- 08 Feb, 2023 40 commits
-
Laurent Pinchart authored
There's no need to use threaded IRQs with the PXP, as the interrupt handler doesn't need to sleep and doesn't perform any time-consuming operation. Switch to regular IRQ handler. This fixes lockups of the PXP noticed on i.MX7, where the PXP would stop generating interrupts after a variable number of frames (from a few dozens to a few hundreds). The root cause is however unknown. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
Add pxp_read() and pxp_write() functions to wrap readl() and writel() respectively. This can be useful for debugging register accesses. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
Implement support for the VIDIOC_ENUM_FRAMESIZES ioctl. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
The find_format() function looks up format information for a given pixel format. It takes a v4l2_format pointer, but only uses the contained pixel format value. To prepare it for being used by callers that don't have v4l2_format, modify it to take the pixel format value directly. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
Register a media device for the PXP, using the v4l2-mem2mem MC infrastructure to populate the media graph. No media device operation is implemented, the main use of the MC API is to allow consistent discovery of media devices for userspace. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
The v4l2_capability.bus_info field is set by the V4L2 core when left empty by the .querycap() handler. This is the recommended practice, in order to ensure bus_info coherence between drivers. Don't set it manually. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
Sorting headers alphabetically helps locate duplicates, and makes it easier to figure out where to insert new headers. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Michael Tretter authored
The i.MX7D needs a different data path configuration than the i.MX6ULL. Configure the data path as close as possible to the data path on the i.MX6ULL. Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Michael Tretter authored
Unfortunately, the PXP_HW_VERSION register reports the PXP on the i.MX7D and on the i.MX6ULL as version 3.0, although the PXP versions on these SoCs have significant differences. Use the compatible to configure the ctrl0 register as required dependent on the platform. Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Michael Tretter authored
The LUT block is always configured in bypass mode. Take it entirely out of the pipeline by disabling it and routing the data path around the LUT. Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Michael Tretter authored
Various multiplexers in the pipeline are not used with the currently configured data path. Disable all unused multiplexers by selecting the "no output" (3) option. The datasheet doesn't explicitly require this, but the PXP has been seen to hang after processing a few hundreds of frames otherwise. While at it, add documentation for the multiplexers that are actually relevant for the data path. Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Michael Tretter authored
The driver must configure the data path through the Pixel Pipeline. Currently, the driver is using a fixed setup, but once there are different pipeline configurations, it is helpful to have a dedicated function for determining the register value for the data path. Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Michael Tretter authored
Different versions of the Pixel Pipeline have different blocks and their routing may be different. Read the PXP_HW_VERSION register to determine the version of the PXP and print it to the log for debugging purposes. Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Michael Tretter authored
Convert the bindings of the Freescale Pixel Pipeline to YAML. The conversion drops the previously listed compatibles for several SoCs. It is unclear, if the PXP on these SoCs is compatible to any of the PXPs on the existing SoCs and would allow to reuse the already defined compatibles. The missing compatibles should be brought back when the support for the PXP on these SoCs is added. Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Michael Tretter <m.tretter@pengutronix.de> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
The .set_fmt() handler is responsible for adjusting the requested format based on the device limitations. Implement .init_cfg() as a wrapper of .set_fmt(), to ensure that the initial configuration always matches the rules implemented in .set_fmt(), should they ever change. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mn-beacon Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
Use the V4L2 subdev active state API to store the active format. This simplifies the driver not only by dropping the mipi_csis_device csis_fmt and format_mbus fields, but it also allows dropping the device lock, replaced with the state lock. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mn-beacon Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
To prepare for usage of the subdev active state that will replace the csis_fmt and format_mbus fields stored in the mipi_csis_device structure, pass the format explicitly to the functions called when starting streaming to avoid accessing those two fields. No functional change intended. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mn-beacon Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
The runtime PM handlers don't need manual locking as - they are serialized by the runtime PM core - they can't race with other functions taking the same lock, as they don't access any data protected by that lock Drop the locking. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mn-beacon Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
It is customary to prefix error labels with 'err_' to make their purpose clearer. Do so in the probe function. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mn-beacon Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
Use the V4L2 subdev active state API to store the active format. This simplifies the driver not only by dropping the state stored in the imx7_csi structure, but also by replacing the manual lock with the state lock. The is_streaming field is now protected by the active state lock, either explicitly in .s_stream(), where the active state is locked manually, or implicitly in .set_fmt(), which is called with the state locked. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mm-beacon-kit Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Tested-by: Martin Kepplinger <martin.kepplinger@puri.sm> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
The v4l2_subdev_format structure passed to the .get_fmt() subdev operation in imx7_csi_video_validate_fmt() isn't zeroed, which can cause undefined behaviour. Fix it. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mm-beacon-kit Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Tested-by: Martin Kepplinger <martin.kepplinger@puri.sm> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
It's good practice for functions to perform error cleanup internally when they fail, in order to not leave the device in a half-initialized state. Move the async notifier cleanup from the probe error path to the imx7_csi_async_register(), and drop the v4l2_async_nf_unregister() call as there is no error path after the async notifier gets registered. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mm-beacon-kit Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Tested-by: Martin Kepplinger <martin.kepplinger@puri.sm> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
The subdev core guarantees that the .set_fmt() operation is always called with a valid pad. Drop the unneeded pad checks. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mm-beacon-kit Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Tested-by: Martin Kepplinger <martin.kepplinger@puri.sm> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
The .s_stream() and .link_validate() operations can't be called with a NULL src_sd, as subdev nodes are not registered before the async notifier completes. Remove the unneeded checks. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mm-beacon-kit Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Tested-by: Martin Kepplinger <martin.kepplinger@puri.sm> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
The .s_stream() operation is guaranteed not to be called to start/stop an already started/stopped subdev. Remove the unneeded check. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mm-beacon-kit Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Tested-by: Martin Kepplinger <martin.kepplinger@puri.sm> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
The imx7_csi_video_init_format() function instantiates a v4l2_subdev_format on the stack, to only use the .format field of that structure. Replace it with a v4l2_mbus_framefmt instance. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mm-beacon-kit Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Tested-by: Martin Kepplinger <martin.kepplinger@puri.sm> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Laurent Pinchart authored
The imx7_csi.cc field is set but never used. Drop it. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Adam Ford <aford173@gmail.com> #imx8mm-beacon-kit Acked-by: Rui Miguel Silva <rmfrfs@gmail.com> Tested-by: Martin Kepplinger <martin.kepplinger@puri.sm> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Tasos Sahanidis authored
The radio device doesn't use vb2, thus calling vb2_video_unregister_device() which results in the following warning being printed on module unload. WARNING: CPU: 1 PID: 215963 at drivers/media/common/videobuf2/videobuf2-v4l2.c:1236 vb2_video_unregister_device+0xc6/0xe0 [videobuf2_v4l2] Fixes: 11788d9b ("media: media/pci: use vb2_video_unregister_device()") Signed-off-by: Tasos Sahanidis <tasos@tasossah.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Brent Pappas authored
Replace the macro icap_enabled() with a static function to comply with Linux coding style standards. Signed-off-by: Brent Pappas <bpappas@pappasbrent.com> Reviewed-by: Marco Felsch <m.felsch@pengutronix.de> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Benjamin Roszak authored
Checking if sess->fmt_out->pixfmt is V4L2_PIX_FMT_VP9 was already done as a condition to enter the if statement where this additional check is made. Signed-off-by: Benjamin Roszak <benjamin545@gmail.com> Signed-off-by: Christian Hewitt <christianshewitt@gmail.com> Acked-by: Neil Armstrong <neil.armstrong@linaro.org> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Duoming Zhou authored
There are UAF bugs caused by do_submit_urb(). One of the KASan reports is shown below:
When the siano device is plugged in, it may call the following functions to initialize the device. smsusb_probe()-->smsusb_init_device()-->smscore_start_device(). When smscore_start_device() gets failed, the function smsusb_term_device() will be called and smsusb_device_t will be deallocated. Although we use usb_kill_urb() in smsusb_stop_streaming() to cancel transfer requests and wait for them to finish, the worker threads that are scheduled by smsusb_onresponse() may be still running. As a result, the UAF bugs could happen. We add cancel_work_sync() in smsusb_stop_streaming() in order that the worker threads could finish before the smsusb_device_t is deallocated.
Fixes: dd47fbd4 ("[media] smsusb: don't sleep while atomic") Signed-off-by: Duoming Zhou <duoming@zju.edu.cn> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Hans Verkuil authored
If the message length was wrong, the dprintk() after the 'err' label was bypassed. Fix that, and fix a smatch warning at the same time: mb86a16.c:1514 mb86a16_send_diseqc_msg() warn: missing unwind goto? Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Hans Verkuil authored
If the media bus is unsupported, then return -EINVAL. Instead it returned 'ret' which happened to be 0. This fixes a smatch warning: ov7670.c:1843 ov7670_parse_dt() warn: missing error code? 'ret' Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Fixes: 01b84448 ("media: v4l2: i2c: ov7670: Implement OF mbus configuration") Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Hans Verkuil authored
Since 'ret' is known to be 0, just return '0'. This fixes a smatch warning: vpbe_display.c:1152 vpbe_display_open() warn: missing error code? 'err' Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Cc: "Lad, Prabhakar" <prabhakar.csengg@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Hans Verkuil authored
Since 'ret' is known to be 0, just return '0'. This fixes a smatch warning: venc_h264_if.c:568 h264_encode_frame() warn: missing error code? 'ret' Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Cc: Andrew-CT Chen <andrew-ct.chen@mediatek.com> Cc: Yunfei Dong <yunfei.dong@mediatek.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Hans Verkuil authored
An error was returned at one point without going through the goto label for proper unwinding. This fixes a smatch warning: mtk-mdp3-comp.c:1005 mdp_comp_config() warn: missing unwind goto? Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Cc: Moudy Ho <moudy.ho@mediatek.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Hans Verkuil authored
In three places there was a return instead of a goto to the unwind code. This fixes three smatch warnings: drxj.c:9542 ctrl_get_qam_sig_quality() warn: missing unwind goto? drxj.c:10919 ctrl_set_standard() warn: missing unwind goto? drxj.c:11466 drxj_open() warn: missing unwind goto? Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Hans Verkuil authored
The probe function used 'goto out' everywhere, except in one place where it returned an error. That too should be a 'goto out'. This fixes a smatch warning: mmp-driver.c:257 mmpcam_probe() warn: missing unwind goto? Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Hans Verkuil authored
Since 'ret' is known to be 0, just return '0'. This fixes 10 smatch warnings: cxd2880_tnrdmd_dvbt.c:836 cxd2880_tnrdmd_dvbt_check_demod_lock() warn: missing error code? 'ret' cxd2880_tnrdmd_dvbt.c:841 cxd2880_tnrdmd_dvbt_check_demod_lock() warn: missing error code? 'ret' cxd2880_tnrdmd_dvbt.c:896 cxd2880_tnrdmd_dvbt_check_ts_lock() warn: missing error code? 'ret' cxd2880_tnrdmd_dvbt.c:901 cxd2880_tnrdmd_dvbt_check_ts_lock() warn: missing error code? 'ret' cxd2880_tnrdmd_dvbt.c:904 cxd2880_tnrdmd_dvbt_check_ts_lock() warn: missing error code? 'ret' cxd2880_tnrdmd_dvbt2.c:1027 cxd2880_tnrdmd_dvbt2_check_demod_lock() warn: missing error code? 'ret' cxd2880_tnrdmd_dvbt2.c:1032 cxd2880_tnrdmd_dvbt2_check_demod_lock() warn: missing error code? 'ret' cxd2880_tnrdmd_dvbt2.c:1087 cxd2880_tnrdmd_dvbt2_check_ts_lock() warn: missing error code? 'ret' cxd2880_tnrdmd_dvbt2.c:1092 cxd2880_tnrdmd_dvbt2_check_ts_lock() warn: missing error code? 'ret' cxd2880_tnrdmd_dvbt2.c:1095 cxd2880_tnrdmd_dvbt2_check_ts_lock() warn: missing error code? 'ret' Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Cc: Yasunari Takiguchi <Yasunari.Takiguchi@sony.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-
Hans Verkuil authored
Since 'ret' is known to be 0, just return '0'. This fixes two smatch warnings: af9015.c:1168 af9015_rc_query() warn: missing error code? 'ret' af9015.c:1177 af9015_rc_query() warn: missing error code? 'ret' Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Cc: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>