| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250601233402.3512823-26-sashal@kernel.org>
Date: Sun, 1 Jun 2025 19:32:53 -0400
From: Sasha Levin <sashal@...nel.org>
To: patches@...ts.linux.dev,
stable@...r.kernel.org
Cc: Nas Chung <nas.chung@...psnmedia.com>,
Sebastian Fricke <sebastian.fricke@...labora.com>,
Hans Verkuil <hverkuil@...all.nl>,
Sasha Levin <sashal@...nel.org>,
mchehab@...nel.org,
linux-media@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH AUTOSEL 6.12 26/93] media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition
From: Nas Chung <nas.chung@...psnmedia.com>
[ Upstream commit f81f69a0e3da141bdd73a16b8676f4e542533d87 ]
V4L2_TYPE_IS_OUTPUT() returns true for V4L2_BUF_TYPE_VIDEO_OVERLAY
which definitely belongs to CAPTURE.
Signed-off-by: Nas Chung <nas.chung@...psnmedia.com>
Signed-off-by: Sebastian Fricke <sebastian.fricke@...labora.com>
Signed-off-by: Hans Verkuil <hverkuil@...all.nl>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
**YES** This commit should be backported to stable kernel trees.
**Detailed Analysis:** **1. Nature of the Bug:** The commit fixes a
fundamental logic error in the `V4L2_TYPE_IS_OUTPUT` macro that has
existed since 2012 (commit 607ca46e97a1b). The macro incorrectly
classifies `V4L2_BUF_TYPE_VIDEO_OVERLAY` as an OUTPUT buffer type when
it should be classified as a CAPTURE type. This is a clear logical bug
in a core V4L2 API macro. **2. Code Impact Analysis:** The fix removes
this line from the macro: ```c || (type) == V4L2_BUF_TYPE_VIDEO_OVERLAY
``` My investigation shows the macro is used in critical V4L2 core
functions, particularly in: - **Crop/Selection handling**
(`drivers/media/v4l2-core/v4l2-ioctl.c:2517, 2547, 2597`): The macro
determines whether to use `V4L2_SEL_TGT_COMPOSE` (for output) vs
`V4L2_SEL_TGT_CROP` (for capture) targets - **Parameter handling**
(`drivers/media/v4l2-core/v4l2-ioctl.c:2269`): Affects how output vs
capture parameters are processed - **Buffer management** in videobuf2
framework: Affects buffer direction logic **3. User Impact:**
Applications using video overlay functionality have been subject to
incorrect behavior where: - Overlay buffers were processed with output
buffer logic instead of capture buffer logic - Wrong selection targets
were used for crop operations on overlay devices - Parameter handling
followed the wrong code paths **4. Risk Assessment:** - **Low regression
risk**: The fix corrects clearly wrong behavior - there's no valid use
case where VIDEO_OVERLAY should be treated as OUTPUT - **Contained
scope**: Only affects the classification logic for one specific buffer
type - **Clear correctness**: The fix aligns the code with the V4L2
specification and logical expectations **5. Comparison with Similar
Commits:** Looking at the historical commits provided, while they show
refactoring and API improvements that were not backported, this commit
fixes a fundamental logical bug in core API behavior, which is different
from cosmetic or enhancement changes. **6. Backport Suitability:** This
meets all stable backport criteria: - ✅ Fixes a clear bug affecting
users - ✅ Small, contained change with minimal risk - ✅ No new features
or architectural changes - ✅ Affects core V4L2 functionality that could
cause incorrect application behavior - ✅ Logic error that has persisted
for over a decade The fix should be backported to ensure VIDEO_OVERLAY
applications work correctly across all supported kernel versions.
include/uapi/linux/videodev2.h | 1 -
1 file changed, 1 deletion(-)
diff --git a/include/uapi/linux/videodev2.h b/include/uapi/linux/videodev2.h
index 27239cb64065d..9cf6e80a6e459 100644
--- a/include/uapi/linux/videodev2.h
+++ b/include/uapi/linux/videodev2.h
@@ -164,7 +164,6 @@ enum v4l2_buf_type {
#define V4L2_TYPE_IS_OUTPUT(type) \
((type) == V4L2_BUF_TYPE_VIDEO_OUTPUT \
|| (type) == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE \
- || (type) == V4L2_BUF_TYPE_VIDEO_OVERLAY \
|| (type) == V4L2_BUF_TYPE_VIDEO_OUTPUT_OVERLAY \
|| (type) == V4L2_BUF_TYPE_VBI_OUTPUT \
|| (type) == V4L2_BUF_TYPE_SLICED_VBI_OUTPUT \
--
2.39.5
Powered by blists - more mailing lists