From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Tue, 13 Dec 2022 19:36:58 +0000 (-0800)
Subject: Merge tag 'media/v6.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab... 
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=cdb9d3537711939e4d8fd0de2889c966f88346eb;p=linux.git

Merge tag 'media/v6.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Pull media updates from Mauro Carvalho Chehab:

 - DVB core changes to avoid refcount troubles and UAF

 - DVB API/core has gained support for DVB-C2 and DVB-S2X

 - New sensor drivers: ov08x40, ov4689.c, st-vgxy61 and tc358746.c

 - Removal of an unused sensor driver: s5k4ecgx

 - Move microchip_csi2dc to a new directory, named after the
   manufacturer

 - Add media controller support to Microship drivers

 - Old Atmel/Microship drivers that don't use media controler got moved
   to staging

 - New drivers added for Renesas RZ/G2L CRU and MIPI CSI-2 support

 - Allwinner A31 camera sensor driver code was now split into a bridge
   and a separate processor driver

 - Added a virtual stateless decoder driver in order to test core
   support for stateless drivers and test userspace apps using it

 - removed platform-based support for ov9650, as this is not used
   anymore

 - atomisp now uses videobuf2 and supports normal mmap mode

 - the imx7-media-csi driver got promoted from staging

 - rcar-vin driver has gained support for gen3 UDS (Up Down Scaler)

 - most i2c drivers now use I2C .probe_new() kAPI

 - lots of drivers fixes, cleanups and improvements

* tag 'media/v6.2-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (544 commits)
  media: s5c73m3: Switch to GPIO descriptors
  media: i2c: s5k5baf: switch to using gpiod API
  media: i2c: s5k6a3: switch to using gpiod API
  media: imx: remove code for non-existing config IMX_GPT_ICAP
  media: si470x: Fix use-after-free in si470x_int_in_callback()
  media: staging: stkwebcam: Restore MEDIA_{USB,CAMERA}_SUPPORT dependencies
  media: coda: Add check for kmalloc
  media: coda: Add check for dcoda_iram_alloc
  dt-bindings: media: s5c73m3: Fix reset-gpio descriptor
  media: dt-bindings: allwinner: h6-vpu-g2: Add IOMMU reference property
  media: s5k4ecgx: Delete driver
  media: s5k4ecgx: Switch to GPIO descriptors
  media: Switch to use dev_err_probe() helper
  headers: Remove some left-over license text in include/uapi/linux/v4l2-*
  headers: Remove some left-over license text in include/uapi/linux/dvb/
  media: usb: pwc-uncompress: Use flex array destination for memcpy()
  media: s5p-mfc: Fix to handle reference queue during finishing
  media: s5p-mfc: Clear workbit to handle error condition
  media: s5p-mfc: Fix in register read and write for H264
  media: imx: Use get_mbus_config instead of parsing upstream DT endpoints
  ...
---

cdb9d3537711939e4d8fd0de2889c966f88346eb
diff --cc drivers/media/common/videobuf2/frame_vector.c
index 144027035892,aad72640f055..89eebc3341b8
--- a/drivers/media/common/videobuf2/frame_vector.c
+++ b/drivers/media/common/videobuf2/frame_vector.c
@@@ -32,10 -33,15 +33,11 @@@
   *
   * This function takes care of grabbing mmap_lock as necessary.
   */
- int get_vaddr_frames(unsigned long start, unsigned int nr_frames,
+ int get_vaddr_frames(unsigned long start, unsigned int nr_frames, bool write,
  		     struct frame_vector *vec)
  {
 -	struct mm_struct *mm = current->mm;
 -	struct vm_area_struct *vma;
 -	int ret_pin_user_pages_fast = 0;
 -	int ret = 0;
 -	int err;
 +	int ret;
+ 	unsigned int gup_flags = FOLL_FORCE | FOLL_LONGTERM;
  
  	if (nr_frames == 0)
  		return 0;
@@@ -45,20 -51,62 +47,22 @@@
  
  	start = untagged_addr(start);
  
- 	ret = pin_user_pages_fast(start, nr_frames,
- 				  FOLL_FORCE | FOLL_WRITE | FOLL_LONGTERM,
+ 	if (write)
+ 		gup_flags |= FOLL_WRITE;
+ 
+ 	ret = pin_user_pages_fast(start, nr_frames, gup_flags,
  				  (struct page **)(vec->ptrs));
 -	if (ret > 0) {
 -		vec->got_ref = true;
 -		vec->is_pfns = false;
 -		goto out_unlocked;
 -	}
 -	ret_pin_user_pages_fast = ret;
 +	vec->got_ref = true;
 +	vec->is_pfns = false;
 +	vec->nr_frames = ret;
  
 -	mmap_read_lock(mm);
 -	vec->got_ref = false;
 -	vec->is_pfns = true;
 -	ret = 0;
 -	do {
 -		unsigned long *nums = frame_vector_pfns(vec);
 +	if (likely(ret > 0))
 +		return ret;
  
 -		vma = vma_lookup(mm, start);
 -		if (!vma)
 -			break;
 -
 -		while (ret < nr_frames && start + PAGE_SIZE <= vma->vm_end) {
 -			err = follow_pfn(vma, start, &nums[ret]);
 -			if (err) {
 -				if (ret)
 -					goto out;
 -				// If follow_pfn() returns -EINVAL, then this
 -				// is not an IO mapping or a raw PFN mapping.
 -				// In that case, return the original error from
 -				// pin_user_pages_fast(). Otherwise this
 -				// function would return -EINVAL when
 -				// pin_user_pages_fast() returned -ENOMEM,
 -				// which makes debugging hard.
 -				if (err == -EINVAL && ret_pin_user_pages_fast)
 -					ret = ret_pin_user_pages_fast;
 -				else
 -					ret = err;
 -				goto out;
 -			}
 -			start += PAGE_SIZE;
 -			ret++;
 -		}
 -		/* Bail out if VMA doesn't completely cover the tail page. */
 -		if (start < vma->vm_end)
 -			break;
 -	} while (ret < nr_frames);
 -out:
 -	mmap_read_unlock(mm);
 -out_unlocked:
 -	if (!ret)
 -		ret = -EFAULT;
 -	if (ret > 0)
 -		vec->nr_frames = ret;
 -	return ret;
 +	/* This used to (racily) return non-refcounted pfns. Let people know */
 +	WARN_ONCE(1, "get_vaddr_frames() cannot follow VM_IO mapping");
 +	vec->nr_frames = 0;
 +	return ret ? ret : -EFAULT;
  }
  EXPORT_SYMBOL(get_vaddr_frames);