Message ID | 20230622131349.144160-4-benjamin.gaignard@collabora.com (mailing list archive) |
---|---|
State | Superseded |
Series | Add DELETE_BUF ioctl |
On Thu, Jun 22, 2023 at 03:13:41PM +0200, Benjamin Gaignard wrote: > diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c > index f1ff7af34a9f..86e1e926fa45 100644 > --- a/drivers/media/common/videobuf2/videobuf2-core.c > +++ b/drivers/media/common/videobuf2/videobuf2-core.c > @@ -455,9 +455,9 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory, > struct vb2_buffer *vb; > int ret; > > - /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ > + /* Ensure that q->num_buffers + num_buffers is UINT_MAX */ > num_buffers = min_t(unsigned int, num_buffers, > - VB2_MAX_FRAME - q->num_buffers); > + UINT_MAX - q->num_buffers); The UINT_MAX limit adds a level of danger. It would be safer to do what the vfs layer does for MAX_RW_COUNT and use "INT_MAX - PAGE_SIZE". That way you can take size + sizeof() and it's only very rarely going to turn negative. Or at least just INT_MAX. I would keep the VB2_MAX_FRAME and define it as: #define VB2_MAX_FRAME (INT_MAX & PAGE_MASK) /* The mask prevents 85% of integer overflows */ > > for (buffer = 0; buffer < num_buffers; ++buffer) { > /* Allocate vb2 buffer structures */ > @@ -858,9 +858,9 @@ int vb2_core_reqbufs(struct vb2_queue *q, enum vb2_memory memory, > /* > * Make sure the requested values and current defaults are sane. > */ > - WARN_ON(q->min_buffers_needed > VB2_MAX_FRAME); > + WARN_ON(q->min_buffers_needed > UINT_MAX); This will trigger a static checker warning because the condition is impossible. regards, dan carpenter
On Thu, Jun 22, 2023 at 03:13:41PM +0200, Benjamin Gaignard wrote: > diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c > index f1ff7af34a9f..86e1e926fa45 100644 > --- a/drivers/media/common/videobuf2/videobuf2-core.c > +++ b/drivers/media/common/videobuf2/videobuf2-core.c > @@ -455,9 +455,9 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory, > struct vb2_buffer *vb; > int ret; > > - /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ > + /* Ensure that q->num_buffers + num_buffers is UINT_MAX */ > num_buffers = min_t(unsigned int, num_buffers, > - VB2_MAX_FRAME - q->num_buffers); > + UINT_MAX - q->num_buffers); > > for (buffer = 0; buffer < num_buffers; ++buffer) { > /* Allocate vb2 buffer structures */ Ah... Here's one of the integer overflow bugs I was talking about. The __vb2_queue_alloc() function returns an int so if num_buffers goes over INT_MAX we are hosed. regards, dan carpenter
On 22/06/2023 at 16:11, Dan Carpenter wrote: > On Thu, Jun 22, 2023 at 03:13:41PM +0200, Benjamin Gaignard wrote: >> diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c >> index f1ff7af34a9f..86e1e926fa45 100644 >> --- a/drivers/media/common/videobuf2/videobuf2-core.c >> +++ b/drivers/media/common/videobuf2/videobuf2-core.c >> @@ -455,9 +455,9 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory, >> struct vb2_buffer *vb; >> int ret; >> >> - /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ >> + /* Ensure that q->num_buffers + num_buffers is UINT_MAX */ >> num_buffers = min_t(unsigned int, num_buffers, >> - VB2_MAX_FRAME - q->num_buffers); >> + UINT_MAX - q->num_buffers); >> >> for (buffer = 0; buffer < num_buffers; ++buffer) { >> /* Allocate vb2 buffer structures */ > Ah... Here's one of the integer overflow bugs I was talking about. The > __vb2_queue_alloc() function returns an int so if num_buffers goes over > INT_MAX we are hosed. I will limit it to: #define VB2_QUEUE_MAX_BUFFERS (INT_MAX & PAGE_MASK) /* The mask prevents 85% of integer overflows */ as you have suggested. That will be in version 4. Thanks, Benjamin > > regards, > dan carpenter >
On 22/06/2023 16:13, Benjamin Gaignard wrote: > > On 22/06/2023 at 16:11, Dan Carpenter wrote: >> On Thu, Jun 22, 2023 at 03:13:41PM +0200, Benjamin Gaignard wrote: >>> diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c >>> index f1ff7af34a9f..86e1e926fa45 100644 >>> --- a/drivers/media/common/videobuf2/videobuf2-core.c >>> +++ b/drivers/media/common/videobuf2/videobuf2-core.c >>> @@ -455,9 +455,9 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory, >>> struct vb2_buffer *vb; >>> int ret; >>> - /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ >>> + /* Ensure that q->num_buffers + num_buffers is UINT_MAX */ >>> num_buffers = min_t(unsigned int, num_buffers, >>> - VB2_MAX_FRAME - q->num_buffers); >>> + UINT_MAX - q->num_buffers); >>> for (buffer = 0; buffer < num_buffers; ++buffer) { >>> /* Allocate vb2 buffer structures */ >> Ah... Here's one of the integer overflow bugs I was talking about. The >> __vb2_queue_alloc() function returns an int so if num_buffers goes over >> INT_MAX we are hosed. > > I will limit it to: > #define VB2_QUEUE_MAX_BUFFERS (INT_MAX & PAGE_MASK) /* The mask prevents 85% of integer overflows */ > as you have suggested. IMHO INT_MAX is way overkill. How about (1U << 20)? I would like some sort of sanity check here. 1048576 buffers of 640x480 and 4 bytes per pixel is 1.2 TB. Since a TB of memory is doable these days, I think this is a reasonable value for MAX_BUFFERS without allowing just anything. An alternative is to make this a kernel config. Regards, Hans > > That will be in version 4. > > Thanks, > Benjamin > >> >> regards, >> dan carpenter >>
On 23/06/2023 at 09:02, Hans Verkuil wrote: > On 22/06/2023 16:13, Benjamin Gaignard wrote: >> On 22/06/2023 at 16:11, Dan Carpenter wrote: >>> On Thu, Jun 22, 2023 at 03:13:41PM +0200, Benjamin Gaignard wrote: >>>> diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c >>>> index f1ff7af34a9f..86e1e926fa45 100644 >>>> --- a/drivers/media/common/videobuf2/videobuf2-core.c >>>> +++ b/drivers/media/common/videobuf2/videobuf2-core.c >>>> @@ -455,9 +455,9 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory, >>>> struct vb2_buffer *vb; >>>> int ret; >>>> - /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ >>>> + /* Ensure that q->num_buffers + num_buffers is UINT_MAX */ >>>> num_buffers = min_t(unsigned int, num_buffers, >>>> - VB2_MAX_FRAME - q->num_buffers); >>>> + UINT_MAX - q->num_buffers); >>>> for (buffer = 0; buffer < num_buffers; ++buffer) { >>>> /* Allocate vb2 buffer structures */ >>> Ah... Here's one of the integer overflow bugs I was talking about. The >>> __vb2_queue_alloc() function returns an int so if num_buffers goes over >>> INT_MAX we are hosed. >> I will limit it to: >> #define VB2_QUEUE_MAX_BUFFERS (INT_MAX & PAGE_MASK) /* The mask prevents 85% of integer overflows */ >> as you have suggested. > IMHO INT_MAX is way overkill. How about (1U << 20)? I would like some sort of > sanity check here. 1048576 buffers of 640x480 and 4 bytes per pixel is 1.2 TB. I will go for (1U << 20) in the next version. Regards, Benjamin > > Since a TB of memory is doable these days, I think this is a reasonable > value for MAX_BUFFERS without allowing just anything. > > An alternative is to make this a kernel config. > > Regards, > > Hans > >> That will be in version 4. >> >> Thanks, >> Benjamin >> >>> regards, >>> dan carpenter >>>
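The trade-off between the three limits discussed in this thread (UINT_MAX, INT_MAX & PAGE_MASK, and 1U << 20), as an added example that is not part of the original messages or of the kernel source. The 4 KiB page size and all helper names are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 4 KiB pages; the kernel's PAGE_MASK is arch-dependent. */
#define EX_PAGE_MASK (~4095u)
/* The three candidate limits from the thread. */
#define LIMIT_UINT   UINT_MAX
#define LIMIT_INTPG  ((unsigned int)INT_MAX & EX_PAGE_MASK)
#define LIMIT_1M     (1u << 20)

/* Same clamp shape as the patch, min(requested, limit - have), with a
 * guard so a queue already at or past the limit gets 0, not a wrap. */
static unsigned int clamp_count(unsigned int requested, unsigned int have,
                                unsigned int limit)
{
    unsigned int room = have < limit ? limit - have : 0;
    return requested < room ? requested : room;
}

/* Can the count be handed back through an int return value? */
static int fits_in_int(unsigned int count)
{
    return count <= (unsigned int)INT_MAX;
}

/* Does count + extra stay non-negative as an int ("size + sizeof()")? */
static int has_headroom(unsigned int count, unsigned int extra)
{
    return (uint64_t)count + extra <= (uint64_t)INT_MAX;
}

/* Worst-case bytes for count buffers of w x h pixels, bpp bytes each. */
static uint64_t worst_case_bytes(unsigned int count, unsigned int w,
                                 unsigned int h, unsigned int bpp)
{
    return (uint64_t)count * w * h * bpp;
}

int main(void)
{
    const unsigned int limits[] = { LIMIT_UINT, LIMIT_INTPG, LIMIT_1M };
    for (size_t i = 0; i < 3; i++) {
        unsigned int n = clamp_count(UINT_MAX, 0, limits[i]);
        printf("limit=%#x count=%u fits_int=%d headroom(+4095)=%d bytes=%llu\n",
               limits[i], n, fits_in_int(n), has_headroom(n, 4095),
               (unsigned long long)worst_case_bytes(n, 640, 480, 4));
    }
    return 0;
}
```
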
diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c index f1ff7af34a9f..86e1e926fa45 100644 --- a/drivers/media/common/videobuf2/videobuf2-core.c +++ b/drivers/media/common/videobuf2/videobuf2-core.c @@ -455,9 +455,9 @@ static int __vb2_queue_alloc(struct vb2_queue *q, enum vb2_memory memory, struct vb2_buffer *vb; int ret; - /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ + /* Ensure that q->num_buffers + num_buffers is UINT_MAX */ num_buffers = min_t(unsigned int, num_buffers, - VB2_MAX_FRAME - q->num_buffers); + UINT_MAX - q->num_buffers); for (buffer = 0; buffer < num_buffers; ++buffer) { /* Allocate vb2 buffer structures */ @@ -858,9 +858,9 @@ int vb2_core_reqbufs(struct vb2_queue *q, enum vb2_memory memory, /* * Make sure the requested values and current defaults are sane. */ - WARN_ON(q->min_buffers_needed > VB2_MAX_FRAME); + WARN_ON(q->min_buffers_needed > UINT_MAX); num_buffers = max_t(unsigned int, *count, q->min_buffers_needed); - num_buffers = min_t(unsigned int, num_buffers, VB2_MAX_FRAME); + num_buffers = min_t(unsigned int, num_buffers, UINT_MAX); memset(q->alloc_devs, 0, sizeof(q->alloc_devs)); /* * Set this now to ensure that drivers see the correct q->memory value @@ -976,11 +976,6 @@ int vb2_core_create_bufs(struct vb2_queue *q, enum vb2_memory memory, bool no_previous_buffers = !q->num_buffers; int ret; - if (q->num_buffers == VB2_MAX_FRAME) { - dprintk(q, 1, "maximum number of buffers already allocated\n"); - return -ENOBUFS; - } - if (no_previous_buffers) { if (q->waiting_in_dqbuf && *count) { dprintk(q, 1, "another dup()ped fd is waiting for a buffer\n"); @@ -1005,7 +1000,7 @@ int vb2_core_create_bufs(struct vb2_queue *q, enum vb2_memory memory, return -EINVAL; } - num_buffers = min(*count, VB2_MAX_FRAME - q->num_buffers); + num_buffers = min(*count, UINT_MAX - q->num_buffers); if (requested_planes && requested_sizes) { num_planes = requested_planes;
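Review bot: in the @@ -455 hunk, clamping to `UINT_MAX - q->num_buffers` allows num_buffers to exceed INT_MAX while `__vb2_queue_alloc()` is declared `static int`, so a count above INT_MAX would not fit in the return type. Clamp against a named limit at or below INT_MAX instead, and fix the new comment, which now reads "is UINT_MAX" and has lost the word "below".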
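Review bot: in the @@ -858 hunk of vb2_core_reqbufs(), `min_t(unsigned int, num_buffers, UINT_MAX)` can never change num_buffers, and `WARN_ON(q->min_buffers_needed > UINT_MAX)` cannot fire unless the field is wider than unsigned int, so both lines stop being a sanity check. Either drop them or compare against a real maximum so that the "requested values are sane" comment above them stays true.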
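Review bot: the @@ -976 hunk of vb2_core_create_bufs() removes the `q->num_buffers == VB2_MAX_FRAME` early return with no replacement, so a queue that is already full no longer gets an explicit -ENOBUFS and its dprintk message. Keep the check and compare against whatever constant replaces VB2_MAX_FRAME.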
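Review bot: in the @@ -1005 hunk, `min(*count, UINT_MAX - q->num_buffers)` leaves the caller-supplied *count as the only practical bound on how many buffers are created. A named sanity limit here, such as the (1U << 20) proposed in the thread, would cap the allocation, and the same constant should be used in the other three hunks so the limit is defined in one place.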
Remove VB2_MAX_FRAME buffer limit since Xarray allows storing more than that. Signed-off-by: Benjamin Gaignard <benjamin.gaignard@collabora.com> --- drivers/media/common/videobuf2/videobuf2-core.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-)