08 Oct, 2020
1 commit
-
* tag 'v5.4.70': (3051 commits)
Linux 5.4.70
netfilter: ctnetlink: add a range check for l3/l4 protonum
ep_create_wakeup_source(): dentry name can change under you...
...
Conflicts:
arch/arm/mach-imx/pm-imx6.c
arch/arm64/boot/dts/freescale/imx8mm-evk.dts
arch/arm64/boot/dts/freescale/imx8mn-ddr4-evk.dts
drivers/crypto/caam/caamalg.c
drivers/gpu/drm/imx/dw_hdmi-imx.c
drivers/gpu/drm/imx/imx-ldb.c
drivers/gpu/drm/imx/ipuv3/ipuv3-crtc.c
drivers/mmc/host/sdhci-esdhc-imx.c
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
drivers/net/ethernet/freescale/enetc/enetc.c
drivers/net/ethernet/freescale/enetc/enetc_pf.c
drivers/thermal/imx_thermal.c
drivers/usb/cdns3/ep0.c
drivers/xen/swiotlb-xen.c
sound/soc/fsl/fsl_esai.c
sound/soc/fsl/fsl_sai.c
Signed-off-by: Jason Liu
05 Oct, 2020
1 commit
-
There are two Coverity issues on the same piece of code:
ID 6296629 Operands don't affect result
ID 9000746 Pointless comparison of unsigned integer with neg const
Signed-off-by: Mirela Rabulea
Reviewed-by: Robert Chiras
01 Oct, 2020
6 commits
-
[ Upstream commit bc3d870e414b42d72cd386aa20a4fc3612e4feb7 ]
Presently the list initialization is done only in
dynamic-resolution-change state, which leads to list corruptions
and use-after-free. Init list_head unconditionally in
vdec_stop_capture called by vb2 stop_streaming without taking
into account current codec state.
Signed-off-by: Stanimir Varbanov
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit a7463e2dc698075132de9905b89f495df888bb79 ]
The shifting of buf[3] by 24 bits to the left will be promoted to
a 32 bit signed int and then sign-extended to an unsigned long. In
the unlikely event that the top bit of buf[3] is set then all
the upper bits end up as also being set because of
the sign-extension and this affects the ev->post_bit_error sum.
Fix this by using the temporary u32 variable bit_error to avoid
the sign-extension promotion. This also removes the need to do the
computation twice.
Addresses-Coverity: ("Unintended sign extension")
Fixes: 267897a4708f ("[media] tda10071: implement DVBv5 statistics")
Signed-off-by: Colin Ian King
Signed-off-by: Sean Young
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e ]
Josef reported that his old-and-good Plextor ConvertX M402U video
converter spews lots of WARNINGs on the recent kernels, and it turned
out that the device uses a bulk endpoint for interrupt handling just
like 2250 board.
For fixing it, generalize the check with the proper verification of
the endpoint instead of hard-coded board type check.
Fixes: 7e5219d18e93 ("[media] go7007: Fix 2250 urb type")
Reported-and-tested-by: Josef Möllers
BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1162583
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206427
Signed-off-by: Takashi Iwai
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit 6e72eab2e7b7a157d554b8f9faed7676047be7c1 ]
When setting DMA for video capture from CSI channel, if the DMA size
is not given, it ends up writing as much data as sent by the camera.
This may lead to overwriting the buffers causing memory corruption.
Observed green lines on the default framebuffer.
Restrict the DMA to maximum height as specified in the S_FMT ioctl.
Signed-off-by: Nikhil Devshatwar
Signed-off-by: Benoit Parrot
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit a5b1d5413534607b05fb34470ff62bf395f5c8d0 ]
If NVM reading failed, the device was left powered on. Fix that.
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit 713f871b30a66dc4daff4d17b760c9916aaaf2e1 ]
In media_device_register_entity, if media_graph_walk_init fails,
need to free the previously memory.
Reported-by: Hulk Robot
Signed-off-by: zhengbin
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
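The sign extension described in the tda10071 commit in this group (a7463e2dc698), as an added C example that is not code from the kernel tree. The byte order of buf[0..2], the function names and the sample buffers are assumptions made for illustration; only the buf[3] << 24 promotion and the u32 temporary come from the commit message.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample register reads (not captured from hardware). */
static const uint8_t SAMPLE_TOP_BIT_SET[4]   = { 0x10, 0x00, 0x00, 0x80 };
static const uint8_t SAMPLE_TOP_BIT_CLEAR[4] = { 0x10, 0x00, 0x00, 0x7f };

/*
 * Pattern the commit message describes: buf[3] is a u8, so in
 * "buf[3] << 24" it is promoted to a 32-bit signed int. Adding that int
 * to a 64-bit unsigned counter sign-extends it first.
 * The casts below reproduce the promotion explicitly, because shifting
 * a 1 into the sign bit of an int is undefined in ISO C.
 */
static uint64_t add_with_int_promotion(uint64_t sum, const uint8_t buf[4])
{
    int32_t promoted = (int32_t)(((uint32_t)buf[3] << 24) |
                                 ((uint32_t)buf[2] << 16) |
                                 ((uint32_t)buf[1] << 8)  |
                                  (uint32_t)buf[0]);

    /* int -> 64-bit unsigned: bits 63..32 become 1 when bit 31 is set */
    return sum + (uint64_t)promoted;
}

/*
 * Pattern of the fix: assemble the value in a u32 temporary (bit_error
 * in the commit message), so the widening to 64 bits is zero-extension.
 */
static uint64_t add_with_u32_temp(uint64_t sum, const uint8_t buf[4])
{
    uint32_t bit_error = ((uint32_t)buf[3] << 24) |
                         ((uint32_t)buf[2] << 16) |
                         ((uint32_t)buf[1] << 8)  |
                          (uint32_t)buf[0];

    return sum + bit_error;
}

int main(void)
{
    printf("top bit set,   int promotion: 0x%016llx\n",
           (unsigned long long)add_with_int_promotion(0, SAMPLE_TOP_BIT_SET));
    printf("top bit set,   u32 temporary: 0x%016llx\n",
           (unsigned long long)add_with_u32_temp(0, SAMPLE_TOP_BIT_SET));
    printf("top bit clear, int promotion: 0x%016llx\n",
           (unsigned long long)add_with_int_promotion(0, SAMPLE_TOP_BIT_CLEAR));
    printf("top bit clear, u32 temporary: 0x%016llx\n",
           (unsigned long long)add_with_u32_temp(0, SAMPLE_TOP_BIT_CLEAR));
    return 0;
}
```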
18 Sep, 2020
1 commit
-
GPIO IR receive relies heavily on interrupt response; uneven interrupt
latency will lead to incorrect timing, so the decoder fails to decode
it. The issue is particularly acute on systems which support
cpuidle; dynamically disabling and enabling cpuidle can solve this problem
to a great extent.
However, there is a downside to this approach: the measurement of the header
on the first signal may be incorrect. Tested on the i.MX8M series: when cpuidle
is enabled, interrupt latency could be about 500us.
Luckily, RC would transmit multiple signals on one press. The first
signal may not decode correctly; later ones can be decoded correctly.
Reviewed-by: Frank Li
Reviewed-by: Fugang Duan
Signed-off-by: Joakim Zhang
10 Sep, 2020
3 commits
-
commit 4f0835d6677dc69263f90f976524cb92b257d9f4 upstream.
Only report uevent file contents if device still registered, else we
might read freed memory.
Reported-by: syzbot+ceef16277388d6f24898@syzkaller.appspotmail.com
Cc: Hillf Danton
Cc: # 4.16+
Signed-off-by: Sean Young
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman
-
commit a2e2d73fa28136598e84db9d021091f1b98cbb1a upstream.
Device drivers do not expect to have change_protocol or wakeup
re-programming to be accessed after rc_unregister_device(). This can
cause the device driver to access deallocated resources.
Cc: # 4.16+
Signed-off-by: Sean Young
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 2e7c8fb8942773f412fe12f3b63e8bb92c18ab3f ]
The check for a required control in the request was missing a call to
v4l2_ctrl_request_hdl_put(), so the control request object was never
released.
Signed-off-by: Hans Verkuil
Fixes: 997deb811bf5 ("media: vicodec: Add support for stateless decoder.")
Reviewed-by: Ezequiel Garcia
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
03 Sep, 2020
4 commits
-
[ Upstream commit ea8912b788f8144e7d32ee61e5ccba45424bef83 ]
usleep_range() may take longer than the max argument due to scheduling,
especially under load. This is causing random errors in the transmitted
IR. Remove the usleep_range() in favour of busy-looping with udelay().
Signed-off-by: Sean Young
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit 602649eadaa0c977e362e641f51ec306bc1d365d ]
In case of errors vpif_probe_complete() releases memory for vpif_obj.sd
and unregisters the V4L2 device. But then this is done again by
vpif_probe() itself. The patch removes the cleaning from
vpif_probe_complete().
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit 6c42227c3467549ddc65efe99c869021d2f4a570 ]
Fix this smatch warning:
drivers/media/cec/core/cec-api.c:156 cec_adap_g_log_addrs() warn: check that 'log_addrs' doesn't leak information (struct has a hole after
'features')
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ]
The value av7110->debi_virt is stored in DMA memory, and it is assigned
to data, and thus data[0] can be modified at any time by malicious
hardware. In this case, "if (data[0] < 2)" can be passed, but then
data[0] can be changed into a large number, which may cause buffer
overflow when the code "av7110->ci_slot[data[0]]" is used.
To fix this possible bug, data[0] is assigned to a local variable, which
replaces the use of data[0].
Signed-off-by: Jia-Ju Bai
Signed-off-by: Sean Young
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
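The check-then-use problem described in the av7110 commit above, as an added C example that is not code from the driver. DMA memory is modelled by a constructed `dma_sim` structure that returns a scripted value on each read; that structure, the function names and the sample scripts are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_SLOTS 2 /* the commit's bounds check is "data[0] < 2" */

/* Constructed stand-in for memory a device can rewrite between two reads. */
struct dma_sim {
    const uint8_t *script; /* value returned by each successive read */
    size_t len;
    size_t reads;
};

/* Constructed scripts: the device changes the byte after the first read. */
static const uint8_t RACING_SCRIPT[] = { 1, 200 };
/* The device reports an out-of-range slot from the start. */
static const uint8_t STEADY_BAD_SCRIPT[] = { 200 };

static uint8_t dma_read(struct dma_sim *d)
{
    size_t i = d->reads < d->len ? d->reads : d->len - 1;

    d->reads++;
    return d->script[i];
}

/* Before the fix: the value is fetched once for the check and again for
 * the use. Returns the index that would be applied to ci_slot[], or -1. */
static int slot_index_double_fetch(struct dma_sim *d)
{
    if (dma_read(d) < NUM_SLOTS)   /* fetch 1: bounds check */
        return dma_read(d);        /* fetch 2: may no longer be < 2 */
    return -1;
}

/* After the fix: one fetch into a local, which is both checked and used.
 * In kernel code READ_ONCE() is the usual way to keep the compiler from
 * reloading the value behind the local. */
static int slot_index_single_fetch(struct dma_sim *d)
{
    uint8_t slot = dma_read(d);

    if (slot < NUM_SLOTS)
        return slot;
    return -1;
}

static int demo_double_fetch(const uint8_t *script, size_t len)
{
    struct dma_sim d = { script, len, 0 };

    return slot_index_double_fetch(&d);
}

static int demo_single_fetch(const uint8_t *script, size_t len)
{
    struct dma_sim d = { script, len, 0 };

    return slot_index_single_fetch(&d);
}

int main(void)
{
    printf("double fetch, racing device: index %d (array has %d slots)\n",
           demo_double_fetch(RACING_SCRIPT, sizeof(RACING_SCRIPT)), NUM_SLOTS);
    printf("single fetch, racing device: index %d\n",
           demo_single_fetch(RACING_SCRIPT, sizeof(RACING_SCRIPT)));
    return 0;
}
```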
01 Sep, 2020
2 commits
-
Variable streaming is used to track ov5640 working state and control to turn
on/off ov5640. For the normal case, streaming will be set to false when the user calls
the STREAMOFF ioctl, but for some special cases, the process will be killed at any time
and the STREAMOFF ioctl will be ignored in this case. This leads to the sensor software
state being out of sync with its real state, so the driver forces streaming to
false when ov5640_set_power_off() is called. This keeps the software state in sync with
the sensor's real state.
Signed-off-by: Guoniu.zhou
Reviewed-by: Robby Cai
(cherry picked from commit 83f205588674877837d10d2bd5ebd9c8308f33e7)
-
When use USERPTR mode to queue v4l2 buffer, field and timestamp info
needs to be stored.
Signed-off-by: Haihua Hu
Reviewed-by: Liu Ying
(cherry picked from commit 4e4c19ea2a0d686ebeab204198a37a2c09b104d4)
26 Aug, 2020
3 commits
-
[ Upstream commit f45882cfb152f5d3a421fd58f177f227e44843b9 ]
camss_probe() does not free camss on error handling paths. The patch
introduces an additional error label for this purpose. Besides, it
removes call of v4l2_async_notifier_cleanup() from
camss_of_parse_ports() since its caller, camss_probe(), cleans up all
its resources itself.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov
Co-developed-by: Anton Vasilyev
Signed-off-by: Anton Vasilyev
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit 9c487b0b0ea7ff22127fe99a7f67657d8730ff94 ]
If platform_driver_register() fails within vpss_init() resources are not
cleaned up. The patch fixes this issue by introducing the corresponding
error handling.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit fc0456458df8b3421dba2a5508cd817fbc20ea71 ]
budget_register() has no error handling after its failure.
Add the missed undo functions for error handling to fix it.
Signed-off-by: Chuhong Yuan
Signed-off-by: Sean Young
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
21 Aug, 2020
3 commits
-
[ Upstream commit 0f879bab72f47e8ba2421a984e7acfa763d3e84e ]
Setting the output CSC mode is required for a YUV output, but must not
be set when the input is also YUV. Doing this (as tested with a YUV420P
to YUV420P conversion) results in wrong colors.
Adapt the logic to only set the output CSC mode when the output is YUV and
the input is RGB. Also add a comment to clarify the rationale.
Fixes: f7e7b48e6d79 ("[media] rockchip/rga: v4l2 m2m support")
Signed-off-by: Paul Kocialkowski
Reviewed-by: Ezequiel Garcia
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit ded874ece29d3fe2abd3775810a06056067eb68c ]
This introduces two macros: RGA_COLOR_FMT_IS_YUV and RGA_COLOR_FMT_IS_RGB
which allow quick checking of the colorspace family of a RGA color format.
These macros are then used to refactor the logic for CSC mode selection.
The two nested tests for input colorspace are simplified into a single one,
with a logical and, making the whole more readable.
Signed-off-by: Paul Kocialkowski
Reviewed-by: Ezequiel Garcia
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
commit c92d30e4b78dc331909f8c6056c2792aa14e2166 upstream.
In commit f3b98e3c4d2e16 ("media: vsp1: Provide support for extended
command pools"), the vsp pointer used for referencing the VSP1 device
structure from a command pool during vsp1_dl_ext_cmd_pool_destroy() was
not populated.
Correctly assign the pointer to prevent the following
null-pointer-dereference when removing the device:
[*] h3ulcb-kf #>
echo fea28000.vsp > /sys/bus/platform/devices/fea28000.vsp/driver/unbind
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028
Mem abort info:
ESR = 0x96000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00000007318be000
[0000000000000028] pgd=00000007333a1003, pud=00000007333a6003, pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 486 Comm: sh Not tainted 5.7.0-rc6-arm64-renesas-00118-ge644645abf47 #185
Hardware name: Renesas H3ULCB Kingfisher board based on r8a77951 (DT)
pstate: 40000005 (nZcv daif -PAN -UAO)
pc : vsp1_dlm_destroy+0xe4/0x11c
lr : vsp1_dlm_destroy+0xc8/0x11c
sp : ffff800012963b60
x29: ffff800012963b60 x28: ffff0006f83fc440
x27: 0000000000000000 x26: ffff0006f5e13e80
x25: ffff0006f5e13ed0 x24: ffff0006f5e13ed0
x23: ffff0006f5e13ed0 x22: dead000000000122
x21: ffff0006f5e3a080 x20: ffff0006f5df2938
x19: ffff0006f5df2980 x18: 0000000000000003
x17: 0000000000000000 x16: 0000000000000016
x15: 0000000000000003 x14: 00000000000393c0
x13: ffff800011a5ec18 x12: ffff800011d8d000
x11: ffff0006f83fcc68 x10: ffff800011a53d70
x9 : ffff8000111f3000 x8 : 0000000000000000
x7 : 0000000000210d00 x6 : 0000000000000000
x5 : ffff800010872e60 x4 : 0000000000000004
x3 : 0000000078068000 x2 : ffff800012781000
x1 : 0000000000002c00 x0 : 0000000000000000
Call trace:
vsp1_dlm_destroy+0xe4/0x11c
vsp1_wpf_destroy+0x10/0x20
vsp1_entity_destroy+0x24/0x4c
vsp1_destroy_entities+0x54/0x130
vsp1_remove+0x1c/0x40
platform_drv_remove+0x28/0x50
__device_release_driver+0x178/0x220
device_driver_detach+0x44/0xc0
unbind_store+0xe0/0x104
drv_attr_store+0x20/0x30
sysfs_kf_write+0x48/0x70
kernfs_fop_write+0x148/0x230
__vfs_write+0x18/0x40
vfs_write+0xdc/0x1c4
ksys_write+0x68/0xf0
__arm64_sys_write+0x18/0x20
el0_svc_common.constprop.0+0x70/0x170
do_el0_svc+0x20/0x80
el0_sync_handler+0x134/0x1b0
el0_sync+0x140/0x180
Code: b40000c2 f9403a60 d2800084 a9400663 (f9401400)
---[ end trace 3875369841fb288a ]---
Fixes: f3b98e3c4d2e16 ("media: vsp1: Provide support for extended command pools")
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Eugeniu Rosca
Reviewed-by: Kieran Bingham
Tested-by: Kieran Bingham
Reviewed-by: Laurent Pinchart
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman
19 Aug, 2020
7 commits
-
commit e30cc79cc80fd919b697a15c5000d9f57487de8e upstream.
Syzbot reports a NULL-ptr deref in the kref_put() call:
BUG: KASAN: null-ptr-deref in media_request_put drivers/media/mc/mc-request.c:81 [inline]
kref_put include/linux/kref.h:64 [inline]
media_request_put drivers/media/mc/mc-request.c:81 [inline]
media_request_close+0x4d/0x170 drivers/media/mc/mc-request.c:89
__fput+0x2ed/0x750 fs/file_table.c:281
task_work_run+0x147/0x1d0 kernel/task_work.c:123
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_usermode_loop arch/x86/entry/common.c:165 [inline]
prepare_exit_to_usermode+0x48e/0x600 arch/x86/entry/common.c:196
What led to this crash was an injected memory allocation failure in
media_request_alloc():
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
should_failslab+0x5/0x20
kmem_cache_alloc_trace+0x57/0x300
? anon_inode_getfile+0xe5/0x170
media_request_alloc+0x339/0x440
media_device_request_alloc+0x94/0xc0
media_device_ioctl+0x1fb/0x330
? do_vfs_ioctl+0x6ea/0x1a00
? media_ioctl+0x101/0x120
? __media_device_usb_init+0x430/0x430
? media_poll+0x110/0x110
__se_sys_ioctl+0xf9/0x160
do_syscall_64+0xf3/0x1b0
When that allocation fails, filp->private_data is left uninitialized
which media_request_close() does not expect and crashes.
To avoid this, reorder media_request_alloc() such that
allocating the struct file happens as the last step thus
media_request_close() will no longer get called for a partially created
media request.
Reported-by: syzbot+6bed2d543cf7e48b822b@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Tuomas Tynkkynen
Fixes: 10905d70d788 ("media: media-request: implement media requests")
Reviewed-by: Hans Verkuil
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 6f01dfb760c027d5dd6199d91ee9599f2676b5c6 ]
Do not fail probing when device_init_wakeup fails.
device_init_wakeup fails when the device is already enabled as wakeup
device. Hence, the driver fails to probe the device if:
- The device has already been enabled for wakeup (by e.g. sysfs)
- The driver has been unloaded and is being loaded again.
This goal of the patch is to fix the above cases.
Overwhelming majority of the drivers do not check device_init_wakeup
return code.
Fixes: cd70de2d356ee ("media: platform: Add ChromeOS EC CEC driver")
Signed-off-by: Dariusz Marcinkiewicz
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit 18ffec750578f7447c288647d7282c7d12b1d969 ]
fimc_md_get_pinctrl() misses a check for pinctrl_lookup_state().
Add the missed check to fix it.
Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration]")
Signed-off-by: Chuhong Yuan
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit 2505a210fc126599013aec2be741df20aaacc490 ]
If fw_csr_string() returns -ENOENT, then "name" is uninitialized. So
then the "strlen(model_names[i])
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit dc7690a73017e1236202022e26a6aa133f239c8c ]
preview_init_entities() does not call v4l2_ctrl_handler_free() when
it fails.
Add the missed function to fix it.
Fixes: de1135d44f4f ("[media] omap3isp: CCDC, preview engine and resizer")
Signed-off-by: Chuhong Yuan
Reviewed-by: Laurent Pinchart
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit 4603a5b4a87ccd6fb90cbfa10195291cfcf6ba34 ]
mccic_register() forgets to cleanup the notifier in its error handler.
mccic_shutdown() also misses calling v4l2_async_notifier_cleanup().
Add the missed calls to fix them.
Fixes: 3eefe36cc00c ("media: marvell-ccic: use async notifier to get the sensor")
Signed-off-by: Chuhong Yuan
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
-
[ Upstream commit 1a55caf010c46d4f2073f9e92e97ef65358c16bf ]
CONFIG_DVB_USB_CXUSB_ANALOG is a 'bool' symbol with a dependency on the
tristate CONFIG_VIDEO_V4L2, which means it can be enabled as =y even
when its dependency is =m. This leads to a link failure:
drivers/media/usb/dvb-usb/cxusb-analog.o: In function `cxusb_medion_analog_init':
cxusb-analog.c:(.text+0x92): undefined reference to `v4l2_subdev_call_wrappers'
drivers/media/usb/dvb-usb/cxusb-analog.o: In function `cxusb_medion_register_analog':
cxusb-analog.c:(.text+0x466): undefined reference to `v4l2_device_register'
cxusb-analog.c:(.text+0x4c3): undefined reference to `v4l2_i2c_new_subdev'
cxusb-analog.c:(.text+0x4fb): undefined reference to `v4l2_subdev_call_wrappers'
...
Change the dependency only disallow the analog portion of the driver
in that configuration.
Fixes: e478d4054054 ("media: cxusb: add analog mode support for Medion MD95700")
Signed-off-by: Arnd Bergmann
Signed-off-by: Sean Young
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
14 Aug, 2020
1 commit
-
Skip v4l2 register subdev for isi, the second csi and ov5640 sensor
because currently, isp_media_server can't handle multi camera case,
if there are other /dev/v4l-subdev, isp_media_server can't handle.
Signed-off-by: Guoniu.zhou
Reviewed-by: Robby Cai
05 Aug, 2020
1 commit
-
[ Upstream commit a7b2df76b42bdd026e3106cf2ba97db41345a177 ]
In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
should be released.
Signed-off-by: Navid Emamdoost
Signed-off-by: Sean Young
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
16 Jul, 2020
1 commit
-
Found by Coverity scan, ID 10280660.
Signed-off-by: Mirela Rabulea
Reviewed-by: Laurentiu Palcu
14 Jul, 2020
2 commits
-
check return value of v4l2_async_notifier_add_subdev
Fix Coverity Issue ID: 9536729
Signed-off-by: Robby Cai
Reviewed-by: Guoniu.zhou
-
check return value against NULL for devm_kzalloc()
Fix Coverity Issue ID: 6091815
Signed-off-by: Robby Cai
Reviewed-by: G.n. Zhou
10 Jul, 2020
1 commit
-
use existing standard function instead of mx6s_csi_mmap().
this could also fix possible deadlock issue from mx6s_csi_mmap as below.
======================================================
WARNING: possible circular locking dependency detected
5.7.0-next-20200612-lts-next+g2a193301c3f1 #1 Tainted: G O
------------------------------------------------------
v4l2_capture_em/1430 is trying to acquire lock:
d933281c (&mm->mmap_lock){++++}-{3:3}, at: get_vaddr_frames+0x5c/0x234
but task is already holding lock:
d94d6b50 (&csi_dev->lock){+.+.}-{3:3}, at: __video_do_ioctl+0xec/0x44c
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&csi_dev->lock){+.+.}-{3:3}:
mutex_lock_interruptible_nested+0x1c/0x24
mx6s_csi_mmap+0x20/0x54 [mx6s_capture]
v4l2_mmap+0x54/0x90
mmap_region+0x3ac/0x67c
do_mmap+0x3c0/0x50c
vm_mmap_pgoff+0x94/0xe8
ksys_mmap_pgoff+0x7c/0xb4
ret_fast_syscall+0x0/0x28
0xbe925524
-> #0 (&mm->mmap_lock){++++}-{3:3}:
lock_acquire+0xe0/0x524
down_read+0x38/0x1f4
get_vaddr_frames+0x5c/0x234
vb2_create_framevec+0x48/0x84
vb2_dc_get_userptr+0x7c/0x3e0
__prepare_userptr+0x17c/0x3d0
__buf_prepare+0x190/0x230
vb2_core_qbuf+0x3c8/0x68c
vb2_qbuf+0x7c/0xd4
__video_do_ioctl+0x214/0x44c
video_usercopy+0x140/0x860
ksys_ioctl+0xec/0xb8c
ret_fast_syscall+0x0/0x28
0xbeb775a4
other info that might help us debug this:
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&csi_dev->lock);
                               lock(&mm->mmap_lock);
                               lock(&csi_dev->lock);
  lock(&mm->mmap_lock);
*** DEADLOCK ***
1 lock held by v4l2_capture_em/1430:
#0: d94d6b50 (&csi_dev->lock){+.+.}-{3:3}, at: __video_do_ioctl+0xec/0x44c
stack backtrace:
CPU: 0 PID: 1430 Comm: v4l2_capture_em Tainted: G O 5.7.0-next-20200612-lts-next+g2a193301c3f1 #1
Hardware name: Freescale i.MX6 SoloX (Device Tree)
[] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[] (show_stack) from [] (dump_stack+0xd8/0x10c)
[] (dump_stack) from [] (check_noncircular+0x130/0x1e4)
[] (check_noncircular) from [] (__lock_acquire+0x15e8/0x33dc)
[] (__lock_acquire) from [] (lock_acquire+0xe0/0x524)
[] (lock_acquire) from [] (down_read+0x38/0x1f4)
[] (down_read) from [] (get_vaddr_frames+0x5c/0x234)
[] (get_vaddr_frames) from [] (vb2_create_framevec+0x48/0x84)
[] (vb2_create_framevec) from [] (vb2_dc_get_userptr+0x7c/0x3e0)
[] (vb2_dc_get_userptr) from [] (__prepare_userptr+0x17c/0x3d0)
[] (__prepare_userptr) from [] (__buf_prepare+0x190/0x230)
[] (__buf_prepare) from [] (vb2_core_qbuf+0x3c8/0x68c)
[] (vb2_core_qbuf) from [] (vb2_qbuf+0x7c/0xd4)
[] (vb2_qbuf) from [] (__video_do_ioctl+0x214/0x44c)
[] (__video_do_ioctl) from [] (video_usercopy+0x140/0x860)
[] (video_usercopy) from [] (ksys_ioctl+0xec/0xb8c)
[] (ksys_ioctl) from [] (ret_fast_syscall+0x0/0x28)
Signed-off-by: Robby Cai
Reviewed-by: G.n. Zhou
07 Jul, 2020
1 commit
-
$ rmmod mx6s_capture
$ rmmod mxc_mipi_csi
------------[ cut here ]------------
WARNING: CPU: 0 PID: 31970 at drivers/clk/clk.c:954 clk_core_disable+0xc4/0xcc
mipi_csi_root_clk already disabled
Modules linked in: cdc_acm 8021q brcmfmac brcmutil ov5640_camera_mipi_v2 mxc_mipi_csi(-) [last unloaded: mx6s_capture]
CPU: 0 PID: 31970 Comm: modprobe Tainted: G O 5.4.24-2.1.0+g2ad925d15481 #1
Hardware name: Freescale i.MX7 Dual (Device Tree)
[] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[] (show_stack) from [] (dump_stack+0x90/0xa4)
[] (dump_stack) from [] (__warn+0xbc/0xd8)
[] (__warn) from [] (warn_slowpath_fmt+0x98/0xc4)
[] (warn_slowpath_fmt) from [] (clk_core_disable+0xc4/0xcc)
[] (clk_core_disable) from [] (clk_core_disable_lock+0x18/0x24)
[] (clk_core_disable_lock) from [] (mipi_csis_clk_disable+0x14/0x6c [mxc_mipi_csi])
[] (mipi_csis_clk_disable [mxc_mipi_csi]) from [] (mipi_csis_remove+0x44/0x58 [mxc_mipi_csi])
[] (mipi_csis_remove [mxc_mipi_csi]) from [] (platform_drv_remove+0x24/0x3c)
[] (platform_drv_remove) from [] (device_release_driver_internal+0xec/0x1bc)
[] (device_release_driver_internal) from [] (driver_detach+0x44/0x80)
[] (driver_detach) from [] (bus_remove_driver+0x4c/0xa4)
[] (bus_remove_driver) from [] (sys_delete_module+0x134/0x1f8)
[] (sys_delete_module) from [] (ret_fast_syscall+0x0/0x54)
Exception stack(0xa4979fa8 to 0xa4979ff0)
9fa0: 00ecb688 00ecb6c4 00ecb6c4 00000800 00000000 00000000
9fc0: 00ecb688 00ecb6c4 00000001 00000081 00000000 7efc7bb0 00ecb688 7efc7cd9
9fe0: 0049ff70 7efc67f4 0048667b 76f49468
---[ end trace f2007e3990192dab ]---
Fix the kernel dump by removing unbalanced clock disablement in remove
function.
Signed-off-by: Robby Cai
Reviewed-by: G.n. Zhou
06 Jul, 2020
1 commit
-
Fixed the coverity issue ID 9536729
Signed-off-by: Robby Cai
Reviewed-by: Sandor Yu
(cherry picked from commit 8367d7255888848d5fdd45b95bf2094152d06470)
24 Jun, 2020
1 commit
-
The commit f90580ca0133 ("[media] videodev2: Set vb2_rect's width
and height as unsigned") changes the width and height fields of
struct v4l2_rect from type __s32 to type __u32, which makes Coverity
complain that it's unnecessary for the platform driver to check on
the fields to ensure they are not less than zero. This patch removes
the check to make Coverity happy.
This fixes Coverity issue: CID 9176743.
Signed-off-by: Liu Ying
Reviewed-by: Sandor Yu