From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 16 Nov 2021 14:12:03 +0000 (+0100)
Subject: 5.14-stable patches
X-Git-Tag: v5.4.160~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2feac8eda492514e402f9dfc5e94e1cbf6199065;p=thirdparty%2Fkernel%2Fstable-queue.git

5.14-stable patches

added patches:
	media-videobuf2-always-set-buffer-vb2-pointer.patch
	media-videobuf2-dma-sg-fix-buf-vb-null-pointer-dereference.patch
---

diff --git a/queue-5.14/media-videobuf2-always-set-buffer-vb2-pointer.patch b/queue-5.14/media-videobuf2-always-set-buffer-vb2-pointer.patch
new file mode 100644
index 00000000000..4cb1b7839b7
--- /dev/null
+++ b/queue-5.14/media-videobuf2-always-set-buffer-vb2-pointer.patch
@@ -0,0 +1,41 @@
+From 67f85135c57c8ea20b5417b28ae65e53dc2ec2c3 Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+Date: Tue, 28 Sep 2021 04:46:34 +0100
+Subject: media: videobuf2: always set buffer vb2 pointer
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+commit 67f85135c57c8ea20b5417b28ae65e53dc2ec2c3 upstream.
+
+We need to always link allocated vb2_dc_buf back to vb2_buffer because
+we dereference vb2 in prepare() and finish() callbacks.
+
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Tested-by: Chen-Yu Tsai <wenst@chromium.org>
+Acked-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/videobuf2/videobuf2-dma-contig.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c
++++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c
+@@ -497,6 +497,7 @@ static void *vb2_dc_get_userptr(struct v
+ 
+ 	buf->dev = dev;
+ 	buf->dma_dir = vb->vb2_queue->dma_dir;
++	buf->vb = vb;
+ 
+ 	offset = lower_32_bits(offset_in_page(vaddr));
+ 	vec = vb2_create_framevec(vaddr, size);
+@@ -683,6 +684,8 @@ static void *vb2_dc_attach_dmabuf(struct
+ 		return ERR_PTR(-ENOMEM);
+ 
+ 	buf->dev = dev;
++	buf->vb = vb;
++
+ 	/* create attachment for the dmabuf with the user device */
+ 	dba = dma_buf_attach(dbuf, buf->dev);
+ 	if (IS_ERR(dba)) {
diff --git a/queue-5.14/media-videobuf2-dma-sg-fix-buf-vb-null-pointer-dereference.patch b/queue-5.14/media-videobuf2-dma-sg-fix-buf-vb-null-pointer-dereference.patch
new file mode 100644
index 00000000000..2dedb7dcefe
--- /dev/null
+++ b/queue-5.14/media-videobuf2-dma-sg-fix-buf-vb-null-pointer-dereference.patch
@@ -0,0 +1,50 @@
+From d55c3ee6b4c7b76326eb257403762f8bd7cc48c2 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 1 Nov 2021 14:53:55 +0000
+Subject: media: videobuf2-dma-sg: Fix buf->vb NULL pointer dereference
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit d55c3ee6b4c7b76326eb257403762f8bd7cc48c2 upstream.
+
+Commit a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
+added a new vb member to struct vb2_dma_sg_buf, but it only added
+code setting this to the vb2_dma_sg_alloc() function and not to the
+vb2_dma_sg_get_userptr() and vb2_dma_sg_attach_dmabuf() which also
+create vb2_dma_sg_buf objects.
+
+This is causing a crash due to a NULL pointer deref when using
+libcamera on devices with an Intel IPU3 (qcam app).
+
+Fix these crashes by assigning buf->vb in the other 2 functions too,
+note libcamera tests the vb2_dma_sg_get_userptr() path, the change
+to the vb2_dma_sg_attach_dmabuf() path is untested.
+
+Fixes: a4b83deb3e76 ("media: videobuf2: rework vb2_mem_ops API")
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/videobuf2/videobuf2-dma-sg.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
++++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
+@@ -235,6 +235,7 @@ static void *vb2_dma_sg_get_userptr(stru
+ 	buf->offset = vaddr & ~PAGE_MASK;
+ 	buf->size = size;
+ 	buf->dma_sgt = &buf->sg_table;
++	buf->vb = vb;
+ 	vec = vb2_create_framevec(vaddr, size);
+ 	if (IS_ERR(vec))
+ 		goto userptr_fail_pfnvec;
+@@ -636,6 +637,7 @@ static void *vb2_dma_sg_attach_dmabuf(st
+ 	buf->dma_dir = vb->vb2_queue->dma_dir;
+ 	buf->size = size;
+ 	buf->db_attach = dba;
++	buf->vb = vb;
+ 
+ 	return buf;
+ }
diff --git a/queue-5.14/series b/queue-5.14/series
index 0a286f66079..3d2ddde5eaf 100644
--- a/queue-5.14/series
+++ b/queue-5.14/series
@@ -854,3 +854,5 @@ ima-reject-unknown-hash-algorithms-in-ima_get_hash_algo.patch
 arch-cc-introduce-a-function-to-check-for-confidential-computing-features.patch
 x86-sev-add-an-x86-version-of-cc_platform_has.patch
 x86-sev-make-the-vc-exception-stacks-part-of-the-default-stacks-storage.patch
+media-videobuf2-always-set-buffer-vb2-pointer.patch
+media-videobuf2-dma-sg-fix-buf-vb-null-pointer-dereference.patch