From 73229319b0f83df263863827b600978f57d3613b Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: May 25 2023 06:19:14 +0000
Subject: media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish (git-fixes).
---
diff --git a/patches.suse/media-pci-tw68-Fix-null-ptr-deref-bug-in-buf-prepare.patch b/patches.suse/media-pci-tw68-Fix-null-ptr-deref-bug-in-buf-prepare.patch
new file mode 100644
index 0000000..5daabea
--- /dev/null
+++ b/patches.suse/media-pci-tw68-Fix-null-ptr-deref-bug-in-buf-prepare.patch
@@ -0,0 +1,91 @@
+From 1634b7adcc5bef645b3666fdd564e5952a9e24e0 Mon Sep 17 00:00:00 2001
+From: harperchen
+Date: Fri, 3 Mar 2023 16:30:11 +0100
+Subject: [PATCH] media: pci: tw68: Fix null-ptr-deref bug in buf prepare and finish
+Git-commit: 1634b7adcc5bef645b3666fdd564e5952a9e24e0
+Patch-mainline: v6.4-rc1
+References: git-fixes
+
+When the driver calls tw68_risc_buffer() to prepare the buffer, the
+function call dma_alloc_coherent may fail, resulting in a empty buffer
+buf->cpu. Later when we free the buffer or access the buffer, null ptr
+deref is triggered.
+
+This bug is similar to the following one:
+https://git.linuxtv.org/media_stage.git/commit/?id=2b064d91440b33fba5b452f2d1b31f13ae911d71.
+
+We believe the bug can be also dynamically triggered from user side.
+Similarly, we fix this by checking the return value of tw68_risc_buffer()
+and the value of buf->cpu before buffer free.
+
+Signed-off-by: harperchen
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Acked-by: Takashi Iwai
+
+---
+ drivers/media/pci/tw68/tw68-video.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/pci/tw68/tw68-video.c b/drivers/media/pci/tw68/tw68-video.c
+index 0cbc5b038073..773a18702d36 100644
+--- a/drivers/media/pci/tw68/tw68-video.c
++++ b/drivers/media/pci/tw68/tw68-video.c
+@@ -437,6 +437,7 @@ static void tw68_buf_queue(struct vb2_buffer *vb)
+ */
+ static int tw68_buf_prepare(struct vb2_buffer *vb)
+ {
++ int ret;
+ struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb);
+ struct vb2_queue *vq = vb->vb2_queue;
+ struct tw68_dev *dev = vb2_get_drv_priv(vq);
+@@ -452,30 +453,30 @@ static int tw68_buf_prepare(struct vb2_buffer *vb)
+ bpl = (dev->width * dev->fmt->depth) >> 3;
+ switch (dev->field) {
+ case V4L2_FIELD_TOP:
+- tw68_risc_buffer(dev->pci, buf, dma->sgl,
++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl,
+ 0, UNSET, bpl, 0, dev->height);
+ break;
+ case V4L2_FIELD_BOTTOM:
+- tw68_risc_buffer(dev->pci, buf, dma->sgl,
++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl,
+ UNSET, 0, bpl, 0, dev->height);
+ break;
+ case V4L2_FIELD_SEQ_TB:
+- tw68_risc_buffer(dev->pci, buf, dma->sgl,
++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl,
+ 0, bpl * (dev->height >> 1),
+ bpl, 0, dev->height >> 1);
+ break;
+ case V4L2_FIELD_SEQ_BT:
+- tw68_risc_buffer(dev->pci, buf, dma->sgl,
++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl,
+ bpl * (dev->height >> 1), 0,
+ bpl, 0, dev->height >> 1);
+ break;
+ case V4L2_FIELD_INTERLACED:
+ default:
+- tw68_risc_buffer(dev->pci, buf, dma->sgl,
++ ret = tw68_risc_buffer(dev->pci, buf, dma->sgl,
+ 0, bpl, bpl, bpl, dev->height >> 1);
+ break;
+ }
+- return 0;
++ return ret;
+ }
+
+ static void tw68_buf_finish(struct vb2_buffer *vb)
+@@ -485,7 +486,8 @@ static void tw68_buf_finish(struct vb2_buffer *vb)
+ struct tw68_dev *dev = vb2_get_drv_priv(vq);
+ struct tw68_buf *buf = container_of(vbuf, struct tw68_buf, vb);
+
+- dma_free_coherent(&dev->pci->dev, buf->size, buf->cpu, buf->dma);
++ if (buf->cpu)
++ dma_free_coherent(&dev->pci->dev, buf->size, buf->cpu, buf->dma);
+ }
+
+ static int tw68_start_streaming(struct vb2_queue *q, unsigned int count)
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 14d8e54..2d9dddf 100644
--- a/series.conf
+++ b/series.conf
@@ -19845,6 +19845,7 @@
 patches.suse/drm-amd-display-Fix-potential-null-dereference.patch
 patches.suse/drm-i915-Make-intel_get_crtc_new_encoder-less-oopsy.patch
 patches.suse/media-cx23885-Fix-a-null-ptr-deref-bug-in-buffer_pre.patch
+ patches.suse/media-pci-tw68-Fix-null-ptr-deref-bug-in-buf-prepare.patch
 patches.suse/media-av7110-prevent-underflow-in-write_ts_to_decode.patch
 patches.suse/media-max9286-Free-control-handler.patch
 patches.suse/media-rkvdec-fix-use-after-free-bug-in-rkvdec_remove.patch
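Review bot: The new `if (buf->cpu)` guard in tw68_buf_finish (third hunk of the embedded patch) tests a pointer that is never reset after `dma_free_coherent`, so the check only holds if tw68_risc_buffer writes NULL into buf->cpu on allocation failure and no earlier allocation left a stale value behind; tw68_risc_buffer is not visible here, so that dependency is inferred rather than shown. Clearing the pointer inside the guarded branch, `buf->cpu = NULL;` right after the free, makes the guard self-contained and turns any repeated finish on the same buffer into a no-op instead of a double free. In tw68_buf_prepare every switch arm including `default` now assigns `ret`, so `return ret` is well-defined, but a one-line comment such as `/* vb2 does not call buf_finish for a buffer whose prepare failed */` would document the contract the `buf->cpu` check relies on, assuming that is indeed how the queue core behaves. Both tw68_buf_prepare and tw68_buf_finish begin before their respective hunks; the finish function's signature is visible only in the hunk header.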