Max Kellermann [Tue, 9 Aug 2016 21:33:03 +0000 (18:33 -0300)]
[media] drivers/media/media-device: fix double free bug in _unregister()
While removing all interfaces in media_device_unregister(), all
media_interface pointers are freed. This is illegal and results in
double kfree() if any media_interface is still linked at this point;
maybe because a userspace process still has a file handle. Once the
process closes the file handle, dvb_media_device_free() gets called,
which frees the dvb_device.intf_devnode again.
This patch removes the unnecessary kfree() call, and documents who's
responsible for really freeing it.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Max Kellermann [Tue, 9 Aug 2016 21:32:57 +0000 (23:32 +0200)]
[media] media-entity: clear media_gobj.mdev in _destroy()
media_gobj_destroy() may be called twice on one instance - once by
media_device_unregister() and again by dvb_media_device_free(). The
function media_remove_intf_links() establishes and documents the
convention that mdev==NULL means that the object is not registered,
but nobody ever NULLs this variable. So this patch really implements
this behavior, and adds another mdev==NULL check to
media_gobj_destroy() to protect against double removal.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Max Kellermann [Tue, 9 Aug 2016 21:32:51 +0000 (18:32 -0300)]
[media] dvb_frontend: move kref to struct dvb_frontend
This commit amends my old commit fe35637b0a9f ("[media] dvb_frontend:
eliminate blocking wait in dvb_unregister_frontend()"), which added
kref to struct dvb_frontend_private. It turned out that there are
several use-after-free bugs left, which affect the struct
dvb_frontend. Protecting it with kref also protects struct
dvb_frontend_private, so we can simply move it.
This is how the use-after-free looks like in KASAN:
Max Kellermann [Tue, 9 Aug 2016 21:32:41 +0000 (18:32 -0300)]
[media] dvb_frontend: add "detach" callback
Prepare for making "release" asynchronous (via kref). Some operations
may need to be run synchronously in dvb_frontend_detach(), and that's
why we need a "detach" callback.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
It is not clear what this return value means. All implemenations
return 0, and the one caller ignores the value. Let's remove this
useless return value completely.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Most release callback functions are identical: free the "tuner_priv"
and clear it. Let's eliminate some bloat by providing this simple
implementation in the dvb_frontend library.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Max Kellermann [Tue, 9 Aug 2016 21:32:16 +0000 (18:32 -0300)]
[media] dvb-core/en50221: use dvb_remove_device()
Commit da677fe14364 ("[media] dvb-core/en50221: use kref to manage
struct dvb_ca_private") moved the dvb_unregister_device() call to the
kref callback, but that left lots of stale device state visible to
userspace (e.g. in sysfs). By using dvb_remove_device() and
dvb_free_device() instead of dvb_unregister_device(), we can avoid
that.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Max Kellermann [Tue, 9 Aug 2016 21:32:11 +0000 (18:32 -0300)]
[media] dvbdev: split dvb_unregister_device()
dvb_unregister_device() has a major problem: it combines unregistering
with memory disposal. Sometimes, it is necessary to unregister a
device, but no memory can be freed yet, because a process still has a
(stale) file handle. Therefore, we need to split
dvb_unregister_device(). This will allow sanitizing a few callers.
With my new design, dvb_unregister_device() appears misnamed, but to
reduce patch noise, I'm not renaming it just yet.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Max Kellermann [Tue, 9 Aug 2016 21:32:06 +0000 (18:32 -0300)]
[media] rc-main: clear rc_map.name in ir_free_table()
rc_unregister_device() will first call ir_free_table(), and later
device_del(); however, the latter causes a call to rc_dev_uevent(),
which prints rc_map.name, which at this point has already bee freed.
This fixes a use-after-free bug found with KASAN.
As reported by Shuah:
"I am seeing the following when I do rmmod on au0828
Dan Carpenter [Thu, 14 Jul 2016 10:18:14 +0000 (07:18 -0300)]
[media] blackfin: check devm_pinctrl_get() for errors
devm_pinctrl_get() can fail so we should check for that.
Fixes: 0a6824bc10de ('[media] v4l2: blackfin: select proper pinctrl state in ppi_set_params if CONFIG_PINCTRL is enabled') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
When saa7134 module driving a Medion 7134 card is reloaded reads of this
card EEPROM (required for automatic detection of tuner model) will be
corrupted due to I2C gate in DVB-T demod being left closed.
This sometimes also happens on first saa7134 module load after a warm
reboot.
Fix this by opening this I2C gate before doing EEPROM read during i2c
initialization.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Now that CLK_PROC_STFE is defined as a critical clock in
DT, we can remove the commented clk_disable_unprepare from
the c8sectpfe driver. This means we now have balanced
clk*enable/disable calls in the driver, but on STiH407
family the clock in reality will never actually be disabled.
This is due to a HW bug where once the IP has been configured
and the SLIM core is running, disabling the clock causes a
unrecoverable bus lockup.
Markus Elfring [Fri, 14 Oct 2016 05:19:00 +0000 (02:19 -0300)]
[media] winbond-cir: Use kmalloc_array() in wbcir_tx()
A multiplication for the size determination of a memory allocation
indicated that an array data structure should be processed.
Thus use the corresponding function "kmalloc_array".
This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: David Härdeman <david@hardeman.nu> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Markus Elfring [Thu, 13 Oct 2016 11:23:22 +0000 (08:23 -0300)]
[media] RedRat3: Improve another size determination in redrat3_reset()
Replace the specification of a data type by a pointer dereference
as the parameter for the operator "sizeof" to make the corresponding size
determination a bit safer.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Markus Elfring [Thu, 13 Oct 2016 06:35:57 +0000 (03:35 -0300)]
[media] RedRat3: Use kcalloc() in two functions
* Multiplications for the size determination of memory allocations
indicated that array data structures should be processed.
Thus use the corresponding function "kcalloc".
This issue was detected by using the Coccinelle software.
* Replace the specification of data types by pointer dereferences
to make the corresponding size determination a bit safer according to
the Linux coding style convention.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[media] tvp5150: Get rid of direct calls to printk()
When returning results via v4l2_subdev_core_ops.log_status,
use dev_foo() call, instead of just calling printk()
directly, without even specifying the log message level.
[media] em28xx: convert it from pr_foo() to dev_foo()
Instead of using pr_foo(), use dev_foo(), with provides a
better output. As this device is a multi-interface one,
we'll set the device name to show the chipset and the driver
used.
While here, get rid of printk continuation messages.
[media] v4l2-common: add a debug macro to be used with dev_foo()
Currently, there's a mess at the V4L2 printk macros: some drivers
use their own macros, others use pr_foo() or v4l_foo() macros,
while more modern drivers use dev_foo() macros.
The best is to get rid of v4l_foo() macros, as they can be
replaced by either dev_foo() or pr_foo(). Yet, such change can
be disruptive, as dev_foo() cannot use KERN_CONT. So, the best
is to do such change driver by driver.
There are replacements for most v4l_foo() macros, but it lacks
a way to enable debug messages per level. So, add such macro,
in order to make the conversion easier.
[media] af9005: remove a printk that would require a KERN_CONT
The dvb-usb system has its own macro to print hexa dumps
(debug_dump). Such macro doesn't support messages with
KERN_CONT after commit 563873318d32 ("Merge branch 'printk-cleanups'").
So, let's get rid of a printk() that would be assuming that
this would work.
[media] dibx000_common: use pr_foo() instead of printk()
The dprintk() macro relies on continuation lines. This is not
a good practice and will break after commit 563873318d32
("Merge branch 'printk-cleanups'").
So, instead of directly calling printk(), use pr_foo() macros,
adding a \n leading char on each macro call.
The dprintk() macro relies on continuation lines. This is not
a good practice and will break after commit 563873318d32
("Merge branch 'printk-cleanups'").
So, instead of directly calling printk(), use pr_foo() macros,
adding a\n leading char on each macro call.
The dprintk() macro relies on continuation lines. This is not
a good practice and will break after commit 563873318d32
("Merge branch 'printk-cleanups'").
So, instead of directly calling printk(), use pr_foo() macros,
adding a\n leading char on each macro call.
[media] dib7000p: use pr_foo() instead of printk()
The dprintk() macro relies on continuation lines. This is not
a good practice and will break after commit 563873318d32
("Merge branch 'printk-cleanups'").
So, instead of directly calling printk(), use pr_foo() macros,
adding a \n leading char on each macro call.
[media] dib7000m: use pr_foo() instead of printk()
The dprintk() macro relies on continuation lines. This is not
a good practice and will break after commit 563873318d32
("Merge branch 'printk-cleanups'").
So, instead of directly calling printk(), use pr_foo() macros,
adding a \n leading char on each macro call.
[media] dib3000mc: use pr_foo() instead of printk()
The dprintk() macro relies on continuation lines. This is not
a good practice and will break after commit 563873318d32
("Merge branch 'printk-cleanups'").
So, instead of directly calling printk(), use pr_foo() macros,
adding a \n leading char on each macro call.
[media] dib3000mb: use pr_foo() instead of printk()
The dprintk() macro relies on continuation lines. This is not
a good practice and will break after commit 563873318d32
("Merge branch 'printk-cleanups'").
So, instead of directly calling printk(), use pr_foo() macros,
adding a \n leading char on each macro call.
The frontend settings also rely on continuation lines. Change
it to avoid the need of adding pr_cont() calls.
The dprintk() macro relies on continuation lines. This is not
a good practice and will break after commit 563873318d32
("Merge branch 'printk-cleanups").
So, instead of directly calling printk(), use pr_foo() macros,
adding a \n leading char on each macro call.
The dprintk() macro relies on continuation lines. This is not
a good practice and will break after commit 563873318d32
("Merge branch 'printk-cleanups").
So, instead of directly calling printk(), use pr_foo() macros,
adding a \n leading char on each macro call.
[media] ttpci: cleanup debug macros and remove dead code
Continuation lines without KERN_CONT won't work anymore.
However, the way dprintk() was defined leads to the usage
of continuation lines, with should be avoided when possible.
So, redefine those macros.
While hre, remove some dead code at av7110.c with also
relies on continuation lines.
This driver is old, and have lots of checkpatch violations.
As we're touching a lot on this driver due to the printk
conversions, let's run checkpatch --fix on it, in order to
solve some of those issues.
Also, do a few manual adjustments:
- remove the FSF address and use the usual coding style
for the initial comments;
- use WARN_ON() instead of BUG_ON();
- remove an unused typedef;
- break a few long lines.
This file was converted to a separate module at commit 7a0786c19d65
("gp8psk: Fix DVB frontend attach"), because the DVB attach routines
require it to work. However, I forgot to copy the MODULE_foo() macros
from the original module, causing this warning:
WARNING: modpost: missing MODULE_LICENSE() in drivers/media/dvb-frontends/gp8psk-fe.o
This driver has printk continuation lines for debugging purposes.
Since commit 563873318d32 ("Merge branch 'printk-cleanups'")',
this won't work as expected anymore.
[media] stb0899_drv: get rid of continuation lines
This driver has printk continuation lines for debugging purposes.
Since commit 563873318d32 ("Merge branch 'printk-cleanups'")',
this won't work as expected anymore.
Marek Szyprowski [Mon, 14 Nov 2016 14:09:26 +0000 (12:09 -0200)]
[media] s5p-mfc: Fix clock management in s5p_mfc_release() function
Clock control indirectly requires access to MFC device, so call it only
if we are sure that the device exists in s5p_mfc_release function.
s5p_mfc_remove() calls s5p_mfc_final_pm(), which releases all PM related
resources, including clocks, so any call to clocks related functions
is not valid after s5p_mfc_final_pm().
Marek Szyprowski [Thu, 10 Nov 2016 10:31:23 +0000 (08:31 -0200)]
[media] s5p-mfc: Use clock gating only on MFC v5 hardware
Newer MFC hardware have internal clock gating feature, so additional
software-triggered clock gating sometimes causes misbehavior of the MFC
firmware and results in freeze or crash. This patch changes the driver
to use software-triggered clock gating only when working with v5 MFC
hardware, where it has been proven to work properly.
Donghwa Lee [Thu, 10 Nov 2016 10:31:22 +0000 (08:31 -0200)]
[media] s5p-mfc: Skip incomplete frame
Currently, when incomplete frame is received in the middle of
decoding, driver treats it as an error, so src/dst queue and
clock are cleaned. Although it is obviously error case, it is
needed to maintain video decoding in case of necessity. This
patch supports skip incomplete frame to next.
Signed-off-by: Donghwa Lee <dh09.lee@samsung.com> Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com> Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[media] exynos-gsc: Add support for Exynos5433 specific version
This patch adds support for Exynos5433 specific version of the GScaler
module. The main difference between Exynos 5433 and earlier is addition
of new clocks that have to be controlled.
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com> Tested-by: Javier Martinez Canillas <javier@osg.samsung.com> Acked-by: Krzysztof Kozlowski <krzk@kernel.org> Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Ulf Hansson [Wed, 9 Nov 2016 14:23:52 +0000 (12:23 -0200)]
[media] exynos-gsc: Make driver functional when CONFIG_PM is unset
The driver depended on CONFIG_PM to be functional. Let's remove that
dependency, by enable the runtime PM resourses during ->probe() and
update the device's runtime PM status to reflect this.
[media] exynos-gsc: unregister video device node on driver removal
The driver doesn't unregister the video device node when the driver is
removed, this keeps video device nodes that makes the machine to crash
with a NULL pointer dereference when nodes are attempted to be opened:
[ 36.530006] Unable to handle kernel paging request at virtual address bf1f8200
[ 36.535985] pgd = edbbc000
[ 36.538486] [bf1f8200] *pgd=6d99a811, *pte=00000000, *ppte=00000000
[ 36.544727] Internal error: Oops: 7 [#1] PREEMPT SMP ARM
[ 36.550016] Modules linked in: s5p_jpeg s5p_mfc v4l2_mem2mem videobuf2_dma_contig
[ 36.566303] CPU: 6 PID: 533 Comm: v4l2-ctl Not tainted 4.8.0
[ 36.574466] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[ 36.580526] task: ee3cc600 task.stack: ed626000
[ 36.585046] PC is at try_module_get+0x1c/0xac
[ 36.589364] LR is at try_module_get+0x1c/0xac
[ 36.593698] pc : [<c0187a60>] lr : [<c0187a60>] psr: 80070013
[ 36.593698] sp : ed627de0 ip : a0070013 fp : 00000000
[ 36.605156] r10: 00000002 r9 : ed627ed0 r8 : 00000000
[ 36.610331] r7 : c01e5f14 r6 : ed57be00 r5 : bf1f8200 r4 : bf1f8200
[ 36.616834] r3 : 00000002 r2 : 00000002 r1 : 01930192 r0 : 00000001
..
[ 36.785004] [<c0187a60>] (try_module_get) from [<c01e5c10>] (cdev_get+0x1c/0x4c)
[ 36.792362] [<c01e5c10>] (cdev_get) from [<c01e5f40>] (chrdev_open+0x2c/0x178)
[ 36.799555] [<c01e5f40>] (chrdev_open) from [<c01df5d4>] (do_dentry_open+0x1e0/0x300)
[ 36.807360] [<c01df5d4>] (do_dentry_open) from [<c01eecdc>] (path_openat+0x35c/0xf58)
[ 36.815154] [<c01eecdc>] (path_openat) from [<c01f0668>] (do_filp_open+0x5c/0xc0)
[ 36.822606] [<c01f0668>] (do_filp_open) from [<c01e09ac>] (do_sys_open+0x10c/0x1bc)
[ 36.830235] [<c01e09ac>] (do_sys_open) from [<c01078c0>] (ret_fast_syscall+0x0/0x3c)
[ 36.837942] Code: 0a00001ce1a04000e3a00001ebfec92d (e5943000)
[media] exynos-gsc: don't release a non-dynamically allocated video_device
The struct v4l2_device instance for the G-Scaler is not dyanmically
allocated but a member of the struct gsc_dev. In fact, the assigned
.release callback is video_device_release_empty().
But gsc_register_m2m_device() attempts to release the v4l2_device by
calling video_device_release() in its error path. This is wrong since
the v4l2_device wasn't allocated directly and will be freed once its
parent struct gsc_dev is freed.
While being there, rename the remaining goto label in the error path
to something that better explains the error path cleanup.
[media] exynos-gsc: do proper bytesperline and sizeimage calculation
The driver don't take into account the differences between packed, semi
planar and multi planar formats when calculating the pixel format bytes
per lines and image size values. This makes GStreamer to fail when the
following formats are used NV12, NV21, NV16, NV61, YV12, I420 and Y42B:
"gst_video_frame_map_id: failed to map video frame plane 1"
Nicolas suggested to use the logic found in the Exynos FIMC v4l2 driver
since does this correctly. So this patch changes the bytes per line and
image size calculation according to what's done in this media driver.
After this patch most supported formats work correctly. There are still
issues with the NV21 and NV61 formats, but that seems to be a separate
problem since NV12 and NV16 work and these formats use the same values.
So this can be fixed as a follow-up and shouldn't be a blocker for this
change that improves the driver's support.
Suggested-by: Nicolas Dufresne <nicolas.dufresne@collabora.com> Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com> Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[media] exynos-gsc: fix supported RGB pixel format
The driver exposes 32-bit A/XRGB 8-8-8-8 as supported format but testing
shows that using this format produces frames with wrong colors. The test
was done with the following GStreamer pipeline:
The manual seems to state that the Pixel Format are in Little Endianness
so instead use the 32-bit BGRA/X 8-8-8-8 pixel format. This format works
correctly when using the following pipeline:
[media] exynos-gsc: don't clear format when freeing buffers with REQBUFS(0)
User-space applications can use the VIDIOC_REQBUFS ioctl to determine if a
memory mapped, user pointer or DMABUF based I/O is supported by a driver.
For example, GStreamer attempts to determine the I/O methods supported by
the driver by doing many VIDIOC_REQBUFS ioctl calls with different memory
types and count 0. And then the real VIDIOC_REQBUFS call with count == n
is be made to allocate the buffers. But for count 0, the driver not only
frees the buffers but also clears the format set before with VIDIOC_S_FMT.
This is a problem since STREAMON fails if a format isn't set but GStreamer
first sets a format and then tries to determine the supported I/O methods,
so the format will be cleared on REQBUFS(0), before the call to STREAMON.
To avoid this issue, only free the buffers on VIDIOC_REQBUFS(0) but don't
clear the format. Since is completely valid to set the format and then do
different calls to REQBUFS before a call to STREAMON.
[media] exynos-gsc: change spamming try_fmt log message to debug
The driver try_fmt handler prints a message each time that the image
size has been changed due the maximum and minimum width and height.
Since user-space can try different format and sizes, this logs a lot
of unnecessary messages. Change the message log level to debug and
while being there, also add a new line to the message.
Nicolas Dufresne [Wed, 26 Mar 2014 22:48:39 +0000 (19:48 -0300)]
[media] exynos4-is: fimc: Roundup imagesize to row size for tiled formats
For tiled format, we need to allocated a multiple of the row size. A
good example is for 1280x720, wich get adjusted to 1280x736. In tiles,
this mean Y plane is 20x23 and UV plane 20x12. Because of the rounding,
the previous code would only have enough space to fit half of the last
row.
The FDP1 is a de-interlacing module which converts interlaced video to
progressive video. It is also capable of performing pixel format conversion
between YCbCr/YUV formats and RGB formats.