- 30 Jan, 2018 13 commits
-
-
Daniel Mentz authored
The 32-bit compat v4l2 ioctl handling is implemented based on its 64-bit equivalent. It converts 32-bit data structures into its 64-bit equivalents and needs to provide the data to the 64-bit ioctl in user space memory which is commonly allocated using compat_alloc_user_space().

However, due to how that function is implemented, it can only be called a single time for every syscall invocation.

Supposedly to avoid this limitation, the existing code uses a mix of memory from the kernel stack and memory allocated through compat_alloc_user_space().

Under normal circumstances, this would not work, because the 64-bit ioctl expects all pointers to point to user space memory. As a workaround, set_fs(KERNEL_DS) is called to temporarily disable this extra safety check and allow kernel pointers. However, this might introduce a security vulnerability: The result of the 32-bit to 64-bit conversion is writeable by user space because the output buffer has been allocated via compat_alloc_user_space(). A malicious user space process could then manipulate pointers inside this output buffer, and due to the previous set_fs(KERNEL_DS) call, functions like get_user() or put_user() no longer prevent kernel memory access.

The new approach is to pre-calculate the total amount of user space memory that is needed, allocate it using compat_alloc_user_space() and then divide up the allocated memory to accommodate all data structures that need to be converted.

An alternative approach would have been to retain the union type karg that they allocated on the kernel stack in do_video_ioctl(), copy all data from user space into karg and then back to user space. However, we decided against this approach because it does not align with other compat syscall implementations. Instead, we tried to replicate the get_user/put_user pairs as found in other places in the kernel:

    if (get_user(clipcount, &up->clipcount) ||
        put_user(clipcount, &kp->clipcount))
            return -EFAULT;

Notes from hans.verkuil@cisco.com:

This patch was taken from:
https://github.com/LineageOS/android_kernel_samsung_apq8084/commit/97b733953c06e4f0398ade18850f0817778255f7

Clearly nobody could be bothered to upstream this patch or at minimum tell us :-( We only heard about this a week ago.

This patch was rebased and cleaned up. Compared to the original I also swapped the order of the convert_in_user arguments so that they matched copy_in_user. It was hard to review otherwise. I also replaced the ALLOC_USER_SPACE/ALLOC_AND_GET by a normal function.

Fixes: 6b5a9492 ("v4l: introduce string control support.")
Signed-off-by: Daniel Mentz <danielmentz@google.com>
Co-developed-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
Some ioctls need to copy back the result even if the ioctl returned an error. However, don't do this for the error code -ENOTTY. It makes no sense in that case.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
There is nothing wrong with using an unknown buffer type. So stop spamming the kernel log whenever this happens. The kernel will just return -EINVAL to signal this.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
put_v4l2_window32() didn't copy back the clip list to userspace. Drivers can update the clip rectangles, so this should be done.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
ctrl_is_pointer just hardcoded two known string controls, but that caused problems when using e.g. custom controls that use a pointer for the payload.

Reimplement this function: it now finds the v4l2_ctrl (if the driver uses the control framework) or it calls vidioc_query_ext_ctrl (if the driver implements that directly).

In both cases it can now check if the control is a pointer control or not.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
The struct v4l2_plane32 should set m.userptr as well. The same happens in v4l2_buffer32 and v4l2-compliance tests for this.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
Instead of doing sizeof(struct foo) use sizeof(*up). There even were cases where 4 * sizeof(__u32) was used instead of sizeof(kp->reserved), which is very dangerous when the size of the reserved array changes.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
These helper functions do not really help. Move the code to the __get/put_v4l2_format32 functions.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
The indentation of this source is all over the place. Fix this. This patch only changes whitespace.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
The result of the VIDIOC_PREPARE_BUF ioctl was never copied back to userspace since it was missing in the switch.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
If the ioctl returned -ENOTTY, then don't bother copying back the result as there is no point.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
Don't duplicate the buffer type checks in enum/g/s/try_fmt. The check_fmt function does that already.

It is hard to keep the checks in sync for all these functions and in fact the check for VBI was wrong in the _fmt functions as it allowed SDR types as well. This caused a v4l2-compliance failure for /dev/swradio0 using vivid.

This simplifies the code and keeps the check in one place and fixes the SDR/VBI bug.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
If the framebuffer is enabled and error injection is disabled, then creating the controls for the video output device would fail with an error.

This is because the Clear Framebuffer control uses the 'vivid control class' and that control class isn't added if error injection is disabled.

In addition, this control was added to e.g. vbi devices as well, which makes no sense.

Move this control to its own control handler and handle it correctly.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
- 29 Jan, 2018 4 commits
-
-
Mauro Carvalho Chehab authored
Do some cleanup of debug messages, making them cleaner and easier to be used to analyze what's going on.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Mauro Carvalho Chehab authored
When a packet discontinuity happens, it is not just the payload that was lost. The headers are lost too. So, the max size is not 184 but, instead 188.

Also, while printing warnings, make a distinction between MPEG-TS indicated discontinuity and detected one.

Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Mauro Carvalho Chehab authored
The XC2028_I2C_FLUSH only needs to be implemented on a few devices. Others can safely ignore it.

That prevents filling the dmesg with lots of messages like:

    dib0700: stk7700ph_xc3028_callback: unknown command 2, arg 0

Cc: stable@vger.kernel.org
Fixes: 4d37ece7 ("[media] tuner/xc2028: Add I2C flush callback")
Reported-by: Enrico Mioso <mrkiko.rs@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
-
Mauro Carvalho Chehab authored
Before this patch, when compiled for arm32, the signal strength was reported as:

    Lock (0x1f) Signal= 4294908.66dBm C/N= 12.79dB

Because of a 32 bit integer overflow. After it, it is properly reported as:

    Lock (0x1f) Signal= -58.64dBm C/N= 12.79dB

Cc: stable@vger.kernel.org
Fixes: 0f91c9d6 ("[media] TS2020: Calculate tuner gain correctly")
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
- 23 Jan, 2018 18 commits
-
-
Arnd Bergmann authored
When built on a platform without gpiolib support, we run into a couple of compile errors in ov7740, including:

    drivers/media/i2c/ov7740.c: In function 'ov7740_set_power':
    drivers/media/i2c/ov7740.c:307:4: error: implicit declaration of function 'gpiod_direction_output'; did you mean 'gpio_direction_output'? [-Werror=implicit-function-declaration]
        gpiod_direction_output(ov7740->pwdn_gpio, 0);
    drivers/media/i2c/ov7740.c:914:4: error: 'GPIOD_OUT_HIGH' undeclared (first use in this function); did you mean 'GPIOF_INIT_HIGH'?

Changing it to use the correct header file solves the problem.

Fixes: 39c5c447 ("media: i2c: Add the ov7740 image sensor driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sakari Ailus authored
Add nop variant of media_entity_cleanup. This allows calling media_entity_cleanup whether or not Media controller is enabled, simplifying driver code.

Also drop #ifdefs on a few drivers around media_entity_cleanup().

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hugues Fruchet authored
From time to time, stream on is failing with a strange positive error. Error code is returned erroneously by ov5640_set_ctrl_exposure() due to ov5640_get_vts() return value wrongly treated as error. Fix this by forcing ret to 0 after ov5640_get_vts() success call, in order that ret is set to success for the rest of the code sequence.

Signed-off-by: Hugues Fruchet <hugues.fruchet@st.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Yong Zhi authored
With "pages" initialized to vb length + 1 pages, the condition check if(!pages--) will break at one more page than intended, this can result in out-of-bound access to b->lop[i][j] when setting the last dummy page.

Fixes: c7cbef1f ("media: intel-ipu3: cio2: fix a crash with out-of-bounds access")
Signed-off-by: Yong Zhi <yong.zhi@intel.com>
Signed-off-by: Cao Bing Bu <bingbu.cao@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Arnd Bergmann authored
My earlier patch missed two functions, these must be __maybe_unused as well:

    drivers/media/pci/intel/ipu3/ipu3-cio2.c:1867:12: error: 'cio2_runtime_resume' defined but not used [-Werror=unused-function]
    drivers/media/pci/intel/ipu3/ipu3-cio2.c:1849:12: error: 'cio2_runtime_suspend' defined but not used [-Werror=unused-function]

Fixes: 2086dd35 ("media: intel-ipu3: cio2: mark PM functions as __maybe_unused")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
This directory contains the videobuf2 framework, so name the directory accordingly.

The name 'videobuf' typically refers to the old and deprecated videobuf version 1 framework so that was confusing.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Arnd Bergmann authored
The cobalt sound driver has a dependency on ALSA, but not on the PCM helper code, so this can lead to an extremely rare link error in randconfig builds:

    ERROR: "snd_pcm_period_elapsed" [drivers/media/pci/cobalt/cobalt.ko] undefined!
    ERROR: "_snd_pcm_stream_lock_irqsave" [drivers/media/pci/cobalt/cobalt.ko] undefined!
    ERROR: "snd_pcm_hw_constraint_integer" [drivers/media/pci/cobalt/cobalt.ko] undefined!
    ERROR: "snd_pcm_set_ops" [drivers/media/pci/cobalt/cobalt.ko] undefined!
    ERROR: "snd_pcm_stream_unlock_irqrestore" [drivers/media/pci/cobalt/cobalt.ko] undefined!
    ERROR: "snd_pcm_lib_ioctl" [drivers/media/pci/cobalt/cobalt.ko] undefined!
    ERROR: "snd_pcm_new" [drivers/media/pci/cobalt/cobalt.ko] undefined!

The other audio drivers select 'SND_PCM' for this, so let's do the same.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Arnd Bergmann authored
Without CONFIG_DMA_SHARED_BUFFER we run into a link error for the dma_buf_* APIs:

    ERROR: "dma_buf_map_attachment" [drivers/staging/media/tegra-vde/tegra-vde.ko] undefined!
    ERROR: "dma_buf_attach" [drivers/staging/media/tegra-vde/tegra-vde.ko] undefined!
    ERROR: "dma_buf_get" [drivers/staging/media/tegra-vde/tegra-vde.ko] undefined!
    ERROR: "dma_buf_put" [drivers/staging/media/tegra-vde/tegra-vde.ko] undefined!
    ERROR: "dma_buf_detach" [drivers/staging/media/tegra-vde/tegra-vde.ko] undefined!
    ERROR: "dma_buf_unmap_attachment" [drivers/staging/media/tegra-vde/tegra-vde.ko] undefined!

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hans Verkuil authored
Mention the maximum voltages of the CEC and HPD lines. Since in the example these lines are connected to a Raspberry Pi and the Rpi GPIO lines are 3.3V it is a good idea to warn against directly connecting the HPD to the Raspberry Pi's GPIO line.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Reviewed-by: Rob Herring <robh@kernel.org>
Cc: <stable@vger.kernel.org> # for v4.15
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Mauro Carvalho Chehab authored
As warned:

    drivers/media/i2c/dw9714.c: warning: incorrect type in initializer (different base types): => 64:19

Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sakari Ailus authored
The client field in driver's struct is redundant. Remove it.

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Tested-by: Rajmohan Mani <rajmohan.mani@intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sakari Ailus authored
Call pm_runtime_idle() at the end of the driver's probe() function to enable the device to reach low power state once probe() finishes.

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Tested-by: Rajmohan Mani <rajmohan.mani@intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
The rc5 protocol does not have a leading pulse or space, but we encode the first bit using a single leading pulse. For other protocols, the leading pulse or space does not represent any bit. So, don't remove the first bit if a leading pulse is present.

Cc: Antti Seppälä <a.seppala@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
The IR rc6 encoder sends the header using manchester encoding using 0 bits, which causes the following:

    UBSAN: Undefined behaviour in drivers/media/rc/rc-ir-raw.c:247:6
    shift exponent 4294967295 is too large for 64-bit type 'long long unsigned int'

So, allow the leader code to send a pulse and space and remove the unused pulse_space_start field.

Cc: Antti Seppälä <a.seppala@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
The ioctls change the current mode or return the current mode; they do not tell you which modes are possible (use the lirc features ioctl for that).

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
Since commit 9b619258 ("media: lirc: implement scancode sending"), and commit de142c32 ("media: lirc: implement reading scancode") the lirc features ioctl for raw IR devices advertises two modes for sending and receiving.

The lirc daemon now fails to detect a raw IR device, both for transmit and receive.

To fix this, do not advertise the scancode mode in the lirc features for raw IR devices (however do keep it for scancode devices). The mode can still be used via the LIRC_SET_{REC,SEND}_MODE ioctl.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Sean Young authored
Since commit a60d64b1 ("media: lirc: lirc interface should not be a raw decoder"), there is no lirc_dev module any more.

On Ubuntu 16.10, the /etc/init.d/lirc startup script attempts to load the lirc_dev module. Since this module does not exist any more, this script fails. Add an alias so the correct module is loaded.

Fixes: a60d64b1 ("media: lirc: lirc interface should not be a raw decoder")
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Colin Ian King authored
The current error exit path if ir_raw_encode_scancode fails is via the label out_kfree which kfree's an uninitialized pointer txbuf. Fix this by exiting via a new exit path that does not kfree txbuf. Also exit via this new exit path for a failed allocation of txbuf to avoid a redundant kfree on a NULL pointer (to save a bunch of CPU cycles).

Detected by: CoverityScan, CID#1463070 ("Uninitialized pointer read")

Fixes: f81a8158 ("media: lirc: release lock before sleep")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
- 05 Jan, 2018 5 commits
-
-
Hugues Fruchet authored
Add RGB565 (LE & BE) and YUV422 YUYV format in addition to existing YUV422 UYVY format.

Signed-off-by: Hugues Fruchet <hugues.fruchet@st.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hugues Fruchet authored
Add support of DVP parallel mode in addition to the existing MIPI CSI mode. The choice between two modes and configuration is made through device tree.

Signed-off-by: Hugues Fruchet <hugues.fruchet@st.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hugues Fruchet authored
Refine CSI-2 endpoint documentation and add bindings for DVP parallel interface support.

Signed-off-by: Hugues Fruchet <hugues.fruchet@st.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hugues Fruchet authored
Verify that chip identifier is correct when probing.

Signed-off-by: Hugues Fruchet <hugues.fruchet@st.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-
Hugues Fruchet authored
Switch gpiod_set_value to gpiod_set_value_cansleep to avoid warnings when powering sensor.

Signed-off-by: Hugues Fruchet <hugues.fruchet@st.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
-