffer.size = 0;
++      else
++              jpeg_buffer.size = (long)word - 2;
++
+       jpeg_buffer.data += 2;
+       jpeg_buffer.curr = 0;
+ 
+@@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_b
+       if (byte == -1)
+               return -1;
+       *word = (unsigned int)byte | temp;
++
+       return 0;
+ }
+ 
+@@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+                       if (get_word_be(&jpeg_buffer, &word))
+                               break;
+                       length = (long)word - 2;
+-                      if (!length)
++                      if (length <= 0)
+                               return false;
+                       sof = jpeg_buffer.curr; /* after 0xffc0 */
+                       sof_len = length;
+@@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+                       if (get_word_be(&jpeg_buffer, &word))
+                               break;
+                       length = (long)word - 2;
+-                      if (!length)
++                      if (length <= 0)
+                               return false;
+                       if (n_dqt >= S5P_JPEG_MAX_MARKER)
+                               return false;
+@@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+                       if (get_word_be(&jpeg_buffer, &word))
+                               break;
+                       length = (long)word - 2;
+-                      if (!length)
++                      if (length <= 0)
+                               return false;
+                       if (n_dht >= S5P_JPEG_MAX_MARKER)
+                               return false;
+@@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+                       if (get_word_be(&jpeg_buffer, &word))
+                               break;
+                       length = (long)word - 2;
++                      /* No need to check underflows as skip() does it  */
+                       skip(&jpeg_buffer, length);
+                       break;
+               }

diff --git a/queue-5.15/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch b/queue-5.15/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch
new file mode 100644 (file)
index 0000000..f8a7ad3
--- /dev/null
+++ b/queue-5.15/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch
@@ -0,0 +1,68 @@
+From 4c76f331a9a173ac8fe1297a9231c2a38f88e368 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Tue, 15 Oct 2024 14:23:38 +0200
+Subject: media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit 4c76f331a9a173ac8fe1297a9231c2a38f88e368 upstream.
+
+As detected by Coverity, the error check logic at get_ctrl() is
+broken: if ptr_to_user() fails to fill a control due to an error,
+no errors are returned and v4l2_g_ctrl() returns success on a
+failed operation, which may cause applications to fail.
+
+Add an error check at get_ctrl() and ensure that it will
+be returned to userspace without filling the control value if
+get_ctrl() fails.
+
+Fixes: 71c689dc2e73 ("media: v4l2-ctrls: split up into four source files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-ctrls-api.c |   17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-ctrls-api.c
++++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c
+@@ -712,9 +712,10 @@ static int get_ctrl(struct v4l2_ctrl *ct
+               for (i = 0; i < master->ncontrols; i++)
+                       cur_to_new(master->cluster[i]);
+               ret = call_op(master, g_volatile_ctrl);
+-              new_to_user(c, ctrl);
++              if (!ret)
++                      ret = new_to_user(c, ctrl);
+       } else {
+-              cur_to_user(c, ctrl);
++              ret = cur_to_user(c, ctrl);
+       }
+       v4l2_ctrl_unlock(master);
+       return ret;
+@@ -729,7 +730,10 @@ int v4l2_g_ctrl(struct v4l2_ctrl_handler
+       if (!ctrl || !ctrl->is_int)
+               return -EINVAL;
+       ret = get_ctrl(ctrl, &c);
+-      control->value = c.value;
++
++      if (!ret)
++              control->value = c.value;
++
+       return ret;
+ }
+ EXPORT_SYMBOL(v4l2_g_ctrl);
+@@ -770,10 +774,11 @@ static int set_ctrl_lock(struct v4l2_fh
+       int ret;
+ 
+       v4l2_ctrl_lock(ctrl);
+-      user_to_new(c, ctrl);
+-      ret = set_ctrl(fh, ctrl, 0);
++      ret = user_to_new(c, ctrl);
++      if (!ret)
++              ret = set_ctrl(fh, ctrl, 0);
+       if (!ret)
+-              cur_to_user(c, ctrl);
++              ret = cur_to_user(c, ctrl);
+       v4l2_ctrl_unlock(ctrl);
+       return ret;
+ }

diff --git a/queue-5.15/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch b/queue-5.15/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
new file mode 100644 (file)
index 0000000..84c844c
--- /dev/null
+++ b/queue-5.15/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
@@ -0,0 +1,36 @@
+From e6a3ea83fbe15d4818d01804e904cbb0e64e543b Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Wed, 16 Oct 2024 11:53:15 +0200
+Subject: media: v4l2-tpg: prevent the risk of a division by zero
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit e6a3ea83fbe15d4818d01804e904cbb0e64e543b upstream.
+
+As reported by Coverity, the logic at tpg_precalculate_line()
+blindly rescales the buffer even when scaled_witdh is equal to
+zero. If this ever happens, this will cause a division by zero.
+
+Instead, add a WARN_ON_ONCE() to trigger such cases and return
+without doing any precalculation.
+
+Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/v4l2-tpg/v4l2-tpg-core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+@@ -1789,6 +1789,9 @@ static void tpg_precalculate_line(struct
+       unsigned p;
+       unsigned x;
+ 
++      if (WARN_ON_ONCE(!tpg->src_width || !tpg->scaled_width))
++              return;
++
+       switch (tpg->pattern) {
+       case TPG_PAT_GREEN:
+               contrast = TPG_COLOR_100_RED;

diff --git a/queue-5.15/series b/queue-5.15/series
index 9fbf58b923c963d287132f74d4ef8dfe67a96196..76cf2207461594c83ed0e172c4bbbf625d4c9908 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -30,3 +30,8 @@ media-adv7604-prevent-underflow-condition-when-repor.patch
 scsi-sd_zbc-use-kvzalloc-to-allocate-report-zones-bu.patch
 alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch
 asoc-stm32-spdifrx-fix-dma-channel-release-in-stm32_.patch
+media-s5p-jpeg-prevent-buffer-overflows.patch
+media-cx24116-prevent-overflows-on-snr-calculus.patch
+media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch
+media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
+media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch