| Message ID | 20190329173427.18238-1-afd@ti.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [media] videobuf-dma-contig: Use size of buffer in mmap not vma size | expand |
On Fri, Mar 29, 2019 at 12:34:27PM -0500, Andrew F. Davis wrote: > The size of the vma can be larger than the size of the backing buffer. > Use the buffer size over vma size to prevent exposing extra memory > to userspace. > > Signed-off-by: Andrew F. Davis <afd@ti.com> Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com> > --- > drivers/media/v4l2-core/videobuf-dma-contig.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > > diff --git a/drivers/media/v4l2-core/videobuf-dma-contig.c b/drivers/media/v4l2-core/videobuf-dma-contig.c > index e1bf50df4c70..65e2655d22b7 100644 > --- a/drivers/media/v4l2-core/videobuf-dma-contig.c > +++ b/drivers/media/v4l2-core/videobuf-dma-contig.c > @@ -280,7 +280,6 @@ static int __videobuf_mmap_mapper(struct videobuf_queue *q, > struct videobuf_dma_contig_memory *mem; > struct videobuf_mapping *map; > int retval; > - unsigned long size; > > dev_dbg(q->dev, "%s\n", __func__); > > @@ -303,7 +302,6 @@ static int __videobuf_mmap_mapper(struct videobuf_queue *q, > goto error; > > /* Try to remap memory */ > - size = vma->vm_end - vma->vm_start; > vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); > > /* the "vm_pgoff" is just used in v4l2 to find the > @@ -314,7 +312,7 @@ static int __videobuf_mmap_mapper(struct videobuf_queue *q, > */ > vma->vm_pgoff = 0; > > - retval = vm_iomap_memory(vma, mem->dma_handle, size); > + retval = vm_iomap_memory(vma, mem->dma_handle, mem->size); > if (retval) { > dev_err(q->dev, "mmap: remap failed with error %d. ", > retval); > -- > 2.21.0 >
diff --git a/drivers/media/v4l2-core/videobuf-dma-contig.c b/drivers/media/v4l2-core/videobuf-dma-contig.c index e1bf50df4c70..65e2655d22b7 100644 --- a/drivers/media/v4l2-core/videobuf-dma-contig.c +++ b/drivers/media/v4l2-core/videobuf-dma-contig.c @@ -280,7 +280,6 @@ static int __videobuf_mmap_mapper(struct videobuf_queue *q, struct videobuf_dma_contig_memory *mem; struct videobuf_mapping *map; int retval; - unsigned long size; dev_dbg(q->dev, "%s\n", __func__); @@ -303,7 +302,6 @@ static int __videobuf_mmap_mapper(struct videobuf_queue *q, goto error; /* Try to remap memory */ - size = vma->vm_end - vma->vm_start; vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); /* the "vm_pgoff" is just used in v4l2 to find the @@ -314,7 +312,7 @@ static int __videobuf_mmap_mapper(struct videobuf_queue *q, */ vma->vm_pgoff = 0; - retval = vm_iomap_memory(vma, mem->dma_handle, size); + retval = vm_iomap_memory(vma, mem->dma_handle, mem->size); if (retval) { dev_err(q->dev, "mmap: remap failed with error %d. ", retval);
The size of the vma can be larger than the size of the backing buffer. Use the buffer size over vma size to prevent exposing extra memory to userspace. Signed-off-by: Andrew F. Davis <afd@ti.com> --- drivers/media/v4l2-core/videobuf-dma-contig.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)