Hi Hangyu, On 27/09/2022 10:10, Hans Verkuil wrote: > On 27/09/2022 04:01, Hangyu Hua wrote: >> On 19/5/2022 10:17, Hangyu Hua wrote: >>> vb2_core_qbuf and vb2_core_querybuf don't check the range of b->index >>> controlled by the user. >>> >>> Fix this by adding range checking code before using them. >>> >>> Fixes: 57868acc369a ("media: videobuf2: Add new uAPI for DVB streaming I/O") >>> Signed-off-by: Hangyu Hua <hbh25y@xxxxxxxxx> >>> Reviewed-by: Sergey Senozhatsky <senozhatsky@xxxxxxxxxxxx> >>> --- >>> >>> v2: >>> 1. fix inappropriate use of dprintk. >>> 2. add "fixes" tag >>> >>> drivers/media/dvb-core/dvb_vb2.c | 11 +++++++++++ >>> 1 file changed, 11 insertions(+) >>> >>> diff --git a/drivers/media/dvb-core/dvb_vb2.c b/drivers/media/dvb-core/dvb_vb2.c >>> index a1bd6d9c9223..909df82fed33 100644 >>> --- a/drivers/media/dvb-core/dvb_vb2.c >>> +++ b/drivers/media/dvb-core/dvb_vb2.c >>> @@ -354,6 +354,12 @@ int dvb_vb2_reqbufs(struct dvb_vb2_ctx *ctx, struct dmx_requestbuffers *req) >>> int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b) >>> { >>> + struct vb2_queue *q = &ctx->vb_q; >>> + >>> + if (b->index >= q->num_buffers) { >>> + dprintk(1, "[%s] buffer index out of range\n", ctx->name); >>> + return -EINVAL; >>> + } >>> vb2_core_querybuf(&ctx->vb_q, b->index, b); >>> dprintk(3, "[%s] index=%d\n", ctx->name, b->index); >>> return 0; 
>>> @@ -378,8 +384,13 @@ int dvb_vb2_expbuf(struct dvb_vb2_ctx *ctx, struct dmx_exportbuffer *exp) >>> int dvb_vb2_qbuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b) >>> { >>> + struct vb2_queue *q = &ctx->vb_q; >>> int ret; >>> + if (b->index >= q->num_buffers) { >>> + dprintk(1, "[%s] buffer index out of range\n", ctx->name); >>> + return -EINVAL; >>> + } >>> ret = vb2_core_qbuf(&ctx->vb_q, b->index, b, NULL); >>> if (ret) { >>> dprintk(1, "[%s] index=%d errno=%d\n", ctx->name, >> >> Hi guys, >> >> Looks like this patch was forgotten to to merge into master branch. This bug still in: >> https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n355 >> and >> https://git.linuxtv.org/media_tree.git/tree/drivers/media/dvb-core/dvb_vb2.c#n379 >> >> Thanks, >> Hangyu > > That's weird, it was part of this pull request: > > https://patchwork.linuxtv.org/project/linux-media/patch/2eeaad13-091d-6547-cdeb-0a7a15dc5c3f@xxxxxxxxx/ > > But none of the patches in that PR ever made it to upstream. Something went very wrong > with that PR. > > I'm preparing a new pull request. > > Thank you very much for notifying me! Mauro discovered that a small number of patches were never pushed to our git trees, and so indeed got lost. They have now been merged. This patch has been really unlucky: it took a long time for the original patch to be reviewed, and then the PR itself fell through the cracks :-( Again, thank you very much for double checking this! Regards, Hans
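Review bot: in the dvb_vb2_querybuf() hunk, the new local `q` is used only for the range check, while the call directly below it still passes `&ctx->vb_q`. Either pass `q` to vb2_core_querybuf() as well or drop the local and compare against `ctx->vb_q.num_buffers`, so the check and the call visibly refer to the same queue. The "buffer index out of range" message also omits the rejected value. Printing b->index and q->num_buffers there, as the existing `index=%d` message does for the accepted case, would make a rejected ioctl diagnosable from the log. A blank line after the closing brace of the check would separate it from the call.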
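Review bot: in the dvb_vb2_qbuf() hunk, the range check and its dprintk are a verbatim copy of the block added to dvb_vb2_querybuf(). A small static helper in dvb_vb2.c that takes ctx and the index and returns -EINVAL when the index is out of range would keep the two checks from drifting apart. The commit message says vb2_core_qbuf and vb2_core_querybuf do not validate the index themselves, so it would help to state in a comment next to the check that callers of those functions must range-check b->index first. As in the other hunk, `q` is declared here but the vb2_core_qbuf() call still uses `&ctx->vb_q`.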