summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSakari Ailus2018-12-12 13:44:14 +0100
committerGreg Kroah-Hartman2019-07-26 09:14:24 +0200
commit87bae91a0fe9e76b69e5110ca35caeba29dcc182 (patch)
treea52932d49f09bcafcc61df372a66c433e41ed75e
parentmedia: videobuf2-core: Prevent size alignment wrapping buffer size to 0 (diff)
downloadkernel-qcow2-linux-87bae91a0fe9e76b69e5110ca35caeba29dcc182.tar.gz
kernel-qcow2-linux-87bae91a0fe9e76b69e5110ca35caeba29dcc182.tar.xz
kernel-qcow2-linux-87bae91a0fe9e76b69e5110ca35caeba29dcc182.zip
media: videobuf2-dma-sg: Prevent size from overflowing
commit 14f28f5cea9e3998442de87846d1907a531b6748 upstream. buf->size is an unsigned long; casting that to int will lead to an overflow if buf->size exceeds INT_MAX. Fix this by changing the type to unsigned long instead. This is possible as the buf->size is always aligned to PAGE_SIZE, and therefore the size will never have values lesser than 0. Note on backporting to stable: the file used to be under drivers/media/v4l2-core, it was moved to the current location after 4.14. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Cc: stable@vger.kernel.org Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/media/common/videobuf2/videobuf2-dma-sg.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
index 015e737095cd..e9bfea986cc4 100644
--- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c
+++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c
@@ -59,7 +59,7 @@ static int vb2_dma_sg_alloc_compacted(struct vb2_dma_sg_buf *buf,
gfp_t gfp_flags)
{
unsigned int last_page = 0;
- int size = buf->size;
+ unsigned long size = buf->size;
while (size > 0) {
struct page *pages;