From patchwork Fri Apr 19 09:46:56 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
X-Patchwork-Id: 2464161
Return-Path: <linux-media-owner@vger.kernel.org>
X-Original-To: patchwork-linux-media@patchwork.kernel.org
Delivered-To: patchwork-process-083081@patchwork2.kernel.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by patchwork2.kernel.org (Postfix) with ESMTP id 17377DF25A
	for <patchwork-linux-media@patchwork.kernel.org>;
	Fri, 19 Apr 2013 09:47:31 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1758555Ab3DSJrO (ORCPT
	<rfc822;patchwork-linux-media@patchwork.kernel.org>);
	Fri, 19 Apr 2013 05:47:14 -0400
Received: from mail-pd0-f172.google.com ([209.85.192.172]:47198 "EHLO
	mail-pd0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1758536Ab3DSJrN (ORCPT
	<rfc822;linux-media@vger.kernel.org>);
	Fri, 19 Apr 2013 05:47:13 -0400
Received: by mail-pd0-f172.google.com with SMTP id 5so2149973pdd.3
	for <multiple recipients>; Fri, 19 Apr 2013 02:47:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=x-received:from:to:cc:subject:date:message-id:x-mailer;
	bh=YFSO2BDaB8wGPfKhxgdR3fYcBWG6CEpiDVgQAasNhfY=;
	b=cSeW33Uyu+1AfTBWMPoYo3uFYjDXhXlOlFtTdu5YryJNUGI8ucN/o9piwXUgtenpHu
	Bd1grU+6M7D+yP985pCLsR6Q0FxB4ueMpf+MFaAG24C99jpO7EsqNZs8Zf6k4AHBIy9B
	wCB4njw3ZSF6/ZRHYZHRNXOhamusnRYxQyHFgQBxves3V1zMaUrRinRm+q/Nw+h+lvfX
	6oowRKZ7bum42j9OJk9WrEpN0kuBoO/aSoXZY4xsEo4M0KVaYi2P2Yk6tzB1L/0PcW0o
	JO+H/48Nc37TMZRsXk5Q0MXiIrcmtvVpTB1NOHLE23nV4Rgr9l1yA77b4amJXyZnClbO
	UzGQ==
X-Received: by 10.68.176.197 with SMTP id ck5mr17893929pbc.165.1366364833359;
	Fri, 19 Apr 2013 02:47:13 -0700 (PDT)
Received: from localhost.localdomain ([59.98.240.95])
	by mx.google.com with ESMTPS id
	t1sm14157156pab.12.2013.04.19.02.47.03
	(version=TLSv1 cipher=RC4-SHA bits=128/128);
	Fri, 19 Apr 2013 02:47:12 -0700 (PDT)
From: Prabhakar lad <prabhakar.csengg@gmail.com>
To: LMML <linux-media@vger.kernel.org>
Cc: Mauro Carvalho Chehab <mchehab@redhat.com>,
	DLOS <davinci-linux-open-source@linux.davincidsp.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Hans Verkuil <hans.verkuil@cisco.com>, Pawel Osciak <pawel@osciak.com>,
	Kyungmin Park <kyungmin.park@samsung.com>,
	"Lad, Prabhakar" <prabhakar.csengg@gmail.com>,
	Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
	Marek Szyprowski <m.szyprowski@samsung.com>,
	Seung-Woo Kim <sw0312.kim@samsung.com>
Subject: [PATCH RFC] media: videobuf2: fix the length check for mmap
Date: Fri, 19 Apr 2013 15:16:56 +0530
Message-Id: <1366364816-3567-1-git-send-email-prabhakar.csengg@gmail.com>
X-Mailer: git-send-email 1.7.4.1
Sender: linux-media-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-media.vger.kernel.org>
X-Mailing-List: linux-media@vger.kernel.org

From: Lad, Prabhakar <prabhakar.csengg@gmail.com>

From commit 068a0df76023926af958a336a78bef60468d2033
"[media] media: vb2: add length check for mmap"
patch verifies that the mmap() size requested by userspace
doesn't exceed the buffer size.

As the mmap() size is rounded up to the next page boundary
the check will fail for buffer sizes that are not multiple
of the page size.

This patch fixes the check by aligning the buffer size to page
size during the check. Alongside fixes the vmalloc allocator
to round up the size.

Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: Seung-Woo Kim <sw0312.kim@samsung.com>
Cc: Hans Verkuil <hans.verkuil@cisco.com>
Cc: Mauro Carvalho Chehab <mchehab@redhat.com>
---
 drivers/media/v4l2-core/videobuf2-core.c    |    2 +-
 drivers/media/v4l2-core/videobuf2-vmalloc.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
index 58c1744..223fcd4 100644
--- a/drivers/media/v4l2-core/videobuf2-core.c
+++ b/drivers/media/v4l2-core/videobuf2-core.c
@@ -1886,7 +1886,7 @@ int vb2_mmap(struct vb2_queue *q, struct vm_area_struct *vma)
 
 	vb = q->bufs[buffer];
 
-	if (vb->v4l2_planes[plane].length < (vma->vm_end - vma->vm_start)) {
+	if (PAGE_ALIGN(vb->v4l2_planes[plane].length) < (vma->vm_end - vma->vm_start)) {
 		dprintk(1, "Invalid length\n");
 		return -EINVAL;
 	}
diff --git a/drivers/media/v4l2-core/videobuf2-vmalloc.c b/drivers/media/v4l2-core/videobuf2-vmalloc.c
index 313d977..bf3b95c 100644
--- a/drivers/media/v4l2-core/videobuf2-vmalloc.c
+++ b/drivers/media/v4l2-core/videobuf2-vmalloc.c
@@ -44,7 +44,7 @@ static void *vb2_vmalloc_alloc(void *alloc_ctx, unsigned long size, gfp_t gfp_fl
 		return NULL;
 
 	buf->size = size;
-	buf->vaddr = vmalloc_user(buf->size);
+	buf->vaddr = vmalloc_user(PAGE_ALIGN(buf->size));
 	buf->handler.refcount = &buf->refcount;
 	buf->handler.put = vb2_vmalloc_put;
 	buf->handler.arg = buf;