Re: [PATCH 4.4 058/103] [media] ttusb2: limit messages to buffer size
[Dropped cc to stable and LKML.]
On Tue, 2017-05-23 at 22:09 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch. If anyone has any objections, please let me know.
>
> --
>
> From: Alyssa Milburn <amilb...@zall.org>
>
> commit a12b8ab8c5ff7ccd7b107a564743507c850a441d upstream.
>
> Otherwise ttusb2_i2c_xfer can read or write beyond the end of static and
> heap buffers.
This function has another problem: it uses per-device mutexes to guard
access to static buffers. This only works as long as there's a single
device. It should be using per-device buffers (or a static mutex, but
that's less good).
Ben.
> Signed-off-by: Alyssa Milburn <amilb...@zall.org>
> Signed-off-by: Mauro Carvalho Chehab <mche...@s-opensource.com>
> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
>
> ---
> drivers/media/usb/dvb-usb/ttusb2.c | 19 +++
> 1 file changed, 19 insertions(+)
>
> --- a/drivers/media/usb/dvb-usb/ttusb2.c
> +++ b/drivers/media/usb/dvb-usb/ttusb2.c
> @@ -78,6 +78,9 @@ static int ttusb2_msg(struct dvb_usb_dev
> u8 *s, *r = NULL;
> int ret = 0;
>
> + if (4 + rlen > 64)
> + return -EIO;
> +
> s = kzalloc(wlen+4, GFP_KERNEL);
> if (!s)
> return -ENOMEM;
> @@ -381,6 +384,22 @@ static int ttusb2_i2c_xfer(struct i2c_ad
> write_read = i+1 < num && (msg[i+1].flags & I2C_M_RD);
> read = msg[i].flags & I2C_M_RD;
>
> + if (3 + msg[i].len > sizeof(obuf)) {
> + err("i2c wr len=%d too high", msg[i].len);
> + break;
> + }
> + if (write_read) {
> + if (3 + msg[i+1].len > sizeof(ibuf)) {
> + err("i2c rd len=%d too high", msg[i+1].len);
> + break;
> + }
> + } else if (read) {
> + if (3 + msg[i].len > sizeof(ibuf)) {
> + err("i2c rd len=%d too high", msg[i].len);
> + break;
> + }
> + }
> +
> obuf[0] = (msg[i].addr << 1) | (write_read | read);
> if (read)
> obuf[1] = 0;
>
>
>
--
Ben Hutchings
Software Developer, Codethink Ltd.
Re: [PATCH] v4l2-dv-timings.h: fix polarity for 4k formats
On Mon, 2016-05-02 at 10:11 +0200, Hans Verkuil wrote: > Backport to 3.16-4.0 of mainline commit > 3020ca711871fdaf0c15c8bab677a6bc302e28fe > > The VSync polarity was negative instead of positive for the 4k CEA formats. > I probably copy-and-pasted these from the DMT 4k format, which does have a > negative VSync polarity. > > Signed-off-by: Hans Verkuil <hans.verk...@cisco.com> > Reported-by: Martin Bugge <marbu...@cisco.com> > Signed-off-by: Mauro Carvalho Chehab <mche...@osg.samsung.com> [...] I've belatedly queued this up for 3.16. Ben. -- Ben Hutchings compatible: Gracefully accepts erroneous data from any source signature.asc Description: This is a digitally signed message part
Re: [PATCH 1/1] s2255drv: f2255usb: firmware version 1.2.8
On Fri, 2017-11-03 at 13:33 -0700, Dean Anderson wrote: > Updates the firmware for the s2255drv driver. > Adds support for NTSC4.43, horizontal/vertical adjustments and > Motion JPEG capture mode improvements. > > Signed-off-by: Dean Anderson <d...@sensoray.com> > --- > f2255usb.bin | Bin 180776 -> 181312 bytes > 1 file changed, 0 insertions(+), 0 deletions(-) [...] Applied, thanks. Ben. -- Ben Hutchings When in doubt, use brute force. - Ken Thompson signature.asc Description: This is a digitally signed message part
[PATCH] Documentation/media: uapi: Explicitly say there are no Invariant Sections
The GNU Free Documentation License allows for a work to specify Invariant Sections that are not allowed to be modified. (Debian considers that this makes such works non-free.) The Linux Media Infrastructure userspace API documentation does not specify any such sections, but it also doesn't say there are none (as is recommended by the license text). Make it explicit that there are none. References: https://bugs.debian.org/698668 Signed-off-by: Ben Hutchings --- Documentation/media/media_uapi.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Documentation/media/media_uapi.rst b/Documentation/media/media_uapi.rst index 28eb35a1f965..5198ff24a094 100644 --- a/Documentation/media/media_uapi.rst +++ b/Documentation/media/media_uapi.rst @@ -10,9 +10,9 @@ Linux Media Infrastructure userspace API Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or -any later version published by the Free Software Foundation. A copy of -the license is included in the chapter entitled "GNU Free Documentation -License". +any later version published by the Free Software Foundation, with no +Invariant Sections. A copy of the license is included in the chapter +entitled "GNU Free Documentation License". .. only:: html signature.asc Description: Digital signature
Re: [PATCH] Documentation/media: uapi: Explicitly say there are no Invariant Sections
Are you still waiting for agreement from any contributors, or is this ready to apply? Ben. On Fri, 2018-08-03 at 15:41 +0100, Ben Hutchings wrote: > The GNU Free Documentation License allows for a work to specify > Invariant Sections that are not allowed to be modified. (Debian > considers that this makes such works non-free.) > > The Linux Media Infrastructure userspace API documentation does not > specify any such sections, but it also doesn't say there are none (as > is recommended by the license text). Make it explicit that there are > none. > > References: https://bugs.debian.org/698668 > Signed-off-by: Ben Hutchings > --- > Documentation/media/media_uapi.rst | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/Documentation/media/media_uapi.rst > b/Documentation/media/media_uapi.rst > index 28eb35a1f965..5198ff24a094 100644 > --- a/Documentation/media/media_uapi.rst > +++ b/Documentation/media/media_uapi.rst > @@ -10,9 +10,9 @@ Linux Media Infrastructure userspace API > > Permission is granted to copy, distribute and/or modify this document > under the terms of the GNU Free Documentation License, Version 1.1 or > -any later version published by the Free Software Foundation. A copy of > -the license is included in the chapter entitled "GNU Free Documentation > -License". > +any later version published by the Free Software Foundation, with no > +Invariant Sections. A copy of the license is included in the chapter > +entitled "GNU Free Documentation License". > > .. only:: html > -- Ben Hutchings I'm always amazed by the number of people who take up solipsism because they heard someone else explain it. - E*Borg on alt.fan.pratchett signature.asc Description: This is a digitally signed message part
Re: [PATCH for v3.16 00/14] v4l2-compat-ioctl32.c: remove set_fs(KERNEL_DS)
On Wed, 2018-02-14 at 12:59 +0100, Hans Verkuil wrote: > From: Hans Verkuil <hans.verk...@cisco.com> > > This patch series fixes a number of bugs and culminates in the removal > of the set_fs(KERNEL_DS) call in v4l2-compat-ioctl32.c. > > This was tested with a VM running 3.16, the vivi driver (a poor substitute for > the much improved vivid driver that's available in later kernels, but it's the > best I had) since that emulates the more common V4L2 ioctls that need to pass > through v4l2-compat-ioctl32.c) and the 32-bit v4l2-compliance + 32-bit > v4l2-ctl > utilities that together exercised the most common ioctls. > > Most of the v4l2-compat-ioctl32.c do cleanups and fix subtle issues that > v4l2-compliance complained about. The purpose is to 1) make it easy to > verify that the final patch didn't introduce errors by first eliminating > errors caused by other known bugs, and 2) keep the final patch at least > somewhat readable. > > While compiling the media drivers for 3.16 I also came across a bug > introduced in the 3.16 stable series that caused a compile error in the > adv7604 driver. That's fixed in the first patch. Call it a bonus patch :-) Thanks, I've queued up all of these. However, I rebased these on top of some earlier fixes to v4l2-compat-ioctl32.c which you incorporated into your backports. Ben. -- Ben Hutchings If the facts do not conform to your theory, they must be disposed of. signature.asc Description: This is a digitally signed message part
Re: [PATCH for v3.2 00/12] v4l2-compat-ioctl32.c: remove set_fs(KERNEL_DS)
On Wed, 2018-02-14 at 13:03 +0100, Hans Verkuil wrote: > From: Hans Verkuil <hans.verk...@cisco.com> > > This patch series fixes a number of bugs and culminates in the removal > of the set_fs(KERNEL_DS) call in v4l2-compat-ioctl32.c. > > This was tested with a VM running 3.2, the vivi driver (a poor substitute for > the much improved vivid driver that's available in later kernels, but it's the > best I had) since that emulates the more common V4L2 ioctls that need to pass > through v4l2-compat-ioctl32.c) and the 32-bit v4l2-compliance + 32-bit > v4l2-ctl > utilities that together exercised the most common ioctls. > > Most of the v4l2-compat-ioctl32.c do cleanups and fix subtle issues that > v4l2-compliance complained about. The purpose is to 1) make it easy to > verify that the final patch didn't introduce errors by first eliminating > errors caused by other known bugs, and 2) keep the final patch at least > somewhat readable. Thanks, I've queued up all of these. Again, I rebased these on top of some earlier fixes to v4l2-compat-ioctl32.c which you incorporated into your backports. Ben. > Regards, > > Hans > > Daniel Mentz (2): > media: v4l2-compat-ioctl32: Copy v4l2_window->global_alpha > media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic > > Hans Verkuil (10): > media: v4l2-ioctl.c: don't copy back the result for -ENOTTY > media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF > media: v4l2-compat-ioctl32.c: fix the indentation > media: v4l2-compat-ioctl32.c: move 'helper' functions to > __get/put_v4l2_format32 > media: v4l2-compat-ioctl32.c: avoid sizeof(type) > media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32 > media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer > media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32 > media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type > media: v4l2-compat-ioctl32.c: don't copy back the result for certain > errors > > drivers/media/video/Makefile | 7 +- > drivers/media/video/v4l2-compat-ioctl32.c | 966 > ++++++ > drivers/media/video/v4l2-ioctl.c | 6 +- > 3 files changed, 597 insertions(+), 382 deletions(-) > -- Ben Hutchings If the facts do not conform to your theory, they must be disposed of. signature.asc Description: This is a digitally signed message part
Re: [PATCH v3.16 0/2] V4L2 event subscription fixes
On Thu, 2018-11-08 at 14:03 +0200, Sakari Ailus wrote: > Hi Ben, > > The two patches fix a use-after-free issue in V4L2 event handling. The > first patch that fixes that issue is already in the other stable trees (as > well as Linus's tree) whereas the second that fixes a bug in the first > one, is in the media tree only as of yet. Thanks. I'll apply the first now and hold the second until the corresponding commit gets into Linus's tree. Ben. > https://git.linuxtv.org/media_tree.git/commit/?id=92539d3eda2c090b382699bbb896d4b54e9bdece> > > Sakari Ailus (2): > v4l: event: Prevent freeing event subscriptions while accessed > v4l: event: Add subscription to list before calling "add" operation > > drivers/media/v4l2-core/v4l2-event.c | 63 > > drivers/media/v4l2-core/v4l2-fh.c| 2 ++ > include/media/v4l2-fh.h | 1 + > 3 files changed, 38 insertions(+), 28 deletions(-) > -- Ben Hutchings Knowledge is power. France is bacon. signature.asc Description: This is a digitally signed message part
