From: Greg Kroah-Hartman Date: Sat, 26 Aug 2023 20:27:47 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v6.1.49~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b685e0d29445c928082ad49f48bcfc0db9ff4f94;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch batman-adv-trigger-events-for-auto-adjusted-mtu.patch lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch --- diff --git a/queue-4.14/batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch b/queue-4.14/batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch new file mode 100644 index 00000000000..4a04d9d92ab --- /dev/null +++ b/queue-4.14/batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch @@ -0,0 +1,122 @@ +From eac27a41ab641de074655d2932fc7f8cdb446881 Mon Sep 17 00:00:00 2001 +From: Remi Pommarel +Date: Fri, 28 Jul 2023 15:38:50 +0200 +Subject: batman-adv: Do not get eth header before batadv_check_management_packet + +From: Remi Pommarel + +commit eac27a41ab641de074655d2932fc7f8cdb446881 upstream. + +If received skb in batadv_v_elp_packet_recv or batadv_v_ogm_packet_recv +is either cloned or non linearized then its data buffer will be +reallocated by batadv_check_management_packet when skb_cow or +skb_linearize get called. Thus geting ethernet header address inside +skb data buffer before batadv_check_management_packet had any chance to +reallocate it could lead to the following kernel panic: + + Unable to handle kernel paging request at virtual address ffffff8020ab069a + Mem abort info: + ESR = 0x96000007 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x07: level 3 translation fault + Data abort info: + ISV = 0, ISS = 0x00000007 + CM = 0, WnR = 0 + swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000040f45000 + [ffffff8020ab069a] pgd=180000007fffa003, p4d=180000007fffa003, pud=180000007fffa003, pmd=180000007fefe003, pte=0068000020ab0706 + Internal error: Oops: 96000007 [#1] SMP + Modules linked in: ahci_mvebu libahci_platform libahci dvb_usb_af9035 dvb_usb_dib0700 dib0070 dib7000m dibx000_common ath11k_pci ath10k_pci ath10k_core mwl8k_new nf_nat_sip nf_conntrack_sip xhci_plat_hcd xhci_hcd nf_nat_pptp nf_conntrack_pptp at24 sbsa_gwdt + CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.15.42-00066-g3242268d425c-dirty #550 + Hardware name: A8k (DT) + pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : batadv_is_my_mac+0x60/0xc0 + lr : batadv_v_ogm_packet_recv+0x98/0x5d0 + sp : ffffff8000183820 + x29: ffffff8000183820 x28: 0000000000000001 x27: ffffff8014f9af00 + x26: 0000000000000000 x25: 0000000000000543 x24: 0000000000000003 + x23: ffffff8020ab0580 x22: 0000000000000110 x21: ffffff80168ae880 + x20: 0000000000000000 x19: ffffff800b561000 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 x15: 00dc098924ae0032 + x14: 0f0405433e0054b0 x13: ffffffff00000080 x12: 0000004000000001 + x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 + x8 : 0000000000000000 x7 : ffffffc076dae000 x6 : ffffff8000183700 + x5 : ffffffc00955e698 x4 : ffffff80168ae000 x3 : ffffff80059cf000 + x2 : ffffff800b561000 x1 : ffffff8020ab0696 x0 : ffffff80168ae880 + Call trace: + batadv_is_my_mac+0x60/0xc0 + batadv_v_ogm_packet_recv+0x98/0x5d0 + batadv_batman_skb_recv+0x1b8/0x244 + __netif_receive_skb_core.isra.0+0x440/0xc74 + __netif_receive_skb_one_core+0x14/0x20 + netif_receive_skb+0x68/0x140 + br_pass_frame_up+0x70/0x80 + br_handle_frame_finish+0x108/0x284 + br_handle_frame+0x190/0x250 + __netif_receive_skb_core.isra.0+0x240/0xc74 + __netif_receive_skb_list_core+0x6c/0x90 + netif_receive_skb_list_internal+0x1f4/0x310 + napi_complete_done+0x64/0x1d0 + gro_cell_poll+0x7c/0xa0 + __napi_poll+0x34/0x174 + net_rx_action+0xf8/0x2a0 + _stext+0x12c/0x2ac + run_ksoftirqd+0x4c/0x7c + smpboot_thread_fn+0x120/0x210 + kthread+0x140/0x150 + ret_from_fork+0x10/0x20 + Code: f9403844 eb03009f 54fffee1 f94 + +Thus ethernet header address should only be fetched after +batadv_check_management_packet has been called. + +Fixes: 0da0035942d4 ("batman-adv: OGMv2 - add basic infrastructure") +Cc: stable@vger.kernel.org +Signed-off-by: Remi Pommarel +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_elp.c | 3 ++- + net/batman-adv/bat_v_ogm.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/bat_v_elp.c ++++ b/net/batman-adv/bat_v_elp.c +@@ -507,7 +507,7 @@ int batadv_v_elp_packet_recv(struct sk_b + struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface); + struct batadv_elp_packet *elp_packet; + struct batadv_hard_iface *primary_if; +- struct ethhdr *ethhdr = (struct ethhdr *)skb_mac_header(skb); ++ struct ethhdr *ethhdr; + bool res; + int ret = NET_RX_DROP; + +@@ -515,6 +515,7 @@ int batadv_v_elp_packet_recv(struct sk_b + if (!res) + goto free_skb; + ++ ethhdr = eth_hdr(skb); + if (batadv_is_my_mac(bat_priv, ethhdr->h_source)) + goto free_skb; + +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -831,7 +831,7 @@ int batadv_v_ogm_packet_recv(struct sk_b + { + struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface); + struct batadv_ogm2_packet *ogm_packet; +- struct ethhdr *ethhdr = eth_hdr(skb); ++ struct ethhdr *ethhdr; + int ogm_offset; + u8 *packet_pos; + int ret = NET_RX_DROP; +@@ -845,6 +845,7 @@ int batadv_v_ogm_packet_recv(struct sk_b + if (!batadv_check_management_packet(skb, if_incoming, BATADV_OGM2_HLEN)) + goto free_skb; + ++ ethhdr = eth_hdr(skb); + if (batadv_is_my_mac(bat_priv, ethhdr->h_source)) + goto free_skb; + diff --git a/queue-4.14/batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch b/queue-4.14/batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch new file mode 100644 index 00000000000..759a5016b20 --- /dev/null +++ b/queue-4.14/batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch @@ -0,0 +1,56 @@ +From 421d467dc2d483175bad4fb76a31b9e5a3d744cf Mon Sep 17 00:00:00 2001 +From: Remi Pommarel +Date: Wed, 9 Aug 2023 17:29:13 +0200 +Subject: batman-adv: Fix batadv_v_ogm_aggr_send memory leak + +From: Remi Pommarel + +commit 421d467dc2d483175bad4fb76a31b9e5a3d744cf upstream. + +When batadv_v_ogm_aggr_send is called for an inactive interface, the skb +is silently dropped by batadv_v_ogm_send_to_if() but never freed causing +the following memory leak: + + unreferenced object 0xffff00000c164800 (size 512): + comm "kworker/u8:1", pid 2648, jiffies 4295122303 (age 97.656s) + hex dump (first 32 bytes): + 00 80 af 09 00 00 ff ff e1 09 00 00 75 01 60 83 ............u.`. + 1f 00 00 00 b8 00 00 00 15 00 05 00 da e3 d3 64 ...............d + backtrace: + [<0000000007ad20f6>] __kmalloc_track_caller+0x1a8/0x310 + [<00000000d1029e55>] kmalloc_reserve.constprop.0+0x70/0x13c + [<000000008b9d4183>] __alloc_skb+0xec/0x1fc + [<00000000c7af5051>] __netdev_alloc_skb+0x48/0x23c + [<00000000642ee5f5>] batadv_v_ogm_aggr_send+0x50/0x36c + [<0000000088660bd7>] batadv_v_ogm_aggr_work+0x24/0x40 + [<0000000042fc2606>] process_one_work+0x3b0/0x610 + [<000000002f2a0b1c>] worker_thread+0xa0/0x690 + [<0000000059fae5d4>] kthread+0x1fc/0x210 + [<000000000c587d3a>] ret_from_fork+0x10/0x20 + +Free the skb in that case to fix this leak. + +Cc: stable@vger.kernel.org +Fixes: 0da0035942d4 ("batman-adv: OGMv2 - add basic infrastructure") +Signed-off-by: Remi Pommarel +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v_ogm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/bat_v_ogm.c ++++ b/net/batman-adv/bat_v_ogm.c +@@ -118,8 +118,10 @@ static void batadv_v_ogm_send_to_if(stru + { + struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface); + +- if (hard_iface->if_status != BATADV_IF_ACTIVE) ++ if (hard_iface->if_status != BATADV_IF_ACTIVE) { ++ kfree_skb(skb); + return; ++ } + + batadv_inc_counter(bat_priv, BATADV_CNT_MGMT_TX); + batadv_add_counter(bat_priv, BATADV_CNT_MGMT_TX_BYTES, diff --git a/queue-4.14/batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch b/queue-4.14/batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch new file mode 100644 index 00000000000..d7944a67fb3 --- /dev/null +++ b/queue-4.14/batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch @@ -0,0 +1,85 @@ +From d25ddb7e788d34cf27ff1738d11a87cb4b67d446 Mon Sep 17 00:00:00 2001 +From: Remi Pommarel +Date: Fri, 4 Aug 2023 11:39:36 +0200 +Subject: batman-adv: Fix TT global entry leak when client roamed back + +From: Remi Pommarel + +commit d25ddb7e788d34cf27ff1738d11a87cb4b67d446 upstream. + +When a client roamed back to a node before it got time to destroy the +pending local entry (i.e. within the same originator interval) the old +global one is directly removed from hash table and left as such. + +But because this entry had an extra reference taken at lookup (i.e using +batadv_tt_global_hash_find) there is no way its memory will be reclaimed +at any time causing the following memory leak: + + unreferenced object 0xffff0000073c8000 (size 18560): + comm "softirq", pid 0, jiffies 4294907738 (age 228.644s) + hex dump (first 32 bytes): + 06 31 ac 12 c7 7a 05 00 01 00 00 00 00 00 00 00 .1...z.......... + 2c ad be 08 00 80 ff ff 6c b6 be 08 00 80 ff ff ,.......l....... + backtrace: + [<00000000ee6e0ffa>] kmem_cache_alloc+0x1b4/0x300 + [<000000000ff2fdbc>] batadv_tt_global_add+0x700/0xe20 + [<00000000443897c7>] _batadv_tt_update_changes+0x21c/0x790 + [<000000005dd90463>] batadv_tt_update_changes+0x3c/0x110 + [<00000000a2d7fc57>] batadv_tt_tvlv_unicast_handler_v1+0xafc/0xe10 + [<0000000011793f2a>] batadv_tvlv_containers_process+0x168/0x2b0 + [<00000000b7cbe2ef>] batadv_recv_unicast_tvlv+0xec/0x1f4 + [<0000000042aef1d8>] batadv_batman_skb_recv+0x25c/0x3a0 + [<00000000bbd8b0a2>] __netif_receive_skb_core.isra.0+0x7a8/0xe90 + [<000000004033d428>] __netif_receive_skb_one_core+0x64/0x74 + [<000000000f39a009>] __netif_receive_skb+0x48/0xe0 + [<00000000f2cd8888>] process_backlog+0x174/0x344 + [<00000000507d6564>] __napi_poll+0x58/0x1f4 + [<00000000b64ef9eb>] net_rx_action+0x504/0x590 + [<00000000056fa5e4>] _stext+0x1b8/0x418 + [<00000000878879d6>] run_ksoftirqd+0x74/0xa4 + unreferenced object 0xffff00000bae1a80 (size 56): + comm "softirq", pid 0, jiffies 4294910888 (age 216.092s) + hex dump (first 32 bytes): + 00 78 b1 0b 00 00 ff ff 0d 50 00 00 00 00 00 00 .x.......P...... + 00 00 00 00 00 00 00 00 50 c8 3c 07 00 00 ff ff ........P.<..... + backtrace: + [<00000000ee6e0ffa>] kmem_cache_alloc+0x1b4/0x300 + [<00000000d9aaa49e>] batadv_tt_global_add+0x53c/0xe20 + [<00000000443897c7>] _batadv_tt_update_changes+0x21c/0x790 + [<000000005dd90463>] batadv_tt_update_changes+0x3c/0x110 + [<00000000a2d7fc57>] batadv_tt_tvlv_unicast_handler_v1+0xafc/0xe10 + [<0000000011793f2a>] batadv_tvlv_containers_process+0x168/0x2b0 + [<00000000b7cbe2ef>] batadv_recv_unicast_tvlv+0xec/0x1f4 + [<0000000042aef1d8>] batadv_batman_skb_recv+0x25c/0x3a0 + [<00000000bbd8b0a2>] __netif_receive_skb_core.isra.0+0x7a8/0xe90 + [<000000004033d428>] __netif_receive_skb_one_core+0x64/0x74 + [<000000000f39a009>] __netif_receive_skb+0x48/0xe0 + [<00000000f2cd8888>] process_backlog+0x174/0x344 + [<00000000507d6564>] __napi_poll+0x58/0x1f4 + [<00000000b64ef9eb>] net_rx_action+0x504/0x590 + [<00000000056fa5e4>] _stext+0x1b8/0x418 + [<00000000878879d6>] run_ksoftirqd+0x74/0xa4 + +Releasing the extra reference from batadv_tt_global_hash_find even at +roam back when batadv_tt_global_free is called fixes this memory leak. + +Cc: stable@vger.kernel.org +Fixes: 068ee6e204e1 ("batman-adv: roaming handling mechanism redesign") +Signed-off-by: Remi Pommarel +Signed-off-by; Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/translation-table.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/batman-adv/translation-table.c ++++ b/net/batman-adv/translation-table.c +@@ -791,7 +791,6 @@ check_roaming: + if (roamed_back) { + batadv_tt_global_free(bat_priv, tt_global, + "Roaming canceled"); +- tt_global = NULL; + } else { + /* The global entry has to be marked as ROAMING and + * has to be kept for consistency purpose diff --git a/queue-4.14/batman-adv-trigger-events-for-auto-adjusted-mtu.patch b/queue-4.14/batman-adv-trigger-events-for-auto-adjusted-mtu.patch new file mode 100644 index 00000000000..b29dab5581a --- /dev/null +++ b/queue-4.14/batman-adv-trigger-events-for-auto-adjusted-mtu.patch @@ -0,0 +1,38 @@ +From c6a953cce8d0438391e6da48c8d0793d3fbfcfa6 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 19 Jul 2023 09:29:29 +0200 +Subject: batman-adv: Trigger events for auto adjusted MTU + +From: Sven Eckelmann + +commit c6a953cce8d0438391e6da48c8d0793d3fbfcfa6 upstream. + +If an interface changes the MTU, it is expected that an NETDEV_PRECHANGEMTU +and NETDEV_CHANGEMTU notification events is triggered. This worked fine for +.ndo_change_mtu based changes because core networking code took care of it. +But for auto-adjustments after hard-interfaces changes, these events were +simply missing. + +Due to this problem, non-batman-adv components weren't aware of MTU changes +and thus couldn't perform their own tasks correctly. + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Cc: stable@vger.kernel.org +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/hard-interface.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/hard-interface.c ++++ b/net/batman-adv/hard-interface.c +@@ -625,7 +625,7 @@ out: + /* adjusts the MTU if a new interface with a smaller MTU appeared. */ + void batadv_update_min_mtu(struct net_device *soft_iface) + { +- soft_iface->mtu = batadv_hardif_min_mtu(soft_iface); ++ dev_set_mtu(soft_iface, batadv_hardif_min_mtu(soft_iface)); + + /* Check if the local translate table should be cleaned up to match a + * new (and smaller) MTU. diff --git a/queue-4.14/lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch b/queue-4.14/lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch new file mode 100644 index 00000000000..48246bee79f --- /dev/null +++ b/queue-4.14/lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch @@ -0,0 +1,120 @@ +From 382d4cd1847517ffcb1800fd462b625db7b2ebea Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Fri, 25 Aug 2023 21:50:33 +0200 +Subject: lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels + +From: Helge Deller + +commit 382d4cd1847517ffcb1800fd462b625db7b2ebea upstream. + +The gcc compiler translates on some architectures the 64-bit +__builtin_clzll() function to a call to the libgcc function __clzdi2(), +which should take a 64-bit parameter on 32- and 64-bit platforms. + +But in the current kernel code, the built-in __clzdi2() function is +defined to operate (wrongly) on 32-bit parameters if BITS_PER_LONG == +32, thus the return values on 32-bit kernels are in the range from +[0..31] instead of the expected [0..63] range. + +This patch fixes the in-kernel functions __clzdi2() and __ctzdi2() to +take a 64-bit parameter on 32-bit kernels as well, thus it makes the +functions identical for 32- and 64-bit kernels. + +This bug went unnoticed since kernel 3.11 for over 10 years, and here +are some possible reasons for that: + + a) Some architectures have assembly instructions to count the bits and + which are used instead of calling __clzdi2(), e.g. on x86 the bsr + instruction and on ppc cntlz is used. On such architectures the + wrong __clzdi2() implementation isn't used and as such the bug has + no effect and won't be noticed. + + b) Some architectures link to libgcc.a, and the in-kernel weak + functions get replaced by the correct 64-bit variants from libgcc.a. + + c) __builtin_clzll() and __clzdi2() doesn't seem to be used in many + places in the kernel, and most likely only in uncritical functions, + e.g. when printing hex values via seq_put_hex_ll(). The wrong return + value will still print the correct number, but just in a wrong + formatting (e.g. with too many leading zeroes). + + d) 32-bit kernels aren't used that much any longer, so they are less + tested. + +A trivial testcase to verify if the currently running 32-bit kernel is +affected by the bug is to look at the output of /proc/self/maps: + +Here the kernel uses a correct implementation of __clzdi2(): + + root@debian:~# cat /proc/self/maps + 00010000-00019000 r-xp 00000000 08:05 787324 /usr/bin/cat + 00019000-0001a000 rwxp 00009000 08:05 787324 /usr/bin/cat + 0001a000-0003b000 rwxp 00000000 00:00 0 [heap] + f7551000-f770d000 r-xp 00000000 08:05 794765 /usr/lib/hppa-linux-gnu/libc.so.6 + ... + +and this kernel uses the broken implementation of __clzdi2(): + + root@debian:~# cat /proc/self/maps + 0000000010000-0000000019000 r-xp 00000000 000000008:000000005 787324 /usr/bin/cat + 0000000019000-000000001a000 rwxp 000000009000 000000008:000000005 787324 /usr/bin/cat + 000000001a000-000000003b000 rwxp 00000000 00:00 0 [heap] + 00000000f73d1000-00000000f758d000 r-xp 00000000 000000008:000000005 794765 /usr/lib/hppa-linux-gnu/libc.so.6 + ... + +Signed-off-by: Helge Deller +Fixes: 4df87bb7b6a22 ("lib: add weak clz/ctz functions") +Cc: Chanho Min +Cc: Geert Uytterhoeven +Cc: stable@vger.kernel.org # v3.11+ +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + lib/clz_ctz.c | 32 ++++++-------------------------- + 1 file changed, 6 insertions(+), 26 deletions(-) + +--- a/lib/clz_ctz.c ++++ b/lib/clz_ctz.c +@@ -30,36 +30,16 @@ int __weak __clzsi2(int val) + } + EXPORT_SYMBOL(__clzsi2); + +-int __weak __clzdi2(long val); +-int __weak __ctzdi2(long val); +-#if BITS_PER_LONG == 32 +- +-int __weak __clzdi2(long val) ++int __weak __clzdi2(u64 val); ++int __weak __clzdi2(u64 val) + { +- return 32 - fls((int)val); ++ return 64 - fls64(val); + } + EXPORT_SYMBOL(__clzdi2); + +-int __weak __ctzdi2(long val) ++int __weak __ctzdi2(u64 val); ++int __weak __ctzdi2(u64 val) + { +- return __ffs((u32)val); ++ return __ffs64(val); + } + EXPORT_SYMBOL(__ctzdi2); +- +-#elif BITS_PER_LONG == 64 +- +-int __weak __clzdi2(long val) +-{ +- return 64 - fls64((u64)val); +-} +-EXPORT_SYMBOL(__clzdi2); +- +-int __weak __ctzdi2(long val) +-{ +- return __ffs64((u64)val); +-} +-EXPORT_SYMBOL(__ctzdi2); +- +-#else +-#error BITS_PER_LONG not 32 or 64 +-#endif diff --git a/queue-4.14/media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch b/queue-4.14/media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch new file mode 100644 index 00000000000..e198b023a1a --- /dev/null +++ b/queue-4.14/media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch @@ -0,0 +1,37 @@ +From e7f2e65699e2290fd547ec12a17008764e5d9620 Mon Sep 17 00:00:00 2001 +From: Wei Chen +Date: Thu, 10 Aug 2023 08:23:33 +0000 +Subject: media: vcodec: Fix potential array out-of-bounds in encoder queue_setup + +From: Wei Chen + +commit e7f2e65699e2290fd547ec12a17008764e5d9620 upstream. + +variable *nplanes is provided by user via system call argument. The +possible value of q_data->fmt->num_planes is 1-3, while the value +of *nplanes can be 1-8. The array access by index i can cause array +out-of-bounds. + +Fix this bug by checking *nplanes against the array size. + +Fixes: 4e855a6efa54 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver") +Signed-off-by: Wei Chen +Cc: stable@vger.kernel.org +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Hans Verkuil +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c ++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c +@@ -766,6 +766,8 @@ static int vb2ops_venc_queue_setup(struc + return -EINVAL; + + if (*nplanes) { ++ if (*nplanes != q_data->fmt->num_planes) ++ return -EINVAL; + for (i = 0; i < *nplanes; i++) + if (sizes[i] < q_data->sizeimage[i]) + return -EINVAL; diff --git a/queue-4.14/series b/queue-4.14/series index f05a8fc2139..ad65d7d7652 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -44,3 +44,9 @@ igb-avoid-starting-unnecessary-workqueues.patch ipvs-improve-robustness-to-the-ipvs-sysctl.patch ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch ibmveth-use-dcbf-rather-than-dcbfl.patch +batman-adv-trigger-events-for-auto-adjusted-mtu.patch +batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch +batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch +batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch +lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch +media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch