Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 46eeb8dd authored by Steven Toth's avatar Steven Toth Committed by Mauro Carvalho Chehab
Browse files

[media] saa7164: add guard bytes around critical buffers to detect failure 



If the guard bytes are trampled then we have a memory related problem.

Signed-off-by: default avatarSteven Toth <stoth@kernellabs.com>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@redhat.com>
parent 58acca10

drivers/media/video/saa7164/saa7164-core.c

+20 −2
Original line number Diff line number Diff line
@@ -216,6 +216,7 @@ static void saa7164_work_enchandler(struct work_struct *w) 
	struct saa7164_user_buffer *ubuf;

	struct list_head *c, *n;

	int wp, rp, i = 0;

	u8 *p;



	port->last_svc_msecs_diff = port->last_svc_msecs;

	port->last_svc_msecs = jiffies_to_msecs(jiffies);
@@ -262,6 +263,20 @@ static void saa7164_work_enchandler(struct work_struct *w) 
			break;

		}



		p = (u8 *)buf->cpu;

		if (	(*(p + buf->actual_size + 0) != 0xff) ||

			(*(p + buf->actual_size + 1) != 0xff) ||

			(*(p + buf->actual_size + 2) != 0xff) ||

			(*(p + buf->actual_size + 3) != 0xff) ||

			(*(p + buf->actual_size + 0x10) != 0xff) ||

			(*(p + buf->actual_size + 0x11) != 0xff) ||

			(*(p + buf->actual_size + 0x12) != 0xff) ||

			(*(p + buf->actual_size + 0x13) != 0xff) )

		{

			printk(KERN_ERR "buf %p failed guard check\n", buf);

			saa7164_dumphex16(dev, p + buf->actual_size - 32, 64);

		}



		if (buf->idx == rp) {

			/* Found the buffer, deal with it */

			dprintk(DBGLVL_IRQ, "%s() wp: %d processing: %d\n",
@@ -278,9 +293,12 @@ static void saa7164_work_enchandler(struct work_struct *w) 
				ubuf = list_first_entry(&port->list_buf_free.list,

					struct saa7164_user_buffer, list);



				if (ubuf->actual_size == buf->actual_size)

				if (ubuf->actual_size == buf->actual_size) {

					memcpy(ubuf->data, buf->cpu,

						ubuf->actual_size);

				} else {

					printk(KERN_ERR "buf %p actual fails match\n", buf);

				}



				/* Requeue the buffer on the free list */

				ubuf->pos = 0;
@@ -297,7 +315,7 @@ static void saa7164_work_enchandler(struct work_struct *w) 
			/* Ensure offset into buffer remains 0, fill buffer

			 * with known bad data. */

			saa7164_buffer_zero_offsets(port, rp);

			memset(buf->cpu, 0xDE, buf->pci_size);

			memset(buf->cpu, 0xff, buf->pci_size);



			break;

		}

drivers/media/video/saa7164/saa7164-encoder.c

+17 −4
Original line number Diff line number Diff line
@@ -1038,14 +1038,18 @@ static ssize_t fops_read(struct file *file, char __user *buffer, 
	saa7164_histogram_update(&port->read_interval,

		port->last_read_msecs_diff);



	if (*pos)

	if (*pos) {

		printk(KERN_ERR "%s() ESPIPE\n", __func__);

		return -ESPIPE;

	}



	if (atomic_cmpxchg(&fh->v4l_reading, 0, 1) == 0) {

		if (atomic_inc_return(&port->v4l_reader_count) == 1) {



			if (saa7164_encoder_initialize(port) < 0)

			if (saa7164_encoder_initialize(port) < 0) {

				printk(KERN_ERR "%s() EINVAL\n", __func__);

				return -EINVAL;

			}



			saa7164_encoder_start_streaming(port);

			msleep(200);
@@ -1056,6 +1060,7 @@ static ssize_t fops_read(struct file *file, char __user *buffer, 
	if ((file->f_flags & O_NONBLOCK) == 0) {

		if (wait_event_interruptible(port->wait_read,

			saa7164_enc_next_buf(port))) {

				printk(KERN_ERR "%s() ERESTARTSYS\n", __func__);

				return -ERESTARTSYS;

		}

	}
@@ -1077,8 +1082,10 @@ static ssize_t fops_read(struct file *file, char __user *buffer, 


		if (copy_to_user(buffer, p, cnt)) {

			printk(KERN_ERR "%s() copy_to_user failed\n", __func__);

			if (!ret)

			if (!ret) {

				printk(KERN_ERR "%s() EFAULT\n", __func__);

				ret = -EFAULT;

			}

			goto err;

		}
@@ -1087,6 +1094,10 @@ static ssize_t fops_read(struct file *file, char __user *buffer, 
		buffer += cnt;

		ret += cnt;



		if (ubuf->pos > ubuf->actual_size) {

			printk(KERN_ERR "read() pos > actual, huh?\n");

		}



		if (ubuf->pos == ubuf->actual_size) {



			/* finished with current buffer, take next buffer */
@@ -1109,8 +1120,10 @@ static ssize_t fops_read(struct file *file, char __user *buffer, 
		}

	}

err:

	if (!ret && !ubuf)

	if (!ret && !ubuf) {

		printk(KERN_ERR "%s() EAGAIN\n", __func__);

		ret = -EAGAIN;

	}



	return ret;

}