- 23 Jan, 2020 3 commits
-
-
Will Deacon authored
Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked up the following WARNING from the UVC chain scanning code: | list_add double add: new=ffff880069084010, prev=ffff880069084010, | next=ffff880067d22298. | ------------[ cut here ]------------ | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0 | Modules linked in: | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted | 4.14.0-rc2-42613-g1488251d1a98 #238 | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 | Workqueue: usb_hub_wq hub_event | task: ffff88006b01ca40 task.stack: ffff880064358000 | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29 | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286 | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000 | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000 | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010 | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0 | FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000 | CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0 | Call Trace: | __list_add ./include/linux/list.h:59 | list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92 | uvc_scan_chain_forward.isra.8+0x373/0x416 | drivers/media/usb/uvc/uvc_driver.c:1471 | uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585 | uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769 | uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104 Looking into the output from usbmon, the interesting part is the following data packet: ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080 00090403 00000e01 00000924 03000103 7c003328 010204db If we drop the lead configuration and interface descriptors, we're left with an output terminal descriptor describing a generic display: /* Output terminal descriptor */ buf[0] 09 buf[1] 24 buf[2] 03 /* UVC_VC_OUTPUT_TERMINAL */ buf[3] 00 /* ID */ buf[4] 01 /* type == 0x0301 (UVC_OTT_DISPLAY) */ buf[5] 03 buf[6] 7c buf[7] 00 /* source ID refers to self! */ buf[8] 33 The problem with this descriptor is that it is self-referential: the source ID of 0 matches itself! This causes the 'struct uvc_entity' representing the display to be added to its chain list twice during 'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is processed directly from the 'dev->entities' list and then again immediately afterwards when trying to follow the source ID in 'uvc_scan_chain_forward()' Add a check before adding an entity to a chain list to ensure that the entity is not already part of a chain. Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/ Cc: <stable@vger.kernel.org> Fixes: c0efd232 ("V4L/DVB (8145a): USB Video Class driver") Reported-by:
Andrey Konovalov <andreyknvl@google.com> Signed-off-by:
Will Deacon <will@kernel.org> Signed-off-by:
Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by:
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
-
Jonas Karlman authored
The RK3399 variant does not have postproc_regs declared, this can cause a NULL pointer dereference trying to decode: [ 89.331359] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 89.352804] Call trace: [ 89.353191] hantro_postproc_disable+0x20/0xe8 [hantro_vpu] [ 89.354056] hantro_start_prepare_run+0x58/0x68 [hantro_vpu] [ 89.354923] hantro_h264_dec_prepare_run+0x30/0x6f0 [hantro_vpu] [ 89.355846] rk3399_vpu_h264_dec_run+0x1c/0x14a8 [hantro_vpu] [ 89.356748] device_run+0xa4/0xb8 [hantro_vpu] Fix this by adding a NULL check in hantro_postproc_enable/disable. Fixes: 8c2d66b0 ("media: hantro: Support color conversion via post-processing") Signed-off-by:
Jonas Karlman <jonas@kwiboo.se> Signed-off-by:
Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by:
-
Niklas Söderlund authored
When aligning the format the pixel format that is being processed shall be used to figure out alignment constraints, not the currently active pixel format. The alignment might be part of a try operation and shall not be effected by the active format. Fix this by looking at the correct pixel format. Signed-off-by:
Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se> Reviewed-by:
-
- 09 Jan, 2020 33 commits
-
-
Helen Koike authored
Add MAINTAINERS entry for the rockchip isp1 driver. Signed-off-by:
Helen Koike <helen.koike@collabora.com> Signed-off-by:
-
Helen Koike authored
Add TODO file with requirements to move this driver out of staging. Signed-off-by:
-
Jacob Chen authored
This commit add document for rkisp1 meta buffer format Signed-off-by:
Jacob Chen <jacob2.chen@rock-chips.com> Signed-off-by:
-
Jacob Chen authored
Add the output video driver that accept parameters from userspace. Signed-off-by:
Shunqian Zheng <zhengsq@rock-chips.com> Signed-off-by:
Yichong Zhong <zyc@rock-chips.com> Signed-off-by:
Jacob Chen <cc@rock-chips.com> Signed-off-by:
Eddie Cai <eddie.cai.linux@gmail.com> Signed-off-by:
Jeffy Chen <jeffy.chen@rock-chips.com> Signed-off-by:
Allon Huang <allon.huang@rock-chips.com> Signed-off-by:
Tomasz Figa <tfiga@chromium.org> Signed-off-by:
-
Jacob Chen authored
Add the capture video driver for rockchip isp1 statistics block. Signed-off-by:
-
Jeffy Chen authored
Add the header for userspace Signed-off-by:
-
Helen Koike authored
Add v4l2 capture device interface to rkisp1 driver, allowing users to get frames from ISP1. ISP1 has two major streaming paths, mainpah and selfpah, with different capabilities. Each one has an independent crop and resizer, thus add a capture video device and a resizer subdevice for each of the paths. Signed-off-by:
Ezequiel Garcia <ezequiel@collabora.com> Signed-off-by:
-
Helen Koike authored
Add base driver for Rockchip Image Signal Processing v1 Unit, with isp subdevice and sensor biddings. [fixed compilation and run time errors regarding new v4l2 async API] Signed-off-by:
-
Ezequiel Garcia authored
Add driver for Rockchip MIPI Synopsys DPHY driver Signed-off-by:
-
Helen Koike authored
Add yaml DT bindings for Rockchip MIPI D-PHY RX This was tested and verified with: mv drivers/staging/media/phy-rockchip-dphy-rx0/Documentation/devicetree/bindings/phy/rockchip-mipi-dphy-rx0.yaml Documentation/devicetree/bindings/phy/ make dt_binding_check DT_SCHEMA_FILES=Documentation/devicetree/bindings/phy/rockchip-mipi-dphy-rx0.yaml make dtbs_check DT_SCHEMA_FILES=Documentation/devicetree/bindings/phy/rockchip-mipi-dphy-rx0.yaml Signed-off-by:
Rob Herring <robh@kernel.org> Signed-off-by:
-
Helen Koike authored
Add yaml DT bindings for Rockchip ISP1. This was tested and verified with: mv drivers/staging/media/rkisp1/Documentation/devicetree/bindings/media/rockchip-isp1.yaml Documentation/devicetree/bindings/media/ make dt_binding_check DT_SCHEMA_FILES=Documentation/devicetree/bindings/media/rockchip-isp1.yaml make dtbs_check DT_SCHEMA_FILES=Documentation/devicetree/bindings/media/rockchip-isp1.yaml Signed-off-by:
-
Johan Hovold authored
Make sure to use the current alternate setting, which need not be the first one by index, when verifying the endpoint descriptors and initialising the URBs. Failing to do so could cause the driver to misbehave or trigger a WARN() in usb_submit_urb() that kernels with panic_on_warn set would choke on. Fixes: 26ff6313 ("[media] Add support for the IguanaWorks USB IR Transceiver") Fixes: ab1cbdf1 ("media: iguanair: add sanity checks") Cc: stable <stable@vger.kernel.org> # 3.6 Cc: Oliver Neukum <oneukum@suse.com> Signed-off-by:
Johan Hovold <johan@kernel.org> Signed-off-by:
Sean Young <sean@mess.org> Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
Wolfram Sang <wsa+renesas@sang-engineering.com> Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Reviewed-by:
Patrice Chotard <patrice.chotard@st.com> Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Wolfram Sang authored
Use the newer API returning an ERRPTR and use the new helper to bail out. Signed-off-by:
-
Dan Carpenter authored
This can't be NULL and we've already dereferenced it so let's remove the check. Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Colin Ian King authored
In the case where v4l2_event_dequeue fails the structure ev is not being filled and this garbage data from the stack is being copied to the ev32 structure and being copied back to userspace on the VIDIOC_DQEVENT_TIME32 ioctl. Fix this by ensuring the ev structure is zero'd to ensure uninitialized data is not leaked back. Addresses-Coverity: ("Uninitialized scalar variable") Fixes: 1a6c0b36 ("media: v4l2-core: fix VIDIOC_DQEVENT for time64 ABI") Signed-off-by:Colin Ian King <colin.king@canonical.com> Acked-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
Alexandre Courbot authored
Despite using M2M in both the decoder and encoder, this driver used vb2_v4l2_buffer as its base buffer structure, and placed a list_head right after the buffer declaration in order to match the layout of a v4l2_m2m_buffer. This is very dangerous as it means the driver will break should the layout of v4l2_m2m_buffer change. Fix this by directly using v4l2_m2m_buffer and updating the sites that accessed the buffer accordingly. Signed-off-by:
Alexandre Courbot <acourbot@chromium.org> Signed-off-by:
-
Aditya Pakki authored
In vpfe_register_ccdc_device(), failure to allocate dev->hw_ops fields calls BUG_ON(). This patch returns the error to callers instead of crashing. The issue was identified by a static analysis tool, written by us. Signed-off-by:
Aditya Pakki <pakki001@umn.edu> Signed-off-by:
-
Jernej Skrabec authored
Add luma bit depth. Signed-off-by:
Jernej Skrabec <jernej.skrabec@siol.net> Acked-by:
Paul Kocialkowski <paul.kocialkowski@bootlin.com> Signed-off-by:
-
Jernej Skrabec authored
It seems that for some HEVC videos at least one bitstream parsing trigger must be called in order to be decoded correctly. There is no explanation why this helps, but it was observed that several videos with this fix are now decoded correctly and there is no regression with others. Without this fix, those same videos totally crash HEVC decoder (other decoder engines are unaffected). After decoding those problematic videos, HEVC decoder always returns only green image (all zeros). Only complete HW reset helps. This fix is similar to that for H264. Signed-off-by:
-
- 08 Jan, 2020 4 commits
-
-
Hans Verkuil authored
Remove several functions that are no longer used now that the conversion of cec drivers to cec_notifier_conn_(un)register() and cec_notifier_cec_adap_(un)register() is complete. Signed-off-by:
-
Jia-Ju Bai authored
The driver may sleep while holding a spinlock. The function call path (from bottom to top) in Linux 4.19 is: drivers/media/platform/sti/bdisp/bdisp-hw.c, 385: msleep in bdisp_hw_reset drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 341: bdisp_hw_reset in bdisp_device_run drivers/media/platform/sti/bdisp/bdisp-v4l2.c, 317: _raw_spin_lock_irqsave in bdisp_device_run To fix this bug, msleep() is replaced with udelay(). This bug is found by a static analysis tool STCheck written by myself. Signed-off-by:Jia-Ju Bai <baijiaju1990@gmail.com> Reviewed-by:
Fabien Dessenne <fabien.dessenne@st.com> Signed-off-by:
-
Ma Feng authored
Fixes coccicheck warning: drivers/media/usb/pvrusb2/pvrusb2-encoder.c:288:2-3: Unneeded semicolon Reported-by:
Hulk Robot <hulkci@huawei.com> Signed-off-by:
Ma Feng <mafeng.ma@huawei.com> Signed-off-by:
-
Helen Koike authored
boundary->width and boundary->height are sizes relative to boundary->left and boundary->top coordinates, but they were not being taken into consideration to adjust r->left and r->top, leading to the following error: Consider the follow as initial values for boundary and r: struct v4l2_rect boundary = { .left = 100, .top = 100, .width = 800, .height = 600, } struct v4l2_rect r = { .left = 0, .top = 0, .width = 1920, .height = 960, } calling v4l2_rect_map_inside(&r, &boundary) was modifying r to: r = { .left = 0, .top = 0, .width = 800, .height = 600, } Which is wrongly outside the boundary rectangle, because: v4l2_rect_set_max_size(r, boundary); // r->width = 800, r->height = 600 ... if (r->left + r->width > boundary->width) // true r->left = boundary->width - r->width; // r->left = 800 - 800 if (r->top + r->height > boundary->height) // true r->top = boundary->height - r->height; // r->height = 600 - 600 Fix this by considering top/left coordinates from boundary. Fixes: ac49de8c ("[media] v4l2-rect.h: new header with struct v4l2_rect helper functions") Signed-off-by:
-
