1. 22 Jan, 2019 2 commits
  2. 09 Jan, 2019 2 commits
  3. 05 Dec, 2018 1 commit
  4. 03 Dec, 2018 4 commits
    • Hans Verkuil's avatar
      media: vb2: don't unbind/put the object when going to state QUEUED · dde6bdcc
      Hans Verkuil authored
      When a buffer is returned to state QUEUED (that happens when
      start_streaming fails), then do not unbind and put the object
      from the request. Nothing has changed yet, so just keep it as
      is.
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Acked-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      dde6bdcc
    • Hans Verkuil's avatar
      media: vb2: keep a reference to the request until dqbuf · 6093d300
      Hans Verkuil authored
      When vb2_buffer_done is called the buffer is unbound from the
      request and put. The media_request_object_put also 'put's the
      request reference. If the application has already closed the
      request fd, then that means that the request reference at that
      point goes to 0 and the whole request is released.
      
      This means that the control handler associated with the request is
      also freed and that causes this kernel oops:
      
      [174705.995401] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:908
      [174705.995411] in_atomic(): 1, irqs_disabled(): 1, pid: 28071, name: vivid-000-vid-o
      [174705.995416] 2 locks held by vivid-000-vid-o/28071:
      [174705.995420]  #0: 000000001ea3a232 (&dev->mutex#3){....}, at: vivid_thread_vid_out+0x3f5/0x550 [vivid]
      [174705.995447]  #1: 00000000e30a0d1e (&(&q->done_lock)->rlock){....}, at: vb2_buffer_done+0x92/0x1d0 [videobuf2_common]
      [174705.995460] Preemption disabled at:
      [174705.995461] [<0000000000000000>]           (null)
      [174705.995472] CPU: 11 PID: 28071 Comm: vivid-000-vid-o Tainted: G        W         4.20.0-rc1-test-no #88
      [174705.995476] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
      [174705.995481] Call Trace:
      [174705.995500]  dump_stack+0x46/0x60
      [174705.995512]  ___might_sleep.cold.79+0xe1/0xf1
      [174705.995523]  __mutex_lock+0x50/0x8f0
      [174705.995531]  ? find_held_lock+0x2d/0x90
      [174705.995536]  ? find_held_lock+0x2d/0x90
      [174705.995542]  ? find_held_lock+0x2d/0x90
      [174705.995564]  ? v4l2_ctrl_handler_free.part.13+0x44/0x1d0 [videodev]
      [174705.995576]  v4l2_ctrl_handler_free.part.13+0x44/0x1d0 [videodev]
      [174705.995590]  v4l2_ctrl_request_release+0x1c/0x30 [videodev]
      [174705.995600]  media_request_clean+0x64/0xe0 [media]
      [174705.995609]  media_request_release+0x19/0x40 [media]
      [174705.995617]  vb2_buffer_done+0xef/0x1d0 [videobuf2_common]
      [174705.995630]  vivid_thread_vid_out+0x2c1/0x550 [vivid]
      [174705.995645]  ? vivid_stop_generating_vid_cap+0x1c0/0x1c0 [vivid]
      [174705.995653]  kthread+0x113/0x130
      [174705.995659]  ? kthread_park+0x80/0x80
      [174705.995667]  ret_from_fork+0x35/0x40
      
      The vb2_buffer_done function can be called from interrupt context, so
      anything that sleeps is not allowed.
      
      The solution is to increment the request refcount when the buffer is
      queued and decrement it when the buffer is dequeued. Releasing the
      request is fine if that happens from VIDIOC_DQBUF.
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Acked-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      6093d300
    • Hans Verkuil's avatar
      media: vb2: skip request checks for VIDIOC_PREPARE_BUF · b7ff0b09
      Hans Verkuil authored
      VIDIOC_PREPARE_BUF should ignore V4L2_BUF_FLAG_REQUEST_FD since it isn't
      doing anything with requests. So inform vb2_queue_or_prepare_buf whether
      it is called from vb2_prepare_buf or vb2_qbuf and just return 0 in the
      first case.
      
      This was found when adding new v4l2-compliance checks.
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Acked-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      b7ff0b09
    • Hans Verkuil's avatar
      media: vb2: don't call __vb2_queue_cancel if vb2_start_streaming failed · 04990215
      Hans Verkuil authored
      vb2_start_streaming() already rolls back the buffers, so there is no
      need to call __vb2_queue_cancel(). Especially since __vb2_queue_cancel()
      does too much, such as zeroing the q->queued_count value, causing vb2
      to think that no buffers have been queued.
      
      It appears that this call to __vb2_queue_cancel() is a left-over from
      before commit b3379c62.
      
      Fixes: b3379c62 ('vb2: only call start_streaming if sufficient buffers are queued')
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Cc: <stable@vger.kernel.org>      # for v4.16 and up
      Acked-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      04990215
  5. 09 Oct, 2018 2 commits
  6. 04 Oct, 2018 1 commit
  7. 24 Sep, 2018 3 commits
  8. 11 Sep, 2018 6 commits
  9. 31 Aug, 2018 12 commits
  10. 08 Aug, 2018 1 commit
  11. 02 Aug, 2018 1 commit
  12. 24 Jul, 2018 1 commit
  13. 20 Jun, 2018 2 commits
  14. 12 Jun, 2018 1 commit
    • Kees Cook's avatar
      treewide: Use array_size() in vzalloc() · fad953ce
      Kees Cook authored
      The vzalloc() function has no 2-factor argument form, so multiplication
      factors need to be wrapped in array_size(). This patch replaces cases of:
      
              vzalloc(a * b)
      
      with:
              vzalloc(array_size(a, b))
      
      as well as handling cases of:
      
              vzalloc(a * b * c)
      
      with:
      
              vzalloc(array3_size(a, b, c))
      
      This does, however, attempt to ignore constant size factors like:
      
              vzalloc(4 * 1024)
      
      though any constants defined via macros get caught up in the conversion.
      
      Any factors with a sizeof() of "unsigned char", "char", and "u8" were
      dropped, since they're redundant.
      
      The Coccinelle script used for this was:
      
      // Fix redundant parens around sizeof().
      @@
      type TYPE;
      expression THING, E;
      @@
      
      (
        vzalloc(
      -	(sizeof(TYPE)) * E
      +	sizeof(TYPE) * E
        , ...)
      |
        vzalloc(
      -	(sizeof(THING)) * E
      +	sizeof(THING) * E
        , ...)
      )
      
      // Drop single-byte sizes and redundant parens.
      @@
      expression COUNT;
      typedef u8;
      typedef __u8;
      @@
      
      (
        vzalloc(
      -	sizeof(u8) * (COUNT)
      +	COUNT
        , ...)
      |
        vzalloc(
      -	sizeof(__u8) * (COUNT)
      +	COUNT
        , ...)
      |
        vzalloc(
      -	sizeof(char) * (COUNT)
      +	COUNT
        , ...)
      |
        vzalloc(
      -	sizeof(unsigned char) * (COUNT)
      +	COUNT
        , ...)
      |
        vzalloc(
      -	sizeof(u8) * COUNT
      +	COUNT
        , ...)
      |
        vzalloc(
      -	sizeof(__u8) * COUNT
      +	COUNT
        , ...)
      |
        vzalloc(
      -	sizeof(char) * COUNT
      +	COUNT
        , ...)
      |
        vzalloc(
      -	sizeof(unsigned char) * COUNT
      +	COUNT
        , ...)
      )
      
      // 2-factor product with sizeof(type/expression) and identifier or constant.
      @@
      type TYPE;
      expression THING;
      identifier COUNT_ID;
      constant COUNT_CONST;
      @@
      
      (
        vzalloc(
      -	sizeof(TYPE) * (COUNT_ID)
      +	array_size(COUNT_ID, sizeof(TYPE))
        , ...)
      |
        vzalloc(
      -	sizeof(TYPE) * COUNT_ID
      +	array_size(COUNT_ID, sizeof(TYPE))
        , ...)
      |
        vzalloc(
      -	sizeof(TYPE) * (COUNT_CONST)
      +	array_size(COUNT_CONST, sizeof(TYPE))
        , ...)
      |
        vzalloc(
      -	sizeof(TYPE) * COUNT_CONST
      +	array_size(COUNT_CONST, sizeof(TYPE))
        , ...)
      |
        vzalloc(
      -	sizeof(THING) * (COUNT_ID)
      +	array_size(COUNT_ID, sizeof(THING))
        , ...)
      |
        vzalloc(
      -	sizeof(THING) * COUNT_ID
      +	array_size(COUNT_ID, sizeof(THING))
        , ...)
      |
        vzalloc(
      -	sizeof(THING) * (COUNT_CONST)
      +	array_size(COUNT_CONST, sizeof(THING))
        , ...)
      |
        vzalloc(
      -	sizeof(THING) * COUNT_CONST
      +	array_size(COUNT_CONST, sizeof(THING))
        , ...)
      )
      
      // 2-factor product, only identifiers.
      @@
      identifier SIZE, COUNT;
      @@
      
        vzalloc(
      -	SIZE * COUNT
      +	array_size(COUNT, SIZE)
        , ...)
      
      // 3-factor product with 1 sizeof(type) or sizeof(expression), with
      // redundant parens removed.
      @@
      expression THING;
      identifier STRIDE, COUNT;
      type TYPE;
      @@
      
      (
        vzalloc(
      -	sizeof(TYPE) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        vzalloc(
      -	sizeof(TYPE) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        vzalloc(
      -	sizeof(TYPE) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        vzalloc(
      -	sizeof(TYPE) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(TYPE))
        , ...)
      |
        vzalloc(
      -	sizeof(THING) * (COUNT) * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        vzalloc(
      -	sizeof(THING) * (COUNT) * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        vzalloc(
      -	sizeof(THING) * COUNT * (STRIDE)
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      |
        vzalloc(
      -	sizeof(THING) * COUNT * STRIDE
      +	array3_size(COUNT, STRIDE, sizeof(THING))
        , ...)
      )
      
      // 3-factor product with 2 sizeof(variable), with redundant parens removed.
      @@
      expression THING1, THING2;
      identifier COUNT;
      type TYPE1, TYPE2;
      @@
      
      (
        vzalloc(
      -	sizeof(TYPE1) * sizeof(TYPE2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        vzalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2))
        , ...)
      |
        vzalloc(
      -	sizeof(THING1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        vzalloc(
      -	sizeof(THING1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(THING1), sizeof(THING2))
        , ...)
      |
        vzalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * COUNT
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      |
        vzalloc(
      -	sizeof(TYPE1) * sizeof(THING2) * (COUNT)
      +	array3_size(COUNT, sizeof(TYPE1), sizeof(THING2))
        , ...)
      )
      
      // 3-factor product, only identifiers, with redundant parens removed.
      @@
      identifier STRIDE, SIZE, COUNT;
      @@
      
      (
        vzalloc(
      -	(COUNT) * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vzalloc(
      -	COUNT * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vzalloc(
      -	COUNT * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vzalloc(
      -	(COUNT) * (STRIDE) * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vzalloc(
      -	COUNT * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vzalloc(
      -	(COUNT) * STRIDE * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vzalloc(
      -	(COUNT) * (STRIDE) * (SIZE)
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      |
        vzalloc(
      -	COUNT * STRIDE * SIZE
      +	array3_size(COUNT, STRIDE, SIZE)
        , ...)
      )
      
      // Any remaining multi-factor products, first at least 3-factor products
      // when they're not all constants...
      @@
      expression E1, E2, E3;
      constant C1, C2, C3;
      @@
      
      (
        vzalloc(C1 * C2 * C3, ...)
      |
        vzalloc(
      -	E1 * E2 * E3
      +	array3_size(E1, E2, E3)
        , ...)
      )
      
      // And then all remaining 2 factors products when they're not all constants.
      @@
      expression E1, E2;
      constant C1, C2;
      @@
      
      (
        vzalloc(C1 * C2, ...)
      |
        vzalloc(
      -	E1 * E2
      +	array_size(E1, E2)
        , ...)
      )
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      fad953ce
  15. 28 May, 2018 1 commit