* [PATCH v2 0/2] media: videobuf2: make sure bytesused is smaller than the buffer size @ 2021-11-11 15:26 Dafna Hirschfeld 2021-11-11 15:26 ` [PATCH v2 1/2] media: replace setting of bytesused with vb2_set_plane_payload Dafna Hirschfeld 2021-11-11 15:26 ` [PATCH v2 2/2] media: videobuf2: add WARN_ON if bytesused is bigger than buffer length Dafna Hirschfeld 0 siblings, 2 replies; 7+ messages in thread From: Dafna Hirschfeld @ 2021-11-11 15:26 UTC (permalink / raw) To: linux-media Cc: Dafna Hirschfeld, kernel, laurent.pinchart, hverkuil, dafna3, sakari.ailus, mchehab Add a WARN_ON_ONCE in vb2_set_plane_payload if bytesused is bigger than length and clamp the bytesused to lenth. Also change places where bytesused is set directly with that function. This help find/eliminate possible buffer overflow. chnages since v2: * replace WARN_ON with WARN_ON_ONCE * clamp the bytesused to the buffer length if it is bigger * add inline doc Dafna Hirschfeld (2): media: replace setting of bytesused with vb2_set_plane_payload media: videobuf2: add WARN_ON if bytesused is bigger than buffer length drivers/media/platform/allegro-dvt/allegro-core.c | 2 +- drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 10 +++++----- drivers/media/test-drivers/vicodec/vicodec-core.c | 2 +- drivers/media/usb/go7007/go7007-driver.c | 2 +- drivers/staging/media/meson/vdec/vdec_helpers.c | 10 +++++----- include/media/videobuf2-core.h | 8 +++++++- 6 files changed, 20 insertions(+), 14 deletions(-) -- 2.17.1 ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 1/2] media: replace setting of bytesused with vb2_set_plane_payload 2021-11-11 15:26 [PATCH v2 0/2] media: videobuf2: make sure bytesused is smaller than the buffer size Dafna Hirschfeld @ 2021-11-11 15:26 ` Dafna Hirschfeld 2021-11-16 2:24 ` kernel test robot 2021-11-11 15:26 ` [PATCH v2 2/2] media: videobuf2: add WARN_ON if bytesused is bigger than buffer length Dafna Hirschfeld 1 sibling, 1 reply; 7+ messages in thread From: Dafna Hirschfeld @ 2021-11-11 15:26 UTC (permalink / raw) To: linux-media Cc: Dafna Hirschfeld, kernel, laurent.pinchart, hverkuil, dafna3, sakari.ailus, mchehab In many places the bytesused field of struct vb2_buffer is set directly. Replace that with the function call vb2_set_plane_payload Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@collabora.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> --- drivers/media/platform/allegro-dvt/allegro-core.c | 2 +- drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 10 +++++----- drivers/media/test-drivers/vicodec/vicodec-core.c | 2 +- drivers/media/usb/go7007/go7007-driver.c | 2 +- drivers/staging/media/meson/vdec/vdec_helpers.c | 10 +++++----- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/drivers/media/platform/allegro-dvt/allegro-core.c b/drivers/media/platform/allegro-dvt/allegro-core.c index c8156da33043..4a3d06c70e34 100644 --- a/drivers/media/platform/allegro-dvt/allegro-core.c +++ b/drivers/media/platform/allegro-dvt/allegro-core.c @@ -2815,7 +2815,7 @@ static void allegro_buf_queue(struct vb2_buffer *vb) unsigned int i; for (i = 0; i < vb->num_planes; i++) - vb->planes[i].bytesused = 0; + vb2_set_plane_payload(vb, i, 0); vbuf->field = V4L2_FIELD_NONE; vbuf->sequence = channel->csequence++; diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c index bfad1103e606..c92883e86bcc 100644 --- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c +++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c @@ -965,7 +965,7 @@ static void vb2ops_venc_stop_streaming(struct vb2_queue *q) if (q->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) { while ((dst_buf = v4l2_m2m_dst_buf_remove(ctx->m2m_ctx))) { - dst_buf->vb2_buf.planes[0].bytesused = 0; + vb2_set_plane_payload(&dst_buf->vb2_buf, 0, 0); v4l2_m2m_buf_done(dst_buf, VB2_BUF_STATE_ERROR); } /* STREAMOFF on the CAPTURE queue completes any ongoing flush */ @@ -1078,7 +1078,7 @@ static int mtk_venc_encode_header(void *priv) NULL, &bs_buf, &enc_result); if (ret) { - dst_buf->vb2_buf.planes[0].bytesused = 0; + vb2_set_plane_payload(&dst_buf->vb2_buf, 0, 0); ctx->state = MTK_STATE_ABORT; v4l2_m2m_buf_done(dst_buf, VB2_BUF_STATE_ERROR); mtk_v4l2_err("venc_if_encode failed=%d", ret); @@ -1093,7 +1093,7 @@ static int mtk_venc_encode_header(void *priv) } ctx->state = MTK_STATE_HEADER; - dst_buf->vb2_buf.planes[0].bytesused = enc_result.bs_size; + vb2_set_plane_payload(&dst_buf->vb2_buf, 0, enc_result.bs_size); v4l2_m2m_buf_done(dst_buf, VB2_BUF_STATE_DONE); return 0; @@ -1242,12 +1242,12 @@ static void mtk_venc_worker(struct work_struct *work) if (ret) { v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_ERROR); - dst_buf->vb2_buf.planes[0].bytesused = 0; + vb2_set_plane_payload(&dst_buf->vb2_buf, 0, 0); v4l2_m2m_buf_done(dst_buf, VB2_BUF_STATE_ERROR); mtk_v4l2_err("venc_if_encode failed=%d", ret); } else { v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_DONE); - dst_buf->vb2_buf.planes[0].bytesused = enc_result.bs_size; + vb2_set_plane_payload(&dst_buf->vb2_buf, 0, enc_result.bs_size); v4l2_m2m_buf_done(dst_buf, VB2_BUF_STATE_DONE); mtk_v4l2_debug(2, "venc_if_encode bs size=%d", enc_result.bs_size); diff --git a/drivers/media/test-drivers/vicodec/vicodec-core.c b/drivers/media/test-drivers/vicodec/vicodec-core.c index 33f1c893c1b6..be43f7d32df9 100644 --- a/drivers/media/test-drivers/vicodec/vicodec-core.c +++ b/drivers/media/test-drivers/vicodec/vicodec-core.c @@ -1443,7 +1443,7 @@ static void vicodec_buf_queue(struct vb2_buffer *vb) unsigned int i; for (i = 0; i < vb->num_planes; i++) - vb->planes[i].bytesused = 0; + vb2_set_plane_payload(vb, i, 0); vbuf->field = V4L2_FIELD_NONE; vbuf->sequence = diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c index 6650eab913d8..0c24e2984304 100644 --- a/drivers/media/usb/go7007/go7007-driver.c +++ b/drivers/media/usb/go7007/go7007-driver.c @@ -516,7 +516,7 @@ void go7007_parse_video_stream(struct go7007 *go, u8 *buf, int length) if (vb && vb->vb.vb2_buf.planes[0].bytesused >= GO7007_BUF_SIZE - 3) { v4l2_info(&go->v4l2_dev, "dropping oversized frame\n"); - vb->vb.vb2_buf.planes[0].bytesused = 0; + vb2_set_plane_payload(&vb->vb.vb2_buf, 0, 0); vb->frame_offset = 0; vb->modet_active = 0; vb = go->active_buf = NULL; diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c index b9125c295d1d..1ade7485d5a6 100644 --- a/drivers/staging/media/meson/vdec/vdec_helpers.c +++ b/drivers/staging/media/meson/vdec/vdec_helpers.c @@ -276,13 +276,13 @@ static void dst_buf_done(struct amvdec_session *sess, switch (sess->pixfmt_cap) { case V4L2_PIX_FMT_NV12M: - vbuf->vb2_buf.planes[0].bytesused = output_size; - vbuf->vb2_buf.planes[1].bytesused = output_size / 2; + vb2_set_plane_payload(vbuf->vb2_buf, 0, output_size); + vb2_set_plane_payload(vbuf->vb2_buf, 1, output_size / 2); break; case V4L2_PIX_FMT_YUV420M: - vbuf->vb2_buf.planes[0].bytesused = output_size; - vbuf->vb2_buf.planes[1].bytesused = output_size / 4; - vbuf->vb2_buf.planes[2].bytesused = output_size / 4; + vb2_set_plane_payload(vbuf->vb2_buf, 0, output_size); + vb2_set_plane_payload(vbuf->vb2_buf, 1, output_size / 4); + vb2_set_plane_payload(vbuf->vb2_buf, 2, output_size / 4); break; } -- 2.17.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/2] media: replace setting of bytesused with vb2_set_plane_payload 2021-11-11 15:26 ` [PATCH v2 1/2] media: replace setting of bytesused with vb2_set_plane_payload Dafna Hirschfeld @ 2021-11-16 2:24 ` kernel test robot 0 siblings, 0 replies; 7+ messages in thread From: kernel test robot @ 2021-11-16 2:24 UTC (permalink / raw) To: Dafna Hirschfeld, linux-media Cc: kbuild-all, Dafna Hirschfeld, kernel, laurent.pinchart, hverkuil, dafna3, sakari.ailus, mchehab [-- Attachment #1: Type: text/plain, Size: 8187 bytes --] Hi Dafna, I love your patch! Yet something to improve: [auto build test ERROR on media-tree/master] [also build test ERROR on v5.16-rc1 next-20211115] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/Dafna-Hirschfeld/media-videobuf2-make-sure-bytesused-is-smaller-than-the-buffer-size/20211111-232720 base: git://linuxtv.org/media_tree.git master config: microblaze-randconfig-r013-20211115 (attached as .config) compiler: microblaze-linux-gcc (GCC) 11.2.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/0day-ci/linux/commit/6934ed79a3550b00a9f9a6ae14a283a59a10f566 git remote add linux-review https://github.com/0day-ci/linux git fetch --no-tags linux-review Dafna-Hirschfeld/media-videobuf2-make-sure-bytesused-is-smaller-than-the-buffer-size/20211111-232720 git checkout 6934ed79a3550b00a9f9a6ae14a283a59a10f566 # save the attached .config to linux build tree mkdir build_dir COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=microblaze SHELL=/bin/bash drivers/staging/media/meson/vdec/ If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): drivers/staging/media/meson/vdec/vdec_helpers.c: In function 'dst_buf_done': >> drivers/staging/media/meson/vdec/vdec_helpers.c:279:43: error: incompatible type for argument 1 of 'vb2_set_plane_payload' 279 | vb2_set_plane_payload(vbuf->vb2_buf, 0, output_size); | ~~~~^~~~~~~~~ | | | struct vb2_buffer In file included from include/media/videobuf2-v4l2.h:16, from include/media/v4l2-mem2mem.h:16, from drivers/staging/media/meson/vdec/vdec_helpers.c:8: include/media/videobuf2-core.h:1155:61: note: expected 'struct vb2_buffer *' but argument is of type 'struct vb2_buffer' 1155 | static inline void vb2_set_plane_payload(struct vb2_buffer *vb, | ~~~~~~~~~~~~~~~~~~~^~ drivers/staging/media/meson/vdec/vdec_helpers.c:280:43: error: incompatible type for argument 1 of 'vb2_set_plane_payload' 280 | vb2_set_plane_payload(vbuf->vb2_buf, 1, output_size / 2); | ~~~~^~~~~~~~~ | | | struct vb2_buffer In file included from include/media/videobuf2-v4l2.h:16, from include/media/v4l2-mem2mem.h:16, from drivers/staging/media/meson/vdec/vdec_helpers.c:8: include/media/videobuf2-core.h:1155:61: note: expected 'struct vb2_buffer *' but argument is of type 'struct vb2_buffer' 1155 | static inline void vb2_set_plane_payload(struct vb2_buffer *vb, | ~~~~~~~~~~~~~~~~~~~^~ drivers/staging/media/meson/vdec/vdec_helpers.c:283:43: error: incompatible type for argument 1 of 'vb2_set_plane_payload' 283 | vb2_set_plane_payload(vbuf->vb2_buf, 0, output_size); | ~~~~^~~~~~~~~ | | | struct vb2_buffer In file included from include/media/videobuf2-v4l2.h:16, from include/media/v4l2-mem2mem.h:16, from drivers/staging/media/meson/vdec/vdec_helpers.c:8: include/media/videobuf2-core.h:1155:61: note: expected 'struct vb2_buffer *' but argument is of type 'struct vb2_buffer' 1155 | static inline void vb2_set_plane_payload(struct vb2_buffer *vb, | ~~~~~~~~~~~~~~~~~~~^~ drivers/staging/media/meson/vdec/vdec_helpers.c:284:43: error: incompatible type for argument 1 of 'vb2_set_plane_payload' 284 | vb2_set_plane_payload(vbuf->vb2_buf, 1, output_size / 4); | ~~~~^~~~~~~~~ | | | struct vb2_buffer In file included from include/media/videobuf2-v4l2.h:16, from include/media/v4l2-mem2mem.h:16, from drivers/staging/media/meson/vdec/vdec_helpers.c:8: include/media/videobuf2-core.h:1155:61: note: expected 'struct vb2_buffer *' but argument is of type 'struct vb2_buffer' 1155 | static inline void vb2_set_plane_payload(struct vb2_buffer *vb, | ~~~~~~~~~~~~~~~~~~~^~ drivers/staging/media/meson/vdec/vdec_helpers.c:285:43: error: incompatible type for argument 1 of 'vb2_set_plane_payload' 285 | vb2_set_plane_payload(vbuf->vb2_buf, 2, output_size / 4); | ~~~~^~~~~~~~~ | | | struct vb2_buffer In file included from include/media/videobuf2-v4l2.h:16, from include/media/v4l2-mem2mem.h:16, from drivers/staging/media/meson/vdec/vdec_helpers.c:8: include/media/videobuf2-core.h:1155:61: note: expected 'struct vb2_buffer *' but argument is of type 'struct vb2_buffer' 1155 | static inline void vb2_set_plane_payload(struct vb2_buffer *vb, | ~~~~~~~~~~~~~~~~~~~^~ vim +/vb2_set_plane_payload +279 drivers/staging/media/meson/vdec/vdec_helpers.c 268 269 static void dst_buf_done(struct amvdec_session *sess, 270 struct vb2_v4l2_buffer *vbuf, 271 u32 field, u64 timestamp, 272 struct v4l2_timecode timecode, u32 flags) 273 { 274 struct device *dev = sess->core->dev_dec; 275 u32 output_size = amvdec_get_output_size(sess); 276 277 switch (sess->pixfmt_cap) { 278 case V4L2_PIX_FMT_NV12M: > 279 vb2_set_plane_payload(vbuf->vb2_buf, 0, output_size); 280 vb2_set_plane_payload(vbuf->vb2_buf, 1, output_size / 2); 281 break; 282 case V4L2_PIX_FMT_YUV420M: 283 vb2_set_plane_payload(vbuf->vb2_buf, 0, output_size); 284 vb2_set_plane_payload(vbuf->vb2_buf, 1, output_size / 4); 285 vb2_set_plane_payload(vbuf->vb2_buf, 2, output_size / 4); 286 break; 287 } 288 289 vbuf->vb2_buf.timestamp = timestamp; 290 vbuf->sequence = sess->sequence_cap++; 291 vbuf->flags = flags; 292 vbuf->timecode = timecode; 293 294 if (sess->should_stop && 295 atomic_read(&sess->esparser_queued_bufs) <= 1) { 296 const struct v4l2_event ev = { .type = V4L2_EVENT_EOS }; 297 298 dev_dbg(dev, "Signaling EOS, sequence_cap = %u\n", 299 sess->sequence_cap - 1); 300 v4l2_event_queue_fh(&sess->fh, &ev); 301 vbuf->flags |= V4L2_BUF_FLAG_LAST; 302 } else if (sess->status == STATUS_NEEDS_RESUME) { 303 /* Mark LAST for drained show frames during a source change */ 304 vbuf->flags |= V4L2_BUF_FLAG_LAST; 305 sess->sequence_cap = 0; 306 } else if (sess->should_stop) 307 dev_dbg(dev, "should_stop, %u bufs remain\n", 308 atomic_read(&sess->esparser_queued_bufs)); 309 310 dev_dbg(dev, "Buffer %u done, ts = %llu, flags = %08X\n", 311 vbuf->vb2_buf.index, timestamp, flags); 312 vbuf->field = field; 313 v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_DONE); 314 315 /* Buffer done probably means the vififo got freed */ 316 schedule_work(&sess->esparser_queue_work); 317 } 318 --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org [-- Attachment #2: .config.gz --] [-- Type: application/gzip, Size: 35840 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 1/2] media: replace setting of bytesused with vb2_set_plane_payload @ 2021-11-16 2:24 ` kernel test robot 0 siblings, 0 replies; 7+ messages in thread From: kernel test robot @ 2021-11-16 2:24 UTC (permalink / raw) To: kbuild-all [-- Attachment #1: Type: text/plain, Size: 8334 bytes --] Hi Dafna, I love your patch! Yet something to improve: [auto build test ERROR on media-tree/master] [also build test ERROR on v5.16-rc1 next-20211115] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/Dafna-Hirschfeld/media-videobuf2-make-sure-bytesused-is-smaller-than-the-buffer-size/20211111-232720 base: git://linuxtv.org/media_tree.git master config: microblaze-randconfig-r013-20211115 (attached as .config) compiler: microblaze-linux-gcc (GCC) 11.2.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/0day-ci/linux/commit/6934ed79a3550b00a9f9a6ae14a283a59a10f566 git remote add linux-review https://github.com/0day-ci/linux git fetch --no-tags linux-review Dafna-Hirschfeld/media-videobuf2-make-sure-bytesused-is-smaller-than-the-buffer-size/20211111-232720 git checkout 6934ed79a3550b00a9f9a6ae14a283a59a10f566 # save the attached .config to linux build tree mkdir build_dir COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=microblaze SHELL=/bin/bash drivers/staging/media/meson/vdec/ If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): drivers/staging/media/meson/vdec/vdec_helpers.c: In function 'dst_buf_done': >> drivers/staging/media/meson/vdec/vdec_helpers.c:279:43: error: incompatible type for argument 1 of 'vb2_set_plane_payload' 279 | vb2_set_plane_payload(vbuf->vb2_buf, 0, output_size); | ~~~~^~~~~~~~~ | | | struct vb2_buffer In file included from include/media/videobuf2-v4l2.h:16, from include/media/v4l2-mem2mem.h:16, from drivers/staging/media/meson/vdec/vdec_helpers.c:8: include/media/videobuf2-core.h:1155:61: note: expected 'struct vb2_buffer *' but argument is of type 'struct vb2_buffer' 1155 | static inline void vb2_set_plane_payload(struct vb2_buffer *vb, | ~~~~~~~~~~~~~~~~~~~^~ drivers/staging/media/meson/vdec/vdec_helpers.c:280:43: error: incompatible type for argument 1 of 'vb2_set_plane_payload' 280 | vb2_set_plane_payload(vbuf->vb2_buf, 1, output_size / 2); | ~~~~^~~~~~~~~ | | | struct vb2_buffer In file included from include/media/videobuf2-v4l2.h:16, from include/media/v4l2-mem2mem.h:16, from drivers/staging/media/meson/vdec/vdec_helpers.c:8: include/media/videobuf2-core.h:1155:61: note: expected 'struct vb2_buffer *' but argument is of type 'struct vb2_buffer' 1155 | static inline void vb2_set_plane_payload(struct vb2_buffer *vb, | ~~~~~~~~~~~~~~~~~~~^~ drivers/staging/media/meson/vdec/vdec_helpers.c:283:43: error: incompatible type for argument 1 of 'vb2_set_plane_payload' 283 | vb2_set_plane_payload(vbuf->vb2_buf, 0, output_size); | ~~~~^~~~~~~~~ | | | struct vb2_buffer In file included from include/media/videobuf2-v4l2.h:16, from include/media/v4l2-mem2mem.h:16, from drivers/staging/media/meson/vdec/vdec_helpers.c:8: include/media/videobuf2-core.h:1155:61: note: expected 'struct vb2_buffer *' but argument is of type 'struct vb2_buffer' 1155 | static inline void vb2_set_plane_payload(struct vb2_buffer *vb, | ~~~~~~~~~~~~~~~~~~~^~ drivers/staging/media/meson/vdec/vdec_helpers.c:284:43: error: incompatible type for argument 1 of 'vb2_set_plane_payload' 284 | vb2_set_plane_payload(vbuf->vb2_buf, 1, output_size / 4); | ~~~~^~~~~~~~~ | | | struct vb2_buffer In file included from include/media/videobuf2-v4l2.h:16, from include/media/v4l2-mem2mem.h:16, from drivers/staging/media/meson/vdec/vdec_helpers.c:8: include/media/videobuf2-core.h:1155:61: note: expected 'struct vb2_buffer *' but argument is of type 'struct vb2_buffer' 1155 | static inline void vb2_set_plane_payload(struct vb2_buffer *vb, | ~~~~~~~~~~~~~~~~~~~^~ drivers/staging/media/meson/vdec/vdec_helpers.c:285:43: error: incompatible type for argument 1 of 'vb2_set_plane_payload' 285 | vb2_set_plane_payload(vbuf->vb2_buf, 2, output_size / 4); | ~~~~^~~~~~~~~ | | | struct vb2_buffer In file included from include/media/videobuf2-v4l2.h:16, from include/media/v4l2-mem2mem.h:16, from drivers/staging/media/meson/vdec/vdec_helpers.c:8: include/media/videobuf2-core.h:1155:61: note: expected 'struct vb2_buffer *' but argument is of type 'struct vb2_buffer' 1155 | static inline void vb2_set_plane_payload(struct vb2_buffer *vb, | ~~~~~~~~~~~~~~~~~~~^~ vim +/vb2_set_plane_payload +279 drivers/staging/media/meson/vdec/vdec_helpers.c 268 269 static void dst_buf_done(struct amvdec_session *sess, 270 struct vb2_v4l2_buffer *vbuf, 271 u32 field, u64 timestamp, 272 struct v4l2_timecode timecode, u32 flags) 273 { 274 struct device *dev = sess->core->dev_dec; 275 u32 output_size = amvdec_get_output_size(sess); 276 277 switch (sess->pixfmt_cap) { 278 case V4L2_PIX_FMT_NV12M: > 279 vb2_set_plane_payload(vbuf->vb2_buf, 0, output_size); 280 vb2_set_plane_payload(vbuf->vb2_buf, 1, output_size / 2); 281 break; 282 case V4L2_PIX_FMT_YUV420M: 283 vb2_set_plane_payload(vbuf->vb2_buf, 0, output_size); 284 vb2_set_plane_payload(vbuf->vb2_buf, 1, output_size / 4); 285 vb2_set_plane_payload(vbuf->vb2_buf, 2, output_size / 4); 286 break; 287 } 288 289 vbuf->vb2_buf.timestamp = timestamp; 290 vbuf->sequence = sess->sequence_cap++; 291 vbuf->flags = flags; 292 vbuf->timecode = timecode; 293 294 if (sess->should_stop && 295 atomic_read(&sess->esparser_queued_bufs) <= 1) { 296 const struct v4l2_event ev = { .type = V4L2_EVENT_EOS }; 297 298 dev_dbg(dev, "Signaling EOS, sequence_cap = %u\n", 299 sess->sequence_cap - 1); 300 v4l2_event_queue_fh(&sess->fh, &ev); 301 vbuf->flags |= V4L2_BUF_FLAG_LAST; 302 } else if (sess->status == STATUS_NEEDS_RESUME) { 303 /* Mark LAST for drained show frames during a source change */ 304 vbuf->flags |= V4L2_BUF_FLAG_LAST; 305 sess->sequence_cap = 0; 306 } else if (sess->should_stop) 307 dev_dbg(dev, "should_stop, %u bufs remain\n", 308 atomic_read(&sess->esparser_queued_bufs)); 309 310 dev_dbg(dev, "Buffer %u done, ts = %llu, flags = %08X\n", 311 vbuf->vb2_buf.index, timestamp, flags); 312 vbuf->field = field; 313 v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_DONE); 314 315 /* Buffer done probably means the vififo got freed */ 316 schedule_work(&sess->esparser_queue_work); 317 } 318 --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org [-- Attachment #2: config.gz --] [-- Type: application/gzip, Size: 35840 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2 2/2] media: videobuf2: add WARN_ON if bytesused is bigger than buffer length 2021-11-11 15:26 [PATCH v2 0/2] media: videobuf2: make sure bytesused is smaller than the buffer size Dafna Hirschfeld 2021-11-11 15:26 ` [PATCH v2 1/2] media: replace setting of bytesused with vb2_set_plane_payload Dafna Hirschfeld @ 2021-11-11 15:26 ` Dafna Hirschfeld 2021-11-12 0:10 ` Laurent Pinchart 2021-11-24 15:47 ` Hans Verkuil 1 sibling, 2 replies; 7+ messages in thread From: Dafna Hirschfeld @ 2021-11-11 15:26 UTC (permalink / raw) To: linux-media Cc: Dafna Hirschfeld, kernel, laurent.pinchart, hverkuil, dafna3, sakari.ailus, mchehab In function vb2_set_plane_payload, report if the given bytesused is bigger than the buffer size, and clamp it to the buffer size. Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@collabora.com> --- include/media/videobuf2-core.h | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/include/media/videobuf2-core.h b/include/media/videobuf2-core.h index 2467284e5f26..e06c190265f0 100644 --- a/include/media/videobuf2-core.h +++ b/include/media/videobuf2-core.h @@ -1155,8 +1155,14 @@ static inline void *vb2_get_drv_priv(struct vb2_queue *q) static inline void vb2_set_plane_payload(struct vb2_buffer *vb, unsigned int plane_no, unsigned long size) { - if (plane_no < vb->num_planes) + /* + * size must never be larger than the buffer length, so + * warn and clamp to the buffer length if that's the case. + */ + if (plane_no < vb->num_planes) { + WARN_ON_ONCE(size > vb->planes[plane_no].length); vb->planes[plane_no].bytesused = size; + } } /** -- 2.17.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2 2/2] media: videobuf2: add WARN_ON if bytesused is bigger than buffer length 2021-11-11 15:26 ` [PATCH v2 2/2] media: videobuf2: add WARN_ON if bytesused is bigger than buffer length Dafna Hirschfeld @ 2021-11-12 0:10 ` Laurent Pinchart 2021-11-24 15:47 ` Hans Verkuil 1 sibling, 0 replies; 7+ messages in thread From: Laurent Pinchart @ 2021-11-12 0:10 UTC (permalink / raw) To: Dafna Hirschfeld Cc: linux-media, kernel, hverkuil, dafna3, sakari.ailus, mchehab Hi Dafna, Thank you for the patch. On Thu, Nov 11, 2021 at 05:26:40PM +0200, Dafna Hirschfeld wrote: > In function vb2_set_plane_payload, report if the > given bytesused is bigger than the buffer size, > and clamp it to the buffer size. > > Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@collabora.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > --- > include/media/videobuf2-core.h | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/include/media/videobuf2-core.h b/include/media/videobuf2-core.h > index 2467284e5f26..e06c190265f0 100644 > --- a/include/media/videobuf2-core.h > +++ b/include/media/videobuf2-core.h > @@ -1155,8 +1155,14 @@ static inline void *vb2_get_drv_priv(struct vb2_queue *q) > static inline void vb2_set_plane_payload(struct vb2_buffer *vb, > unsigned int plane_no, unsigned long size) > { > - if (plane_no < vb->num_planes) > + /* > + * size must never be larger than the buffer length, so > + * warn and clamp to the buffer length if that's the case. > + */ > + if (plane_no < vb->num_planes) { > + WARN_ON_ONCE(size > vb->planes[plane_no].length); > vb->planes[plane_no].bytesused = size; > + } > } > > /** -- Regards, Laurent Pinchart ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2 2/2] media: videobuf2: add WARN_ON if bytesused is bigger than buffer length 2021-11-11 15:26 ` [PATCH v2 2/2] media: videobuf2: add WARN_ON if bytesused is bigger than buffer length Dafna Hirschfeld 2021-11-12 0:10 ` Laurent Pinchart @ 2021-11-24 15:47 ` Hans Verkuil 1 sibling, 0 replies; 7+ messages in thread From: Hans Verkuil @ 2021-11-24 15:47 UTC (permalink / raw) To: Dafna Hirschfeld, linux-media Cc: kernel, laurent.pinchart, dafna3, sakari.ailus, mchehab On 11/11/2021 16:26, Dafna Hirschfeld wrote: > In function vb2_set_plane_payload, report if the > given bytesused is bigger than the buffer size, > and clamp it to the buffer size. > > Signed-off-by: Dafna Hirschfeld <dafna.hirschfeld@collabora.com> > --- > include/media/videobuf2-core.h | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/include/media/videobuf2-core.h b/include/media/videobuf2-core.h > index 2467284e5f26..e06c190265f0 100644 > --- a/include/media/videobuf2-core.h > +++ b/include/media/videobuf2-core.h > @@ -1155,8 +1155,14 @@ static inline void *vb2_get_drv_priv(struct vb2_queue *q) > static inline void vb2_set_plane_payload(struct vb2_buffer *vb, > unsigned int plane_no, unsigned long size) > { > - if (plane_no < vb->num_planes) > + /* > + * size must never be larger than the buffer length, so > + * warn and clamp to the buffer length if that's the case. > + */ > + if (plane_no < vb->num_planes) { > + WARN_ON_ONCE(size > vb->planes[plane_no].length); This doesn't clamp size to the buffer length, so this needs to be added. Also, the subject talks about WARN_ON instead of WARN_ON_ONCE. Regards, Hans > vb->planes[plane_no].bytesused = size; > + } > } > > /** > ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-11-24 15:47 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-11-11 15:26 [PATCH v2 0/2] media: videobuf2: make sure bytesused is smaller than the buffer size Dafna Hirschfeld 2021-11-11 15:26 ` [PATCH v2 1/2] media: replace setting of bytesused with vb2_set_plane_payload Dafna Hirschfeld 2021-11-16 2:24 ` kernel test robot 2021-11-16 2:24 ` kernel test robot 2021-11-11 15:26 ` [PATCH v2 2/2] media: videobuf2: add WARN_ON if bytesused is bigger than buffer length Dafna Hirschfeld 2021-11-12 0:10 ` Laurent Pinchart 2021-11-24 15:47 ` Hans Verkuil
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.