- 19 Dec, 2017 9 commits
-
-
Daniel Scheller authored
Do kfree() on port->en->data instead of port->en. port->en only holds a ptr to a struct dvb_ca_en50221, which is a member either of a memalloc'ed struct ddb_ci (DuoFlex CI, Octopus CI Duo) or a struct cxd (CXD2099AR based Single Flex, allocated by the cxd2099 driver). port->en.data though holds the ptr to the allocated memory, which must rather be kfree()'d. Change this accordingly. Cc: Ralph Metzler <rjkm@metzlerbros.de> Signed-off-by: Daniel Scheller <d.scheller@gmx.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Daniel Scheller authored
Currently, rmmod ddbridge on a KASAN enabled kernel yields this report for hardware that utilises the tda18212 tuner driver: [ 50.355229] ================================================================== [ 50.355271] BUG: KASAN: use-after-free in tda18212_remove+0x5c/0xb0 [tda18212] [ 50.355290] Write of size 288 at addr ffff8800c235cf18 by task rmmod/285 [ 50.355316] CPU: 1 PID: 285 Comm: rmmod Not tainted 4.15.0-rc1-13744-g352a86ad536f #11 [ 50.355318] Hardware name: Gigabyte Technology Co., Ltd. P35-DS3/P35-DS3, BIOS F3 06/11/2007 [ 50.355319] Call Trace: [ 50.355326] dump_stack+0x46/0x61 [ 50.355332] print_address_description+0x79/0x270 [ 50.355336] ? tda18212_remove+0x5c/0xb0 [tda18212] [ 50.355339] kasan_report+0x229/0x340 [ 50.355342] memset+0x1f/0x40 [ 50.355345] tda18212_remove+0x5c/0xb0 [tda18212] [ 50.355350] i2c_device_remove+0x97/0xe0 [ 50.355355] device_release_driver_internal+0x267/0x510 [ 50.355358] bus_remove_device+0x296/0x470 [ 50.355360] device_del+0x35c/0x890 [ 50.355363] ? __device_links_no_driver+0x1c0/0x1c0 [ 50.355367] ? cxd2841er_get_algo+0x10/0x10 [cxd2841er] [ 50.355371] ? cxd2841er_get_algo+0x10/0x10 [cxd2841er] [ 50.355374] ? __module_text_address+0xe/0x140 [ 50.355377] device_unregister+0x9/0x20 [ 50.355382] dvb_input_detach.isra.24+0x286/0x480 [ddbridge] [ 50.355388] ddb_ports_detach+0x15f/0x4f0 [ddbridge] [ 50.355393] ddb_remove+0x3c/0xb0 [ddbridge] [ 50.355397] pci_device_remove+0x93/0x1d0 [ 50.355400] device_release_driver_internal+0x267/0x510 [ 50.355403] driver_detach+0xb9/0x1b0 [ 50.355406] bus_remove_driver+0xd0/0x1f0 [ 50.355410] pci_unregister_driver+0x25/0x210 [ 50.355415] module_exit_ddbridge+0xc/0x45 [ddbridge] [ 50.355418] SyS_delete_module+0x314/0x440 [ 50.355420] ? free_module+0x5b0/0x5b0 [ 50.355423] ? exit_to_usermode_loop+0xa9/0xc0 [ 50.355425] ? free_module+0x5b0/0x5b0 [ 50.355428] do_syscall_64+0x179/0x4c0 [ 50.355432] ? do_page_fault+0x1b/0x60 [ 50.355435] entry_SYSCALL64_slow_path+0x25/0x25 [ 50.355438] RIP: 0033:0x7fe65d08ade7 [ 50.355439] RSP: 002b:00007fff5a6a09a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000b0 [ 50.355443] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe65d08ade7 [ 50.355445] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000000000f4e268 [ 50.355447] RBP: 0000000000f4e200 R08: 0000000000000000 R09: 1999999999999999 [ 50.355449] R10: 0000000000000891 R11: 0000000000000202 R12: 00007fff5a6a14ef [ 50.355451] R13: 0000000000000000 R14: 0000000000f4e200 R15: 0000000000f4d010 [ 50.355462] Allocated by task 164: [ 50.355477] cxd2841er_attach+0xc3/0x7f0 [cxd2841er] [ 50.355482] demod_attach_cxd28xx+0x14c/0x3f0 [ddbridge] [ 50.355486] dvb_input_attach+0x671/0x1e20 [ddbridge] [ 50.355490] ddb_ports_attach+0x3d7/0xbf0 [ddbridge] [ 50.355495] ddb_init+0x4b3/0xa30 [ddbridge] [ 50.355499] ddb_probe+0xa51/0xfe0 [ddbridge] [ 50.355501] pci_device_probe+0x279/0x480 [ 50.355504] driver_probe_device+0x46f/0x7a0 [ 50.355506] __driver_attach+0x133/0x170 [ 50.355509] bus_for_each_dev+0x10a/0x190 [ 50.355511] bus_add_driver+0x2a3/0x5a0 [ 50.355513] driver_register+0x182/0x3a0 [ 50.355516] arc4_set_key+0x8f/0x2a0 [arc4] [ 50.355518] do_one_initcall+0x77/0x1d0 [ 50.355521] do_init_module+0x1c2/0x548 [ 50.355523] load_module+0x5e61/0x8df0 [ 50.355525] SyS_finit_module+0x142/0x150 [ 50.355527] do_syscall_64+0x179/0x4c0 [ 50.355529] return_from_SYSCALL_64+0x0/0x65 [ 50.355539] Freed by task 285: [ 50.355551] kfree+0x6c/0xa0 [ 50.355558] __dvb_frontend_free+0x81/0xb0 [dvb_core] [ 50.355562] dvb_input_detach.isra.24+0x17c/0x480 [ddbridge] [ 50.355566] ddb_ports_detach+0x15f/0x4f0 [ddbridge] [ 50.355570] ddb_remove+0x3c/0xb0 [ddbridge] [ 50.355573] pci_device_remove+0x93/0x1d0 [ 50.355576] device_release_driver_internal+0x267/0x510 [ 50.355578] driver_detach+0xb9/0x1b0 [ 50.355580] bus_remove_driver+0xd0/0x1f0 [ 50.355583] pci_unregister_driver+0x25/0x210 [ 50.355587] module_exit_ddbridge+0xc/0x45 [ddbridge] [ 50.355590] SyS_delete_module+0x314/0x440 [ 50.355592] do_syscall_64+0x179/0x4c0 [ 50.355594] return_from_SYSCALL_64+0x0/0x65 [ 50.355604] The buggy address belongs to the object at ffff8800c235cd80 which belongs to the cache kmalloc-2048 of size 2048 [ 50.355630] The buggy address is located 408 bytes inside of 2048-byte region [ffff8800c235cd80, ffff8800c235d580) [ 50.355652] The buggy address belongs to the page: [ 50.355666] page:ffffea0002a7bc20 count:1 mapcount:0 mapping:ffff8800c235c500 index:0x0 compound_mapcount: 0 [ 50.355688] flags: 0x4000000000008100(slab|head) [ 50.355703] raw: 4000000000008100 ffff8800c235c500 0000000000000000 0000000100000003 [ 50.355720] raw: ffffea000382b4b0 ffffea0002b91550 ffff88010b000800 [ 50.355734] page dumped because: kasan: bad access detected [ 50.355754] Memory state around the buggy address: [ 50.355767] ffff8800c235ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.355783] ffff8800c235ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.355800] >ffff8800c235cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.355815] ^ [ 50.355827] ffff8800c235cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.355843] ffff8800c235d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 50.355858] ================================================================== This is due to dvb_frontend_detach() being called before i2c_unregister_device() on the TDA18212 tuner client instance, as dvb_frontend_detach() causes the demod drivers to release all their resources, and the tuner driver's _remove method does further cleanup on the now invalid (freed) resources. Fix this by putting the I2C client deregistration in dvb_input_detach() to state/case 0x30, right before the call to dvb_frontend_detach(). This also makes sure that any further (tuner) hardware driven by I2C client drivers unload cleanly. Fixes: 1502efd2 ("media: ddbridge: fix teardown/deregistration order in ddb_input_detach()") Signed-off-by: Daniel Scheller <d.scheller@gmx.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Athanasios Oikonomou authored
This commit uses the new property scrambling_sequence_index to control PLS. By default we are using the gold sequence 0 and only gold sequences expected on the new property. Please note that all services use PLS, just most with the default sequence 0 and many demods only support gold 0. Signed-off-by: Athanasios Oikonomou <athoik@gmail.com> Acked-by: Ralph Metzler <rjkm@metzlerbros.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Athanasios Oikonomou authored
This commit adds a new property DTV_SCRAMBLING_SEQUENCE_INDEX. This 18 bit field, when present, carries the index of the DVB-S2 physical layer scrambling sequence as defined in clause 5.5.4 of EN 302 307. There is no explicit signalling method to convey scrambling sequence index to the receiver. If S2 satellite delivery system descriptor is available it can be used to read the scrambling sequence index (EN 300 468 table 41). By default, gold scrambling sequence index 0 is used. The valid scrambling sequence index range is from 0 to 262142. Increase the DVB API version in order userspace to be aware of the changes. Signed-off-by: Athanasios Oikonomou <athoik@gmail.com> Acked-by: Ralph Metzler <rjkm@metzlerbros.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Bjorn Helgaas authored
Use the existing PCI_EXP_DEVCTL2_COMP_TIMEOUT macro instead of hard-coding the PCIe Completion Timeout Value mask. No functional change intended. Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
Two orthogonal changesets caused a breakage at a printk inside davinci. Commit a2d17962 ("[media] davinci: Switch from V4L2 OF to V4L2 fwnode") made davinci to use struct fwnode_handle instead of struct device_node. Commit 68d9c47b ("media: Convert to using %pOF instead of full_name") changed the printk to not use ->full_name, but, instead, to rely on %pOF. With both patches applied, the Kernel will do the wrong thing, as warned by smatch: drivers/media/platform/davinci/vpif_capture.c:1399 vpif_async_bound() error: '%pOF' expects argument of type 'struct device_node*', argument 5 has type 'void*' So, change the logic to actually print the device name that was obtained before the print logic. Fixes: 68d9c47b ("media: Convert to using %pOF instead of full_name") Fixes: a2d17962 ("[media] davinci: Switch from V4L2 OF to V4L2 fwnode") Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
pr_debug() and netdev_dbg() can be enabled/disabled dynamically via sysfs. So, stop hidding them under ULE_DEBUG config macro. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
This debug option is there for a long time, but it is only enabled by editing the source code. Due to that, a breakage inside its code was only noticed years after a change at the ULE handling logic. Make it a Kconfig parameter, as it makes easier for advanced users to enable, and allow test if the compilation won't be broken in the future. Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
commit efb9ab67 ("[media] dvb_net: prepare to split a very complex function") changed the ULE handling logic, simplifying it. However, it forgot to keep the initialization for .priv and to zero .ule_hist fields. The lack of .priv cause crashes if dvb_net_ule() is called, as the function assuems that .priv field to be initialized. With regards to .ule_hist, the current logic is broken and don't even compile if ULE_DEBUG. Fix it by making the debug vars static again, and be sure to pass iov parameter to dvb_net_ule_check_crc(). Fixes: efb9ab67 ("[media] dvb_net: prepare to split a very complex function") Suggested-by: Ron Economos <w6rz@comcast.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
- 18 Dec, 2017 31 commits
-
-
Andi Shyti authored
Replace the original license statement with the SPDX identifier. Update also the copyright owner adding myself as co-owner of the copyright. Signed-off-by: Andi Shyti <andi.shyti@samsung.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
There is no reason to hold the lock while we wait for the IR to transmit. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
This is code existed for when drivers would send less than the whole buffer; no driver does this any more, so this is redundant. Drivers should return -EINVAL if they cannot send the entire buffer. Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
If memdup_user() fails, txbuf will be an error pointer and passed to kfree. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
The TX loop is more complex than it should. Simplify it. Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
The semantics for lirc IR transmit with raw IR is that the write call should block until the IR is transmitted. Some drivers have no idea when this actually is (e.g. mceusb), so there is a wait. This is useful for userspace, as it might want to send a IR button press, a gap of a predefined number of milliseconds, and then send a repeat message. It turns out that for transmitting scancodes this feature is even more useful, as user space has no idea how long the IR is. So, maintain the existing semantics for IR scancode transmit. Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
rc_keydown() can be called from interrupt context, by e.g. an rc scancode driver. Since commit b2c96ba352b5 ("media: cec: move cec autorepeat handling to rc-core"), the del_timer_sync() call is not happy about being called in interrupt connect. del_timer() will suffice. WARNING: CPU: 0 PID: 0 at kernel/time/timer.c:1285 del_timer_sync+0x1d/0x40 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 4.15.0-rc1+ #1 Hardware name: /DG45ID, BIOS IDG4510H.86A.0135.2011.0225.1100 02/25/2011 task: ffffffffa3e10480 task.stack: ffffffffa3e00000 RIP: 0010:del_timer_sync+0x1d/0x40 RSP: 0018:ffff8b396bc03db0 EFLAGS: 00010046 RAX: 0000000080010000 RBX: ffff8b394d70e410 RCX: 0000000000000073 RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8b394d70e410 RBP: 0000000000000001 R08: ffffffffc0616000 R09: ffff8b396bfa3000 R10: 0000000000000000 R11: 0000000000000390 R12: ffff8b394f003800 R13: 0000000000000000 R14: ffff8b3771c19630 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8b396bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1944469000 CR3: 00000001ebe09000 CR4: 00000000000006f0 Call Trace: <IRQ> ir_do_keyup.part.5+0x22/0x90 [rc_core] rc_keyup+0x37/0x50 [rc_core] usb_rx_callback_intf0+0x79/0x90 [imon] __usb_hcd_giveback_urb+0x90/0x130 uhci_giveback_urb+0xab/0x250 uhci_scan_schedule.part.34+0x806/0xb00 uhci_irq+0xab/0x150 usb_hcd_irq+0x22/0x30 __handle_irq_event_percpu+0x3a/0x180 handle_irq_event_percpu+0x30/0x70 handle_irq_event+0x27/0x50 handle_fasteoi_irq+0x6b/0x110 handle_irq+0xa5/0x100 do_IRQ+0x41/0xc0 common_interrupt+0x96/0x96 </IRQ> RIP: 0010:cpuidle_enter_state+0x9a/0x2d0 RSP: 0018:ffffffffa3e03e88 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffda RAX: ffff8b396bc1a000 RBX: 00000010da7bcd63 RCX: 00000010da7bccf6 RDX: 00000010da7bcd63 RSI: 00000010da7bcd63 RDI: 0000000000000000 RBP: ffff8b394f587400 R08: 0000000000000000 R09: 0000000000000002 R10: ffffffffa3e03e48 R11: 0000000000000390 R12: 0000000000000003 R13: ffffffffa3ebf018 R14: 0000000000000000 R15: 00000010da7ba772 ? cpuidle_enter_state+0x8d/0x2d0 do_idle+0x17b/0x1d0 cpu_startup_entry+0x6f/0x80 start_kernel+0x4a7/0x4c7 secondary_startup_64+0xa5/0xb0 Code: e7 5b 5d 41 5c e9 84 88 05 00 0f 1f 40 00 66 66 66 66 90 65 8b 05 e4 6f ef 5c a9 00 00 0f 00 53 48 89 fb 74 16 f6 47 22 20 75 10 <0f> ff 48 89 df e8 89 f1 ff ff 85 c0 79 0e f3 90 48 89 df e8 7b Fixes: b2c96ba352b5 ("media: cec: move cec autorepeat handling to rc-core") Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
Since commit 9c7fd60e951d ("media: rc: Replace timeval with ktime_t in imon.c"), the function tv2int() is no longer used. Remove it. Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
Another device with the 0xffdc device id, this one with 0x26 in the config byte. Its an iMON Inside + iMON IR. It does respond to rc-6, but seems to produce random garbage rather than a scancode. Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
The agreed format is to use /* */ comments inside header files. Unfortunately, I ended by using // on a few ones. Reported-by: Andi Shyti <andi.shyti@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Flavio Ceolin authored
s5p_jpeg_runtime_resume() does not call clk_disable_unprepare() for jpeg->clocks[0] when one of the clk_prepare_enable() fails. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com> Acked-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com> Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Simon Shields authored
If the subdev is not yet present (probably because the subdev module has not yet been loaded), the pipe will be NULL. Make sure that this is not the case before attempting to call the op. Signed-off-by: Simon Shields <simon@lineageos.org> Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Marek Szyprowski authored
Support for Exynos4212 SoCs has been removed by commit bca9085e ("ARM: dts: exynos: remove Exynos4212 support (dead code)"), so there is no need to keep remaining dead code related to this SoC version. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Krzysztof Kozlowski <krzk@kernel.org> Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Shuah Khan authored
Driver calls request_firmware() whenever the device is opened for the first time. As the device gets opened and closed, dev->num_inst == 1 is true several times. This is not necessary since the firmware is saved in the fw_buf. s5p_mfc_load_firmware() copies the buffer returned by the request_firmware() to dev->fw_buf. fw_buf sticks around until it gets released from s5p_mfc_remove(), hence there is no need to keep requesting firmware and copying it to fw_buf. This might have been overlooked when changes are made to free fw_buf from the device release interface s5p_mfc_release(). Fix s5p_mfc_load_firmware() to call request_firmware() once and keep state. Change _probe() to load firmware once fw_buf has been allocated. s5p_mfc_open() and it continues to call s5p_mfc_load_firmware() and init hardware which is the step where firmware is written to the device. This addresses the mfc_mutex contention due to repeated request_firmware() calls from open() in the following circular locking warning: [ 552.194115] qtdemux0:sink/2710 is trying to acquire lock: [ 552.199488] (&dev->mfc_mutex){+.+.}, at: [<bf145544>] s5p_mfc_mmap+0x28/0xd4 [s5p_mfc] [ 552.207459] but task is already holding lock: [ 552.213264] (&mm->mmap_sem){++++}, at: [<c01df2e4>] vm_mmap_pgoff+0x44/0xb8 [ 552.220284] which lock already depends on the new lock. [ 552.228429] the existing dependency chain (in reverse order) is: [ 552.235881] -> #2 (&mm->mmap_sem){++++}: [ 552.241259] __might_fault+0x80/0xb0 [ 552.245331] filldir64+0xc0/0x2f8 [ 552.249144] call_filldir+0xb0/0x14c [ 552.253214] ext4_readdir+0x768/0x90c [ 552.257374] iterate_dir+0x74/0x168 [ 552.261360] SyS_getdents64+0x7c/0x1a0 [ 552.265608] ret_fast_syscall+0x0/0x28 [ 552.269850] -> #1 (&type->i_mutex_dir_key#2){++++}: [ 552.276180] down_read+0x48/0x90 [ 552.279904] lookup_slow+0x74/0x178 [ 552.283889] walk_component+0x1a4/0x2e4 [ 552.288222] link_path_walk+0x174/0x4a0 [ 552.292555] path_openat+0x68/0x944 [ 552.296541] do_filp_open+0x60/0xc4 [ 552.300528] file_open_name+0xe4/0x114 [ 552.304772] filp_open+0x28/0x48 [ 552.308499] kernel_read_file_from_path+0x30/0x78 [ 552.313700] _request_firmware+0x3ec/0x78c [ 552.318291] request_firmware+0x3c/0x54 [ 552.322642] s5p_mfc_load_firmware+0x54/0x150 [s5p_mfc] [ 552.328358] s5p_mfc_open+0x4e4/0x550 [s5p_mfc] [ 552.333394] v4l2_open+0xa0/0x104 [videodev] [ 552.338137] chrdev_open+0xa4/0x18c [ 552.342121] do_dentry_open+0x208/0x310 [ 552.346454] path_openat+0x28c/0x944 [ 552.350526] do_filp_open+0x60/0xc4 [ 552.354512] do_sys_open+0x118/0x1c8 [ 552.358586] ret_fast_syscall+0x0/0x28 [ 552.362830] -> #0 (&dev->mfc_mutex){+.+.}: -> #0 (&dev->mfc_mutex){+.+.}: [ 552.368379] lock_acquire+0x6c/0x88 [ 552.372364] __mutex_lock+0x68/0xa34 [ 552.376437] mutex_lock_interruptible_nested+0x1c/0x24 [ 552.382086] s5p_mfc_mmap+0x28/0xd4 [s5p_mfc] [ 552.386939] v4l2_mmap+0x54/0x88 [videodev] [ 552.391601] mmap_region+0x3a8/0x638 [ 552.395673] do_mmap+0x330/0x3a4 [ 552.399400] vm_mmap_pgoff+0x90/0xb8 [ 552.403472] SyS_mmap_pgoff+0x90/0xc0 [ 552.407632] ret_fast_syscall+0x0/0x28 [ 552.411876] other info that might help us debug this: [ 552.419848] Chain exists of: &dev->mfc_mutex --> &type->i_mutex_dir_key#2 --> &mm->mmap_sem [ 552.431200] Possible unsafe locking scenario: [ 552.437092] CPU0 CPU1 [ 552.441598] ---- ---- [ 552.446104] lock(&mm->mmap_sem); [ 552.449484] lock(&type->i_mutex_dir_key#2); [ 552.456329] lock(&mm->mmap_sem); [ 552.462222] lock(&dev->mfc_mutex); [ 552.465775] *** DEADLOCK *** Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Shuah Khan authored
s5p_mfc_load_firmware() will not get called if fw_buf.virt allocation fails. The allocation happens very early on in the probe routine and probe fails if allocation fails. There is no need to check if it is null in s5p_mfc_load_firmware(). Remove the check. Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Marek Szyprowski authored
Setting both V4L2_CAP_VIDEO_CAPTURE_MPLANE and V4L2_CAP_VIDEO_OUTPUT_MPLANE for mem2mem video nodes is obsolete since commit f0476a83 ("[media] V4L: Add capability flags for memory-to-memory devices"). It was enough time to adapt all users to the new flags, so drop the legacy caps for now to match other mem2mem drivers. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Marek Szyprowski authored
Setting both V4L2_CAP_VIDEO_CAPTURE_MPLANE and V4L2_CAP_VIDEO_OUTPUT_MPLANE for mem2mem video nodes is obsolete since commit f0476a83 ("[media] V4L: Add capability flags for memory-to-memory devices"). It was enough time to adapt all users to the new flags, so drop the legacy caps for now to match other mem2mem drivers. Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Arnd Bergmann authored
We copy the subdev frame format from a partially initialized structure, which is not entirely well-defined. Older compilers like gcc-4.4 can copy uninitialized stack data here and warn about it: drivers/media/platform/exynos4-is/fimc-isp.c: In function 'fimc_isp_subdev_open': drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.reserved[10u]' may be used uninitialized in this function drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.reserved[9u]' may be used uninitialized in this function ... drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.reserved[0u]' may be used uninitialized in this function drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.xfer_func' may be used uninitialized in this function On newer compilers, only the initialized fields get copied, but we should not rely on that, so this changes the code to zero-out the remaining fields first. Fixes: 9a761e43 ("[media] exynos4-is: Add Exynos4x12 FIMC-IS driver") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sylwester Nawrocki authored
This patch fixes the menu_skip_mask field initialization and addresses a following issue found by the SVACE static analysis: * NO_EFFECT.SELF: assignment to self in expression 'cfg.menu_skip_mask = cfg.menu_skip_mask' No effect at drivers/media/platform/s5p-mfc/s5p_mfc_enc.c:2083 Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Jia-Ju Bai authored
The driver may sleep under a spinlock. The function call path is: bdisp_device_run (acquire the spinlock) bdisp_hw_update bdisp_hw_save_request devm_kzalloc(GFP_KERNEL) --> may sleep To fix it, GFP_KERNEL is replaced with GFP_ATOMIC. This bug is found by my static analysis tool(DSAC) and checked by my code review. Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com> Reviewed-by: Fabien Dessenne <fabien.dessenne@st.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Stanimir Varbanov authored
Currently videobuf2-dma-sg checks for dma direction for every single page and videobuf2-dc lacks any dma direction checks and calls set_page_dirty_lock unconditionally. Thus unify and align the invocations of set_page_dirty_lock for videobuf2-dc, videobuf2-sg memory allocators with videobuf2-vmalloc, i.e. the pattern used in vmalloc has been copied to dc and dma-sg. Suggested-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org> Acked-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
The pvrusb2 code appears to have a some old workaround code for xawtv that causes a WARN() due to an unrecognized pixelformat 0 in v4l2_ioctl.c. Since all other MPEG drivers fill this in correctly, it is a safe assumption that this particular problem no longer exists. While I'm at it, clean up the code a bit. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Philipp Zabel authored
V4L2_BUF_FLAG_LAST is a signal from the driver to userspace for buffers on the capture queue. When userspace queues back a capture buffer with the flag set, we should clear it. Otherwise, if userspace restarts streaming after EOS, without reallocating the buffers, mem2mem devices will erroneously signal EOS prematurely, as soon as the already flagged buffer is dequeued. Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Philipp Zabel authored
The mvcol buffer needs to be placed behind the chroma plane(s) when decoding MPEG-4, same as for the h.264 decoder. Use the real offset with the required rounding. Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Philipp Zabel authored
The MPEG-4 decoder mvcol buffer was registered, but its size not added to a frame buffer allocation. This could cause the decoder to write past the end of the allocated buffer for large frame sizes. Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Philipp Zabel authored
We need internal frames to be rounded up to full macroblocks for MPEG-4 decoding as well. Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Philipp Zabel authored
Since bytesperline always fulfills VDOA width requirements, detile the whole buffer instead of limiting to visible width. This stops TRY_FMT from returning -EINVAL for YUYV capture buffers that are not a multiple of 16 wide. An alternative would be to always round up width to stride, as we report the valid image rectange via G_SELECTION (V4L2_SEL_TGT_COMPOSE_DEFAULT), but that would require all applications to handle the compose default rectangle properly. Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Lucas Stach authored
The current driver implementation expects at least one buffer on all queues to start streaming. Properly signal this to the vb2 core, to avoid confusion when streamon is racing with qbuf. Signed-off-by: Lucas Stach <l.stach@pengutronix.de> Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Flavio Ceolin authored
pxa_camera_probe() was not calling pxa_camera_deactivate(), responsible to call clk_disable_unprepare(), on the failure path. This was leading to unbalancing source clock. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Jacopo Mondi authored
videobuf2 core reports an error when not all buffers have been returned to the framework: drivers/media/v4l2-core/videobuf2-core.c:1651 WARN_ON(atomic_read(&q->owned_by_drv_count)) Fix this returning all buffers currently in capture queue. Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
When we split VB2 into an independent streaming module and a V4L2 one, some vb2-core functions started to have a wrong description: they're meant to be used only by the API-specific parts of VB2, like vb2-v4l2, as the functions that V4L2 drivers should use are all under videobuf2-v4l2.h. Correct their descriptions. Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-