From 4a287cfeea7056dc71d2bc352ae490a2a5bcceb0 Mon Sep 17 00:00:00 2001
From: Duncan Sands
Date: Mon, 27 Feb 2006 00:09:48 -0300
Subject: V4L/DVB (3394): Bttv: correct bttv_risc_packed buffer size

This patch fixes the strange crashes I was seeing after using bttv card, caused by a buffer overflow in bttv_risc_packed. The instruction buffer size calculation contains two errors: (a) a non-zero padding value can push the start of the next bpl section to just before a page border, leading to more scanline splits and thus additional instructions. (b) the first DMA region can be smaller than one page, so there can be a scanline split even if bpl*lines is smaller than PAGE_SIZE. For example, consider the case where offset is 0, bpl is 2, padding is 4094, lines is smaller than 2048, the first DMA region has size 1 and all others have size PAGE_SIZE, assumed to equal 4096. Then all bpl regions cross page borders and the number of instructions written is 2*lines+2, rather than lines+2 (the current estimate). With this patch the number of instructions for this example is estimated to be 2*lines+3. Also, the BUG_ON that was supposed to catch buffer overflows contained a thinko causing it fire only if the buffer was overrun by a factor of 16 or more, so it fixes the the BUG_ON's (using sizeof rather than "4").
Signed-off-by: Duncan Sands
Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/video/bttv-risc.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'drivers/media/video/bttv-risc.c')
diff --git a/drivers/media/video/bttv-risc.c b/drivers/media/video/bttv-risc.c
index b40e9734bf0..a60c211c9e3 100644
--- a/drivers/media/video/bttv-risc.c
+++ b/drivers/media/video/bttv-risc.c
@@ -51,8 +51,10 @@ bttv_risc_packed(struct bttv *btv, struct btcx_riscmem *risc,
  int rc;
 
  /* estimate risc mem: worst case is one write per page border +
- one write per scan line + sync + jump (all 2 dwords) */
- instructions = (bpl * lines) / PAGE_SIZE + lines;
+ one write per scan line + sync + jump (all 2 dwords). padding
+ can cause next bpl to start close to a page border. First DMA
+ region may be smaller than PAGE_SIZE */
+ instructions = 1 + ((bpl + padding) * lines) / PAGE_SIZE + lines;
  instructions += 2;
  if ((rc = btcx_riscmem_alloc(btv->c.pci,risc,instructions*8)) < 0)
  return rc;
@@ -104,7 +106,7 @@ bttv_risc_packed(struct bttv *btv, struct btcx_riscmem *risc,
 
  /* save pointer to jmp instruction address */
  risc->jmp = rp;
- BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size);
+ BUG_ON((risc->jmp - risc->cpu + 2) * sizeof(*risc->cpu) > risc->size);
  return 0;
  }
 
@@ -222,7 +224,7 @@ bttv_risc_planar(struct bttv *btv, struct btcx_riscmem *risc,
 
  /* save pointer to jmp instruction address */
  risc->jmp = rp;
- BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size);
+ BUG_ON((risc->jmp - risc->cpu + 2) * sizeof(*risc->cpu) > risc->size);
  return 0;
  }
 
@@ -307,7 +309,7 @@ bttv_risc_overlay(struct bttv *btv, struct btcx_riscmem *risc,
 
  /* save pointer to jmp instruction address */
  risc->jmp = rp;
- BUG_ON((risc->jmp - risc->cpu + 2) / 4 > risc->size);
+ BUG_ON((risc->jmp - risc->cpu + 2) * sizeof(*risc->cpu) > risc->size);
  kfree(skips);
  return 0;
  }
-- cgit v1.2.3-70-g09d2
From 99ca99915068806552d1f90ce50bed4c7387d65a Mon Sep 17 00:00:00 2001
From: Duncan Sands
Date: Thu, 9 Mar 2006 11:20:14 -0300
Subject: V4L/DVB (3420): Nskips maybe used uninitialized in bttv_risc_overlay

The Coverity checker (previously Stanford checker) noticed that the value of nskips could be read even if it was never written.
Signed-off-by: Duncan Sands
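Review bot: The allocation on the `btcx_riscmem_alloc(btv->c.pci,risc,instructions*8)` line still hard-codes the per-instruction byte width as the literal `8`, while the BUG_ON lines this same commit corrects now derive the dword size from `sizeof(*risc->cpu)`; expressing the two sides of one bound in different units is exactly what let the original `/ 4` thinko go unnoticed. Assuming `risc->cpu` is the 32-bit dword pointer the fixed BUG_ON relies on, `btcx_riscmem_alloc(btv->c.pci, risc, instructions * 2 * sizeof(*risc->cpu))` keeps the allocation and the overrun check in agreement by construction, with the factor 2 already justified by the "(all 2 dwords)" wording of the comment above it. The reworked estimate (`1 + ((bpl + padding) * lines) / PAGE_SIZE + lines`) reads as the worst case for the two situations the commit message describes, but the comment explains only the inputs, not why `+ 1` suffices for the unaligned first region; one sentence to that effect would save the next reader from re-deriving it. bttv_risc_packed's body continues outside the hunk.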
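Review bot: The corrected BUG_ON after `risc->jmp = rp;` still executes only once the whole RISC program has been written, so when it fires the bytes beyond `risc->size` have already been overwritten; it is a post-mortem detector for a wrong estimate, not a guard against the overrun itself. The same applies to the identical BUG_ON lines in the bttv_risc_planar and bttv_risc_overlay hunks. At minimum that should be stated where the check lives, e.g. `/* sanity check only: if this fires, the instruction estimate was too small and memory past risc->cpu has already been clobbered */`, so nobody reads it as protection. bttv_risc_packed's body starts outside the hunk.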
Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/video/bttv-risc.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'drivers/media/video/bttv-risc.c')
diff --git a/drivers/media/video/bttv-risc.c b/drivers/media/video/bttv-risc.c
index a60c211c9e3..5c746110df6 100644
--- a/drivers/media/video/bttv-risc.c
+++ b/drivers/media/video/bttv-risc.c
@@ -276,6 +276,8 @@ bttv_risc_overlay(struct bttv *btv, struct btcx_riscmem *risc,
  if (line > maxy)
  btcx_calc_skips(line, ov->w.width, &maxy,
  skips, &nskips, ov->clips, ov->nclips);
+ else
+ nskips = 0;
 
  /* write out risc code */
  for (start = 0, skip = 0; start < ov->w.width; start = end) {
-- cgit v1.2.3-70-g09d2
From ae24601b47c3f4a56545ef4cd4e7c821ac1db598 Mon Sep 17 00:00:00 2001
From: Eric Sesterhenn
Date: Mon, 13 Mar 2006 13:17:11 -0300
Subject: V4L/DVB (3485): BUG_ON() Conversion in drivers/video/media

Signed-off-by: Eric Sesterhenn
Signed-off-by: Mauro Carvalho Chehab
---
 drivers/media/common/saa7146_core.c | 3 +--
 drivers/media/common/saa7146_fops.c | 6 ++----
 drivers/media/dvb/ttpci/av7110.c | 6 ++----
 drivers/media/dvb/ttusb-budget/dvb-ttusb-budget.c | 3 +--
 drivers/media/video/bttv-risc.c | 3 +--
 drivers/media/video/cx88/cx88-core.c | 3 +--
 drivers/media/video/cx88/cx88-video.c | 3 +--
 drivers/media/video/saa7134/saa7134-alsa.c | 3 +--
 drivers/media/video/saa7134/saa7134-core.c | 3 +--
 drivers/media/video/saa7134/saa7134-oss.c | 6 ++----
 drivers/media/video/saa7134/saa7134-video.c | 3 +--
 drivers/media/video/video-buf.c | 3 +--
 12 files changed, 15 insertions(+), 30 deletions(-)
(limited to 'drivers/media/video/bttv-risc.c')
diff --git a/drivers/media/common/saa7146_core.c b/drivers/media/common/saa7146_core.c
index ee16c042ef6..8cdd4d265ff 100644
--- a/drivers/media/common/saa7146_core.c
+++ b/drivers/media/common/saa7146_core.c
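Review bot: The new `else nskips = 0;` silences the uninitialized-read report, but it also changes what happens on scan lines that are not above `maxy`: if `maxy` marks the last line for which the skip list produced by the previous `btcx_calc_skips` call remains valid (which is what the `line > maxy` test implies), those lines now get an empty skip list and the clips stop being applied to them. A fix that preserves the reuse is to give `nskips` a defined value once, at its declaration or just before the scan-line loop (both outside this hunk), and leave the conditional as it was. If discarding the cached list is intended, the `else` needs a comment saying why the list computed for lines up to `maxy` must not be reused, because the reuse the condition implies no longer happens. bttv_risc_overlay's body starts and ends outside the hunk.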
@@ -116,8 +116,7 @@ static struct scatterlist* vmalloc_to_sg(unsigned char *virt, int nr_pages)
  pg = vmalloc_to_page(virt);
  if (NULL == pg)
  goto err;
- if (PageHighMem(pg))
- BUG();
+ BUG_ON(PageHighMem(pg));
  sglist[i].page = pg;
  sglist[i].length = PAGE_SIZE;
  }
diff --git a/drivers/media/common/saa7146_fops.c b/drivers/media/common/saa7146_fops.c
index dc7fb20f47b..3870fa948cc 100644
--- a/drivers/media/common/saa7146_fops.c
+++ b/drivers/media/common/saa7146_fops.c
@@ -37,8 +37,7 @@ void saa7146_res_free(struct saa7146_fh *fh, unsigned int bits)
  struct saa7146_dev *dev = fh->dev;
  struct saa7146_vv *vv = dev->vv_data;
 
- if ((fh->resources & bits) != bits)
- BUG();
+ BUG_ON((fh->resources & bits) != bits);
  mutex_lock(&dev->lock);
  fh->resources &= ~bits;
@@ -55,8 +54,7 @@ void saa7146_dma_free(struct saa7146_dev *dev,struct saa7146_buf *buf)
  {
  DEB_EE(("dev:%p, buf:%p\n",dev,buf));
 
- if (in_interrupt())
- BUG();
+ BUG_ON(in_interrupt());
  videobuf_waiton(&buf->vb,0,0);
  videobuf_dma_pci_unmap(dev->pci, &buf->vb.dma);
diff --git a/drivers/media/dvb/ttpci/av7110.c b/drivers/media/dvb/ttpci/av7110.c
index aef4f58d712..7497b1e8d88 100644
--- a/drivers/media/dvb/ttpci/av7110.c
+++ b/drivers/media/dvb/ttpci/av7110.c
@@ -1090,11 +1090,9 @@ static int dvb_get_stc(struct dmx_demux *demux, unsigned int num,
  struct av7110 *av7110;
  /* pointer casting paranoia... */
- if (!demux)
- BUG();
+ BUG_ON(!demux);
  dvbdemux = (struct dvb_demux *) demux->priv;
- if (!dvbdemux)
- BUG();
+ BUG_ON(!dvbdemux);
  av7110 = (struct av7110 *) dvbdemux->priv;
  dprintk(4, "%p\n", av7110);
diff --git a/drivers/media/dvb/ttusb-budget/dvb-ttusb-budget.c b/drivers/media/dvb/ttusb-budget/dvb-ttusb-budget.c
index ecb15d4ecf8..248fdc7accf 100644
--- a/drivers/media/dvb/ttusb-budget/dvb-ttusb-budget.c
+++ b/drivers/media/dvb/ttusb-budget/dvb-ttusb-budget.c
@@ -688,8 +688,7 @@ static void ttusb_process_frame(struct ttusb *ttusb, u8 * data, int len)
  memcpy(ttusb->muxpack + ttusb->muxpack_ptr, data, avail);
  ttusb->muxpack_ptr += avail;
- if (ttusb->muxpack_ptr > 264)
- BUG();
+ BUG_ON(ttusb->muxpack_ptr > 264);
  data += avail;
  len -= avail;
  /* determine length */
diff --git a/drivers/media/video/bttv-risc.c b/drivers/media/video/bttv-risc.c
index 5c746110df6..344f84e9af0 100644
--- a/drivers/media/video/bttv-risc.c
+++ b/drivers/media/video/bttv-risc.c
@@ -511,8 +511,7 @@ bttv_risc_hook(struct bttv *btv, int slot, struct btcx_riscmem *risc,
  void
  bttv_dma_free(struct bttv *btv, struct bttv_buffer *buf)
  {
- if (in_interrupt())
- BUG();
+ BUG_ON(in_interrupt());
  videobuf_waiton(&buf->vb,0,0);
  videobuf_dma_pci_unmap(btv->c.pci, &buf->vb.dma);
  videobuf_dma_free(&buf->vb.dma);
diff --git a/drivers/media/video/cx88/cx88-core.c b/drivers/media/video/cx88/cx88-core.c
index 25be3a976d0..c2cdbafdb77 100644
--- a/drivers/media/video/cx88/cx88-core.c
+++ b/drivers/media/video/cx88/cx88-core.c
@@ -215,8 +215,7 @@ int cx88_risc_stopper(struct pci_dev *pci, struct btcx_riscmem *risc,
  void cx88_free_buffer(struct pci_dev *pci, struct cx88_buffer *buf)
  {
- if (in_interrupt())
- BUG();
+ BUG_ON(in_interrupt());
  videobuf_waiton(&buf->vb,0,0);
  videobuf_dma_pci_unmap(pci, &buf->vb.dma);
  videobuf_dma_free(&buf->vb.dma);
diff --git a/drivers/media/video/cx88/cx88-video.c b/drivers/media/video/cx88/cx88-video.c
index b1892dff0fe..6c97aa740d2 100644
--- a/drivers/media/video/cx88/cx88-video.c
+++ b/drivers/media/video/cx88/cx88-video.c
@@ -366,8 +366,7 @@ static void res_free(struct cx8800_dev *dev, struct cx8800_fh *fh, unsigned int bits)
  {
  struct cx88_core *core = dev->core;
 
- if ((fh->resources & bits) != bits)
- BUG();
+ BUG_ON((fh->resources & bits) != bits);
  mutex_lock(&core->lock);
  fh->resources &= ~bits;
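Review bot: `BUG_ON(ttusb->muxpack_ptr > 264);` is evaluated after the `memcpy` into `ttusb->muxpack` and after `muxpack_ptr` has been advanced, so when it triggers the copy past the end of the buffer has already taken place; the conversion keeps that order unchanged. Unless `avail` is already clamped to the space left in `muxpack` earlier in ttusb_process_frame (outside this hunk), the bound belongs in front of the copy, e.g. `BUG_ON(ttusb->muxpack_ptr + avail > 264);` before the memcpy, with nothing to check afterwards. The literal `264` is presumably the size of `muxpack`; naming it (`sizeof(ttusb->muxpack)` if `muxpack` is an array, otherwise a constant shared with its declaration) ties the check to the buffer it protects. ttusb_process_frame's body starts and ends outside the hunk.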
diff --git a/drivers/media/video/saa7134/saa7134-alsa.c b/drivers/media/video/saa7134/saa7134-alsa.c
index 614f7b92340..64e2c108df3 100644
--- a/drivers/media/video/saa7134/saa7134-alsa.c
+++ b/drivers/media/video/saa7134/saa7134-alsa.c
@@ -308,8 +308,7 @@ static int dsp_buffer_init(struct saa7134_dev *dev)
  static int dsp_buffer_free(struct saa7134_dev *dev)
  {
- if (!dev->dmasound.blksize)
- BUG();
+ BUG_ON(!dev->dmasound.blksize);
  videobuf_dma_free(&dev->dmasound.dma);
diff --git a/drivers/media/video/saa7134/saa7134-core.c b/drivers/media/video/saa7134/saa7134-core.c
index f5f2cf5d150..be85e0b0cbb 100644
--- a/drivers/media/video/saa7134/saa7134-core.c
+++ b/drivers/media/video/saa7134/saa7134-core.c
@@ -256,8 +256,7 @@ void saa7134_pgtable_free(struct pci_dev *pci, struct saa7134_pgtable *pt)
  void saa7134_dma_free(struct saa7134_dev *dev,struct saa7134_buf *buf)
  {
- if (in_interrupt())
- BUG();
+ BUG_ON(in_interrupt());
  videobuf_waiton(&buf->vb,0,0);
  videobuf_dma_pci_unmap(dev->pci, &buf->vb.dma);
diff --git a/drivers/media/video/saa7134/saa7134-oss.c b/drivers/media/video/saa7134/saa7134-oss.c
index 80e34a5fdcc..d79d05f8870 100644
--- a/drivers/media/video/saa7134/saa7134-oss.c
+++ b/drivers/media/video/saa7134/saa7134-oss.c
@@ -84,8 +84,7 @@ static int dsp_buffer_init(struct saa7134_dev *dev)
  {
  int err;
 
- if (!dev->dmasound.bufsize)
- BUG();
+ BUG_ON(!dev->dmasound.bufsize);
  videobuf_dma_init(&dev->dmasound.dma);
  err = videobuf_dma_init_kernel(&dev->dmasound.dma, PCI_DMA_FROMDEVICE, (dev->dmasound.bufsize + PAGE_SIZE) >> PAGE_SHIFT);
@@ -96,8 +95,7 @@ static int dsp_buffer_init(struct saa7134_dev *dev)
  static int dsp_buffer_free(struct saa7134_dev *dev)
  {
- if (!dev->dmasound.blksize)
- BUG();
+ BUG_ON(!dev->dmasound.blksize);
  videobuf_dma_free(&dev->dmasound.dma);
  dev->dmasound.blocks = 0;
  dev->dmasound.blksize = 0;
diff --git a/drivers/media/video/saa7134/saa7134-video.c b/drivers/media/video/saa7134/saa7134-video.c
index 72f389a51a1..600c3c7e3dc 100644
--- a/drivers/media/video/saa7134/saa7134-video.c
+++ b/drivers/media/video/saa7134/saa7134-video.c
@@ -489,8 +489,7 @@ int res_locked(struct saa7134_dev *dev, unsigned int bit)
  static void res_free(struct saa7134_dev *dev, struct saa7134_fh *fh, unsigned int bits)
  {
- if ((fh->resources & bits) != bits)
- BUG();
+ BUG_ON((fh->resources & bits) != bits);
  mutex_lock(&dev->lock);
  fh->resources &= ~bits;
diff --git a/drivers/media/video/video-buf.c b/drivers/media/video/video-buf.c
index cb1c228e29f..a8918e839f6 100644
--- a/drivers/media/video/video-buf.c
+++ b/drivers/media/video/video-buf.c
@@ -59,8 +59,7 @@ videobuf_vmalloc_to_sg(unsigned char *virt, int nr_pages)
  pg = vmalloc_to_page(virt);
  if (NULL == pg)
  goto err;
- if (PageHighMem(pg))
- BUG();
+ BUG_ON(PageHighMem(pg));
  sglist[i].page = pg;
  sglist[i].length = PAGE_SIZE;
  }
-- cgit v1.2.3-70-g09d2