26 lines
1007 B
Diff
26 lines
1007 B
Diff
From: Ben Hutchings <ben@decadent.org.uk>
|
|
Date: Mon, 16 May 2016 03:26:30 +0100
|
|
Subject: videobuf2-core: Fix crash after fixing CVE-2016-4568
|
|
|
|
Commit 2c1f6951a8a8 "[media] videobuf2-v4l2: Verify planes array in buffer
|
|
dequeueing" was reverted upstream by commit 93f0750dcdae.
|
|
|
|
It's obvious from the log in the revert commit message that pb == NULL
|
|
in __verify_planes_array(). We should treat this case as successful
|
|
because vb2_core_dqbuf() won't attempt to copy anything to user
|
|
buffers.
|
|
|
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
---
|
|
--- a/drivers/media/v4l2-core/videobuf2-core.c
|
|
+++ b/drivers/media/v4l2-core/videobuf2-core.c
|
|
@@ -1665,7 +1665,7 @@ static int __vb2_get_done_vb(struct vb2_
|
|
* Only remove the buffer from done_list if v4l2_buffer can handle all
|
|
* the planes.
|
|
*/
|
|
- ret = call_bufop(q, verify_planes_array, *vb, pb);
|
|
+ ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
|
|
if (!ret)
|
|
list_del(&(*vb)->done_entry);
|
|
spin_unlock_irqrestore(&q->done_lock, flags);
|