[1/5] : OMAP_VOUT: Fix check in reqbuf & mmap for buf_size allocation

  The commit 383e4f69879d11c86ebdd38b3356f6d0690fb4cc makes reqbuf and mmap prevent
requesting a larger size buffer than what is allocated at kernel boot during
omap_vout_probe.

The requested size is compared with vout->buffer_size, this isn't correct as
vout->buffer_size is later set to the size requested in reqbuf. When the video
device is opened the next time, this check will prevent us to allocate a buffer
which is larger than what we requested the last time.

Don't use vout->buffer_size, always check with the parameters video1_bufsize
or video2_bufsize.

Signed-off-by: Archit Taneja <archit@ti.com>
---
 drivers/media/video/omap/omap_vout.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)
  

> -----Original Message-----
> From: Taneja, Archit
> Sent: Friday, September 16, 2011 3:30 PM
> To: Hiremath, Vaibhav
> Cc: Valkeinen, Tomi; linux-omap@vger.kernel.org; Semwal, Sumit; linux-
> media@vger.kernel.org; Taneja, Archit
> Subject: [PATCH 1/5] [media]: OMAP_VOUT: Fix check in reqbuf & mmap for
> buf_size allocation
> 
> The commit 383e4f69879d11c86ebdd38b3356f6d0690fb4cc makes reqbuf and mmap
> prevent
> requesting a larger size buffer than what is allocated at kernel boot
> during
> omap_vout_probe.
> 
> The requested size is compared with vout->buffer_size, this isn't correct
> as
> vout->buffer_size is later set to the size requested in reqbuf. When the
> video
> device is opened the next time, this check will prevent us to allocate a
> buffer
> which is larger than what we requested the last time.
> 
> Don't use vout->buffer_size, always check with the parameters
> video1_bufsize
> or video2_bufsize.
> 
> Signed-off-by: Archit Taneja <archit@ti.com>
> ---
>  drivers/media/video/omap/omap_vout.c |   10 ++++++++--
>  1 files changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/media/video/omap/omap_vout.c
> b/drivers/media/video/omap/omap_vout.c
> index 95daf98..e14c82b 100644
> --- a/drivers/media/video/omap/omap_vout.c
> +++ b/drivers/media/video/omap/omap_vout.c
> @@ -664,10 +664,14 @@ static int omap_vout_buffer_setup(struct
> videobuf_queue *q, unsigned int *count,
>  	u32 phy_addr = 0, virt_addr = 0;
>  	struct omap_vout_device *vout = q->priv_data;
>  	struct omapvideo_info *ovid = &vout->vid_info;
> +	int vid_max_buf_size;
> 
>  	if (!vout)
>  		return -EINVAL;
> 
> +	vid_max_buf_size = vout->vid == OMAP_VIDEO1 ? video1_bufsize :
> +		video2_bufsize;
> +
>  	if (V4L2_BUF_TYPE_VIDEO_OUTPUT != q->type)
>  		return -EINVAL;
> 
> @@ -690,7 +694,7 @@ static int omap_vout_buffer_setup(struct
> videobuf_queue *q, unsigned int *count,
>  		video1_numbuffers : video2_numbuffers;
> 
>  	/* Check the size of the buffer */
> -	if (*size > vout->buffer_size) {
> +	if (*size > vid_max_buf_size) {
Good catch !!!

>  		v4l2_err(&vout->vid_dev->v4l2_dev,
>  				"buffer allocation mismatch [%u] [%u]\n",
>  				*size, vout->buffer_size);
> @@ -865,6 +869,8 @@ static int omap_vout_mmap(struct file *file, struct
> vm_area_struct *vma)
>  	unsigned long size = (vma->vm_end - vma->vm_start);
>  	struct omap_vout_device *vout = file->private_data;
>  	struct videobuf_queue *q = &vout->vbq;
> +	int vid_max_buf_size = vout->vid == OMAP_VIDEO1 ? video1_bufsize :
> +		video2_bufsize;
> 
>  	v4l2_dbg(1, debug, &vout->vid_dev->v4l2_dev,
>  			" %s pgoff=0x%lx, start=0x%lx, end=0x%lx\n", __func__,
> @@ -887,7 +893,7 @@ static int omap_vout_mmap(struct file *file, struct
> vm_area_struct *vma)
>  		return -EINVAL;
>  	}
>  	/* Check the size of the buffer */
> -	if (size > vout->buffer_size) {
> +	if (size > vid_max_buf_size) {
Don't you think in case of mmap we should still check for the 
vout->buffer_size, since this is the size user has requested in req_buf.

Thanks,
Vaibhav


>  		v4l2_err(&vout->vid_dev->v4l2_dev,
>  				"insufficient memory [%lu] [%u]\n",
>  				size, vout->buffer_size);
> --
> 1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
  

Hi,

On Wednesday 21 September 2011 02:10 PM, Hiremath, Vaibhav wrote:
>
>> -----Original Message-----
>> From: Taneja, Archit
>> Sent: Friday, September 16, 2011 3:30 PM
>> To: Hiremath, Vaibhav
>> Cc: Valkeinen, Tomi; linux-omap@vger.kernel.org; Semwal, Sumit; linux-
>> media@vger.kernel.org; Taneja, Archit
>> Subject: [PATCH 1/5] [media]: OMAP_VOUT: Fix check in reqbuf&  mmap for
>> buf_size allocation
>>
>> The commit 383e4f69879d11c86ebdd38b3356f6d0690fb4cc makes reqbuf and mmap
>> prevent
>> requesting a larger size buffer than what is allocated at kernel boot
>> during
>> omap_vout_probe.
>>
>> The requested size is compared with vout->buffer_size, this isn't correct
>> as
>> vout->buffer_size is later set to the size requested in reqbuf. When the
>> video
>> device is opened the next time, this check will prevent us to allocate a
>> buffer
>> which is larger than what we requested the last time.
>>
>> Don't use vout->buffer_size, always check with the parameters
>> video1_bufsize
>> or video2_bufsize.
>>
>> Signed-off-by: Archit Taneja<archit@ti.com>
>> ---
>>   drivers/media/video/omap/omap_vout.c |   10 ++++++++--
>>   1 files changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/media/video/omap/omap_vout.c
>> b/drivers/media/video/omap/omap_vout.c
>> index 95daf98..e14c82b 100644
>> --- a/drivers/media/video/omap/omap_vout.c
>> +++ b/drivers/media/video/omap/omap_vout.c
>> @@ -664,10 +664,14 @@ static int omap_vout_buffer_setup(struct
>> videobuf_queue *q, unsigned int *count,
>>   	u32 phy_addr = 0, virt_addr = 0;
>>   	struct omap_vout_device *vout = q->priv_data;
>>   	struct omapvideo_info *ovid =&vout->vid_info;
>> +	int vid_max_buf_size;
>>
>>   	if (!vout)
>>   		return -EINVAL;
>>
>> +	vid_max_buf_size = vout->vid == OMAP_VIDEO1 ? video1_bufsize :
>> +		video2_bufsize;
>> +
>>   	if (V4L2_BUF_TYPE_VIDEO_OUTPUT != q->type)
>>   		return -EINVAL;
>>
>> @@ -690,7 +694,7 @@ static int omap_vout_buffer_setup(struct
>> videobuf_queue *q, unsigned int *count,
>>   		video1_numbuffers : video2_numbuffers;
>>
>>   	/* Check the size of the buffer */
>> -	if (*size>  vout->buffer_size) {
>> +	if (*size>  vid_max_buf_size) {
> Good catch !!!
>
>>   		v4l2_err(&vout->vid_dev->v4l2_dev,
>>   				"buffer allocation mismatch [%u] [%u]\n",
>>   				*size, vout->buffer_size);
>> @@ -865,6 +869,8 @@ static int omap_vout_mmap(struct file *file, struct
>> vm_area_struct *vma)
>>   	unsigned long size = (vma->vm_end - vma->vm_start);
>>   	struct omap_vout_device *vout = file->private_data;
>>   	struct videobuf_queue *q =&vout->vbq;
>> +	int vid_max_buf_size = vout->vid == OMAP_VIDEO1 ? video1_bufsize :
>> +		video2_bufsize;
>>
>>   	v4l2_dbg(1, debug,&vout->vid_dev->v4l2_dev,
>>   			" %s pgoff=0x%lx, start=0x%lx, end=0x%lx\n", __func__,
>> @@ -887,7 +893,7 @@ static int omap_vout_mmap(struct file *file, struct
>> vm_area_struct *vma)
>>   		return -EINVAL;
>>   	}
>>   	/* Check the size of the buffer */
>> -	if (size>  vout->buffer_size) {
>> +	if (size>  vid_max_buf_size) {
> Don't you think in case of mmap we should still check for the
> vout->buffer_size, since this is the size user has requested in req_buf.

Ah, you are right, the check for the maximum size should only be in the 
reqbuf path. vout->buffer_size would have been updated correctly at time 
of mmap. I'll change this back to vout->buffer_size.

Thanks,
Archit

>
> Thanks,
> Vaibhav
>
>
>>   		v4l2_err(&vout->vid_dev->v4l2_dev,
>>   				"insufficient memory [%lu] [%u]\n",
>>   				size, vout->buffer_size);
>> --
>> 1.7.1
>
>

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html