summaryrefslogtreecommitdiffstats
path: root/drivers/media/media-device.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* media: move drivers/media/media-* to drivers/media/mc/mc-*Hans Verkuil2019-05-281-909/+0
| | | | | | | | | | | | | | It is really weird that the media controller sources are all top-level in drivers/media. It is a bit of a left-over from long ago when most media sources were all at the top-level. At some point we reorganized the directory structure, but the media-*.c sources where never moved to their own directory. So create a new mc directory and move all sources there. Also rename the prefix from media- to mc-. Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
* media: media_device_enum_links32: clean a reserved fieldJungo Lin2019-05-231-1/+8
| | | | | | | | | | | | | | | | In v4l2-compliance utility, test MEDIA_IOC_ENUM_ENTITIES will check whether reserved field of media_links_enum filled with zero. However, for 32 bit program, the reserved field is missing copy from kernel space to user space in media_device_enum_links32 function. This patch adds the cleaning a reserved field logic in media_device_enum_links32 function. Signed-off-by: Jungo Lin <jungo.lin@mediatek.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
* media: Add a Kconfig option for the Request APISakari Ailus2018-12-051-0/+4
| | | | | | | | | | | | | | | | The Request API is now merged to the kernel but the confidence on the stability of that API is not great, especially regarding the interaction with V4L2. Add a Kconfig option for the API, with a scary-looking warning. The patch itself disables request creation as well as does not advertise them as buffer flags. The driver requiring requests (cedrus) now depends on the Kconfig option as well. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
* Merge tag 'media/v4.20-2' of ↵Linus Torvalds2018-10-311-4/+20
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull new experimental media request API from Mauro Carvalho Chehab: "A new media request API This API is needed to support device drivers that can dynamically change their parameters for each new frame. The latest versions of Google camera and codec HAL depends on such feature. At this stage, it supports only stateless codecs. It has been discussed for a long time (at least over the last 3-4 years), and we finally reached to something that seem to work. This series contain both the API and core changes required to support it and a new m2m decoder driver (cedrus). As the current API is still experimental, the only real driver using it (cedrus) was added at staging[1]. We intend to keep it there for a while, in order to test the API. Only when we're sure that this API works for other cases (like encoders), we'll move this driver out of staging and set the API into a stone. [1] We added support for the vivid virtual driver (used only for testing) to it too, as it makes easier to test the API for the ones that don't have the cedrus hardware" * tag 'media/v4.20-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (53 commits) media: dt-bindings: Document the Rockchip VPU bindings media: platform: Add Cedrus VPU decoder driver media: dt-bindings: media: Document bindings for the Cedrus VPU driver media: v4l: Add definition for the Sunxi tiled NV12 format media: v4l: Add definitions for MPEG-2 slice format and metadata media: videobuf2-core: Rework and rename helper for request buffer count media: v4l2-ctrls.c: initialize an error return code with zero media: v4l2-compat-ioctl32.c: add missing documentation for a field media: media-request: update documentation media: media-request: EPERM -> EACCES/EBUSY media: v4l2-ctrls: improve media_request_(un)lock_for_update media: v4l2-ctrls: use media_request_(un)lock_for_access media: media-request: add media_request_(un)lock_for_access media: vb2: set reqbufs/create_bufs capabilities media: videodev2.h: add new capabilities for buffer types media: buffer.rst: only set V4L2_BUF_FLAG_REQUEST_FD for QBUF media: v4l2-ctrls: return -EACCES if request wasn't completed media: media-request: return -EINVAL for invalid request_fds media: vivid: add request support media: vivid: add mc ...
| * media: media-request: implement media requestsHans Verkuil2018-08-311-4/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add initial media request support: 1) Add MEDIA_IOC_REQUEST_ALLOC ioctl support to media-device.c 2) Add struct media_request to store request objects. 3) Add struct media_request_object to represent a request object. 4) Add MEDIA_REQUEST_IOC_QUEUE/REINIT ioctl support. Basic lifecycle: the application allocates a request, adds objects to it, queues the request, polls until it is completed and can then read the final values of the objects at the time of completion. When it closes the file descriptor the request memory will be freed (actually, when the last user of that request releases the request). Drivers will bind an object to a request (the 'adds objects to it' phase), when MEDIA_REQUEST_IOC_QUEUE is called the request is validated (req_validate op), then queued (the req_queue op). When done with an object it can either be unbound from the request (e.g. when the driver has finished with a vb2 buffer) or marked as completed (e.g. for controls associated with a buffer). When all objects in the request are completed (or unbound), then the request fd will signal an exception (poll). Co-developed-by: Sakari Ailus <sakari.ailus@linux.intel.com> Co-developed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Co-developed-by: Alexandre Courbot <acourbot@chromium.org> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Reviewed-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
* | media: use strscpy() instead of strlcpy()Mauro Carvalho Chehab2018-09-111-14/+14
|/ | | | | | | | | | | The implementation of strscpy() is more robust and safer. That's now the recommended way to copy NUL terminated strings. Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
* Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-daxLinus Torvalds2018-08-261-11/+5
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pull IDA updates from Matthew Wilcox: "A better IDA API: id = ida_alloc(ida, GFP_xxx); ida_free(ida, id); rather than the cumbersome ida_simple_get(), ida_simple_remove(). The new IDA API is similar to ida_simple_get() but better named. The internal restructuring of the IDA code removes the bitmap preallocation nonsense. I hope the net -200 lines of code is convincing" * 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax: (29 commits) ida: Change ida_get_new_above to return the id ida: Remove old API test_ida: check_ida_destroy and check_ida_alloc test_ida: Convert check_ida_conv to new API test_ida: Move ida_check_max test_ida: Move ida_check_leaf idr-test: Convert ida_check_nomem to new API ida: Start new test_ida module target/iscsi: Allocate session IDs from an IDA iscsi target: fix session creation failure handling drm/vmwgfx: Convert to new IDA API dmaengine: Convert to new IDA API ppc: Convert vas ID allocation to new IDA API media: Convert entity ID allocation to new IDA API ppc: Convert mmu context allocation to new IDA API Convert net_namespace to new IDA API cb710: Convert to new IDA API rsxx: Convert to new IDA API osd: Convert to new IDA API sd: Convert to new IDA API ...
| * media: Convert entity ID allocation to new IDA APIMatthew Wilcox2018-08-221-11/+5
| | | | | | | | | | | | | | | | Removes a call to ida_pre_get(). Signed-off-by: Matthew Wilcox <willy@infradead.org> Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
* | media: media.h: remove linux/version.h includeHans Verkuil2018-07-271-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | The media.h public header is one of only three public headers that include linux/version.h. Drop it from media.h. It was only used for an obsolete define. It has to be added to media-device.c, since that source relied on media.h to include it. Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
* | media: add flags field to struct media_v2_entityHans Verkuil2018-07-251-0/+1
| | | | | | | | | | | | | | | | | | | | | | The v2 entity structure never exposed the entity flags, which made it impossible to detect connector or default entities. It is really trivial to just expose this information, so implement this. Signed-off-by: Hans Verkuil <hansverk@cisco.com> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
* | media: add 'index' to struct media_v2_padHans Verkuil2018-07-251-0/+1
| | | | | | | | | | | | | | | | | | | | | | The v2 pad structure never exposed the pad index, which made it impossible to call the MEDIA_IOC_SETUP_LINK ioctl, which needs that information. It is really trivial to just expose this information, so implement this. Signed-off-by: Hans Verkuil <hansverk@cisco.com> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
* | media: media.h: remove __NEED_MEDIA_LEGACY_APIHans Verkuil2018-06-281-3/+10
|/ | | | | | | | | | | | The __NEED_MEDIA_LEGACY_API define is 1) ugly and 2) dangerous since it is all too easy for drivers to define it to get hold of legacy defines. Instead just define what we need in media-device.c which is the only place where we need the legacy define (MEDIA_ENT_T_DEVNODE_UNKNOWN). Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Acked-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
* media: media-device: fix ioctl function typesSami Tolvanen2018-05-091-10/+11
| | | | | | | | | | This change fixes function types for media device ioctls to avoid indirect call mismatches with Control-Flow Integrity checking. Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
* media: zero reservedX fields in media_v2_topologyHans Verkuil2018-02-261-0/+4
| | | | | | | | | | The MEDIA_IOC_G_TOPOLOGY implementation did not zero the reservedX fields. Fix this. Found with v4l2-compliance. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* media: media-device.c: zero reserved fieldsHans Verkuil2018-02-261-0/+3
| | | | | | | | | | | MEDIA_IOC_SETUP_LINK didn't zero the reserved field of the media_link_desc struct. Do so in media_device_setup_link(). MEDIA_IOC_ENUM_LINKS didn't zero the reserved field of the media_links_enum struct. Do so in media_device_enum_links(). Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* media: media-device: use strlcpy() instead of strncpy()Xiongfeng Wang2018-02-261-1/+1
| | | | | | | | | | | | | | | gcc-8 reports drivers/media/media-device.c: In function 'media_device_get_topology': ./include/linux/string.h:245:9: warning: '__builtin_strncpy' specified bound 64 equals destination size [-Wstringop-truncation] We need to use strlcpy() to make sure the dest string is nul-terminated. Signed-off-by: Xiongfeng Wang <xiongfeng.wang@linaro.org> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* media: drop use of MEDIA_API_VERSIONHans Verkuil2017-08-081-2/+2
| | | | | | | | | | | | | | | | Set media_version to LINUX_VERSION_CODE, just as we did for driver_version. Nobody ever rememebers to update the version number, but LINUX_VERSION_CODE will always be updated. Move the MEDIA_API_VERSION define to the ifndef __KERNEL__ section of the media.h header. That way kernelspace can't accidentally start to use it again. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* media: media-device: remove driver_versionHans Verkuil2017-08-081-3/+0
| | | | | | | | | Since the driver_version field in struct media_device is no longer used, just remove it. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* media: media-device: set driver_version directlyHans Verkuil2017-08-081-1/+1
| | | | | | | | | | | | Don't use driver_version from struct media_device, just return LINUX_VERSION_CODE as the other media subsystems do. The driver_version field in struct media_device will be removed in the following patches. Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* media: devnode: Rename mdev argument as devnodeSakari Ailus2017-07-201-2/+2
| | | | | | | | | | | | | | Historically, mdev argument name was being used on both struct media_device and struct media_devnode. Recently most occurrences of mdev referring to struct media_devnode were replaced by devnode, which makes more sense. Fix the last remaining occurrence. Fixes: 163f1e93e9950 ("[media] media-devnode: fix namespace mess") Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* media: Remove useless curly braces and parenthesesSakari Ailus2017-07-201-3/+2
| | | | | | | | | Simplify the code to satisfy Linux coding style. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* [media] media: Rename graph and pipeline structs and functionsSakari Ailus2017-01-271-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The media_entity_pipeline_start() and media_entity_pipeline_stop() functions are renamed as media_pipeline_start() and media_pipeline_stop(), respectively. The reason is two-fold: the pipeline struct is, rightly, already called media_pipeline (rather than media_entity_pipeline) and what this really is about is a pipeline. A pipeline consists of entities --- and, well, other objects embedded in these entities. As the pipeline object will be in the future moved from entities to pads in order to support multiple pipelines through a single entity, do the renaming now. Similarly, functions operating on struct media_entity_graph as well as the struct itself are renamed by dropping the "entity_" part from the prefix of the function family and the data structure. The graph traversal which is what the functions are about is not specifically about entities only and will operate on pads for the same reason as the media pipeline. The patch has been generated using the following command: git grep -l media_entity |xargs perl -i -pe ' s/media_entity_pipeline/media_pipeline/g; s/media_entity_graph/media_graph/g' And a few manual edits related to line start alignment and line wrapping. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* [media] media: Drop FSF's postal address from the source code filesSakari Ailus2017-01-271-4/+0
| | | | | | | | | | | | | | | | | | | | | Drop the FSF's postal address from the source code files that typically contain mostly the license text. Of the 628 removed instances, 578 are outdated. The patch has been created with the following command without manual edits: git grep -l "675 Mass Ave\|59 Temple Place\|51 Franklin St" -- \ drivers/media/ include/media|while read i; do i=$i perl -e ' open(F,"< $ENV{i}"); $a=join("", <F>); $a =~ s/[ \t]*\*\n.*You should.*\n.*along with.*\n.*(\n.*USA.*$)?\n//m && $a =~ s/(^.*)Or, (point your browser to) /$1To obtain the license, $2\n$1/m; close(F); open(F, "> $ENV{i}"); print F $a; close(F);'; done Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
* [media] media: Properly pass through media entity types in entity enumerationSakari Ailus2017-01-271-1/+1
| | | | | | | | | | | | | | | When the functions replaced media entity types, the range which was allowed for the types was incorrect. This meant that media entity types for specific devices were not passed correctly to the userspace through MEDIA_IOC_ENUM_ENTITIES. Fix it. Fixes: commit b2cd27448b33 ("[media] media-device: map new functions into old types for legacy API") Reported-and-tested-by: Antti Laakso <antti.laakso@intel.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Cc: stable@vger.kernel.org # For v4.5 and up Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* [media] media: remove obsolete Media Device Managed resource interfacesShuah Khan2016-11-251-26/+0
| | | | | | | | | Remove obsolete media_device_get_devres(), media_device_find_devres(), and media_device_release_devres() interfaces. These interfaces are now obsolete. Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* [media] drivers/media/media-device: fix double free bug in _unregister()Max Kellermann2016-11-181-1/+5
| | | | | | | | | | | | | | | While removing all interfaces in media_device_unregister(), all media_interface pointers are freed. This is illegal and results in double kfree() if any media_interface is still linked at this point; maybe because a userspace process still has a file handle. Once the process closes the file handle, dvb_media_device_free() gets called, which frees the dvb_device.intf_devnode again. This patch removes the unnecessary kfree() call, and documents who's responsible for really freeing it. Signed-off-by: Max Kellermann <max.kellermann@gmail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* [media] media: Add flags to tell whether to take graph mutex for an IOCTLSakari Ailus2016-09-221-14/+23
| | | | | | | | | | New IOCTLs (especially for the request API) do not necessarily need the graph mutex acquired. Leave this up to the drivers. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* [media] media: Refactor copying IOCTL arguments from and to user spaceSakari Ailus2016-09-221-93/+83
| | | | | | | | | | | | | Refactor copying the IOCTL argument structs from the user space and back, in order to reduce code copied around and make the implementation more robust. As a result, the copying is done while not holding the graph mutex. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* [media] media: Unify IOCTL handler callingSakari Ailus2016-09-221-36/+15
| | | | | | | | | | Each IOCTL handler can be listed in an array instead of using a large and cumbersome switch. Do that. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* [media] media: Determine early whether an IOCTL is supportedSakari Ailus2016-09-221-0/+20
| | | | | | | | | Preparation for refactoring media IOCTL handling to unify common parts. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* [media] media: fix media devnode ioctl/syscall and unregister raceShuah Khan2016-06-151-7/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Media devnode open/ioctl could be in progress when media device unregister is initiated. System calls and ioctls check media device registered status at the beginning, however, there is a window where unregister could be in progress without changing the media devnode status to unregistered. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (returns true here) media_device_unregister() (unregister is in progress and devnode isn't unregistered yet) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (returns true here) ... media_devnode_unregister() ... (driver releases the media device memory) media_device_ioctl() (By this point devnode->media_dev does not point to allocated memory. use-after free in in mutex_lock_nested) BUG: KASAN: use-after-free in mutex_lock_nested+0x79c/0x800 at addr ffff8801ebe914f0 Fix it by clearing register bit when unregister starts to avoid the race. process 1 process 2 fd = open(/dev/media0) media_devnode_is_registered() (could return true here) media_device_unregister() (clear the register bit, then start unregister.) ... ioctl(fd, ...) __media_ioctl() media_devnode_is_registered() (return false here, ioctl returns I/O error, and will not access media device memory) ... media_devnode_unregister() ... (driver releases the media device memory) Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Suggested-by: Sakari Ailus <sakari.ailus@linux.intel.com> Reported-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* [media] media: fix use-after-free in cdev_put() when app exits after driver ↵Shuah Khan2016-06-151-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | unbind When driver unbinds while media_ioctl is in progress, cdev_put() fails with when app exits after driver unbinds. Add devnode struct device kobj as the cdev parent kobject. cdev_add() gets a reference to it and releases it in cdev_del() ensuring that the devnode is not deallocated as long as the application has the device file open. media_devnode_register() initializes the struct device kobj before calling cdev_add(). media_devnode_unregister() does cdev_del() and then deletes the device. devnode is released when the last reference to the struct device is gone. This problem is found on uvcvideo, em28xx, and au0828 drivers and fix has been tested on all three. kernel: [ 193.599736] BUG: KASAN: use-after-free in cdev_put+0x4e/0x50 kernel: [ 193.599745] Read of size 8 by task media_device_te/1851 kernel: [ 193.599792] INFO: Allocated in __media_device_register+0x54 kernel: [ 193.599951] INFO: Freed in media_devnode_release+0xa4/0xc0 kernel: [ 193.601083] Call Trace: kernel: [ 193.601093] [<ffffffff81aecac3>] dump_stack+0x67/0x94 kernel: [ 193.601102] [<ffffffff815359b2>] print_trailer+0x112/0x1a0 kernel: [ 193.601111] [<ffffffff8153b5e4>] object_err+0x34/0x40 kernel: [ 193.601119] [<ffffffff8153d9d4>] kasan_report_error+0x224/0x530 kernel: [ 193.601128] [<ffffffff814a2c3d>] ? kzfree+0x2d/0x40 kernel: [ 193.601137] [<ffffffff81539d72>] ? kfree+0x1d2/0x1f0 kernel: [ 193.601154] [<ffffffff8157ca7e>] ? cdev_put+0x4e/0x50 kernel: [ 193.601162] [<ffffffff8157ca7e>] cdev_put+0x4e/0x50 kernel: [ 193.601170] [<ffffffff815767eb>] __fput+0x52b/0x6c0 kernel: [ 193.601179] [<ffffffff8117743a>] ? switch_task_namespaces+0x2a kernel: [ 193.601188] [<ffffffff815769ee>] ____fput+0xe/0x10 kernel: [ 193.601196] [<ffffffff81170023>] task_work_run+0x133/0x1f0 kernel: [ 193.601204] [<ffffffff8117746e>] ? switch_task_namespaces+0x5e kernel: [ 193.601213] [<ffffffff8111b50c>] do_exit+0x72c/0x2c20 kernel: [ 193.601224] [<ffffffff8111ade0>] ? release_task+0x1250/0x1250 - - - kernel: [ 193.601360] [<ffffffff81003587>] ? exit_to_usermode_loop+0xe7 kernel: [ 193.601368] [<ffffffff810035c0>] exit_to_usermode_loop+0x120 kernel: [ 193.601376] [<ffffffff810061da>] syscall_return_slowpath+0x16a kernel: [ 193.601386] [<ffffffff82848b33>] entry_SYSCALL_64_fastpath+0xa6 Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Tested-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* [media] media-device: dynamically allocate struct media_devnodeMauro Carvalho Chehab2016-06-151-14/+30
| | | | | | | | | | | | | | | | | | | | struct media_devnode is currently embedded at struct media_device. While this works fine during normal usage, it leads to a race condition during devnode unregister. the problem is that drivers assume that, after calling media_device_unregister(), the struct that contains media_device can be freed. This is not true, as it can't be freed until userspace closes all opened /dev/media devnodes. In other words, if the media devnode is still open, and media_device gets freed, any call to an ioctl will make the core to try to access struct media_device, with will cause an use-after-free and even GPF. Fix this by dynamically allocating the struct media_devnode and only freeing it when it is safe. Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
* Merge tag 'v4.6-rc7' into patchworkMauro Carvalho Chehab2016-05-091-4/+4
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Linux 4.6-rc7 * tag 'v4.6-rc7': (185 commits) Linux 4.6-rc7 parisc: fix a bug when syscall number of tracee is __NR_Linux_syscalls x86/tsc: Read all ratio bits from MSR_PLATFORM_INFO mailmap: add John Paul Adrian Glaubitz byteswap: try to avoid __builtin_constant_p gcc bug lib/stackdepot: avoid to return 0 handle mm: fix kcompactd hang during memory offlining modpost: fix module autoloading for OF devices with generic compatible property proc: prevent accessing /proc/<PID>/environ until it's ready mm/zswap: provide unique zpool name mm: thp: kvm: fix memory corruption in KVM with THP enabled MAINTAINERS: fix Rajendra Nayak's address mm, cma: prevent nr_isolated_* counters from going negative mm: update min_free_kbytes from khugepaged after core initialization huge pagecache: mmap_sem is unlocked when truncation splits pmd rapidio/mport_cdev: fix uapi type definitions mm: memcontrol: let v2 cgroups follow changes in system swappiness mm: thp: correct split_huge_pages file permission maintainers: update rmk's email address(es) writeback: Fix performance regression in wb_over_bg_thresh() ...
| * [media] media-device: fix builds when USB or PCI is compiled as moduleMauro Carvalho Chehab2016-05-051-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Just checking ifdef CONFIG_USB is not enough, if the USB is compiled as module. The same applies to PCI. Tested with the following .config alternatives: CONFIG_USB=m CONFIG_MEDIA_CONTROLLER=y CONFIG_MEDIA_SUPPORT=m CONFIG_VIDEO_AU0828=m CONFIG_USB=m CONFIG_MEDIA_CONTROLLER=y CONFIG_MEDIA_SUPPORT=y CONFIG_VIDEO_AU0828=m CONFIG_USB=y CONFIG_MEDIA_CONTROLLER=y CONFIG_MEDIA_SUPPORT=y CONFIG_VIDEO_AU0828=m CONFIG_USB=y CONFIG_MEDIA_CONTROLLER=y CONFIG_MEDIA_SUPPORT=y CONFIG_VIDEO_AU0828=y Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
* | [media] media-device: Simplify compat32 logicMauro Carvalho Chehab2016-05-071-7/+1
| | | | | | | | | | | | | | | | | | | | | | Only MEDIA_IOC_ENUM_LINKS32 require an special logic when userspace is 32 bits and Kernel is 64 bits. For the rest, media_device_ioctl() will do the right thing, and will return -ENOIOCTLCMD if the ioctl is unknown. Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
* | [media] drivers/media/media-device: move debug log before _devnode_unregister()Max Kellermann2016-05-071-2/+1
| | | | | | | | | | | | | | | | After media_devnode_unregister(), the struct media_device may be freed already, and dereferencing it may crash. Signed-off-by: Max Kellermann <max@duempel.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
* | [media] media-device: get rid of the spinlockMauro Carvalho Chehab2016-04-201-26/+13
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Right now, the lock schema for media_device struct is messy, since sometimes, it is protected via a spin lock, while, for media graph traversal, it is protected by a mutex. Solve this conflict by always using a mutex. As a side effect, this prevents a bug when the media notifiers is called at atomic context, while running the notifier callback: BUG: sleeping function called from invalid context at mm/slub.c:1289 in_atomic(): 1, irqs_disabled(): 0, pid: 3479, name: modprobe 4 locks held by modprobe/3479: #0: (&dev->mutex){......}, at: [<ffffffff81ce8933>] __driver_attach+0xa3/0x160 #1: (&dev->mutex){......}, at: [<ffffffff81ce8941>] __driver_attach+0xb1/0x160 #2: (register_mutex#5){+.+.+.}, at: [<ffffffffa10596c7>] usb_audio_probe+0x257/0x1c90 [snd_usb_audio] #3: (&(&mdev->lock)->rlock){+.+.+.}, at: [<ffffffffa0e6051b>] media_device_register_entity+0x1cb/0x700 [media] CPU: 2 PID: 3479 Comm: modprobe Not tainted 4.5.0-rc3+ #49 Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015 0000000000000000 ffff8803b3f6f288 ffffffff81933901 ffff8803c4bae000 ffff8803c4bae5c8 ffff8803b3f6f2b0 ffffffff811c6af5 ffff8803c4bae000 ffffffff8285d7f6 0000000000000509 ffff8803b3f6f2f0 ffffffff811c6ce5 Call Trace: [<ffffffff81933901>] dump_stack+0x85/0xc4 [<ffffffff811c6af5>] ___might_sleep+0x245/0x3a0 [<ffffffff811c6ce5>] __might_sleep+0x95/0x1a0 [<ffffffff8155aade>] kmem_cache_alloc_trace+0x20e/0x300 [<ffffffffa0e66e3d>] ? media_add_link+0x4d/0x140 [media] [<ffffffffa0e66e3d>] media_add_link+0x4d/0x140 [media] [<ffffffffa0e69931>] media_create_pad_link+0xa1/0x600 [media] [<ffffffffa0fe11b3>] au0828_media_graph_notify+0x173/0x360 [au0828] [<ffffffffa0e68a6a>] ? media_gobj_create+0x1ba/0x480 [media] [<ffffffffa0e606fb>] media_device_register_entity+0x3ab/0x700 [media] Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com> Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Hans Verkuil <hans.verkuil@cisco.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
* Merge commit '840f5b0572ea' into v4l_for_linusMauro Carvalho Chehab2016-03-151-11/+134
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * commit '840f5b0572ea': (381 commits) media: au0828 disable tuner to demod link in au0828_media_device_register() [media] touptek: cast char types on %x printk [media] touptek: don't DMA at the stack [media] mceusb: use %*ph for small buffer dumps [media] v4l: exynos4-is: Drop unneeded check when setting up fimc-lite links [media] v4l: vsp1: Check if an entity is a subdev with the right function [media] hide unused functions for !MEDIA_CONTROLLER [media] em28xx: fix Terratec Grabby AC97 codec detection [media] media: add prefixes to interface types [media] media: rc: nuvoton: switch attribute wakeup_data to text [media] v4l2-ioctl: fix YUV422P pixel format description [media] media: fix null pointer dereference in v4l_vb2q_enable_media_source() [media] v4l2-mc.h: fix yet more compiler errors [media] staging/media: add missing TODO files [media] media.h: always start with 1 for the audio entities [media] sound/usb: Use meaninful names for goto labels [media] v4l2-mc.h: fix compiler warnings [media] media: au0828 audio mixer isn't connected to decoder [media] sound/usb: Use Media Controller API to share media resources [media] dw2102: add support for TeVii S662 ...
| * [media] media: Properly handle user pointersSakari Ailus2016-03-031-4/+4
| | | | | | | | | | | | | | | | Mark pointers containing user pointers as such. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
| * [media] media: Move media_get_uptr() macro out of the media.h user space headerSakari Ailus2016-03-031-0/+5
| | | | | | | | | | | | | | | | | | The media_get_uptr() macro is mostly useful only for the IOCTL handling code in media-device.c so move it there. Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
| * [media] media: Always keep a graph walk large enough aroundSakari Ailus2016-03-031-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | Re-create the graph walk object as needed in order to have one large enough available for all entities in the graph. This enumeration is used for pipeline power management in the future. [mchehab@osg.samsung.com: fix documentation bug: " warning: bad line: graph_mutex"] Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
| * [media] media: Media Controller register/unregister entity_notify APIShuah Khan2016-02-271-0/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Add new interfaces to register and unregister entity_notify hook to media device. These interfaces allow drivers to add hooks to take appropriate actions when new entities get added to a shared media device. For example, au0828 bridge driver registers an entity_notify hook to create links as needed between media graph nodes. [mchehab@osg.samsung.com: simple comments should be /* and not /**] Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
| * [media] media_device: move allocation out of media_device_*_initMauro Carvalho Chehab2016-02-231-25/+7
| | | | | | | | | | | | | | | | | | | | Right now, media_device_pci_init and media_device_usb_init does media_device allocation internaly. That preents its usage when the media_device struct is embedded on some other structure. Move memory allocation outside it, to make it more generic. Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
| * [media] media-device: move PCI/USB helper functions from v4l2-mcMauro Carvalho Chehab2016-02-231-0/+74
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Those ancillary functions could be called even when compiled without V4L2 support, as warned by ktest build robot: All errors (new ones prefixed by >>): >> ERROR: "__v4l2_mc_usb_media_device_init" [drivers/media/usb/dvb-usb/dvb-usb.ko] undefined! >> ERROR: "__v4l2_mc_usb_media_device_init" [drivers/media/usb/dvb-usb-v2/dvb_usb_v2.ko] undefined! >> ERROR: "__v4l2_mc_usb_media_device_init" [drivers/media/usb/au0828/au0828.ko] undefined! Also, there's nothing there that are specific to V4L2. So, move those ancillary functions to MC core. No functional changes. Just function rename. Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
| * [media] allow overriding the driver nameMauro Carvalho Chehab2016-02-161-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | On USB drivers, the dev struct is usually filled with the USB device. That would mean that the name of the driver specified by media_device.dev.driver.name would be "usb", instead of the name of the actual driver that created the media entity. Add an optional field at the internal struct to allow drivers to override the driver name. Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
| * Revert "[media] Postpone the addition of MEDIA_IOC_G_TOPOLOGY"Mauro Carvalho Chehab2016-01-251-6/+1
| | | | | | | | | | | | | | | | Enable MEDIA_IOC_G_TOPOLOGY ioctl for Kernel 4.6. This reverts commit be0270ec89e6b9b49de7e533dd1f3a89ad34d205. Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
* | [media] media-device: map new functions into old types for legacy APIMauro Carvalho Chehab2016-03-101-0/+23
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | The legacy media controller userspace API exposes entity types that carry both type and function information. The new API replaces the type with a function. It preserves backward compatibility by defining legacy functions for the existing types and using them in drivers. This works fine, as long as newer entity functions won't be added. Unfortunately, some tools, like media-ctl with --print-dot argument rely on the now legacy MEDIA_ENT_T_V4L2_SUBDEV and MEDIA_ENT_T_DEVNODE numeric ranges to identify what entities will be shown. Also, if the entity doesn't match those ranges, it will ignore the major/minor information on devnodes, and won't be getting the devnode name via udev or sysfs. As we're now adding devices outside the old range, the legacy ioctl needs to map the new entity functions into a type at the old range, or otherwise we'll have a regression. Detected on all released media-ctl versions (e. g. versions <= 1.10). Fix this by deriving the type from the function to emulate the legacy API if the function isn't in the legacy functions range. Reported-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
* [media] Postpone the addition of MEDIA_IOC_G_TOPOLOGYMauro Carvalho Chehab2016-01-111-1/+6
| | | | | | | | | | | | There are a few discussions left with regards to this ioctl: 1) the name of the new structs will contain _v2_ on it? 2) what's the best alternative to avoid compat32 issues? Due to that, let's postpone the addition of this new ioctl to the next Kernel version, to give people more time to discuss it. Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
* [media] media-entity: don't sleep at media_device_register_entity()Mauro Carvalho Chehab2016-01-111-4/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | media_device_register_entity() is protected by a spin_lock. Calling ida_pre_get() with GFP_KERNEL may put it to sleep, with is a bad idea and causes this warning: [ 8812.397195] BUG: sleeping function called from invalid context at mm/slub.c:1287 [ 8812.397203] in_atomic(): 1, irqs_disabled(): 0, pid: 15179, name: modprobe [ 8812.397207] INFO: lockdep is turned off. [ 8812.397213] CPU: 2 PID: 15179 Comm: modprobe Tainted: G B 4.4.0-rc2+ #41 [ 8812.397218] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015 [ 8812.397222] 0000000000000000 ffff880314c77268 ffffffff818f8ba7 ffff8803b17dde00 [ 8812.397232] ffff880314c77290 ffffffff811c2ee5 ffff8803b17dde00 ffffffff8284dbc9 [ 8812.397241] 0000000000000507 ffff880314c772d0 ffffffff811c30d5 0000000041b58ab3 [ 8812.397250] Call Trace: [ 8812.397258] [<ffffffff818f8ba7>] dump_stack+0x4b/0x64 [ 8812.397265] [<ffffffff811c2ee5>] ___might_sleep+0x245/0x3a0 [ 8812.397270] [<ffffffff811c30d5>] __might_sleep+0x95/0x1a0 [ 8812.397276] [<ffffffff818fd083>] ? ida_pre_get+0x113/0x250 [ 8812.397282] [<ffffffff8153bb77>] kmem_cache_alloc+0x197/0x250 [ 8812.397288] [<ffffffff818fd083>] ida_pre_get+0x113/0x250 [ 8812.397293] [<ffffffff818fd265>] ida_simple_get+0xa5/0x170 [ 8812.397298] [<ffffffff818fd1c0>] ? ida_pre_get+0x250/0x250 [ 8812.397306] [<ffffffffa07382d1>] media_device_register_entity+0x171/0x420 [media] [ 8812.397318] [<ffffffffa129e76f>] v4l2_device_register_subdev+0x34f/0x640 [videodev] [ 8812.397324] [<ffffffffa0768dea>] v4l2_i2c_new_subdev_board+0x12a/0x250 [v4l2_common] [ 8812.397330] [<ffffffffa0768fe7>] v4l2_i2c_new_subdev+0xd7/0x110 [v4l2_common] [ 8812.397337] [<ffffffffa0768f10>] ? v4l2_i2c_new_subdev_board+0x250/0x250 [v4l2_common] [ 8812.397347] [<ffffffffa13d2f76>] au0828_card_analog_fe_setup+0x2e6/0x3f0 [au0828] [ 8812.397352] [<ffffffff814450cc>] ? power_down+0xc4/0xc4 [ 8812.397361] [<ffffffffa13d2c90>] ? au0828_tuner_callback+0x160/0x160 [au0828] [ 8812.397370] [<ffffffffa13d319f>] au0828_card_setup+0x11f/0x340 [au0828] [ 8812.397378] [<ffffffffa13d3080>] ? au0828_card_analog_fe_setup+0x3f0/0x3f0 [au0828] [ 8812.397384] [<ffffffff812a575b>] ? msleep+0x7b/0xc0 [ 8812.397393] [<ffffffffa13d0d79>] au0828_usb_probe+0x679/0xcf0 [au0828] [ 8812.397399] [<ffffffff81d7619d>] usb_probe_interface+0x45d/0x940 [ 8812.397406] [<ffffffff81ca7004>] driver_probe_device+0x454/0xd90 [ 8812.397411] [<ffffffff81ca7940>] ? driver_probe_device+0xd90/0xd90 [ 8812.397417] [<ffffffff81ca7940>] ? driver_probe_device+0xd90/0xd90 [ 8812.397422] [<ffffffff81ca7a61>] __driver_attach+0x121/0x160 [ 8812.397427] [<ffffffff81ca141f>] bus_for_each_dev+0x11f/0x1a0 [ 8812.397433] [<ffffffff81ca1300>] ? subsys_dev_iter_exit+0x10/0x10 [ 8812.397439] [<ffffffff822917d7>] ? _raw_spin_unlock+0x27/0x40 [ 8812.397445] [<ffffffff81ca5d4d>] driver_attach+0x3d/0x50 [ 8812.397450] [<ffffffff81ca5039>] bus_add_driver+0x4c9/0x770 [ 8812.397456] [<ffffffff81ca944c>] driver_register+0x18c/0x3b0 [ 8812.397462] [<ffffffff8124c952>] ? __raw_spin_lock_init+0x32/0x100 [ 8812.397468] [<ffffffff81d71e58>] usb_register_driver+0x1f8/0x440 [ 8812.397473] [<ffffffffa0208000>] ? 0xffffffffa0208000 [ 8812.397481] [<ffffffffa02080b7>] au0828_init+0xb7/0x1000 [au0828] [ 8812.397486] [<ffffffff810021b1>] do_one_initcall+0x141/0x300 [ 8812.397492] [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40 [ 8812.397497] [<ffffffff8123bbf6>] ? trace_hardirqs_on_caller+0x16/0x590 [ 8812.397502] [<ffffffff815406e6>] ? kasan_unpoison_shadow+0x36/0x50 [ 8812.397507] [<ffffffff815406e6>] ? kasan_unpoison_shadow+0x36/0x50 [ 8812.397512] [<ffffffff815406e6>] ? kasan_unpoison_shadow+0x36/0x50 [ 8812.397517] [<ffffffff815407f7>] ? __asan_register_globals+0x87/0xa0 [ 8812.397524] [<ffffffff814454e5>] do_init_module+0x1d0/0x5a4 [ 8812.397530] [<ffffffff812ed7e8>] load_module+0x6648/0x9d70 [ 8812.397535] [<ffffffff812e4b70>] ? symbol_put_addr+0x50/0x50 [ 8812.397546] [<ffffffff812e71a0>] ? module_frob_arch_sections+0x20/0x20 [ 8812.397552] [<ffffffff8158e950>] ? open_exec+0x50/0x50 [ 8812.397559] [<ffffffff811648db>] ? ns_capable+0x5b/0xd0 [ 8812.397565] [<ffffffff812f1208>] SyS_finit_module+0x108/0x130 [ 8812.397571] [<ffffffff812f1100>] ? SyS_init_module+0x1f0/0x1f0 [ 8812.397576] [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14 [ 8812.397582] [<ffffffff82292236>] entry_SYSCALL_64_fastpath+0x16/0x7a Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>