diff options
author | Sakari Ailus | 2018-12-12 13:44:14 +0100 |
---|---|---|
committer | Greg Kroah-Hartman | 2019-07-26 09:14:24 +0200 |
commit | 87bae91a0fe9e76b69e5110ca35caeba29dcc182 (patch) | |
tree | a52932d49f09bcafcc61df372a66c433e41ed75e | |
parent | media: videobuf2-core: Prevent size alignment wrapping buffer size to 0 (diff) | |
download | kernel-qcow2-linux-87bae91a0fe9e76b69e5110ca35caeba29dcc182.tar.gz kernel-qcow2-linux-87bae91a0fe9e76b69e5110ca35caeba29dcc182.tar.xz kernel-qcow2-linux-87bae91a0fe9e76b69e5110ca35caeba29dcc182.zip |
media: videobuf2-dma-sg: Prevent size from overflowing
commit 14f28f5cea9e3998442de87846d1907a531b6748 upstream.
buf->size is an unsigned long; casting that to int will lead to an
overflow if buf->size exceeds INT_MAX.
Fix this by changing the type to unsigned long instead. This is possible
as the buf->size is always aligned to PAGE_SIZE, and therefore the size
will never have values lesser than 0.
Note on backporting to stable: the file used to be under
drivers/media/v4l2-core, it was moved to the current location after 4.14.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/media/common/videobuf2/videobuf2-dma-sg.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c index 015e737095cd..e9bfea986cc4 100644 --- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c +++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c @@ -59,7 +59,7 @@ static int vb2_dma_sg_alloc_compacted(struct vb2_dma_sg_buf *buf, gfp_t gfp_flags) { unsigned int last_page = 0; - int size = buf->size; + unsigned long size = buf->size; while (size > 0) { struct page *pages; |