Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp819802imu; Tue, 11 Dec 2018 08:04:50 -0800 (PST) X-Google-Smtp-Source: AFSGD/X1K5lC6h9Ds68920FKSkzGVvwMzidZtCV02D3+OaMaBqob50j5ArIwZJc8w3eL6+6LVMsJ X-Received: by 2002:a17:902:6bc7:: with SMTP id m7mr16877115plt.106.1544544290320; Tue, 11 Dec 2018 08:04:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544544290; cv=none; d=google.com; s=arc-20160816; b=W2MnzJNvxKDdM8FLzJRDkwHa1uIUddtEvc90pE7YQOio2ALyYyIP7w3qVqgj5FT6fG 2tMa5ti+AhZts8CaFSvEBKyYEJ2HD7cSTGrescHQgNBTjCHst8rS/uuQJjigC3tYGuV8 r1Tfb6upgdwvKSvoeSuoV6m2lp1ijEQS6PSD7yDmujsfuGI9VNkV++CPqjTFBxZEN3AP ZJo1CeqT1lZ60Qa3IkT+fV8n60GXerkIvnwllQ6aWYrOAIP+KYejA7yrNniOmqKgGwuU dWav4VVi7wNf8r7BMicSp6x6JZJupObKpYk7tUIKOiP6Brdo+7qSMhGJSF237NOL2PHw Wudg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=D2YG3UFQ5mJm2tTFrBe38+vCLGQXKemBTQK9A3dHpQY=; b=VOqu/suBCtd9Im7GlKh2rz+FmGynSeElI8vWcp9sS2jszJWjdk9KXqb/8b+KtXDIcP ZOORtJgwHyiAOr6lk4RuaNXC5/H8N6z/CMP+Cb5cOjTM+z+YRIXAZKjeQd3M0m07d86V 6qbYBDwrkgGYvQi+3xdCspA9Z0EE8d/bG6hCV+bMFMF5cP3oxZypl1NLYzV8FQG+BVYR tYOsETHnNkp55MKNowRfTeSpKdnlhAWSlN2rvxyAvhlg9/Uu8QANiOXhzRswmbn4Ml6D KTDJ0n1IjcHWQ1eOv30FSCgHeSOfdwPz2GzgdGbc71Z4Bl+IcU5PFfpM73NdJ+yCstZl hnrg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=IzT58bp4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i1si11735663pgr.569.2018.12.11.08.04.35; Tue, 11 Dec 2018 08:04:50 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=IzT58bp4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730998AbeLKQCr (ORCPT + 99 others); Tue, 11 Dec 2018 11:02:47 -0500 Received: from mail.kernel.org ([198.145.29.99]:45636 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730663AbeLKP4t (ORCPT ); Tue, 11 Dec 2018 10:56:49 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6D8C1205C9; Tue, 11 Dec 2018 15:56:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1544543808; bh=rZL1l33+ONbVdmj271/gue21RB2yhpPTuRbNGiu8cac=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=IzT58bp4t9EZbiT9ZySQUL9Iz8hdr0R8qfwRfci0hZw1djR5IxkMU4j7+MEaz29h0 Irl4q1XU961PxUvpqBXAZAU3PDr8sylaH3KuZYFHNm/dnk2eIlayxXILJidpcofXns a9PRBEpElYz2JgpIeAVl7xscFJFb9vvUxRkLyZ2I= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hans Verkuil , softwarebugs , Mauro Carvalho Chehab Subject: [PATCH 4.19 071/118] media: gspca: fix frame overflow error Date: Tue, 11 Dec 2018 16:41:30 +0100 Message-Id: <20181211151647.115849635@linuxfoundation.org> X-Mailer: git-send-email 2.20.0 In-Reply-To: <20181211151644.216668863@linuxfoundation.org> References: <20181211151644.216668863@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ From: Hans Verkuil commit f96d84488f7d5f9123428c700cea82a292bca53e upstream. When converting gspca to vb2 I missed that fact that the buffer sizes were rounded up to the next page size. As a result some gspca drivers (spca561 being one of them) reported frame overflows. Modify the code to align the buffer sizes to the next page size, just as the original code did. Fixes: 1f5965c4dfd7 ("media: gspca: convert to vb2") Tested-off-by: Hans Verkuil Signed-off-by: Hans Verkuil Reported-by: softwarebugs Cc: # for v4.18 and up Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman --- drivers/media/usb/gspca/gspca.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) --- a/drivers/media/usb/gspca/gspca.c +++ b/drivers/media/usb/gspca/gspca.c @@ -426,10 +426,10 @@ void gspca_frame_add(struct gspca_dev *g /* append the packet to the frame buffer */ if (len > 0) { - if (gspca_dev->image_len + len > gspca_dev->pixfmt.sizeimage) { + if (gspca_dev->image_len + len > PAGE_ALIGN(gspca_dev->pixfmt.sizeimage)) { gspca_err(gspca_dev, "frame overflow %d > %d\n", gspca_dev->image_len + len, - gspca_dev->pixfmt.sizeimage); + PAGE_ALIGN(gspca_dev->pixfmt.sizeimage)); packet_type = DISCARD_PACKET; } else { /* !! image is NULL only when last pkt is LAST or DISCARD @@ -1297,18 +1297,19 @@ static int gspca_queue_setup(struct vb2_ unsigned int sizes[], struct device *alloc_devs[]) { struct gspca_dev *gspca_dev = vb2_get_drv_priv(vq); + unsigned int size = PAGE_ALIGN(gspca_dev->pixfmt.sizeimage); if (*nplanes) - return sizes[0] < gspca_dev->pixfmt.sizeimage ? -EINVAL : 0; + return sizes[0] < size ? -EINVAL : 0; *nplanes = 1; - sizes[0] = gspca_dev->pixfmt.sizeimage; + sizes[0] = size; return 0; } static int gspca_buffer_prepare(struct vb2_buffer *vb) { struct gspca_dev *gspca_dev = vb2_get_drv_priv(vb->vb2_queue); - unsigned long size = gspca_dev->pixfmt.sizeimage; + unsigned long size = PAGE_ALIGN(gspca_dev->pixfmt.sizeimage); if (vb2_plane_size(vb, 0) < size) { gspca_err(gspca_dev, "buffer too small (%lu < %lu)\n",