Skip to content

L
linux
Switch branch/tag
  1. 17 Jun, 2021 10 commits
    • Mauro Carvalho Chehab's avatar
      media: xilinx: simplify get fourcc logic · 12891698
      Mauro Carvalho Chehab authored 
      Right now, there are two calls for xvip_get_format_by_fourcc().
If the first one fails, it is called again in order to pick
the first available format: V4L2_PIX_FMT_YUYV.

This ends by producing a smatch warnings:
	drivers/media/platform/xilinx/xilinx-dma.c:555 __xvip_dma_try_format() error: 'info' dereferencing possible ERR_PTR()
	drivers/media/platform/xilinx/xilinx-dma.c: drivers/media/platform/xilinx/xilinx-dma.c:664 xvip_dma_init() error: 'dma->fmtinfo' dereferencing possible ERR_PTR()

as it is hard for an static analyzer to ensure that calling
xvip_get_format_by_fourcc(XVIP_DMA_DEF_FORMAT) won't return an
error.

So, better to optimize the logic, ensuring that the function
will never return an error.
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      12891698
    • Mauro Carvalho Chehab's avatar
      media: dvb-core: frontend: make GET/SET safer · 60f0618d
      Mauro Carvalho Chehab authored 
      The implementation for FE_SET_PROPERTY/FE_GET_PROPERTY has
a debug code that might be explored via spectre.
Improve the logic in order to mitigate such risk.

It should be noticed that, before this patch, the logic
which implements FE_GET_PROPERTY doesn't check the length passed
by the user, which might lead to expose some information. This
is probably not exploitable, though, as the frontend drivers
won't rely on the buffer length value set by userspace, but
it helps to return a valid value back to userspace.

The code was changed to only try to access an array based on
userspace values only when DVB debug is turned on, helping to
reduce the attack surface, as a speculation attack would work
only if DVB dev_dbg() macros are enabled, which is usually
enabled only on test Kernels or by the root user.

As a side effect, a const array size can now be reduced by
~570 bytes, as it now needs to contain just the name of each
DTV command.
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      60f0618d
    • Mauro Carvalho Chehab's avatar
      media: ttusb-dec: cleanup an error handling logic · dba328ba
      Mauro Carvalho Chehab authored 
      Simplify the logic at ttusb_dec_send_command().

Besides avoiding some code duplication, as a side effect,
this could remove this false positive return with spatch:

	drivers/media/usb/ttusb-dec/ttusb_dec.c:380 ttusb_dec_send_command() warn: inconsistent returns '&dec->usb_mutex'.
	  Locked on  : 330
	  Unlocked on: 354,365,380
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      dba328ba
    • Mauro Carvalho Chehab's avatar
      media: siano: fix device register error path · 5368b1ee
      Mauro Carvalho Chehab authored 
      As reported by smatch:
	drivers/media/common/siano/smsdvb-main.c:1231 smsdvb_hotplug() warn: '&client->entry' not removed from list

If an error occur at the end of the registration logic, it won't
drop the device from the list.
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      5368b1ee
    • Mauro Carvalho Chehab's avatar
      media: saa7134: fix saa7134_initdev error handling logic · 235406dc
      Mauro Carvalho Chehab authored 
      Smatch reported an issue there:
	drivers/media/pci/saa7134/saa7134-core.c:1302 saa7134_initdev() warn: '&dev->devlist' not removed from list

But besides freeing the list, the media controller graph also
needs to be cleaned up on errors. Address those issues.
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      235406dc
    • Mauro Carvalho Chehab's avatar
      media: saa7134: use more meaninful goto labels · 7f9197f1
      Mauro Carvalho Chehab authored 
      Instead of just numbering fail0 to fail4, use more meaninful
goto labels.
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      7f9197f1
    • Mauro Carvalho Chehab's avatar
      media: sun6i-csi: add a missing return code · ba913911
      Mauro Carvalho Chehab authored 
      As pointed by smatch, there's a missing return code:

	drivers/media/platform/sunxi/sun6i-csi/sun6i_video.c:485 sun6i_video_open() warn: missing error code 'ret'
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      ba913911
    • Mauro Carvalho Chehab's avatar
      media: dvbdev: fix error logic at dvb_register_device() · 1fec2ecc
      Mauro Carvalho Chehab authored 
      As reported by smatch:

	drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:510 dvb_register_device() warn: '&dvbdev->list_head' not removed from list
	drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:530 dvb_register_device() warn: '&dvbdev->list_head' not removed from list
	drivers/media/dvb-core/dvbdev.c: drivers/media/dvb-core/dvbdev.c:545 dvb_register_device() warn: '&dvbdev->list_head' not removed from list

The error logic inside dvb_register_device() doesn't remove
devices from the dvb_adapter_list in case of errors.
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      1fec2ecc
    • Mauro Carvalho Chehab's avatar
      media: dvb_net: avoid speculation from net slot · abc0226d
      Mauro Carvalho Chehab authored 
      The risk of especulation is actually almost-non-existing here,
as there are very few users of TCP/IP using the DVB stack,
as, this is mainly used with DVB-S/S2 cards, and only by people
that receives TCP/IP from satellite connections, which limits
a lot the number of users of such feature(*).

(*) In thesis, DVB-C cards could also benefit from it, but I'm
yet to see a hardware that supports it.

Yet, fixing it is trivial.
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      abc0226d
    • Mauro Carvalho Chehab's avatar
      media: dvb_ca_en50221: avoid speculation from CA slot · d382c5be
      Mauro Carvalho Chehab authored 
      As warned by smatch:
	drivers/media/dvb-core/dvb_ca_en50221.c:1392 dvb_ca_en50221_io_do_ioctl() warn: potential spectre issue 'ca->slot_info' [r] (local cap)

There's a potential of using a CAM ioctl for speculation.

The risk here is minimum, as only a small subset of DVB
boards have CI, with a CAM module installed. Also, exploiting
it would require a user capable of starting a DVB application.

There are probably a lot of easier ways to try to exploit.

Yet, it doesn't harm addressing it.
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      d382c5be
  3. 16 Jun, 2021 4 commits
  5. 11 Jun, 2021 1 commit
    • Benjamin Drung's avatar
      media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K · 4c6e0976
      Benjamin Drung authored 
      The Elgato Cam Link 4K HDMI video capture card reports to support three
different pixel formats, where the first format depends on the connected
HDMI device.

```
$ v4l2-ctl -d /dev/video0 --list-formats-ext
ioctl: VIDIOC_ENUM_FMT
	Type: Video Capture

	[0]: 'NV12' (Y/CbCr 4:2:0)
		Size: Discrete 3840x2160
			Interval: Discrete 0.033s (29.970 fps)
	[1]: 'NV12' (Y/CbCr 4:2:0)
		Size: Discrete 3840x2160
			Interval: Discrete 0.033s (29.970 fps)
	[2]: 'YU12' (Planar YUV 4:2:0)
		Size: Discrete 3840x2160
			Interval: Discrete 0.033s (29.970 fps)
```

Changing the pixel format to anything besides the first pixel format
does not work:

```
$ v4l2-ctl -d /dev/video0 --try-fmt-video pixelformat=YU12
Format Video Capture:
	Width/Height      : 3840/2160
	Pixel Format      : 'NV12' (Y/CbCr 4:2:0)
	Field             : None
	Bytes per Line    : 3840
	Size Image        : 12441600
	Colorspace        : sRGB
	Transfer Function : Rec. 709
	YCbCr/HSV Encoding: Rec. 709
	Quantization      : Default (maps to Limited Range)
	Flags             :
```

User space applications like VLC might show an error message on the
terminal in that case:

```
libv4l2: error set_fmt gave us a different result than try_fmt!
```

Depending on the error handling of the user space applications, they
might display a distorted video, because they use the wrong pixel format
for decoding the stream.

The Elgato Cam Link 4K responds to the USB video probe
VS_PROBE_CONTROL/VS_COMMIT_CONTROL with a malformed data structure: The
second byte contains bFormatIndex (instead of being the second byte of
bmHint). The first byte is always zero. The third byte is always 1.

The firmware bug was reported to Elgato on 2020-12-01 and it was
forwarded by the support team to the developers as feature request.
There is no firmware update available since then. The latest firmware
for Elgato Cam Link 4K as of 2021-03-23 has MCU 20.02.19 and FPGA 67.

Therefore correct the malformed data structure for this device. The
change was successfully tested with VLC, OBS, and Chromium using
different pixel formats (YUYV, NV12, YU12), resolutions (3840x2160,
1920x1080), and frame rates (29.970 and 59.940 fps).

Cc: stable@vger.kernel.org
Signed-off-by: default avatarBenjamin Drung <bdrung@posteo.de>
Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      4c6e0976
  7. 09 Jun, 2021 1 commit
    • Mauro Carvalho Chehab's avatar
      media: dmxdev: change the check for problems allocing secfeed · 3d42c93e
      Mauro Carvalho Chehab authored 
      While the logic there is right, it tricks static check analyzers,
like smatch:

	drivers/media/dvb-core/dmxdev.c:729 dvb_dmxdev_filter_start() error: we previously assumed '*secfeed' could be null (see line 719)

Because the implementation of the filter itself is made via
a callback, with its real implementation at the
dvbdmx_allocate_section_feed() inside dvb_demux.c.

So, change the check logic to make it clear that the function
will not try to use *secfeed == NULL.
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      3d42c93e
  9. 08 Jun, 2021 24 commits
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7