From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: Mauro Carvalho Chehab <mchehab@redhat.com>
Cc: Prabhakar lad <prabhakar.csengg@gmail.com>,
LMML <linux-media@vger.kernel.org>,
DLOS <davinci-linux-open-source@linux.davincidsp.com>,
LKML <linux-kernel@vger.kernel.org>,
Hans Verkuil <hans.verkuil@cisco.com>,
Pawel Osciak <pawel@osciak.com>,
Kyungmin Park <kyungmin.park@samsung.com>,
Marek Szyprowski <m.szyprowski@samsung.com>,
Seung-Woo Kim <sw0312.kim@samsung.com>
Subject: Re: [PATCH RFC] media: videobuf2: fix the length check for mmap
Date: Mon, 22 Apr 2013 14:57:54 +0200 [thread overview]
Message-ID: <2366802.YUrXa9z2HG@avalon> (raw)
In-Reply-To: <20130419081801.0af7ad73@redhat.com>
Hi Mauro,
On Friday 19 April 2013 08:18:01 Mauro Carvalho Chehab wrote:
[snip]
> [media] videobuf2: fix the length check for mmap
>
> Memory maps typically require that the buffer size to be page
s/that the/the/
> aligned. Currently, two memops drivers do such alignment
> internally, but videobuf-vmalloc doesn't.
>
> Also, the buffer overflow check doesn't take it into account.
>
> So, instead of doing it at each memops driver, enforce it at
> VB2 core.
>
> Reported-by: Prabhakar lad <prabhakar.csengg@gmail.com>
> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> diff --git a/drivers/media/v4l2-core/videobuf2-core.c
> b/drivers/media/v4l2-core/videobuf2-core.c index 58c1744..7d833ee 100644
> --- a/drivers/media/v4l2-core/videobuf2-core.c
> +++ b/drivers/media/v4l2-core/videobuf2-core.c
> @@ -54,10 +54,15 @@ static int __vb2_buf_mem_alloc(struct vb2_buffer *vb)
> void *mem_priv;
> int plane;
>
> - /* Allocate memory for all planes in this buffer */
> + /*
> + * Allocate memory for all planes in this buffer
> + * NOTE: mmapped areas should be page aligned
> + */
> for (plane = 0; plane < vb->num_planes; ++plane) {
> + unsigned long size = PAGE_ALIGN(q->plane_sizes[plane]);
> +
> mem_priv = call_memop(q, alloc, q->alloc_ctx[plane],
> - q->plane_sizes[plane], q->gfp_flags);
> + size, q->gfp_flags);
> if (IS_ERR_OR_NULL(mem_priv))
> goto free;
>
> @@ -1852,6 +1857,7 @@ int vb2_mmap(struct vb2_queue *q, struct
> vm_area_struct *vma) struct vb2_buffer *vb;
> unsigned int buffer, plane;
> int ret;
> + unsigned long length;
>
> if (q->memory != V4L2_MEMORY_MMAP) {
> dprintk(1, "Queue is not currently set up for mmap\n");
> @@ -1886,8 +1892,15 @@ int vb2_mmap(struct vb2_queue *q, struct
> vm_area_struct *vma)
>
> vb = q->bufs[buffer];
>
> - if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) {
> - dprintk(1, "Invalid length\n");
> + /*
> + * MMAP requires page_aligned buffers.
> + * The buffer length was page_aligned at __vb2_buf_mem_alloc(),
> + * so, we need to do the same here.
> + */
> + length = PAGE_ALIGN(vb->v4l2_planes[plane].length);
> + if (length < (vma->vm_end - vma->vm_start)) {
> + dprintk(1,
> + "MMAP invalid, as it would overflow buffer length\n");
> return -EINVAL;
> }
>
> diff --git a/drivers/media/v4l2-core/videobuf2-dma-contig.c
> b/drivers/media/v4l2-core/videobuf2-dma-contig.c index ae35d25..fd56f25
> 100644
> --- a/drivers/media/v4l2-core/videobuf2-dma-contig.c
> +++ b/drivers/media/v4l2-core/videobuf2-dma-contig.c
> @@ -162,9 +162,6 @@ static void *vb2_dc_alloc(void *alloc_ctx, unsigned long
> size, gfp_t gfp_flags) if (!buf)
> return ERR_PTR(-ENOMEM);
>
> - /* align image size to PAGE_SIZE */
> - size = PAGE_ALIGN(size);
> -
> buf->vaddr = dma_alloc_coherent(dev, size, &buf->dma_addr,
> GFP_KERNEL | gfp_flags);
> if (!buf->vaddr) {
> diff --git a/drivers/media/v4l2-core/videobuf2-dma-sg.c
> b/drivers/media/v4l2-core/videobuf2-dma-sg.c index 59522b2..16ae3dc 100644
> --- a/drivers/media/v4l2-core/videobuf2-dma-sg.c
> +++ b/drivers/media/v4l2-core/videobuf2-dma-sg.c
> @@ -55,7 +55,8 @@ static void *vb2_dma_sg_alloc(void *alloc_ctx, unsigned
> long size, gfp_t gfp_fla buf->write = 0;
> buf->offset = 0;
> buf->sg_desc.size = size;
> - buf->sg_desc.num_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
> + /* size is already page aligned */
> + buf->sg_desc.num_pages = size >> PAGE_SHIFT;
>
> buf->sg_desc.sglist = vzalloc(buf->sg_desc.num_pages *
> sizeof(*buf->sg_desc.sglist));
--
Regards,
Laurent Pinchart
prev parent reply other threads:[~2013-04-22 12:57 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-19 9:46 [PATCH RFC] media: videobuf2: fix the length check for mmap Prabhakar lad
2013-04-19 11:18 ` Mauro Carvalho Chehab
2013-04-21 22:38 ` Laurent Pinchart
2013-04-22 11:52 ` Mauro Carvalho Chehab
2013-04-22 5:33 ` Prabhakar Lad
2013-04-22 12:57 ` Laurent Pinchart [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2366802.YUrXa9z2HG@avalon \
--to=laurent.pinchart@ideasonboard.com \
--cc=davinci-linux-open-source@linux.davincidsp.com \
--cc=hans.verkuil@cisco.com \
--cc=kyungmin.park@samsung.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=m.szyprowski@samsung.com \
--cc=mchehab@redhat.com \
--cc=pawel@osciak.com \
--cc=prabhakar.csengg@gmail.com \
--cc=sw0312.kim@samsung.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.