linux/drivers
Mauro Carvalho Chehab 7fba5c7a0a media: videobuf2-core: don't go out of the buffer range
[ Upstream commit df93dc61b0 ]

Currently, there's no check if an invalid buffer range
is passed. However, while testing DVB memory mapped apps,
I got this:

   videobuf2_core: VB: num_buffers -2143943680, buffer 33, index -2143943647
   unable to handle kernel paging request at ffff888b773c0890
   IP: __vb2_queue_alloc+0x134/0x4e0 [videobuf2_core]
   PGD 4142c7067 P4D 4142c7067 PUD 0
   Oops: 0002 [#1] SMP
   Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc rc_dvbsky sp2 ts2020 intel_rapl x86_pkg_temp_thermal dvb_usb_dvbsky intel_powerclamp dvb_usb_v2 coretemp m88ds3103 kvm_intel i2c_mux dvb_core snd_hda_codec_hdmi crct10dif_pclmul crc32_pclmul videobuf2_vmalloc videobuf2_memops snd_hda_intel ghash_clmulni_intel videobuf2_core snd_hda_codec rc_core mei_me intel_cstate snd_hwdep snd_hda_core videodev intel_uncore snd_pcm mei media tpm_tis tpm_tis_core intel_rapl_perf tpm snd_timer lpc_ich snd soundcore kvm irqbypass libcrc32c i915 i2c_algo_bit drm_kms_helper
   e1000e ptp drm crc32c_intel video pps_core
   CPU: 3 PID: 1776 Comm: dvbv5-zap Not tainted 4.14.0+ #78
   Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
   task: ffff88877c73bc80 task.stack: ffffb7c402418000
   RIP: 0010:__vb2_queue_alloc+0x134/0x4e0 [videobuf2_core]
   RSP: 0018:ffffb7c40241bc60 EFLAGS: 00010246
   RAX: 0000000080360421 RBX: 0000000000000021 RCX: 000000000000000a
   RDX: ffffb7c40241bcf4 RSI: ffff888780362c60 RDI: ffff888796d8e130
   RBP: ffffb7c40241bcc8 R08: 0000000000000316 R09: 0000000000000004
   R10: ffff888780362c00 R11: 0000000000000001 R12: 000000000002f000
   R13: ffff8887758be700 R14: 0000000000021000 R15: 0000000000000001
   FS:  00007f2849024740(0000) GS:ffff888796d80000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: ffff888b773c0890 CR3: 000000043beb2005 CR4: 00000000003606e0
   Call Trace:
    vb2_core_reqbufs+0x226/0x420 [videobuf2_core]
    dvb_vb2_reqbufs+0x2d/0xc0 [dvb_core]
    dvb_dvr_do_ioctl+0x98/0x1d0 [dvb_core]
    dvb_usercopy+0x53/0x1b0 [dvb_core]
    ? dvb_demux_ioctl+0x20/0x20 [dvb_core]
    ? tty_ldisc_deref+0x16/0x20
    ? tty_write+0x1f9/0x310
    ? process_echoes+0x70/0x70
    dvb_dvr_ioctl+0x15/0x20 [dvb_core]
    do_vfs_ioctl+0xa5/0x600
    SyS_ioctl+0x79/0x90
    entry_SYSCALL_64_fastpath+0x1a/0xa5
   RIP: 0033:0x7f28486f7ea7
   RSP: 002b:00007ffc13b2db18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
   RAX: ffffffffffffffda RBX: 000055b10fc06130 RCX: 00007f28486f7ea7
   RDX: 00007ffc13b2db48 RSI: 00000000c0086f3c RDI: 0000000000000007
   RBP: 0000000000000203 R08: 000055b10df1e02c R09: 000000000000002e
   R10: 0036b42415108357 R11: 0000000000000246 R12: 0000000000000000
   R13: 00007f2849062f60 R14: 00000000000001f1 R15: 00007ffc13b2da54
   Code: 74 0a 60 8b 0a 48 83 c0 30 48 83 c2 04 89 48 d0 89 48 d4 48 39 f0 75 eb 41 8b 42 08 83 7d d4 01 41 c7 82 ec 01 00 00 ff ff ff ff <4d> 89 94 c5 88 00 00 00 74 14 83 c3 01 41 39 dc 0f 85 f1 fe ff
   RIP: __vb2_queue_alloc+0x134/0x4e0 [videobuf2_core] RSP: ffffb7c40241bc60
   CR2: ffff888b773c0890

So, add a sanity check in order to prevent going past the array.

Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-13 19:50:13 +02:00
..
accessibility
acpi ACPI, PCI, irq: remove redundant check for null string pointer 2018-04-08 11:51:56 +02:00
amba
android binder: add missing binder_unlock() 2018-02-28 10:17:23 +01:00
ata ata: libahci: properly propagate return value of platform_get_irq() 2018-04-13 19:50:06 +02:00
atm atm: horizon: Fix irq release error 2017-12-16 10:33:55 +01:00
auxdisplay
base drivers: base: cacheinfo: fix boot error message when acpi is enabled 2018-01-31 12:06:08 +01:00
bcma bcma: use (get|put)_device when probing/removing device driver 2017-03-12 06:37:30 +01:00
block Revert "mtip32xx: use runtime tag to initialize command header" 2018-04-08 11:52:02 +02:00
bluetooth Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174 2018-03-28 18:40:13 +02:00
bus bus: brcmstb_gisb: correct support for 64-bit address output 2018-04-13 19:50:05 +02:00
cdrom
char fix race in drivers/char/random.c:get_reg() 2018-04-13 19:50:11 +02:00
clk clk: bcm2835: Protect sections updating shared registers 2018-03-28 18:40:13 +02:00
clocksource clockevents/drivers/cs5535: Improve resilience to spurious interrupts 2017-10-27 10:23:17 +02:00
connector
cpufreq Revert "cpufreq: Fix governor module removal race" 2018-04-08 11:52:02 +02:00
cpuidle cpuidle: fix broadcast control when broadcast can not be entered 2017-12-25 14:22:15 +01:00
crypto crypto: s5p-sss - Fix kernel Oops in AES-ECB mode 2018-02-25 11:03:55 +01:00
dca
devfreq PM / devfreq: Propagate error from devfreq_add_device() 2018-02-22 15:44:58 +01:00
dio
dma dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 2018-03-24 10:58:48 +01:00
dma-buf
edac EDAC, octeon: Fix an uninitialized variable warning 2018-02-16 20:09:47 +01:00
eisa
extcon extcon: palmas: Check the parent instance to prevent the NULL 2017-11-21 09:21:18 +01:00
firewire firewire: net: fix fragmented datagram_size off-by-one 2016-11-10 16:36:35 +01:00
firmware efi/esrt: Cleanup bad memory map log messages 2017-12-20 10:04:56 +01:00
fmc
fpga
gpio gpio: xgene: mark PM functions as __maybe_unused 2018-02-25 11:03:50 +01:00
gpu drm: udl: Properly check framebuffer mmap offsets 2018-03-28 18:40:15 +02:00
hid HID: elo: clear BTN_LEFT mapping 2018-03-22 09:23:27 +01:00
hsi HSI: ssi_protocol: double free in ssip_pn_xmit() 2018-03-24 10:58:42 +01:00
hv Drivers: hv: vmbus: fix build warning 2018-02-25 11:03:46 +01:00
hwmon hwmon: (ina2xx) Make calibration register value fixed 2018-04-13 19:50:13 +02:00
hwspinlock
hwtracing coresight: Fix disabling of CoreSight TPIU 2018-03-24 10:58:48 +01:00
i2c i2c: i2c-scmi: add a MS HID 2018-03-24 10:58:41 +01:00
ide
idle idle: i7300: add PCI dependency 2018-02-25 11:03:51 +01:00
iio iio: hi8435: cleanup reset gpio 2018-04-13 19:50:08 +02:00
infiniband IB/srpt: Fix abort handling 2018-04-13 19:50:01 +02:00
input Input: elan_i2c - clear INT before resetting controller 2018-04-13 19:50:11 +02:00
iommu iommu/vt-d: clean up pr_irq if request_threaded_irq fails 2018-03-24 10:58:48 +01:00
ipack
irqchip irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis 2018-03-22 09:23:31 +01:00
isdn isdn: sc: work around type mismatch warning 2018-02-25 11:03:51 +01:00
leds leds: pca955x: Correct I2C Functionality 2018-04-13 19:50:09 +02:00
lguest
lightnvm
macintosh
mailbox mailbox: handle empty message in tx_tick 2017-08-06 19:19:41 -07:00
mcb
md md-cluster: fix potential lock issue in add_new_disk 2018-04-13 19:50:09 +02:00
media media: videobuf2-core: don't go out of the buffer range 2018-04-13 19:50:13 +02:00
memory ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure 2017-12-16 10:33:51 +01:00
memstick
message mptfusion: hide unused seq_mpt_print_ioc_summary function 2018-02-25 11:03:45 +01:00
mfd mfd: palmas: Reset the POWERHOLD mux during power off 2018-03-24 10:58:44 +01:00
misc drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests 2018-04-13 19:50:02 +02:00
mmc mmc: dw_mmc: fix falling from idmac to PIO mode when dw_mci_reset occurs 2018-03-28 18:40:13 +02:00
mtd mtd: jedec_probe: Fix crash in jedec_read_mfr() 2018-04-08 11:51:55 +02:00
net bonding: Don't update slave->link until ready to commit 2018-04-13 19:50:12 +02:00
nfc NFC: nfcmrvl: double free on error path 2018-03-22 09:23:23 +01:00
ntb ntb_transport: fix bug calculating num_qps_mw 2017-08-30 10:19:29 +02:00
nubus
nvdimm libnvdimm, namespace: make 'resource' attribute only readable by root 2017-11-30 08:37:23 +00:00
nvme nvme: Fix managing degraded controllers 2018-02-16 20:09:47 +01:00
nvmem nvmem: imx-ocotp: Fix wrong register size 2017-08-06 19:19:46 -07:00
of of: fix of_device_get_modalias returned length when truncating buffers 2018-03-22 09:23:21 +01:00
oprofile
parisc parisc: Hide Diva-built-in serial aux and graphics card 2018-01-02 20:33:20 +01:00
parport parport_pc: Add support for WCH CH382L PCI-E single parallel port card. 2018-04-08 11:52:00 +02:00
pci Revert "PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown()" 2018-04-08 11:52:01 +02:00
pcmcia
perf drivers/perf: arm_pmu: handle no platform_device 2018-03-22 09:23:26 +01:00
phy phy: work around 'phys' references to usb-nop-xceiv devices 2018-01-23 19:50:16 +01:00
pinctrl pinctrl: Really force states during suspend/resume 2018-03-24 10:58:48 +01:00
platform platform/chrome: Use proper protocol transfer function 2018-03-24 10:58:47 +01:00
pnp
power power: supply: pda_power: move from timer to delayed_work 2018-03-24 10:58:45 +01:00
powercap PowerCap: Fix an error code in powercap_register_zone() 2018-04-13 19:50:05 +02:00
pps
ps3
ptp time: Change posix clocks ops interfaces to use timespec64 2018-03-24 10:58:40 +01:00
pwm pwm: tegra: Increase precision in PWM rate calculation 2018-03-22 09:23:27 +01:00
rapidio
ras
regulator regulator: anatop: set default voltage selector for pcie 2018-03-24 10:58:40 +01:00
remoteproc
reset
rpmsg
rtc rtc: snvs: fix an incorrect check of return value 2018-04-13 19:50:01 +02:00
s390 s390/qeth: on channel error, reject further cmd requests 2018-03-31 18:12:34 +02:00
sbus
scsi scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats() 2018-04-13 19:50:11 +02:00
sfi
sh
sn
soc
spi spi: davinci: fix up dma_mapping_error() incorrect patch 2018-04-08 11:52:02 +02:00
spmi spmi: Include OF based modalias in device uevent 2017-07-27 15:06:10 -07:00
ssb ssb: mark ssb_bus_register as __maybe_unused 2018-02-25 11:03:44 +01:00
staging staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before calling hfa384x_drvr_setconfig16, also fixes relative sparse warning 2018-04-13 19:50:05 +02:00
target tcm_fileio: Prevent information leak for short reads 2018-03-24 10:58:45 +01:00
tc
thermal thermal: power_allocator: fix one race condition issue for thermal_instances list 2018-04-13 19:50:12 +02:00
thunderbolt
tty serial: sh-sci: Fix race condition causing garbage during shutdown 2018-04-13 19:50:07 +02:00
uio uio: fix dmem_region_start computation 2016-10-31 04:13:59 -06:00
usb USB: ene_usb6250: fix SCSI residue overwriting 2018-04-13 19:50:07 +02:00
uwb uwb: ensure that endpoint is interrupt 2017-10-12 11:27:35 +02:00
vfio vfio-pci: Handle error from pci_iomap 2017-08-06 19:19:46 -07:00
vhost vhost_net: stop device during reset owner 2018-02-16 20:09:38 +01:00
video vgacon: Set VGA struct resource types 2018-03-24 10:58:48 +01:00
virt
virtio virtio_balloon: prevent uninitialized variable use 2018-02-25 11:03:42 +01:00
vlynq
vme vme: Fix wrong pointer utilization in ca91cx42_slave_get 2017-01-19 20:17:21 +01:00
w1 w1: ds2490: USB transfer buffers need to be DMAable 2017-03-12 06:37:29 +01:00
watchdog watchdog: hpwdt: fix unused variable warning 2018-03-18 11:17:50 +01:00
xen xen/gntdev: Fix partial gntdev_mmap() cleanup 2018-03-03 10:19:45 +01:00
zorro
Kconfig
Makefile usb: build drivers/usb/common/ when USB_SUPPORT is set 2018-02-25 11:03:38 +01:00