From: Greg Kroah-Hartman Date: Sat, 9 Nov 2024 12:01:48 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v5.15.172~68 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f97f880b9cc371918dfda223fbd639e225c4e58e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: media-cx24116-prevent-overflows-on-snr-calculus.patch media-s5p-jpeg-prevent-buffer-overflows.patch media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
---
diff --git a/queue-4.19/media-cx24116-prevent-overflows-on-snr-calculus.patch b/queue-4.19/media-cx24116-prevent-overflows-on-snr-calculus.patch
new file mode 100644
index 00000000000..da1564422da
--- /dev/null
+++ b/queue-4.19/media-cx24116-prevent-overflows-on-snr-calculus.patch
@@ -0,0 +1,46 @@
+From 576a307a7650bd544fbb24df801b9b7863b85e2f Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Tue, 15 Oct 2024 12:14:11 +0200
+Subject: media: cx24116: prevent overflows on SNR calculus
+
+From: Mauro Carvalho Chehab
+
+commit 576a307a7650bd544fbb24df801b9b7863b85e2f upstream.
+
+as reported by Coverity, if reading SNR registers fail, a negative
+number will be returned, causing an underflow when reading SNR
+registers.
+
+Prevent that.
+
+Fixes: 8953db793d5b ("V4L/DVB (9178): cx24116: Add module parameter to return SNR as ESNO.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/dvb-frontends/cx24116.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/cx24116.c
++++ b/drivers/media/dvb-frontends/cx24116.c
+@@ -753,6 +753,7 @@ static int cx24116_read_snr_pct(struct d
+ {
+ struct cx24116_state *state = fe->demodulator_priv;
+ u8 snr_reading;
++ int ret;
+ static const u32 snr_tab[] = { /* 10 x Table (rounded up) */
+ 0x00000, 0x0199A, 0x03333, 0x04ccD, 0x06667,
+ 0x08000, 0x0999A, 0x0b333, 0x0cccD, 0x0e667,
+@@ -761,7 +762,11 @@ static int cx24116_read_snr_pct(struct d
+
+ dprintk("%s()\n", __func__);
+
+- snr_reading = cx24116_readreg(state, CX24116_REG_QUALITY0);
++ ret = cx24116_readreg(state, CX24116_REG_QUALITY0);
++ if (ret < 0)
++ return ret;
++
++ snr_reading = ret;
+
+ if (snr_reading >= 0xa0 /* 100% */)
+ *snr = 0xffff;
diff --git a/queue-4.19/media-s5p-jpeg-prevent-buffer-overflows.patch b/queue-4.19/media-s5p-jpeg-prevent-buffer-overflows.patch
new file mode 100644
index 00000000000..f81d29b412f
--- /dev/null
+++ b/queue-4.19/media-s5p-jpeg-prevent-buffer-overflows.patch
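Review bot: On the new `if (ret < 0) return ret;` path in cx24116_read_snr_pct(), `*snr` is never written, so the fix is only complete if every caller checks the return value before using the SNR; the callers are not visible in this hunk. The narrowing `snr_reading = ret;` would also benefit from a comment stating why the int is kept first, for example `/* cx24116_readreg() returns a negative errno on failure; check it before narrowing to u8 */`. Other places in the driver that store cx24116_readreg() straight into a u8 would have the same truncation problem and are worth checking in the same pass, although none are shown here. The function body continues past the end of the hunk.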
@@ -0,0 +1,87 @@
+From 14a22762c3daeac59a5a534e124acbb4d7a79b3a Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Tue, 15 Oct 2024 11:10:31 +0200
+Subject: media: s5p-jpeg: prevent buffer overflows
+
+From: Mauro Carvalho Chehab
+
+commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream.
+
+The current logic allows word to be less than 2. If this happens,
+there will be buffer overflows, as reported by smatch. Add extra
+checks to prevent it.
+
+While here, remove an unused word = 0 assignment.
+
+Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab
+Reviewed-by: Jacek Anaszewski
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/s5p-jpeg/jpeg-core.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
++++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
+@@ -803,11 +803,14 @@ static void exynos4_jpeg_parse_decode_h_
+ (unsigned long)vb2_plane_vaddr(&vb->vb2_buf, 0) + ctx->out_q.sos + 2;
+ jpeg_buffer.curr = 0;
+
+- word = 0;
+-
+ if (get_word_be(&jpeg_buffer, &word))
+ return;
+- jpeg_buffer.size = (long)word - 2;
++
++ if (word < 2)
++ jpeg_buffer.size = 0;
++ else
++ jpeg_buffer.size = (long)word - 2;
++
+ jpeg_buffer.data += 2;
+ jpeg_buffer.curr = 0;
+
+@@ -1086,6 +1089,7 @@ static int get_word_be(struct s5p_jpeg_b
+ if (byte == -1)
+ return -1;
+ *word = (unsigned int)byte | temp;
++
+ return 0;
+ }
+
+@@ -1173,7 +1177,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
+- if (!length)
++ if (length <= 0)
+ return false;
+ sof = jpeg_buffer.curr; /* after 0xffc0 */
+ sof_len = length;
+@@ -1204,7 +1208,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
+- if (!length)
++ if (length <= 0)
+ return false;
+ if (n_dqt >= S5P_JPEG_MAX_MARKER)
+ return false;
+@@ -1217,7 +1221,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
+- if (!length)
++ if (length <= 0)
+ return false;
+ if (n_dht >= S5P_JPEG_MAX_MARKER)
+ return false;
+@@ -1242,6 +1246,7 @@ static bool s5p_jpeg_parse_hdr(struct s5
+ if (get_word_be(&jpeg_buffer, &word))
+ break;
+ length = (long)word - 2;
++ /* No need to check underflows as skip() does it */
+ skip(&jpeg_buffer, length);
+ break;
+ }
diff --git a/queue-4.19/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch b/queue-4.19/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
new file mode 100644
index 00000000000..02daf114acd
--- /dev/null
+++ b/queue-4.19/media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
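Review bot: The new `if (length <= 0)` checks in s5p_jpeg_parse_hdr() and the `word < 2` branch in the exynos4 Huffman-table parser only bound the segment length from below; nothing in these hunks compares the stream-supplied length with the bytes actually left in the buffer. Because `word` is read from the JPEG header, a length larger than the remaining payload would still be accepted here and recorded in `sof_len`, or used as `jpeg_buffer.size`, unless a check outside the visible lines rejects it. If there is no such check, something like `if (length <= 0 || length > jpeg_buffer.size - jpeg_buffer.curr) return false;` would close the upper side, with the types of the fields confirmed first. The added comment that skip() handles underflow relies on skip()'s body, which is not shown; naming the exact guard in that comment would make the dependency auditable.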
@@ -0,0 +1,36 @@
+From e6a3ea83fbe15d4818d01804e904cbb0e64e543b Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab
+Date: Wed, 16 Oct 2024 11:53:15 +0200
+Subject: media: v4l2-tpg: prevent the risk of a division by zero
+
+From: Mauro Carvalho Chehab
+
+commit e6a3ea83fbe15d4818d01804e904cbb0e64e543b upstream.
+
+As reported by Coverity, the logic at tpg_precalculate_line()
+blindly rescales the buffer even when scaled_witdh is equal to
+zero. If this ever happens, this will cause a division by zero.
+
+Instead, add a WARN_ON_ONCE() to trigger such cases and return
+without doing any precalculation.
+
+Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c
+@@ -1639,6 +1639,9 @@ static void tpg_precalculate_line(struct
+ unsigned p;
+ unsigned x;
+
++ if (WARN_ON_ONCE(!tpg->src_width || !tpg->scaled_width))
++ return;
++
+ switch (tpg->pattern) {
+ case TPG_PAT_GREEN:
+ contrast = TPG_COLOR_100_RED;
diff --git a/queue-4.19/series b/queue-4.19/series
index c43d2b5bbe4..d11f2132701 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -12,3 +12,6 @@ media-dvbdev-prevent-the-risk-of-out-of-memory-acces.patch
 media-dvb_frontend-don-t-play-tricks-with-underflow-.patch
 media-adv7604-prevent-underflow-condition-when-repor.patch
 alsa-firewire-lib-fix-return-value-on-fail-in-amdtp_.patch
+media-s5p-jpeg-prevent-buffer-overflows.patch
+media-cx24116-prevent-overflows-on-snr-calculus.patch
+media-v4l2-tpg-prevent-the-risk-of-a-division-by-zero.patch
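Review bot: The guard added at the top of tpg_precalculate_line() uses `WARN_ON_ONCE()`, which turns a zero `src_width` or `scaled_width` into a kernel warning; if either value can be driven to zero from a user-controlled format or scaling setting (not visible here), that is a crash on systems running with panic_on_warn. Rejecting the zero width where it is set, and keeping only a quiet `if (!tpg->src_width || !tpg->scaled_width) return;` here, would avoid that. The early return also skips all precalculation, so whatever the line buffers held before stays in place; a comment such as `/* widths of 0 would divide by zero below; leave the precalculated lines untouched */` would record that this is intended. The function body continues past the end of the hunk.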