From: Greg Kroah-Hartman Date: Thu, 15 Jul 2021 14:43:36 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.133~22 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f34e30d8e0a2eded6c3131780c99feaa1010ae22;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: media-dtv5100-fix-control-request-directions.patch media-gspca-sq905-fix-control-request-direction.patch media-gspca-sunplus-fix-zero-length-control-requests.patch media-rtl28xxu-fix-zero-length-control-request.patch media-uvcvideo-fix-pixel-format-change-for-elgato-cam-link-4k.patch media-zr364xx-fix-memory-leak-in-zr364xx_start_readpipe.patch
---
diff --git a/queue-5.4/media-dtv5100-fix-control-request-directions.patch b/queue-5.4/media-dtv5100-fix-control-request-directions.patch
new file mode 100644
index 00000000000..c8e7d36e9fb
--- /dev/null
+++ b/queue-5.4/media-dtv5100-fix-control-request-directions.patch
@@ -0,0 +1,69 @@
+From 8c8b9a9be2afa8bd6a72ad1130532baab9fab89d Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 21 May 2021 15:28:38 +0200
+Subject: media: dtv5100: fix control-request directions
+
+From: Johan Hovold
+
+commit 8c8b9a9be2afa8bd6a72ad1130532baab9fab89d upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Fix the control requests which erroneously used usb_rcvctrlpipe().
+
+Fixes: 8466028be792 ("V4L/DVB (8734): Initial support for AME DTV-5100 USB2.0 DVB-T")
+Cc: stable@vger.kernel.org # 2.6.28
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/dvb-usb/dtv5100.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dtv5100.c
++++ b/drivers/media/usb/dvb-usb/dtv5100.c
+@@ -26,6 +26,7 @@ static int dtv5100_i2c_msg(struct dvb_us
+ u8 *wbuf, u16 wlen, u8 *rbuf, u16 rlen)
+ {
+ struct dtv5100_state *st = d->priv;
++ unsigned int pipe;
+ u8 request;
+ u8 type;
+ u16 value;
+@@ -34,6 +35,7 @@ static int dtv5100_i2c_msg(struct dvb_us
+ switch (wlen) {
+ case 1:
+ /* write { reg }, read { value } */
++ pipe = usb_rcvctrlpipe(d->udev, 0);
+ request = (addr == DTV5100_DEMOD_ADDR ? DTV5100_DEMOD_READ :
+ DTV5100_TUNER_READ);
+ type = USB_TYPE_VENDOR | USB_DIR_IN;
+@@ -41,6 +43,7 @@ static int dtv5100_i2c_msg(struct dvb_us
+ break;
+ case 2:
+ /* write { reg, value } */
++ pipe = usb_sndctrlpipe(d->udev, 0);
+ request = (addr == DTV5100_DEMOD_ADDR ? DTV5100_DEMOD_WRITE :
+ DTV5100_TUNER_WRITE);
+ type = USB_TYPE_VENDOR | USB_DIR_OUT;
+@@ -54,7 +57,7 @@ static int dtv5100_i2c_msg(struct dvb_us
+
+ memcpy(st->data, rbuf, rlen);
+ msleep(1); /* avoid I2C errors */
+- return usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), request,
++ return usb_control_msg(d->udev, pipe, request,
+ type, value, index, st->data, rlen,
+ DTV5100_USB_TIMEOUT);
+ }
+@@ -141,7 +144,7 @@ static int dtv5100_probe(struct usb_inte
+
+ /* initialize non qt1010/zl10353 part? */
+ for (i = 0; dtv5100_init[i].request; i++) {
+- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ dtv5100_init[i].request,
+ USB_TYPE_VENDOR | USB_DIR_OUT,
+ dtv5100_init[i].value,
diff --git a/queue-5.4/media-gspca-sq905-fix-control-request-direction.patch b/queue-5.4/media-gspca-sq905-fix-control-request-direction.patch
new file mode 100644
index 00000000000..e4d792e82c0
--- /dev/null
+++ b/queue-5.4/media-gspca-sq905-fix-control-request-direction.patch
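Review bot: In dtv5100_i2c_msg() the read case has no visible path that hands the received data back to the caller: the context lines copy rbuf into st->data, run the transfer into st->data and return usb_control_msg()'s result directly, so for wlen == 1 rbuf stays as the caller passed it. Unless callers read st->data themselves (not visible in this patch), keep the result in a local `int ret` and copy back on an IN transfer, e.g. `if (ret > 0 && (type & USB_DIR_IN)) memcpy(rbuf, st->data, ret);` before `return ret;`. The default arm of the switch is outside the hunks, so also confirm it returns before the call, since `pipe` is assigned only in cases 1 and 2.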
@@ -0,0 +1,37 @@
+From 53ae298fde7adcc4b1432bce2dbdf8dac54dfa72 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 21 May 2021 15:28:39 +0200
+Subject: media: gspca/sq905: fix control-request direction
+
+From: Johan Hovold
+
+commit 53ae298fde7adcc4b1432bce2dbdf8dac54dfa72 upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Fix the USB_REQ_SYNCH_FRAME request which erroneously used
+usb_sndctrlpipe().
+
+Fixes: 27d35fc3fb06 ("V4L/DVB (10639): gspca - sq905: New subdriver.")
+Cc: stable@vger.kernel.org # 2.6.30
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/gspca/sq905.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/gspca/sq905.c
++++ b/drivers/media/usb/gspca/sq905.c
+@@ -116,7 +116,7 @@ static int sq905_command(struct gspca_de
+ }
+
+ ret = usb_control_msg(gspca_dev->dev,
+- usb_sndctrlpipe(gspca_dev->dev, 0),
++ usb_rcvctrlpipe(gspca_dev->dev, 0),
+ USB_REQ_SYNCH_FRAME, /* request */
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ SQ905_PING, 0, gspca_dev->usb_buf, 1,
diff --git a/queue-5.4/media-gspca-sunplus-fix-zero-length-control-requests.patch b/queue-5.4/media-gspca-sunplus-fix-zero-length-control-requests.patch
new file mode 100644
index 00000000000..0efc43bb0c9
--- /dev/null
+++ b/queue-5.4/media-gspca-sunplus-fix-zero-length-control-requests.patch
@@ -0,0 +1,62 @@
+From b4bb4d425b7b02424afea2dfdcd77b3b4794175e Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 24 May 2021 13:09:19 +0200
+Subject: media: gspca/sunplus: fix zero-length control requests
+
+From: Johan Hovold
+
+commit b4bb4d425b7b02424afea2dfdcd77b3b4794175e upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Control transfers without a data stage are treated as OUT requests by
+the USB stack and should be using usb_sndctrlpipe(). Failing to do so
+will now trigger a warning.
+
+Fix the single zero-length control request which was using the
+read-register helper, and update the helper so that zero-length reads
+fail with an error message instead.
+
+Fixes: 6a7eba24e4f0 ("V4L/DVB (8157): gspca: all subdrivers")
+Cc: stable@vger.kernel.org # 2.6.27
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/gspca/sunplus.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/gspca/sunplus.c
++++ b/drivers/media/usb/gspca/sunplus.c
+@@ -242,6 +242,10 @@ static void reg_r(struct gspca_dev *gspc
+ gspca_err(gspca_dev, "reg_r: buffer overflow\n");
+ return;
+ }
++ if (len == 0) {
++ gspca_err(gspca_dev, "reg_r: zero-length read\n");
++ return;
++ }
+ if (gspca_dev->usb_err < 0)
+ return;
+ ret = usb_control_msg(gspca_dev->dev,
+@@ -250,7 +254,7 @@ static void reg_r(struct gspca_dev *gspc
+ USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0, /* value */
+ index,
+- len ? gspca_dev->usb_buf : NULL, len,
++ gspca_dev->usb_buf, len,
+ 500);
+ if (ret < 0) {
+ pr_err("reg_r err %d\n", ret);
+@@ -727,7 +731,7 @@ static int sd_start(struct gspca_dev *gs
+ case MegaImageVI:
+ reg_w_riv(gspca_dev, 0xf0, 0, 0);
+ spca504B_WaitCmdStatus(gspca_dev);
+- reg_r(gspca_dev, 0xf0, 4, 0);
++ reg_w_riv(gspca_dev, 0xf0, 4, 0);
+ spca504B_WaitCmdStatus(gspca_dev);
+ break;
+ default:
diff --git a/queue-5.4/media-rtl28xxu-fix-zero-length-control-request.patch b/queue-5.4/media-rtl28xxu-fix-zero-length-control-request.patch
new file mode 100644
index 00000000000..d9918db2444
--- /dev/null
+++ b/queue-5.4/media-rtl28xxu-fix-zero-length-control-request.patch
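Review bot: The new `len == 0` branch in reg_r() logs and returns without recording a failure, although the context line right after it (`if (gspca_dev->usb_err < 0) return;`) shows that usb_err is the state later calls key off. A caller that goes on to read gspca_dev->usb_buf then sees whatever an earlier transfer left there; the buffer-overflow branch just above behaves the same way. Consider adding `gspca_dev->usb_err = -EINVAL;` before the `return;` in the new branch. How callers consume usb_err after reg_r() is outside the hunk, so check that a sticky error is acceptable on those paths.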
@@ -0,0 +1,45 @@
+From 25d5ce3a606a1eb23a9265d615a92a876ff9cb5f Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 24 May 2021 13:09:20 +0200
+Subject: media: rtl28xxu: fix zero-length control request
+
+From: Johan Hovold
+
+commit 25d5ce3a606a1eb23a9265d615a92a876ff9cb5f upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Control transfers without a data stage are treated as OUT requests by
+the USB stack and should be using usb_sndctrlpipe(). Failing to do so
+will now trigger a warning.
+
+Fix the zero-length i2c-read request used for type detection by
+attempting to read a single byte instead.
+
+Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com
+Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type")
+Cc: stable@vger.kernel.org # 4.0
+Cc: Antti Palosaari
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+@@ -609,8 +609,9 @@ static int rtl28xxu_read_config(struct d
+ static int rtl28xxu_identify_state(struct dvb_usb_device *d, const char **name)
+ {
+ struct rtl28xxu_dev *dev = d_to_priv(d);
++ u8 buf[1];
+ int ret;
+- struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 0, NULL};
++ struct rtl28xxu_req req_demod_i2c = {0x0020, CMD_I2C_DA_RD, 1, buf};
+
+ dev_dbg(&d->intf->dev, "\n");
+
diff --git a/queue-5.4/media-uvcvideo-fix-pixel-format-change-for-elgato-cam-link-4k.patch b/queue-5.4/media-uvcvideo-fix-pixel-format-change-for-elgato-cam-link-4k.patch
new file mode 100644
index 00000000000..5d6df04b80c
--- /dev/null
+++ b/queue-5.4/media-uvcvideo-fix-pixel-format-change-for-elgato-cam-link-4k.patch
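Review bot: `u8 buf[1]` in rtl28xxu_identify_state() is a stack buffer that now becomes the data pointer of a one-byte read request, so it matters how the request helper hands req->data to the USB core. That helper is not part of this hunk; if it passes the pointer straight to usb_control_msg() the transfer would target stack memory, which is not DMA-safe, so confirm it bounces through a heap buffer owned by the device state. A short comment would also help the next reader, for example `/* dummy one-byte read: a zero-length read would be treated as an OUT request by the USB stack */`; the byte itself looks unused in the visible lines.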
@@ -0,0 +1,122 @@
+From 4c6e0976295add7f0ed94d276c04a3d6f1ea8f83 Mon Sep 17 00:00:00 2001
+From: Benjamin Drung
+Date: Sat, 5 Jun 2021 22:15:36 +0200
+Subject: media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K
+
+From: Benjamin Drung
+
+commit 4c6e0976295add7f0ed94d276c04a3d6f1ea8f83 upstream.
+
+The Elgato Cam Link 4K HDMI video capture card reports to support three
+different pixel formats, where the first format depends on the connected
+HDMI device.
+
+```
+$ v4l2-ctl -d /dev/video0 --list-formats-ext
+ioctl: VIDIOC_ENUM_FMT
+ Type: Video Capture
+
+ [0]: 'NV12' (Y/CbCr 4:2:0)
+ Size: Discrete 3840x2160
+ Interval: Discrete 0.033s (29.970 fps)
+ [1]: 'NV12' (Y/CbCr 4:2:0)
+ Size: Discrete 3840x2160
+ Interval: Discrete 0.033s (29.970 fps)
+ [2]: 'YU12' (Planar YUV 4:2:0)
+ Size: Discrete 3840x2160
+ Interval: Discrete 0.033s (29.970 fps)
+```
+
+Changing the pixel format to anything besides the first pixel format
+does not work:
+
+```
+$ v4l2-ctl -d /dev/video0 --try-fmt-video pixelformat=YU12
+Format Video Capture:
+ Width/Height : 3840/2160
+ Pixel Format : 'NV12' (Y/CbCr 4:2:0)
+ Field : None
+ Bytes per Line : 3840
+ Size Image : 12441600
+ Colorspace : sRGB
+ Transfer Function : Rec. 709
+ YCbCr/HSV Encoding: Rec. 709
+ Quantization : Default (maps to Limited Range)
+ Flags :
+```
+
+User space applications like VLC might show an error message on the
+terminal in that case:
+
+```
+libv4l2: error set_fmt gave us a different result than try_fmt!
+```
+
+Depending on the error handling of the user space applications, they
+might display a distorted video, because they use the wrong pixel format
+for decoding the stream.
+
+The Elgato Cam Link 4K responds to the USB video probe
+VS_PROBE_CONTROL/VS_COMMIT_CONTROL with a malformed data structure: The
+second byte contains bFormatIndex (instead of being the second byte of
+bmHint). The first byte is always zero. The third byte is always 1.
+
+The firmware bug was reported to Elgato on 2020-12-01 and it was
+forwarded by the support team to the developers as feature request.
+There is no firmware update available since then. The latest firmware
+for Elgato Cam Link 4K as of 2021-03-23 has MCU 20.02.19 and FPGA 67.
+
+Therefore correct the malformed data structure for this device. The
+change was successfully tested with VLC, OBS, and Chromium using
+different pixel formats (YUYV, NV12, YU12), resolutions (3840x2160,
+1920x1080), and frame rates (29.970 and 59.940 fps).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Drung
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/uvc/uvc_video.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -124,10 +124,37 @@ int uvc_query_ctrl(struct uvc_device *de
+ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
+ struct uvc_streaming_control *ctrl)
+ {
++ static const struct usb_device_id elgato_cam_link_4k = {
++ USB_DEVICE(0x0fd9, 0x0066)
++ };
+ struct uvc_format *format = NULL;
+ struct uvc_frame *frame = NULL;
+ unsigned int i;
+
++ /*
++ * The response of the Elgato Cam Link 4K is incorrect: The second byte
++ * contains bFormatIndex (instead of being the second byte of bmHint).
++ * The first byte is always zero. The third byte is always 1.
++ *
++ * The UVC 1.5 class specification defines the first five bits in the
++ * bmHint bitfield. The remaining bits are reserved and should be zero.
++ * Therefore a valid bmHint will be less than 32.
++ *
++ * Latest Elgato Cam Link 4K firmware as of 2021-03-23 needs this fix.
++ * MCU: 20.02.19, FPGA: 67
++ */
++ if (usb_match_one_id(stream->dev->intf, &elgato_cam_link_4k) &&
++ ctrl->bmHint > 255) {
++ u8 corrected_format_index = ctrl->bmHint >> 8;
++
++ /* uvc_dbg(stream->dev, VIDEO,
++ "Correct USB video probe response from {bmHint: 0x%04x, bFormatIndex: %u} to {bmHint: 0x%04x, bFormatIndex: %u}\n",
++ ctrl->bmHint, ctrl->bFormatIndex,
++ 1, corrected_format_index); */
++ ctrl->bmHint = 1;
++ ctrl->bFormatIndex = corrected_format_index;
++ }
++
+ for (i = 0; i < stream->nformats; ++i) {
+ if (stream->format[i].index == ctrl->bFormatIndex) {
+ format = &stream->format[i];
diff --git a/queue-5.4/media-zr364xx-fix-memory-leak-in-zr364xx_start_readpipe.patch b/queue-5.4/media-zr364xx-fix-memory-leak-in-zr364xx_start_readpipe.patch
new file mode 100644
index 00000000000..671bd508ebd
--- /dev/null
+++ b/queue-5.4/media-zr364xx-fix-memory-leak-in-zr364xx_start_readpipe.patch
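Review bot: The block added to uvc_fixup_video_ctrl() carries a commented-out `uvc_dbg(...)` call, which leaves dead code in the fixup and no trace when a probe response is rewritten. Either drop the comment block or replace it with the debug helper this kernel version provides, so the rewrite of bmHint and bFormatIndex is visible when someone debugs a capture problem. The comment says a valid bmHint is below 32 while the test is `ctrl->bmHint > 255`; a remark such as `/* first byte is always zero on this device, so a set high byte marks the malformed layout */` would explain the threshold. The corrected index comes from device data and is checked only by the format lookup loop that follows, whose not-found handling is outside the hunk.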
@@ -0,0 +1,43 @@
+From 0a045eac8d0427b64577a24d74bb8347c905ac65 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Mon, 17 May 2021 21:18:14 +0200
+Subject: media: zr364xx: fix memory leak in zr364xx_start_readpipe
+
+From: Pavel Skripkin
+
+commit 0a045eac8d0427b64577a24d74bb8347c905ac65 upstream.
+
+syzbot reported memory leak in zr364xx driver.
+The problem was in non-freed urb in case of
+usb_submit_urb() fail.
+
+backtrace:
+ [] kmalloc include/linux/slab.h:561 [inline]
+ [] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74
+ [] zr364xx_start_readpipe+0x78/0x130 drivers/media/usb/zr364xx/zr364xx.c:1022
+ [] zr364xx_board_init drivers/media/usb/zr364xx/zr364xx.c:1383 [inline]
+ [] zr364xx_probe+0x6a3/0x851 drivers/media/usb/zr364xx/zr364xx.c:1516
+ [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
+ [] really_probe+0x159/0x500 drivers/base/dd.c:576
+
+Fixes: ccbf035ae5de ("V4L/DVB (12278): zr364xx: implement V4L2_CAP_STREAMING")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+af4fa391ef18efdd5f69@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/zr364xx/zr364xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -1037,6 +1037,7 @@ static int zr364xx_start_readpipe(struct
+ DBG("submitting URB %p\n", pipe_info->stream_urb);
+ retval = usb_submit_urb(pipe_info->stream_urb, GFP_KERNEL);
+ if (retval) {
++ usb_free_urb(pipe_info->stream_urb);
+ printk(KERN_ERR KBUILD_MODNAME ": start read pipe failed\n");
+ return retval;
+ }
diff --git a/queue-5.4/series b/queue-5.4/series
index 7316256383d..7bd5c99f87f 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
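Review bot: After the added `usb_free_urb(pipe_info->stream_urb);` the pointer still holds the freed URB, so any later teardown that tests or frees pipe_info->stream_urb would touch freed memory. The stop and disconnect paths are not in this hunk, so this is a hedge rather than a confirmed double free, but clearing the pointer costs nothing: add `pipe_info->stream_urb = NULL;` right after the free. zr364xx_start_readpipe() begins before the hunk, so the allocation site and any earlier error exits are not visible here.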
@@ -111,3 +111,9 @@ pci-leave-apple-thunderbolt-controllers-on-for-s2idle-or-standby.patch
 pci-aardvark-fix-checking-for-pio-non-posted-request.patch
 pci-aardvark-implement-workaround-for-the-readback-value-of-vend_id.patch
 media-subdev-disallow-ioctl-for-saa6588-davinci.patch
+media-dtv5100-fix-control-request-directions.patch
+media-zr364xx-fix-memory-leak-in-zr364xx_start_readpipe.patch
+media-gspca-sq905-fix-control-request-direction.patch
+media-gspca-sunplus-fix-zero-length-control-requests.patch
+media-rtl28xxu-fix-zero-length-control-request.patch
+media-uvcvideo-fix-pixel-format-change-for-elgato-cam-link-4k.patch