From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Cc: Mauro Carvalho Chehab <mchehab@s-opensource.com>,
Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL for 4.14 27/97] media: videobuf2-core: don't go out of the buffer range
Date: Mon, 19 Mar 2018 15:54:59 +0000
Message-ID: <20180319155411.12348-27-alexander.levin@microsoft.com>
In-Reply-To: <20180319155411.12348-1-alexander.levin@microsoft.com>
From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[ Upstream commit df93dc61b0d8b19a5c9db545cf3fcc24f88dfde4 ]
Currently, there's no check if an invalid buffer range
is passed. However, while testing DVB memory mapped apps,
I got this:
videobuf2_core: VB: num_buffers -2143943680, buffer 33, index -2143943647
unable to handle kernel paging request at ffff888b773c0890
IP: __vb2_queue_alloc+0x134/0x4e0 [videobuf2_core]
PGD 4142c7067 P4D 4142c7067 PUD 0
Oops: 0002 [#1] SMP
Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc rc_dvbsky sp2 ts2020 intel_rapl x86_pkg_temp_thermal dvb_usb_dvbsky intel_powerclamp dvb_usb_v2 coretemp m88ds3103 kvm_intel i2c_mux dvb_core snd_hda_codec_hdmi crct10dif_pclmul crc32_pclmul videobuf2_vmalloc videobuf2_memops snd_hda_intel ghash_clmulni_intel videobuf2_core snd_hda_codec rc_core mei_me intel_cstate snd_hwdep snd_hda_core videodev intel_uncore snd_pcm mei media tpm_tis tpm_tis_core intel_rapl_perf tpm snd_timer lpc_ich snd soundcore kvm irqbypass libcrc32c i915 i2c_algo_bit drm_kms_helper
e1000e ptp drm crc32c_intel video pps_core
CPU: 3 PID: 1776 Comm: dvbv5-zap Not tainted 4.14.0+ #78
Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
task: ffff88877c73bc80 task.stack: ffffb7c402418000
RIP: 0010:__vb2_queue_alloc+0x134/0x4e0 [videobuf2_core]
RSP: 0018:ffffb7c40241bc60 EFLAGS: 00010246
RAX: 0000000080360421 RBX: 0000000000000021 RCX: 000000000000000a
RDX: ffffb7c40241bcf4 RSI: ffff888780362c60 RDI: ffff888796d8e130
RBP: ffffb7c40241bcc8 R08: 0000000000000316 R09: 0000000000000004
R10: ffff888780362c00 R11: 0000000000000001 R12: 000000000002f000
R13: ffff8887758be700 R14: 0000000000021000 R15: 0000000000000001
FS: 00007f2849024740(0000) GS:ffff888796d80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff888b773c0890 CR3: 000000043beb2005 CR4: 00000000003606e0
Call Trace:
vb2_core_reqbufs+0x226/0x420 [videobuf2_core]
dvb_vb2_reqbufs+0x2d/0xc0 [dvb_core]
dvb_dvr_do_ioctl+0x98/0x1d0 [dvb_core]
dvb_usercopy+0x53/0x1b0 [dvb_core]
? dvb_demux_ioctl+0x20/0x20 [dvb_core]
? tty_ldisc_deref+0x16/0x20
? tty_write+0x1f9/0x310
? process_echoes+0x70/0x70
dvb_dvr_ioctl+0x15/0x20 [dvb_core]
do_vfs_ioctl+0xa5/0x600
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x1a/0xa5
RIP: 0033:0x7f28486f7ea7
RSP: 002b:00007ffc13b2db18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000055b10fc06130 RCX: 00007f28486f7ea7
RDX: 00007ffc13b2db48 RSI: 00000000c0086f3c RDI: 0000000000000007
RBP: 0000000000000203 R08: 000055b10df1e02c R09: 000000000000002e
R10: 0036b42415108357 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2849062f60 R14: 00000000000001f1 R15: 00007ffc13b2da54
Code: 74 0a 60 8b 0a 48 83 c0 30 48 83 c2 04 89 48 d0 89 48 d4 48 39 f0 75 eb 41 8b 42 08 83 7d d4 01 41 c7 82 ec 01 00 00 ff ff ff ff <4d> 89 94 c5 88 00 00 00 74 14 83 c3 01 41 39 dc 0f 85 f1 fe ff
RIP: __vb2_queue_alloc+0x134/0x4e0 [videobuf2_core] RSP: ffffb7c40241bc60
CR2: ffff888b773c0890
So, add a sanity check in order to prevent going past the array.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
drivers/media/v4l2-core/videobuf2-core.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
index cb115ba6a1d2..6d9adcaa26ba 100644
--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -332,6 +332,10 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory,
struct vb2_buffer *vb;
int ret;
+ /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */
+ num_buffers = min_t(unsigned int, num_buffers,
+ VB2_MAX_FRAME - q->num_buffers);
+
for (buffer = 0; buffer < num_buffers; ++buffer) {
/* Allocate videobuf buffer structures */
vb = kzalloc(q->buf_struct_size, GFP_KERNEL);
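Review bot: the new comment says the sum stays "below VB2_MAX_FRAME", but `num_buffers = min_t(unsigned int, num_buffers, VB2_MAX_FRAME - q->num_buffers);` allows q->num_buffers + num_buffers to equal VB2_MAX_FRAME, which is the intended bound for an array of VB2_MAX_FRAME slots (indices 0..VB2_MAX_FRAME-1); suggest "does not exceed VB2_MAX_FRAME" so the comment matches the arithmetic. Two further points on the same lines: the clamp silently shrinks an out-of-range request instead of failing it, so a caller handing in the garbage count from the oops (num_buffers -2143943680, a huge value once treated as unsigned) gets far fewer buffers than it asked for with no error; since the function already has an `int ret`, consider returning -EINVAL (or at least warning once) when the request cannot fit, unless callers already report the effective count back. And `VB2_MAX_FRAME - q->num_buffers` is an unsigned subtraction, so it relies on q->num_buffers never exceeding VB2_MAX_FRAME; that holds if every path that grows the queue goes through this clamp, but a WARN_ON_ONCE(q->num_buffers > VB2_MAX_FRAME) ahead of the min_t would make the assumption explicit and keep a future caller from turning the wrap into another out-of-bounds index.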
--
2.14.1
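The following is an added, stand-alone model of the bounds clamp the patch introduces; it is not the kernel's code. `struct model_queue`, `MODEL_MAX_FRAME`, `min_uint`, `model_queue_alloc` and `model_check` are constructed for illustration, and `MODEL_MAX_FRAME` is assumed to be 32 to mirror the fixed slot array the patch protects. It reproduces the three cases a reviewer would want to see: a sane request allocated in full, an oversized request clamped to the free slots, and the count from the oops above interpreted as unsigned, which the clamp now holds within the array instead of driving the index past it.

```c
/* Added example: a model of the bounds clamp in the patch, not kernel code.
 * struct model_queue, MODEL_MAX_FRAME and the helpers are constructed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the slot count mirrors the kernel's VB2_MAX_FRAME (32). */
#define MODEL_MAX_FRAME 32

struct model_buffer {
	unsigned int index;
};

struct model_queue {
	unsigned int num_buffers;                   /* buffers already allocated */
	struct model_buffer *bufs[MODEL_MAX_FRAME]; /* fixed-size slot array */
};

/* What min_t(unsigned int, a, b) boils down to. */
static unsigned int min_uint(unsigned int a, unsigned int b)
{
	return a < b ? a : b;
}

/*
 * Allocate up to num_buffers new buffers, following the patched
 * __vb2_queue_alloc: the request is clamped so that q->num_buffers plus
 * the number allocated never exceeds the slot array.  Returns the number
 * actually allocated, or -1 if the queue is already inconsistent.
 */
static int model_queue_alloc(struct model_queue *q, unsigned int num_buffers)
{
	unsigned int buffer;

	/* Model-only invariant check: if this failed, the unsigned subtraction
	 * below would wrap and the clamp would no longer protect the array. */
	if (q->num_buffers > MODEL_MAX_FRAME)
		return -1;

	num_buffers = min_uint(num_buffers, MODEL_MAX_FRAME - q->num_buffers);

	for (buffer = 0; buffer < num_buffers; ++buffer) {
		struct model_buffer *vb = calloc(1, sizeof(*vb));
		if (!vb)
			break;
		vb->index = q->num_buffers + buffer; /* always < MODEL_MAX_FRAME */
		q->bufs[vb->index] = vb;
	}
	q->num_buffers += buffer;
	return (int)buffer;
}

static void model_queue_free(struct model_queue *q)
{
	unsigned int i;

	for (i = 0; i < q->num_buffers; i++)
		free(q->bufs[i]);
	memset(q, 0, sizeof(*q));
}

/* Runs the scenarios; returns 1 when every case behaves as expected. */
static int model_check(void)
{
	struct model_queue q;
	int ok = 1;

	memset(&q, 0, sizeof(q));

	/* A sane request on an empty queue is allocated in full. */
	ok &= model_queue_alloc(&q, 4) == 4 && q.num_buffers == 4;

	/* A request that would overrun the array is clamped to the free slots. */
	ok &= model_queue_alloc(&q, 100) == MODEL_MAX_FRAME - 4;
	ok &= q.num_buffers == MODEL_MAX_FRAME;

	/* With the queue full nothing more is allocated and nothing wraps. */
	ok &= model_queue_alloc(&q, 1) == 0;
	model_queue_free(&q);

	/* The count from the oops (-2143943680 as int) is 0x80360400 as unsigned;
	 * with the clamp it yields at most a full array, never an index past it. */
	ok &= model_queue_alloc(&q, (unsigned int)-2143943680) == MODEL_MAX_FRAME;
	model_queue_free(&q);

	return ok;
}

int main(void)
{
	int ok = model_check();

	printf("bounds clamp model: %s\n", ok ? "ok" : "FAILED");
	return ok ? 0 : 1;
}
```

The model keeps the clamp exactly as the patch writes it and adds one explicit invariant check so the unsigned subtraction can never wrap; in the kernel that invariant is implicit in every caller going through the same clamp.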