linux/drivers
Hans Verkuil 2fc11536cf V4L/DVB: videobuf-dma-sg: set correct size in last sg element
This fixes a nasty memory corruption bug when using userptr I/O.
The function videobuf_pages_to_sg() sets up the scatter-gather list for the
DMA transfer to the userspace pages. The first transfer is set up correctly
(the size is set to PAGE_SIZE - offset), but all other transfers have size
PAGE_SIZE. This is wrong for the last transfer which may be less than PAGE_SIZE.

Most, if not all, drivers will program the board's DMA engine correctly, i.e.
even though the size in the last sg element is wrong, they will do their
own size calculations and make sure the right amount is DMA-ed, and so seemingly
prevent memory corruption.

However, behind the scenes the dynamic DMA mapping support (in lib/swiotlb.c)
may create bounce buffers if the memory pages are not in DMA-able memory.
This happens, for example, on a 64-bit Linux with a board that only supports
32-bit DMA.

These bounce buffers DO use the information in the sg list to determine the
size. So while the DMA engine transfers the correct amount of data, when the
data is 'bounced' back, too much is copied, causing buffer overwrites.

The fix is simple: calculate and set the correct size for the last sg list
element.

Signed-off-by: Hans Verkuil <hans.verkuil@tandberg.com>
Cc: stable@kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2010-09-27 22:22:01 -03:00
..
accessibility
acpi Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6 2010-09-07 16:00:17 -07:00
amba
ata libata-sff: Reenable Port Multiplier after libata-sff remodeling. 2010-09-09 22:31:55 -04:00
atm
auxdisplay
base PM: Prevent waiting forever on asynchronous resume after failing suspend 2010-09-09 00:49:43 +02:00
block Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block 2010-09-10 07:26:27 -07:00
bluetooth
cdrom
char Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2010-09-08 11:19:18 -07:00
clocksource
connector
cpufreq
cpuidle
crypto
dca dca: disable dca on IOAT ver.3.0 multiple-IOH platforms 2010-09-17 20:08:21 -07:00
dio
dma
edac amd64_edac: Do not report error overflow as a separate error 2010-08-26 12:46:03 +02:00
eisa
firewire firewire: ohci: activate cycle timer register quirk on Ricoh chips 2010-09-08 21:25:55 +02:00
firmware
gpio gpio: sx150x: correct and refine reset-on-probe behavior 2010-09-09 18:57:24 -07:00
gpu drm/radeon/kms: only warn on mipmap size checks in r600 cs checker (v2) 2010-09-15 11:13:09 +10:00
hid HID: fix hiddev's use of usb_find_interface 2010-09-14 10:58:42 +02:00
hwmon hwmon: (lm95241) Replace rate sysfs attribute with update_interval 2010-09-17 17:24:15 +02:00
i2c
ide Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide-2.6 2010-09-19 11:06:34 -07:00
idle
ieee1394
ieee802154
infiniband Merge branches 'cxgb3' and 'nes' into for-linus 2010-09-08 14:43:28 -07:00
input Input: i8042 - fix device removal on unload 2010-08-31 18:28:15 -07:00
isdn
leds
lguest
macintosh
mca
md md: fix v1.x metadata update when a disk is missing. 2010-09-17 13:53:28 +10:00
media V4L/DVB: videobuf-dma-sg: set correct size in last sg element 2010-09-27 22:22:01 -03:00
memstick
message
mfd
misc
mmc drivers/mmc/host/imxmmc.c: adjust confusing if indentation 2010-09-09 18:57:23 -07:00
mtd Merge git://git.infradead.org/mtd-2.6 2010-09-14 17:05:39 -07:00
net Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-09-19 11:05:50 -07:00
nubus
of
oprofile
parisc
parport
pci Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6 2010-09-07 16:00:17 -07:00
pcmcia pcmcia: per-device, not per-socket debug messages 2010-09-15 17:57:09 +02:00
platform
pnp
power apm_power: Add missing break statement 2010-09-08 14:35:10 +04:00
pps
ps3
rapidio
regulator regulator: wm8350-regulator - fix the logic of checking REGULATOR_MODE_STANDBY mode 2010-09-06 11:14:47 +01:00
rtc drivers/rtc/rtc-pl031.c: do not mark PL031 IRQ as shared 2010-09-09 18:57:24 -07:00
s390 Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block 2010-09-10 07:26:27 -07:00
sbus
scsi [SCSI] fix use-after-free in scsi_init_io() 2010-09-09 09:58:18 -05:00
serial serial: mfd: fix bug in serial_hsu_remove() 2010-09-20 16:30:00 -07:00
sfi
sh
sn
spi spi/pl022: move probe call to subsys_initcall() 2010-09-08 22:50:10 -06:00
ssb
staging V4L/DVB: tm6000: depends on IR_CORE 2010-09-27 22:21:43 -03:00
tc
telephony
thermal
uio
usb USB: serial/mos*: prevent reading uninitialized stack memory 2010-09-20 16:05:00 -07:00
uwb
vhost vhost: error handling fix 2010-09-06 09:49:39 +03:00
video Merge branch '2.6.36-fixes' of git://github.com/schandinat/linux-2.6 2010-09-16 12:56:48 -07:00
virtio
vlynq
w1
watchdog watchdog: Enable NXP LPC32XX support in Kconfig (resend) 2010-09-15 18:43:58 +00:00
xen Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2010-08-28 13:55:31 -07:00
zorro
Kconfig
Makefile Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 2010-09-17 10:23:08 -07:00