As reported by smatch:
drivers/media/common/videobuf2/videobuf2-core.c: drivers/media/common/videobuf2/videobuf2-core.c:2159 vb2_mmap() warn: inconsistent returns 'mutex:&q->mmap_lock'.
Locked on: line 2148
Unlocked on: line 2100
line 2108
line 2113
line 2118
line 2156
line 2159
There is one error condition that doesn't unlock a mutex.
Hans Verkuil [Mon, 19 Nov 2018 15:33:44 +0000 (10:33 -0500)]
media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused()
Userspace shouldn't set bytesused to 0 for output buffers.
vb2_warn_zero_bytesused() warns about this (only once!), but it also
calls WARN_ON(1), which is confusing since it is not immediately clear
that it warns about a 0 value for bytesused.
John Sheu [Thu, 15 Nov 2018 15:57:16 +0000 (10:57 -0500)]
media: vb2: Allow reqbufs(0) with "in use" MMAP buffers
Videobuf2 presently does not allow VIDIOC_REQBUFS to destroy outstanding
buffers if the queue is of type V4L2_MEMORY_MMAP, and if the buffers are
considered "in use". This is different behavior than for other memory
types and prevents us from deallocating buffers in following two cases:
1) There are outstanding mmap()ed views on the buffer. However even if
we put the buffer in reqbufs(0), there will be remaining references,
due to vma .open/close() adjusting vb2 buffer refcount appropriately.
This means that the buffer will be in fact freed only when the last
mmap()ed view is unmapped.
2) Buffer has been exported as a DMABUF. Refcount of the vb2 buffer
is managed properly by VB2 DMABUF ops, i.e. incremented on DMABUF
get and decremented on DMABUF release. This means that the buffer
will be alive until all importers release it.
Considering both cases above, there does not seem to be any need to
prevent reqbufs(0) operation, because buffer lifetime is already
properly managed by both mmap() and DMABUF code paths. Let's remove it
and allow userspace freeing the queue (and potentially allocating a new
one) even though old buffers might be still in processing.
To let userspace know that the kernel now supports orphaning buffers
that are still in use, add a new V4L2_BUF_CAP_SUPPORTS_ORPHANED_BUFS
to be set by reqbufs and create_bufs.
[p.zabel@pengutronix.de: added V4L2_BUF_CAP_SUPPORTS_ORPHANED_BUFS,
updated documentation, and added back debug message]
Signed-off-by: John Sheu <sheu@chromium.org> Reviewed-by: Pawel Osciak <posciak@chromium.org> Signed-off-by: Tomasz Figa <tfiga@chromium.org> Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil-cisco@xs4all.nl: added V4L2-BUF-CAP-SUPPORTS-ORPHANED-BUFS ref] Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Ezequiel Garcia [Thu, 18 Oct 2018 18:02:24 +0000 (14:02 -0400)]
media: cedrus: Get rid of interrupt bottom-half
Now that the mem2mem framework guarantees that .device_run
won't be called from interrupt context, it is safe to call
v4l2_m2m_job_finish directly in the top-half.
So this means the bottom-half is no longer needed and we
can get rid of it.
Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com> Acked-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Ezequiel Garcia [Thu, 18 Oct 2018 18:02:23 +0000 (14:02 -0400)]
media: v4l2-mem2mem: Avoid calling .device_run in v4l2_m2m_job_finish
v4l2_m2m_job_finish() is typically called when
DMA operations complete, in interrupt handlers or DMA
completion callbacks. Calling .device_run from v4l2_m2m_job_finish
creates a nasty re-entrancy path into the driver.
Moreover, some implementation of .device_run might need to sleep,
as is the case for drivers supporting the Request API,
where controls are applied via v4l2_ctrl_request_setup,
which takes the ctrl handler mutex.
This commit adds a deferred context that calls v4l2_m2m_try_run,
and gets scheduled by v4l2_m2m_job_finish().
Before this change, device_run would be called from these
paths:
vb2_m2m_request_queue, or
v4l2_m2m_streamon, or
v4l2_m2m_qbuf
v4l2_m2m_try_schedule
v4l2_m2m_try_run
.device_run
v4l2_m2m_job_finish
v4l2_m2m_try_run
.device_run
After this change, the latter is now gone and instead:
Sakari Ailus [Thu, 18 Oct 2018 18:02:22 +0000 (14:02 -0400)]
media: v4l2-mem2mem: Simplify exiting the function in __v4l2_m2m_try_schedule
The __v4l2_m2m_try_schedule function acquires and releases multiple
spinlocks. Simplify unlocking the job lock by adding labels to unlock
the lock and exit the function.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Vikash Garodia [Wed, 17 Oct 2018 13:18:22 +0000 (09:18 -0400)]
media: venus: firmware: add no TZ boot and shutdown routine
Video hardware is mainly comprised of vcodec subsystem and video
control subsystem. Video control has ARM9 which executes the video
firmware instructions whereas vcodec does the video frame processing.
This change adds support to load the video firmware and bring ARM9
out of reset for platforms which does not have trustzone.
An iommu domain is associated and managed with the firmware device.
Vikash Garodia [Wed, 17 Oct 2018 13:18:19 +0000 (09:18 -0400)]
media: venus: firmware: add routine to reset ARM9
Add routine to reset the ARM9 and brings it out of reset. Also
abstract the Venus CPU state handling with a new function. This
is in preparation to add PIL functionality in venus driver.
Hans Verkuil [Fri, 9 Nov 2018 13:37:44 +0000 (08:37 -0500)]
media: vivid: free bitmap_cap when updating std/timings/etc.
When vivid_update_format_cap() is called it should free any overlay
bitmap since the compose size will change.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Reported-by: syzbot+0cc8e3cc63ca373722c6@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> # for v3.18 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Hans Verkuil [Thu, 8 Nov 2018 16:12:47 +0000 (11:12 -0500)]
media: v4l2-tpg: array index could become negative
text[s] is a signed char, so using that as index into the font8x16 array
can result in negative indices. Cast it to u8 to be safe.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Reported-by: syzbot+ccf0a61ed12f2a7313ee@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> # for v4.7 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Hans Verkuil [Thu, 8 Nov 2018 12:23:37 +0000 (07:23 -0500)]
media: vb2: check memory model for VIDIOC_CREATE_BUFS
vb2_core_create_bufs did not check if the memory model for newly added
buffers is the same as for already existing buffers. It should return an
error if they aren't the same.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Reported-by: syzbot+e1fb118a2ebb88031d21@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> # for v4.16 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Hans Verkuil [Thu, 8 Nov 2018 09:51:51 +0000 (04:51 -0500)]
media: adv*/tc358743/ths8200: fill in min width/height/pixelclock
The v4l2_dv_timings_cap struct is used to do sanity checks when setting and
enumerating DV timings, ensuring that only valid timings as per the HW
capabilities are allowed.
However, many drivers just filled in 0 for the minimum width, height or
pixelclock frequency. This can cause timings with e.g. 0 as width and height
to be accepted, which will in turn lead to a potential division by zero.
Fill in proper values are minimum boundaries. 640x350 was chosen since it is
the smallest resolution in v4l2-dv-timings.h. Same for 13 MHz as the lowest
pixelclock frequency (it's slightly below the minimum of 13.5 MHz in the
v4l2-dv-timings.h header).
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Hans Verkuil [Wed, 7 Nov 2018 14:04:54 +0000 (09:04 -0500)]
media: vim2m: use cancel_delayed_work_sync instead of flush_schedule_work
The use of flush_schedule_work() made no sense and caused a syzkaller error.
Replace with the correct cancel_delayed_work_sync().
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Reported-by: syzbot+69780d144754b8071f4b@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> # for v4.20 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Hans Verkuil [Mon, 29 Oct 2018 17:32:38 +0000 (13:32 -0400)]
media: vivid: set min width/height to a value > 0
The capture DV timings capabilities allowed for a minimum width and
height of 0. So passing a timings struct with 0 values is allowed
and will later cause a division by zero.
Ensure that the width and height must be >= 16 to avoid this.
Julia Lawall [Sat, 27 Oct 2018 12:16:39 +0000 (08:16 -0400)]
media: vicodec: constify v4l2_ctrl_ops structure
The v4l2_ctrl_ops structure is only stored in the ops field of a
v4l2_ctrl_config structure, and this field is const, or passed as the
second argument of v4l2_ctrl_new_std, and the corresponding parameter
is declared as const. Accordingly, the structure can also be const.
Done with the help of Coccinelle.
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Sean Young [Fri, 26 Oct 2018 12:18:33 +0000 (08:18 -0400)]
media: v4l uapi docs: few minor corrections and typos
Do a series of minor corrections at the V4L2 uAPI documentation.
Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Hans Verkuil [Fri, 19 Oct 2018 07:55:34 +0000 (03:55 -0400)]
media: cec: keep track of outstanding transmits
I noticed that repeatedly running 'cec-ctl --playback' would occasionally
select 'Playback Device 2' instead of 'Playback Device 1', even though there
were no other Playback devices in the HDMI topology. This happened both with
'real' hardware and with the vivid CEC emulation, suggesting that this was an
issue in the core code that claims a logical address.
What 'cec-ctl --playback' does is to first clear all existing logical addresses,
and immediately after that configure the new desired device type.
The core code will poll the logical addresses trying to find a free address.
When found it will issue a few standard messages as per the CEC spec and return.
Those messages are queued up and will be transmitted asynchronously.
What happens is that if you run two 'cec-ctl --playback' commands in quick
succession, there is still a message of the first cec-ctl command being transmitted
when you reconfigure the adapter again in the second cec-ctl command.
When the logical addresses are cleared, then all information about outstanding
transmits inside the CEC core is also cleared, and the core is no longer aware
that there is still a transmit in flight.
When the hardware finishes the transmit it calls transmit_done and the CEC core
thinks it is actually in response of a POLL messages that is trying to find a
free logical address. The result of all this is that the core thinks that the
logical address for Playback Device 1 is in use, when it is really an earlier
transmit that ended.
The main transmit thread looks at adap->transmitting to check if a transmit
is in progress, but that is set to NULL when the adapter is unconfigured.
adap->transmitting represents the view of userspace, not that of the hardware.
So when unconfiguring the adapter the message is marked aborted from the point
of view of userspace, but seen from the PoV of the hardware it is still ongoing.
So introduce a new bool transmit_in_progress that represents the hardware state
and use that instead of adap->transmitting. Now the CEC core waits until the
hardware finishes the transmit before starting a new transmit.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Cc: <stable@vger.kernel.org> # for v4.18 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Hans Verkuil [Wed, 17 Oct 2018 11:05:41 +0000 (07:05 -0400)]
media: cec: add debug_phys_addr module option
If debug_phys_addr is set, then CEC_CAP_PHYS_ADDR is added to the CEC
adapter capabilities.
This allows for testing CEC even if the physical address isn't set. This
makes it possible to connect two HDMI outputs together and still use CEC.
Very useful for testing CEC if you don't have access to an HDMI receiver
under linux.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Hans Verkuil [Tue, 13 Nov 2018 14:06:46 +0000 (09:06 -0500)]
media: vb2: vb2_mmap: move lock up
If a filehandle is dup()ped, then it is possible to close it from one fd
and call mmap from the other. This creates a race condition in vb2_mmap
where it is using queue data that __vb2_queue_free (called from close())
is in the process of releasing.
By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided
since __vb2_queue_free is called with the same mutex locked. So vb2_mmap
now reads consistent buffer data.
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Reported-by: syzbot+be93025dd45dccd8923c@syzkaller.appspotmail.com Signed-off-by: Hans Verkuil <hansverk@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
If the tx_ignore_nack_until_eom error injection was activated,
then tx_nacked was never set instead of setting it when the last
byte of the message was transmitted.
As a result the transmit was marked as OK, when it should have
been NACKed.
Modify the condition so that it always sets tx_nacked when the
last byte of the message was transmitted.
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Cc: <stable@vger.kernel.org> # for v4.17 and up Signed-off-by: Hans Verkuil <hansverk@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Improve the pxp_soft_reset() error message by moving it to the
caller function, associating it with a proper device and also
by displaying the error code.
Signed-off-by: Fabio Estevam <festevam@gmail.com> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hansverk@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Philipp Zabel [Mon, 5 Nov 2018 15:25:12 +0000 (10:25 -0500)]
media: coda: normalise debug output
Consistently add the context index to debug output, which otherwise is
impossible to make sense of when two contexts are running concurrently.
For this purpose, add a convenience macro coda_dbg(). Use the function
name with the coda_ prefix stripped as keyword where applicable, and
consistently use vid-out and vid-cap names for the queues. Add sequence
counters to the decoder job finished message and correctly indicate B
frames. Add a start streaming message to complement the stop streaming
message and a start encoding message to complement the existing start
decoding message.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hansverk@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Philipp Zabel [Mon, 5 Nov 2018 15:25:07 +0000 (10:25 -0500)]
media: coda: implement ENUM_FRAMEINTERVALS
v4l2-compliance complains about S_PARM being supported, but not
ENUM_FRAMEINTERVALS.
Report a continuous frame interval even though the hardware only
supports 16-bit numerator and denominator, with min/max values
that can be programmed into the mailbox registers.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hansverk@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Philipp Zabel [Mon, 5 Nov 2018 15:25:03 +0000 (10:25 -0500)]
media: coda: reduce minimum frame size to 48x16 pixels.
Three macroblocks seem to be the minimum resolution that can be encoded
and decoded by the CODA960 h.264 codec. Picture run commands fail for
smaller resolutions.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hansverk@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Lucas Stach [Mon, 5 Nov 2018 15:25:02 +0000 (10:25 -0500)]
media: coda: limit queueing into internal bitstream buffer
The ringbuffer used to hold the bitstream is very conservatively sized,
as keyframes can get very large and still need to fit into this buffer.
This means that the buffer is way oversized for the average stream to
the extend that it will hold a few hundred frames when the video data
is compressing well.
The current strategy of queueing as much bitstream data as possible
leads to large delays when draining the decoder. In order to keep the
drain latency to a reasonable bound, try to only queue a full reorder
window of buffers. We can't always hit this low target for very well
compressible video data, as we might end up with less than the minimum
amount of data that needs to be available to the bitstream prefetcher,
so we must take this into account and allow more buffers to be queued
in this case.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de> Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hansverk@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Philipp Zabel [Mon, 5 Nov 2018 15:25:01 +0000 (10:25 -0500)]
media: coda: always hold back decoder jobs until we have enough bitstream payload
The bitstream prefetch unit reads data in 256 byte blocks with some kind
of queueing. For the decoder to see data up to a desired position in the
next run, the bitstream has to be filled for 2 256 byte blocks past that
position aligned up to the next 256 byte boundary.
This should make sure we never run into a buffer underrun condition if
userspace does not supply new input buffers fast enough.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hansverk@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Philipp Zabel [Tue, 6 Nov 2018 10:40:54 +0000 (05:40 -0500)]
media: coda: fix memory corruption in case more than 32 instances are opened
The ffz() return value is undefined if the instance mask does not
contain any zeros. If it returned 32, the following set_bit would
corrupt the debugfs_root pointer.
Switch to IDA for context index allocation. This also removes the
artificial 32 instance limit for all except CodaDx6.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Hans Verkuil <hansverk@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Rui Miguel Silva [Wed, 21 Nov 2018 10:59:55 +0000 (05:59 -0500)]
media: ov2680: fix null dereference at power on
Swapping the order between v4l2 subdevice registration and checking chip
id in b7a417628abf ("media: ov2680: don't register the v4l2 subdevice
before checking chip ID") makes the mode restore to use the sensor
controls before they are set, so move the mode restore call to s_power
after the handler setup for controls is done.
This remove also the need for the error code path in power on function.
Fixes: b7a417628abf ("media: ov2680: don't register the v4l2 subdevice before checking chip ID") Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Maxime Ripard [Wed, 14 Nov 2018 14:59:31 +0000 (09:59 -0500)]
media: dt-bindings: media: sun6i: Add A31 and H3 compatibles
The H3 has a slightly different CSI controller (no BT656, no CCI) which
looks a lot like the original A31 controller. Add a compatible for the A31,
and more specific compatible the for the H3 to be used in combination for
the A31.
Reviewed-by: Rob Herring <robh@kernel.org> Signed-off-by: Maxime Ripard <maxime.ripard@bootlin.com> Reviewed-by: Chen-Yu Tsai <wens@csie.org> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Yong Deng [Tue, 30 Oct 2018 08:18:10 +0000 (04:18 -0400)]
media: sun6i: Add support for Allwinner CSI V3s
Allwinner V3s SoC features a CSI module with parallel interface.
This patch implement a v4l2 framework driver for it.
Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com> Reviewed-by: Maxime Ripard <maxime.ripard@bootlin.com> Tested-by: Maxime Ripard <maxime.ripard@bootlin.com> Signed-off-by: Yong Deng <yong.deng@magewell.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Dafna Hirschfeld [Thu, 15 Nov 2018 11:23:30 +0000 (06:23 -0500)]
media: vicodec: prepare support for various number of planes
Add fields to the structs `fwht_raw_frame`, `v4l2_fwht_pixfmts`
to support various number of planes - formats
with alpha channel that have 4 planes and greyscale formats
that have 1 plane.
Malathi Gottam [Mon, 12 Nov 2018 09:06:02 +0000 (04:06 -0500)]
media: venus: change the default value of GOP size
When the client doesn't explicitly set any GOP size, current
default value is low and overshoots bitrate beyond tolerance.
Hence default value is modified so as to have intra period of 1sec.
Alexey Khoroshilov [Sat, 20 Oct 2018 17:50:19 +0000 (13:50 -0400)]
media: mtk-vcodec: Release device nodes in mtk_vcodec_init_enc_pm()
of_parse_phandle() returns the device node with refcount incremented.
There are two nodes that are used temporary in mtk_vcodec_init_enc_pm(),
but their refcounts are not decremented.
The patch adds one of_node_put() and fixes returning error codes.
Found by Linux Driver Verification project (linuxtesting.org).
Akinobu Mita [Sat, 20 Oct 2018 14:26:25 +0000 (10:26 -0400)]
media: v4l2-common: add V4L2_FRACT_COMPARE
Add macro to compare two v4l2_fract values in v4l2 common internal API.
The same macro FRACT_CMP() is used by vivid and bcm2835-camera. This just
renames it to V4L2_FRACT_COMPARE in order to avoid namespace collision.
Cc: Matt Ranostay <matt.ranostay@konsulko.com> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Akinobu Mita [Sat, 20 Oct 2018 14:26:24 +0000 (10:26 -0400)]
media: video-i2c: use i2c regmap
Use regmap for i2c register access. This simplifies register accesses and
chooses suitable access commands based on the functionality that the
adapter supports.
Acked-by: Matt Ranostay <matt.ranostay@konsulko.com> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Akinobu Mita [Sat, 20 Oct 2018 14:26:23 +0000 (10:26 -0400)]
media: video-i2c: avoid accessing released memory area when removing driver
The video device release() callback for video-i2c driver frees the whole
struct video_i2c_data. If there is no user left for the video device
when video_unregister_device() is called, the release callback is executed.
However, in video_i2c_remove() some fields (v4l2_dev, lock, and queue_lock)
in struct video_i2c_data are still accessed after video_unregister_device()
is called.
This fixes the use after free by moving the code from video_i2c_remove()
to the release() callback.
Fixes: 5cebaac60974 ("media: video-i2c: add video-i2c driver") Reviewed-by: Matt Ranostay <matt.ranostay@konsulko.com> Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Sean Young [Sun, 4 Nov 2018 10:12:09 +0000 (05:12 -0500)]
media: rc: ensure close() is called on rc_unregister_device
If userspace has an open file descriptor on the rc input device or lirc
device when rc_unregister_device() is called, then the rc close() is
never called.
This ensures that the receiver is turned off on the nuvoton-cir driver
during shutdown.
Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Sean Young [Sat, 27 Oct 2018 14:44:22 +0000 (10:44 -0400)]
media: saa7134: hvr1110 can decode rc6
The function get_key_hvr1110 can only decode rc5, however this is a
standard hauppauge z8f0811 which can decode rc6 as well. Use
get_key_haup_xvr() instead.
Tested on a HVR 1110.
Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
projects / users / jedix / linux-maple.git / log