1. 21 Jun, 2024 6 commits
    • media: chips-media: wave5: support decoding HEVC Main10 profile · 143e7ab4
      Ivan Bornyakov authored
      Add support for decoding HEVC Main10 profile by scaling the FBC
      buffer stride and size by a factor of (bitdepth / 8).
      Signed-off-by: Ivan Bornyakov <brnkv.i1@gmail.com>
      Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    • media: imx-jpeg: Drop initial source change event if capture has been setup · a8fb5fce
      Ming Qian authored
      In section 4.5.1.5. Initialization, step 4 may be skipped, continuing
      with the Capture Setup sequence. So if the capture has been set up,
      there is no need to trigger the initial source change event; just
      start decoding, and follow the dynamic resolution change flow if the
      configured values do not match those parsed by the decoder.
      
      And it won't fail the gstreamer pipeline.
      
      Fixes: b833b178 ("media: imx-jpeg: notify source chagne event when the first picture parsed")
      Signed-off-by: Ming Qian <ming.qian@nxp.com>
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    • media: imx-jpeg: Remove some redundant error logs · f10edd83
      Ming Qian authored
      If the picture size parsed by the decoder is different from the one
      previously established, it's the normal flow of dynamic resolution
      change, not an error case. The log may mislead by suggesting that some
      error occurred in decoding, so remove the error log in this case.
      
      Fixes: 2db16c6e ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder")
      Signed-off-by: Ming Qian <ming.qian@nxp.com>
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    • media: Convert from tasklet to BH workqueue · 1021dd01
      Allen Pais authored
      The only generic interface to execute asynchronously in the BH context is
      tasklet; however, it's marked deprecated and has some design flaws. To
      replace tasklets, BH workqueue support was recently added. A BH workqueue
      behaves similarly to regular workqueues except that the queued work items
      are executed in the BH context.
      
      This patch converts drivers/media/* from tasklet to BH workqueue.
      
      Based on the work done by Tejun Heo <tj@kernel.org>
      Signed-off-by: Allen Pais <allen.lkml@gmail.com>
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    • media: cx231xx: Constify struct vb2_ops · d2ae63c2
      Christophe JAILLET authored
      "struct vb2_ops" are not modified in this driver.
      
      Constifying this structure moves some data to a read-only section,
      which increases overall security.
      
      On x86_64, with allmodconfig:
      Before:
      ======
         text	   data	    bss	    dec	    hex	filename
        36607	   1156	      0	  37763	   9383	drivers/media/usb/cx231xx/cx231xx-417.o
      
      After:
      =====
         text	   data	    bss	    dec	    hex	filename
        36735	   1016	      0	  37751	   9377	drivers/media/usb/cx231xx/cx231xx-417.o
      Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    • media: xc2028: avoid use-after-free in load_firmware_cb() · 68594cec
      Chi Zhiling authored
      syzkaller reported a use-after-free in load_firmware_cb() [1].
      The reason is that the module allocated a struct tuner in tuner_probe(),
      and then the module initialization failed and the struct tuner was
      released. A worker which was created during module initialization
      accesses this struct tuner later, which caused the use-after-free.
      
      The process is as follows:
      
      task-6504           worker_thread
      tuner_probe                             <= alloc dvb_frontend [2]
      ...
      request_firmware_nowait                 <= create a worker
      ...
      tuner_remove                            <= free dvb_frontend
      ...
                          request_firmware_work_func  <= the firmware is ready
                          load_firmware_cb    <= but now the dvb_frontend has been freed
      
      To fix the issue, check the dvb_frontend in load_firmware_cb(); if it is
      null, report a warning and just return.
      
      [1]:
          ==================================================================
           BUG: KASAN: use-after-free in load_firmware_cb+0x1310/0x17a0
           Read of size 8 at addr ffff8000d7ca2308 by task kworker/2:3/6504
      
           Call trace:
            load_firmware_cb+0x1310/0x17a0
            request_firmware_work_func+0x128/0x220
            process_one_work+0x770/0x1824
            worker_thread+0x488/0xea0
            kthread+0x300/0x430
            ret_from_fork+0x10/0x20
      
           Allocated by task 6504:
            kzalloc
            tuner_probe+0xb0/0x1430
            i2c_device_probe+0x92c/0xaf0
            really_probe+0x678/0xcd0
            driver_probe_device+0x280/0x370
            __device_attach_driver+0x220/0x330
            bus_for_each_drv+0x134/0x1c0
            __device_attach+0x1f4/0x410
            device_initial_probe+0x20/0x30
            bus_probe_device+0x184/0x200
            device_add+0x924/0x12c0
            device_register+0x24/0x30
            i2c_new_device+0x4e0/0xc44
            v4l2_i2c_new_subdev_board+0xbc/0x290
            v4l2_i2c_new_subdev+0xc8/0x104
            em28xx_v4l2_init+0x1dd0/0x3770
      
           Freed by task 6504:
            kfree+0x238/0x4e4
            tuner_remove+0x144/0x1c0
            i2c_device_remove+0xc8/0x290
            __device_release_driver+0x314/0x5fc
            device_release_driver+0x30/0x44
            bus_remove_device+0x244/0x490
            device_del+0x350/0x900
            device_unregister+0x28/0xd0
            i2c_unregister_device+0x174/0x1d0
            v4l2_device_unregister+0x224/0x380
            em28xx_v4l2_init+0x1d90/0x3770
      
           The buggy address belongs to the object at ffff8000d7ca2000
            which belongs to the cache kmalloc-2k of size 2048
           The buggy address is located 776 bytes inside of
            2048-byte region [ffff8000d7ca2000, ffff8000d7ca2800)
           The buggy address belongs to the page:
           page:ffff7fe00035f280 count:1 mapcount:0 mapping:ffff8000c001f000 index:0x0
           flags: 0x7ff800000000100(slab)
           raw: 07ff800000000100 ffff7fe00049d880 0000000300000003 ffff8000c001f000
           raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
           page dumped because: kasan: bad access detected
      
           Memory state around the buggy address:
            ffff8000d7ca2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
            ffff8000d7ca2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
           >ffff8000d7ca2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                 ^
            ffff8000d7ca2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
            ffff8000d7ca2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
           ==================================================================
      
      [2]
          Actually, it is allocated for struct tuner, and dvb_frontend is inside.
      Signed-off-by: Chi Zhiling <chizhiling@kylinos.cn>
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
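
The ordering in the 68594cec message (probe, remove, then the firmware callback), replayed as an added single-threaded user-space C model; it is not the driver's code. The names fw_request, run_worker and replay are hypothetical, and it assumes teardown clears the pointer that the callback checks, which the message does not spell out.

```c
#include <stdio.h>
#include <stdlib.h>

/* Single-threaded user-space model; all names are hypothetical. */
struct tuner { int fw_loaded; };
/* Owned by the loader, not the tuner, so it outlives tuner_remove(). */
struct fw_request { struct tuner *owner; int pending; };

/* Callback in the shape of the fix: no owner means warn and return. */
static int load_firmware_cb(struct fw_request *req)
{
    if (!req->owner) {
        fprintf(stderr, "warning: no tuner in %s\n", __func__);
        return -1;
    }
    req->owner->fw_loaded = 1;
    return 0;
}

static struct tuner *tuner_probe(struct fw_request *req)
{
    struct tuner *t = calloc(1, sizeof(*t));
    req->owner = t;            /* assumption: callback reaches the tuner only via req */
    req->pending = t != NULL;  /* models request_firmware_nowait() queueing work */
    return t;
}

static void tuner_remove(struct tuner *t, struct fw_request *req)
{
    req->owner = NULL;         /* assumption: teardown clears the pointer before free */
    free(t);
}

/* Stands in for the worker thread; returns 1 when nothing was queued. */
static int run_worker(struct fw_request *req)
{
    if (!req->pending) return 1;
    req->pending = 0;
    return load_firmware_cb(req);
}

/* remove_first != 0 replays the commit's ordering: probe, remove, worker. */
static int replay(int remove_first)
{
    struct fw_request req = {0};
    struct tuner *t = tuner_probe(&req);
    if (t && remove_first) { tuner_remove(t, &req); t = NULL; }
    int rc = run_worker(&req);
    if (t) { rc = (rc == 0 && t->fw_loaded) ? 0 : -2; tuner_remove(t, &req); }
    return rc;
}

int main(void) { printf("%d %d\n", replay(1), replay(0)); return 0; }
```

In a real driver the clear and the check run on different threads, so they need ordering that this single-threaded model leaves out.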
  2. 20 Jun, 2024 4 commits
  3. 17 Jun, 2024 8 commits
  4. 16 Jun, 2024 10 commits
  5. 15 Jun, 2024 12 commits