| From ea070610db9d484df3462d3b1f4dd08d4b75b63b Mon Sep 17 00:00:00 2001 |
| From: Lucas Stach <l.stach@pengutronix.de> |
| Date: Mon, 4 Nov 2019 15:58:34 -0800 |
| Subject: [PATCH] Input: synaptics-rmi4 - fix video buffer size |
| |
| commit 003f01c780020daa9a06dea1db495b553a868c29 upstream. |
| |
| The video buffer used by the queue is a vb2_v4l2_buffer, not a plain |
| vb2_buffer. Using the wrong type causes the allocation of the buffer |
| storage to be too small, causing an out-of-bounds write when |
| __init_vb2_v4l2_buffer initializes the buffer. |
| |
| Signed-off-by: Lucas Stach <l.stach@pengutronix.de> |
| Fixes: 3a762dbd5347 ("[media] Input: synaptics-rmi4 - add support for F54 diagnostics") |
| Cc: stable@vger.kernel.org |
| Link: https://lore.kernel.org/r/20191104114454.10500-1-l.stach@pengutronix.de |
| Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/input/rmi4/rmi_f54.c b/drivers/input/rmi4/rmi_f54.c |
| index 710b02595486..4841354af0d7 100644 |
| --- a/drivers/input/rmi4/rmi_f54.c |
| +++ b/drivers/input/rmi4/rmi_f54.c |
| @@ -359,7 +359,7 @@ static const struct vb2_ops rmi_f54_queue_ops = { |
| static const struct vb2_queue rmi_f54_queue = { |
| .type = V4L2_BUF_TYPE_VIDEO_CAPTURE, |
| .io_modes = VB2_MMAP | VB2_USERPTR | VB2_DMABUF | VB2_READ, |
| - .buf_struct_size = sizeof(struct vb2_buffer), |
| + .buf_struct_size = sizeof(struct vb2_v4l2_buffer), |
| .ops = &rmi_f54_queue_ops, |
| .mem_ops = &vb2_vmalloc_memops, |
| .timestamp_flags = V4L2_BUF_FLAG_TIMESTAMP_MONOTONIC, |
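Review bot: The corrected `.buf_struct_size` line in the `rmi_f54_queue` initializer has no comment explaining why the V4L2 wrapper type is required, so a later cleanup could bring back the undersized allocation described in the commit message. I would add a comment above it, such as `/* per-buffer allocation size; must cover struct vb2_v4l2_buffer, which the V4L2 layer initializes */`. It is also worth checking whether the vb2 V4L2 queue-init path in this tree substitutes its own default when the field is left at zero (not visible here); if it does, dropping the field would remove the hard-coded size entirely. The initializer starts in this hunk but ends outside it, so the remaining fields were not reviewed.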
| -- |
| 2.7.4 |
| |