From: Dan Carpenter <dan.carpenter@linaro.org>
To: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Cc: mchehab@kernel.org, tfiga@chromium.org, m.szyprowski@samsung.com,
ming.qian@nxp.com, ezequiel@vanguardiasur.com.ar,
p.zabel@pengutronix.de, gregkh@linuxfoundation.org,
hverkuil-cisco@xs4all.nl, nicolas.dufresne@collabora.com,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org,
linux-arm-msm@vger.kernel.org,
linux-rockchip@lists.infradead.org,
linux-staging@lists.linux.dev, kernel@collabora.com
Subject: Re: [PATCH v3 03/11] media: videobuf2: Remove VB2_MAX_FRAME limit on buffer storage
Date: Thu, 22 Jun 2023 17:11:19 +0300
Message-ID: <bddd6cb7-cd72-4fb5-8d4a-d02cb9c46dce@kadam.mountain>
In-Reply-To: <20230622131349.144160-4-benjamin.gaignard@collabora.com>
On Thu, Jun 22, 2023 at 03:13:41PM +0200, Benjamin Gaignard wrote:
> diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
> index f1ff7af34a9f..86e1e926fa45 100644
> --- a/drivers/media/common/videobuf2/videobuf2-core.c
> +++ b/drivers/media/common/videobuf2/videobuf2-core.c
> @@ -455,9 +455,9 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory,
> struct vb2_buffer *vb;
> int ret;
>
> - /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */
> + /* Ensure that q->num_buffers + num_buffers is UINT_MAX */
> num_buffers = min_t(unsigned int, num_buffers,
> - VB2_MAX_FRAME - q->num_buffers);
> + UINT_MAX - q->num_buffers);
>
> for (buffer = 0; buffer < num_buffers; ++buffer) {
> /* Allocate vb2 buffer structures */
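
Review bot: The new clamp in __vb2_queue_alloc(), `UINT_MAX - q->num_buffers`, only keeps the unsigned sum from wrapping; the hunk header shows the function is declared `static int`, so a count above INT_MAX cannot be returned correctly. Clamp against a bound that fits the return type, or change the return type, and fix the rewritten comment, which now reads "is UINT_MAX" because the word "below" was dropped.
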
Ah... Here's one of the integer overflow bugs I was talking about. The
__vb2_queue_alloc() function returns an int so if num_buffers goes over
INT_MAX we are hosed.
regards,
dan carpenter
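
The overflow described in the reply above, as an added user-space example that is not part of the original message or the patch. The function names are hypothetical, `OLD_LIMIT` uses an assumed value of 32 in place of VB2_MAX_FRAME, and the request size is constructed.

```c
/* Added illustration: user-space model of the clamp, not kernel code. */
#include <limits.h>
#include <stdio.h>

#define OLD_LIMIT 32u /* assumed value standing in for VB2_MAX_FRAME */

/* Stand-in for the kernel's min_t(unsigned int, a, b). */
static unsigned int min_uint(unsigned int a, unsigned int b)
{
	return a < b ? a : b;
}

/* Clamp before the patch: the total never exceeds the fixed limit. */
static unsigned int clamp_old(unsigned int queued, unsigned int req)
{
	return min_uint(req, OLD_LIMIT - queued);
}

/* Clamp as in the quoted hunk: only unsigned wrap-around is prevented. */
static unsigned int clamp_patched(unsigned int queued, unsigned int req)
{
	return min_uint(req, UINT_MAX - queued);
}

/* Hypothetical alternative: keep the total representable in an int. */
static unsigned int clamp_int_safe(unsigned int queued, unsigned int req)
{
	if (queued >= (unsigned int)INT_MAX)
		return 0;
	return min_uint(req, (unsigned int)INT_MAX - queued);
}

/* Models a function that counts in unsigned int but returns int.
 * Out-of-range conversion is implementation-defined; GCC and Clang wrap. */
static int return_as_int(unsigned int count)
{
	return (int)count;
}

int main(void)
{
	unsigned int req = 3000000000u; /* constructed request above INT_MAX */

	printf("old:      %d\n", return_as_int(clamp_old(0, req)));
	printf("patched:  %d\n", return_as_int(clamp_patched(0, req)));
	printf("int-safe: %d\n", return_as_int(clamp_int_safe(0, req)));
	return 0;
}
```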