Re-apply "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing"

This was reverted upstream in 4.5.5 due to a regression but we have a fix for
the regression (probably).

debian/changelog

@@ -59,7 +59,6 @@ linux (4.5.5-1) UNRELEASED; urgency=medium
     - atomic_open(): fix the handling of create_error
     - qla1280: Don't allocate 512kb of host tags
     - tools lib traceevent: Do not reassign parg after collapse_tree()
-    - Revert "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing"
     - [x86] drm/i915: Update CDCLK_FREQ register on BDW after changing cdclk
       frequency
     - drm/radeon: fix PLL sharing on DCE6.1 (v2)
@@ -101,6 +100,8 @@ linux (4.5.5-1) UNRELEASED; urgency=medium
     snd_timer_user_tinterrupt (CVE-2016-4578)
   * dwc3-exynos: Fix deferred probing storm (Closes: #823552; thanks to
     Steinar H. Gunderson)
+  * Re-apply "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing",
+    reverted upstream in 4.5.5
 
   [ Roger Shimizu ]
   * [armhf] Enable SENSORS_PWM_FAN / PWM_SAMSUNG as module, as recommended by

debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch

@@ -0,0 +1,52 @@
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Sun, 3 Apr 2016 16:31:03 -0300
+Subject: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
+Origin: https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab
+
+When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
+which will be dequeued is not known until the buffer has been removed from
+the queue. The number of planes is specific to a buffer, not to the queue.
+
+This does lead to the situation where multi-plane buffers may be requested
+and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
+struct with fewer planes.
+
+__fill_v4l2_buffer() however uses the number of planes from the dequeued
+videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
+in video_usercopy() in v4l2-ioctl.c)  if the user provided fewer
+planes than the dequeued buffer had. Oops!
+
+Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")
+
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
+Cc: stable@vger.kernel.org # for v4.4 and later
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+---
+ drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/media/v4l2-core/videobuf2-v4l2.c b/drivers/media/v4l2-core/videobuf2-v4l2.c
+index 91f552124050..8da7470ca364 100644
+--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
++++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
+@@ -74,6 +74,11 @@ static int __verify_planes_array(struct vb2_buffer *vb, const struct v4l2_buffer
+ 	return 0;
+ }
+ 
++static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
++{
++	return __verify_planes_array(vb, pb);
++}
++
+ /**
+  * __verify_length() - Verify that the bytesused value for each plane fits in
+  * the plane length and that the data offset doesn't exceed the bytesused value.
+@@ -437,6 +442,7 @@ static int __fill_vb2_buffer(struct vb2_buffer *vb,
+ }
+ 
+ static const struct vb2_buf_ops v4l2_buf_ops = {
++	.verify_planes_array	= __verify_planes_array_core,
+ 	.fill_user_buffer	= __fill_v4l2_buffer,
+ 	.fill_vb2_buffer	= __fill_vb2_buffer,
+ 	.copy_timestamp		= __copy_timestamp,

debian/patches/series

@@ -143,6 +143,7 @@ bugfix/all/usb-usbfs-fix-potential-infoleak-in-devio.patch
 bugfix/all/alsa-timer-fix-leak-in-sndrv_timer_ioctl_params.patch
 bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_cca.patch
 bugfix/all/alsa-timer-fix-leak-in-events-via-snd_timer_user_tin.patch
+bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
 
 # ABI maintenance
 debian/ib-fix-abi-change-in-4.5.3.patch