- 03 Jun, 2019 1 commit
-
-
Kefeng Wang authored
X-Originating-IP: [10.175.113.25] X-CFilter-Loop: Reflected The fm_v4l2_init_video_device() forget to unregister v4l2/video device in the error path, it could lead to UAF issue, eg, BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline] BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206 Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659 CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xa9/0x10e lib/dump_stack.c:113 print_address_description+0x65/0x270 mm/kasan/report.c:187 kasan_report+0x149/0x18d mm/kasan/report.c:317 atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline] atomic_long_read include/asm-generic/atomic-long.h:28 [inline] __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206 fm_v4l2_fops_open+0xac/0x120 [fm_drv] v4l2_open+0x191/0x390 [videodev] chrdev_open+0x20d/0x570 fs/char_dev.c:417 do_dentry_open+0x700/0xf30 fs/open.c:777 do_last fs/namei.c:3416 [inline] path_openat+0x7c4/0x2a90 fs/namei.c:3532 do_filp_open+0x1a5/0x2b0 fs/namei.c:3563 do_sys_open+0x302/0x490 fs/open.c:1069 do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f8180c17c8e ... Allocated by task 3642: set_track mm/kasan/common.c:87 [inline] __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497 fm_drv_init+0x13/0x1000 [fm_drv] do_one_initcall+0xbc/0x47d init/main.c:901 do_init_module+0x1b5/0x547 kernel/module.c:3456 load_module+0x6405/0x8c10 kernel/module.c:3804 __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 3642: set_track mm/kasan/common.c:87 [inline] __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459 slab_free_hook mm/slub.c:1429 [inline] slab_free_freelist_hook mm/slub.c:1456 [inline] slab_free mm/slub.c:3003 [inline] kfree+0xe1/0x270 mm/slub.c:3958 fm_drv_init+0x1e6/0x1000 [fm_drv] do_one_initcall+0xbc/0x47d init/main.c:901 do_init_module+0x1b5/0x547 kernel/module.c:3456 load_module+0x6405/0x8c10 kernel/module.c:3804 __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Add relevant unregister functions to fix it. Cc: Hans Verkuil <hans.verkuil@cisco.com> Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
- 29 May, 2019 39 commits
-
-
Christophe JAILLET authored
'res' is reassigned several times in the function and if we 'goto error_unmap', its value is not the returned value of 'request_mem_region()' anymore. Introduce a new 'struct resource *' variable (i.e. res2) to keep a pointer to the right resource, if needed in the error handling path. Fixes: 4b4eda00 ("Staging: media: Unmap and release region obtained by ioremap_nocache") Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Arvind Yadav authored
platform_device_id are not supposed to change at runtime. All functions working with platform_device_id provided by <linux/platform_device.h> work with const platform_device_id. So mark the non-const structs as const. Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Diwakar Sharma authored
Checkpatch reported warnings for use of embedded function names. Use __func__ instead of embedded function names. [mchehab+samsung@kernel.org: rebased on the top of upstream] Signed-off-by: Diwakar Sharma <sharmalxmail@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Sakari Ailus authored
video_unregister_device() can be called on a never or an already unregistered device. Drop the redundant check. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Sakari Ailus authored
devm functions are fine for managing resources that are directly related to the device at hand and that have no other dependencies. However, a process holding a file handle to a device created by a driver for a device may result in the file handle left behind after the device is long gone. This will result in accessing released (and potentially reallocated) memory. Instead, manage the memory resources in the driver. Releasing the resources can be later on bound to e.g. by releasing a reference. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Arushi Singhal authored
This patch replaces bit shifting on 1 with the BIT(x) macro. This was done with coccinelle: @@ constant c; @@ -1 << c +BIT(c) [mchehab+samsung@kernel.org: rebase on the top of upstream] Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Shailendra Verma authored
Fix to avoid possible memory leak if the decoder initialization got failed.Free the allocated memory for file handle object before return in case decoder initialization fails. Signed-off-by: Shailendra Verma <shailendra.v@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Andrew F. Davis authored
The size of the vma can be larger than the size of the backing buffer. Use the buffer size over vma size to prevent exposing extra memory to userspace. Signed-off-by: Andrew F. Davis <afd@ti.com> Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Young Xiao authored
In dvb_init(), dev->dvb is allocated by kzalloc. Therefore, it must be freed being set to NULL. Signed-off-by: Young Xiao <92siuyang@gmail.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Sean Young authored
This also populates the version member correctly. Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Sean Young authored
Tested on WinTV-HVR-930C. Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Sean Young authored
Give the RC device the name of the board rather than "1-2:1.0 IR". Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Chen-Yu Tsai authored
The A83T SoC has a camera sensor interface (known as CSI in Allwinner lingo), which is similar to the one found on the A64 and H3. The only difference seems to be that support of MIPI CSI through a connected MIPI CSI-2 bridge. Add support for this variant. Signed-off-by: Chen-Yu Tsai <wens@csie.org> Acked-by: Maxime Ripard <maxime.ripard@bootlin.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Chen-Yu Tsai authored
The A83T SoC has a camera sensor interface (known as CSI in Allwinner lingo), which is similar to the one found on the A64 and H3. The only difference seems to be that support of MIPI CSI through a connected MIPI CSI-2 bridge. Add a compatible string for this variant. Signed-off-by: Chen-Yu Tsai <wens@csie.org> Acked-by: Maxime Ripard <maxime.ripard@bootlin.com> Reviewed-by: Rob Herring <robh@kernel.org> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Shawn Tu authored
modify registers to fix bayer order in test pattern mode Signed-off-by: Shawn Tu <shawnx.tu@intel.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Sakari Ailus authored
The hardware only supports 4ki pages; drop support for other sizes. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Tested-by: Rajmohan Mani <rajmohan.mani@intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Sakari Ailus authored
Address C compiler, sparse and smatch warnings and little style issues in the IMGU MMU code. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Tested-by: Rajmohan Mani <rajmohan.mani@intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Sakari Ailus authored
Remove redundant checks for less than zero on unsigned variables. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Tested-by: Rajmohan Mani <rajmohan.mani@intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Sakari Ailus authored
Address a compiler warnings on alignment of struct ipu3_uapi_awb_fr_config_s by adding __attribute__((aligned(32))) to a struct member of that type as well. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Tested-by: Rajmohan Mani <rajmohan.mani@intel.com> Reviewed-by: Jacopo Mondi <jacopo@jmondi.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Jonas Karlman authored
Add necessary bits to support MPEG2 decoding on RK3288. Signed-off-by: Jonas Karlman <jonas@kwiboo.se> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Jonas Karlman authored
Add the necessary bits to support MPEG2 decoding on RK3399. Signed-off-by: Jonas Karlman <jonas@kwiboo.se> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Jonas Karlman authored
Only adds structs and helpers to allow supporting MPEG-2 decoding on rockchip SoCs. Support for RK3399 and RK3288 will be added in separate commits Signed-off-by: Jonas Karlman <jonas@kwiboo.se> Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Ezequiel Garcia authored
Rework the way controls are registered by the driver, so it can support non-standard controls, such as those used by stateless codecs. Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Ezequiel Garcia authored
This commit adds the needed boilerplate code to support the VPU in decoding operation. Two v4l2 interfaces are exposed, one for encoding and one for decoding, but a single m2m device is shared by them, so jobs are properly serialized. Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Boris Brezillon authored
The code in rockchip_vpu_v4l2 was hardcoded for encoder support. Modify it more generic to support the decoder case so that we can re-use the same vb2/v4l2 ops for both devices. Co-developed-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Boris Brezillon authored
When initializing a context, the core wants to reset both src and dst formats. Right now the order doesn't matter, but if we want to have a valid default width/height on the non-coded/raw format side (src in case of encoders, dst in case of decoders), we need to reset those formats in the right order: first the coded-format side, then the other, such that width and height on the raw format side can be taken from the coded format. Let's provide a helper that will reset both formats and make sure this is done in the right order. Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Boris Brezillon authored
The V4L2/VB2 implementation for the encoder and decoder logic are very similar, so let's rename rockchip_vpu_enc.c file into rockchip_vpu_v4l2.c and remove the _enc_ part in objects/functions exposed in rockchip_vpu_v4l2.h. We also rename the enc_queue_init() function (in rockchip_vpu_drv.c) queue_init() since it will be used to initialize both type of queues. The implementation itself will be patched to support the decoding case when decoder support is added. Suggested-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Boris Brezillon authored
We're about to add prototypes for the vb2/v4l2 helpers shared by the encoder/decoder logic in this file, so let's pick a name that reflects that (rockchip_vpu_common.h was a bit to generic). Suggested-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Ezequiel Garcia authored
Introduce support for the Request API. Although the JPEG encoder does not mandate using the Request API, it's perfectly possible to use it, if the application wants to. Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Ezequiel Garcia authored
In preparation to support decoders, using a single memory-to-memory device, we need to roll our own media controller entities registration. To do that, we define a rockchip_vpu_func object that embeds the video_device object plus all the elements that are needed to attach this vdev to the media device. Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Boris Brezillon authored
Use the v4l2_apply_frmsize_constraints() helper instead of open-coding it. Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Boris Brezillon authored
The rockchip VPU driver is open-coding this logic which seems pretty generic. Let's provide an helper to apply the min/max and alignment constraints on width/height. Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Boris Brezillon authored
Width/height and 4CC formats are expressed using u32 types everywhere, let's fix the v4l2_fill_pixfmt[_mp]() prototypes to do the same. Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Hans Verkuil authored
Commit b6c96e15 inadvertently also dropped the 'msg->len > 1' test from the preceding sanity check. This caused compliance test failures. Fixes: b6c96e15 ("media: cec: allow any initiator for Ping and Image/Text View On") Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Kefeng Wang authored
if saa7164_proc_create() fails, saa7164_fini() will trigger a warning, name 'saa7164' WARNING: CPU: 1 PID: 6311 at fs/proc/generic.c:672 remove_proc_entry+0x1e8/0x3a0 ? remove_proc_entry+0x1e8/0x3a0 ? try_stop_module+0x7b/0x240 ? proc_readdir+0x70/0x70 ? rcu_read_lock_sched_held+0xd7/0x100 saa7164_fini+0x13/0x1f [saa7164] __x64_sys_delete_module+0x30c/0x480 ? __ia32_sys_delete_module+0x480/0x480 ? __x64_sys_clock_gettime+0x11e/0x1c0 ? __x64_sys_timer_create+0x1a0/0x1a0 ? trace_hardirqs_off_caller+0x40/0x180 ? do_syscall_64+0x18/0x450 do_syscall_64+0x9f/0x450 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fix it by checking the return of proc_create_single() before calling remove_proc_entry(). Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> [hverkuil-cisco@xs4all.nl: use 0444 instead of S_IRUGO] [hverkuil-cisco@xs4all.nl: use pr_info instead of KERN_INFO] Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Hans Verkuil authored
You can't memset the contents of a __user pointer. Instead, call copy_to_user to copy links.reserved (which is zeroed) to the user memory. This fixes this sparse warning: SPARSE:drivers/media/mc/mc-device.c drivers/media/mc/mc-device.c:521:16: warning: incorrect type in argument 1 (different address spaces) Fixes: f4930887 ("media: media_device_enum_links32: clean a reserved field") Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Hans Verkuil authored
The reserved field array for struct media_link_desc has length 2, not 4. And the reserved field array of struct media_links_enum was never documented at all. Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Wen Yang authored
The call to of_find_device_by_node returns a node pointer with refcount incremented thus it must be explicitly decremented after the last usage. Detected by coccinelle with the following warnings: drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c:60:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 38, but without a corresponding object release within this function. drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c:63:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 38, but without a corresponding object release within this function. drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c:72:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 38, but without a corresponding object release within this function. Signed-off-by: Wen Yang <wen.yang99@zte.com.cn> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-
Wen Yang authored
The call to of_parse_phandle returns a node pointer with refcount incremented thus it must be explicitly decremented after the last usage. Detected by coccinelle with the following warnings: drivers/media/platform/mtk-vpu/mtk_vpu.c:477:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 464, but without a corresponding object release within this function. Signed-off-by: Wen Yang <wen.yang99@zte.com.cn> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
-