From: Greg Kroah-Hartman Date: Sun, 2 Oct 2022 15:08:54 +0000 (+0200) Subject: 5.19-stable patches X-Git-Tag: v5.19.13~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=77f2d07a6dcc1c493d287af832529f114f326593;p=thirdparty%2Fkernel%2Fstable-queue.git 5.19-stable patches added patches: media-dvb_vb2-fix-possible-out-of-bound-access.patch media-mediatek-vcodec-drop-platform_get_resource-ioresource_irq.patch media-rkvdec-disable-h.264-error-detection.patch media-v4l2-compat-ioctl32.c-zero-buffer-passed-to-v4l2_compat_get_array_args.patch
---
diff --git a/queue-5.19/media-dvb_vb2-fix-possible-out-of-bound-access.patch b/queue-5.19/media-dvb_vb2-fix-possible-out-of-bound-access.patch
new file mode 100644
index 00000000000..dbf0d2c051a
--- /dev/null
+++ b/queue-5.19/media-dvb_vb2-fix-possible-out-of-bound-access.patch
@@ -0,0 +1,53 @@
+From 37238699073e7e93f05517e529661151173cd458 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua
+Date: Thu, 19 May 2022 03:17:43 +0100
+Subject: media: dvb_vb2: fix possible out of bound access
+
+From: Hangyu Hua
+
+commit 37238699073e7e93f05517e529661151173cd458 upstream.
+
+vb2_core_qbuf and vb2_core_querybuf don't check the range of b->index
+controlled by the user.
+
+Fix this by adding range checking code before using them.
+
+Fixes: 57868acc369a ("media: videobuf2: Add new uAPI for DVB streaming I/O")
+Signed-off-by: Hangyu Hua
+Reviewed-by: Sergey Senozhatsky
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/dvb-core/dvb_vb2.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/media/dvb-core/dvb_vb2.c
++++ b/drivers/media/dvb-core/dvb_vb2.c
+@@ -354,6 +354,12 @@ int dvb_vb2_reqbufs(struct dvb_vb2_ctx *
+
+ int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
+ {
++ struct vb2_queue *q = &ctx->vb_q;
++
++ if (b->index >= q->num_buffers) {
++ dprintk(1, "[%s] buffer index out of range\n", ctx->name);
++ return -EINVAL;
++ }
+ vb2_core_querybuf(&ctx->vb_q, b->index, b);
+ dprintk(3, "[%s] index=%d\n", ctx->name, b->index);
+ return 0;
+@@ -378,8 +384,13 @@ int dvb_vb2_expbuf(struct dvb_vb2_ctx *c
+
+ int dvb_vb2_qbuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
+ {
++ struct vb2_queue *q = &ctx->vb_q;
+ int ret;
+
++ if (b->index >= q->num_buffers) {
++ dprintk(1, "[%s] buffer index out of range\n", ctx->name);
++ return -EINVAL;
++ }
+ ret = vb2_core_qbuf(&ctx->vb_q, b->index, b, NULL);
+ if (ret) {
+ dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,
diff --git a/queue-5.19/media-mediatek-vcodec-drop-platform_get_resource-ioresource_irq.patch b/queue-5.19/media-mediatek-vcodec-drop-platform_get_resource-ioresource_irq.patch
new file mode 100644
index 00000000000..f2ce2f0b7c6
--- /dev/null
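Review bot: In the dvb_vb2.c patch, the same range check is pasted into dvb_vb2_querybuf() and dvb_vb2_qbuf() with no comment saying that `b->index` arrives from userspace, so a later cleanup has nothing telling it the check is a trust boundary; a comment such as `/* b->index is user-controlled: reject it before the vb2 core uses it */` above each `if` would record that. The test reads `q->num_buffers` with no locking visible in either inner hunk, so it is only as strong as the serialization the callers provide, which this patch does not show. dvb_vb2_expbuf() is named in the second inner hunk header but its body is not shown, so whether its index is validated cannot be judged from here. The body of dvb_vb2_qbuf() continues past the end of the hunk.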
+++ b/queue-5.19/media-mediatek-vcodec-drop-platform_get_resource-ioresource_irq.patch 
@@ -0,0 +1,65 @@
+From a2d2e593d39bc2f29a1cd5e3779af457fd26490c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?N=C3=ADcolas=20F=2E=20R=2E=20A=2E=20Prado?=
+
+Date: Fri, 17 Jun 2022 21:39:06 +0100
+Subject: media: mediatek: vcodec: Drop platform_get_resource(IORESOURCE_IRQ)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado
+
+commit a2d2e593d39bc2f29a1cd5e3779af457fd26490c upstream.
+
+Commit a1a2b7125e10 ("of/platform: Drop static setup of IRQ resource
+from DT core") removed support for calling platform_get_resource(...,
+IORESOURCE_IRQ, ...) on DT-based drivers, but the probe() function of
+mtk-vcodec's encoder was still making use of it. This caused the encoder
+driver to fail probe.
+
+Since the platform_get_resource() call was only being used to check for
+the presence of the interrupt (its returned resource wasn't even used)
+and platform_get_irq() was already being used to get the IRQ, simply
+drop the use of platform_get_resource(IORESOURCE_IRQ) and handle the
+failure of platform_get_irq(), to get the driver probing again.
+
+[hverkuil: drop unused struct resource *res]
+
+Fixes: a1a2b7125e10 ("of/platform: Drop static setup of IRQ resource from DT core")
+Signed-off-by: Nícolas F. R. A. Prado
+Reviewed-by: AngeloGioacchino Del Regno
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc_drv.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc_drv.c
++++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc_drv.c
+@@ -228,7 +228,6 @@ static int mtk_vcodec_probe(struct platf
+ {
+ struct mtk_vcodec_dev *dev;
+ struct video_device *vfd_enc;
+- struct resource *res;
+ phandle rproc_phandle;
+ enum mtk_vcodec_fw_type fw_type;
+ int ret;
+@@ -272,14 +271,12 @@ static int mtk_vcodec_probe(struct platf
+ goto err_res;
+ }
+
+- res = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
+- if (res == NULL) {
+- dev_err(&pdev->dev, "failed to get irq resource");
+- ret = -ENOENT;
++ dev->enc_irq = platform_get_irq(pdev, 0);
++ if (dev->enc_irq < 0) {
++ ret = dev->enc_irq;
+ goto err_res;
+ }
+
+- dev->enc_irq = platform_get_irq(pdev, 0);
+ irq_set_status_flags(dev->enc_irq, IRQ_NOAUTOEN);
+ ret = devm_request_irq(&pdev->dev, dev->enc_irq,
+ mtk_vcodec_enc_irq_handler,
diff --git a/queue-5.19/media-rkvdec-disable-h.264-error-detection.patch b/queue-5.19/media-rkvdec-disable-h.264-error-detection.patch
new file mode 100644
index 00000000000..d901c202e73
--- /dev/null
+++ b/queue-5.19/media-rkvdec-disable-h.264-error-detection.patch
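Review bot: In the mtk_vcodec_enc_drv.c patch, the new `if (dev->enc_irq < 0)` test in mtk_vcodec_probe() can only fire if `enc_irq` is a signed field; its declaration in struct mtk_vcodec_dev is outside this patch, so that should be confirmed, because with an unsigned field a negative errno from platform_get_irq() would go on to irq_set_status_flags() and devm_request_irq() as a large IRQ number. A short comment such as `/* platform_get_irq() returns a negative errno on failure */` above the check would make the dependency on signedness explicit. mtk_vcodec_probe() begins before and continues after both inner hunks.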
@@ -0,0 +1,43 @@
+From 3a99c4474112f49a5459933d8758614002ca0ddc Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne
+Date: Fri, 10 Jun 2022 13:52:11 +0100
+Subject: media: rkvdec: Disable H.264 error detection
+
+From: Nicolas Dufresne
+
+commit 3a99c4474112f49a5459933d8758614002ca0ddc upstream.
+
+Quite often, the HW get stuck in error condition if a stream error
+was detected. As documented, the HW should stop immediately and self
+reset. There is likely a problem or a miss-understanding of the self
+reset mechanism, as unless we make a long pause, the next command
+will then report an error even if there is no error in it.
+
+Disabling error detection fixes the issue, and let the decoder continue
+after an error. This patch is safe for backport into older kernels.
+
+Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
+Signed-off-by: Nicolas Dufresne
+Reviewed-by: Brian Norris
+Tested-by: Brian Norris
+Reviewed-by: Ezequiel Garcia
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/media/rkvdec/rkvdec-h264.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/media/rkvdec/rkvdec-h264.c
++++ b/drivers/staging/media/rkvdec/rkvdec-h264.c
+@@ -1175,8 +1175,8 @@ static int rkvdec_h264_run(struct rkvdec
+
+ schedule_delayed_work(&rkvdec->watchdog_work, msecs_to_jiffies(2000));
+
+- writel(0xffffffff, rkvdec->regs + RKVDEC_REG_STRMD_ERR_EN);
+- writel(0xffffffff, rkvdec->regs + RKVDEC_REG_H264_ERR_E);
++ writel(0, rkvdec->regs + RKVDEC_REG_STRMD_ERR_EN);
++ writel(0, rkvdec->regs + RKVDEC_REG_H264_ERR_E);
+ writel(1, rkvdec->regs + RKVDEC_REG_PREF_LUMA_CACHE_COMMAND);
+ writel(1, rkvdec->regs + RKVDEC_REG_PREF_CHR_CACHE_COMMAND);
+
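Review bot: Writing `0` to RKVDEC_REG_STRMD_ERR_EN and RKVDEC_REG_H264_ERR_E in rkvdec_h264_run() turns off the hardware's stream error detection with no comment at the call site, so the reason lives only in the commit message; a comment such as `/* Error detection stays off: the HW does not recover cleanly after a stream error */` above the two writes would keep it from being re-enabled by accident. With detection off, the 2000 ms watchdog scheduled just above is the only guard visible in this hunk against a decode that never completes on a malformed bitstream. Whether a frame decoded from a corrupted stream is still flagged as erroneous to userspace is not shown here and is worth confirming in the completion path. rkvdec_h264_run() begins and ends outside the hunk.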
diff --git a/queue-5.19/media-v4l2-compat-ioctl32.c-zero-buffer-passed-to-v4l2_compat_get_array_args.patch b/queue-5.19/media-v4l2-compat-ioctl32.c-zero-buffer-passed-to-v4l2_compat_get_array_args.patch
new file mode 100644
index 00000000000..6c2503edbe2
--- /dev/null
+++ b/queue-5.19/media-v4l2-compat-ioctl32.c-zero-buffer-passed-to-v4l2_compat_get_array_args.patch
@@ -0,0 +1,33 @@
+From 4e768c8e34e639cff66a0f175bc4aebf472e4305 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Mon, 21 Mar 2022 08:33:56 +0000
+Subject: media: v4l2-compat-ioctl32.c: zero buffer passed to v4l2_compat_get_array_args()
+
+From: Hans Verkuil
+
+commit 4e768c8e34e639cff66a0f175bc4aebf472e4305 upstream.
+
+The v4l2_compat_get_array_args() function can leave uninitialized memory in the
+buffer it is passed. So zero it before copying array elements from userspace
+into the buffer.
+
+Signed-off-by: Hans Verkuil
+Reported-by: syzbot+ff18193ff05f3f87f226@syzkaller.appspotmail.com
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -1040,6 +1040,8 @@ int v4l2_compat_get_array_args(struct fi
+ {
+ int err = 0;
+
++ memset(mbuf, 0, array_size);
++
+ switch (cmd) {
+ case VIDIOC_G_FMT32:
+ case VIDIOC_S_FMT32:
diff --git a/queue-5.19/series b/queue-5.19/series
index 5bf92397224..1941e3183f3 100644
--- a/queue-5.19/series
+++ b/queue-5.19/series
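Review bot: The added `memset(mbuf, 0, array_size);` in v4l2_compat_get_array_args() carries no comment saying it exists to keep uninitialized kernel memory out of the buffer, so it reads like a redundant clear that a later optimisation could remove; `/* Zero first: the conversions below may not write every byte of mbuf */` above it would document the intent. The call trusts `array_size` to be no larger than the allocation behind `mbuf`; both are supplied by the caller, which is outside the hunk, so that relationship should be confirmed there. The function body continues past the end of the hunk.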
@@ -44,3 +44,7 @@ mm-fix-madivse_pageout-mishandling-on-non-lru-page.patch
 mm-bring-back-update_mmu_cache-to-finish_fault.patch
 mm-hugetlb-correct-demote-page-offset-logic.patch
 mm-hwpoison-check-mm-when-killing-accessing-process.patch
+media-dvb_vb2-fix-possible-out-of-bound-access.patch
+media-rkvdec-disable-h.264-error-detection.patch
+media-mediatek-vcodec-drop-platform_get_resource-ioresource_irq.patch
+media-v4l2-compat-ioctl32.c-zero-buffer-passed-to-v4l2_compat_get_array_args.patch