- Linux-stable-mirror - lists.linaro.org

[PATCH] media: iris: Fix ffmpeg corrupted frame error

by Vishnu Reddy

When the ffmpeg decoder is running, the driver receives the V4L2_BUF_FLAG_KEYFRAME flag in the input buffer. The driver then forwards this flag information to the firmware. The firmware, in turn, copies the input buffer flags directly into the output buffer flags. Upon receiving the output buffer from the firmware, the driver observes that the buffer contains the HFI_BUFFERFLAG_DATACORRUPT flag. The root cause is that both V4L2_BUF_FLAG_KEYFRAME and HFI_BUFFERFLAG_DATACORRUPT are the same value. As a result, the driver incorrectly interprets the output frame as corrupted, even though the frame is actually valid. This misinterpretation causes the driver to report an error and skip good frames, leading to missing frames in the final video output and triggering ffmpeg's "corrupt decoded frame" error. To resolve this issue, the input buffer flags should not be sent to the firmware during decoding, since the firmware does not require this information. Fixes: 17f2a485ca67 ("media: iris: implement vb2 ops for buf_queue and firmware response") Cc: stable(a)vger.kernel.org Signed-off-by: Vishnu Reddy <quic_bvisredd(a)quicinc.com> --- drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c b/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c index e1788c266bb1..4de03f31eaf3 100644 --- a/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c +++ b/drivers/media/platform/qcom/iris/iris_hfi_gen1_command.c @@ -282,7 +282,7 @@ static int iris_hfi_gen1_queue_input_buffer(struct iris_inst *inst, struct iris_ com_ip_pkt.shdr.session_id = inst->session_id; com_ip_pkt.time_stamp_hi = upper_32_bits(buf->timestamp); com_ip_pkt.time_stamp_lo = lower_32_bits(buf->timestamp); - com_ip_pkt.flags = buf->flags; + com_ip_pkt.flags = 0; com_ip_pkt.mark_target = 0; com_ip_pkt.mark_data = 0; com_ip_pkt.offset = buf->data_offset; -- 2.34.1

1 week, 4 days

4
4
0 0

[PATCH] drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()

by Sanjay Yadav

In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, freeing oa_config before we dereference it, leading to a potential use-after-free. Fix this by caching the id in a local variable while holding the lock. Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6614 Fixes: cdf02fe1a94a7 ("drm/xe/oa/uapi: Add/remove OA config perf ops") Cc: <stable(a)vger.kernel.org> # v6.11+ Suggested-by: Matthew Auld <matthew.auld(a)intel.com> Signed-off-by: Sanjay Yadav <sanjay.kumar.yadav(a)intel.com> --- drivers/gpu/drm/xe/xe_oa.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/xe/xe_oa.c b/drivers/gpu/drm/xe/xe_oa.c index 87a2bf53d661..8f954bc3eed5 100644 --- a/drivers/gpu/drm/xe/xe_oa.c +++ b/drivers/gpu/drm/xe/xe_oa.c @@ -2403,11 +2403,13 @@ int xe_oa_add_config_ioctl(struct drm_device *dev, u64 data, struct drm_file *fi goto sysfs_err; } - mutex_unlock(&oa->metrics_lock); + id = oa_config->id; + + drm_dbg(&oa->xe->drm, "Added config %s id=%i\n", oa_config->uuid, id); - drm_dbg(&oa->xe->drm, "Added config %s id=%i\n", oa_config->uuid, oa_config->id); + mutex_unlock(&oa->metrics_lock); - return oa_config->id; + return id; sysfs_err: mutex_unlock(&oa->metrics_lock); @@ -2461,10 +2463,10 @@ int xe_oa_remove_config_ioctl(struct drm_device *dev, u64 data, struct drm_file sysfs_remove_group(oa->metrics_kobj, &oa_config->sysfs_metric); idr_remove(&oa->metrics_idr, arg); - mutex_unlock(&oa->metrics_lock); - drm_dbg(&oa->xe->drm, "Removed config %s id=%i\n", oa_config->uuid, oa_config->id); + mutex_unlock(&oa->metrics_lock); + xe_oa_config_put(oa_config); return 0; -- 2.43.0

1 week, 4 days

3
2
0 0

[PATCH -stable,5.10 0/1] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains backported fixes for 5.10 -stable. The following list shows the backported patch: 1) cf5fb87fcdaa ("netfilter: nf_tables: reject duplicate device on updates") This only includes the flowtable chunk because chain cannot be updated in this kernel version. Please, apply, Thanks Pablo Neira Ayuso (1): netfilter: nf_tables: reject duplicate device on updates net/netfilter/nf_tables_api.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) -- 2.47.3

1 week, 4 days

2
3
0 0

[PATCH -stable,5.15 0/1] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains backported fixes for 5.15 -stable. The following list shows the backported patch: 1) cf5fb87fcdaa ("netfilter: nf_tables: reject duplicate device on updates") This only includes the flowtable chunk because chain cannot be updated in this kernel version. Please, apply, Thanks Pablo Neira Ayuso (1): netfilter: nf_tables: reject duplicate device on updates net/netfilter/nf_tables_api.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) -- 2.47.3

1 week, 4 days

2
2
0 0

[PATCH -stable,6.1 0/1] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains backported fixes for 6.1 -stable. The following list shows the backported patch: 1) cf5fb87fcdaa ("netfilter: nf_tables: reject duplicate device on updates") This only includes the flowtable chunk because chain cannot be updated in this kernel version. Please, apply, Thanks Pablo Neira Ayuso (1): netfilter: nf_tables: reject duplicate device on updates net/netfilter/nf_tables_api.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) -- 2.47.3

1 week, 4 days

2
2
0 0

[PATCH] e1000: fix OOB in e1000_tbi_should_accept()

by Guangshuo Li

In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and can hit unrelated slab objects. The issue is observed from the NAPI receive path (e1000_clean_rx_irq): ================================================================== BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790 Read of size 1 at addr ffff888014114e54 by task sshd/363 CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: <IRQ> dump_stack_lvl+0x5a/0x74 print_address_description+0x7b/0x440 print_report+0x101/0x200 kasan_report+0xc1/0xf0 e1000_tbi_should_accept+0x610/0x790 e1000_clean_rx_irq+0xa8c/0x1110 e1000_clean+0xde2/0x3c10 __napi_poll+0x98/0x380 net_rx_action+0x491/0xa20 __do_softirq+0x2c9/0x61d do_softirq+0xd1/0x120 </IRQ> <TASK> __local_bh_enable_ip+0xfe/0x130 ip_finish_output2+0x7d5/0xb00 __ip_queue_xmit+0xe24/0x1ab0 __tcp_transmit_skb+0x1bcb/0x3340 tcp_write_xmit+0x175d/0x6bd0 __tcp_push_pending_frames+0x7b/0x280 tcp_sendmsg_locked+0x2e4f/0x32d0 tcp_sendmsg+0x24/0x40 sock_write_iter+0x322/0x430 vfs_write+0x56c/0xa60 ksys_write+0xd1/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f511b476b10 Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24 RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10 RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003 RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00 R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003 </TASK> Allocated by task 1: __kasan_krealloc+0x131/0x1c0 krealloc+0x90/0xc0 add_sysfs_param+0xcb/0x8a0 kernel_add_sysfs_param+0x81/0xd4 param_sysfs_builtin+0x138/0x1a6 param_sysfs_init+0x57/0x5b do_one_initcall+0x104/0x250 do_initcall_level+0x102/0x132 do_initcalls+0x46/0x74 kernel_init_freeable+0x28f/0x393 kernel_init+0x14/0x1a0 ret_from_fork+0x22/0x30 The buggy address belongs to the object at ffff888014114000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1620 bytes to the right of 2048-byte region [ffff888014114000, ffff888014114800] The buggy address belongs to the physical page: page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110 head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head|node=0|zone=1) raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected ================================================================== This happens because the TBI check unconditionally dereferences the last byte without validating the reported length first: u8 last_byte = *(data + length - 1); Fix by rejecting the frame early if the length is zero, or if it exceeds adapter->rx_buffer_len. This preserves the TBI workaround semantics for valid frames and prevents touching memory beyond the RX buffer. Fixes: 2037110c96d5 ("e1000: move tbi workaround code into helper function") Cc: stable(a)vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244(a)gmail.com> --- drivers/net/ethernet/intel/e1000/e1000_main.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c index 3f5feb55cfba..2d2ed5e2c3c8 100644 --- a/drivers/net/ethernet/intel/e1000/e1000_main.c +++ b/drivers/net/ethernet/intel/e1000/e1000_main.c @@ -4090,6 +4090,12 @@ static bool e1000_tbi_should_accept(struct e1000_adapter *adapter, u8 status, u8 errors, u32 length, const u8 *data) { + /* Guard against OOB on data[length - 1] */ + if (unlikely(!length)) + return false; + /* Upper bound: length must not exceed rx_buffer_len */ + if (unlikely(length > adapter->rx_buffer_len)) + return false; struct e1000_hw *hw = &adapter->hw; u8 last_byte = *(data + length - 1); -- 2.43.0

1 week, 4 days

3
2
0 0

[PATCH -stable,6.6 0/1] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains backported fixes for 6.6 -stable. The following list shows the backported patch: 1) cf5fb87fcdaa ("netfilter: nf_tables: reject duplicate device on updates") Please, apply, Thanks Pablo Neira Ayuso (1): netfilter: nf_tables: reject duplicate device on updates net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) -- 2.47.3

1 week, 4 days

2
2
0 0

[PATCH -stable,6.12 0/2] Netfilter fixes for -stable

by Pablo Neira Ayuso

Hi Greg, Sasha, This batch contains backported fixes for 6.12 -stable. The following list shows the backported patches: 1) Partial revert of commit dbe85d3115c7e6b5124c8b028f4f602856ea51dd in -stable 6.12, this patch does not exist upstream. This unbreaks old nft userspace binaries which cannot parse this shortened deletion event. 2) cf5fb87fcdaa ("netfilter: nf_tables: reject duplicate device on updates") Please, apply, Thanks. Pablo Neira Ayuso (2): Revert "netfilter: nf_tables: Reintroduce shortened deletion notifications" netfilter: nf_tables: reject duplicate device on updates net/netfilter/nf_tables_api.c | 66 +++++++++++++++++------------------ 1 file changed, 32 insertions(+), 34 deletions(-) -- 2.47.3

1 week, 4 days

2
4
0 0

[PATCH] nouveau/firmware: Add missing kfree() of nvkm_falcon_fw::boot

by Nam Cao

nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a kmemleak warning. Make sure this data is deallocated. Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs") Signed-off-by: Nam Cao <namcao(a)linutronix.de> Cc: stable(a)vger.kernel.org --- drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c index cac6d64ab67d..4e8b3f1c7e25 100644 --- a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c +++ b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c @@ -159,6 +159,8 @@ nvkm_falcon_fw_dtor(struct nvkm_falcon_fw *fw) nvkm_memory_unref(&fw->inst); nvkm_falcon_fw_dtor_sigs(fw); nvkm_firmware_dtor(&fw->fw); + kfree(fw->boot); + fw->boot = NULL; } static const struct nvkm_firmware_func -- 2.51.0

1 week, 4 days

2
1
0 0

[PATCH] drm/radeon: delete radeon_fence_process in is_signaled, no deadlock

by Robert McClinton

Delete the attempt to progress the queue when checking if fence is signaled. This avoids deadlock. dma-fence_ops::signaled can be called with the fence lock in unknown state. For radeon, the fence lock is also the wait queue lock. This can cause a self deadlock when signaled() tries to make forward progress on the wait queue. But advancing the queue is unneeded because incorrectly returning false from signaled() is perfectly acceptable. Link: https://github.com/brave/brave-browser/issues/49182 Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4641 Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: stable(a)vger.kernel.org Signed-off-by: Robert McClinton <rbmccav(a)gmail.com> --- drivers/gpu/drm/radeon/radeon_fence.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/drivers/gpu/drm/radeon/radeon_fence.c b/drivers/gpu/drm/radeon/radeon_fence.c index 5b5b54e876d4..167d6f122b8e 100644 --- a/drivers/gpu/drm/radeon/radeon_fence.c +++ b/drivers/gpu/drm/radeon/radeon_fence.c @@ -360,13 +360,6 @@ static bool radeon_fence_is_signaled(struct dma_fence *f) if (atomic64_read(&rdev->fence_drv[ring].last_seq) >= seq) return true; - if (down_read_trylock(&rdev->exclusive_lock)) { - radeon_fence_process(rdev, ring); - up_read(&rdev->exclusive_lock); - - if (atomic64_read(&rdev->fence_drv[ring].last_seq) >= seq) - return true; - } return false; } -- 2.51.2

1 week, 4 days

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror