Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: videobuf2: improve max_num_buffers sanity checks

Ensure that drivers set max_num_buffers to a value >= 32.
For now there is no reason for drivers to request a lower
limit and doing so might potentially cause userspace issues.
Note that the old check of > MAX_BUFFER_INDEX was pointless
since q->max_num_buffers was already limited to MAX_BUFFER_INDEX
or less.

Also add a sanity check in __vb2_init_fileio(), returning
-ENOSPC if a driver returns more than 32 buffers from
VIDIOC_REQBUFS with count = q->min_reqbufs_allocation.

The vb2_fileio_data struct only supports up to 32 buffers,
so we need a check there.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>

+7 -1
drivers/media/common/videobuf2/videobuf2-core.c
··· 2584 2584 WARN_ON(!q->ops->buf_queue)) 2585 2585 return -EINVAL; 2586 2586 2587 - if (WARN_ON(q->max_num_buffers > MAX_BUFFER_INDEX) || 2587 + if (WARN_ON(q->max_num_buffers < VB2_MAX_FRAME) || 2588 2588 WARN_ON(q->min_queued_buffers > q->max_num_buffers)) 2589 2589 return -EINVAL; 2590 2590 ··· 2855 2855 ret = vb2_core_reqbufs(q, fileio->memory, 0, &fileio->count); 2856 2856 if (ret) 2857 2857 goto err_kfree; 2858 + /* vb2_fileio_data supports max VB2_MAX_FRAME buffers */ 2859 + if (fileio->count > VB2_MAX_FRAME) { 2860 + dprintk(q, 1, "fileio: more than VB2_MAX_FRAME buffers requested\n"); 2861 + ret = -ENOSPC; 2862 + goto err_reqbufs; 2863 + } 2858 2864 2859 2865 /* 2860 2866 * Userspace can never add or delete buffers later, so there
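Review bot: In the first hunk (the queue-init check around line 2587), the upper bound on q->max_num_buffers is dropped without a comment, so the only bound a reader sees at this point is the new lower one. The commit message explains that the value is already limited to MAX_BUFFER_INDEX or less before this test, but that limit is not visible in the hunk. A short comment above the condition saying that the upper limit is enforced earlier, and that VB2_MAX_FRAME is the minimum drivers may set, would keep a later refactor from treating max_num_buffers as unbounded here. The commit message also says ">= 32" while the code compares against VB2_MAX_FRAME; the comment is a good place to tie the two together.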
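Review bot: In the second hunk (the new check in __vb2_init_fileio() after vb2_core_reqbufs()), the debug text "fileio: more than VB2_MAX_FRAME buffers requested" describes the wrong side of the call: fileio->count at this point is what came back from vb2_core_reqbufs(), and the commit message describes the case as the driver returning more than 32 buffers. Wording such as "more than VB2_MAX_FRAME buffers allocated", ideally with the actual count printed, would make the log line useful when diagnosing a driver. The check is what keeps fileio->count within the capacity of vb2_fileio_data, so it is correctly placed before anything uses the count; the body of the err_reqbufs label is outside the visible context, so it is worth confirming that it releases the buffers just allocated. As a style point, a blank line between "goto err_kfree;" and the new comment would match the spacing of the surrounding code.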