15 May, 2019
1 commit
-
Convert to use vm_map_pages() to map range of kernel memory to user vma.
vm_pgoff is treated in V4L2 API as a 'cookie' to select a buffer, not as an
in-buffer offset by design and it always wants to mmap a whole buffer from
its beginning.
Link: http://lkml.kernel.org/r/a953fe6b3056de1cc6eab654effdd4a22f125375.1552921225.git.jrdr.linux@gmail.com
Signed-off-by: Souptick Joarder
Suggested-by: Marek Szyprowski
Reviewed-by: Marek Szyprowski
Cc: Boris Ostrovsky
Cc: David Airlie
Cc: Heiko Stuebner
Cc: Joerg Roedel
Cc: Joonsoo Kim
Cc: Juergen Gross
Cc: Kees Cook
Cc: "Kirill A. Shutemov"
Cc: Kyungmin Park
Cc: Matthew Wilcox
Cc: Mauro Carvalho Chehab
Cc: Michal Hocko
Cc: Mike Rapoport
Cc: Oleksandr Andrushchenko
Cc: Pawel Osciak
Cc: Peter Zijlstra
Cc: Rik van Riel
Cc: Robin Murphy
Cc: Russell King
Cc: Sandy Huang
Cc: Stefan Richter
Cc: Stephen Rothwell
Cc: Thierry Reding
Cc: Vlastimil Babka
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
22 Apr, 2019
3 commits
-
Calling VIDIOC_DQBUF can release the core serialization lock pointed to
by vb2_queue->lock if it has to wait for a new buffer to arrive.
However, if userspace dup()ped the video device filehandle, then it is
possible to read or call DQBUF from two filehandles at the same time.
It is also possible to call REQBUFS from one filehandle while the other
is waiting for a buffer. This will remove all the buffers and reallocate
new ones. Removing all the buffers isn't the problem here (that's already
handled correctly by DQBUF), but the reallocating part is: DQBUF isn't
aware that the buffers have changed.
This is fixed by setting a flag whenever the lock is released while waiting
for a buffer to arrive. And checking the flag where needed so we can return
-EBUSY.
Signed-off-by: Hans Verkuil
Reported-by: Syzbot
Reviewed-by: Tomasz Figa
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
-
If a buffer is queued to a request, followed by an attempt to queue
the same buffer again, then the second qbuf returns an error since
the buffer is not in the DEQUEUED state anymore.
However, before it gets to that check it executes the code under the
'if (!vb->prepared)' condition. This clears previously set data needed
for request handling, and now querybuf will no longer report that this
buffer is part of a request.
Move the state check to before the 'if' and make sure to only do the
state check when called from QBUF and if V4L2_BUF_FLAG_REQUEST_FD is
set.
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
-
Minor fix for helper function and comment, s/v4l2_vb2_buffer/vb2_v4l2_buffer.
Signed-off-by: Ezequiel Garcia
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
26 Mar, 2019
3 commits
-
There are some macros at cx2341x_update() which seemed to
be introduced in order to ensure that lines would be less
than 80 columns.
Well, the thing is that they make the code harder to be analyzed,
not only by humans, but also for static code analyzers:
drivers/media/common/cx2341x.c:1116 cx2341x_update() error: we previously assumed 'old' could be null (see line 1047)
So, remove the "force" var, and replace the NEQ macro to a
better designed one that makes clearer about what it is doing.
While here, also remove the "temporal" var, as it is just another
way of doing the same type of check as the new CMP_FIELD() macro
already does.
Finally, fix coding style at the block code.
remove such macros.
Signed-off-by: Mauro Carvalho Chehab
-
If requests are used when they shouldn't, or not used when they should,
then return EBADR (Invalid request descriptor) instead of EACCES.
The reason for this change is that EACCES has more to do with permissions
(not being the owner of the resource), but in this case the request file
descriptor is just wrong for the current mode of the device.
Update the documentation accordingly.
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
-
Stateless codecs require the use of the Request API as opposed to it
being optional.
So add a bit to indicate this and let vb2 check for this.
If an attempt is made to queue a buffer without an associated request,
then the EBADR error is returned to userspace.
Doing this check in the vb2 core simplifies drivers, since they
don't have to check for this, they can just set this flag.
Signed-off-by: Hans Verkuil
Reviewed-by: Paul Kocialkowski
Signed-off-by: Mauro Carvalho Chehab
20 Mar, 2019
3 commits
-
Checkpatch wants to use 'help' instead of '---help---':
WARNING: prefer 'help' over '---help---' for new help texts
Let's change it globally at the media subsystem, as otherwise people
would keep using the old way.
Signed-off-by: Mauro Carvalho Chehab
-
There is no point to continuing assignment after memory allocation
failed, rather throw error immediately.
Signed-off-by: Souptick Joarder
Signed-off-by: Hans Verkuil
[hverkuil-cisco@xs4all.nl: rebase and remove empty line before the if]
Signed-off-by: Mauro Carvalho Chehab
-
The last user of this state has been converted, so we can now drop
this. Requeueing causes the queue to become unordered, which causes
problems with requests and (in the future) fences.
Since it is no longer needed, just get rid of this.
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
11 Mar, 2019
1 commit
-
Pull DMA mapping updates from Christoph Hellwig:
- add debugfs support for dumping dma-debug information (Corentin
  Labbe)
- Kconfig cleanups (Andy Shevchenko and me)
- debugfs cleanups (Greg Kroah-Hartman)
- improve dma_map_resource and use it in the media code
- arch_setup_dma_ops / arch_teardown_dma_ops cleanups
- various small cleanups and improvements for the per-device coherent
  allocator
- make the DMA mask an upper bound and don't fail "too large" dma mask
  in the remaining two architectures - this will allow big driver
  cleanups in the following merge windows
* tag 'dma-mapping-5.1' of git://git.infradead.org/users/hch/dma-mapping: (21 commits)
Documentation/DMA-API-HOWTO: update dma_mask sections
sparc64/pci_sun4v: allow large DMA masks
sparc64/iommu: allow large DMA masks
sparc64: refactor the ali DMA quirk
ccio: allow large DMA masks
dma-mapping: remove the DMA_MEMORY_EXCLUSIVE flag
dma-mapping: remove dma_mark_declared_memory_occupied
dma-mapping: move CONFIG_DMA_CMA to kernel/dma/Kconfig
dma-mapping: improve selection of dma_declare_coherent availability
dma-mapping: remove an incorrect __iommem annotation
of: select OF_RESERVED_MEM automatically
device.h: dma_mem is only needed for HAVE_GENERIC_DMA_COHERENT
mfd/sm501: depend on HAS_DMA
dma-mapping: add a kconfig symbol for arch_teardown_dma_ops availability
dma-mapping: add a kconfig symbol for arch_setup_dma_ops availability
dma-mapping: move debug configuration options to kernel/dma
dma-debug: add dumping facility via debugfs
dma: debug: no need to check return value of debugfs_create functions
videobuf2: replace a layering violation with dma_map_resource
dma-mapping: don't BUG when calling dma_map_resource on RAM
...
01 Mar, 2019
1 commit
-
Use codespell to fix lots of typos over frontends.
Manually verified to avoid false-positives.
Signed-off-by: Mauro Carvalho Chehab
19 Feb, 2019
4 commits
-
The epoll function expects that whenever the poll file op is
called, the poll_wait function is also called. That didn't
always happen in vb2_core_poll() and vb2_poll(). Fix this,
otherwise epoll() would timeout when it shouldn't.
Signed-off-by: Hans Verkuil
Reported-by: Yi Qingliang
Signed-off-by: Mauro Carvalho Chehab
-
If a stream is stopped, or if a USERPTR/DMABUF buffer is queued
backed by a different user address or dmabuf fd, then the timestamp
should be skipped by vb2_find_timestamp since the memory it refers
to is no longer valid.
So keep track of a 'copied_timestamp' state: it is set when the
timestamp is copied from an output to a capture buffer, and is
cleared when it is no longer valid.
Signed-off-by: Hans Verkuil
Reviewed-by: Paul Kocialkowski
Signed-off-by: Mauro Carvalho Chehab
-
The bool type is not recommended for use in structs, so replace these
by bitfields.
Signed-off-by: Hans Verkuil
Reviewed-by: Paul Kocialkowski
Signed-off-by: Mauro Carvalho Chehab
-
Add support for the following formats to tpg:
V4L2_PIX_FMT_AYUV32
V4L2_PIX_FMT_XYUV32
V4L2_PIX_FMT_VUYA32
V4L2_PIX_FMT_VUYX32
Changes from v1:
Remove the duplicate case value
Signed-off-by: Vivek Kasireddy
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
08 Feb, 2019
2 commits
-
Just like vb2 does, use u64 internally to store the timestamps
of the buffers. Only convert to timeval when interfacing with
userspace.
Signed-off-by: Hans Verkuil
Acked-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
-
Commit 2cc1802f62e5 ("media: vb2: Keep dma-buf buffers mapped until
they are freed") removed code leaving a local variable unused.
Remove it to avoid a compiler warning.
Fixes: 2cc1802f62e5 ("media: vb2: Keep dma-buf buffers mapped until they are freed")
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
01 Feb, 2019
1 commit
-
vb2_dc_get_userptr pokes into arm direct mapping details to get the
resemblance of a dma address for a physical address that is
not backed by a page struct. Not only is this not portable to other
architectures with dma direct mapping offsets, but also not to uses
of IOMMUs of any kind. Switch to the proper dma_map_resource /
dma_unmap_resource interface instead.
Signed-off-by: Christoph Hellwig
Acked-by: Mauro Carvalho Chehab
Tested-by: Marek Szyprowski
31 Jan, 2019
4 commits
-
The buf_out_validate is required for output queues in combination
with requests. Check this.
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
-
When queueing a buffer to a request the 'field' value is not validated.
That field is only validated when the _buf_prepare() is called,
which happens when the request is queued.
However, this validation should happen at QBUF time, since you want
to know about this as soon as possible. Also, the spec requires that
the 'field' value is validated at QBUF time.
This patch adds a new buf_out_validate callback to validate the
output buffer at buf_prepare time or when QBUF queues an unprepared
buffer to a request. This callback is mandatory for output queues
that support requests.
This issue was found by v4l2-compliance since it failed to replace
V4L2_FIELD_ANY by a proper field value when testing the vivid video
output in combination with requests.
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
-
When using vb2 for video decoding, dequeued capture buffers may still
be accessed by the hardware: this is the case when they are used as
reference frames for decoding subsequent frames.
When the buffer is imported with dma-buf, it needs to be mapped before
access. Until now, it was mapped when queuing and unmapped when
dequeuing, which doesn't work for access as reference frames.
One way to solve this would be to map the buffer again when it is
needed as a reference, but the mapping/unmapping operations can
seriously impact performance. As a result, map the buffer once (when it
is first needed when queued) and keep it mapped until it is freed.
Reviewed-on: https://chromium-review.googlesource.com/334103
[Paul: Updated for mainline and changed commit message]
Signed-off-by: Pawel Osciak
Signed-off-by: Paul Kocialkowski
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
-
There really is no reason why vb2_find_timestamp can't just find
buffers in any state. Drop that part of the test.
This also means that vb->timestamp should only be set to 0 when
the driver doesn't copy timestamps.
This change allows for more efficient pipelining (i.e. you can use
a buffer for a reference frame even when it is queued).
Signed-off-by: Hans Verkuil
Reviewed-by: Tomasz Figa
Reviewed-by: Alexandre Courbot
Reviewed-by: Paul Kocialkowski
Signed-off-by: Mauro Carvalho Chehab
17 Jan, 2019
2 commits
-
Because it looks neater.
Signed-off-by: Peter Rosin
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
-
My @samsung.com address is going to cease existing soon, so change it to
an address which can actually be used to contact me.
Signed-off-by: Andrzej Pietrasiewicz
Signed-off-by: Mauro Carvalho Chehab
08 Jan, 2019
1 commit
-
Use v4l2_timeval_to_ns instead of timeval_to_ns to ensure that
both kernelspace and userspace will use the same conversion
function.
Next add a new vb2_find_timestamp() function to find buffers
with a specific timestamp.
This function will only look at DEQUEUED and DONE buffers, i.e.
buffers that are already processed.
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
26 Dec, 2018
1 commit
-
Pull more media updates from Mauro Carvalho Chehab:
"The Intel IPU3 camera driver"
* tag 'media/v4.20-7' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (23 commits)
media: staging/ipu3-imgu: Add MAINTAINERS entry
media: staging/ipu3-imgu: Address documentation comments
media: v4l: Add Intel IPU3 meta buffer formats
media: doc-rst: Add Intel IPU3 documentation
media: ipu3-imgu: Fix firmware binary location
media: ipu3-imgu: Fix compiler warnings
media: staging/intel-ipu3: Add dual pipe support
media: staging/intel-ipu3: Add Intel IPU3 meta data uAPI
media: staging/intel-ipu3: Add imgu top level pci device driver
media: staging/intel-ipu3: Add v4l2 driver based on media framework
media: staging/intel-ipu3: Add css pipeline programming
media: staging/intel-ipu3: css: Initialize css hardware
media: staging/intel-ipu3: css: Compute and program ccs
media: staging/intel-ipu3: css: Add static settings for image pipeline
media: staging/intel-ipu3: css: Add support for firmware management
media: staging/intel-ipu3: css: Add dma buff pool utility functions
media: staging/intel-ipu3: Implement DMA mapping functions
media: staging/intel-ipu3: mmu: Implement driver
media: staging/intel-ipu3: abi: Add structs
media: staging/intel-ipu3: abi: Add register definitions and enum
...
17 Dec, 2018
1 commit
-
Linux 4.20-rc7
* tag 'v4.20-rc7': (403 commits)
Linux 4.20-rc7
scripts/spdxcheck.py: always open files in binary mode
checkstack.pl: fix for aarch64
userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered
fs/iomap.c: get/put the page in iomap_page_create/release()
hugetlbfs: call VM_BUG_ON_PAGE earlier in free_huge_page()
memblock: annotate memblock_is_reserved() with __init_memblock
psi: fix reference to kernel commandline enable
arch/sh/include/asm/io.h: provide prototypes for PCI I/O mapping in asm/io.h
mm/sparse: add common helper to mark all memblocks present
mm: introduce common STRUCT_PAGE_MAX_SHIFT define
alpha: fix hang caused by the bootmem removal
XArray: Fix xa_alloc when id exceeds max
drm/vmwgfx: Protect from excessive execbuf kernel memory allocations v3
MAINTAINERS: Daniel for drm co-maintainer
drm/amdgpu: drop fclk/gfxclk ratio setting
IB/core: Fix oops in netdev_next_upper_dev_rcu()
dm thin: bump target version
drm/vmwgfx: remove redundant return ret statement
drm/i915: Flush GPU relocs harder for gen3
...
14 Dec, 2018
1 commit
-
The V4L2_BUF_TYPE_META_OUTPUT mirrors the V4L2_BUF_TYPE_META_CAPTURE with
the exception that it is an OUTPUT type. The use case for this is to pass
buffers to the device that are not image data but metadata. The formats,
just as the metadata capture formats, are typically device specific and
highly structured.
Signed-off-by: Sakari Ailus
Acked-by: Hans Verkuil
Reviewed-by: Tomasz Figa
Tested-by: Tian Shu Qiu
Signed-off-by: Mauro Carvalho Chehab
06 Dec, 2018
1 commit
-
The Request API is now merged to the kernel but the confidence on the
stability of that API is not great, especially regarding the interaction
with V4L2.
Add a Kconfig option for the API, with a scary-looking warning.
The patch itself disables request creation as well as does not advertise
them as buffer flags. The driver requiring requests (cedrus) now depends
on the Kconfig option as well.
Signed-off-by: Sakari Ailus
Acked-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
04 Dec, 2018
4 commits
-
When a buffer is returned to state QUEUED (that happens when
start_streaming fails), then do not unbind and put the object
from the request. Nothing has changed yet, so just keep it as
is.
Signed-off-by: Hans Verkuil
Acked-by: Sakari Ailus
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
-
When vb2_buffer_done is called the buffer is unbound from the
request and put. The media_request_object_put also 'put's the
request reference. If the application has already closed the
request fd, then that means that the request reference at that
point goes to 0 and the whole request is released.
This means that the control handler associated with the request is
also freed and that causes this kernel oops:
[174705.995401] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908
[174705.995411] in_atomic(): 1, irqs_disabled(): 1, pid: 28071, name: vivid-000-vid-o
[174705.995416] 2 locks held by vivid-000-vid-o/28071:
[174705.995420] #0: 000000001ea3a232 (&dev->mutex#3){....}, at: vivid_thread_vid_out+0x3f5/0x550 [vivid]
[174705.995447] #1: 00000000e30a0d1e (&(&q->done_lock)->rlock){....}, at: vb2_buffer_done+0x92/0x1d0 [videobuf2_common]
[174705.995460] Preemption disabled at:
[174705.995461] [] (null)
[174705.995472] CPU: 11 PID: 28071 Comm: vivid-000-vid-o Tainted: G W 4.20.0-rc1-test-no #88
[174705.995476] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[174705.995481] Call Trace:
[174705.995500] dump_stack+0x46/0x60
[174705.995512] ___might_sleep.cold.79+0xe1/0xf1
[174705.995523] __mutex_lock+0x50/0x8f0
[174705.995531] ? find_held_lock+0x2d/0x90
[174705.995536] ? find_held_lock+0x2d/0x90
[174705.995542] ? find_held_lock+0x2d/0x90
[174705.995564] ? v4l2_ctrl_handler_free.part.13+0x44/0x1d0 [videodev]
[174705.995576] v4l2_ctrl_handler_free.part.13+0x44/0x1d0 [videodev]
[174705.995590] v4l2_ctrl_request_release+0x1c/0x30 [videodev]
[174705.995600] media_request_clean+0x64/0xe0 [media]
[174705.995609] media_request_release+0x19/0x40 [media]
[174705.995617] vb2_buffer_done+0xef/0x1d0 [videobuf2_common]
[174705.995630] vivid_thread_vid_out+0x2c1/0x550 [vivid]
[174705.995645] ? vivid_stop_generating_vid_cap+0x1c0/0x1c0 [vivid]
[174705.995653] kthread+0x113/0x130
[174705.995659] ? kthread_park+0x80/0x80
[174705.995667] ret_from_fork+0x35/0x40
The vb2_buffer_done function can be called from interrupt context, so
anything that sleeps is not allowed.
The solution is to increment the request refcount when the buffer is
queued and decrement it when the buffer is dequeued. Releasing the
request is fine if that happens from VIDIOC_DQBUF.
Signed-off-by: Hans Verkuil
Acked-by: Sakari Ailus
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
-
VIDIOC_PREPARE_BUF should ignore V4L2_BUF_FLAG_REQUEST_FD since it isn't
doing anything with requests. So inform vb2_queue_or_prepare_buf whether
it is called from vb2_prepare_buf or vb2_qbuf and just return 0 in the
first case.
This was found when adding new v4l2-compliance checks.
Signed-off-by: Hans Verkuil
Acked-by: Sakari Ailus
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
-
vb2_start_streaming() already rolls back the buffers, so there is no
need to call __vb2_queue_cancel(). Especially since __vb2_queue_cancel()
does too much, such as zeroing the q->queued_count value, causing vb2
to think that no buffers have been queued.
It appears that this call to __vb2_queue_cancel() is a left-over from
before commit b3379c6201bb3.
Fixes: b3379c6201bb3 ('vb2: only call start_streaming if sufficient buffers are queued')
Signed-off-by: Hans Verkuil
Cc: # for v4.16 and up
Acked-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
23 Nov, 2018
6 commits
-
As reported by smatch:
drivers/media/common/videobuf2/videobuf2-core.c: drivers/media/common/videobuf2/videobuf2-core.c:2159 vb2_mmap() warn: inconsistent returns 'mutex:&q->mmap_lock'.
Locked on: line 2148
Unlocked on: line 2100
line 2108
line 2113
line 2118
line 2156
line 2159
There is one error condition that doesn't unlock a mutex.
Fixes: cd26d1c4d1bc ("media: vb2: vb2_mmap: move lock up")
Reviewed-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
-
Userspace shouldn't set bytesused to 0 for output buffers.
vb2_warn_zero_bytesused() warns about this (only once!), but it also
calls WARN_ON(1), which is confusing since it is not immediately clear
that it warns about a 0 value for bytesused.
Just drop the WARN_ON as it serves no purpose.
Signed-off-by: Hans Verkuil
Acked-by: Ezequiel Garcia
Signed-off-by: Mauro Carvalho Chehab
-
Videobuf2 presently does not allow VIDIOC_REQBUFS to destroy outstanding
buffers if the queue is of type V4L2_MEMORY_MMAP, and if the buffers are
considered "in use". This is different behavior than for other memory
types and prevents us from deallocating buffers in following two cases:
1) There are outstanding mmap()ed views on the buffer. However even if
we put the buffer in reqbufs(0), there will be remaining references,
due to vma .open/close() adjusting vb2 buffer refcount appropriately.
This means that the buffer will be in fact freed only when the last
mmap()ed view is unmapped.
2) Buffer has been exported as a DMABUF. Refcount of the vb2 buffer
is managed properly by VB2 DMABUF ops, i.e. incremented on DMABUF
get and decremented on DMABUF release. This means that the buffer
will be alive until all importers release it.
Considering both cases above, there does not seem to be any need to
prevent reqbufs(0) operation, because buffer lifetime is already
properly managed by both mmap() and DMABUF code paths. Let's remove it
and allow userspace freeing the queue (and potentially allocating a new
one) even though old buffers might be still in processing.
To let userspace know that the kernel now supports orphaning buffers
that are still in use, add a new V4L2_BUF_CAP_SUPPORTS_ORPHANED_BUFS
to be set by reqbufs and create_bufs.
[p.zabel@pengutronix.de: added V4L2_BUF_CAP_SUPPORTS_ORPHANED_BUFS,
updated documentation, and added back debug message]
Signed-off-by: John Sheu
Reviewed-by: Pawel Osciak
Signed-off-by: Tomasz Figa
Signed-off-by: Philipp Zabel
Acked-by: Sakari Ailus
Signed-off-by: Hans Verkuil
[hverkuil-cisco@xs4all.nl: added V4L2-BUF-CAP-SUPPORTS-ORPHANED-BUFS ref]
Signed-off-by: Mauro Carvalho Chehab
-
text[s] is a signed char, so using that as index into the font8x16 array
can result in negative indices. Cast it to u8 to be safe.
Signed-off-by: Hans Verkuil
Reported-by: syzbot+ccf0a61ed12f2a7313ee@syzkaller.appspotmail.com
Cc: # for v4.7 and up
Signed-off-by: Mauro Carvalho Chehab
-
vb2_core_create_bufs did not check if the memory model for newly added
buffers is the same as for already existing buffers. It should return an
error if they aren't the same.
Signed-off-by: Hans Verkuil
Reported-by: syzbot+e1fb118a2ebb88031d21@syzkaller.appspotmail.com
Cc: # for v4.16 and up
Signed-off-by: Mauro Carvalho Chehab
-
If a filehandle is dup()ped, then it is possible to close it from one fd
and call mmap from the other. This creates a race condition in vb2_mmap
where it is using queue data that __vb2_queue_free (called from close())
is in the process of releasing.
By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided
since __vb2_queue_free is called with the same mutex locked. So vb2_mmap
now reads consistent buffer data.
Signed-off-by: Hans Verkuil
Reported-by: syzbot+be93025dd45dccd8923c@syzkaller.appspotmail.com
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab