[1/5] : OMAP_VOUT: Fix check in reqbuf & mmap for buf_size allocation
Commit Message
The commit 383e4f69879d11c86ebdd38b3356f6d0690fb4cc makes reqbuf and mmap prevent
requesting a larger size buffer than what is allocated at kernel boot during
omap_vout_probe.
The requested size is compared with vout->buffer_size, this isn't correct as
vout->buffer_size is later set to the size requested in reqbuf. When the video
device is opened the next time, this check will prevent us to allocate a buffer
which is larger than what we requested the last time.
Don't use vout->buffer_size, always check with the parameters video1_bufsize
or video2_bufsize.
Signed-off-by: Archit Taneja <archit@ti.com>
---
drivers/media/video/omap/omap_vout.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
Comments
> -----Original Message-----
> From: Taneja, Archit
> Sent: Friday, September 16, 2011 3:30 PM
> To: Hiremath, Vaibhav
> Cc: Valkeinen, Tomi; linux-omap@vger.kernel.org; Semwal, Sumit; linux-
> media@vger.kernel.org; Taneja, Archit
> Subject: [PATCH 1/5] [media]: OMAP_VOUT: Fix check in reqbuf & mmap for
> buf_size allocation
>
> The commit 383e4f69879d11c86ebdd38b3356f6d0690fb4cc makes reqbuf and mmap
> prevent
> requesting a larger size buffer than what is allocated at kernel boot
> during
> omap_vout_probe.
>
> The requested size is compared with vout->buffer_size, this isn't correct
> as
> vout->buffer_size is later set to the size requested in reqbuf. When the
> video
> device is opened the next time, this check will prevent us to allocate a
> buffer
> which is larger than what we requested the last time.
>
> Don't use vout->buffer_size, always check with the parameters
> video1_bufsize
> or video2_bufsize.
>
> Signed-off-by: Archit Taneja <archit@ti.com>
> ---
> drivers/media/video/omap/omap_vout.c | 10 ++++++++--
> 1 files changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/media/video/omap/omap_vout.c
> b/drivers/media/video/omap/omap_vout.c
> index 95daf98..e14c82b 100644
> --- a/drivers/media/video/omap/omap_vout.c
> +++ b/drivers/media/video/omap/omap_vout.c
> @@ -664,10 +664,14 @@ static int omap_vout_buffer_setup(struct
> videobuf_queue *q, unsigned int *count,
> u32 phy_addr = 0, virt_addr = 0;
> struct omap_vout_device *vout = q->priv_data;
> struct omapvideo_info *ovid = &vout->vid_info;
> + int vid_max_buf_size;
>
> if (!vout)
> return -EINVAL;
>
> + vid_max_buf_size = vout->vid == OMAP_VIDEO1 ? video1_bufsize :
> + video2_bufsize;
> +
> if (V4L2_BUF_TYPE_VIDEO_OUTPUT != q->type)
> return -EINVAL;
>
> @@ -690,7 +694,7 @@ static int omap_vout_buffer_setup(struct
> videobuf_queue *q, unsigned int *count,
> video1_numbuffers : video2_numbuffers;
>
> /* Check the size of the buffer */
> - if (*size > vout->buffer_size) {
> + if (*size > vid_max_buf_size) {
Good catch !!!
> v4l2_err(&vout->vid_dev->v4l2_dev,
> "buffer allocation mismatch [%u] [%u]\n",
> *size, vout->buffer_size);
> @@ -865,6 +869,8 @@ static int omap_vout_mmap(struct file *file, struct
> vm_area_struct *vma)
> unsigned long size = (vma->vm_end - vma->vm_start);
> struct omap_vout_device *vout = file->private_data;
> struct videobuf_queue *q = &vout->vbq;
> + int vid_max_buf_size = vout->vid == OMAP_VIDEO1 ? video1_bufsize :
> + video2_bufsize;
>
> v4l2_dbg(1, debug, &vout->vid_dev->v4l2_dev,
> " %s pgoff=0x%lx, start=0x%lx, end=0x%lx\n", __func__,
> @@ -887,7 +893,7 @@ static int omap_vout_mmap(struct file *file, struct
> vm_area_struct *vma)
> return -EINVAL;
> }
> /* Check the size of the buffer */
> - if (size > vout->buffer_size) {
> + if (size > vid_max_buf_size) {
Don't you think in case of mmap we should still check for the
vout->buffer_size, since this is the size user has requested in req_buf.
Thanks,
Vaibhav
> v4l2_err(&vout->vid_dev->v4l2_dev,
> "insufficient memory [%lu] [%u]\n",
> size, vout->buffer_size);
> --
> 1.7.1
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi,
On Wednesday 21 September 2011 02:10 PM, Hiremath, Vaibhav wrote:
>
>> -----Original Message-----
>> From: Taneja, Archit
>> Sent: Friday, September 16, 2011 3:30 PM
>> To: Hiremath, Vaibhav
>> Cc: Valkeinen, Tomi; linux-omap@vger.kernel.org; Semwal, Sumit; linux-
>> media@vger.kernel.org; Taneja, Archit
>> Subject: [PATCH 1/5] [media]: OMAP_VOUT: Fix check in reqbuf& mmap for
>> buf_size allocation
>>
>> The commit 383e4f69879d11c86ebdd38b3356f6d0690fb4cc makes reqbuf and mmap
>> prevent
>> requesting a larger size buffer than what is allocated at kernel boot
>> during
>> omap_vout_probe.
>>
>> The requested size is compared with vout->buffer_size, this isn't correct
>> as
>> vout->buffer_size is later set to the size requested in reqbuf. When the
>> video
>> device is opened the next time, this check will prevent us to allocate a
>> buffer
>> which is larger than what we requested the last time.
>>
>> Don't use vout->buffer_size, always check with the parameters
>> video1_bufsize
>> or video2_bufsize.
>>
>> Signed-off-by: Archit Taneja<archit@ti.com>
>> ---
>> drivers/media/video/omap/omap_vout.c | 10 ++++++++--
>> 1 files changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/media/video/omap/omap_vout.c
>> b/drivers/media/video/omap/omap_vout.c
>> index 95daf98..e14c82b 100644
>> --- a/drivers/media/video/omap/omap_vout.c
>> +++ b/drivers/media/video/omap/omap_vout.c
>> @@ -664,10 +664,14 @@ static int omap_vout_buffer_setup(struct
>> videobuf_queue *q, unsigned int *count,
>> u32 phy_addr = 0, virt_addr = 0;
>> struct omap_vout_device *vout = q->priv_data;
>> struct omapvideo_info *ovid =&vout->vid_info;
>> + int vid_max_buf_size;
>>
>> if (!vout)
>> return -EINVAL;
>>
>> + vid_max_buf_size = vout->vid == OMAP_VIDEO1 ? video1_bufsize :
>> + video2_bufsize;
>> +
>> if (V4L2_BUF_TYPE_VIDEO_OUTPUT != q->type)
>> return -EINVAL;
>>
>> @@ -690,7 +694,7 @@ static int omap_vout_buffer_setup(struct
>> videobuf_queue *q, unsigned int *count,
>> video1_numbuffers : video2_numbuffers;
>>
>> /* Check the size of the buffer */
>> - if (*size> vout->buffer_size) {
>> + if (*size> vid_max_buf_size) {
> Good catch !!!
>
>> v4l2_err(&vout->vid_dev->v4l2_dev,
>> "buffer allocation mismatch [%u] [%u]\n",
>> *size, vout->buffer_size);
>> @@ -865,6 +869,8 @@ static int omap_vout_mmap(struct file *file, struct
>> vm_area_struct *vma)
>> unsigned long size = (vma->vm_end - vma->vm_start);
>> struct omap_vout_device *vout = file->private_data;
>> struct videobuf_queue *q =&vout->vbq;
>> + int vid_max_buf_size = vout->vid == OMAP_VIDEO1 ? video1_bufsize :
>> + video2_bufsize;
>>
>> v4l2_dbg(1, debug,&vout->vid_dev->v4l2_dev,
>> " %s pgoff=0x%lx, start=0x%lx, end=0x%lx\n", __func__,
>> @@ -887,7 +893,7 @@ static int omap_vout_mmap(struct file *file, struct
>> vm_area_struct *vma)
>> return -EINVAL;
>> }
>> /* Check the size of the buffer */
>> - if (size> vout->buffer_size) {
>> + if (size> vid_max_buf_size) {
> Don't you think in case of mmap we should still check for the
> vout->buffer_size, since this is the size user has requested in req_buf.
Ah, you are right, the check for the maximum size should only be in the
reqbuf path. vout->buffer_size would have been updated correctly at time
of mmap. I'll change this back to vout->buffer_size.
Thanks,
Archit
>
> Thanks,
> Vaibhav
>
>
>> v4l2_err(&vout->vid_dev->v4l2_dev,
>> "insufficient memory [%lu] [%u]\n",
>> size, vout->buffer_size);
>> --
>> 1.7.1
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
@@ -664,10 +664,14 @@ static int omap_vout_buffer_setup(struct videobuf_queue *q, unsigned int *count,
u32 phy_addr = 0, virt_addr = 0;
struct omap_vout_device *vout = q->priv_data;
struct omapvideo_info *ovid = &vout->vid_info;
+ int vid_max_buf_size;
if (!vout)
return -EINVAL;
+ vid_max_buf_size = vout->vid == OMAP_VIDEO1 ? video1_bufsize :
+ video2_bufsize;
+
if (V4L2_BUF_TYPE_VIDEO_OUTPUT != q->type)
return -EINVAL;
@@ -690,7 +694,7 @@ static int omap_vout_buffer_setup(struct videobuf_queue *q, unsigned int *count,
video1_numbuffers : video2_numbuffers;
/* Check the size of the buffer */
- if (*size > vout->buffer_size) {
+ if (*size > vid_max_buf_size) {
v4l2_err(&vout->vid_dev->v4l2_dev,
"buffer allocation mismatch [%u] [%u]\n",
*size, vout->buffer_size);
@@ -865,6 +869,8 @@ static int omap_vout_mmap(struct file *file, struct vm_area_struct *vma)
unsigned long size = (vma->vm_end - vma->vm_start);
struct omap_vout_device *vout = file->private_data;
struct videobuf_queue *q = &vout->vbq;
+ int vid_max_buf_size = vout->vid == OMAP_VIDEO1 ? video1_bufsize :
+ video2_bufsize;
v4l2_dbg(1, debug, &vout->vid_dev->v4l2_dev,
" %s pgoff=0x%lx, start=0x%lx, end=0x%lx\n", __func__,
@@ -887,7 +893,7 @@ static int omap_vout_mmap(struct file *file, struct vm_area_struct *vma)
return -EINVAL;
}
/* Check the size of the buffer */
- if (size > vout->buffer_size) {
+ if (size > vid_max_buf_size) {
v4l2_err(&vout->vid_dev->v4l2_dev,
"insufficient memory [%lu] [%u]\n",
size, vout->buffer_size);