[media] s5p-mfc: use vb2_is_streaming() to check vb2 queue status
The streaming field in struct vb2_queue is meant to be private and should
not be used by drivers directly, instead the vb2_is_streaming() function
should be used to check the videobuf2 queue streaming status.
[media] s5p-mfc: don't print errors on VIDIOC_REQBUFS unsupported mem type
The V4L2 documentation says that applications must call the VIDIOC_REQBUFS
ioctl to determine if a memory mapped, user pointer or DMABUF based I/O is
supported by the driver.
For example GStreamer does this by first calling VIDIOC_REQBUFS with count
zero for all the possible streaming I/O methods and then finally doing the
real VIDIOC_REQBUFS with count N using a known to be supported memory type.
But the driver prints an error on VIDIOC_REQBUFS if the memory type is not
supported which leads to the following errors that can confuse the users:
[ 178.704390] vidioc_reqbufs:575: Only V4L2_MEMORY_MMAP is supported
[ 178.704666] vidioc_reqbufs:575: Only V4L2_MEMORY_MMAP is supported
[ 178.714956] vidioc_reqbufs:575: Only V4L2_MEMORY_MMAP is supported
[ 178.715229] vidioc_reqbufs:575: Only V4L2_MEMORY_MMAP is supported
Shuah Khan [Tue, 28 Jun 2016 19:17:18 +0000 (16:17 -0300)]
[media] s5p-mfc: fix null pointer deference in clk_core_enable()
Fix null pointer deference in clk_core_enable() when driver unbind is run
when there is an application has an active pipeline playing.
s5p_mfc_release() gets called after s5p_mfc_final_pm() disables and does
clk_put() and s5p_mfc_release() attempts to enable clock and runs into
null pointer deference accessing invalid pointer.
Shuah Khan [Tue, 28 Jun 2016 19:17:16 +0000 (16:17 -0300)]
[media] s5p-mfc: fix video device release double release in probe error path
Fix Decoder and encoder video device double release in probe error path.
video_device_release(dev->vfd_dec) get called twice if decoder register
fails. Also, video_device_release(dev->vfd_enc) get called twice if encoder
register fails.
Tiffany Lin [Tue, 3 May 2016 10:11:24 +0000 (07:11 -0300)]
[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver
Add v4l2 layer encoder driver for MT8173
Signed-off-by: Tiffany Lin <tiffany.lin@mediatek.com>
[hans.verkuil@cisco.com: drop unnecessary ARM || ARM64 dependency] Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Andrew-CT Chen [Tue, 3 May 2016 10:11:21 +0000 (07:11 -0300)]
[media] VPU: mediatek: support Mediatek VPU
The VPU driver for hw video codec embedded in Mediatek's MT8173 SOCs.
It is able to handle video decoding/encoding of in a range of formats.
The driver provides with VPU firmware download, memory management and
the communication interface between CPU and VPU.
For VPU initialization, it will create virtual memory for CPU access and
IOMMU address for vcodec hw device access. When a decode/encode instance
opens a device node, vpu driver will download vpu firmware to the device.
A decode/encode instant will decode/encode a frame using VPU
interface to interrupt vpu to handle decoding/encoding jobs.
Signed-off-by: Andrew-CT Chen <andrew-ct.chen@mediatek.com> Signed-off-by: Tiffany Lin <tiffany.lin@mediatek.com>
[hans.verkuil@cisco.com: drop unnecessary ARM || ARM64 dependency] Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Laurent Pinchart [Wed, 15 Jun 2016 23:27:58 +0000 (20:27 -0300)]
[media] videodev2.h: Group YUV 3 planes formats together
The formats are interleaved with the YUV packed and miscellaneous
formats, making the result confusing especially with the YUV444 format
being packed and not planar like YUV410 or YUV420. Move them to their
own group as the 2 planes or 3 non-contiguous planes formats to clarify
the header.
Add detection of source pad number for drivers aware of the media controller
API, so that rcar-vin can create device nodes to support modern drivers such
as adv7604.c (for HDMI on Lager) and the converted adv7180.c (for composite)
underneath.
Building rcar_vin gains a dependency on CONFIG_MEDIA_CONTROLLER, in
line with requirements for building the drivers associated with it.
Signed-off-by: William Towle <william.towle@codethink.co.uk> Signed-off-by: Rob Taylor <rob.taylor@codethink.co.uk>
[ulrich.hecht+renesas@gmail.com: adapted to rcar-vin rewrite] Signed-off-by: Ulrich Hecht <ulrich.hecht+renesas@gmail.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Laurent Pinchart [Tue, 24 May 2016 11:53:39 +0000 (08:53 -0300)]
[media] adv7604: Don't ignore pad number in subdev DV timings pad operations
The dv_timings_cap() and enum_dv_timings() pad operations take a pad
number as an input argument and return the DV timings capabilities and
list of supported DV timings for that pad.
Commit bd3e275f3ec0 ("[media] media: i2c: adv7604: Use v4l2-dv-timings
helpers") broke this as it started ignoring the pad number, always
returning the information associated with the currently selected input.
Fix it.
Markus Pargmann [Mon, 14 Dec 2015 14:41:53 +0000 (12:41 -0200)]
[media] v4l: mt9v032: Add V4L2 controls for AEC and AGC
This patch adds V4L2 controls for Auto Exposure Control and Auto Gain
Control settings. These settings include low pass filter, update
frequency of these settings and the update interval for those units.
[Avoid forward declarations]
[Fix 80 columns limit violation]
[Rename controls to avoid underscores in names]
[Fix the AEC maximum shutter width on MT9V032]
Markus Pargmann [Mon, 14 Dec 2015 14:41:52 +0000 (12:41 -0200)]
[media] v4l: mt9v032: Do not unset master_mode
The power_on function of the driver resets the chip and sets the
CHIP_CONTROL register to 0. This switches the operating mode to slave.
The s_stream function sets the correct mode. But this caused problems on
a board where the camera chip is operated as master. The camera started
after a random amount of time streaming an image, I observed between 10
and 300 seconds.
The STRFM_OUT and STLN_OUT pins are not connected on this board which
may cause some issues in slave mode. I could not find any documentation
about this.
Keeping the chip in master mode after the reset helped to fix this
issue for me.
Axel Lin [Sun, 10 Aug 2014 09:41:49 +0000 (06:41 -0300)]
[media] v4l: mt9v032: Remove duplicate test for I2C_FUNC_SMBUS_WORD_DATA functionality
Since commit b42261078a91 ("regmap: i2c: fallback to SMBus if the adapter
does not support standard I2C"), regmap-i2c will check the
I2C_FUNC_SMBUS_[BYTE|WORD]_DATA functionality based on the regmap_config
setting if the adapter does not support standard I2C.
So remove the I2C_FUNC_SMBUS_WORD_DATA functionality check in the driver code.
Signed-off-by: Axel Lin <axel.lin@ingics.com> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Ezequiel Garcia [Sat, 4 Jun 2016 23:47:20 +0000 (20:47 -0300)]
[media] tw686x: audio: Prevent hw param changes while busy
Audio hw params are shared across all DMA channels,
so if the user changes any of these while any DMA channel is
enabled, it will impact the enabled channels, potentially causing
serious instability issues.
This commit avoids such situation, by preventing any hw param
change (on any DMA channel) if any other DMA audio channel is capturing.
Ezequiel Garcia [Sat, 4 Jun 2016 23:47:19 +0000 (20:47 -0300)]
[media] tw686x: audio: Allow to configure the period size
Currently, the driver has a fixed period size of 4096 bytes
(2048 frames). Since this hardware can configure the audio
capture size, this commit allows a period size range of [512-4096].
Now that we've introduced the dma_mode parameter to pick the
DMA operation, let's use it to also select the audio DMA
operation.
When dma_mode != memcpy, the driver will avoid using memcpy
in the audio capture path, and the DMA hardware operation
will act directly on the ALSA buffers.
Ezequiel Garcia [Sat, 4 Jun 2016 23:47:16 +0000 (20:47 -0300)]
[media] tw686x: Add support for DMA contiguous interlaced frame mode
Now that the driver has the infrastructure to support more
DMA modes, let's add the DMA contiguous interlaced frame mode.
In this mode, the DMA P and B buffers are programmed with
the user-provided buffers. When a P (or B) frame is ready,
a new buffer is dequeued into P (or B).
In addition to interlaced fields, the device can also be
programmed to deliver alternate fields. Only interlaced
mode is supported for now.
Tested-by: Tim Harvey <tharvey@gateworks.com> Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Ezequiel Garcia [Sat, 4 Jun 2016 23:47:15 +0000 (20:47 -0300)]
[media] tw686x: Introduce an interface to support multiple DMA modes
Let's set the corner stone to support all the DMA modes
available on this device.
For stability reasons, the driver is currently setting DMA frame
mode, and using single DMA buffers to get the P and B buffers.
Each frame is then memcpy'ed into the user buffer.
However, other platforms might be interested in avoiding this
memcpy, or in taking advantage of the chip's DMA scatter-gather
capabilities.
To achieve this, this commit introduces a "dma_mode" module parameter,
and a tw686x_dma_ops struct. This will allow to define functions to
alloc/free DMA buffers, and to return the frames to userspace.
The memcpy-based method described above is named as dma_mode="memcpy".
Current alloc/free functions are renamed as tw686x_memcpy_xxx,
and are now used through a memcpy_dma_ops.
Tested-by: Tim Harvey <tharvey@gateworks.com> Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Those structs are used only at bdisp-hw, so they shouldn't be
there in a header file that it is used elsewhere.
This fixes the following Gcc 6.1 warnings:
In file included from drivers/media/platform/sti/bdisp/bdisp-debug.c:11:0:
drivers/media/platform/sti/bdisp/bdisp-filter.h:207:65: warning: ‘bdisp_v_spec’ defined but not used [-Wunused-const-variable=]
static const struct __maybe_unused bdisp_filter_v_spec bdisp_v_spec[] = {
^~~~~~~~~
In file included from drivers/media/platform/sti/bdisp/bdisp-debug.c:11:0:
drivers/media/platform/sti/bdisp/bdisp-filter.h:23:65: warning: ‘bdisp_h_spec’ defined but not used [-Wunused-const-variable=]
static const struct __maybe_unused bdisp_filter_h_spec bdisp_h_spec[] = {
^~~~~~~~~
drivers/media/i2c/adv7842.c:2400:27: warning: 'prim_mode_txt' defined but not used [-Wunused-const-variable=]
static const char * const prim_mode_txt[] = {
^~~~~~~~~~~~~
That seems to be useful for debug, and likely were used before.
While we could simply remove, let's comment it out, for now.
drivers/media/usb/em28xx/em28xx-dvb.c:907:38: warning: 'pctv_461e_m88ds3103_config' defined but not used [-Wunused-const-variable=]
static const struct m88ds3103_config pctv_461e_m88ds3103_config = {
^~~~~~~~~~~~~~~~~~~~~~~~~~
That's a left over of patch 76b91be3d360a ('em28xx: PCTV 461e use I2C
client for demod and SEC').
Gcc 6.1 warns about some unused vars. Remove them:
drivers/media/platform/vivid/vivid-vid-cap.c:40:2: warning: 'tpf_default' defined but not used [-Wunused-const-variable=]
tpf_default = {.numerator = 1, .denominator = 30};
^~~~~~~~~~~
drivers/media/platform/vivid/vivid-sdr-cap.c:54:27: warning: 'NUM_FORMATS' defined but not used [-Wunused-const-variable=]
static const unsigned int NUM_FORMATS = ARRAY_SIZE(formats);
^~~~~~~~~~~
drivers/media/pci/zoran/zr36016.c:251:18: warning: 'zr016_yoff' defined but not used [-Wunused-const-variable=]
static const int zr016_yoff[] = { 8, 9, 7 };
^~~~~~~~~~
drivers/media/pci/zoran/zr36016.c:250:18: warning: 'zr016_xoff' defined but not used [-Wunused-const-variable=]
static const int zr016_xoff[] = { 20, 20, 20 };
^~~~~~~~~~
Those tables aren't used anywere. So, remove them.
As Gcc6.1 warned, those tables are currently unused:
drivers/media/tuners/r820t.c:349:18: warning: 'r820t_mixer_gain_steps' defined but not used [-Wunused-const-variable=]
static const int r820t_mixer_gain_steps[] = {
^~~~~~~~~~~~~~~~~~~~~~
drivers/media/tuners/r820t.c:345:18: warning: 'r820t_lna_gain_steps' defined but not used [-Wunused-const-variable=]
static const int r820t_lna_gain_steps[] = {
^~~~~~~~~~~~~~~~~~~~
They're actually used only by a routine that it is currently
commented out. So, move those tables to be together with such
code and comment them out.
Those tables are currently unused, so comment them out:
drivers/media/dvb-frontends/dib0090.c:852:18: warning: 'rf_ramp_pwm_sband' defined but not used [-Wunused-const-variable=]
static const u16 rf_ramp_pwm_sband[] = {
^~~~~~~~~~~~~~~~~
drivers/media/dvb-frontends/dib0090.c:800:18: warning: 'bb_ramp_pwm_boost' defined but not used [-Wunused-const-variable=]
static const u16 bb_ramp_pwm_boost[] = {
^~~~~~~~~~~~~~~~~
drxj: comment out the unused nicam_presc_table_val table
Avoid this warning:
drivers/media/dvb-frontends/drx39xyj/drxj.c:1243:18: warning: 'nicam_presc_table_val' defined but not used [-Wunused-const-variable=]
static const u16 nicam_presc_table_val[43] = {
^~~~~~~~~~~~~~~~~~~~~
The PCI device ID table is only used if compiled with modules
support. When compiled with modules disabled, this is now
producing this bogus warning:
drivers/media/pci/cx25821/cx25821-alsa.c:696:35: warning: 'cx25821_audio_pci_tbl' defined but not used [-Wunused-const-variable=]
static const struct pci_device_id cx25821_audio_pci_tbl[] = {
^~~~~~~~~~~~~~~~~~~~~
Fix it by annotating that the function may not be used.
The header file has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
The header file has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
The header file has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
The header file has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
The header file has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
The mc5602_s5k4aa.h has some private static structures that
are used only by the C file. Move those structures to the C file,
in order to shut up gcc 6.1 warnings.
The mc5602_brigde.h is included at m5602 submodules. This
causes Gcc 6.1 to complain:
drivers/media/usb/gspca/m5602/m5602_bridge.h:124:28: warning: 'sensor_urb_skeleton' defined but not used [-Wunused-const-variable=]
static const unsigned char sensor_urb_skeleton[] = {
^~~~~~~~~~~~~~~~~~~
drivers/media/usb/gspca/m5602/m5602_bridge.h:119:28: warning: 'bridge_urb_skeleton' defined but not used [-Wunused-const-variable=]
static const unsigned char bridge_urb_skeleton[] = {
^~~~~~~~~~~~~~~~~~~
Let's shut up gcc 6.1 warnings by moving those data structures
to the core, as they're used only there.
drivers/media/pci/cx18/cx18-driver.h:497:18: warning: 'vbi_hblank_samples_50Hz' defined but not used [-Wunused-const-variable=]
static const u32 vbi_hblank_samples_50Hz = 284; /* 4 byte EAV + 280 anc/fill */
^~~~~~~~~~~~~~~~~~~~~~~
drivers/media/pci/cx18/cx18-driver.h:496:18: warning: 'vbi_hblank_samples_60Hz' defined but not used [-Wunused-const-variable=]
static const u32 vbi_hblank_samples_60Hz = 272; /* 4 byte EAV + 268 anc/fill */
^~~~~~~~~~~~~~~~~~~~~~~
In file included from drivers/media/pci/cx18/cx18-cards.c:25:0:
drivers/media/pci/cx18/cx18-driver.h:497:18: warning: 'vbi_hblank_samples_50Hz' defined but not used [-Wunused-const-variable=]
static const u32 vbi_hblank_samples_50Hz = 284; /* 4 byte EAV + 280 anc/fill */
^~~~~~~~~~~~~~~~~~~~~~~
drivers/media/pci/cx18/cx18-driver.h:496:18: warning: 'vbi_hblank_samples_60Hz' defined but not used [-Wunused-const-variable=]
static const u32 vbi_hblank_samples_60Hz = 272; /* 4 byte EAV + 268 anc/fill */
^~~~~~~~~~~~~~~~~~~~~~~
drivers/media/pci/cx18/cx18-driver.h:495:18: warning: 'vbi_active_samples' defined but not used [-Wunused-const-variable=]
static const u32 vbi_active_samples = 1444; /* 4 byte SAV + 720 Y + 720 U/V */
^~~~~~~~~~~~~~~~~~
In this specific case, this is somewhat intentional, as those
values are actually used in parts of the driver. The code assumes
that gcc optimizer it and not actually create any var, but convert
it to immediate access at the routines.
Yet, as we want to shut up gcc warnings, let's use #define, with
is the standard way to store values that will use assembler's
immediate access code.
Gcc 6.1 warns about some unused vars and functions. Remove them:
drivers/media/platform/exynos4-is/mipi-csis.c:665:46: warning: 's5pcsis_sd_internal_ops' defined but not used [-Wunused-const-variable=]
static const struct v4l2_subdev_internal_ops s5pcsis_sd_internal_ops = {
^~~~~~~~~~~~~~~~~~~~~~~
drivers/media/platform/exynos4-is/mipi-csis.c:652:12: warning: 's5pcsis_open' defined but not used [-Wunused-function]
static int s5pcsis_open(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh)
^~~~~~~~~~~~
Gcc 6.1 warns about some unused vars. Remove them:
drivers/media/usb/usbvision/usbvision-core.c:94:18: warning: 'min_imgheight' defined but not used [-Wunused-const-variable=]
static const int min_imgheight = MIN_FRAME_HEIGHT;
^~~~~~~~~~~~~
drivers/media/usb/usbvision/usbvision-core.c:93:18: warning: 'min_imgwidth' defined but not used [-Wunused-const-variable=]
static const int min_imgwidth = MIN_FRAME_WIDTH;
^~~~~~~~~~~~
drivers/media/usb/usbvision/usbvision-core.c:92:18: warning: 'max_imgheight' defined but not used [-Wunused-const-variable=]
static const int max_imgheight = MAX_FRAME_HEIGHT;
^~~~~~~~~~~~~
drivers/media/usb/usbvision/usbvision-core.c:91:18: warning: 'max_imgwidth' defined but not used [-Wunused-const-variable=]
static const int max_imgwidth = MAX_FRAME_WIDTH;
^~~~~~~~~~~~
Two parameters were documented with a wrong name, and a struct
device pointer description was missing.
That caused the following warnings, when building documentation:
include/media/media-devnode.h:102: warning: No description found for parameter 'media_dev'
include/media/media-devnode.h:126: warning: No description found for parameter 'mdev'
include/media/media-devnode.h:126: warning: Excess function parameter 'media_dev' description in 'media_devnode_register'
Rename the description, to match the function parameter and fix
Documentation.
drivers/media/platform/rcar-vin/rcar-core.c: In function 'rvin_graph_notify_complete':
drivers/media/platform/rcar-vin/rcar-core.c:65:22: warning: variable 'sd' set but not used [-Wunused-but-set-variable]
struct v4l2_subdev *sd;
^
Sakari Ailus [Sun, 3 Apr 2016 19:31:03 +0000 (16:31 -0300)]
[media] videobuf2-v4l2: Verify planes array in buffer dequeueing
When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
which will be dequeued is not known until the buffer has been removed from
the queue. The number of planes is specific to a buffer, not to the queue.
This does lead to the situation where multi-plane buffers may be requested
and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
struct with fewer planes.
__fill_v4l2_buffer() however uses the number of planes from the dequeued
videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
in video_usercopy() in v4l2-ioctl.c) if the user provided fewer
planes than the dequeued buffer had. Oops!
Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2") Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> Cc: stable@vger.kernel.org # for v4.4 and later Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Sakari Ailus [Wed, 11 May 2016 21:44:32 +0000 (18:44 -0300)]
[media] vb2: core: Skip planes array verification if pb is NULL
An earlier patch fixing an input validation issue introduced another
issue: vb2_core_dqbuf() is called with pb argument value NULL in some
cases, causing a NULL pointer dereference. Fix this by skipping the
verification as there's nothing to verify.
Fixes: e7e0c3e26587 ("[media] videobuf2-core: Check user space planes array in dqbuf") Signed-off-by: David R <david@unsolicited.net> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com> Cc: stable@vger.kernel.org # for v4.4 and later Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Shuah Khan [Fri, 10 Jun 2016 17:37:23 +0000 (14:37 -0300)]
[media] media: fix media devnode ioctl/syscall and unregister race
Media devnode open/ioctl could be in progress when media device unregister
is initiated. System calls and ioctls check media device registered status
at the beginning, however, there is a window where unregister could be in
progress without changing the media devnode status to unregistered.
process 1 process 2
fd = open(/dev/media0)
media_devnode_is_registered()
(returns true here)
media_device_unregister()
(unregister is in progress
and devnode isn't
unregistered yet)
...
ioctl(fd, ...)
__media_ioctl()
media_devnode_is_registered()
(returns true here)
...
media_devnode_unregister()
...
(driver releases the media device
memory)
media_device_ioctl()
(By this point
devnode->media_dev does not
point to allocated memory.
use-after free in in mutex_lock_nested)
BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr ffff8801ebe914f0
Fix it by clearing register bit when unregister starts to avoid the race.
process 1 process 2
fd = open(/dev/media0)
media_devnode_is_registered()
(could return true here)
media_device_unregister()
(clear the register bit,
then start unregister.)
...
ioctl(fd, ...)
__media_ioctl()
media_devnode_is_registered()
(return false here, ioctl
returns I/O error, and
will not access media
device memory)
...
media_devnode_unregister()
...
(driver releases the media device
memory)
Shuah Khan [Wed, 4 May 2016 19:48:28 +0000 (16:48 -0300)]
[media] media: fix use-after-free in cdev_put() when app exits after driver unbind
When driver unbinds while media_ioctl is in progress, cdev_put() fails with
when app exits after driver unbinds.
Add devnode struct device kobj as the cdev parent kobject. cdev_add() gets
a reference to it and releases it in cdev_del() ensuring that the devnode
is not deallocated as long as the application has the device file open.
media_devnode_register() initializes the struct device kobj before calling
cdev_add(). media_devnode_unregister() does cdev_del() and then deletes the
device. devnode is released when the last reference to the struct device is
gone.
This problem is found on uvcvideo, em28xx, and au0828 drivers and fix has
been tested on all three.
kernel: [ 193.599736] BUG: KASAN: use-after-free in cdev_put+0x4e/0x50
kernel: [ 193.599745] Read of size 8 by task media_device_te/1851
kernel: [ 193.599792] INFO: Allocated in __media_device_register+0x54
kernel: [ 193.599951] INFO: Freed in media_devnode_release+0xa4/0xc0
struct media_devnode is currently embedded at struct media_device.
While this works fine during normal usage, it leads to a race
condition during devnode unregister. the problem is that drivers
assume that, after calling media_device_unregister(), the struct
that contains media_device can be freed. This is not true, as it
can't be freed until userspace closes all opened /dev/media devnodes.
In other words, if the media devnode is still open, and media_device
gets freed, any call to an ioctl will make the core to try to access
struct media_device, with will cause an use-after-free and even GPF.
Fix this by dynamically allocating the struct media_devnode and only
freeing it when it is safe.
For the third time in three years, I'm changing my e-mail at
Samsung. That's bad, as it may stop communications with me for
a while. So, this time, I'll also the mchehab@kernel.org e-mail,
as it remains stable since ever.
Colin Ian King [Tue, 10 May 2016 05:40:22 +0000 (02:40 -0300)]
[media] m88rs2000: initialize status to zero
status is not initialized so it can contain garbage. The
check for status containing the FE_HAS_LOCK bit may randomly pass
or fail if the read of register 0x8c fails to set status after 25
read attempts. Fix this by initializing status to 0.
Issue found with CoverityScan, CID#986738
Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
[media] af9035: fix for MXL5007T devices with I2C read issues
The MXL5007T tuner will lock-up on some devices after an I2C read
transaction. This patch works around this issue by inhibiting such
operations and emulating a 0x00 response. The workaround is only
applied to USB devices known to exhibit this flaw.
This patch will modify the af9035 driver to use the register address
fields of the I2C read command for the combined write/read transaction
case. Without this change, the firmware issues just a I2C read
transaction without the preceding write transaction to select the
register.
[media] of: reserved_mem: restore old behavior when no region is defined
Change return value back to -ENODEV when no region is defined for given
device. This restores old behavior of this function, as some drivers rely
on such error code.
Fixes: 59ce4039727ef40 ("of: reserved_mem: add support for using more than
one region for given device")
[media] rtl28xxu: auto-select more DVB-frontends and tuners
This adds the missing auto-select bits for DVB-frontends and tuners
(if MEDIA_SUBDRV_AUTOSELECT is enabled) which are used by the various
rtl28xxu devices.
The driver itself probes for three more tuners, but it's not actually
using any of them:
- MEDIA_TUNER_MT2063
- MEDIA_TUNER_MT2266
- MEDIA_TUNER_MXL5007T
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
ayaka [Sat, 7 May 2016 05:05:24 +0000 (02:05 -0300)]
[media] s5p-mfc: Add handling of buffer freeing reqbufs request
The encoder forget the work to call hardware to release its buffers.
This patch came from chromium project. I just change its code
style and make the API match with new kernel.
[media] helene: fix a warning when printing sizeof()
drivers/media/dvb-frontends/helene.c: In function 'helene_write_regs':
drivers/media/dvb-frontends/helene.c:312:5: warning: format '%lu' expects argument of type 'long unsigned int', but argument 5 has type 'unsigned int' [-Wformat=]
"wr reg=%04x: len=%d vs %lu is too big!\n",
^