kernel/drivers/media/usb/dvb-usb-v2, branch linux-6.9.y Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-6.9.y 2023-10-13T09:33:21Z media: dvb-usb-v2: af9035: fix missing unlock 2023-10-13T09:33:21Z Hans Verkuil hverkuil-cisco@xs4all.nl 2023-10-06T10:08:45Z urn:sha1:f31b2cb85f0ee165d78e1c43f6d69f82cc3b2145 Instead of returning an error, goto the mutex unlock at the end of the function. Fixes smatch warning: drivers/media/usb/dvb-usb-v2/af9035.c:467 af9035_i2c_master_xfer() warn: inconsistent returns '&d->i2c_mutex'. Locked on : 326,387 Unlocked on: 465,467 Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Fixes: 7bf744f2de0a ("media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer") Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer 2023-07-19T10:57:50Z Zhang Shurong zhang_shurong@foxmail.com 2023-07-10T05:32:13Z urn:sha1:b97719a66970601cd3151a3e2020f4454a1c4ff6 In gl861_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach gl861_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> media: az6007: Fix null-ptr-deref in az6007_i2c_xfer() 2023-07-19T10:57:50Z Zhang Shurong zhang_shurong@foxmail.com 2023-07-08T16:28:17Z urn:sha1:1047f9343011f2cedc73c64829686206a7e9fc3f In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach az6007_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> media: anysee: fix null-ptr-deref in anysee_master_xfer 2023-07-19T10:57:50Z Zhang Shurong zhang_shurong@foxmail.com 2023-07-08T16:02:20Z urn:sha1:c30411266fd67ea3c02a05c157231654d5a3bdc9 In anysee_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach anysee_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> [hverkuil: add spaces around +] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer 2023-07-19T10:57:48Z Zhang Shurong zhang_shurong@foxmail.com 2023-07-05T16:06:54Z urn:sha1:7bf744f2de0a848fb1d717f5831b03db96feae89 In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> media: usb: remove unnecessary (void*) conversions 2023-05-25T14:21:20Z Su Hui suhui@nfschina.com 2023-05-09T07:40:01Z urn:sha1:eff540df5f80667eadf7a4a117b8a7655a47c7ea No need cast (void*) to (struct dvb_usb_device *) or (struct filter_info *). Signed-off-by: Su Hui <suhui@nfschina.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> [hverkuil: drop the obsolete dvb-usb/az6027.c and dvb-usb/pctv452e.c changes] media: usb: Check az6007_read() return value 2023-05-25T14:21:19Z Daniil Dulov d.dulov@aladdin.ru 2023-03-14T17:04:49Z urn:sha1:fdaca63186f59fc664b346c45b76576624b48e57 If az6007_read() returns error, there is no sence to continue. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 3af2f4f15a61 ("[media] az6007: Change the az6007 read/write routine parameter") Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> media: dvb-usb-v2: rtl28xxu: fix null-ptr-deref in rtl28xxu_i2c_xfer 2023-05-14T05:30:03Z Zhang Shurong zhang_shurong@foxmail.com 2023-05-07T14:52:47Z urn:sha1:aa4a447b81b84f69c1a89ad899df157f386d7636 In rtl28xxu_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach rtl28xxu_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Link: https://lore.kernel.org/linux-media/tencent_3623572106754AC2F266B316798B0F6CCA05@qq.com Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> media: dvb-usb-v2: ce6230: fix null-ptr-deref in ce6230_i2c_master_xfer() 2023-05-14T05:30:01Z Wei Chen harperchen1110@gmail.com 2023-03-13T09:27:51Z urn:sha1:dff919090155fb22679869e8469168f270dcd97f In ce6230_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach ce6230_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Link: https://lore.kernel.org/linux-media/20230313092751.209496-1-harperchen1110@gmail.com Signed-off-by: Wei Chen <harperchen1110@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org> media: dvb-usb-v2: ec168: fix null-ptr-deref in ec168_i2c_xfer() 2023-05-14T05:29:59Z Wei Chen harperchen1110@gmail.com 2023-03-13T08:58:53Z urn:sha1:a6dcefcc08eca1bf4e3d213c97c3cfb75f377935 In ec168_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. If accessing msg[i].buf[0] without sanity check, null pointer deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Link: https://lore.kernel.org/linux-media/20230313085853.3252349-1-harperchen1110@gmail.com Signed-off-by: Wei Chen <harperchen1110@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>