[29/31] staging: bcm2835-camera: Add sanity checks for queue_setup/CREATE_BUFS

Message ID 1561669769-2498-3-git-send-email-wahrenst@gmx.net (mailing list archive)
State New, archived

Commit Message

Stefan Wahren June 27, 2019, 9:09 p.m. UTC
From: Dave Stevenson <dave.stevenson@raspberrypi.org>

Fixes a v4l2-compliance failure when passed a buffer that is
too small.
queue_setup wasn't handling the case where !(*nplanes), as
used from CREATE_BUFS and requiring the driver to sanity
check the provided buffer parameters. It was assuming that
it was always being used in the REQBUFS case where it provides
the buffer properties.

Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.org>
---
 .../vc04_services/bcm2835-camera/bcm2835-camera.c        | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--
2.7.4

Comments

Dan Carpenter June 28, 2019, 8:12 a.m. UTC | #1
On Thu, Jun 27, 2019 at 11:09:27PM +0200, Stefan Wahren wrote:
> From: Dave Stevenson <dave.stevenson@raspberrypi.org>
> 
> Fixes a v4l2-compliance failure when passed a buffer that is
> too small.
> queue_setup wasn't handling the case where !(*nplanes), as
                                             ^^^^^^^^^^^
This is reversed?  It wasn't handling where *nplanes is non-zero.

> used from CREATE_BUFS and requiring the driver to sanity
> check the provided buffer parameters. It was assuming that
> it was always being used in the REQBUFS case where it provides
> the buffer properties.

These patches look really nice.

regards,
dan carpenter

Patch

diff --git a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
index 256667b..705644c 100644
--- a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
+++ b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c
@@ -236,6 +236,22 @@  static int queue_setup(struct vb2_queue *vq,
 		return -EINVAL;
 	}

+	/* Handle CREATE_BUFS situation - *nplanes != 0 */
+	if (*nplanes) {
+		if (*nplanes != 1 ||
+		    sizes[0] < dev->capture.port->current_buffer.size) {
+			v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev,
+				 "%s: dev:%p Invalid buffer request from CREATE_BUFS, size %u < %u, nplanes %u != 1\n",
+				 __func__, dev, sizes[0],
+				 dev->capture.port->current_buffer.size,
+				 *nplanes);
+			return -EINVAL;
+		} else {
+			return 0;
+		}
+	}
+
+	/* Handle REQBUFS situation */
 	size = dev->capture.port->current_buffer.size;
 	if (size == 0) {
 		v4l2_err(&dev->v4l2_dev,
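
Review bot: the new CREATE_BUFS branch returns 0 before the size == 0 check that follows under the "Handle REQBUFS situation" comment, so when dev->capture.port->current_buffer.size is 0 the comparison sizes[0] < dev->capture.port->current_buffer.size can never be true (the value is printed with %u, so it is unsigned) and any single-plane request is accepted, while the same state is logged with v4l2_err on the REQBUFS path. Consider reading size once and rejecting 0 before the *nplanes test, so both paths share the check. The else { return 0; } after return -EINVAL is redundant; drop the else and return 0 directly after the inner if. The debug message always prints both "size %u < %u" and "nplanes %u != 1" even when only one condition failed, which can mislead when reading logs; splitting the two tests or rewording the message would help. As already raised in the thread, the commit message says !(*nplanes) while the comment and code here handle *nplanes != 0, so the commit text should be brought in line with the code.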