linux-media.vger.kernel.org archive mirror
* [PATCH] Revert "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing"
@ 2016-05-11 16:27 Mauro Carvalho Chehab
From: Mauro Carvalho Chehab @ 2016-05-11 16:27 UTC
  Cc: Mauro Carvalho Chehab, Linux Media Mailing List,
	Mauro Carvalho Chehab, Pawel Osciak, Marek Szyprowski,
	Kyungmin Park, Sakari Ailus, Hans Verkuil, stable

This patch causes a Kernel panic when called on a DVB driver.

This reverts commit 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab.

Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: Hans Verkuil <hans.verkuil@cisco.com>
Cc: stable@vgar.kernel.org
Fixes: 2c1f6951a8a8 ("[media] videobuf2-v4l2: Verify planes array in buffer dequeueing")
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---
 drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/drivers/media/v4l2-core/videobuf2-v4l2.c b/drivers/media/v4l2-core/videobuf2-v4l2.c
index 7f366f1b0377..0b1b8c7b6ce5 100644
--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
+++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
@@ -74,11 +74,6 @@ static int __verify_planes_array(struct vb2_buffer *vb, const struct v4l2_buffer
 	return 0;
 }
 
-static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
-{
-	return __verify_planes_array(vb, pb);
-}
-
 /**
  * __verify_length() - Verify that the bytesused value for each plane fits in
  * the plane length and that the data offset doesn't exceed the bytesused value.
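Review bot: the removal of __verify_planes_array_core() at the top of this hunk is not explained by the changelog, which says only that the reverted patch panics on a DVB driver, not which call path fails or why. The wrapper forwards its const void *pb argument unchecked to __verify_planes_array(), which expects a const struct v4l2_buffer, so if the failing caller reaches it with a pb that is not a valid V4L2 buffer, a guard in the wrapper would be a narrower change than deleting it. Please add the oops trace or the failing call chain to the commit message so a follow-up fix can be checked against it.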
@@ -442,7 +437,6 @@ static int __fill_vb2_buffer(struct vb2_buffer *vb,
 }
 
 static const struct vb2_buf_ops v4l2_buf_ops = {
-	.verify_planes_array	= __verify_planes_array_core,
 	.fill_user_buffer	= __fill_v4l2_buffer,
 	.fill_vb2_buffer	= __fill_vb2_buffer,
 	.copy_timestamp		= __copy_timestamp,
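Review bot: dropping .verify_planes_array from v4l2_buf_ops disables the planes-array verification for every queue that uses these ops, not only for the DVB case named in the commit message. Going by the title of the reverted commit, that check validates the planes array at dequeue time, so V4L2 dequeue loses it until a corrected patch lands; consider keeping the op and making the callback safe for the failing caller, or state in the changelog that a replacement must accompany this revert into stable. Separately, the Cc line reads stable@vgar.kernel.org, which looks like a misspelling of vger.kernel.org.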
-- 
2.5.5



* Re: [PATCH] Revert "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing"
@ 2016-05-12  6:59 ` Nicolas Dufresne
From: Nicolas Dufresne @ 2016-05-12  6:59 UTC
  To: Mauro Carvalho Chehab
  Cc: Linux Media Mailing List, Mauro Carvalho Chehab, Pawel Osciak,
	Marek Szyprowski, Kyungmin Park, Sakari Ailus, Hans Verkuil,
	stable

On Wednesday, 11 May 2016 at 13:27 -0300, Mauro Carvalho Chehab wrote:
> This patch causes a Kernel panic when called on a DVB driver.
> 
> This reverts commit 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab.

Seems rather tricky, since this commit fixed a possible (user induced)
buffer overflow according to Sakari's comment. Would be nice to fix and
resubmit.

> 
> Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
> Cc: Hans Verkuil <hans.verkuil@cisco.com>
> Cc: stable@vgar.kernel.org
> Fixes: 2c1f6951a8a8 ("[media] videobuf2-v4l2: Verify planes array in
> buffer dequeueing")
> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
> ---
>  drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ------
>  1 file changed, 6 deletions(-)
> 
> diff --git a/drivers/media/v4l2-core/videobuf2-v4l2.c
> b/drivers/media/v4l2-core/videobuf2-v4l2.c
> index 7f366f1b0377..0b1b8c7b6ce5 100644
> --- a/drivers/media/v4l2-core/videobuf2-v4l2.c
> +++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
> @@ -74,11 +74,6 @@ static int __verify_planes_array(struct vb2_buffer
> *vb, const struct v4l2_buffer
>  	return 0;
>  }
>  
> -static int __verify_planes_array_core(struct vb2_buffer *vb, const
> void *pb)
> -{
> -	return __verify_planes_array(vb, pb);
> -}
> -
>  /**
>   * __verify_length() - Verify that the bytesused value for each
> plane fits in
>   * the plane length and that the data offset doesn't exceed the
> bytesused value.
> @@ -442,7 +437,6 @@ static int __fill_vb2_buffer(struct vb2_buffer
> *vb,
>  }
>  
>  static const struct vb2_buf_ops v4l2_buf_ops = {
> -	.verify_planes_array	= __verify_planes_array_core,
>  	.fill_user_buffer	= __fill_v4l2_buffer,
>  	.fill_vb2_buffer	= __fill_vb2_buffer,
>  	.copy_timestamp		= __copy_timestamp,


* Re: [PATCH] Revert "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing"
@ 2016-05-12  7:05   ` Sakari Ailus
From: Sakari Ailus @ 2016-05-12  7:05 UTC
  To: nicolas, Mauro Carvalho Chehab
  Cc: Linux Media Mailing List, Mauro Carvalho Chehab, Pawel Osciak,
	Marek Szyprowski, Kyungmin Park, Hans Verkuil, stable

Hi Nicolas,

Nicolas Dufresne wrote:
> On Wednesday, 11 May 2016 at 13:27 -0300, Mauro Carvalho Chehab wrote:
>> This patch causes a Kernel panic when called on a DVB driver.
>>
>> This reverts commit 2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab.
> 
> Seems rather tricky, since this commit fixed a possible (user induced)
> buffer overflow according to Sakari's comment. Would be nice to fix and
> resubmit.

I have updated patches here:

<URL:https://git.linuxtv.org/sailus/media_tree.git/log/?h=vb2-overwrite-fix-error-on-fixes-v2>

These are tested on V4L2 streaming API only so far, I'll test file I/O
today but with DVB I'd need some help with testing. I'd very much
appreciate test reports if someone has a chance to test the two patches
with a DVB adapter using VB2.

Thanks.

-- 
Kind regards,

Sakari Ailus
sakari.ailus@linux.intel.com
