From 1ffc873ce13d9be9b17a85e1fd24ece2bf599562 Mon Sep 17 00:00:00 2001
From: Ludwig Disterhof <ludwig@disterhof.eu>
Date: Tue, 29 Apr 2025 02:16:50 +0800
Subject: [PATCH] media: usbtv: Lock resolution while streaming

ANBZ: #26417

commit ee7bade8b9244834229b12b6e1e724939bedd484 stable.

commit 7e40e0bb778907b2441bff68d73c3eb6b6cd319f upstream.

When an program is streaming (ffplay) and another program (qv4l2)
changes the TV standard from NTSC to PAL, the kernel crashes due to trying
to copy to unmapped memory.

Changing from NTSC to PAL increases the resolution in the usbtv struct,
but the video plane buffer isn't adjusted, so it overflows.

Fixes: 0e0fe3958fdd13d ("[media] usbtv: Add support for PAL video source")
Cc: stable@vger.kernel.org
Signed-off-by: Ludwig Disterhof <ludwig@disterhof.eu>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
[hverkuil: call vb2_is_busy instead of vb2_is_streaming]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fixes: CVE-2025-39714
Signed-off-by: Xiao Long <xiaolong@openanolis.org>
Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
---
 drivers/media/usb/usbtv/usbtv-video.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/media/usb/usbtv/usbtv-video.c b/drivers/media/usb/usbtv/usbtv-video.c
index 3b4a2e769230..1a4956b5e56d 100644
--- a/drivers/media/usb/usbtv/usbtv-video.c
+++ b/drivers/media/usb/usbtv/usbtv-video.c
@@ -73,6 +73,10 @@ static int usbtv_configure_for_norm(struct usbtv *usbtv, v4l2_std_id norm)
 	}
 
 	if (params) {
+		if (vb2_is_busy(&usbtv->vb2q) &&
+		    (usbtv->width != params->cap_width ||
+		     usbtv->height != params->cap_height))
+			return -EBUSY;
 		usbtv->width = params->cap_width;
 		usbtv->height = params->cap_height;
 		usbtv->n_chunks = usbtv->width * usbtv->height
-- 
Gitee