From: Dave Stevenson <dave.stevenson@xxxxxxxxxxxxxxx>
Fixes a v4l2-compliance failure when passed a buffer that is
too small.
queue_setup wasn't handling the case where *nplanes != 0, as
used from CREATE_BUFS and requiring the driver to sanity
check the provided buffer parameters. It was assuming that
it was always being used in the REQBUFS case where it provides
the buffer properties.
Signed-off-by: Dave Stevenson <dave.stevenson@xxxxxxxxxxxxxxx>
Signed-off-by: Stefan Wahren <wahrenst@xxxxxxx>
Acked-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Acked-by: Mauro Carvalho Chehab <mchehab+samsung@xxxxxxxxxx>
---
.../vc04_services/bcm2835-camera/bcm2835-camera.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
index 1ad65dd..9c90d9b 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
@@ -236,6 +236,22 @@ static int queue_setup(struct vb2_queue *vq,
return -EINVAL;
}
+ /* Handle CREATE_BUFS situation - *nplanes != 0 */
+ if (*nplanes) {
+ if (*nplanes != 1 ||
+ sizes[0] < dev->capture.port->current_buffer.size) {
+ v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev,
+ "%s: dev:%p Invalid buffer request from CREATE_BUFS, size %u < %u, nplanes %u != 1\n",
+ __func__, dev, sizes[0],
+ dev->capture.port->current_buffer.size,
+ *nplanes);
+ return -EINVAL;
+ } else {
+ return 0;
+ }
+ }
+
+ /* Handle REQBUFS situation */
size = dev->capture.port->current_buffer.size;
if (size == 0) {
v4l2_err(&dev->v4l2_dev,
--
2.7.4
