* [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer
@ 2023-09-09 0:40 Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 02/14] media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() Sasha Levin
` (12 more replies)
0 siblings, 13 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Zhang Shurong, Hans Verkuil, Sasha Levin, crope, mchehab, linux-media
From: Zhang Shurong <zhang_shurong@foxmail.com>
[ Upstream commit 7bf744f2de0a848fb1d717f5831b03db96feae89 ]
In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.
Similar commit:
commit 0ed554fd769a
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/dvb-usb-v2/af9035.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/media/usb/dvb-usb-v2/af9035.c b/drivers/media/usb/dvb-usb-v2/af9035.c
index 3afd18733614a..3a7e5f2f6e951 100644
--- a/drivers/media/usb/dvb-usb-v2/af9035.c
+++ b/drivers/media/usb/dvb-usb-v2/af9035.c
@@ -321,6 +321,8 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap,
ret = -EOPNOTSUPP;
} else if ((msg[0].addr == state->af9033_i2c_addr[0]) ||
(msg[0].addr == state->af9033_i2c_addr[1])) {
+ if (msg[0].len < 3 || msg[1].len < 1)
+ return -EOPNOTSUPP;
/* demod access via firmware interface */
u32 reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 |
msg[0].buf[2];
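Review bot: the new length check in the two-message demod branch leaves with a bare "return -EOPNOTSUPP;", while the branch directly above it in the context reports the same error with "ret = -EOPNOTSUPP;" and falls through to the rest of the function. If the function has a common exit path that releases a lock or does other cleanup, the early return skips it. Setting ret and moving the register access into an else block would keep a single exit.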
@@ -380,6 +382,8 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap,
ret = -EOPNOTSUPP;
} else if ((msg[0].addr == state->af9033_i2c_addr[0]) ||
(msg[0].addr == state->af9033_i2c_addr[1])) {
+ if (msg[0].len < 3)
+ return -EOPNOTSUPP;
/* demod access via firmware interface */
u32 reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 |
msg[0].buf[2];
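Review bot: in the single-message demod branch the added if statement now sits in front of "u32 reg = ...", so the block has a declaration after a statement, which kernel style avoids; the first hunk has the same layout. Declare reg at the top of the block and assign it once the length has been checked.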
@@ -387,10 +391,7 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap,
if (msg[0].addr == state->af9033_i2c_addr[1])
reg |= 0x100000;
- ret = (msg[0].len >= 3) ? af9035_wr_regs(d, reg,
- &msg[0].buf[3],
- msg[0].len - 3)
- : -EOPNOTSUPP;
+ ret = af9035_wr_regs(d, reg, &msg[0].buf[3], msg[0].len - 3);
} else {
/* I2C write */
u8 buf[MAX_XFER_SIZE];
--
2.40.1
* [PATCH AUTOSEL 5.4 02/14] media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
2023-09-09 0:40 [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer Sasha Levin
@ 2023-09-09 0:40 ` Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 03/14] media: af9005: Fix null-ptr-deref in af9005_i2c_xfer Sasha Levin
` (11 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Zhang Shurong, Hans Verkuil, Sasha Levin, mchehab,
harperchen1110, yuzhe, linux-media
From: Zhang Shurong <zhang_shurong@foxmail.com>
[ Upstream commit 5ae544d94abc8ff77b1b9bf8774def3fa5689b5b ]
In dw2102_i2c_transfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach dw2102_i2c_transfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.
Similar commit:
commit 950e252cb469
("[media] dw2102: limit messages to buffer size")
Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/dvb-usb/dw2102.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
index f8f589ebab74b..924a6478007a8 100644
--- a/drivers/media/usb/dvb-usb/dw2102.c
+++ b/drivers/media/usb/dvb-usb/dw2102.c
@@ -128,6 +128,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
switch (num) {
case 2:
+ if (msg[0].len < 1) {
+ num = -EOPNOTSUPP;
+ break;
+ }
/* read stv0299 register */
value = msg[0].buf[0];/* register */
for (i = 0; i < msg[1].len; i++) {
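Review bot: the guard in case 2 reports the error by overwriting num, the same variable the enclosing switch (num) dispatches on, which is easy to misread; a separate ret variable would make the error path explicit. Only msg[0] is validated here, which is enough for the lines shown because msg[1] is touched only inside the loop bounded by msg[1].len, and a short comment saying so would save the next reader the check.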
@@ -139,6 +143,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
case 1:
switch (msg[0].addr) {
case 0x68:
+ if (msg[0].len < 2) {
+ num = -EOPNOTSUPP;
+ break;
+ }
/* write to stv0299 register */
buf6[0] = 0x2a;
buf6[1] = msg[0].buf[0];
@@ -148,6 +156,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
break;
case 0x60:
if (msg[0].flags == 0) {
+ if (msg[0].len < 4) {
+ num = -EOPNOTSUPP;
+ break;
+ }
/* write to tuner pll */
buf6[0] = 0x2c;
buf6[1] = 5;
@@ -159,6 +171,10 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
dw210x_op_rw(d->udev, 0xb2, 0, 0,
buf6, 7, DW210X_WRITE_MSG);
} else {
+ if (msg[0].len < 1) {
+ num = -EOPNOTSUPP;
+ break;
+ }
/* read from tuner */
dw210x_op_rw(d->udev, 0xb5, 0, 0,
buf6, 1, DW210X_READ_MSG);
@@ -166,12 +182,20 @@ static int dw2102_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
}
break;
case (DW2102_RC_QUERY):
+ if (msg[0].len < 2) {
+ num = -EOPNOTSUPP;
+ break;
+ }
dw210x_op_rw(d->udev, 0xb8, 0, 0,
buf6, 2, DW210X_READ_MSG);
msg[0].buf[0] = buf6[0];
msg[0].buf[1] = buf6[1];
break;
case (DW2102_VOLTAGE_CTRL):
+ if (msg[0].len < 1) {
+ num = -EOPNOTSUPP;
+ break;
+ }
buf6[0] = 0x30;
buf6[1] = msg[0].buf[0];
dw210x_op_rw(d->udev, 0xb2, 0, 0,
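Review bot: the four-line guard in the DW2102_RC_QUERY and DW2102_VOLTAGE_CTRL cases is the fifth and sixth open-coded copy added to this function by the patch, each with its own magic minimum (1, 2 or 4). A small helper that takes the message and the required length, or named constants for the minimums, would keep each bound next to the buffer accesses it protects and make a future mismatch easier to spot.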
--
2.40.1
* [PATCH AUTOSEL 5.4 03/14] media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
2023-09-09 0:40 [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 02/14] media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() Sasha Levin
@ 2023-09-09 0:40 ` Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 04/14] media: anysee: fix null-ptr-deref in anysee_master_xfer Sasha Levin
` (10 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Zhang Shurong, Hans Verkuil, Sasha Levin, mchehab, linux-media
From: Zhang Shurong <zhang_shurong@foxmail.com>
[ Upstream commit f4ee84f27625ce1fdf41e8483fa0561a1b837d10 ]
In af9005_i2c_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach af9005_i2c_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.
Similar commit:
commit 0ed554fd769a
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/dvb-usb/af9005.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/media/usb/dvb-usb/af9005.c b/drivers/media/usb/dvb-usb/af9005.c
index 89b4b5d84cdff..827f9db16aa10 100644
--- a/drivers/media/usb/dvb-usb/af9005.c
+++ b/drivers/media/usb/dvb-usb/af9005.c
@@ -422,6 +422,10 @@ static int af9005_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
if (ret == 0)
ret = 2;
} else {
+ if (msg[0].len < 2) {
+ ret = -EOPNOTSUPP;
+ goto unlock;
+ }
/* write one or more registers */
reg = msg[0].buf[0];
addr = msg[0].addr;
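Review bot: only the write branch (the else shown here) gets a length check; the branch before it, which ends in "ret = 2;", is not touched by this patch, so confirm that path validates msg[0].len and msg[1].len before it reads either buffer. The guard requires at least 2 bytes while the visible code reads only buf[0], so a short comment naming what the second byte is would document the bound. Leaving through goto unlock rather than a direct return is the right choice, since the label is where i2c_mutex is released.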
@@ -431,6 +435,7 @@ static int af9005_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[],
ret = 1;
}
+unlock:
mutex_unlock(&d->i2c_mutex);
return ret;
}
--
2.40.1
* [PATCH AUTOSEL 5.4 04/14] media: anysee: fix null-ptr-deref in anysee_master_xfer
2023-09-09 0:40 [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 02/14] media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 03/14] media: af9005: Fix null-ptr-deref in af9005_i2c_xfer Sasha Levin
@ 2023-09-09 0:40 ` Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 05/14] media: az6007: Fix null-ptr-deref in az6007_i2c_xfer() Sasha Levin
` (9 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Zhang Shurong, Hans Verkuil, Sasha Levin, crope, mchehab, linux-media
From: Zhang Shurong <zhang_shurong@foxmail.com>
[ Upstream commit c30411266fd67ea3c02a05c157231654d5a3bdc9 ]
In anysee_master_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach anysee_master_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.
Similar commit:
commit 0ed554fd769a
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil: add spaces around +]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/dvb-usb-v2/anysee.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/dvb-usb-v2/anysee.c b/drivers/media/usb/dvb-usb-v2/anysee.c
index fb6d99dea31aa..08fdb9e5e3a22 100644
--- a/drivers/media/usb/dvb-usb-v2/anysee.c
+++ b/drivers/media/usb/dvb-usb-v2/anysee.c
@@ -202,7 +202,7 @@ static int anysee_master_xfer(struct i2c_adapter *adap, struct i2c_msg *msg,
while (i < num) {
if (num > i + 1 && (msg[i+1].flags & I2C_M_RD)) {
- if (msg[i].len > 2 || msg[i+1].len > 60) {
+ if (msg[i].len != 2 || msg[i + 1].len > 60) {
ret = -EOPNOTSUPP;
break;
}
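Review bot: changing the test from "msg[i].len > 2" to "msg[i].len != 2" rejects one-byte writes as well as empty ones, which is a wider behaviour change than the commit message describes; state in the message or in a comment that the read path needs exactly two bytes. The read half is still bounded only from above ("msg[i + 1].len > 60"), so a zero-length read message passes this check unchanged.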
--
2.40.1
* [PATCH AUTOSEL 5.4 05/14] media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
2023-09-09 0:40 [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer Sasha Levin
` (2 preceding siblings ...)
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 04/14] media: anysee: fix null-ptr-deref in anysee_master_xfer Sasha Levin
@ 2023-09-09 0:40 ` Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 06/14] iio: core: Use min() instead of min_t() to make code more robust Sasha Levin
` (8 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Zhang Shurong, Hans Verkuil, Sasha Levin, mchehab, linux-media
From: Zhang Shurong <zhang_shurong@foxmail.com>
[ Upstream commit 1047f9343011f2cedc73c64829686206a7e9fc3f ]
In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf
is null and msg[i].len is zero, former checks on msg[i].buf would be
passed. Malicious data finally reach az6007_i2c_xfer. If accessing
msg[i].buf[0] without sanity check, null ptr deref would happen.
We add check on msg[i].len to prevent crash.
Similar commit:
commit 0ed554fd769a
("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")
Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/dvb-usb-v2/az6007.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 7524c90f5da61..6cbfe75791c21 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -788,6 +788,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
if (az6007_xfer_debug)
printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
addr, msgs[i].len);
+ if (msgs[i].len < 1) {
+ ret = -EIO;
+ goto err;
+ }
req = AZ6007_I2C_WR;
index = msgs[i].buf[0];
value = addr | (1 << 8);
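Review bot: the short-message error in the write path is -EIO, whereas the sibling fixes in this series (af9035, dw2102, af9005, anysee) return -EOPNOTSUPP for the same condition. Pick one value so callers see a consistent error for a message the adapter cannot handle.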
@@ -802,6 +806,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
if (az6007_xfer_debug)
printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
addr, msgs[i].len);
+ if (msgs[i].len < 1) {
+ ret = -EIO;
+ goto err;
+ }
req = AZ6007_I2C_RD;
index = msgs[i].buf[0];
value = addr;
--
2.40.1
* [PATCH AUTOSEL 5.4 06/14] iio: core: Use min() instead of min_t() to make code more robust
2023-09-09 0:40 [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer Sasha Levin
` (3 preceding siblings ...)
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 05/14] media: az6007: Fix null-ptr-deref in az6007_i2c_xfer() Sasha Levin
@ 2023-09-09 0:40 ` Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 07/14] media: tuners: qt1010: replace BUG_ON with a regular error Sasha Levin
` (7 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Andy Shevchenko, Nuno Sa, Jonathan Cameron, Sasha Levin, jic23,
linux-iio
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit cb1d17535061ca295903f97f5cb0af9db719c02c ]
min() has strict type checking and is preferred over min_t() for
unsigned types to avoid overflow. Here it's unclear why min_t()
was chosen since both variables are of the same type. In any
case update to use min().
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Nuno Sa <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20230721170022.3461-5-andriy.shevchenko@linux.intel.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/industrialio-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index 485b2e6748c59..52e10df70c079 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -328,7 +328,7 @@ static ssize_t iio_debugfs_write_reg(struct file *file,
char buf[80];
int ret;
- count = min_t(size_t, count, (sizeof(buf)-1));
+ count = min(count, sizeof(buf) - 1);
if (copy_from_user(buf, userbuf, count))
return -EFAULT;
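Review bot: the replacement "min(count, sizeof(buf) - 1)" relies on count already being a size_t, because min() refuses mixed types at build time; the parameter's declaration is outside the hunk, so build-test this on the 5.4 tree rather than assuming the types match upstream. With equal types the result is identical to the removed min_t(size_t, ...) call, so this is a cleanup rather than a fix.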
--
2.40.1
* [PATCH AUTOSEL 5.4 07/14] media: tuners: qt1010: replace BUG_ON with a regular error
2023-09-09 0:40 [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer Sasha Levin
` (4 preceding siblings ...)
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 06/14] iio: core: Use min() instead of min_t() to make code more robust Sasha Levin
@ 2023-09-09 0:40 ` Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 08/14] media: pci: cx23885: replace BUG with error return Sasha Levin
` (6 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Hans Verkuil, Sasha Levin, crope, mchehab, linux-media
From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[ Upstream commit ee630b29ea44d1851bb6c903f400956604834463 ]
BUG_ON is unnecessary here, and in addition it confuses smatch.
Replacing this with an error return helps resolve this smatch
warning:
drivers/media/tuners/qt1010.c:350 qt1010_init() error: buffer overflow 'i2c_data' 34 <= 34
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/tuners/qt1010.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/media/tuners/qt1010.c b/drivers/media/tuners/qt1010.c
index e48faf942830c..624499fb71b92 100644
--- a/drivers/media/tuners/qt1010.c
+++ b/drivers/media/tuners/qt1010.c
@@ -342,11 +342,12 @@ static int qt1010_init(struct dvb_frontend *fe)
else
valptr = &tmpval;
- BUG_ON(i >= ARRAY_SIZE(i2c_data) - 1);
-
- err = qt1010_init_meas1(priv, i2c_data[i+1].reg,
- i2c_data[i].reg,
- i2c_data[i].val, valptr);
+ if (i >= ARRAY_SIZE(i2c_data) - 1)
+ err = -EIO;
+ else
+ err = qt1010_init_meas1(priv, i2c_data[i + 1].reg,
+ i2c_data[i].reg,
+ i2c_data[i].val, valptr);
i++;
break;
}
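Review bot: in the out-of-range branch err is set to -EIO, but the "i++;" and "break;" that follow still run, so correctness depends on the surrounding loop testing err before it indexes i2c_data again. That test is not in the hunk and should be confirmed. A dev_err or similar on this branch would also keep some of the diagnostic value the BUG_ON had.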
--
2.40.1
* [PATCH AUTOSEL 5.4 08/14] media: pci: cx23885: replace BUG with error return
2023-09-09 0:40 [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer Sasha Levin
` (5 preceding siblings ...)
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 07/14] media: tuners: qt1010: replace BUG_ON with a regular error Sasha Levin
@ 2023-09-09 0:40 ` Sasha Levin
2023-09-09 0:40 ` Sasha Levin
` (5 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Hans Verkuil, Sasha Levin, mchehab, harperchen1110, linux-media
From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[ Upstream commit 2e1796fd4904fdd6062a8e4589778ea899ea0c8d ]
It was completely unnecessary to use BUG in buffer_prepare().
Just replace it with an error return. This also fixes a smatch warning:
drivers/media/pci/cx23885/cx23885-video.c:422 buffer_prepare() error: uninitialized symbol 'ret'.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/pci/cx23885/cx23885-video.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c
index 7fc408ee4934f..f56b271db8bea 100644
--- a/drivers/media/pci/cx23885/cx23885-video.c
+++ b/drivers/media/pci/cx23885/cx23885-video.c
@@ -409,7 +409,7 @@ static int buffer_prepare(struct vb2_buffer *vb)
dev->height >> 1);
break;
default:
- BUG();
+ return -EINVAL; /* should not happen */
}
dprintk(2, "[%p/%d] buffer_init - %dx%d %dbpp 0x%08x - dma=0x%08lx\n",
buf, buf->vb.vb2_buf.index,
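Review bot: the default case now fails silently with "return -EINVAL;". Since the comment says it should not happen, a WARN_ON_ONCE or a dprintk before the return would make an unexpected field value visible in the log instead of only failing the buffer.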
--
2.40.1
* [PATCH AUTOSEL 5.4 09/14] usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
2023-09-09 0:40 [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer Sasha Levin
@ 2023-09-09 0:40 ` Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 03/14] media: af9005: Fix null-ptr-deref in af9005_i2c_xfer Sasha Levin
` (11 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Sasha Levin, Greg Kroah-Hartman, linux-usb, Ma Ke, Li Yang, linuxppc-dev
From: Ma Ke <make_ruc2021@163.com>
[ Upstream commit ce9daa2efc0872a9a68ea51dc8000df05893ef2e ]
We should verify the bound of the array to assure that host
may not manipulate the index to point past endpoint array.
Signed-off-by: Ma Ke <make_ruc2021@163.com>
Acked-by: Li Yang <leoyang.li@nxp.com>
Link: https://lore.kernel.org/r/20230628081511.186850-1-make_ruc2021@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/udc/fsl_qe_udc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/gadget/udc/fsl_qe_udc.c b/drivers/usb/gadget/udc/fsl_qe_udc.c
index 2707be6282988..63109c6e55068 100644
--- a/drivers/usb/gadget/udc/fsl_qe_udc.c
+++ b/drivers/usb/gadget/udc/fsl_qe_udc.c
@@ -1950,6 +1950,8 @@ static void ch9getstatus(struct qe_udc *udc, u8 request_type, u16 value,
} else if ((request_type & USB_RECIP_MASK) == USB_RECIP_ENDPOINT) {
/* Get endpoint status */
int pipe = index & USB_ENDPOINT_NUMBER_MASK;
+ if (pipe >= USB_MAX_ENDPOINTS)
+ goto stall;
struct qe_ep *target_ep = &udc->eps[pipe];
u16 usep;
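Review bot: the bounds check is inserted between "int pipe = ..." and "struct qe_ep *target_ep = &udc->eps[pipe];", which leaves declarations after a statement and makes goto stall jump over the initialisation of target_ep. Declare target_ep and usep at the top of the block and assign target_ep after the check. The ordering itself is right: the index is validated before it is used to address udc->eps.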
--
2.40.1
* [PATCH AUTOSEL 5.4 10/14] scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
2023-09-09 0:40 [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer Sasha Levin
` (7 preceding siblings ...)
2023-09-09 0:40 ` Sasha Levin
@ 2023-09-09 0:40 ` Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 11/14] serial: cpm_uart: Avoid suspicious locking Sasha Levin
` (3 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Konstantin Shelekhin, Martin K . Petersen, Sasha Levin, mlombard,
michael.christie, linux-scsi, target-devel
From: Konstantin Shelekhin <k.shelekhin@yadro.com>
[ Upstream commit 801f287c93ff95582b0a2d2163f12870a2f076d4 ]
The function lio_target_nacl_info_show() uses sprintf() in a loop to print
details for every iSCSI connection in a session without checking for the
buffer length. With enough iSCSI connections it's possible to overflow the
buffer provided by configfs and corrupt the memory.
This patch replaces sprintf() with sysfs_emit_at() that checks for buffer
boundaries.
Signed-off-by: Konstantin Shelekhin <k.shelekhin@yadro.com>
Link: https://lore.kernel.org/r/20230722152657.168859-2-k.shelekhin@yadro.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/iscsi/iscsi_target_configfs.c | 54 ++++++++++----------
1 file changed, 27 insertions(+), 27 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target_configfs.c b/drivers/target/iscsi/iscsi_target_configfs.c
index 0fa1d57b26fa8..3cd671bbb9a41 100644
--- a/drivers/target/iscsi/iscsi_target_configfs.c
+++ b/drivers/target/iscsi/iscsi_target_configfs.c
@@ -508,102 +508,102 @@ static ssize_t lio_target_nacl_info_show(struct config_item *item, char *page)
spin_lock_bh(&se_nacl->nacl_sess_lock);
se_sess = se_nacl->nacl_sess;
if (!se_sess) {
- rb += sprintf(page+rb, "No active iSCSI Session for Initiator"
+ rb += sysfs_emit_at(page, rb, "No active iSCSI Session for Initiator"
" Endpoint: %s\n", se_nacl->initiatorname);
} else {
sess = se_sess->fabric_sess_ptr;
- rb += sprintf(page+rb, "InitiatorName: %s\n",
+ rb += sysfs_emit_at(page, rb, "InitiatorName: %s\n",
sess->sess_ops->InitiatorName);
- rb += sprintf(page+rb, "InitiatorAlias: %s\n",
+ rb += sysfs_emit_at(page, rb, "InitiatorAlias: %s\n",
sess->sess_ops->InitiatorAlias);
- rb += sprintf(page+rb,
+ rb += sysfs_emit_at(page, rb,
"LIO Session ID: %u ISID: 0x%6ph TSIH: %hu ",
sess->sid, sess->isid, sess->tsih);
- rb += sprintf(page+rb, "SessionType: %s\n",
+ rb += sysfs_emit_at(page, rb, "SessionType: %s\n",
(sess->sess_ops->SessionType) ?
"Discovery" : "Normal");
- rb += sprintf(page+rb, "Session State: ");
+ rb += sysfs_emit_at(page, rb, "Session State: ");
switch (sess->session_state) {
case TARG_SESS_STATE_FREE:
- rb += sprintf(page+rb, "TARG_SESS_FREE\n");
+ rb += sysfs_emit_at(page, rb, "TARG_SESS_FREE\n");
break;
case TARG_SESS_STATE_ACTIVE:
- rb += sprintf(page+rb, "TARG_SESS_STATE_ACTIVE\n");
+ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_ACTIVE\n");
break;
case TARG_SESS_STATE_LOGGED_IN:
- rb += sprintf(page+rb, "TARG_SESS_STATE_LOGGED_IN\n");
+ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_LOGGED_IN\n");
break;
case TARG_SESS_STATE_FAILED:
- rb += sprintf(page+rb, "TARG_SESS_STATE_FAILED\n");
+ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_FAILED\n");
break;
case TARG_SESS_STATE_IN_CONTINUE:
- rb += sprintf(page+rb, "TARG_SESS_STATE_IN_CONTINUE\n");
+ rb += sysfs_emit_at(page, rb, "TARG_SESS_STATE_IN_CONTINUE\n");
break;
default:
- rb += sprintf(page+rb, "ERROR: Unknown Session"
+ rb += sysfs_emit_at(page, rb, "ERROR: Unknown Session"
" State!\n");
break;
}
- rb += sprintf(page+rb, "---------------------[iSCSI Session"
+ rb += sysfs_emit_at(page, rb, "---------------------[iSCSI Session"
" Values]-----------------------\n");
- rb += sprintf(page+rb, " CmdSN/WR : CmdSN/WC : ExpCmdSN"
+ rb += sysfs_emit_at(page, rb, " CmdSN/WR : CmdSN/WC : ExpCmdSN"
" : MaxCmdSN : ITT : TTT\n");
max_cmd_sn = (u32) atomic_read(&sess->max_cmd_sn);
- rb += sprintf(page+rb, " 0x%08x 0x%08x 0x%08x 0x%08x"
+ rb += sysfs_emit_at(page, rb, " 0x%08x 0x%08x 0x%08x 0x%08x"
" 0x%08x 0x%08x\n",
sess->cmdsn_window,
(max_cmd_sn - sess->exp_cmd_sn) + 1,
sess->exp_cmd_sn, max_cmd_sn,
sess->init_task_tag, sess->targ_xfer_tag);
- rb += sprintf(page+rb, "----------------------[iSCSI"
+ rb += sysfs_emit_at(page, rb, "----------------------[iSCSI"
" Connections]-------------------------\n");
spin_lock(&sess->conn_lock);
list_for_each_entry(conn, &sess->sess_conn_list, conn_list) {
- rb += sprintf(page+rb, "CID: %hu Connection"
+ rb += sysfs_emit_at(page, rb, "CID: %hu Connection"
" State: ", conn->cid);
switch (conn->conn_state) {
case TARG_CONN_STATE_FREE:
- rb += sprintf(page+rb,
+ rb += sysfs_emit_at(page, rb,
"TARG_CONN_STATE_FREE\n");
break;
case TARG_CONN_STATE_XPT_UP:
- rb += sprintf(page+rb,
+ rb += sysfs_emit_at(page, rb,
"TARG_CONN_STATE_XPT_UP\n");
break;
case TARG_CONN_STATE_IN_LOGIN:
- rb += sprintf(page+rb,
+ rb += sysfs_emit_at(page, rb,
"TARG_CONN_STATE_IN_LOGIN\n");
break;
case TARG_CONN_STATE_LOGGED_IN:
- rb += sprintf(page+rb,
+ rb += sysfs_emit_at(page, rb,
"TARG_CONN_STATE_LOGGED_IN\n");
break;
case TARG_CONN_STATE_IN_LOGOUT:
- rb += sprintf(page+rb,
+ rb += sysfs_emit_at(page, rb,
"TARG_CONN_STATE_IN_LOGOUT\n");
break;
case TARG_CONN_STATE_LOGOUT_REQUESTED:
- rb += sprintf(page+rb,
+ rb += sysfs_emit_at(page, rb,
"TARG_CONN_STATE_LOGOUT_REQUESTED\n");
break;
case TARG_CONN_STATE_CLEANUP_WAIT:
- rb += sprintf(page+rb,
+ rb += sysfs_emit_at(page, rb,
"TARG_CONN_STATE_CLEANUP_WAIT\n");
break;
default:
- rb += sprintf(page+rb,
+ rb += sysfs_emit_at(page, rb,
"ERROR: Unknown Connection State!\n");
break;
}
- rb += sprintf(page+rb, " Address %pISc %s", &conn->login_sockaddr,
+ rb += sysfs_emit_at(page, rb, " Address %pISc %s", &conn->login_sockaddr,
(conn->network_transport == ISCSI_TCP) ?
"TCP" : "SCTP");
- rb += sprintf(page+rb, " StatSN: 0x%08x\n",
+ rb += sysfs_emit_at(page, rb, " StatSN: 0x%08x\n",
conn->stat_sn);
}
spin_unlock(&sess->conn_lock);
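Review bot: sysfs_emit_at() stops writing at the end of the page and adds nothing to rb once the page is full, so with many connections the output is now silently truncated instead of overflowing. That is worth a line in the commit message, and the list_for_each_entry loop could break once rb stops growing rather than walking the rest of the list under conn_lock. For this 5.4 backport, confirm that the tree provides sysfs_emit_at() and that the configfs page buffer passed in as page meets its page-alignment requirement.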
--
2.40.1
* [PATCH AUTOSEL 5.4 11/14] serial: cpm_uart: Avoid suspicious locking
2023-09-09 0:40 [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer Sasha Levin
` (8 preceding siblings ...)
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 10/14] scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() Sasha Levin
@ 2023-09-09 0:40 ` Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 12/14] workqueue: Call wq_update_unbound_numa() on all CPUs in NUMA node on CPU hotplug Sasha Levin
` (2 subsequent siblings)
12 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Christophe Leroy, Greg Kroah-Hartman, Sasha Levin, jirislaby,
ilpo.jarvinen, u.kleine-koenig, linux-serial
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit 36ef11d311f405e55ad8e848c19b212ff71ef536 ]
CHECK drivers/tty/serial/cpm_uart/cpm_uart_core.c
drivers/tty/serial/cpm_uart/cpm_uart_core.c:1271:39: warning: context imbalance in 'cpm_uart_console_write' - unexpected unlock
Although 'nolock' is not expected to change, sparse finds the following
form suspicious:
	if (unlikely(nolock)) {
		local_irq_save(flags);
	} else {
		spin_lock_irqsave(&pinfo->port.lock, flags);
	}
	cpm_uart_early_write(pinfo, s, count, true);
	if (unlikely(nolock)) {
		local_irq_restore(flags);
	} else {
		spin_unlock_irqrestore(&pinfo->port.lock, flags);
	}
Rewrite it in a more obvious form:
	if (unlikely(oops_in_progress)) {
		local_irq_save(flags);
		cpm_uart_early_write(pinfo, s, count, true);
		local_irq_restore(flags);
	} else {
		spin_lock_irqsave(&pinfo->port.lock, flags);
		cpm_uart_early_write(pinfo, s, count, true);
		spin_unlock_irqrestore(&pinfo->port.lock, flags);
	}
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Link: https://lore.kernel.org/r/f7da5cdc9287960185829cfef681a7d8614efa1f.1691068700.git.christophe.leroy@csgroup.eu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/cpm_uart/cpm_uart_core.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/drivers/tty/serial/cpm_uart/cpm_uart_core.c b/drivers/tty/serial/cpm_uart/cpm_uart_core.c
index de6d02f7abe2b..c37036fee231d 100644
--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c
+++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c
@@ -1267,19 +1267,14 @@ static void cpm_uart_console_write(struct console *co, const char *s,
{
struct uart_cpm_port *pinfo = &cpm_uart_ports[co->index];
unsigned long flags;
- int nolock = oops_in_progress;
- if (unlikely(nolock)) {
+ if (unlikely(oops_in_progress)) {
local_irq_save(flags);
- } else {
- spin_lock_irqsave(&pinfo->port.lock, flags);
- }
-
- cpm_uart_early_write(pinfo, s, count, true);
-
- if (unlikely(nolock)) {
+ cpm_uart_early_write(pinfo, s, count, true);
local_irq_restore(flags);
} else {
+ spin_lock_irqsave(&pinfo->port.lock, flags);
+ cpm_uart_early_write(pinfo, s, count, true);
spin_unlock_irqrestore(&pinfo->port.lock, flags);
}
}
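Review bot: the reason the port lock is skipped when oops_in_progress is set is not documented in cpm_uart_console_write(), and now that the two paths are written out separately a one-line comment on the first branch would be cheap to add. With the nolock snapshot gone, the matching save/restore pair is chosen by the single read of oops_in_progress in the if condition, which holds for the code as written. The hunk only reshapes control flow to quiet sparse, so its value as a stable backport is worth questioning.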
--
2.40.1
* [PATCH AUTOSEL 5.4 12/14] workqueue: Call wq_update_unbound_numa() on all CPUs in NUMA node on CPU hotplug
2023-09-09 0:40 [PATCH AUTOSEL 5.4 01/14] media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer Sasha Levin
` (9 preceding siblings ...)
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 11/14] serial: cpm_uart: Avoid suspicious locking Sasha Levin
@ 2023-09-09 0:40 ` Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 13/14] media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning Sasha Levin
2023-09-09 0:40 ` [PATCH AUTOSEL 5.4 14/14] kobject: Add sanity check for kset->kobj.ktype in kset_register() Sasha Levin
12 siblings, 0 replies; 15+ messages in thread
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Tejun Heo, Sasha Levin
From: Tejun Heo <tj@kernel.org>
[ Upstream commit 4cbfd3de737b9d00544ff0f673cb75fc37bffb6a ]
When a CPU went online or offline, wq_update_unbound_numa() was called only
on the CPU which was going up or down. This works fine because all CPUs on
the same NUMA node share the same pool_workqueue slot - one CPU updating it
updates it for everyone in the node.
However, future changes will make each CPU use a separate pool_workqueue
even when they're sharing the same worker_pool, which requires updating
pool_workqueue's for all CPUs which may be sharing the same pool_workqueue
on hotplug.
To accommodate the planned changes, this patch updates
workqueue_on/offline_cpu() so that they call wq_update_unbound_numa() for
all CPUs sharing the same NUMA node as the CPU going up or down. In the
current code, the second+ calls would be noops and there shouldn't be any
behavior changes.
* As wq_update_unbound_numa() is now called on multiple CPUs per each
hotplug event, @cpu is renamed to @hotplug_cpu and another @cpu argument
is added. The former indicates the CPU being hot[un]plugged and the latter
the CPU whose pool_workqueue is being updated.
* In wq_update_unbound_numa(), cpu_off is renamed to off_cpu for consistency
with the new @hotplug_cpu.
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/workqueue.c | 34 +++++++++++++++++++++++++---------
1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 856188b0681af..c7f9b3efcac96 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -4083,7 +4083,8 @@ int apply_workqueue_attrs(struct workqueue_struct *wq,
/**
* wq_update_unbound_numa - update NUMA affinity of a wq for CPU hot[un]plug
* @wq: the target workqueue
- * @cpu: the CPU coming up or going down
+ * @cpu: the CPU to update pool association for
+ * @hotplug_cpu: the CPU coming up or going down
* @online: whether @cpu is coming up or going down
*
* This function is to be called from %CPU_DOWN_PREPARE, %CPU_ONLINE and
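Review bot: the kernel-doc still reads `@online: whether @cpu is coming up or going down`, but after this change @cpu is the CPU whose pool association is updated and the CPU going up or down is @hotplug_cpu. Update the @online line to refer to @hotplug_cpu so the three parameter descriptions agree.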
@@ -4103,10 +4104,10 @@ int apply_workqueue_attrs(struct workqueue_struct *wq,
* CPU_DOWN_PREPARE.
*/
static void wq_update_unbound_numa(struct workqueue_struct *wq, int cpu,
- bool online)
+ int hotplug_cpu, bool online)
{
int node = cpu_to_node(cpu);
- int cpu_off = online ? -1 : cpu;
+ int off_cpu = online ? -1 : hotplug_cpu;
struct pool_workqueue *old_pwq = NULL, *pwq;
struct workqueue_attrs *target_attrs;
cpumask_t *cpumask;
@@ -4134,7 +4135,7 @@ static void wq_update_unbound_numa(struct workqueue_struct *wq, int cpu,
* and create a new one if they don't match. If the target cpumask
* equals the default pwq's, the default pwq should be used.
*/
- if (wq_calc_node_cpumask(wq->dfl_pwq->pool->attrs, node, cpu_off, cpumask)) {
+ if (wq_calc_node_cpumask(wq->dfl_pwq->pool->attrs, node, off_cpu, cpumask)) {
if (cpumask_equal(cpumask, pwq->pool->attrs->cpumask))
return;
} else {
@@ -5062,8 +5063,15 @@ int workqueue_online_cpu(unsigned int cpu)
}
/* update NUMA affinity of unbound workqueues */
- list_for_each_entry(wq, &workqueues, list)
- wq_update_unbound_numa(wq, cpu, true);
+ list_for_each_entry(wq, &workqueues, list) {
+ int tcpu;
+
+ for_each_possible_cpu(tcpu) {
+ if (cpu_to_node(tcpu) == cpu_to_node(cpu)) {
+ wq_update_unbound_numa(wq, tcpu, cpu, true);
+ }
+ }
+ }
mutex_unlock(&wq_pool_mutex);
return 0;
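Review bot: in workqueue_online_cpu() the inner loop re-evaluates cpu_to_node(cpu) for every possible CPU of every workqueue, although the value cannot change inside the loop; compute it once before list_for_each_entry() and compare against that. The braces around the single wq_update_unbound_numa() call are unnecessary under kernel coding style. Since for_each_possible_cpu() also visits CPUs that are not online, a short comment stating that the additional calls are expected to be no-ops, as the commit message says, would help the reader.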
@@ -5081,8 +5089,15 @@ int workqueue_offline_cpu(unsigned int cpu)
/* update NUMA affinity of unbound workqueues */
mutex_lock(&wq_pool_mutex);
- list_for_each_entry(wq, &workqueues, list)
- wq_update_unbound_numa(wq, cpu, false);
+ list_for_each_entry(wq, &workqueues, list) {
+ int tcpu;
+
+ for_each_possible_cpu(tcpu) {
+ if (cpu_to_node(tcpu) == cpu_to_node(cpu)) {
+ wq_update_unbound_numa(wq, tcpu, cpu, false);
+ }
+ }
+ }
mutex_unlock(&wq_pool_mutex);
return 0;
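Review bot: workqueue_offline_cpu() repeats the node-matching loop from workqueue_online_cpu(), differing only in the final `false` argument. A small static helper taking the hotplug CPU and the online flag would keep the two paths from drifting apart.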
@@ -6033,7 +6048,8 @@ int __init workqueue_init(void)
}
list_for_each_entry(wq, &workqueues, list) {
- wq_update_unbound_numa(wq, smp_processor_id(), true);
+ wq_update_unbound_numa(wq, smp_processor_id(), smp_processor_id(),
+ true);
WARN(init_rescuer(wq),
"workqueue: failed to create early rescuer for %s",
wq->name);
--
2.40.1
* [PATCH AUTOSEL 5.4 13/14] media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Sakari Ailus, Hans Verkuil, Sasha Levin, yong.zhi, bingbu.cao,
djrscally, mchehab, linux-media
From: Sakari Ailus <sakari.ailus@linux.intel.com>
[ Upstream commit 9d7531be3085a8f013cf173ccc4e72e3cf493538 ]
Initialise timing struct in cio2_hw_init() to zero in order to avoid a
compiler warning. The warning was a false positive.
Reported-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/pci/intel/ipu3/ipu3-cio2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/pci/intel/ipu3/ipu3-cio2.c b/drivers/media/pci/intel/ipu3/ipu3-cio2.c
index 3457f0f545c48..9c0d117e093b1 100644
--- a/drivers/media/pci/intel/ipu3/ipu3-cio2.c
+++ b/drivers/media/pci/intel/ipu3/ipu3-cio2.c
@@ -359,7 +359,7 @@ static int cio2_hw_init(struct cio2_device *cio2, struct cio2_queue *q)
void __iomem *const base = cio2->base;
u8 lanes, csi2bus = q->csi2.port;
u8 sensor_vc = SENSOR_VIR_CH_DFLT;
- struct cio2_csi2_timing timing;
+ struct cio2_csi2_timing timing = { 0 };
int i, r;
fmt = cio2_find_format(NULL, &q->subdev_fmt.code);
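Review bot: `struct cio2_csi2_timing timing = { 0 };` in cio2_hw_init() silences a warning that the commit message calls a false positive, but it also means the compiler can no longer flag a later code path that really does read `timing` before it is filled in. A brief comment at the declaration saying the initialiser exists only to quiet that warning would stop it from being read as a required default.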
--
2.40.1
* [PATCH AUTOSEL 5.4 14/14] kobject: Add sanity check for kset->kobj.ktype in kset_register()
From: Sasha Levin @ 2023-09-09 0:40 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Zhen Lei, Greg Kroah-Hartman, Sasha Levin
From: Zhen Lei <thunder.leizhen@huawei.com>
[ Upstream commit 4d0fe8c52bb3029d83e323c961221156ab98680b ]
When I register a kset in the following way:
static struct kset my_kset;
kobject_set_name(&my_kset.kobj, "my_kset");
ret = kset_register(&my_kset);
A null pointer dereference exception occurred:
[ 4453.568337] Unable to handle kernel NULL pointer dereference at \
virtual address 0000000000000028
... ...
[ 4453.810361] Call trace:
[ 4453.813062] kobject_get_ownership+0xc/0x34
[ 4453.817493] kobject_add_internal+0x98/0x274
[ 4453.822005] kset_register+0x5c/0xb4
[ 4453.825820] my_kobj_init+0x44/0x1000 [my_kset]
... ...
Because I didn't initialize my_kset.kobj.ktype.
According to the description in Documentation/core-api/kobject.rst:
- A ktype is the type of object that embeds a kobject. Every structure
that embeds a kobject needs a corresponding ktype.
So add sanity check to make sure kset->kobj.ktype is not NULL.
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Link: https://lore.kernel.org/r/20230805084114.1298-2-thunder.leizhen@huaweicloud.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/kobject.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/kobject.c b/lib/kobject.c
index 0c6d17503a113..c4025a880d753 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -877,6 +877,11 @@ int kset_register(struct kset *k)
if (!k)
return -EINVAL;
+ if (!k->kobj.ktype) {
+ pr_err("must have a ktype to be initialized properly!\n");
+ return -EINVAL;
+ }
+
kset_init(k);
err = kobject_add_internal(&k->kobj);
if (err)
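Review bot: the pr_err() text added to kset_register() names neither the function nor the kset that was rejected, so the log line `must have a ktype to be initialized properly!` is hard to trace back to the offending caller. Prefix it with the function name and include the kset name, for example via kobject_name(&k->kobj), which the reproducer in the commit message sets before calling kset_register().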
--
2.40.1