<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/media/usb, branch linux-4.6.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>media: fix airspy usb probe error path</title>
<updated>2016-08-10T10:54:49+00:00</updated>
<author>
<name>James Patrick-Evans</name>
<email>james@jmp-e.com</email>
</author>
<published>2016-07-15T15:40:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1031db3dff78793352bbda8ab5391def6f372aa4'/>
<id>1031db3dff78793352bbda8ab5391def6f372aa4</id>
<content type='text'>
commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream.

Fix a memory leak on probe error of the airspy usb device driver.

The problem is triggered when more than 64 usb devices register with
v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.

The memory leak is caused by the probe function of the airspy driver
mishandling errors and not freeing the corresponding control structures
when an error occurs registering the device to v4l2 core.

A badusb device can emulate 64 of these devices, and then through
continual emulated connect/disconnect of the 65th device, cause the
kernel to run out of RAM and crash the kernel, thus causing a local DOS
vulnerability.

Fixes CVE-2016-5400

Signed-off-by: James Patrick-Evans &lt;james@jmp-e.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream.

Fix a memory leak on probe error of the airspy usb device driver.

The problem is triggered when more than 64 usb devices register with
v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.

The memory leak is caused by the probe function of the airspy driver
mishandling errors and not freeing the corresponding control structures
when an error occurs registering the device to v4l2 core.

A badusb device can emulate 64 of these devices, and then through
continual emulated connect/disconnect of the 65th device, cause the
kernel to run out of RAM and crash the kernel, thus causing a local DOS
vulnerability.

Fixes CVE-2016-5400

Signed-off-by: James Patrick-Evans &lt;james@jmp-e.com&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>uvc: Forward compat ioctls to their handlers directly</title>
<updated>2016-07-27T15:42:11+00:00</updated>
<author>
<name>Andy Lutomirski</name>
<email>luto@kernel.org</email>
</author>
<published>2016-05-24T22:13:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c9abd3376c581e18d1878435daf9dcfafc75dd3b'/>
<id>c9abd3376c581e18d1878435daf9dcfafc75dd3b</id>
<content type='text'>
commit a44323e2a8f342848bb77e8e04fcd85fcb91b3b4 upstream.

The current code goes through a lot of indirection just to call a
known handler.  Simplify it: just call the handlers directly.

Signed-off-by: Andy Lutomirski &lt;luto@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a44323e2a8f342848bb77e8e04fcd85fcb91b3b4 upstream.

The current code goes through a lot of indirection just to call a
known handler.  Simplify it: just call the handlers directly.

Signed-off-by: Andy Lutomirski &lt;luto@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>[media] usbvision: revert commit 588afcc1</title>
<updated>2016-04-20T18:58:54+00:00</updated>
<author>
<name>Vladis Dronov</name>
<email>vdronov@redhat.com</email>
</author>
<published>2016-01-31T16:14:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d5468d7afaa9c9e961e150f0455a14a9f4872a98'/>
<id>d5468d7afaa9c9e961e150f0455a14a9f4872a98</id>
<content type='text'>
Commit 588afcc1c0e4 ("[media] usbvision fix overflow of interfaces
array") should be reverted, because:

* "!dev-&gt;actconfig-&gt;interface[ifnum]" won't catch a case where the value
is not NULL but some garbage. This way the system may crash later with
GPF.

* "(ifnum &gt;= USB_MAXINTERFACES)" does not cover all the error
conditions. "ifnum" should be compared to "dev-&gt;actconfig-&gt;
desc.bNumInterfaces", i.e. compared to the number of "struct
usb_interface" kzalloc()-ed, not to USB_MAXINTERFACES.

* There is a "struct usb_device" leak in this error path, as there is
usb_get_dev(), but no usb_put_dev() on this path.

* There is a bug of the same type several lines below with number of
endpoints. The code is accessing hard-coded second endpoint
("interface-&gt;endpoint[1].desc") which may not exist. It would be great
to handle this in the same patch too.

* All the concerns above are resolved by already-accepted commit fa52bd50
("[media] usbvision: fix crash on detecting device with invalid
configuration")

* Mailing list message:
http://www.spinics.net/lists/linux-media/msg94832.html

Signed-off-by: Vladis Dronov &lt;vdronov@redhat.com&gt;
Signed-off-by: Hans Verkuil &lt;hans.verkuil@cisco.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;      # for v4.5
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Commit 588afcc1c0e4 ("[media] usbvision fix overflow of interfaces
array") should be reverted, because:

* "!dev-&gt;actconfig-&gt;interface[ifnum]" won't catch a case where the value
is not NULL but some garbage. This way the system may crash later with
GPF.

* "(ifnum &gt;= USB_MAXINTERFACES)" does not cover all the error
conditions. "ifnum" should be compared to "dev-&gt;actconfig-&gt;
desc.bNumInterfaces", i.e. compared to the number of "struct
usb_interface" kzalloc()-ed, not to USB_MAXINTERFACES.

* There is a "struct usb_device" leak in this error path, as there is
usb_get_dev(), but no usb_put_dev() on this path.

* There is a bug of the same type several lines below with number of
endpoints. The code is accessing hard-coded second endpoint
("interface-&gt;endpoint[1].desc") which may not exist. It would be great
to handle this in the same patch too.

* All the concerns above are resolved by already-accepted commit fa52bd50
("[media] usbvision: fix crash on detecting device with invalid
configuration")

* Mailing list message:
http://www.spinics.net/lists/linux-media/msg94832.html

Signed-off-by: Vladis Dronov &lt;vdronov@redhat.com&gt;
Signed-off-by: Hans Verkuil &lt;hans.verkuil@cisco.com&gt;
Cc: &lt;stable@vger.kernel.org&gt;      # for v4.5
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[media] Revert "[media] media: au0828 change to use Managed Media Controller API"</title>
<updated>2016-03-31T18:09:04+00:00</updated>
<author>
<name>Mauro Carvalho Chehab</name>
<email>mchehab@osg.samsung.com</email>
</author>
<published>2016-03-31T13:54:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=405ddbfa68177b6169d09bc2308a39196a8eb64a'/>
<id>405ddbfa68177b6169d09bc2308a39196a8eb64a</id>
<content type='text'>
Extending the lifetime of the media_device struct is not handled well
by the core, as it will erase some data from the struct, when
media_device_cleanup() is called after unregistering it.

While we have a fixup patch for it already, the usage of those new
functions is needed only when we share data with other drivers.

So, better to revert the changes.

This reverts commit 182dde7c5d4c ("[media] media: au0828 change
to use Managed Media Controller API")

Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Extending the lifetime of the media_device struct is not handled well
by the core, as it will erase some data from the struct, when
media_device_cleanup() is called after unregistering it.

While we have a fixup patch for it already, the usage of those new
functions is needed only when we share data with other drivers.

So, better to revert the changes.

This reverts commit 182dde7c5d4c ("[media] media: au0828 change
to use Managed Media Controller API")

Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[media] au0828: Fix dev_state handling</title>
<updated>2016-03-31T18:01:35+00:00</updated>
<author>
<name>Mauro Carvalho Chehab</name>
<email>mchehab@osg.samsung.com</email>
</author>
<published>2016-03-22T12:21:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e8e3039f5b941f7825d335f8ca11c12a8104db11'/>
<id>e8e3039f5b941f7825d335f8ca11c12a8104db11</id>
<content type='text'>
The au0828 dev_state is actually a bit mask. It should not be
checking with "==" but, instead, with a logic and. There are some
places where it was doing it wrong.

Fix that by replacing the dev_state set/clear/test with the
bitops.

As reviewed by Shuah:
	"Looks good. Tested running bind/unbind au0828 loop for 1000 times.
	Didn't see any problems and the v4l2_querycap() problem has been
	fixed with this patch.

	After the above test, ran bind/unbind snd_usb_audio 1000 times.
	Didn't see any problems. Generated media graph and the graph
	looks good."

Cc: stable@vger.kernel.org
Reviewed-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Tested-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The au0828 dev_state is actually a bit mask. It should not be
checking with "==" but, instead, with a logic and. There are some
places where it was doing it wrong.

Fix that by replacing the dev_state set/clear/test with the
bitops.

As reviewed by Shuah:
	"Looks good. Tested running bind/unbind au0828 loop for 1000 times.
	Didn't see any problems and the v4l2_querycap() problem has been
	fixed with this patch.

	After the above test, ran bind/unbind snd_usb_audio 1000 times.
	Didn't see any problems. Generated media graph and the graph
	looks good."

Cc: stable@vger.kernel.org
Reviewed-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Tested-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[media] au0828: fix au0828_v4l2_close() dev_state race condition</title>
<updated>2016-03-31T18:01:08+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2016-03-22T04:04:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ed940cd27416f9887864b95e1f8f8845aa9d6391'/>
<id>ed940cd27416f9887864b95e1f8f8845aa9d6391</id>
<content type='text'>
au0828_v4l2_close() check for dev_state == DEV_DISCONNECTED will fail to
detect the device disconnected state correctly, if au0828_v4l2_open() runs
to set the DEV_INITIALIZED bit. A loop test of bind/unbind found this bug
by increasing the likelihood of au0828_v4l2_open() occurring while unbind
is in progress. When au0828_v4l2_close() fails to detect that the device
is in disconnect state, it attempts to power down the device and fails with
the following general protection fault:

[  260.992962] Call Trace:
[  260.993008]  [&lt;ffffffffa0f80f0f&gt;] ? xc5000_sleep+0x8f/0xd0 [xc5000]
[  260.993095]  [&lt;ffffffffa0f6803c&gt;] ? fe_standby+0x3c/0x50 [tuner]
[  260.993186]  [&lt;ffffffffa0ef541c&gt;] au0828_v4l2_close+0x53c/0x620 [au0828]
[  260.993298]  [&lt;ffffffffa0d08ec0&gt;] v4l2_release+0xf0/0x210 [videodev]
[  260.993382]  [&lt;ffffffff81570f9c&gt;] __fput+0x1fc/0x6c0
[  260.993449]  [&lt;ffffffff815714ce&gt;] ____fput+0xe/0x10
[  260.993519]  [&lt;ffffffff8116eb83&gt;] task_work_run+0x133/0x1f0
[  260.993602]  [&lt;ffffffff810035d0&gt;] exit_to_usermode_loop+0x140/0x170
[  260.993681]  [&lt;ffffffff810061ca&gt;] syscall_return_slowpath+0x16a/0x1a0
[  260.993754]  [&lt;ffffffff82835fb3&gt;] entry_SYSCALL_64_fastpath+0xa6/0xa8

Cc: stable@vger.kernel.org
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
au0828_v4l2_close() check for dev_state == DEV_DISCONNECTED will fail to
detect the device disconnected state correctly, if au0828_v4l2_open() runs
to set the DEV_INITIALIZED bit. A loop test of bind/unbind found this bug
by increasing the likelihood of au0828_v4l2_open() occurring while unbind
is in progress. When au0828_v4l2_close() fails to detect that the device
is in disconnect state, it attempts to power down the device and fails with
the following general protection fault:

[  260.992962] Call Trace:
[  260.993008]  [&lt;ffffffffa0f80f0f&gt;] ? xc5000_sleep+0x8f/0xd0 [xc5000]
[  260.993095]  [&lt;ffffffffa0f6803c&gt;] ? fe_standby+0x3c/0x50 [tuner]
[  260.993186]  [&lt;ffffffffa0ef541c&gt;] au0828_v4l2_close+0x53c/0x620 [au0828]
[  260.993298]  [&lt;ffffffffa0d08ec0&gt;] v4l2_release+0xf0/0x210 [videodev]
[  260.993382]  [&lt;ffffffff81570f9c&gt;] __fput+0x1fc/0x6c0
[  260.993449]  [&lt;ffffffff815714ce&gt;] ____fput+0xe/0x10
[  260.993519]  [&lt;ffffffff8116eb83&gt;] task_work_run+0x133/0x1f0
[  260.993602]  [&lt;ffffffff810035d0&gt;] exit_to_usermode_loop+0x140/0x170
[  260.993681]  [&lt;ffffffff810061ca&gt;] syscall_return_slowpath+0x16a/0x1a0
[  260.993754]  [&lt;ffffffff82835fb3&gt;] entry_SYSCALL_64_fastpath+0xa6/0xa8

Cc: stable@vger.kernel.org
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[media] media: au0828 fix to clear enable/disable/change source handlers</title>
<updated>2016-03-31T17:50:39+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2016-03-13T03:57:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ffa8576a5380e098c4f066f50c5ec812b9abef43'/>
<id>ffa8576a5380e098c4f066f50c5ec812b9abef43</id>
<content type='text'>
Fix to clear enable/disable/change source handlers in the media device
when media device is unregistered in au0828_unregister_media_device().
When au0828 module is removed, snd-usb-audio shouldn't call the handlers.
Clearing will ensure snd-usb-audio won't call them once au0828 is removed.

[mchehab@osg.samsung.com: fix a compilation breakage]
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix to clear enable/disable/change source handlers in the media device
when media device is unregistered in au0828_unregister_media_device().
When au0828 module is removed, snd-usb-audio shouldn't call the handlers.
Clearing will ensure snd-usb-audio won't call them once au0828 is removed.

[mchehab@osg.samsung.com: fix a compilation breakage]
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[media] au0828: disable tuner links and cache tuner/decoder</title>
<updated>2016-03-31T17:50:38+00:00</updated>
<author>
<name>Mauro Carvalho Chehab</name>
<email>mchehab@osg.samsung.com</email>
</author>
<published>2016-03-11T19:02:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2e208c64e3aa7abe7b79963bb29f5d14a4b96e58'/>
<id>2e208c64e3aa7abe7b79963bb29f5d14a4b96e58</id>
<content type='text'>
For au0828_enable_source() to work, the tuner links should be
disabled and the tuner/decoder should be cached at au0828 struct.

While here, put dev-&gt;decoder cache together with dev-&gt;tuner, as
it makes it easier to drop both later if/when we move the enable
routines to the V4L2 core.

Fixes: 9822f4173f84 ('[media] au0828: use v4l2_mc_create_media_graph()')

Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
Reviewed-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Tested-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For au0828_enable_source() to work, the tuner links should be
disabled and the tuner/decoder should be cached at au0828 struct.

While here, put dev-&gt;decoder cache together with dev-&gt;tuner, as
it makes it easier to drop both later if/when we move the enable
routines to the V4L2 core.

Fixes: 9822f4173f84 ('[media] au0828: use v4l2_mc_create_media_graph()')

Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
Reviewed-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Tested-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>media: au0828 disable tuner to demod link in au0828_media_device_register()</title>
<updated>2016-03-10T16:44:10+00:00</updated>
<author>
<name>Shuah Khan</name>
<email>shuahkh@osg.samsung.com</email>
</author>
<published>2016-03-10T02:15:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=840f5b0572ea9ddaca2bf5540a171013e92c97bd'/>
<id>840f5b0572ea9ddaca2bf5540a171013e92c97bd</id>
<content type='text'>
Disable tuner to demod link in au0828_media_device_register(). This step
should be done after dvb graph is created.

[mchehab@osg.samsung.com: Solve conflicts to apply it upstream]
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Disable tuner to demod link in au0828_media_device_register(). This step
should be done after dvb graph is created.

[mchehab@osg.samsung.com: Solve conflicts to apply it upstream]
Signed-off-by: Shuah Khan &lt;shuahkh@osg.samsung.com&gt;
Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[media] touptek: cast char types on %x printk</title>
<updated>2016-03-10T16:37:45+00:00</updated>
<author>
<name>Mauro Carvalho Chehab</name>
<email>mchehab@osg.samsung.com</email>
</author>
<published>2016-03-06T13:15:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=778f2a3c1644bf446c4069477fbdf99b7a40a55a'/>
<id>778f2a3c1644bf446c4069477fbdf99b7a40a55a</id>
<content type='text'>
This fixes those two smatch warnings:
	drivers/media/usb/gspca/touptek.c:206 val_reply() warn: argument 3 to %02x specifier has type 'char'
	drivers/media/usb/gspca/touptek.c:222 reg_w() warn: argument 4 to %02x specifier has type 'char'

Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This fixes those two smatch warnings:
	drivers/media/usb/gspca/touptek.c:206 val_reply() warn: argument 3 to %02x specifier has type 'char'
	drivers/media/usb/gspca/touptek.c:222 reg_w() warn: argument 4 to %02x specifier has type 'char'

Signed-off-by: Mauro Carvalho Chehab &lt;mchehab@osg.samsung.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
