From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 2 Oct 2022 15:08:49 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v5.19.13~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5dd19adba566a054498fa781f9ce0524d63f72a6;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	media-dvb_vb2-fix-possible-out-of-bound-access.patch
	media-rkvdec-disable-h.264-error-detection.patch
	media-v4l2-compat-ioctl32.c-zero-buffer-passed-to-v4l2_compat_get_array_args.patch
---

diff --git a/queue-5.15/media-dvb_vb2-fix-possible-out-of-bound-access.patch b/queue-5.15/media-dvb_vb2-fix-possible-out-of-bound-access.patch
new file mode 100644
index 00000000000..da3da5b905b
--- /dev/null
+++ b/queue-5.15/media-dvb_vb2-fix-possible-out-of-bound-access.patch
@@ -0,0 +1,53 @@
+From 37238699073e7e93f05517e529661151173cd458 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua <hbh25y@gmail.com>
+Date: Thu, 19 May 2022 03:17:43 +0100
+Subject: media: dvb_vb2: fix possible out of bound access
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+commit 37238699073e7e93f05517e529661151173cd458 upstream.
+
+vb2_core_qbuf and vb2_core_querybuf don't check the range of b->index
+controlled by the user.
+
+Fix this by adding range checking code before using them.
+
+Fixes: 57868acc369a ("media: videobuf2: Add new uAPI for DVB streaming I/O")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-core/dvb_vb2.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/media/dvb-core/dvb_vb2.c
++++ b/drivers/media/dvb-core/dvb_vb2.c
+@@ -358,6 +358,12 @@ int dvb_vb2_reqbufs(struct dvb_vb2_ctx *
+ 
+ int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
+ {
++	struct vb2_queue *q = &ctx->vb_q;
++
++	if (b->index >= q->num_buffers) {
++		dprintk(1, "[%s] buffer index out of range\n", ctx->name);
++		return -EINVAL;
++	}
+ 	vb2_core_querybuf(&ctx->vb_q, b->index, b);
+ 	dprintk(3, "[%s] index=%d\n", ctx->name, b->index);
+ 	return 0;
+@@ -382,8 +388,13 @@ int dvb_vb2_expbuf(struct dvb_vb2_ctx *c
+ 
+ int dvb_vb2_qbuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
+ {
++	struct vb2_queue *q = &ctx->vb_q;
+ 	int ret;
+ 
++	if (b->index >= q->num_buffers) {
++		dprintk(1, "[%s] buffer index out of range\n", ctx->name);
++		return -EINVAL;
++	}
+ 	ret = vb2_core_qbuf(&ctx->vb_q, b->index, b, NULL);
+ 	if (ret) {
+ 		dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,
diff --git a/queue-5.15/media-rkvdec-disable-h.264-error-detection.patch b/queue-5.15/media-rkvdec-disable-h.264-error-detection.patch
new file mode 100644
index 00000000000..1f8da3e4c45
--- /dev/null
+++ b/queue-5.15/media-rkvdec-disable-h.264-error-detection.patch
@@ -0,0 +1,43 @@
+From 3a99c4474112f49a5459933d8758614002ca0ddc Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Date: Fri, 10 Jun 2022 13:52:11 +0100
+Subject: media: rkvdec: Disable H.264 error detection
+
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+
+commit 3a99c4474112f49a5459933d8758614002ca0ddc upstream.
+
+Quite often, the HW get stuck in error condition if a stream error
+was detected. As documented, the HW should stop immediately and self
+reset. There is likely a problem or a miss-understanding of the self
+reset mechanism, as unless we make a long pause, the next command
+will then report an error even if there is no error in it.
+
+Disabling error detection fixes the issue, and let the decoder continue
+after an error. This patch is safe for backport into older kernels.
+
+Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Reviewed-by: Brian Norris <briannorris@chromium.org>
+Tested-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/rkvdec/rkvdec-h264.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/media/rkvdec/rkvdec-h264.c
++++ b/drivers/staging/media/rkvdec/rkvdec-h264.c
+@@ -1124,8 +1124,8 @@ static int rkvdec_h264_run(struct rkvdec
+ 
+ 	schedule_delayed_work(&rkvdec->watchdog_work, msecs_to_jiffies(2000));
+ 
+-	writel(0xffffffff, rkvdec->regs + RKVDEC_REG_STRMD_ERR_EN);
+-	writel(0xffffffff, rkvdec->regs + RKVDEC_REG_H264_ERR_E);
++	writel(0, rkvdec->regs + RKVDEC_REG_STRMD_ERR_EN);
++	writel(0, rkvdec->regs + RKVDEC_REG_H264_ERR_E);
+ 	writel(1, rkvdec->regs + RKVDEC_REG_PREF_LUMA_CACHE_COMMAND);
+ 	writel(1, rkvdec->regs + RKVDEC_REG_PREF_CHR_CACHE_COMMAND);
+ 
diff --git a/queue-5.15/media-v4l2-compat-ioctl32.c-zero-buffer-passed-to-v4l2_compat_get_array_args.patch b/queue-5.15/media-v4l2-compat-ioctl32.c-zero-buffer-passed-to-v4l2_compat_get_array_args.patch
new file mode 100644
index 00000000000..9718d2b2494
--- /dev/null
+++ b/queue-5.15/media-v4l2-compat-ioctl32.c-zero-buffer-passed-to-v4l2_compat_get_array_args.patch
@@ -0,0 +1,33 @@
+From 4e768c8e34e639cff66a0f175bc4aebf472e4305 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Date: Mon, 21 Mar 2022 08:33:56 +0000
+Subject: media: v4l2-compat-ioctl32.c: zero buffer passed to v4l2_compat_get_array_args()
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+commit 4e768c8e34e639cff66a0f175bc4aebf472e4305 upstream.
+
+The v4l2_compat_get_array_args() function can leave uninitialized memory in the
+buffer it is passed. So zero it before copying array elements from userspace
+into the buffer.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: syzbot+ff18193ff05f3f87f226@syzkaller.appspotmail.com
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -1033,6 +1033,8 @@ int v4l2_compat_get_array_args(struct fi
+ {
+ 	int err = 0;
+ 
++	memset(mbuf, 0, array_size);
++
+ 	switch (cmd) {
+ 	case VIDIOC_G_FMT32:
+ 	case VIDIOC_S_FMT32:
diff --git a/queue-5.15/series b/queue-5.15/series
index a1a6b068255..76b2c6df9cc 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -32,3 +32,6 @@ mm-fix-dereferencing-possible-err_ptr.patch
 mm-migrate_device.c-flush-tlb-while-holding-ptl.patch
 mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
 mm-hwpoison-check-mm-when-killing-accessing-process.patch
+media-dvb_vb2-fix-possible-out-of-bound-access.patch
+media-rkvdec-disable-h.264-error-detection.patch
+media-v4l2-compat-ioctl32.c-zero-buffer-passed-to-v4l2_compat_get_array_args.patch