Applications may set data_offset when it refers to an output queue. So
driver need to account for it when getting the start address of input
image in the plane.
Meanwhile data_offset is included in bytesused. So the data_offset
should be subtracted from the payload of input image.
Signed-off-by: Ming Qian <ming.qian@nxp.com>
Reviewed-by: Zhou Peng <eagle.zhou@nxp.com>
Acked-by: Jason Liu <jason.hui.liu@nxp.com>
Currently, if streamon/streamoff calls are imbalanced we can either end up
with a negative ISI m2m usage_count (if streamoff() is called more times
than streamon()) in which case we'll not be able to restart the ISI pipe
next time, or the usage_count never gets to 0 and the pipe is never
switched off.
To avoid that, add a 'streaming' flag to mxc_isi_m2m_ctx_queue_data and use it
in the streamon/streamoff to avoid incrementing/decrementing the usage_count
uselessly, if called multiple times from the same context.
Fixes: cf21f328fc ("media: nxp: Add i.MX8 ISI driver")
Suggested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Tested-by: Guoniu Zhou <guoniu.zhou@nxp.com>
Reviewed-by: Robert Chiras <robert.chiras@nxp.com>
Acked-by: Jason Liu <jason.hui.liu@nxp.com>
Running the v4l2-compliance (1.27.0-5208, SHA: af114250d48d) on the m2m
device fails on the MMAP streaming tests, with the following messages:
fail: v4l2-test-buffers.cpp(240): g_field() == V4L2_FIELD_ANY
fail: v4l2-test-buffers.cpp(1508): buf.qbuf(node)
Apparently, the driver does not properly set the field member of
vb2_v4l2_buffer struct, returning the default V4L2_FIELD_ANY value which
is against the guidelines.
Fixes: cf21f328fc ("media: nxp: Add i.MX8 ISI driver")
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tested-by: Guoniu Zhou <guoniu.zhou@nxp.com>
Reviewed-by: Robert Chiras <robert.chiras@nxp.com>
Acked-by: Jason Liu <jason.hui.liu@nxp.com>
Currently, interrogating the controls, before they're set for the first
time, will return all-zero values. To fix this, use the init() callback
in the v4l2_ctrl_type_ops structure to populate the initial control
values.
Also, when running the sensor initialization sequence, make sure we
don't cache the settings for the embedded data because they do not
contain register values. They contain ranges. Otherwise we'll end up
with wrong register values in the regmap cache.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Reviewed-by: Robert Chiras <robert.chiras@nxp.com>
Reviewed-by: Mirela Rabulea <mirela.rabulea@nxp.com>
Tested-by: Celine Laurencin <celine.laurencin@nxp.com>
Reviewed-by: Celine Laurencin <celine.laurencin@nxp.com>
Acked-by: Jason Liu <jason.hui.liu@nxp.com>
Currently, the registers returned in the embedded data contain RW
registers for gains and exposure. That affects the way the registers are
updated which does not follow the specifications. Using the RO registers
fixes the problem. Also, move the embedded data initialization sequence
to the end and add a comment to be easier to find it out in the future.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Reviewed-by: Mirela Rabulea <Mirela.rabulea@nxp.com>
Tested-by: Celine Laurencin <celine.laurencin@nxp.com>
Reviewed-by: Celine Laurencin <celine.laurencin@nxp.com>
Acked-by: Jason Liu <jason.hui.liu@nxp.com>
As mentioned in reference manual, ISI actual output line
value will be rounded up to an integer. For example, if
the input line value equal to 800 and the output line
value equal to 720, you must set [Y_SCALE] to a value
such that the theoretical output line value (800/[Y_SCALE])
is equal to or less than 720, which means:
1. If [Y_SCALE] is set to 1C8h, the theoretical output line
value equal to 719.859375 which will be rounded up to 720.
2. If [Y_SCALE] is set to 1C7h, the theoretical output line
value equal to 720.017578 which will be rounded up to 721.
There will be one excessive line in the actual output, So
adjust scale factor to make them equal.
Signed-off-by: Guoniu Zhou <guoniu.zhou@nxp.com>
Reviewed-by: Robby Cai <robby.cai@nxp.com>
Keep subdev name as v4l2 core set since libcamera camera module
model identification heuristic does not work properly, it will
identify camera modules by parsing the default name.
Signed-off-by: Guoniu Zhou <guoniu.zhou@nxp.com>
Reviewed-by: Robby Cai <robby.cai@nxp.com>
A CMA leak is observed when interrupting the process abnormally. Before
the process stopped, if another interrupt signal is sent, the process
will be forcefully terminated without cleaning properly. This is
preventing any_buf to be released properly and context to be reset
to default as VIDIOC_STREAMOFF could not be sent.
This patch aims to perform cleaning before terminating the process
by using stop_streaming callback to release any_buf and reset context.
This callback is waiting for all buffers to be given back before
terminating, allowing to perform cleaning without being interrupted.
The streamon and streamoff callback will be managed by default video
buffer 2 core framework, while neoisp implementation will be performed
in start_streaming and stop_streaming callback.
Signed-off-by: Alexi Birlinger <alexi.birlinger@nxp.com>
Reviewed-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Adds dump methods to get isp memory status for Lookup tables.
The Vignetting, Global and Local DRC tonemap tables could be now dumped
using debugfs.
Signed-off-by: Alexi Birlinger <alexi.birlinger@nxp.com>
Reviewed-by: Aymen Sghaier <aymen.sghaier@nxp.com>
Fix Coverity issue: CID 5484434 of "dereference null return value".
The function pxp_get_format could return NULL, so add the check before use.
Signed-off-by: Robby Cai <robby.cai@nxp.com>
Reviewed-by: Guoniu Zhou <guoniu.zhou@nxp.com>
Add V4L2_CID_CAMERA_ORIENTATION and V4L2_CID_CAMERA_SENSOR_ROTATION
support for AP1302 device by adding "orientation" and "rotation" two
fwnode properityes to fix libcamera warning since they are recommended
V4L2 control in libcamera.
Signed-off-by: Guoniu.zhou <guoniu.zhou@nxp.com>
Reviewed-by: Robby Cai <robby.cai@nxp.com>
The mx95mbcam_ctrl_type_ops structure is not used anywhere. Remove it.
Also, remove the mx95mbcam_ctrl_type_op_validate() which was only
referenced in the structure.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Reviewed-by: Robert Chiras <robert.chiras@nxp.com>
The issue can happen with csi2_video_pipe_mask array accesses if
csi_of_ep.port < MAX96724_SRC_PAD or higher than MAX96724_N_PADS. Add a
check to make sure we don't get there. Since the function can now return
-EINVAL, add also a check in the caller function to handle this
situation.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Reviewed-by: Robert Chiras <robert.chiras@nxp.com>
The v4l2_subdev_state_get_opposite_stream_format() function can return
NULL. Add a check before continuing.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Reviewed-by: Robert Chiras <robert.chiras@nxp.com>
There is a valid issue inside the function where ret is assigned the
returned value of max96724_xlate_streams() in case of error and then we
jump to 'unlock' only to return 0. So, let's use that ret value this
time. Also, initialize ret to 0 to avoid returning wrong value if
pos == -1 in the while loop.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Reviewed-by: Robert Chiras <robert.chiras@nxp.com>
This patch covers multiple Coverity "uninitialized scalar variable"
issues, all of them false positives since they'll get written in
subsequent function calls when their address is passed on as arguments
to those functions. However, I don't see any issues with initializing
those variables first and Coverity will be happy about it.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Reviewed-by: Robert Chiras <robert.chiras@nxp.com>
This is a false positive Coverity issue as reg_val will be written when
calling regmap_read(). However, there's nothing inherently wrong with
initializing the variable to 0 and this will also make Coverity happy.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Reviewed-by: Robert Chiras <robert.chiras@nxp.com>
The error revealed a hidden bug with setting the WB registers for LCG,
SPD and VS. They all replicated the HCG values because of incorrect
pointer arithmetic in the for loop initialization.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Reviewed-by: Robert Chiras <robert.chiras@nxp.com>
The issue reported in ox03c10_streaming_start() is genuine. Variable
'ret' was not initialized which could lead to reporting that starting
streaming failed.
The issue reported in ox03c10_otp_correction_get() is a false positive.
Even though the regmap_bulk_read() will overwrite all the array values
with the ones read from the sensor, let's initialize the array to 0 to
silence Coverity.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
Reviewed-by: Robert Chiras <robert.chiras@nxp.com>
Remove format member from sensor structure, the sensor subdevice will
not track the state internally, instead it will use the managed
subdev active state, in ox05b1s_set_fmt for example.
Remove ox05b1s_get_fmt and use v4l2_subdev_get_fmt instead.
Use v4l2_subdev_init_finalize to opt-in for managed state, use the same
sensor lock, and initialize it sooner.
Do not lock in set_fmt and get_selection, as these ioctls, among others,
are called from a wrapper that already takes the lock if the subdev
uses active state, see DEFINE_STATE_WRAPPER.
Signed-off-by: Mirela Rabulea <mirela.rabulea@nxp.com>
Reviewed-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
The current setting of the hdr_mode control is not working properly.
Cannot count on ox05b1s_update_controls() to actually write the
sensor registers, as the sensor may be suspended. Remove the
setting of hdr_mode from ox05b1s_update_controls(), as it is not
useful here, and it was wrong anyway, it should not be set to
the default value, that will overwrite what was set by user.
Instead, use __v4l2_ctrl_handler_setup in ox05b1s_apply_current_mode(),
to ensure control values are written in sensor registers
before streaming starts.
Also, update some comments.
Fixes: 17597cc375 ("LF-12210-2: media: ox05b1s: Add omnivision OX05B1S raw sensor driver")
Signed-off-by: Mirela Rabulea <mirela.rabulea@nxp.com>
Reviewed-by: Laurentiu Palcu <laurentiu.palcu@oss.nxp.com>
ISI may exceed its bounds by accessing memory that does not
belong to it when work with 7 VPU instance at same time. It
maybe a IC bug(TKT0661750), so specifies the maximum size
(in bytes) for the memory location. Tentative write out of
this max size range is not allowed. The feature of ISI is
introduced in iMX95 ISI version.
Reproduce steps:
Setup media pipeline for camera and run commands as bellow:
gst-launch-1.0 v4l2src device=/dev/video0 ! video/x-raw,width=1280,height=800,format=YUY2 ! queue ! waylandsink window-width=320 window-height=240 &
gst-launch-1.0 videotestsrc ! video/x-raw,width=1280,height=576 ! v4l2h264enc ! h264parse ! v4l2h264dec ! waylandsink window-width=320 window-height=240 &
gst-launch-1.0 videotestsrc ! video/x-raw,width=1280,height=576 ! v4l2h264enc ! h264parse ! v4l2h264dec ! waylandsink window-width=320 window-height=240 &
gst-launch-1.0 videotestsrc ! video/x-raw,width=1280,height=576 ! v4l2h264enc ! h264parse ! v4l2h264dec ! waylandsink window-width=320 window-height=240 &
gst-launch-1.0 videotestsrc ! video/x-raw,width=1280,height=576 ! v4l2h264enc ! h264parse ! v4l2h264dec ! waylandsink window-width=320 window-height=240 &
gst-launch-1.0 videotestsrc ! video/x-raw,width=1280,height=576 ! v4l2h264enc ! h264parse ! v4l2h264dec ! waylandsink window-width=320 window-height=240 &
gst-launch-1.0 videotestsrc ! video/x-raw,width=1280,height=576 ! v4l2h264enc ! h264parse ! v4l2h264dec ! waylandsink window-width=320 window-height=240 &
gst-launch-1.0 videotestsrc ! video/x-raw,width=1280,height=576 ! v4l2h264enc ! h264parse ! v4l2h264dec ! waylandsink window-width=320 window-height=240 &
Signed-off-by: Guoniu.zhou <guoniu.zhou@nxp.com>
Reviewed-by: Robby Cai <robby.cai@nxp.com>
the video drvdata should be set before the video device is registered,
otherwise video_drvdata() may return NULL in the open() file ops, and led
to oops.
Signed-off-by: Ming Qian <ming.qian@nxp.com>
Reviewed-by: TaoJiang <tao.jiang_2@nxp.com>
the video drvdata should be set before the video device is registered,
otherwise video_drvdata() may return NULL in the open() file ops, and led
to oops.
Signed-off-by: Ming Qian <ming.qian@nxp.com>
Reviewed-by: TaoJiang <tao.jiang_2@nxp.com>
Currently, IOMMU was not enabled, so SWIOTLB was used.
But the default maximum size of one singe bounce is 256KB
So we need to limit codec buffer size.
When IOMMU is enabled, we can revert this patch.
Signed-off-by: TaoJiang <tao.jiang_2@nxp.com>
Reviewed-by: MingQian <ming.qian@nxp.com>
This adds a Virtio based video driver for video streaming device that
operates input and output data buffers to share video devices with
several guests. The current implementation consist of V4L2 based video
driver supporting video functions of decoder and encoder. The device
uses command structures to advertise and negotiate stream formats and
controls. This allows the driver to modify the processing logic of the
device on a per stream basis.
from https://github.com/aesteve-rh/linux,
align with 80c89869c3f7 ("virtio_video: add vicodec support and config")
Signed-off-by: Albert Esteve <aesteve@redhat.com>
Signed-off-by: Dmitry Sepp <dmitry.sepp@opensynergy.com>
Signed-off-by: Kiran Pawar <Kiran.Pawar@opensynergy.com>
Signed-off-by: Nikolay Martyanov <Nikolay.Martyanov@opensynergy.com>
Signed-off-by: Samiullah Khawaja <samiullah.khawaja@opensynergy.com>
Signed-off-by: Keiichi Watanabe <keiichiw@chromium.org>
[ Upstream commit 4caf6d93d9 ]
Add check for the return value of v4l2_fwnode_endpoint_parse() and
return the error if it fails in order to catch the error.
Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 17763960b1 ]
When setting the EDID it would attempt to update two controls
that are only present if there is an HDMI output configured.
If there isn't any (e.g. when the vivid module is loaded with
node_types=1), then calling VIDIOC_S_EDID would crash.
Fix this by first checking if outputs are present.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0fd7c0c2c1 ]
In several places a division by fmt->vdownsampling[p] was
missing in the sizeimage[p] calculation, causing incorrect
behavior for multiplanar formats were some planes are smaller
than the first plane.
Found by new v4l2-compliance tests.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit c8931ef55b ]
Struct uvc_frame and interval (u32*) are packaged together on
streaming->formats on a single contiguous allocation.
Right now they are allocated right after uvc_format, without taking into
consideration their required alignment.
This is working fine because both structures have a field with a
pointer, but it will stop working when the sizeof() of any of those
structs is not a multiple of the sizeof(void*).
Enforce that alignment during the allocation.
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/20240404-uvc-align-v2-1-9e104b0ecfbd@chromium.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 7417b1b1f3 ]
Always assign *val to 0 in cci_read(). This has the benefit of not
requiring initialisation of the variables data is read to using
cci_read(). Once smatch is fixed, it could catch the use of uninitialised
reads.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Tested-by: Benjamin Mugnier <benjamin.mugnier@foss.st.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 102fb77c2d ]
At several positions in dvb_frontend.c, memdup_user() is utilized to
copy userspace arrays. This is done without overflow checks.
Use the new wrapper memdup_array_user() to copy the arrays more safely.
Link: https://lore.kernel.org/linux-media/20231102191633.52592-2-pstanner@redhat.com
Suggested-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 15126b916e ]
cx23885_vdev_init() can return a NULL pointer, but that pointer
is used in the next line without a check.
Add a NULL pointer check and go to the error unwind if it is NULL.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: Sicong Huang <huangsicong@iie.ac.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 51b74c09ac ]
'pd' can be NULL, and in that case it shouldn't be passed to
PTR_ERR. Fixes a smatch warning:
drivers/media/platform/qcom/venus/pm_helpers.c:873 vcodec_domains_get() warn: passing zero to 'PTR_ERR'
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 04d19e6513 ]
As &dev->condlock is acquired under irq context along the following
call chain from s5p_mfc_irq(), other acquisition of the same lock
inside process context or softirq context should disable irq avoid double
lock. enc_post_frame_start() seems to be one such function that execute
under process context or softirq context.
<deadlock #1>
enc_post_frame_start()
--> clear_work_bit()
--> spin_loc(&dev->condlock)
<interrupt>
--> s5p_mfc_irq()
--> s5p_mfc_handle_frame()
--> clear_work_bit()
--> spin_lock(&dev->condlock)
This flaw was found by an experimental static analysis tool I am
developing for irq-related deadlock.
To prevent the potential deadlock, the patch change clear_work_bit()
inside enc_post_frame_start() to clear_work_bit_irqsave().
Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 8b7f3cf4eb ]
This fixes this warning:
drivers/media/radio/radio-isa.c: In function 'radio_isa_querycap':
drivers/media/radio/radio-isa.c:39:57: warning: '%s' directive output may be truncated writing up to 35 bytes into a region of size 28 [-Wformat-truncation=]
39 | snprintf(v->bus_info, sizeof(v->bus_info), "ISA:%s", isa->v4l2_dev.name);
| ^~
drivers/media/radio/radio-isa.c:39:9: note: 'snprintf' output between 5 and 40 bytes into a destination of size 32
39 | snprintf(v->bus_info, sizeof(v->bus_info), "ISA:%s", isa->v4l2_dev.name);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
The first run with libcamera does not work because the pixel rate
control value is not updated after set_fmt, it is only updated during
the first streamon. This is causing libcamerasrc negotiation failure
with the downstream caps filter on the fps.
So, update control values to reflect the current format upon
set_fmt.
Signed-off-by: Mirela Rabulea <mirela.rabulea@oss.nxp.com>
Reviewed-by: Alexi Birlinger <alexi.birlinger@nxp.com>
Tested-by: Alexi Birlinger <alexi.birlinger@nxp.com>
Acked-by: Jason Liu <jason.hui.liu@nxp.com>
commit 0c84bde4f3 upstream.
This reverts commit 2052138b7d.
This breaks the TeVii s480 dual DVB-S2 S660. The device has a bulk in
endpoint but no corresponding out endpoint, so the device does not pass
the "has both receive and send bulk endpoint" test.
Seemingly this device does not use dvb_usb_generic_rw() so I have tried
removing the generic_bulk_ctrl_endpoint entry, but this resulted in
different problems.
As we have no explanation yet, revert.
$ dmesg | grep -i -e dvb -e dw21 -e usb\ 4
[ 0.999122] usb 1-1: new high-speed USB device number 2 using ehci-pci
[ 1.023123] usb 4-1: new high-speed USB device number 2 using ehci-pci
[ 1.130247] usb 1-1: New USB device found, idVendor=9022, idProduct=d482,
+bcdDevice= 0.01
[ 1.130257] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 1.152323] usb 4-1: New USB device found, idVendor=9022, idProduct=d481,
+bcdDevice= 0.01
[ 1.152329] usb 4-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 6.701033] dvb-usb: found a 'TeVii S480.2 USB' in cold state, will try to
+load a firmware
[ 6.701178] dvb-usb: downloading firmware from file 'dvb-usb-s660.fw'
[ 6.701179] dw2102: start downloading DW210X firmware
[ 6.703715] dvb-usb: found a 'Microsoft Xbox One Digital TV Tuner' in cold
+state, will try to load a firmware
[ 6.703974] dvb-usb: downloading firmware from file 'dvb-usb-dib0700-1.20.fw'
[ 6.756432] usb 1-1: USB disconnect, device number 2
[ 6.862119] dvb-usb: found a 'TeVii S480.2 USB' in warm state.
[ 6.862194] dvb-usb: TeVii S480.2 USB error while loading driver (-22)
[ 6.862209] dvb-usb: found a 'TeVii S480.1 USB' in cold state, will try to
+load a firmware
[ 6.862244] dvb-usb: downloading firmware from file 'dvb-usb-s660.fw'
[ 6.862245] dw2102: start downloading DW210X firmware
[ 6.914811] usb 4-1: USB disconnect, device number 2
[ 7.014131] dvb-usb: found a 'TeVii S480.1 USB' in warm state.
[ 7.014487] dvb-usb: TeVii S480.1 USB error while loading driver (-22)
[ 7.014538] usbcore: registered new interface driver dw2102
Closes: https://lore.kernel.org/stable/20240801165146.38991f60@mir/
Fixes: 2052138b7d ("media: dvb-usb: Fix unexpected infinite loop in dvb_usb_read_remote_control()")
Reported-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 68594cec29 ]
syzkaller reported use-after-free in load_firmware_cb() [1].
The reason is because the module allocated a struct tuner in tuner_probe(),
and then the module initialization failed, the struct tuner was released.
A worker which created during module initialization accesses this struct
tuner later, it caused use-after-free.
The process is as follows:
task-6504 worker_thread
tuner_probe <= alloc dvb_frontend [2]
...
request_firmware_nowait <= create a worker
...
tuner_remove <= free dvb_frontend
...
request_firmware_work_func <= the firmware is ready
load_firmware_cb <= but now the dvb_frontend has been freed
To fix the issue, check the dvd_frontend in load_firmware_cb(), if it is
null, report a warning and just return.
[1]:
==================================================================
BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0
Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504
Call trace:
load_firmware_cb+0x1310/0x17a0
request_firmware_work_func+0x128/0x220
process_one_work+0x770/0x1824
worker_thread+0x488/0xea0
kthread+0x300/0x430
ret_from_fork+0x10/0x20
Allocated by task 6504:
kzalloc
tuner_probe+0xb0/0x1430
i2c_device_probe+0x92c/0xaf0
really_probe+0x678/0xcd0
driver_probe_device+0x280/0x370
__device_attach_driver+0x220/0x330
bus_for_each_drv+0x134/0x1c0
__device_attach+0x1f4/0x410
device_initial_probe+0x20/0x30
bus_probe_device+0x184/0x200
device_add+0x924/0x12c0
device_register+0x24/0x30
i2c_new_device+0x4e0/0xc44
v4l2_i2c_new_subdev_board+0xbc/0x290
v4l2_i2c_new_subdev+0xc8/0x104
em28xx_v4l2_init+0x1dd0/0x3770
Freed by task 6504:
kfree+0x238/0x4e4
tuner_remove+0x144/0x1c0
i2c_device_remove+0xc8/0x290
__device_release_driver+0x314/0x5fc
device_release_driver+0x30/0x44
bus_remove_device+0x244/0x490
device_del+0x350/0x900
device_unregister+0x28/0xd0
i2c_unregister_device+0x174/0x1d0
v4l2_device_unregister+0x224/0x380
em28xx_v4l2_init+0x1d90/0x3770
The buggy address belongs to the object at ffff8000d7ca2000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 776 bytes inside of
2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)
The buggy address belongs to the page:
page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0
flags: 0x7ff800000000100(slab)
raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
[2]
Actually, it is allocated for struct tuner, and dvb_frontend is inside.
Signed-off-by: Chi Zhiling <chizhiling@kylinos.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 9e3d55fbd1 ]
The bandwidth fixup quirk doesn't know that SuperSpeed exists and has
the same 8 service intervals per millisecond as High Speed, hence its
calculations are wrong.
Assume that all speeds from HS up use 8 intervals per millisecond.
No further changes are needed, updated code has been confirmed to work
with all speeds from FS to SS.
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/r/20240414190040.2255a0bc@foxbook
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5cd7c25f6f ]
Some SunplusIT cameras took a borderline interpretation of the UVC 1.5
standard, and fill the PTS and SCR fields with invalid data if the
package does not contain data.
"STC must be captured when the first video data of a video frame is put
on the USB bus."
Some SunplusIT devices send, e.g.,
buffer: 0xa7755c00 len 000012 header:0x8c stc 00000000 sof 0000 pts 00000000
buffer: 0xa7755c00 len 000012 header:0x8c stc 00000000 sof 0000 pts 00000000
buffer: 0xa7755c00 len 000668 header:0x8c stc 73779dba sof 070c pts 7376d37a
While the UVC specification meant that the first two packets shouldn't
have had the SCR bit set in the header.
This borderline/buggy interpretation has been implemented in a variety
of devices, from directly SunplusIT and from other OEMs that rebrand
SunplusIT products. So quirking based on VID:PID will be problematic.
All the affected modules have the following extension unit:
VideoControl Interface Descriptor:
guidExtensionCode {82066163-7050-ab49-b8cc-b3855e8d221d}
But the vendor plans to use that GUID in the future and fix the bug,
this means that we should use heuristic to figure out the broken
packets.
This patch takes care of this.
lsusb of one of the affected cameras:
Bus 001 Device 003: ID 1bcf:2a01 Sunplus Innovation Technology Inc.
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 2.01
bDeviceClass 239 Miscellaneous Device
bDeviceSubClass 2 ?
bDeviceProtocol 1 Interface Association
bMaxPacketSize0 64
idVendor 0x1bcf Sunplus Innovation Technology Inc.
idProduct 0x2a01
bcdDevice 0.02
iManufacturer 1 SunplusIT Inc
iProduct 2 HanChen Wise Camera
iSerial 3 01.00.00
bNumConfigurations 1
Tested-by: HungNien Chen <hn.chen@sunplusit.com>
Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Reviewed-by: Tomasz Figa <tfiga@chromium.org>
Link: https://lore.kernel.org/r/20240323-resend-hwtimestamp-v10-2-b08e590d97c7@chromium.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 065927b51e ]
There is no need to add a lock in s_ctrl callback, it has been
synchronized by the ctrl_handler's lock, otherwise it may led to
a deadlock if the driver calls v4l2_ctrl_s_ctrl().
Signed-off-by: Ming Qian <ming.qian@nxp.com>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
