Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=linux-6.0.y 2023-01-07T10:15:55+00:00 2023-01-07T10:15:55+00:00 Maximilian Luz luzmaximilian@gmail.com 2022-09-07T22:44:09+00:00 urn:sha1:611d617bdb6c5d636a9861ec1c98e813fc8a5556 commit dc608edf7d45ba0c2ad14c06eccd66474fec7847 upstream. Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose() with a subdev state of NULL leads to a NULL pointer dereference. This can currently happen in imgu_subdev_set_selection() when the state passed in is NULL, as this method first gets pointers to both the "try" and "active" states and only then decides which to use. The same issue has been addressed for imgu_subdev_get_selection() with commit 30d03a0de650 ("ipu3-imgu: Fix NULL pointer dereference in active selection access"). However the issue still persists in imgu_subdev_set_selection(). Therefore, apply a similar fix as done in the aforementioned commit to imgu_subdev_set_selection(). To keep things a bit cleaner, introduce helper functions for "crop" and "compose" access and use them in both imgu_subdev_set_selection() and imgu_subdev_get_selection(). Fixes: 0d346d2a6f54 ("media: v4l2-subdev: add subdev-wide state struct") Cc: stable@vger.kernel.org # for v5.14 and later Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-07T10:15:52+00:00 Luca Ceresoli luca.ceresoli@bootlin.com 2022-11-02T11:01:02+00:00 urn:sha1:6512c9498fcb97e7c760e3ef86b2272f2c0f765f commit c4d344163c3a7f90712525f931a6c016bbb35e18 upstream. At probe time this code path is followed: * tegra_csi_init * tegra_csi_channels_alloc * for_each_child_of_node(node, channel) -- iterates over channels * automatically gets 'channel' * tegra_csi_channel_alloc() * saves into chan->of_node a pointer to the channel OF node * automatically gets and puts 'channel' * now the node saved in chan->of_node has refcount 0, can disappear * tegra_csi_channels_init * iterates over channels * tegra_csi_channel_init -- uses chan->of_node After that, chan->of_node keeps storing the node until the device is removed. of_node_get() the node and of_node_put() it during teardown to avoid any risk. Fixes: 1ebaeb09830f ("media: tegra-video: Add support for external sensor capture") Cc: stable@vger.kernel.org Cc: Sowjanya Komatineni <skomatineni@nvidia.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-07T10:15:52+00:00 Luca Ceresoli luca.ceresoli@bootlin.com 2022-11-02T11:01:01+00:00 urn:sha1:5478dbaeb318b730305d985e5e8fd2570c087ccc commit 10b5ce6743c839fa75336042c64e2479caec9430 upstream. chan->mipi takes the return value of tegra_mipi_request() which can be a valid pointer or an error. However chan->mipi is checked in several places, including error-cleanup code in tegra_csi_channels_cleanup(), as 'if (chan->mipi)', which suggests the initial intent was that chan->mipi should be either NULL or a valid pointer, never an error. As a consequence, cleanup code in case of tegra_mipi_request() errors would dereference an invalid pointer. Fix by ensuring chan->mipi always contains either NULL or a void pointer. Also add that to the documentation. Fixes: 523c857e34ce ("media: tegra-video: Add CSI MIPI pads calibration") Cc: stable@vger.kernel.org Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-12-31T12:26:27+00:00 Chen Zhongjin chenzhongjin@huawei.com 2022-12-05T08:48:05+00:00 urn:sha1:a2a93546d414c7fe4862b87183fb737d1300d9d2 [ Upstream commit 7bef797d707f1744f71156b21d41e3b8c946631f ] In fake_init(), __root_device_register() is possible to fail but it's ignored, which can cause unregistering vme_root fail when exit. general protection fault, probably for non-canonical address 0xdffffc000000008c KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467] RIP: 0010:root_device_unregister+0x26/0x60 Call Trace: <TASK> __x64_sys_delete_module+0x34f/0x540 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Return error when __root_device_register() fails. Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver") Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com> Link: https://lore.kernel.org/r/20221205084805.147436-1-chenzhongjin@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-12-31T12:26:27+00:00 YueHaibing yuehaibing@huawei.com 2022-11-23T08:12:53+00:00 urn:sha1:ea6bcdf2ebd77386a5dd5862619b9f8bb8d38b8d [ Upstream commit d30f4436f364b4ad915ca2c09be07cd0f93ceb44 ] The skb is delivered to netif_rx() in rtllib_monitor_rx(), which may free it, after calling this, dereferencing skb may trigger use-after-free. Found by Smatch. Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek") Signed-off-by: YueHaibing <yuehaibing@huawei.com> Link: https://lore.kernel.org/r/20221123081253.22296-1-yuehaibing@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-12-31T12:26:27+00:00 Dan Carpenter error27@gmail.com 2022-11-23T06:43:14+00:00 urn:sha1:de174163c0d319ff06d622e79130a0017c8f5a6e [ Upstream commit bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac ] We cannot dereference the "skb" pointer after calling ieee80211_monitor_rx(), because it is a use after free. Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") Signed-off-by: Dan Carpenter <error27@gmail.com> Link: https://lore.kernel.org/r/Y33BArx3k/aw6yv/@kili Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-12-31T12:26:24+00:00 Gaosheng Cui cuigaosheng1@huawei.com 2022-11-17T03:59:14+00:00 urn:sha1:cf138759a7e92c75cfc1b7ba705e4108fe330edf [ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ] Smatch report warning as follows: drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn: '&entry->list' not removed from list In tsi148_dma_list_add(), the error path "goto err_dma" will not remove entry->list from list->entries, but entry will be freed, then list traversal may cause UAF. Fix by removeing it from list->entries before free(). Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping") Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-12-31T12:26:24+00:00 Duoming Zhou duoming@zju.edu.cn 2022-10-18T08:34:24+00:00 urn:sha1:0ac6306e997236894f20244209dee6b1fc1a22b6 [ Upstream commit ce8cc75c7419ad54cb99437543a54c97c7446db5 ] The rtw_join_timeout_handler() is a timer handler that runs in atomic context, but it could call msleep(). As a result, the sleep-in-atomic-context bug will happen. The process is shown below: (atomic context) rtw_join_timeout_handler _rtw_join_timeout_handler rtw_do_join rtw_select_and_join_from_scanned_queue rtw_indicate_disconnect rtw_lps_ctrl_wk_cmd lps_ctrl_wk_hdl LPS_Leave LPS_RF_ON_check msleep //sleep in atomic context Fix by removing msleep() and replacing with mdelay(). Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver") Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Link: https://lore.kernel.org/r/20221018083424.79741-1-duoming@zju.edu.cn Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-12-31T12:26:11+00:00 Geert Uytterhoeven geert+renesas@glider.be 2022-11-21T15:58:33+00:00 urn:sha1:dfc8f01ebe105f6b929a7f1bf536151955e96464 [ Upstream commit faaf901727eddcfbe889fe172ec9cdb5e63c8236 ] By moving support for the USB Syntek DC1125 Camera to staging, the dependencies on MEDIA_USB_SUPPORT and MEDIA_CAMERA_SUPPORT were lost. Fixes: 56280c64ecac ("media: stkwebcam: deprecate driver, move to staging") Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> Reviewed-by: Ricardo Ribalda <ribalda@chromium.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-12-31T12:26:02+00:00 Laurent Pinchart laurent.pinchart@ideasonboard.com 2022-09-07T18:42:16+00:00 urn:sha1:bb9bef24e922b5875e981a67abff8694a4f94b2c [ Upstream commit cccc08a95ca57624563daafd47df5691e8c38995 ] Commit 9babbbaaeb87 ("media: imx: imx7-media-csi: Use dual sampling for YUV 1X16") set BIT_MIPI_DOUBLE_CMPNT in the CR18 register for 16-bit YUV formats in imx7_csi_configure(). The CR18 register is always updated with read-modify-write cycles, so if a 16-bit YUV format is selected, the bit will stay set forever, even if the format is changed. Fix it by clearing the bit at the beginning of the imx7_csi_configure() function. While at it, swap two of the bits being cleared to match the MSB to LSB order. This doesn't cause any functional change. Fixes: 9babbbaaeb87 ("media: imx: imx7-media-csi: Use dual sampling for YUV 1X16") Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Reviewed-by: Paul Elder <paul.elder@ideasonboard.com> Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>