From patchwork Thu Jul 15 18:39:20 2021
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 477442
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Arnd Bergmann, Laurent Pinchart, Hans Verkuil, Mauro Carvalho Chehab
Subject: [PATCH 5.4 113/122] media: subdev: disallow ioctl for saa6588/davinci
Date: Thu, 15 Jul 2021 20:39:20 +0200
Message-Id: <20210715182521.533436365@linuxfoundation.org>
In-Reply-To: <20210715182448.393443551@linuxfoundation.org>
References: <20210715182448.393443551@linuxfoundation.org>
X-Mailing-List: stable@vger.kernel.org

From: Arnd Bergmann

commit 0a7790be182d32b9b332a37cb4206e24fe94b728 upstream.

The saa6588_ioctl() function expects to get called from other kernel
functions with a 'saa6588_command' pointer, but I found nothing stops it
from getting called from user space instead, which seems rather
dangerous.

The same thing happens in the davinci vpbe driver with its VENC_GET_FLD
command.

As a quick fix, add a separate .command() callback pointer for this
driver and change the two callers over to that. This change can easily
get backported to stable kernels if necessary, but since there are only
two drivers, we may want to eventually replace this with a set of more
specialized callbacks in the long run.

Fixes: c3fda7f835b0 ("V4L/DVB (10537): saa6588: convert to v4l2_subdev.")
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann
Reviewed-by: Laurent Pinchart
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman
---
 drivers/media/i2c/saa6588.c | 4 ++--
 drivers/media/pci/bt8xx/bttv-driver.c | 6 +++---
 drivers/media/pci/saa7134/saa7134-video.c | 6 +++---
 drivers/media/platform/davinci/vpbe_display.c | 2 +-
 drivers/media/platform/davinci/vpbe_venc.c | 6 ++----
 include/media/v4l2-subdev.h | 4 ++++
 6 files changed, 15 insertions(+), 13 deletions(-)

--- a/drivers/media/i2c/saa6588.c +++ b/drivers/media/i2c/saa6588.c
@@ -380,7 +380,7 @@ static void saa6588_configure(struct saa /* ---------------------------------------------------------------------- */ -static long saa6588_ioctl(struct v4l2_subdev *sd, unsigned int cmd, void *arg) +static long saa6588_command(struct v4l2_subdev *sd, unsigned int cmd, void *arg) { struct saa6588 *s = to_saa6588(sd); struct saa6588_command *a = arg; @@ -433,7 +433,7 @@ static int saa6588_s_tuner(struct v4l2_s /* ----------------------------------------------------------------------- */ static const struct v4l2_subdev_core_ops saa6588_core_ops = { - .ioctl = saa6588_ioctl, + .command = saa6588_command, }; static const struct v4l2_subdev_tuner_ops saa6588_tuner_ops = { --- a/drivers/media/pci/bt8xx/bttv-driver.c +++ b/drivers/media/pci/bt8xx/bttv-driver.c @@ -3187,7 +3187,7 @@ static int radio_release(struct file *fi btv->radio_user--; - bttv_call_all(btv, core, ioctl, SAA6588_CMD_CLOSE, &cmd); + bttv_call_all(btv, core, command, SAA6588_CMD_CLOSE, &cmd); if (btv->radio_user == 0) btv->has_radio_tuner = 0; @@ -3268,7 +3268,7 @@ static ssize_t radio_read(struct file *f cmd.result = -ENODEV; radio_enable(btv); - bttv_call_all(btv, core, ioctl, SAA6588_CMD_READ, &cmd); + bttv_call_all(btv, core, command, SAA6588_CMD_READ, &cmd); return cmd.result; } @@ -3289,7 +3289,7 @@ static __poll_t radio_poll(struct file * cmd.instance = file; cmd.event_list = wait; cmd.poll_mask = res; - bttv_call_all(btv, core, ioctl, SAA6588_CMD_POLL, &cmd); + bttv_call_all(btv, core, command, SAA6588_CMD_POLL, &cmd); return cmd.poll_mask; } --- a/drivers/media/pci/saa7134/saa7134-video.c +++ b/drivers/media/pci/saa7134/saa7134-video.c @@ -1179,7 +1179,7 @@ static int video_release(struct file *fi saa_call_all(dev, tuner, standby); if (vdev->vfl_type == VFL_TYPE_RADIO) - saa_call_all(dev, core, ioctl, SAA6588_CMD_CLOSE, &cmd); + saa_call_all(dev, core, command, SAA6588_CMD_CLOSE, &cmd); mutex_unlock(&dev->lock); return 0; 
@@ -1198,7 +1198,7 @@ static ssize_t radio_read(struct file *f cmd.result = -ENODEV; mutex_lock(&dev->lock); - saa_call_all(dev, core, ioctl, SAA6588_CMD_READ, &cmd); + saa_call_all(dev, core, command, SAA6588_CMD_READ, &cmd); mutex_unlock(&dev->lock); return cmd.result; @@ -1214,7 +1214,7 @@ static __poll_t radio_poll(struct file * cmd.event_list = wait; cmd.poll_mask = 0; mutex_lock(&dev->lock); - saa_call_all(dev, core, ioctl, SAA6588_CMD_POLL, &cmd); + saa_call_all(dev, core, command, SAA6588_CMD_POLL, &cmd); mutex_unlock(&dev->lock); return rc | cmd.poll_mask; --- a/drivers/media/platform/davinci/vpbe_display.c +++ b/drivers/media/platform/davinci/vpbe_display.c @@ -48,7 +48,7 @@ static int venc_is_second_field(struct v ret = v4l2_subdev_call(vpbe_dev->venc, core, - ioctl, + command, VENC_GET_FLD, &val); if (ret < 0) { --- a/drivers/media/platform/davinci/vpbe_venc.c +++ b/drivers/media/platform/davinci/vpbe_venc.c @@ -521,9 +521,7 @@ static int venc_s_routing(struct v4l2_su return ret; } -static long venc_ioctl(struct v4l2_subdev *sd, - unsigned int cmd, - void *arg) +static long venc_command(struct v4l2_subdev *sd, unsigned int cmd, void *arg) { u32 val; @@ -542,7 +540,7 @@ static long venc_ioctl(struct v4l2_subde } static const struct v4l2_subdev_core_ops venc_core_ops = { - .ioctl = venc_ioctl, + .command = venc_command, }; static const struct v4l2_subdev_video_ops venc_video_ops = { --- a/include/media/v4l2-subdev.h +++ b/include/media/v4l2-subdev.h @@ -162,6 +162,9 @@ struct v4l2_subdev_io_pin_config { * @s_gpio: set GPIO pins. Very simple right now, might need to be extended with * a direction argument if needed. * + * @command: called by in-kernel drivers in order to call functions internal + * to subdev drivers driver that have a separate callback. + * * @ioctl: called at the end of ioctl() syscall handler at the V4L2 core. * used to provide support for private ioctls used on the driver. * 
@@ -193,6 +196,7 @@ struct v4l2_subdev_core_ops { int (*load_fw)(struct v4l2_subdev *sd); int (*reset)(struct v4l2_subdev *sd, u32 val); int (*s_gpio)(struct v4l2_subdev *sd, u32 val); + long (*command)(struct v4l2_subdev *sd, unsigned int cmd, void *arg); long (*ioctl)(struct v4l2_subdev *sd, unsigned int cmd, void *arg); #ifdef CONFIG_COMPAT long (*compat_ioctl32)(struct v4l2_subdev *sd, unsigned int cmd,
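
Review bot: in the first drivers/media/i2c/saa6588.c hunk, the renamed handler `saa6588_command()` now shares its identifier with `struct saa6588_command`, which is used two lines further down (`struct saa6588_command *a = arg;`). C keeps struct tags in a separate namespace, so this compiles, but it makes grep and cross-reference results ambiguous; a distinct function name (for example `saa6588_do_command()`) would avoid that. The `void *arg` is still cast without any type check, so the handler's safety now depends entirely on `.command` never being reachable from user space, which deserves a short comment above the function.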
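
Review bot: in the drivers/media/pci/bt8xx/bttv-driver.c and drivers/media/pci/saa7134/saa7134-video.c hunks, only `radio_read()` presets a failure value (`cmd.result = -ENODEV;`) before the broadcast call; `radio_release()` and `radio_poll()` give no signal if no subdev implements `.command`. For the stable backport, confirm that no other caller in the target tree still passes `SAA6588_CMD_*` or `VENC_GET_FLD` through `core, ioctl`, because the handlers are no longer registered on `.ioctl` and such a call would not reach them.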
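
Review bot: the new `@command` kernel-doc in the include/media/v4l2-subdev.h hunk at -162,6 has a duplicated word ("subdev drivers driver"), and "that have a separate callback" is ambiguous; if the op is meant for driver-internal functions that have no dedicated callback of their own, say so directly. The comment should also state the property this patch relies on: `arg` is a kernel pointer and the op is never invoked from the ioctl() syscall path, in contrast to `@ioctl` documented directly below it.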
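
Review bot: in the `struct v4l2_subdev_core_ops` hunk, `command` is declared with exactly the same prototype as `ioctl` on the following line, so assigning a kernel-only handler to `.ioctl` by mistake (the situation this patch fixes) still compiles without a warning. Consider a typed argument or the more specialized per-driver callbacks the commit message anticipates, or at minimum a comment at the member stating that handlers written for `.command` must not be reused for `.ioctl`.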