aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHans Verkuil <hans.verkuil@tandberg.com>2010-09-07 05:10:45 -0400
committerMauro Carvalho Chehab <mchehab@redhat.com>2010-09-27 21:22:01 -0400
commit2fc11536cf5c0b8eb4eb7e01a2a672a189e9280f (patch)
treef36f0250089dbed08779550f02f78613364bc787
parentc10469c637602c2385e2993d8c730cc44fd47d23 (diff)
V4L/DVB: videobuf-dma-sg: set correct size in last sg element
This fixes a nasty memory corruption bug when using userptr I/O. The function videobuf_pages_to_sg() sets up the scatter-gather list for the DMA transfer to the userspace pages. The first transfer is setup correctly (the size is set to PAGE_SIZE - offset), but all other transfers have size PAGE_SIZE. This is wrong for the last transfer which may be less than PAGE_SIZE. Most, if not all, drivers will program the boards DMA engine correctly, i.e. even though the size in the last sg element is wrong, they will do their own size calculations and make sure the right amount is DMA-ed, and so seemingly prevent memory corruption. However, behind the scenes the dynamic DMA mapping support (in lib/swiotlb.c) may create bounce buffers if the memory pages are not in DMA-able memory. This happens for example on a 64-bit linux with a board that only supports 32-bit DMA. These bounce buffers DO use the information in the sg list to determine the size. So while the DMA engine transfers the correct amount of data, when the data is 'bounced' back too much is copied, causing buffer overwrites. The fix is simple: calculate and set the correct size for the last sg list element. Signed-off-by: Hans Verkuil <hans.verkuil@tandberg.com> Cc: stable@kernel.org Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
-rw-r--r--drivers/media/video/videobuf-dma-sg.c11
-rw-r--r--include/media/videobuf-dma-sg.h1
2 files changed, 8 insertions, 4 deletions
diff --git a/drivers/media/video/videobuf-dma-sg.c b/drivers/media/video/videobuf-dma-sg.c
index 06f9a9c2a39a..2ad0bc252b0e 100644
--- a/drivers/media/video/videobuf-dma-sg.c
+++ b/drivers/media/video/videobuf-dma-sg.c
@@ -94,7 +94,7 @@ err:
94 * must free the memory. 94 * must free the memory.
95 */ 95 */
96static struct scatterlist *videobuf_pages_to_sg(struct page **pages, 96static struct scatterlist *videobuf_pages_to_sg(struct page **pages,
97 int nr_pages, int offset) 97 int nr_pages, int offset, size_t size)
98{ 98{
99 struct scatterlist *sglist; 99 struct scatterlist *sglist;
100 int i; 100 int i;
@@ -110,12 +110,14 @@ static struct scatterlist *videobuf_pages_to_sg(struct page **pages,
110 /* DMA to highmem pages might not work */ 110 /* DMA to highmem pages might not work */
111 goto highmem; 111 goto highmem;
112 sg_set_page(&sglist[0], pages[0], PAGE_SIZE - offset, offset); 112 sg_set_page(&sglist[0], pages[0], PAGE_SIZE - offset, offset);
113 size -= PAGE_SIZE - offset;
113 for (i = 1; i < nr_pages; i++) { 114 for (i = 1; i < nr_pages; i++) {
114 if (NULL == pages[i]) 115 if (NULL == pages[i])
115 goto nopage; 116 goto nopage;
116 if (PageHighMem(pages[i])) 117 if (PageHighMem(pages[i]))
117 goto highmem; 118 goto highmem;
118 sg_set_page(&sglist[i], pages[i], PAGE_SIZE, 0); 119 sg_set_page(&sglist[i], pages[i], min(PAGE_SIZE, size), 0);
120 size -= min(PAGE_SIZE, size);
119 } 121 }
120 return sglist; 122 return sglist;
121 123
@@ -170,7 +172,8 @@ static int videobuf_dma_init_user_locked(struct videobuf_dmabuf *dma,
170 172
171 first = (data & PAGE_MASK) >> PAGE_SHIFT; 173 first = (data & PAGE_MASK) >> PAGE_SHIFT;
172 last = ((data+size-1) & PAGE_MASK) >> PAGE_SHIFT; 174 last = ((data+size-1) & PAGE_MASK) >> PAGE_SHIFT;
173 dma->offset = data & ~PAGE_MASK; 175 dma->offset = data & ~PAGE_MASK;
176 dma->size = size;
174 dma->nr_pages = last-first+1; 177 dma->nr_pages = last-first+1;
175 dma->pages = kmalloc(dma->nr_pages * sizeof(struct page *), GFP_KERNEL); 178 dma->pages = kmalloc(dma->nr_pages * sizeof(struct page *), GFP_KERNEL);
176 if (NULL == dma->pages) 179 if (NULL == dma->pages)
@@ -252,7 +255,7 @@ int videobuf_dma_map(struct device *dev, struct videobuf_dmabuf *dma)
252 255
253 if (dma->pages) { 256 if (dma->pages) {
254 dma->sglist = videobuf_pages_to_sg(dma->pages, dma->nr_pages, 257 dma->sglist = videobuf_pages_to_sg(dma->pages, dma->nr_pages,
255 dma->offset); 258 dma->offset, dma->size);
256 } 259 }
257 if (dma->vaddr) { 260 if (dma->vaddr) {
258 dma->sglist = videobuf_vmalloc_to_sg(dma->vaddr, 261 dma->sglist = videobuf_vmalloc_to_sg(dma->vaddr,
diff --git a/include/media/videobuf-dma-sg.h b/include/media/videobuf-dma-sg.h
index 97e07f46a0fa..aa4ebb42a565 100644
--- a/include/media/videobuf-dma-sg.h
+++ b/include/media/videobuf-dma-sg.h
@@ -48,6 +48,7 @@ struct videobuf_dmabuf {
48 48
49 /* for userland buffer */ 49 /* for userland buffer */
50 int offset; 50 int offset;
51 size_t size;
51 struct page **pages; 52 struct page **pages;
52 53
53 /* for kernel buffers */ 54 /* for kernel buffers */