Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-12-29 17:25:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
linux-6.1.y
linux-stable/include/media
History
Hans Verkuil 71f9c0f1e3 media: v4l2-core: v4l2-dv-timings: check cvt/gtf result 
commit 9f070b1862 upstream.

The v4l2_detect_cvt/gtf functions should check the result against the
timing capabilities: these functions calculate the timings, so if they
are out of bounds, they should be rejected.

To do this, add the struct v4l2_dv_timings_cap as argument to those
functions.

This required updates to the adv7604 and adv7842 drivers since the
prototype of these functions has now changed. The timings struct
that is passed to v4l2_detect_cvt/gtf in those two drivers is filled
with the timings detected by the hardware.

The vivid driver was also updated, but an additional check was added:
the width and height specified by VIDIOC_S_DV_TIMINGS has to match the
calculated result, otherwise something went wrong. Note that vivid
*emulates* hardware, so all the values passed to the v4l2_detect_cvt/gtf
functions came from the timings struct that was filled by userspace
and passed on to the driver via VIDIOC_S_DV_TIMINGS. So these fields
can contain random data. Both the constraints check via
struct v4l2_dv_timings_cap and the additional width/height check
ensure that the resulting timings are sane and not messed up by the
v4l2_detect_cvt/gtf calculations.

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Fixes: 2576415846 ("[media] v4l2: move dv-timings related code to v4l2-dv-timings.c")
Cc: stable@vger.kernel.org
Reported-by: syzbot+a828133770f62293563e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-media/000000000000013050062127830a@google.com/
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-12-14 19:54:04 +01:00
..
davinci media: davinci: deprecate dm644x_ccdc, dm355_cddc and dm365_isif 2022-08-29 16:45:34 +02:00
drv-intf media: saa7146: deprecate hexium_gemini/orion, mxb and ttpci 2022-08-29 16:46:38 +02:00
i2c media: cx88: add IR remote support for NotOnlyTV LV3H 2022-09-24 11:21:43 +02:00
tpg media: v4l2-tpg: add HDMI Video Guard Band test pattern 2022-06-20 10:30:30 +01:00
cec-notifier.h Update rmk's email address in various drivers 2020-04-21 17:50:09 +01:00
cec-pin.h media: cec-gpio: handle gpiod_get_value errors correctly 2020-04-29 12:04:38 +02:00
cec.h media: cec: core: avoid recursive cec_claim_log_addrs 2024-06-12 11:03:48 +02:00
demux.h media: dvb: update buffer mmaped flags and frame counter 2018-02-23 11:44:08 -05:00
dmxdev.h media: dmxdev: drop unneeded <linux/kernel.h> inclusion from other headers 2021-12-14 16:19:04 +01:00
dvb_ca_en50221.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_demux.h media: dvb: update buffer mmaped flags and frame counter 2018-02-23 11:44:08 -05:00
dvb_frontend.h media: media dvb_frontend: add suspend and resume callbacks to dvb_frontend_ops 2021-11-19 15:57:22 +00:00
dvb_math.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_net.h media: dvb-core: Fix use-after-free due on race condition at dvb_net 2023-06-09 10:34:12 +02:00
dvb_ringbuffer.h media: move dvb kAPI headers to include/media 2017-12-28 13:16:01 -05:00
dvb_vb2.h media: dvb: update buffer mmaped flags and frame counter 2018-02-23 11:44:08 -05:00
dvb-usb-ids.h media: dvb-usb: dib0700_devices: use an enum for the device number 2022-04-18 07:36:44 +02:00
dvbdev.h media: dvb-core: Fix use-after-free due to race at dvb_register_device() 2023-06-09 10:34:12 +02:00
frame_vector.h media: videobuf2: Move frame_vector into media subsystem 2021-01-12 14:15:31 +01:00
imx.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
media-dev-allocator.h media: Fix Media Controller API config checks 2021-06-24 14:26:00 +02:00
media-device.h media: mc: entity: Merge media_entity_enum_init and __media_entity_enum_init 2022-09-24 09:10:38 +02:00
media-devnode.h media: media-devnode.h: drop duplicated word in comment 2020-07-19 14:00:12 +02:00
media-entity.h media: mc: Add num_links flag to media_pad 2024-04-03 15:19:25 +02:00
media-request.h media: media requests: return EBADR instead of EACCES 2019-03-25 13:26:10 -04:00
mipi-csi2.h media: Add MIPI CSI-2 28 bits per pixel raw data type 2022-05-17 09:17:26 +02:00
rc-core.h media: rc-core: rename ir_raw_event_reset to ir_raw_event_overflow 2022-01-28 19:32:50 +01:00
rc-map.h media: rc: add keymap for Toshiba CT-90405 remote 2021-06-08 15:56:58 +02:00
rcar-fcp.h media: rcar-fcp: convert to SPDX identifiers 2018-09-12 09:29:03 -04:00
tuner-types.h media: tuner-types: add kernel-doc markups for struct tunertype 2017-12-18 09:06:40 -05:00
tuner.h Linux 5.15-rc4 2021-10-04 07:52:13 +02:00
tveeprom.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
v4l2-async.h media: v4l2-async: Add notifier operation to destroy asd instances 2022-07-17 11:20:08 +01:00
v4l2-common.h media fixes for v6.1-rc2 2022-10-22 15:30:15 -07:00
v4l2-ctrls.h media: v4l2-ctrls: drop 'elems' argument from control type ops. 2022-09-24 08:49:06 +02:00
v4l2-dev.h media: mc: convert pipeline funcs to take media_pad 2022-09-24 09:22:30 +02:00
v4l2-device.h media: fix kernel-doc markups 2020-11-16 10:31:16 +01:00
v4l2-dv-timings.h media: v4l2-core: v4l2-dv-timings: check cvt/gtf result 2024-12-14 19:54:04 +01:00
v4l2-event.h media: v4l2-dev/event: add v4l2_event_wake_all() 2021-01-04 13:14:25 +01:00
v4l2-fh.h media: v4l2-fh: define v4l2_fh struct regardless of condition 2020-04-21 13:40:06 +02:00
v4l2-flash-led-class.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
v4l2-fwnode.h media: Remove incorrect comment from struct v4l2_fwnode_endpoint 2022-09-24 09:06:49 +02:00
v4l2-h264.h media: h264: Sort p/b reflist using frame_num 2022-05-17 10:02:29 +02:00
v4l2-image-sizes.h media: v4l2-image-sizes: add HD and Full-HD definitions 2020-04-21 17:21:51 +02:00
v4l2-ioctl.h media: v4l2: prepare compat-ioctl rework 2020-11-16 10:31:05 +01:00
v4l2-jpeg.h media: Add parsing for APP14 data segment in jpeg helpers 2021-03-22 10:35:36 +01:00
v4l2-mc.h media: v4l2-mc: Add link flags to v4l2_create_fwnode_links_to_pad() 2021-03-11 11:59:52 +01:00
v4l2-mediabus.h media: media/v4l2-core: Add enum V4L2_FWNODE_BUS_TYPE_DPI 2022-05-17 09:09:59 +02:00
v4l2-mem2mem.h media: v4l2-mem2mem: add lock to protect parameter num_rdy 2023-08-23 17:52:23 +02:00
v4l2-rect.h media: v4l2-rect.h: add enclosed rectangle helper 2020-07-04 12:29:38 +02:00
v4l2-subdev.h media: subdev: increase V4L2_FRAME_DESC_ENTRY_MAX to 8 2022-09-24 09:08:28 +02:00
v4l2-uvc.h media: uvcvideo: Add GUID for BGRA/X 8:8:8:8 2023-03-11 13:55:35 +01:00
v4l2-vp9.h media: Add VP9 v4l2 library 2021-11-22 07:47:13 +00:00
videobuf2-core.h media: vb2: videobuf -> videobuf2 2022-08-29 15:38:09 +02:00
videobuf2-dma-contig.h media: videobuf2-dma-contig: fix bad kfree in vb2_dma_contig_clear_max_seg_size 2020-06-11 19:20:55 +02:00
videobuf2-dma-sg.h media: Change Andrzej Pietrasiewicz's e-mail address 2019-01-16 11:21:07 -05:00
videobuf2-dvb.h media: vb2: videobuf -> videobuf2 2022-08-29 15:38:09 +02:00
videobuf2-memops.h media: videobuf2-vmalloc: get_userptr: buffers are always writable 2019-05-29 08:05:58 -04:00
videobuf2-v4l2.h media: videobuf2: Remove vb2_find_timestamp() 2022-08-30 14:44:45 +02:00
videobuf2-vmalloc.h [media] media: videobuf2: Replace videobuf2-core with videobuf2-v4l2 2015-10-01 08:48:18 -03:00
videobuf-core.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 237 2019-06-19 17:09:07 +02:00
videobuf-dma-contig.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 237 2019-06-19 17:09:07 +02:00
videobuf-dma-sg.h media: videobuf-dma-sg: number of pages should be unsigned long 2020-09-03 11:12:20 +02:00
videobuf-vmalloc.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 237 2019-06-19 17:09:07 +02:00
vsp1.h media: vsp1: Add premultiplied alpha support 2022-09-07 23:48:39 +03:00