From: Sasha Levin Date: Sat, 9 Nov 2024 11:37:23 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v5.15.172~71 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b32f6126834a48a39c60c54a3451456a939b34e4;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch b/queue-5.4/alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch new file mode 100644 index 00000000000..a201c53ad55 --- /dev/null +++ b/queue-5.4/alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch @@ -0,0 +1,41 @@ +From fab4ae543ac5a6169d364169d4e8896df837f86f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Nov 2024 21:55:13 +0300 +Subject: ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init() + +From: Murad Masimov + +[ Upstream commit 8abbf1f01d6a2ef9f911f793e30f7382154b5a3a ] + +If amdtp_stream_init() fails in amdtp_tscm_init(), the latter returns zero, +though it's supposed to return error code, which is checked inside +init_stream() in file tascam-stream.c. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 47faeea25ef3 ("ALSA: firewire-tascam: add data block processing layer") +Signed-off-by: Murad Masimov +Reviewed-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Link: https://patch.msgid.link/20241101185517.1819-1-m.masimov@maxima.ru +Signed-off-by: Sasha Levin +--- + sound/firewire/tascam/amdtp-tascam.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/firewire/tascam/amdtp-tascam.c b/sound/firewire/tascam/amdtp-tascam.c +index f823a2ab3544b..8ffc065b77f95 100644 +--- a/sound/firewire/tascam/amdtp-tascam.c ++++ b/sound/firewire/tascam/amdtp-tascam.c +@@ -244,7 +244,7 @@ int amdtp_tscm_init(struct amdtp_stream *s, struct fw_unit *unit, + CIP_NONBLOCKING | CIP_SKIP_DBC_ZERO_CHECK, fmt, + process_ctx_payloads, sizeof(struct amdtp_tscm)); + if (err < 0) +- return 0; ++ return err; + + if (dir == AMDTP_OUT_STREAM) { + // Use fixed value for FDF field. +-- +2.43.0 + diff --git a/queue-5.4/media-adv7604-prevent-underflow-condition-when-repor.patch b/queue-5.4/media-adv7604-prevent-underflow-condition-when-repor.patch new file mode 100644 index 00000000000..1ac39f85dab --- /dev/null +++ b/queue-5.4/media-adv7604-prevent-underflow-condition-when-repor.patch @@ -0,0 +1,74 @@ +From 4aca45f83a7a7e7e8d47ce96a1fc6dfcbcdeca69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 12:25:09 +0200 +Subject: media: adv7604: prevent underflow condition when reporting colorspace + +From: Mauro Carvalho Chehab + +[ Upstream commit 50b9fa751d1aef5d262bde871c70a7f44262f0bc ] + +Currently, adv76xx_log_status() reads some date using +io_read() which may return negative values. The current logic +doesn't check such errors, causing colorspace to be reported +on a wrong way at adv76xx_log_status(), as reported by Coverity. + +If I/O error happens there, print a different message, instead +of reporting bogus messages to userspace. + +Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder") +Signed-off-by: Mauro Carvalho Chehab +Reviewed-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/adv7604.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c +index 1cee69919e1b9..d0b2d960c7847 100644 +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -2477,10 +2477,10 @@ static int adv76xx_log_status(struct v4l2_subdev *sd) + const struct adv76xx_chip_info *info = state->info; + struct v4l2_dv_timings timings; + struct stdi_readback stdi; +- u8 reg_io_0x02 = io_read(sd, 0x02); ++ int ret; ++ u8 reg_io_0x02; + u8 edid_enabled; + u8 cable_det; +- + static const char * const csc_coeff_sel_rb[16] = { + "bypassed", "YPbPr601 -> RGB", "reserved", "YPbPr709 -> RGB", + "reserved", "RGB -> YPbPr601", "reserved", "RGB -> YPbPr709", +@@ -2579,13 +2579,21 @@ static int adv76xx_log_status(struct v4l2_subdev *sd) + v4l2_info(sd, "-----Color space-----\n"); + v4l2_info(sd, "RGB quantization range ctrl: %s\n", + rgb_quantization_range_txt[state->rgb_quantization_range]); +- v4l2_info(sd, "Input color space: %s\n", +- input_color_space_txt[reg_io_0x02 >> 4]); +- v4l2_info(sd, "Output color space: %s %s, alt-gamma %s\n", +- (reg_io_0x02 & 0x02) ? "RGB" : "YCbCr", +- (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ? +- "(16-235)" : "(0-255)", +- (reg_io_0x02 & 0x08) ? "enabled" : "disabled"); ++ ++ ret = io_read(sd, 0x02); ++ if (ret < 0) { ++ v4l2_info(sd, "Can't read Input/Output color space\n"); ++ } else { ++ reg_io_0x02 = ret; ++ ++ v4l2_info(sd, "Input color space: %s\n", ++ input_color_space_txt[reg_io_0x02 >> 4]); ++ v4l2_info(sd, "Output color space: %s %s, alt-gamma %s\n", ++ (reg_io_0x02 & 0x02) ? "RGB" : "YCbCr", ++ (((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ? ++ "(16-235)" : "(0-255)", ++ (reg_io_0x02 & 0x08) ? "enabled" : "disabled"); ++ } + v4l2_info(sd, "Color space conversion: %s\n", + csc_coeff_sel_rb[cp_read(sd, info->cp_csc) >> 4]); + +-- +2.43.0 + diff --git a/queue-5.4/media-dvb_frontend-don-t-play-tricks-with-underflow-.patch b/queue-5.4/media-dvb_frontend-don-t-play-tricks-with-underflow-.patch new file mode 100644 index 00000000000..1df9b99ec4b --- /dev/null +++ b/queue-5.4/media-dvb_frontend-don-t-play-tricks-with-underflow-.patch @@ -0,0 +1,44 @@ +From 8ca5268dac58100dd00f13e413cf34dfaeb1bdc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 16:05:16 +0200 +Subject: media: dvb_frontend: don't play tricks with underflow values + +From: Mauro Carvalho Chehab + +[ Upstream commit 9883a4d41aba7612644e9bb807b971247cea9b9d ] + +fepriv->auto_sub_step is unsigned. Setting it to -1 is just a +trick to avoid calling continue, as reported by Coverity. + +It relies to have this code just afterwards: + + if (!ready) fepriv->auto_sub_step++; + +Simplify the code by simply setting it to zero and use +continue to return to the while loop. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_frontend.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c +index ad3e42a4eaf73..01efb4bd260d9 100644 +--- a/drivers/media/dvb-core/dvb_frontend.c ++++ b/drivers/media/dvb-core/dvb_frontend.c +@@ -442,8 +442,8 @@ static int dvb_frontend_swzigzag_autotune(struct dvb_frontend *fe, int check_wra + + default: + fepriv->auto_step++; +- fepriv->auto_sub_step = -1; /* it'll be incremented to 0 in a moment */ +- break; ++ fepriv->auto_sub_step = 0; ++ continue; + } + + if (!ready) fepriv->auto_sub_step++; +-- +2.43.0 + diff --git a/queue-5.4/media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch b/queue-5.4/media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch new file mode 100644 index 00000000000..032d43f4130 --- /dev/null +++ b/queue-5.4/media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch @@ -0,0 +1,80 @@ +From e101e4c14032210900b332b60053e0aa455c991b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Oct 2024 15:23:01 +0200 +Subject: media: dvbdev: prevent the risk of out of memory access + +From: Mauro Carvalho Chehab + +[ Upstream commit 972e63e895abbe8aa1ccbdbb4e6362abda7cd457 ] + +The dvbdev contains a static variable used to store dvb minors. + +The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set +or not. When not set, dvb_register_device() won't check for +boundaries, as it will rely that a previous call to +dvb_register_adapter() would already be enforcing it. + +On a similar way, dvb_device_open() uses the assumption +that the register functions already did the needed checks. + +This can be fragile if some device ends using different +calls. This also generate warnings on static check analysers +like Coverity. + +So, add explicit guards to prevent potential risk of OOM issues. + +Fixes: 5dd3f3071070 ("V4L/DVB (9361): Dynamic DVB minor allocation") +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvbdev.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c +index ba91c6f8fe1d8..4a6e8a6b36f45 100644 +--- a/drivers/media/dvb-core/dvbdev.c ++++ b/drivers/media/dvb-core/dvbdev.c +@@ -96,10 +96,15 @@ static DECLARE_RWSEM(minor_rwsem); + static int dvb_device_open(struct inode *inode, struct file *file) + { + struct dvb_device *dvbdev; ++ unsigned int minor = iminor(inode); ++ ++ if (minor >= MAX_DVB_MINORS) ++ return -ENODEV; + + mutex_lock(&dvbdev_mutex); + down_read(&minor_rwsem); +- dvbdev = dvb_minors[iminor(inode)]; ++ ++ dvbdev = dvb_minors[minor]; + + if (dvbdev && dvbdev->fops) { + int err = 0; +@@ -539,7 +544,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + for (minor = 0; minor < MAX_DVB_MINORS; minor++) + if (dvb_minors[minor] == NULL) + break; +- if (minor == MAX_DVB_MINORS) { ++ if (minor >= MAX_DVB_MINORS) { + if (new_node) { + list_del (&new_node->list_head); + kfree(dvbdevfops); +@@ -554,6 +559,14 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, + } + #else + minor = nums2minor(adap->num, type, id); ++ if (minor >= MAX_DVB_MINORS) { ++ dvb_media_device_free(dvbdev); ++ list_del(&dvbdev->list_head); ++ kfree(dvbdev); ++ *pdvbdev = NULL; ++ mutex_unlock(&dvbdev_register_lock); ++ return ret; ++ } + #endif + dvbdev->minor = minor; + dvb_minors[minor] = dvb_device_get(dvbdev); +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 718eb4a9ed2..bc260d298b3 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -14,3 +14,7 @@ sctp-properly-validate-chunk-size-in-sctp_sf_ootb.patch can-c_can-fix-rx-tx-_errors-statistics.patch net-hns3-fix-kernel-crash-when-uninstalling-driver.patch media-stb0899_algo-initialize-cfr-before-using-it.patch +media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch +media-dvb_frontend-don-t-play-tricks-with-underflow-.patch +media-adv7604-prevent-underflow-condition-when-repor.patch +alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch