| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
In dvb_input_attach(), whenever a demod driver fails to initialise, or if
frontend registration fails, perform a full input/frontend teardown using
dvb_input_detach() (which can safely be done since the current init state
is tracked in the 'attached' struct member). Claimed resources thus are
freed which aren't needed when an input or a port is not functional.
While at it, in ddb_ports_detach(), detach the secondary input first. Also
increase the kernlog severity of TDA18212 errors and tuner failures in
general.
Signed-off-by: Daniel Scheller <d.scheller@gmx.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Do kfree() on port->en->data instead of port->en. port->en only holds a
ptr to a struct dvb_ca_en50221, which is a member either of a memalloc'ed
struct ddb_ci (DuoFlex CI, Octopus CI Duo) or a struct cxd (CXD2099AR
based Single Flex, allocated by the cxd2099 driver). port->en.data
though holds the ptr to the allocated memory, which must rather be
kfree()'d. Change this accordingly.
Cc: Ralph Metzler <rjkm@metzlerbros.de>
Signed-off-by: Daniel Scheller <d.scheller@gmx.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Currently, rmmod ddbridge on a KASAN enabled kernel yields this report
for hardware that utilises the tda18212 tuner driver:
[ 50.355229] ==================================================================
[ 50.355271] BUG: KASAN: use-after-free in tda18212_remove+0x5c/0xb0 [tda18212]
[ 50.355290] Write of size 288 at addr ffff8800c235cf18 by task rmmod/285
[ 50.355316] CPU: 1 PID: 285 Comm: rmmod Not tainted 4.15.0-rc1-13744-g352a86ad536f #11
[ 50.355318] Hardware name: Gigabyte Technology Co., Ltd. P35-DS3/P35-DS3, BIOS F3 06/11/2007
[ 50.355319] Call Trace:
[ 50.355326] dump_stack+0x46/0x61
[ 50.355332] print_address_description+0x79/0x270
[ 50.355336] ? tda18212_remove+0x5c/0xb0 [tda18212]
[ 50.355339] kasan_report+0x229/0x340
[ 50.355342] memset+0x1f/0x40
[ 50.355345] tda18212_remove+0x5c/0xb0 [tda18212]
[ 50.355350] i2c_device_remove+0x97/0xe0
[ 50.355355] device_release_driver_internal+0x267/0x510
[ 50.355358] bus_remove_device+0x296/0x470
[ 50.355360] device_del+0x35c/0x890
[ 50.355363] ? __device_links_no_driver+0x1c0/0x1c0
[ 50.355367] ? cxd2841er_get_algo+0x10/0x10 [cxd2841er]
[ 50.355371] ? cxd2841er_get_algo+0x10/0x10 [cxd2841er]
[ 50.355374] ? __module_text_address+0xe/0x140
[ 50.355377] device_unregister+0x9/0x20
[ 50.355382] dvb_input_detach.isra.24+0x286/0x480 [ddbridge]
[ 50.355388] ddb_ports_detach+0x15f/0x4f0 [ddbridge]
[ 50.355393] ddb_remove+0x3c/0xb0 [ddbridge]
[ 50.355397] pci_device_remove+0x93/0x1d0
[ 50.355400] device_release_driver_internal+0x267/0x510
[ 50.355403] driver_detach+0xb9/0x1b0
[ 50.355406] bus_remove_driver+0xd0/0x1f0
[ 50.355410] pci_unregister_driver+0x25/0x210
[ 50.355415] module_exit_ddbridge+0xc/0x45 [ddbridge]
[ 50.355418] SyS_delete_module+0x314/0x440
[ 50.355420] ? free_module+0x5b0/0x5b0
[ 50.355423] ? exit_to_usermode_loop+0xa9/0xc0
[ 50.355425] ? free_module+0x5b0/0x5b0
[ 50.355428] do_syscall_64+0x179/0x4c0
[ 50.355432] ? do_page_fault+0x1b/0x60
[ 50.355435] entry_SYSCALL64_slow_path+0x25/0x25
[ 50.355438] RIP: 0033:0x7fe65d08ade7
[ 50.355439] RSP: 002b:00007fff5a6a09a8 EFLAGS: 00000202 ORIG_RAX: 00000000000000b0
[ 50.355443] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe65d08ade7
[ 50.355445] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000000000f4e268
[ 50.355447] RBP: 0000000000f4e200 R08: 0000000000000000 R09: 1999999999999999
[ 50.355449] R10: 0000000000000891 R11: 0000000000000202 R12: 00007fff5a6a14ef
[ 50.355451] R13: 0000000000000000 R14: 0000000000f4e200 R15: 0000000000f4d010
[ 50.355462] Allocated by task 164:
[ 50.355477] cxd2841er_attach+0xc3/0x7f0 [cxd2841er]
[ 50.355482] demod_attach_cxd28xx+0x14c/0x3f0 [ddbridge]
[ 50.355486] dvb_input_attach+0x671/0x1e20 [ddbridge]
[ 50.355490] ddb_ports_attach+0x3d7/0xbf0 [ddbridge]
[ 50.355495] ddb_init+0x4b3/0xa30 [ddbridge]
[ 50.355499] ddb_probe+0xa51/0xfe0 [ddbridge]
[ 50.355501] pci_device_probe+0x279/0x480
[ 50.355504] driver_probe_device+0x46f/0x7a0
[ 50.355506] __driver_attach+0x133/0x170
[ 50.355509] bus_for_each_dev+0x10a/0x190
[ 50.355511] bus_add_driver+0x2a3/0x5a0
[ 50.355513] driver_register+0x182/0x3a0
[ 50.355516] arc4_set_key+0x8f/0x2a0 [arc4]
[ 50.355518] do_one_initcall+0x77/0x1d0
[ 50.355521] do_init_module+0x1c2/0x548
[ 50.355523] load_module+0x5e61/0x8df0
[ 50.355525] SyS_finit_module+0x142/0x150
[ 50.355527] do_syscall_64+0x179/0x4c0
[ 50.355529] return_from_SYSCALL_64+0x0/0x65
[ 50.355539] Freed by task 285:
[ 50.355551] kfree+0x6c/0xa0
[ 50.355558] __dvb_frontend_free+0x81/0xb0 [dvb_core]
[ 50.355562] dvb_input_detach.isra.24+0x17c/0x480 [ddbridge]
[ 50.355566] ddb_ports_detach+0x15f/0x4f0 [ddbridge]
[ 50.355570] ddb_remove+0x3c/0xb0 [ddbridge]
[ 50.355573] pci_device_remove+0x93/0x1d0
[ 50.355576] device_release_driver_internal+0x267/0x510
[ 50.355578] driver_detach+0xb9/0x1b0
[ 50.355580] bus_remove_driver+0xd0/0x1f0
[ 50.355583] pci_unregister_driver+0x25/0x210
[ 50.355587] module_exit_ddbridge+0xc/0x45 [ddbridge]
[ 50.355590] SyS_delete_module+0x314/0x440
[ 50.355592] do_syscall_64+0x179/0x4c0
[ 50.355594] return_from_SYSCALL_64+0x0/0x65
[ 50.355604] The buggy address belongs to the object at ffff8800c235cd80
which belongs to the cache kmalloc-2048 of size 2048
[ 50.355630] The buggy address is located 408 bytes inside of
2048-byte region [ffff8800c235cd80, ffff8800c235d580)
[ 50.355652] The buggy address belongs to the page:
[ 50.355666] page:ffffea0002a7bc20 count:1 mapcount:0 mapping:ffff8800c235c500 index:0x0 compound_mapcount: 0
[ 50.355688] flags: 0x4000000000008100(slab|head)
[ 50.355703] raw: 4000000000008100 ffff8800c235c500 0000000000000000 0000000100000003
[ 50.355720] raw: ffffea000382b4b0 ffffea0002b91550 ffff88010b000800
[ 50.355734] page dumped because: kasan: bad access detected
[ 50.355754] Memory state around the buggy address:
[ 50.355767] ffff8800c235ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.355783] ffff8800c235ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.355800] >ffff8800c235cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.355815] ^
[ 50.355827] ffff8800c235cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.355843] ffff8800c235d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.355858] ==================================================================
This is due to dvb_frontend_detach() being called before
i2c_unregister_device() on the TDA18212 tuner client instance, as
dvb_frontend_detach() causes the demod drivers to release all their
resources, and the tuner driver's _remove method does further cleanup on
the now invalid (freed) resources. Fix this by putting the I2C client
deregistration in dvb_input_detach() to state/case 0x30, right before the
call to dvb_frontend_detach(). This also makes sure that any further
(tuner) hardware driven by I2C client drivers unload cleanly.
Fixes: 1502efd2d59 ("media: ddbridge: fix teardown/deregistration order in ddb_input_detach()")
Signed-off-by: Daniel Scheller <d.scheller@gmx.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
This commit uses the new property scrambling_sequence_index
to control PLS.
By default we are using the gold sequence 0 and only gold sequences
expected on the new property.
Please note that all services use PLS, just most with the default
sequence 0 and many demods only support gold 0.
Signed-off-by: Athanasios Oikonomou <athoik@gmail.com>
Acked-by: Ralph Metzler <rjkm@metzlerbros.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
This commit adds a new property DTV_SCRAMBLING_SEQUENCE_INDEX.
This 18 bit field, when present, carries the index of the DVB-S2 physical
layer scrambling sequence as defined in clause 5.5.4 of EN 302 307.
There is no explicit signalling method to convey scrambling sequence index
to the receiver. If S2 satellite delivery system descriptor is available
it can be used to read the scrambling sequence index (EN 300 468 table 41).
By default, gold scrambling sequence index 0 is used. The valid scrambling
sequence index range is from 0 to 262142.
Increase the DVB API version in order userspace to be aware of the changes.
Signed-off-by: Athanasios Oikonomou <athoik@gmail.com>
Acked-by: Ralph Metzler <rjkm@metzlerbros.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Use the existing PCI_EXP_DEVCTL2_COMP_TIMEOUT macro instead of hard-coding
the PCIe Completion Timeout Value mask. No functional change intended.
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Two orthogonal changesets caused a breakage at a printk
inside davinci. Commit a2d17962c9ca
("[media] davinci: Switch from V4L2 OF to V4L2 fwnode")
made davinci to use struct fwnode_handle instead of
struct device_node. Commit 68d9c47b1679
("media: Convert to using %pOF instead of full_name")
changed the printk to not use ->full_name, but, instead,
to rely on %pOF.
With both patches applied, the Kernel will do the wrong
thing, as warned by smatch:
drivers/media/platform/davinci/vpif_capture.c:1399 vpif_async_bound() error: '%pOF' expects argument of type 'struct device_node*', argument 5 has type 'void*'
So, change the logic to actually print the device name
that was obtained before the print logic.
Fixes: 68d9c47b1679 ("media: Convert to using %pOF instead of full_name")
Fixes: a2d17962c9ca ("[media] davinci: Switch from V4L2 OF to V4L2 fwnode")
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Linux 4.15-rc4
Daniel requested it to fix some messy conflicts.
|
|
pr_debug() and netdev_dbg() can be enabled/disabled dynamically
via sysfs. So, stop hidding them under ULE_DEBUG config macro.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
This debug option is there for a long time, but it is only
enabled by editing the source code. Due to that, a breakage
inside its code was only noticed years after a change at
the ULE handling logic.
Make it a Kconfig parameter, as it makes easier for
advanced users to enable, and allow test if the compilation
won't be broken in the future.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
commit efb9ab67255f ("[media] dvb_net: prepare to split a very
complex function") changed the ULE handling logic, simplifying it.
However, it forgot to keep the initialization for .priv and to
zero .ule_hist fields.
The lack of .priv cause crashes if dvb_net_ule() is called, as
the function assuems that .priv field to be initialized.
With regards to .ule_hist, the current logic is broken and don't
even compile if ULE_DEBUG. Fix it by making the debug vars static
again, and be sure to pass iov parameter to dvb_net_ule_check_crc().
Fixes: efb9ab67255f ("[media] dvb_net: prepare to split a very complex function")
Suggested-by: Ron Economos <w6rz@comcast.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Replace the original license statement with the SPDX identifier.
Update also the copyright owner adding myself as co-owner of the
copyright.
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
There is no reason to hold the lock while we wait for the IR to transmit.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
This is code existed for when drivers would send less than the whole
buffer; no driver does this any more, so this is redundant. Drivers
should return -EINVAL if they cannot send the entire buffer.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
If memdup_user() fails, txbuf will be an error pointer and passed
to kfree.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The TX loop is more complex than it should. Simplify it.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The semantics for lirc IR transmit with raw IR is that the write call
should block until the IR is transmitted. Some drivers have no idea
when this actually is (e.g. mceusb), so there is a wait.
This is useful for userspace, as it might want to send a IR button press,
a gap of a predefined number of milliseconds, and then send a repeat
message.
It turns out that for transmitting scancodes this feature is even more
useful, as user space has no idea how long the IR is. So, maintain
the existing semantics for IR scancode transmit.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
rc_keydown() can be called from interrupt context, by e.g. an rc scancode
driver. Since commit b2c96ba352b5 ("media: cec: move cec autorepeat
handling to rc-core"), the del_timer_sync() call is not happy about
being called in interrupt connect. del_timer() will suffice.
WARNING: CPU: 0 PID: 0 at kernel/time/timer.c:1285 del_timer_sync+0x1d/0x40
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 4.15.0-rc1+ #1
Hardware name: /DG45ID, BIOS IDG4510H.86A.0135.2011.0225.1100 02/25/2011
task: ffffffffa3e10480 task.stack: ffffffffa3e00000
RIP: 0010:del_timer_sync+0x1d/0x40
RSP: 0018:ffff8b396bc03db0 EFLAGS: 00010046
RAX: 0000000080010000 RBX: ffff8b394d70e410 RCX: 0000000000000073
RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8b394d70e410
RBP: 0000000000000001 R08: ffffffffc0616000 R09: ffff8b396bfa3000
R10: 0000000000000000 R11: 0000000000000390 R12: ffff8b394f003800
R13: 0000000000000000 R14: ffff8b3771c19630 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8b396bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1944469000 CR3: 00000001ebe09000 CR4: 00000000000006f0
Call Trace:
<IRQ>
ir_do_keyup.part.5+0x22/0x90 [rc_core]
rc_keyup+0x37/0x50 [rc_core]
usb_rx_callback_intf0+0x79/0x90 [imon]
__usb_hcd_giveback_urb+0x90/0x130
uhci_giveback_urb+0xab/0x250
uhci_scan_schedule.part.34+0x806/0xb00
uhci_irq+0xab/0x150
usb_hcd_irq+0x22/0x30
__handle_irq_event_percpu+0x3a/0x180
handle_irq_event_percpu+0x30/0x70
handle_irq_event+0x27/0x50
handle_fasteoi_irq+0x6b/0x110
handle_irq+0xa5/0x100
do_IRQ+0x41/0xc0
common_interrupt+0x96/0x96
</IRQ>
RIP: 0010:cpuidle_enter_state+0x9a/0x2d0
RSP: 0018:ffffffffa3e03e88 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffda
RAX: ffff8b396bc1a000 RBX: 00000010da7bcd63 RCX: 00000010da7bccf6
RDX: 00000010da7bcd63 RSI: 00000010da7bcd63 RDI: 0000000000000000
RBP: ffff8b394f587400 R08: 0000000000000000 R09: 0000000000000002
R10: ffffffffa3e03e48 R11: 0000000000000390 R12: 0000000000000003
R13: ffffffffa3ebf018 R14: 0000000000000000 R15: 00000010da7ba772
? cpuidle_enter_state+0x8d/0x2d0
do_idle+0x17b/0x1d0
cpu_startup_entry+0x6f/0x80
start_kernel+0x4a7/0x4c7
secondary_startup_64+0xa5/0xb0
Code: e7 5b 5d 41 5c e9 84 88 05 00 0f 1f 40 00 66 66 66 66 90 65 8b 05 e4 6f ef 5c a9 00 00 0f 00 53 48 89 fb 74 16 f6 47 22 20 75 10 <0f> ff 48 89 df e8 89 f1 ff ff 85 c0 79 0e f3 90 48 89 df e8 7b
Fixes: b2c96ba352b5 ("media: cec: move cec autorepeat handling to rc-core")
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Since commit 9c7fd60e951d ("media: rc: Replace timeval with ktime_t in
imon.c"), the function tv2int() is no longer used. Remove it.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Another device with the 0xffdc device id, this one with 0x26 in the
config byte. Its an iMON Inside + iMON IR. It does respond to rc-6,
but seems to produce random garbage rather than a scancode.
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The agreed format is to use /* */ comments inside header
files. Unfortunately, I ended by using // on a few ones.
Reported-by: Andi Shyti <andi.shyti@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
s5p_jpeg_runtime_resume() does not call clk_disable_unprepare()
for jpeg->clocks[0] when one of the clk_prepare_enable() fails.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Acked-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Support for Exynos4212 SoCs has been removed by commit bca9085e0ae9
("ARM: dts: exynos: remove Exynos4212 support (dead code)"), so there
is no need to keep remaining dead code related to this SoC version.
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Driver calls request_firmware() whenever the device is opened for the
first time. As the device gets opened and closed, dev->num_inst == 1
is true several times. This is not necessary since the firmware is saved
in the fw_buf. s5p_mfc_load_firmware() copies the buffer returned by
the request_firmware() to dev->fw_buf.
fw_buf sticks around until it gets released from s5p_mfc_remove(), hence
there is no need to keep requesting firmware and copying it to fw_buf.
This might have been overlooked when changes are made to free fw_buf from
the device release interface s5p_mfc_release().
Fix s5p_mfc_load_firmware() to call request_firmware() once and keep state.
Change _probe() to load firmware once fw_buf has been allocated.
s5p_mfc_open() and it continues to call s5p_mfc_load_firmware() and init
hardware which is the step where firmware is written to the device.
This addresses the mfc_mutex contention due to repeated request_firmware()
calls from open() in the following circular locking warning:
[ 552.194115] qtdemux0:sink/2710 is trying to acquire lock:
[ 552.199488] (&dev->mfc_mutex){+.+.}, at: [<bf145544>] s5p_mfc_mmap+0x28/0xd4 [s5p_mfc]
[ 552.207459]
but task is already holding lock:
[ 552.213264] (&mm->mmap_sem){++++}, at: [<c01df2e4>] vm_mmap_pgoff+0x44/0xb8
[ 552.220284]
which lock already depends on the new lock.
[ 552.228429]
the existing dependency chain (in reverse order) is:
[ 552.235881]
-> #2 (&mm->mmap_sem){++++}:
[ 552.241259] __might_fault+0x80/0xb0
[ 552.245331] filldir64+0xc0/0x2f8
[ 552.249144] call_filldir+0xb0/0x14c
[ 552.253214] ext4_readdir+0x768/0x90c
[ 552.257374] iterate_dir+0x74/0x168
[ 552.261360] SyS_getdents64+0x7c/0x1a0
[ 552.265608] ret_fast_syscall+0x0/0x28
[ 552.269850]
-> #1 (&type->i_mutex_dir_key#2){++++}:
[ 552.276180] down_read+0x48/0x90
[ 552.279904] lookup_slow+0x74/0x178
[ 552.283889] walk_component+0x1a4/0x2e4
[ 552.288222] link_path_walk+0x174/0x4a0
[ 552.292555] path_openat+0x68/0x944
[ 552.296541] do_filp_open+0x60/0xc4
[ 552.300528] file_open_name+0xe4/0x114
[ 552.304772] filp_open+0x28/0x48
[ 552.308499] kernel_read_file_from_path+0x30/0x78
[ 552.313700] _request_firmware+0x3ec/0x78c
[ 552.318291] request_firmware+0x3c/0x54
[ 552.322642] s5p_mfc_load_firmware+0x54/0x150 [s5p_mfc]
[ 552.328358] s5p_mfc_open+0x4e4/0x550 [s5p_mfc]
[ 552.333394] v4l2_open+0xa0/0x104 [videodev]
[ 552.338137] chrdev_open+0xa4/0x18c
[ 552.342121] do_dentry_open+0x208/0x310
[ 552.346454] path_openat+0x28c/0x944
[ 552.350526] do_filp_open+0x60/0xc4
[ 552.354512] do_sys_open+0x118/0x1c8
[ 552.358586] ret_fast_syscall+0x0/0x28
[ 552.362830]
-> #0 (&dev->mfc_mutex){+.+.}:
-> #0 (&dev->mfc_mutex){+.+.}:
[ 552.368379] lock_acquire+0x6c/0x88
[ 552.372364] __mutex_lock+0x68/0xa34
[ 552.376437] mutex_lock_interruptible_nested+0x1c/0x24
[ 552.382086] s5p_mfc_mmap+0x28/0xd4 [s5p_mfc]
[ 552.386939] v4l2_mmap+0x54/0x88 [videodev]
[ 552.391601] mmap_region+0x3a8/0x638
[ 552.395673] do_mmap+0x330/0x3a4
[ 552.399400] vm_mmap_pgoff+0x90/0xb8
[ 552.403472] SyS_mmap_pgoff+0x90/0xc0
[ 552.407632] ret_fast_syscall+0x0/0x28
[ 552.411876]
other info that might help us debug this:
[ 552.419848] Chain exists of:
&dev->mfc_mutex --> &type->i_mutex_dir_key#2 --> &mm->mmap_sem
[ 552.431200] Possible unsafe locking scenario:
[ 552.437092] CPU0 CPU1
[ 552.441598] ---- ----
[ 552.446104] lock(&mm->mmap_sem);
[ 552.449484] lock(&type->i_mutex_dir_key#2);
[ 552.456329] lock(&mm->mmap_sem);
[ 552.462222] lock(&dev->mfc_mutex);
[ 552.465775]
*** DEADLOCK ***
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
s5p_mfc_load_firmware() will not get called if fw_buf.virt allocation
fails. The allocation happens very early on in the probe routine and
probe fails if allocation fails.
There is no need to check if it is null in s5p_mfc_load_firmware().
Remove the check.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Setting both V4L2_CAP_VIDEO_CAPTURE_MPLANE and V4L2_CAP_VIDEO_OUTPUT_MPLANE
for mem2mem video nodes is obsolete since commit f0476a83d61a ("[media]
V4L: Add capability flags for memory-to-memory devices"). It was enough
time to adapt all users to the new flags, so drop the legacy caps for now
to match other mem2mem drivers.
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Setting both V4L2_CAP_VIDEO_CAPTURE_MPLANE and V4L2_CAP_VIDEO_OUTPUT_MPLANE
for mem2mem video nodes is obsolete since commit f0476a83d61a ("[media]
V4L: Add capability flags for memory-to-memory devices"). It was enough
time to adapt all users to the new flags, so drop the legacy caps for now
to match other mem2mem drivers.
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
We copy the subdev frame format from a partially initialized
structure, which is not entirely well-defined. Older compilers
like gcc-4.4 can copy uninitialized stack data here and warn
about it:
drivers/media/platform/exynos4-is/fimc-isp.c: In function 'fimc_isp_subdev_open':
drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.reserved[10u]' may be used uninitialized in this function
drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.reserved[9u]' may be used uninitialized in this function
...
drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.reserved[0u]' may be used uninitialized in this function
drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.xfer_func' may be used uninitialized in this function
On newer compilers, only the initialized fields get copied, but
we should not rely on that, so this changes the code to zero-out
the remaining fields first.
Fixes: 9a761e436843 ("[media] exynos4-is: Add Exynos4x12 FIMC-IS driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
This patch fixes the menu_skip_mask field initialization and
addresses a following issue found by the SVACE static analysis:
* NO_EFFECT.SELF: assignment to self in expression 'cfg.menu_skip_mask = cfg.menu_skip_mask'
No effect at drivers/media/platform/s5p-mfc/s5p_mfc_enc.c:2083
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The driver may sleep under a spinlock.
The function call path is:
bdisp_device_run (acquire the spinlock)
bdisp_hw_update
bdisp_hw_save_request
devm_kzalloc(GFP_KERNEL) --> may sleep
To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
This bug is found by my static analysis tool(DSAC) and checked by my code review.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reviewed-by: Fabien Dessenne <fabien.dessenne@st.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Currently videobuf2-dma-sg checks for dma direction for
every single page and videobuf2-dc lacks any dma direction
checks and calls set_page_dirty_lock unconditionally.
Thus unify and align the invocations of set_page_dirty_lock
for videobuf2-dc, videobuf2-sg memory allocators with
videobuf2-vmalloc, i.e. the pattern used in vmalloc has been
copied to dc and dma-sg.
Suggested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The pvrusb2 code appears to have a some old workaround code for xawtv that causes a
WARN() due to an unrecognized pixelformat 0 in v4l2_ioctl.c.
Since all other MPEG drivers fill this in correctly, it is a safe assumption that
this particular problem no longer exists.
While I'm at it, clean up the code a bit.
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
V4L2_BUF_FLAG_LAST is a signal from the driver to userspace for buffers
on the capture queue. When userspace queues back a capture buffer with
the flag set, we should clear it.
Otherwise, if userspace restarts streaming after EOS, without
reallocating the buffers, mem2mem devices will erroneously signal EOS
prematurely, as soon as the already flagged buffer is dequeued.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The mvcol buffer needs to be placed behind the chroma plane(s) when
decoding MPEG-4, same as for the h.264 decoder. Use the real offset
with the required rounding.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The MPEG-4 decoder mvcol buffer was registered, but its size not added
to a frame buffer allocation. This could cause the decoder to write past
the end of the allocated buffer for large frame sizes.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
We need internal frames to be rounded up to full macroblocks for MPEG-4
decoding as well.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Since bytesperline always fulfills VDOA width requirements, detile the
whole buffer instead of limiting to visible width. This stops TRY_FMT
from returning -EINVAL for YUYV capture buffers that are not a multiple
of 16 wide.
An alternative would be to always round up width to stride, as we report
the valid image rectange via G_SELECTION (V4L2_SEL_TGT_COMPOSE_DEFAULT),
but that would require all applications to handle the compose default
rectangle properly.
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The current driver implementation expects at least one buffer on
all queues to start streaming. Properly signal this to the vb2
core, to avoid confusion when streamon is racing with qbuf.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
pxa_camera_probe() was not calling pxa_camera_deactivate(),
responsible to call clk_disable_unprepare(), on the failure path. This
was leading to unbalancing source clock.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
videobuf2 core reports an error when not all buffers have been returned
to the framework:
drivers/media/v4l2-core/videobuf2-core.c:1651
WARN_ON(atomic_read(&q->owned_by_drv_count))
Fix this returning all buffers currently in capture queue.
Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Convert V4L2_SUBDEV_IO_PIN_* to enums, use BIT() and document
via kernel-doc.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The color structs right now are just "color" and "color16".
That may lead into conflicts, and don't define precisely what
they meant. As those are used by two drivers (vivid and vimc),
this is even on a somewhat public header!
So rename them to:
color -> tpg_rbg_color8
color16 -> tpg_rbg_color16
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
The v4l2-tpg*.h headers are meant to be used only internally by
vivid and vimc. There's no sense keeping them together with the
V4L2 kAPI headers. Also, one header includes the other as they're
meant to be used together. So, merge them.
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
In the past, the same I2C address were used on multiple places.
After I2C rebinding changes, this is no longer needed. So, we
can just get rid of this header, placing the I2C address where
they belong, e. g. either at bttv driver or at tvtuner.
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
Using enums makes easier to document, as it can use kernel-doc
markups. It also allows cross-referencing, with increases the
kAPI readability.
Please notice that now cx88_querycap() has to have a default for
the VFL type, as there are more types than supported by the driver.
Acked-By: Mike Isely <isely@pobox.com>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
There are several helper functions that aren't documented.
Document them.
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
This struct is there just two store two arguments of
v4l2_find_nearest_format(). The other two arguments are passed
as parameter.
IMHO, there isn't much sense on doing that, and that will just
add one more struct to document ;)
So, let's get rid of the struct, passing the parameters directly.
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
There are some nested structs on this header, with aren't
properly document them.
This should solve some warnings after the addition of
a patche at kernel-doc adding support for nested structs/unions.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
There are some nested structs on this header, with aren't
properly document them.
This should solve some warnings after the addition of
a patche at kernel-doc adding support for nested structs/unions.
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
|
A typical code fragment was copied across many dvb-frontend drivers and
causes large stack frames when built with with CONFIG_KASAN on gcc-5/6/7:
drivers/media/dvb-frontends/cxd2841er.c:3225:1: error: the frame size of 3992 bytes is larger than 3072 bytes [-Werror=frame-larger-than=]
drivers/media/dvb-frontends/cxd2841er.c:3404:1: error: the frame size of 3136 bytes is larger than 3072 bytes [-Werror=frame-larger-than=]
drivers/media/dvb-frontends/stv0367.c:3143:1: error: the frame size of 4016 bytes is larger than 3072 bytes [-Werror=frame-larger-than=]
drivers/media/dvb-frontends/stv090x.c:3430:1: error: the frame size of 5312 bytes is larger than 3072 bytes [-Werror=frame-larger-than=]
drivers/media/dvb-frontends/stv090x.c:4248:1: error: the frame size of 4872 bytes is larger than 3072 bytes [-Werror=frame-larger-than=]
gcc-8 now solves this by consolidating the stack slots for the argument
variables, but on older compilers we can get the same behavior by taking
the pointer of a local variable rather than the inline function argument.
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
|
