提交 46eeb8dd 编写于 作者: S Steven Toth 提交者: Mauro Carvalho Chehab

[media] saa7164: add guard bytes around critical buffers to detect failure

If the guard bytes are trampled then we have a memory related problem.
Signed-off-by: NSteven Toth <stoth@kernellabs.com>
Signed-off-by: NMauro Carvalho Chehab <mchehab@redhat.com>
上级 58acca10
......@@ -216,6 +216,7 @@ static void saa7164_work_enchandler(struct work_struct *w)
struct saa7164_user_buffer *ubuf;
struct list_head *c, *n;
int wp, rp, i = 0;
u8 *p;
port->last_svc_msecs_diff = port->last_svc_msecs;
port->last_svc_msecs = jiffies_to_msecs(jiffies);
......@@ -262,6 +263,20 @@ static void saa7164_work_enchandler(struct work_struct *w)
break;
}
p = (u8 *)buf->cpu;
if ( (*(p + buf->actual_size + 0) != 0xff) ||
(*(p + buf->actual_size + 1) != 0xff) ||
(*(p + buf->actual_size + 2) != 0xff) ||
(*(p + buf->actual_size + 3) != 0xff) ||
(*(p + buf->actual_size + 0x10) != 0xff) ||
(*(p + buf->actual_size + 0x11) != 0xff) ||
(*(p + buf->actual_size + 0x12) != 0xff) ||
(*(p + buf->actual_size + 0x13) != 0xff) )
{
printk(KERN_ERR "buf %p failed guard check\n", buf);
saa7164_dumphex16(dev, p + buf->actual_size - 32, 64);
}
if (buf->idx == rp) {
/* Found the buffer, deal with it */
dprintk(DBGLVL_IRQ, "%s() wp: %d processing: %d\n",
......@@ -278,9 +293,12 @@ static void saa7164_work_enchandler(struct work_struct *w)
ubuf = list_first_entry(&port->list_buf_free.list,
struct saa7164_user_buffer, list);
if (ubuf->actual_size == buf->actual_size)
if (ubuf->actual_size == buf->actual_size) {
memcpy(ubuf->data, buf->cpu,
ubuf->actual_size);
} else {
printk(KERN_ERR "buf %p actual fails match\n", buf);
}
/* Requeue the buffer on the free list */
ubuf->pos = 0;
......@@ -297,7 +315,7 @@ static void saa7164_work_enchandler(struct work_struct *w)
/* Ensure offset into buffer remains 0, fill buffer
* with known bad data. */
saa7164_buffer_zero_offsets(port, rp);
memset(buf->cpu, 0xDE, buf->pci_size);
memset(buf->cpu, 0xff, buf->pci_size);
break;
}
......
......@@ -1038,14 +1038,18 @@ static ssize_t fops_read(struct file *file, char __user *buffer,
saa7164_histogram_update(&port->read_interval,
port->last_read_msecs_diff);
if (*pos)
if (*pos) {
printk(KERN_ERR "%s() ESPIPE\n", __func__);
return -ESPIPE;
}
if (atomic_cmpxchg(&fh->v4l_reading, 0, 1) == 0) {
if (atomic_inc_return(&port->v4l_reader_count) == 1) {
if (saa7164_encoder_initialize(port) < 0)
if (saa7164_encoder_initialize(port) < 0) {
printk(KERN_ERR "%s() EINVAL\n", __func__);
return -EINVAL;
}
saa7164_encoder_start_streaming(port);
msleep(200);
......@@ -1056,6 +1060,7 @@ static ssize_t fops_read(struct file *file, char __user *buffer,
if ((file->f_flags & O_NONBLOCK) == 0) {
if (wait_event_interruptible(port->wait_read,
saa7164_enc_next_buf(port))) {
printk(KERN_ERR "%s() ERESTARTSYS\n", __func__);
return -ERESTARTSYS;
}
}
......@@ -1077,8 +1082,10 @@ static ssize_t fops_read(struct file *file, char __user *buffer,
if (copy_to_user(buffer, p, cnt)) {
printk(KERN_ERR "%s() copy_to_user failed\n", __func__);
if (!ret)
if (!ret) {
printk(KERN_ERR "%s() EFAULT\n", __func__);
ret = -EFAULT;
}
goto err;
}
......@@ -1087,6 +1094,10 @@ static ssize_t fops_read(struct file *file, char __user *buffer,
buffer += cnt;
ret += cnt;
if (ubuf->pos > ubuf->actual_size) {
printk(KERN_ERR "read() pos > actual, huh?\n");
}
if (ubuf->pos == ubuf->actual_size) {
/* finished with current buffer, take next buffer */
......@@ -1109,8 +1120,10 @@ static ssize_t fops_read(struct file *file, char __user *buffer,
}
}
err:
if (!ret && !ubuf)
if (!ret && !ubuf) {
printk(KERN_ERR "%s() EAGAIN\n", __func__);
ret = -EAGAIN;
}
return ret;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册