From bec2ddfd39f07ac2c1dec9fd5299424ad75c0a9d Mon Sep 17 00:00:00 2001 From: Laurent Pinchart Date: Sun, 23 Aug 2020 07:02:57 +0200 Subject: [PATCH 01/10] media: ti-vpe: cal: Fix compilation on 32-bit ARM When compiled on 32-bit ARM, the CAL driver fails with the FIELD_PREP() macro complaining that the mask is not constant. While all callers of the inline cal_write_field() function pass a constant mask, the mask parameter itself is a variable, which likely doesn't please the compiler. Fix it by replacing FIELD_PREP() with a manual implementation. Fixes: 50797fb30b95 ("media: ti-vpe: cal: Turn reg_(read|write)_field() into inline functions") Signed-off-by: Laurent Pinchart Reviewed-by: Sakari Ailus Reported-by: Sakari Ailus Reviewed-by: Tomi Valkeinen Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- drivers/media/platform/ti-vpe/cal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/ti-vpe/cal.h b/drivers/media/platform/ti-vpe/cal.h index e496083715d2..4123405ee0cf 100644 --- a/drivers/media/platform/ti-vpe/cal.h +++ b/drivers/media/platform/ti-vpe/cal.h @@ -226,7 +226,7 @@ static inline void cal_write_field(struct cal_dev *cal, u32 offset, u32 value, u32 val = cal_read(cal, offset); val &= ~mask; - val |= FIELD_PREP(mask, value); + val |= (value << __ffs(mask)) & mask; cal_write(cal, offset, val); } From 4ffb879ea648c2b42da4ca992ed3db87e564af69 Mon Sep 17 00:00:00 2001 From: Peilin Ye Date: Mon, 27 Jul 2020 10:00:02 +0200 Subject: [PATCH 02/10] media: media/v4l2-core: Fix kernel-infoleak in video_put_user() video_put_user() is copying uninitialized stack memory to userspace due to the compiler not initializing holes in the structures declared on the stack. Fix it by initializing `ev32` and `vb32` using memset(). Reported-and-tested-by: syzbot+79d751604cb6f29fbf59@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=79d751604cb6f29fbf59 Cc: stable@vger.kernel.org Fixes: 1a6c0b36dd19 ("media: v4l2-core: fix VIDIOC_DQEVENT for time64 ABI") Fixes: 577c89b0ce72 ("media: v4l2-core: fix v4l2_buffer handling for time64 ABI") Reviewed-by: Laurent Pinchart Reviewed-by: Arnd Bergmann Signed-off-by: Peilin Ye Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- drivers/media/v4l2-core/v4l2-ioctl.c | 50 +++++++++++++++------------- 1 file changed, 27 insertions(+), 23 deletions(-) diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c index a556880f225a..e3a25ea913ac 100644 --- a/drivers/media/v4l2-core/v4l2-ioctl.c +++ b/drivers/media/v4l2-core/v4l2-ioctl.c @@ -3189,14 +3189,16 @@ static int video_put_user(void __user *arg, void *parg, unsigned int cmd) #ifdef CONFIG_COMPAT_32BIT_TIME case VIDIOC_DQEVENT_TIME32: { struct v4l2_event *ev = parg; - struct v4l2_event_time32 ev32 = { - .type = ev->type, - .pending = ev->pending, - .sequence = ev->sequence, - .timestamp.tv_sec = ev->timestamp.tv_sec, - .timestamp.tv_nsec = ev->timestamp.tv_nsec, - .id = ev->id, - }; + struct v4l2_event_time32 ev32; + + memset(&ev32, 0, sizeof(ev32)); + + ev32.type = ev->type; + ev32.pending = ev->pending; + ev32.sequence = ev->sequence; + ev32.timestamp.tv_sec = ev->timestamp.tv_sec; + ev32.timestamp.tv_nsec = ev->timestamp.tv_nsec; + ev32.id = ev->id; memcpy(&ev32.u, &ev->u, sizeof(ev->u)); memcpy(&ev32.reserved, &ev->reserved, sizeof(ev->reserved)); @@ -3210,21 +3212,23 @@ static int video_put_user(void __user *arg, void *parg, unsigned int cmd) case VIDIOC_DQBUF_TIME32: case VIDIOC_PREPARE_BUF_TIME32: { struct v4l2_buffer *vb = parg; - struct v4l2_buffer_time32 vb32 = { - .index = vb->index, - .type = vb->type, - .bytesused = vb->bytesused, - .flags = vb->flags, - .field = vb->field, - .timestamp.tv_sec = vb->timestamp.tv_sec, - .timestamp.tv_usec = vb->timestamp.tv_usec, - .timecode = vb->timecode, - .sequence = vb->sequence, - .memory = vb->memory, - .m.userptr = vb->m.userptr, - .length = vb->length, - .request_fd = vb->request_fd, - }; + struct v4l2_buffer_time32 vb32; + + memset(&vb32, 0, sizeof(vb32)); + + vb32.index = vb->index; + vb32.type = vb->type; + vb32.bytesused = vb->bytesused; + vb32.flags = vb->flags; + vb32.field = vb->field; + vb32.timestamp.tv_sec = vb->timestamp.tv_sec; + vb32.timestamp.tv_usec = vb->timestamp.tv_usec; + vb32.timecode = vb->timecode; + vb32.sequence = vb->sequence; + vb32.memory = vb->memory; + vb32.m.userptr = vb->m.userptr; + vb32.length = vb->length; + vb32.request_fd = vb->request_fd; if (copy_to_user(arg, &vb32, sizeof(vb32))) return -EFAULT; From 2e7c8fb8942773f412fe12f3b63e8bb92c18ab3f Mon Sep 17 00:00:00 2001 From: Hans Verkuil Date: Wed, 12 Aug 2020 12:30:33 +0200 Subject: [PATCH 03/10] media: vicodec: add missing v4l2_ctrl_request_hdl_put() The check for a required control in the request was missing a call to v4l2_ctrl_request_hdl_put(), so the control request object was never released. Signed-off-by: Hans Verkuil Fixes: 997deb811bf5 ("media: vicodec: Add support for stateless decoder.") Reviewed-by: Ezequiel Garcia Signed-off-by: Mauro Carvalho Chehab --- drivers/media/test-drivers/vicodec/vicodec-core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/test-drivers/vicodec/vicodec-core.c b/drivers/media/test-drivers/vicodec/vicodec-core.c index 8941d73f6611..71928e30dae8 100644 --- a/drivers/media/test-drivers/vicodec/vicodec-core.c +++ b/drivers/media/test-drivers/vicodec/vicodec-core.c @@ -1994,6 +1994,7 @@ static int vicodec_request_validate(struct media_request *req) } ctrl = v4l2_ctrl_request_hdl_ctrl_find(hdl, vicodec_ctrl_stateless_state.id); + v4l2_ctrl_request_hdl_put(hdl); if (!ctrl) { v4l2_info(&ctx->dev->v4l2_dev, "Missing required codec control\n"); From b30063976f29fc221a99d18d37d22ca035068aa9 Mon Sep 17 00:00:00 2001 From: Ezequiel Garcia Date: Thu, 13 Aug 2020 21:18:33 +0200 Subject: [PATCH 04/10] media: cedrus: Add missing v4l2_ctrl_request_hdl_put() The check for a required control in the request was missing a call to v4l2_ctrl_request_hdl_put() in the error path. Fix it. Fixes: 50e761516f2b8c ("media: platform: Add Cedrus VPU decoder driver") Signed-off-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab --- drivers/staging/media/sunxi/cedrus/cedrus.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c index bc27f9430eeb..7c6b91f0e780 100644 --- a/drivers/staging/media/sunxi/cedrus/cedrus.c +++ b/drivers/staging/media/sunxi/cedrus/cedrus.c @@ -199,6 +199,7 @@ static int cedrus_request_validate(struct media_request *req) struct v4l2_ctrl *ctrl_test; unsigned int count; unsigned int i; + int ret = 0; list_for_each_entry(obj, &req->objects, list) { struct vb2_buffer *vb; @@ -243,12 +244,16 @@ static int cedrus_request_validate(struct media_request *req) if (!ctrl_test) { v4l2_info(&ctx->dev->v4l2_dev, "Missing required codec control\n"); - return -ENOENT; + ret = -ENOENT; + break; } } v4l2_ctrl_request_hdl_put(hdl); + if (ret) + return ret; + return vb2_request_validate(req); } From bca82e3557ee1fbfbdacb09033a2d81ac76c86eb Mon Sep 17 00:00:00 2001 From: Jacopo Mondi Date: Mon, 22 Jun 2020 18:43:52 +0200 Subject: [PATCH 05/10] media: i2c: imx214: select V4L2_FWNODE After the recent conversion of the media build infrastructure to select V4L2 components instead of depending on their presence, which took place in: 32a363d0b0b14 ("media: Kconfig files: use select for V4L2 subdevs and MC") imx214 stands out as being the (only?) media I2C driver that still depends on a V4L2 core symbol instead of selecting it. This confuses the build system which claims it has detected a circular dependency when other drivers select the same symbol as the imx214 driver does. drivers/media/i2c/Kconfig:728:error: recursive dependency detected! drivers/media/i2c/Kconfig:728: symbol VIDEO_IMX214 depends on V4L2_FWNODE drivers/media/v4l2-core/Kconfig:71: symbol V4L2_FWNODE is selected by VIDEO_BCM2835_UNICAM drivers/media/platform/bcm2835/Kconfig:3: symbol VIDEO_BCM2835_UNICAM depends on VIDEO_V4L2_SUBDEV_API drivers/media/v4l2-core/Kconfig:19: symbol VIDEO_V4L2_SUBDEV_API depends on MEDIA_CONTROLLER drivers/media/Kconfig:168: symbol MEDIA_CONTROLLER is selected by VIDEO_IMX214 Fix this by making the imx214 driver select V4L2_FWNODE instead of depending on it and align it with all the other drivers. Fixes: 32a363d0b0b14 ("media: Kconfig files: use select for V4L2 subdevs and MC") Reviewed-by: Laurent Pinchart Signed-off-by: Jacopo Mondi Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab --- drivers/media/i2c/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/Kconfig b/drivers/media/i2c/Kconfig index 48ae60a2c603..fa5b7e04d1fc 100644 --- a/drivers/media/i2c/Kconfig +++ b/drivers/media/i2c/Kconfig @@ -741,7 +741,7 @@ config VIDEO_HI556 config VIDEO_IMX214 tristate "Sony IMX214 sensor support" depends on GPIOLIB && I2C && VIDEO_V4L2 - depends on V4L2_FWNODE + select V4L2_FWNODE select MEDIA_CONTROLLER select VIDEO_V4L2_SUBDEV_API select REGMAP_I2C From 8a30c017c99603b216907c2f7aa22d3afe4137c3 Mon Sep 17 00:00:00 2001 From: Sakari Ailus Date: Mon, 3 Aug 2020 11:07:06 +0200 Subject: [PATCH 06/10] media: max9286: Depend on OF_GPIO The driver expects struct gpio_chip has of_node field and that field is only there if CONFIG_OF_GPIO is defined. Fix this by changing the OF dependency to OF_GPIO. Reported-by: kernel test robot Signed-off-by: Sakari Ailus Reviewed-by: Kieran Bingham Signed-off-by: Mauro Carvalho Chehab --- drivers/media/i2c/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/Kconfig b/drivers/media/i2c/Kconfig index fa5b7e04d1fc..c7ba76fee599 100644 --- a/drivers/media/i2c/Kconfig +++ b/drivers/media/i2c/Kconfig @@ -467,7 +467,7 @@ config VIDEO_VPX3220 config VIDEO_MAX9286 tristate "Maxim MAX9286 GMSL deserializer support" depends on I2C && I2C_MUX - depends on OF + depends on OF_GPIO select V4L2_FWNODE select VIDEO_V4L2_SUBDEV_API select MEDIA_CONTROLLER From 4f0835d6677dc69263f90f976524cb92b257d9f4 Mon Sep 17 00:00:00 2001 From: Sean Young Date: Sat, 8 Aug 2020 13:19:12 +0200 Subject: [PATCH 07/10] media: rc: uevent sysfs file races with rc_unregister_device() Only report uevent file contents if device still registered, else we might read freed memory. Reported-by: syzbot+ceef16277388d6f24898@syzkaller.appspotmail.com Cc: Hillf Danton Cc: # 4.16+ Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab --- drivers/media/rc/rc-main.c | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c index 7b53066d9d07..e1cda80a4b25 100644 --- a/drivers/media/rc/rc-main.c +++ b/drivers/media/rc/rc-main.c @@ -1601,25 +1601,25 @@ static void rc_dev_release(struct device *device) kfree(dev); } -#define ADD_HOTPLUG_VAR(fmt, val...) \ - do { \ - int err = add_uevent_var(env, fmt, val); \ - if (err) \ - return err; \ - } while (0) - static int rc_dev_uevent(struct device *device, struct kobj_uevent_env *env) { struct rc_dev *dev = to_rc_dev(device); + int ret = 0; - if (dev->rc_map.name) - ADD_HOTPLUG_VAR("NAME=%s", dev->rc_map.name); - if (dev->driver_name) - ADD_HOTPLUG_VAR("DRV_NAME=%s", dev->driver_name); - if (dev->device_name) - ADD_HOTPLUG_VAR("DEV_NAME=%s", dev->device_name); + mutex_lock(&dev->lock); - return 0; + if (!dev->registered) + ret = -ENODEV; + if (ret == 0 && dev->rc_map.name) + ret = add_uevent_var(env, "NAME=%s", dev->rc_map.name); + if (ret == 0 && dev->driver_name) + ret = add_uevent_var(env, "DRV_NAME=%s", dev->driver_name); + if (ret == 0 && dev->device_name) + ret = add_uevent_var(env, "DEV_NAME=%s", dev->device_name); + + mutex_unlock(&dev->lock); + + return ret; } /* @@ -2011,14 +2011,14 @@ void rc_unregister_device(struct rc_dev *dev) del_timer_sync(&dev->timer_keyup); del_timer_sync(&dev->timer_repeat); - rc_free_rx_device(dev); - mutex_lock(&dev->lock); if (dev->users && dev->close) dev->close(dev); dev->registered = false; mutex_unlock(&dev->lock); + rc_free_rx_device(dev); + /* * lirc device should be freed with dev->registered = false, so * that userspace polling will get notified. From a2e2d73fa28136598e84db9d021091f1b98cbb1a Mon Sep 17 00:00:00 2001 From: Sean Young Date: Sat, 8 Aug 2020 13:38:02 +0200 Subject: [PATCH 08/10] media: rc: do not access device via sysfs after rc_unregister_device() Device drivers do not expect to have change_protocol or wakeup re-programming to be accesed after rc_unregister_device(). This can cause the device driver to access deallocated resources. Cc: # 4.16+ Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab --- drivers/media/rc/rc-main.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c index e1cda80a4b25..dee8a9f3d80a 100644 --- a/drivers/media/rc/rc-main.c +++ b/drivers/media/rc/rc-main.c @@ -1292,6 +1292,10 @@ static ssize_t store_protocols(struct device *device, } mutex_lock(&dev->lock); + if (!dev->registered) { + mutex_unlock(&dev->lock); + return -ENODEV; + } old_protocols = *current_protocols; new_protocols = old_protocols; @@ -1430,6 +1434,10 @@ static ssize_t store_filter(struct device *device, return -EINVAL; mutex_lock(&dev->lock); + if (!dev->registered) { + mutex_unlock(&dev->lock); + return -ENODEV; + } new_filter = *filter; if (fattr->mask) @@ -1544,6 +1552,10 @@ static ssize_t store_wakeup_protocols(struct device *device, int i; mutex_lock(&dev->lock); + if (!dev->registered) { + mutex_unlock(&dev->lock); + return -ENODEV; + } allowed = dev->allowed_wakeup_protocols; From 1451b93223bbe3b4e9c91fca6b451d00667c5bf0 Mon Sep 17 00:00:00 2001 From: Sean Young Date: Thu, 13 Aug 2020 11:08:49 +0200 Subject: [PATCH 09/10] media: gpio-ir-tx: spinlock is not needed to disable interrupts During bit-banging the IR on a gpio pin, we cannot be scheduled or have anything interrupt us, else the generated signal will be incorrect. Therefore, we need to disable interrupts on the local cpu. This also disables preemption. local_irq_disable() does exactly what we need and does not require a spinlock. Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab --- drivers/media/rc/gpio-ir-tx.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/drivers/media/rc/gpio-ir-tx.c b/drivers/media/rc/gpio-ir-tx.c index f33b443bfa47..c6cd2e6d8e65 100644 --- a/drivers/media/rc/gpio-ir-tx.c +++ b/drivers/media/rc/gpio-ir-tx.c @@ -19,8 +19,6 @@ struct gpio_ir { struct gpio_desc *gpio; unsigned int carrier; unsigned int duty_cycle; - /* we need a spinlock to hold the cpu while transmitting */ - spinlock_t lock; }; static const struct of_device_id gpio_ir_tx_of_match[] = { @@ -53,12 +51,11 @@ static int gpio_ir_tx_set_carrier(struct rc_dev *dev, u32 carrier) static void gpio_ir_tx_unmodulated(struct gpio_ir *gpio_ir, uint *txbuf, uint count) { - unsigned long flags; ktime_t edge; s32 delta; int i; - spin_lock_irqsave(&gpio_ir->lock, flags); + local_irq_disable(); edge = ktime_get(); @@ -72,14 +69,11 @@ static void gpio_ir_tx_unmodulated(struct gpio_ir *gpio_ir, uint *txbuf, } gpiod_set_value(gpio_ir->gpio, 0); - - spin_unlock_irqrestore(&gpio_ir->lock, flags); } static void gpio_ir_tx_modulated(struct gpio_ir *gpio_ir, uint *txbuf, uint count) { - unsigned long flags; ktime_t edge; /* * delta should never exceed 0.5 seconds (IR_MAX_DURATION) and on @@ -95,7 +89,7 @@ static void gpio_ir_tx_modulated(struct gpio_ir *gpio_ir, uint *txbuf, space = DIV_ROUND_CLOSEST((100 - gpio_ir->duty_cycle) * (NSEC_PER_SEC / 100), gpio_ir->carrier); - spin_lock_irqsave(&gpio_ir->lock, flags); + local_irq_disable(); edge = ktime_get(); @@ -128,19 +122,20 @@ static void gpio_ir_tx_modulated(struct gpio_ir *gpio_ir, uint *txbuf, edge = last; } } - - spin_unlock_irqrestore(&gpio_ir->lock, flags); } static int gpio_ir_tx(struct rc_dev *dev, unsigned int *txbuf, unsigned int count) { struct gpio_ir *gpio_ir = dev->priv; + unsigned long flags; + local_irq_save(flags); if (gpio_ir->carrier) gpio_ir_tx_modulated(gpio_ir, txbuf, count); else gpio_ir_tx_unmodulated(gpio_ir, txbuf, count); + local_irq_restore(flags); return count; } @@ -176,7 +171,6 @@ static int gpio_ir_tx_probe(struct platform_device *pdev) gpio_ir->carrier = 38000; gpio_ir->duty_cycle = 50; - spin_lock_init(&gpio_ir->lock); rc = devm_rc_register_device(&pdev->dev, rcdev); if (rc < 0) From ddecfc76979d5585847c76c4c489dcac389f86dd Mon Sep 17 00:00:00 2001 From: Christophe JAILLET Date: Sat, 15 Aug 2020 08:12:37 +0200 Subject: [PATCH 10/10] media: mceusb: Avoid GFP_ATOMIC where it is not needed There is no point in using GFP_ATOMIC here. It is a probe function, and GFP_KERNEL is already used the line before and the line after. Use GFP_KERNEL instead. Signed-off-by: Christophe JAILLET Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab --- drivers/media/rc/mceusb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c index f9616158bcf4..98681ba10428 100644 --- a/drivers/media/rc/mceusb.c +++ b/drivers/media/rc/mceusb.c @@ -1726,7 +1726,7 @@ static int mceusb_dev_probe(struct usb_interface *intf, goto mem_alloc_fail; ir->pipe_in = pipe; - ir->buf_in = usb_alloc_coherent(dev, maxp, GFP_ATOMIC, &ir->dma_in); + ir->buf_in = usb_alloc_coherent(dev, maxp, GFP_KERNEL, &ir->dma_in); if (!ir->buf_in) goto buf_in_alloc_fail;