kernel/drivers/media/usb/dvb-usb, branch linux-6.9.y

media: dw2102: fix a potential buffer overflow

2024-07-11T10:51:01Z

[ Upstream commit 1c73d0b29d04bf4082e7beb6a508895e118ee30d ] As pointed by smatch: drivers/media/usb/dvb-usb/dw2102.c:802 su3000_i2c_transfer() error: __builtin_memcpy() '&state->data[4]' too small (64 vs 67) That seemss to be due to a wrong copy-and-paste. Fixes: 0e148a522b84 ("media: dw2102: Don't translate i2c read into write") Reported-by: Hans Verkuil Reviewed-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin

media: dw2102: Don't translate i2c read into write

2024-07-11T10:51:01Z

[ Upstream commit 0e148a522b8453115038193e19ec7bea71403e4a ] The code ignored the I2C_M_RD flag on I2C messages. Instead it assumed an i2c transaction with a single message must be a write operation and a transaction with two messages would be a read operation. Though this works for the driver code, it leads to problems once the i2c device is exposed to code not knowing this convention. For example, I did "insmod i2c-dev" and issued read requests from userspace, which were translated into write requests and destroyed the EEPROM of my device. So, just check and respect the I2C_M_READ flag, which indicates a read when set on a message. If it is absent, it is a write message. Incidentally, changing from the case statement to a while loop allows the code to lift the limitation to two i2c messages per transaction. There are 4 more *_i2c_transfer functions affected by the same behaviour and limitation that should be fixed in the same way. Link: https://lore.kernel.org/linux-media/20220116112238.74171-2-micha@freedict.org Signed-off-by: Michael Bunk Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin

media: dvb-usb: dib0700_devices: Add missing release_firmware()

2024-07-11T10:50:56Z

[ Upstream commit 4b267c23ee064bd24c6933df0588ad1b6e111145 ] Add missing release_firmware on the error paths. drivers/media/usb/dvb-usb/dib0700_devices.c:2415 stk9090m_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2415. drivers/media/usb/dvb-usb/dib0700_devices.c:2497 nim9090md_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2489,2497. Signed-off-by: Ricardo Ribalda Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin

media: dvb-usb: Fix kerneldoc

2024-02-05T11:57:45Z

Remove kerneldoc from missing fields. Signed-off-by: Ricardo Ribalda Reviewed-by: Randy Dunlap Signed-off-by: Hans Verkuil

media: videobuf2: core: Rename min_buffers_needed field in vb2_queue

2023-12-13T16:31:27Z

Rename min_buffers_needed into min_queued_buffers and update the documentation about it. Signed-off-by: Benjamin Gaignard Signed-off-by: Hans Verkuil [hverkuil: Drop the change where min_queued_buffers + 1 buffers would be] [hverkuil: allocated. Now this patch only renames this field instead of making] [hverkuil: a functional change as well.] [hverkuil: Renamed 3 remaining min_buffers_needed occurrences.]

media: dvb-usb: gp8psk: Remove an unnecessary ternary operator

2023-09-27T07:39:55Z

There is a ternary operator, the true or false judgement of which is unnecessary in C language semantics. Signed-off-by: Ruan Jinjie Signed-off-by: Hans Verkuil

media: dvb-usb: opera1: fix uninit-value in dvb_usb_adapter_dvb_init

2023-07-19T10:57:50Z

If opera1_xilinx_rw fails, the mac address is not initialized. And opera1_read_mac_address does not handle this failure, which leads to the uninit-value in dvb_usb_adapter_dvb_init. Fix this by handling the failure of opera1_xilinx_rw. Signed-off-by: Zhang Shurong Signed-off-by: Hans Verkuil

media: af9005: Fix null-ptr-deref in af9005_i2c_xfer

2023-07-19T10:57:50Z

In af9005_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9005_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") Signed-off-by: Zhang Shurong Signed-off-by: Hans Verkuil

media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()

2023-07-19T10:57:50Z

In dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach dw2102_i2c_transfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 950e252cb469 ("[media] dw2102: limit messages to buffer size") Signed-off-by: Zhang Shurong Signed-off-by: Hans Verkuil

media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()

2023-07-19T10:57:47Z

'read' is freed when it is known to be NULL, but not when a read error occurs. Revert the logic to avoid a small leak, should a m920x_read() call fail. Fixes: a2ab06d7c4d6 ("media: m920x: don't use stack on USB reads") Signed-off-by: Christophe JAILLET Signed-off-by: Hans Verkuil