From: Greg Kroah-Hartman Date: Sat, 9 Nov 2024 12:02:24 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.15.172~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=63f01217a860cc6c82e906c1c94da091acd6c63b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: media-cx24116-prevent-overflows-on-snr-calculus.patch media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch media-s5p-jpeg-prevent-buffer-overflows.patch media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch --- diff --git a/queue-5.15/media-cx24116-prevent-overflows-on-snr-calculus.patch b/queue-5.15/media-cx24116-prevent-overflows-on-snr-calculus.patch new file mode 100644 index 00000000000..92da5b91ff7 --- /dev/null +++ b/queue-5.15/media-cx24116-prevent-overflows-on-snr-calculus.patch @@ -0,0 +1,46 @@ +From 576a307a7650bd544fbb24df801b9b7863b85e2f Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 12:14:11 +0200 +Subject: media: cx24116: prevent overflows on SNR calculus + +From: Mauro Carvalho Chehab + +commit 576a307a7650bd544fbb24df801b9b7863b85e2f upstream. + +as reported by Coverity, if reading SNR registers fail, a negative +number will be returned, causing an underflow when reading SNR +registers. + +Prevent that. + +Fixes: 8953db793d5b ("V4L/DVB (9178): cx24116: Add module parameter to return SNR as ESNO.") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/cx24116.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/cx24116.c ++++ b/drivers/media/dvb-frontends/cx24116.c +@@ -741,6 +741,7 @@ static int cx24116_read_snr_pct(struct d + { + struct cx24116_state *state = fe->demodulator_priv; + u8 snr_reading; ++ int ret; + static const u32 snr_tab[] = { /* 10 x Table (rounded up) */ + 0x00000, 0x0199A, 0x03333, 0x04ccD, 0x06667, + 0x08000, 0x0999A, 0x0b333, 0x0cccD, 0x0e667, +@@ -749,7 +750,11 @@ static int cx24116_read_snr_pct(struct d + + dprintk("%s()\n", __func__); + +- snr_reading = cx24116_readreg(state, CX24116_REG_QUALITY0); ++ ret = cx24116_readreg(state, CX24116_REG_QUALITY0); ++ if (ret < 0) ++ return ret; ++ ++ snr_reading = ret; + + if (snr_reading >= 0xa0 /* 100% */) + *snr = 0xffff; diff --git a/queue-5.15/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch b/queue-5.15/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch new file mode 100644 index 00000000000..1250989104a --- /dev/null +++ b/queue-5.15/media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch @@ -0,0 +1,57 @@ +From ba9cf6b430433e57bfc8072364e944b7c0eca2a4 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Wed, 16 Oct 2024 11:24:15 +0200 +Subject: media: pulse8-cec: fix data timestamp at pulse8_setup() + +From: Mauro Carvalho Chehab + +commit ba9cf6b430433e57bfc8072364e944b7c0eca2a4 upstream. + +As pointed by Coverity, there is a hidden overflow condition there. +As date is signed and u8 is unsigned, doing: + + date = (data[0] << 24) + +With a value bigger than 07f will make all upper bits of date +0xffffffff. This can be demonstrated with this small code: + + +typedef int64_t time64_t; +typedef uint8_t u8; + +int main(void) +{ + u8 data[] = { 0xde ,0xad , 0xbe, 0xef }; + time64_t date; + + date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + printf("Invalid data = 0x%08lx\n", date); + + date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + printf("Expected data = 0x%08lx\n", date); + + return 0; +} + + +Fix it by converting the upper bit calculation to unsigned. + +Fixes: cea28e7a55e7 ("media: pulse8-cec: reorganize function order") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/cec/usb/pulse8/pulse8-cec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/cec/usb/pulse8/pulse8-cec.c ++++ b/drivers/media/cec/usb/pulse8/pulse8-cec.c +@@ -685,7 +685,7 @@ static int pulse8_setup(struct pulse8 *p + err = pulse8_send_and_wait(pulse8, cmd, 1, cmd[0], 4); + if (err) + return err; +- date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; ++ date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; + dev_info(pulse8->dev, "Firmware build date %ptT\n", &date); + + dev_dbg(pulse8->dev, "Persistent config:\n"); diff --git a/queue-5.15/media-s5p-jpeg-prevent-buffer-overflows.patch b/queue-5.15/media-s5p-jpeg-prevent-buffer-overflows.patch new file mode 100644 index 00000000000..d1614b174c6 --- /dev/null +++ b/queue-5.15/media-s5p-jpeg-prevent-buffer-overflows.patch @@ -0,0 +1,87 @@ +From 14a22762c3daeac59a5a534e124acbb4d7a79b3a Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 11:10:31 +0200 +Subject: media: s5p-jpeg: prevent buffer overflows + +From: Mauro Carvalho Chehab + +commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream. + +The current logic allows word to be less than 2. If this happens, +there will be buffer overflows, as reported by smatch. Add extra +checks to prevent it. + +While here, remove an unused word = 0 assignment. + +Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Jacek Anaszewski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/s5p-jpeg/jpeg-core.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c ++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c +@@ -775,11 +775,14 @@ static void exynos4_jpeg_parse_decode_h_ + (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2; + jpeg_buffer.curr = 0; + +- word = 0; +- + if (get_word_be(&jpeg_buffer, &word)) + return; +- jpeg_buffer.size = (long)word - 2; ++ ++ if (word < 2) ++ jpeg_buffer.size = 0; ++ else ++ jpeg_buffer.size = (long)word - 2; ++ + jpeg_buffer.data += 2; + jpeg_buffer.curr = 0; + +@@ -1058,6 +1061,7 @@ static int get_word_be(struct s5p_jpeg_b + if (byte == -1) + return -1; + *word = (unsigned int)byte | temp; ++ + return 0; + } + +@@ -1145,7 +1149,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; +- if (!length) ++ if (length <= 0) + return false; + sof = jpeg_buffer.curr; /* after 0xffc0 */ + sof_len = length; +@@ -1176,7 +1180,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; +- if (!length) ++ if (length <= 0) + return false; + if (n_dqt >= S5P_JPEG_MAX_MARKER) + return false; +@@ -1189,7 +1193,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; +- if (!length) ++ if (length <= 0) + return false; + if (n_dht >= S5P_JPEG_MAX_MARKER) + return false; +@@ -1214,6 +1218,7 @@ static bool s5p_jpeg_parse_hdr(struct s5 + if (get_word_be(&jpeg_buffer, &word)) + break; + length = (long)word - 2; ++ /* No need to check underflows as skip() does it */ + skip(&jpeg_buffer, length); + break; + } diff --git a/queue-5.15/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch b/queue-5.15/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch new file mode 100644 index 00000000000..f8a7ad3b04c --- /dev/null +++ b/queue-5.15/media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch @@ -0,0 +1,68 @@ +From 4c76f331a9a173ac8fe1297a9231c2a38f88e368 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Tue, 15 Oct 2024 14:23:38 +0200 +Subject: media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl() + +From: Mauro Carvalho Chehab + +commit 4c76f331a9a173ac8fe1297a9231c2a38f88e368 upstream. + +As detected by Coverity, the error check logic at get_ctrl() is +broken: if ptr_to_user() fails to fill a control due to an error, +no errors are returned and v4l2_g_ctrl() returns success on a +failed operation, which may cause applications to fail. + +Add an error check at get_ctrl() and ensure that it will +be returned to userspace without filling the control value if +get_ctrl() fails. + +Fixes: 71c689dc2e73 ("media: v4l2-ctrls: split up into four source files") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ctrls-api.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ctrls-api.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c +@@ -712,9 +712,10 @@ static int get_ctrl(struct v4l2_ctrl *ct + for (i = 0; i < master->ncontrols; i++) + cur_to_new(master->cluster[i]); + ret = call_op(master, g_volatile_ctrl); +- new_to_user(c, ctrl); ++ if (!ret) ++ ret = new_to_user(c, ctrl); + } else { +- cur_to_user(c, ctrl); ++ ret = cur_to_user(c, ctrl); + } + v4l2_ctrl_unlock(master); + return ret; +@@ -729,7 +730,10 @@ int v4l2_g_ctrl(struct v4l2_ctrl_handler + if (!ctrl || !ctrl->is_int) + return -EINVAL; + ret = get_ctrl(ctrl, &c); +- control->value = c.value; ++ ++ if (!ret) ++ control->value = c.value; ++ + return ret; + } + EXPORT_SYMBOL(v4l2_g_ctrl); +@@ -770,10 +774,11 @@ static int set_ctrl_lock(struct v4l2_fh + int ret; + + v4l2_ctrl_lock(ctrl); +- user_to_new(c, ctrl); +- ret = set_ctrl(fh, ctrl, 0); ++ ret = user_to_new(c, ctrl); ++ if (!ret) ++ ret = set_ctrl(fh, ctrl, 0); + if (!ret) +- cur_to_user(c, ctrl); ++ ret = cur_to_user(c, ctrl); + v4l2_ctrl_unlock(ctrl); + return ret; + } diff --git a/queue-5.15/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch b/queue-5.15/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch new file mode 100644 index 00000000000..84c844cf0f1 --- /dev/null +++ b/queue-5.15/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch @@ -0,0 +1,36 @@ +From e6a3ea83fbe15d4818d01804e904cbb0e64e543b Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Wed, 16 Oct 2024 11:53:15 +0200 +Subject: media: v4l2-tpg: prevent the risk of a division by zero + +From: Mauro Carvalho Chehab + +commit e6a3ea83fbe15d4818d01804e904cbb0e64e543b upstream. + +As reported by Coverity, the logic at tpg_precalculate_line() +blindly rescales the buffer even when scaled_witdh is equal to +zero. If this ever happens, this will cause a division by zero. + +Instead, add a WARN_ON_ONCE() to trigger such cases and return +without doing any precalculation. + +Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator") +Cc: stable@vger.kernel.org +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c ++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c +@@ -1789,6 +1789,9 @@ static void tpg_precalculate_line(struct + unsigned p; + unsigned x; + ++ if (WARN_ON_ONCE(!tpg->src_width || !tpg->scaled_width)) ++ return; ++ + switch (tpg->pattern) { + case TPG_PAT_GREEN: + contrast = TPG_COLOR_100_RED; diff --git a/queue-5.15/series b/queue-5.15/series index 9fbf58b923c..76cf2207461 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -30,3 +30,8 @@ media-adv7604-prevent-underflow-condition-when-repor.patch scsi-sd_zbc-use-kvzalloc-to-allocate-report-zones-bu.patch alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch asoc-stm32-spdifrx-fix-dma-channel-release-in-stm32_.patch +media-s5p-jpeg-prevent-buffer-overflows.patch +media-cx24116-prevent-overflows-on-snr-calculus.patch +media-pulse8-cec-fix-data-timestamp-at-pulse8_setup.patch +media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch +media-v4l2-ctrls-api-fix-error-handling-for-v4l2_g_ctrl.patch