Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp13342828ybl; Sun, 29 Dec 2019 09:42:42 -0800 (PST) X-Google-Smtp-Source: APXvYqx1iRT3G958MLOxpvPsQWaJfADaHLTLH5c4+XNRhPCT4eFdG2pG76y0Hi5m52r9orguO8ca X-Received: by 2002:a05:6830:1116:: with SMTP id w22mr71309440otq.63.1577641362875; Sun, 29 Dec 2019 09:42:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1577641362; cv=none; d=google.com; s=arc-20160816; b=jlG1On/4ltvBOkfR7wAV7JxsbjpUbb48Bbbf5Xp+S/eBdNQcze+q5ejYepqix1Nwde R88qihiab4a9RfBqb62IHCOGVpNfwaBtpHTYD8dhUKJQ+myEWrY3t6QWGBktjSCbpmFU e9iLUJAr3AstaeIbE1AKQida1Vq5jQpIUk2SbRJZXYlUSV1d+vtlmx/7Pik74Thyrf70 WuNq3Fl5tCtNTpu38hzvV6/mE2pDasuaZG2a2gvDm7C77pho9xTsYRy7thhaaF5tWyrO sb3VdjM3L0DungAgFu1G6yo5LcJhBdq2J7nLciL89HB9EYGAZ+io8YWgCIyHrQIsftrj 0Xrg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=saRYatLyu2CJSNFoRTKGIaJyagkceetcXvk3Ss9zyWU=; b=LHk3zgXtrisTd7jYklD0XrbirsO/HtHQVEUqwVvB86I2lCKH/0746kLKXc4Uu6pHGH NKmHcIAfjvllkdssBzijNvG+tZoTE1ebML/jF4RGphxFVqg30yoTZcI+VlEUsdjQhwnC GZqPaf+DvrXqQzfBm6NHo/F1CyRxQ8G+wfp9/Wo2op7jM7dMoche7C3lVPFLLqaFd8vv da4Y1bjSjQZ4GdBY780XfQ7P7xnuAQ2vi4QwfyuNahHtEerUdtBWGGfMhopb7njNcYRw sDt0/5Uzh8/UnXeUn8qQpbyee/J8c+nNkH0KQ5Fgv+FD+Nf0mAIf63Ej/q7SwgV+Ud8g Y2rA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="m/5G3/AQ"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q6si26115208otg.248.2019.12.29.09.42.32; Sun, 29 Dec 2019 09:42:42 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="m/5G3/AQ"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730189AbfL2Rlc (ORCPT + 99 others); Sun, 29 Dec 2019 12:41:32 -0500 Received: from mail.kernel.org ([198.145.29.99]:56116 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728699AbfL2RaQ (ORCPT ); Sun, 29 Dec 2019 12:30:16 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 51D3D20722; Sun, 29 Dec 2019 17:30:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1577640615; bh=m4hHI7jDlSWB/FgJnp1KCl5obLxNslWCKCOV9FQzl+Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=m/5G3/AQGndqYF7yzc0gbWL3AWuhcLWp8JXx+TvNNUoJcZnmp7fvP+hm2blhKIsRg PKIx8aTAazAWu3z38x5J5V1x9hiKmskh12pjk/2YOrYVrLys+Ffsz4DOmdJCaXl6If YlaS1ZldmxouJKJp0sKVaTmPyuLIPVn6+NMVbW34= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Benoit Parrot , Tomi Valkeinen , Hans Verkuil , Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH 4.19 068/219] media: ti-vpe: vpe: fix a v4l2-compliance failure causing a kernel panic Date: Sun, 29 Dec 2019 18:17:50 +0100 Message-Id: <20191229162516.852303393@linuxfoundation.org> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20191229162508.458551679@linuxfoundation.org> References: <20191229162508.458551679@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Benoit Parrot [ Upstream commit a37980ac5be29b83da67bf7d571c6bd9f90f8e45 ] v4l2-compliance fails with this message: warn: v4l2-test-formats.cpp(717): \ TRY_FMT cannot handle an invalid pixelformat. test VIDIOC_TRY_FMT: FAIL This causes the following kernel panic: Unable to handle kernel paging request at virtual address 56595561 pgd = ecd80e00 *pgd=00000000 Internal error: Oops: 205 [#1] PREEMPT SMP ARM ... CPU: 0 PID: 930 Comm: v4l2-compliance Not tainted \ 4.14.62-01715-gc8cd67f49a19 #1 Hardware name: Generic DRA72X (Flattened Device Tree) task: ece44d80 task.stack: ecc6e000 PC is at __vpe_try_fmt+0x18c/0x2a8 [ti_vpe] LR is at 0x8 Because the driver fails to properly check the 'num_planes' values for proper ranges it ends up accessing out of bound data causing the kernel panic. Since this driver only handle single or dual plane pixel format, make sure the provided value does not exceed 2 planes. Signed-off-by: Benoit Parrot Reviewed-by: Tomi Valkeinen Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/platform/ti-vpe/vpe.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c index ca9095b80309..54f0d9d3cc49 100644 --- a/drivers/media/platform/ti-vpe/vpe.c +++ b/drivers/media/platform/ti-vpe/vpe.c @@ -1646,7 +1646,7 @@ static int __vpe_try_fmt(struct vpe_ctx *ctx, struct v4l2_format *f, &pix->height, MIN_H, MAX_H, H_ALIGN, S_ALIGN); - if (!pix->num_planes) + if (!pix->num_planes || pix->num_planes > 2) pix->num_planes = fmt->coplanar ? 2 : 1; else if (pix->num_planes > 1 && !fmt->coplanar) pix->num_planes = 1; -- 2.20.1