[for,v6.12] media: dvb-core: add missing buffer index check

Commit Message

Hans Verkuil Oct. 1, 2024, 12:11 p.m. UTC

dvb_vb2_expbuf() didn't check if the given buffer index was
for a valid buffer. Add this check.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
Fixes: 7dc866df4012 ("media: dvb-core: Use vb2_get_buffer() instead of directly access to buffers array")
Cc: <stable@vger.kernel.org>
---
Resent, noting that it is a fix for 6.12.
---
 drivers/media/dvb-core/dvb_vb2.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Benjamin Gaignard Oct. 1, 2024, 12:17 p.m. UTC | #1

Le 01/10/2024 à 14:11, Hans Verkuil a écrit :
> dvb_vb2_expbuf() didn't check if the given buffer index was
> for a valid buffer. Add this check.
>
> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
> Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
> Fixes: 7dc866df4012 ("media: dvb-core: Use vb2_get_buffer() instead of directly access to buffers array")
> Cc: <stable@vger.kernel.org>

Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>

> ---
> Resent, noting that it is a fix for 6.12.
> ---
>   drivers/media/dvb-core/dvb_vb2.c | 8 +++++++-
>   1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/media/dvb-core/dvb_vb2.c b/drivers/media/dvb-core/dvb_vb2.c
> index 192a8230c4aa..29edaaff7a5c 100644
> --- a/drivers/media/dvb-core/dvb_vb2.c
> +++ b/drivers/media/dvb-core/dvb_vb2.c
> @@ -366,9 +366,15 @@ int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
>   int dvb_vb2_expbuf(struct dvb_vb2_ctx *ctx, struct dmx_exportbuffer *exp)
>   {
>   	struct vb2_queue *q = &ctx->vb_q;
> +	struct vb2_buffer *vb2 = vb2_get_buffer(q, exp->index);
>   	int ret;
>
> -	ret = vb2_core_expbuf(&ctx->vb_q, &exp->fd, q->type, q->bufs[exp->index],
> +	if (!vb2) {
> +		dprintk(1, "[%s] invalid buffer index\n", ctx->name);
> +		return -EINVAL;
> +	}
> +
> +	ret = vb2_core_expbuf(&ctx->vb_q, &exp->fd, q->type, vb2,
>   			      0, exp->flags);
>   	if (ret) {
>   		dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,

Patch

diff --git a/drivers/media/dvb-core/dvb_vb2.c b/drivers/media/dvb-core/dvb_vb2.c
index 192a8230c4aa..29edaaff7a5c 100644
--- a/drivers/media/dvb-core/dvb_vb2.c
+++ b/drivers/media/dvb-core/dvb_vb2.c
@@ -366,9 +366,15 @@  int dvb_vb2_querybuf(struct dvb_vb2_ctx *ctx, struct dmx_buffer *b)
 int dvb_vb2_expbuf(struct dvb_vb2_ctx *ctx, struct dmx_exportbuffer *exp)
 {
 	struct vb2_queue *q = &ctx->vb_q;
+	struct vb2_buffer *vb2 = vb2_get_buffer(q, exp->index);
 	int ret;

-	ret = vb2_core_expbuf(&ctx->vb_q, &exp->fd, q->type, q->bufs[exp->index],
+	if (!vb2) {
+		dprintk(1, "[%s] invalid buffer index\n", ctx->name);
+		return -EINVAL;
+	}
+
+	ret = vb2_core_expbuf(&ctx->vb_q, &exp->fd, q->type, vb2,
 			      0, exp->flags);
 	if (ret) {
 		dprintk(1, "[%s] index=%d errno=%d\n", ctx->name,