Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: videobuf2-core: copy vb planes unconditionally

Copy the relevant data from userspace to the vb->planes unconditionally
as it's possible some of the fields may have changed after the buffer
has been validated.

Keep the dma_buf_put(planes[plane].dbuf) calls in the first
`if (!reacquired)` case, in order to be close to the plane validation code
where the buffers were got in the first place.

Cc: stable@vger.kernel.org
Fixes: 95af7c00f35b ("media: videobuf2-core: release all planes first in __prepare_dmabuf()")
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Tested-by: Will McVicker <willmcvicker@google.com>
Acked-by: Tomasz Figa <tfiga@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>

Authored by Tudor Ambarus and committed by Hans Verkuil
702a47ce a4aebaf6

+15 -13
drivers/media/common/videobuf2/videobuf2-core.c
··· 1482 1482 } 1483 1483 vb->planes[plane].dbuf_mapped = 1; 1484 1484 } 1485 + } else { 1486 + for (plane = 0; plane < vb->num_planes; ++plane) 1487 + dma_buf_put(planes[plane].dbuf); 1488 + } 1485 1489 1486 - /* 1487 - * Now that everything is in order, copy relevant information 1488 - * provided by userspace. 1489 - */ 1490 - for (plane = 0; plane < vb->num_planes; ++plane) { 1491 - vb->planes[plane].bytesused = planes[plane].bytesused; 1492 - vb->planes[plane].length = planes[plane].length; 1493 - vb->planes[plane].m.fd = planes[plane].m.fd; 1494 - vb->planes[plane].data_offset = planes[plane].data_offset; 1495 - } 1490 + /* 1491 + * Now that everything is in order, copy relevant information 1492 + * provided by userspace. 1493 + */ 1494 + for (plane = 0; plane < vb->num_planes; ++plane) { 1495 + vb->planes[plane].bytesused = planes[plane].bytesused; 1496 + vb->planes[plane].length = planes[plane].length; 1497 + vb->planes[plane].m.fd = planes[plane].m.fd; 1498 + vb->planes[plane].data_offset = planes[plane].data_offset; 1499 + } 1496 1500 1501 + if (reacquired) { 1497 1502 /* 1498 1503 * Call driver-specific initialization on the newly acquired buffer, 1499 1504 * if provided. ··· 1508 1503 dprintk(q, 1, "buffer initialization failed\n"); 1509 1504 goto err_put_vb2_buf; 1510 1505 } 1511 - } else { 1512 - for (plane = 0; plane < vb->num_planes; ++plane) 1513 - dma_buf_put(planes[plane].dbuf); 1514 1506 } 1515 1507 1516 1508 ret = call_vb_qop(vb, buf_prepare, vb);
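Review bot: The comment kept above the copy loop in the first hunk ("Now that everything is in order, copy relevant information provided by userspace") no longer explains why the loop sits outside `if (reacquired)`. A sentence saying that userspace may change some of these fields even when the same buffer is queued again would stop a later cleanup from folding the loop back into the reacquired branch. The loop also now writes `length` and `m.fd` on the non-reacquired path, so it is worth confirming that the plane validation above this hunk (not visible here) has already checked both against the attached dma-buf, because `buf_prepare` consumes them immediately afterwards. Splitting the body into two `if (reacquired)` blocks is acceptable given the stated reason for keeping `dma_buf_put()` next to the validation code, but a short comment on the second block would make the pairing obvious.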