Without these ops the v4l2-compliance blocking wait test will fail.
These ops are required to ensure that when VIDIOC_DQBUF has to
wait for buffers to arrive, the queue lock is correctly released
and retaken. Otherwise the wait for a buffer would block all other
queue ioctls.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Pull media updates from Mauro Carvalho Chehab:
- New CEC driver: Extron DA HD 4K Plus
- Lots of driver fixes, cleanups and improvements
* tag 'media/v6.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (179 commits)
media: atomisp: Use clamp() in ia_css_eed1_8_vmem_encode()
media: atomisp: Fix eed1_8 code assigning signed values to an unsigned variable
media: atomisp: set lock before calling vb2_queue_init()
media: atomisp: Improve binary finding debug logging
media: atomisp: Drop dev_dbg() calls from hmm_[alloc|free]()
media: atomisp: csi2-bridge: Add DMI quirk for t4ka3 on Xiaomi Mipad2
media: atomisp: add missing wait_prepare/finish ops
media: atomisp: Remove unused declaration
media: atomisp: use clamp() in compute_coring()
media: atomisp: use clamp() in ia_css_eed1_8_encode()
media: atomisp: Simplify ia_css_pipe_create_cas_scaler_desc_single_output()
media: atomisp: Replace rarely used macro from math_support.h
media: atomisp: Remove duplicated leftover, i.e. sh_css_dvs_info.h
media: atomisp: bnr: fix trailing statement
media: atomisp: move trailing */ to separate lines
media: atomisp: move trailing statement to next line.
media: atomisp: Fix trailing statement in ia_css_de.host.c
media: atomisp: Fix spelling mistakes in atomisp.h
media: atomisp: Fix spelling mistakes in atomisp_platform.h
media: atomisp: Fix spelling mistake in csi_rx_public.h
...
"struct dec_bufsize_ops and "struct enc_bufsize_ops" are not modified in
this driver.
Constifying these structures moves some data to a read-only section, so
increase overall security.
On a x86_64, with allmodconfig:
Before:
text data bss dec hex filename
12494 822 0 13316 3404 drivers/media/platform/qcom/venus/hfi_plat_bufs_v6.o
After:
text data bss dec hex filename
12766 566 0 13332 3414 drivers/media/platform/qcom/venus/hfi_plat_bufs_v6.o
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
in venus_probe, core->work is bound with venus_sys_error_handler, which is
used to handle error. The code use core->sys_err_done to make sync work.
The core->work is started in venus_event_notify.
If we call venus_remove, there might be an unfished work. The possible
sequence is as follows:
CPU0 CPU1
|venus_sys_error_handler
venus_remove |
hfi_destroy |
venus_hfi_destroy |
kfree(hdev); |
|hfi_reinit
|venus_hfi_queues_reinit
|//use hdev
Fix it by canceling the work in venus_remove.
Cc: stable@vger.kernel.org
Fixes: af2c3834c8 ("[media] media: venus: adding core part and helper functions")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Pull media updates from Mauro Carvalho Chehab:
- New sensor drivers: gc05a2, gc08a3 and imx283
- New serializer/deserializer drivers: max96714 and max96717
- New JPEG encoder driver: e5010
- Support for Raspberry Pi PiSP Backend (BE) ISP driver
- Old documentation for av7110 driver removed, as a new version was
added as Documentation/userspace-api/media/dvb/legacy*.rst
- atompisp: Linux firmwares are now available, so drop firmware-related
task from TODO and update firmware logic
- The imx258 driver has gained several improvements
- wave5 driver has gained support for HEVC decoding
- em28xx gained support for MyGica UTV3
- av7110 budget-patch driver removed
- Lots of other cleanups, improvements and fixes
* tag 'media/v6.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (301 commits)
media: raspberrypi: Switch to remove_new
media: uapi: pisp_be_config: Add extra config fields
media: uapi: pisp_be_config: Re-sort pisp_be_tiles_config
media: uapi: pisp_common: Capitalize all macros
media: uapi: pisp_common: Add 32 bpp format test
media: uapi: pisp_be_config: Drop BIT() from uAPI
media: stm32: dcmipp: correct error handling in dcmipp_create_subdevs
media: atomisp: Fix spelling mistakes in sh_css_sp.c
media: atomisp: Fix spelling mistake in ia_css_debug.c
media: atomisp: Fix spelling mistake in hmm_bo.c
media: atomisp: Fix spelling mistake in ia_css_eed1_8.host.c
media: atomisp: Fix spelling mistake in sh_css_internal.h
media: atomisp: Fix spelling mistake "pipline" -> "pipeline"
media: atomisp: Remove unused GPIO related defines and APIs
media: atomisp: Replace COMPILATION_ERROR_IF() by static_assert()
media: atomisp: Clean up unused macros from math_support.h
media: atomisp: csi2-bridge: Add DMI quirk for OV5693 on Xiaomi Mipad2
media: atomisp: Update TODO
media: atomisp: Prefix firmware paths with "intel/ipu/"
media: atomisp: Remove firmware_name module parameter
...
The Venus driver requires vcodec GDSC to be ON in SW mode for clock
operations and move it back to HW mode to gain power benefits. Earlier,
as there is no interface to switch the GDSC mode from GenPD framework,
the GDSC is moved to HW control mode as part of GDSC enable callback and
venus driver is writing to its POWER_CONTROL register to keep the GDSC ON
from SW whereever required. But the POWER_CONTROL register addresses
are not constant and can vary across the variants.
Also as per the HW recommendation, the GDSC mode switching needs to be
controlled from respective GDSC register and this is a uniform approach
across all the targets. Hence use dev_pm_genpd_set_hwmode() API which
controls GDSC mode switching using its respective GDSC register.
In venus V6 variants, the vcodec gdsc gets enabled in SW mode by default
with new HW_CTRL_TRIGGER flag and there is no need to switch it to SW
mode again after enable, hence add check to avoid switching gdsc to SW mode
again after gdsc enable. Similarly add check to avoid switching GDSC to HW
mode before disabling the GDSC, so GDSC gets enabled in SW mode in the next
enable.
Signed-off-by: Jagadeesh Kona <quic_jkona@quicinc.com>
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
Link: https://lore.kernel.org/r/20240624044809.17751-6-quic_jkona@quicinc.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
There appears to be a possible use after free with vdec_close().
The firmware will add buffer release work to the work queue through
HFI callbacks as a normal part of decoding. Randomly closing the
decoder device from userspace during normal decoding can incur
a read after free for inst.
Fix it by cancelling the work in vdec_close.
Cc: stable@vger.kernel.org
Fixes: af2c3834c8 ("[media] media: venus: adding core part and helper functions")
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Acked-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Core dump is generated whenever there is system error reported
by firmware. Right now, multiple such dumps are generated if
recovery fails in first attempt, since the sys error handler is
invoked again for every failed recovery.
To avoid it, add conditional check to generate core dump only
once during every system error notification from firmware.
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil: document new dump_core field]
For scenarios, when source change is followed by VIDIOC_STREAMOFF
on output plane, driver should discard any queued OUTPUT
buffers, which are not decoded or dequeued.
Flush with HFI_FLUSH_INPUT does not have any actual impact.
So, fix it, by invoking HFI_FLUSH_ALL, which will flush all
queued buffers.
Fixes: 85872f861d ("media: venus: Mark last capture buffer")
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Tested-by: Nathan Hebert <nhebert@chromium.org>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Pull media updates from Mauro Carvalho Chehab:
- DVB budget legacy API was finally documented. It took only 20+ years
to get some documentation about it...
- hantro driver has gained support for STM32MP25 VDEC/VENC
- rkisp1 has gained support for i.MX8MP
- atomisp got rid of two items from its todo list. Still 5 items
pending for moving it out of staging
- lots of driver fixes, cleanups and improvements
* tag 'media/v6.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (252 commits)
media: rcar-isp: Disallow unbind of devices
media: usbtv: Remove useless locks in usbtv_video_free()
media: mediatek: vcodec: avoid -Wcast-function-type-strict warning
media: ttpci: fix two memleaks in budget_av_attach
media: go7007: fix a memleak in go7007_load_encoder
media: dvb-frontends: avoid stack overflow warnings with clang
media: pvrusb2: fix uaf in pvr2_context_set_notify
media: usb: s2255: Refactor s2255_get_fx2fw
media: ti: j721e-csi2rx: Convert to platform remove callback returning void
media: stm32-dcmipp: Convert to platform remove callback returning void
media: nxp: imx8-isi: Convert to platform remove callback returning void
media: nuvoton: Convert to platform remove callback returning void
media: chips-media: wave5: Convert to platform remove callback returning void
media: chips-media: wave5: Remove unnecessary semicolons
media: i2c: imx290: Fix IMX920 typo
media: platform: replace of_graph_get_next_endpoint()
media: i2c: replace of_graph_get_next_endpoint()
media: ivsc: csi: Make use of sub-device state
media: ivsc: csi: Swap SINK and SOURCE pads
media: ipu-bridge: Serialise calls to IPU bridge init
...
Rename min_buffers_needed into min_queued_buffers and update
the documentation about it.
Signed-off-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil: Drop the change where min_queued_buffers + 1 buffers would be]
[hverkuil: allocated. Now this patch only renames this field instead of making]
[hverkuil: a functional change as well.]
[hverkuil: Renamed 3 remaining min_buffers_needed occurrences.]
Array `data` in `struct hfi_sfr` is being used as a fake flexible array
at run-time:
drivers/media/platform/qcom/venus/hfi_venus.c:
1033 p = memchr(sfr->data, '\0', sfr->buf_size);
1034 /*
1035 * SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates
1036 * that Venus is in the process of crashing.
1037 */
1038 if (!p)
1039 sfr->data[sfr->buf_size - 1] = '\0';
1040
1041 dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data);
Fake flexible arrays are deprecated, and should be replaced by
flexible-array members. So, replace one-element array with a
flexible-array member in `struct hfi_sfr`.
While there, also annotate array `data` with __counted_by() to prepare
for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for
array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).
This results in no differences in binary output.
This issue was found with the help of Coccinelle, and audited and fixed
manually.
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Supported codec bitmask is populated from the payload from venus firmware.
There is a possible case when all the bits in the codec bitmask is set. In
such case, core cap for decoder is filled and MAX_CODEC_NUM is utilized.
Now while filling the caps for encoder, it can lead to access the caps
array beyong 32 index. Hence leading to OOB write.
The fix counts the supported encoder and decoder. If the count is more than
max, then it skips accessing the caps.
Cc: stable@vger.kernel.org
Fixes: 1a73374a04 ("media: venus: hfi_parser: add common capability parser")
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
The hfi parser, parses the capabilities received from venus firmware and
copies them to core capabilities. Consider below api, for example,
fill_caps - In this api, caps in core structure gets updated with the
number of capabilities received in firmware data payload. If the same api
is called multiple times, there is a possibility of copying beyond the max
allocated size in core caps.
Similar possibilities in fill_raw_fmts and fill_profile_level functions.
Cc: stable@vger.kernel.org
Fixes: 1a73374a04 ("media: venus: hfi_parser: add common capability parser")
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Buffer requirement, for different buffer type, comes from video firmware.
While copying these requirements, there is an OOB possibility when the
payload from firmware is more than expected size. Fix the check to avoid
the OOB possibility.
Cc: stable@vger.kernel.org
Fixes: 09c2845e8f ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
Reviewed-by: Nathan Hebert <nhebert@chromium.org>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Read and write pointers are used to track the packet index in the memory
shared between video driver and firmware. There is a possibility of OOB
access if the read or write pointer goes beyond the queue memory size.
Add checks for the read and write pointer to avoid OOB access.
Cc: stable@vger.kernel.org
Fixes: d96d3f30c0 ("[media] media: venus: hfi: add Venus HFI files")
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
'pd' can be NULL, and in that case it shouldn't be passed to
PTR_ERR. Fixes a smatch warning:
drivers/media/platform/qcom/venus/pm_helpers.c:873 vcodec_domains_get() warn: passing zero to 'PTR_ERR'
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Pull media updates from Mauro Carvalho Chehab:
- new i2c drivers: ds90ub913, ds90ub953, ds90ub960, dw9719, ds90ub913
- new Intel IVSC MEI drivers
- some Mediatek platform drivers were moved to a common location
- Intel atomisp2 driver is now working with the main ov2680 driver. Due
to that, the atomisp2 ov2680 staging one was removed
- the bttv driver was finally converted to videobuf2 framework. This
was the last one upstream using videobuf version 1 core. We'll likely
remove the old videobuf framework on 6.7
- lots of improvements at atomisp driver: it now works with normal I2C
sensors. Several compile-mode dependecies to select between ISP2400
and ISP2401 are now solved in runtime
- a new ipu-bridge logic was added to work with IVSC MEI drivers
- venus driver gained better support for new VPU versions
- the v4l core async framework has gained lots of improvements and
cleanups
- lots of other cleanups, improvements and driver fixes
* tag 'media/v6.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (358 commits)
media: ivsc: Add ACPI dependency
media: bttv: convert to vb2
media: bttv: use audio defaults for winfast2000
media: bttv: refactor bttv_set_dma()
media: bttv: move vbi_skip/vbi_count out of buffer
media: bttv: remove crop info from bttv_buffer
media: bttv: remove tvnorm field from bttv_buffer
media: bttv: remove format field from bttv_buffer
media: bttv: move do_crop flag out of bttv_fh
media: bttv: copy vbi_fmt from bttv_fh
media: bttv: copy vid fmt/width/height from fh
media: bttv: radio use v4l2_fh instead of bttv_fh
media: bttv: replace BUG with WARN_ON
media: bttv: use video_drvdata to get bttv
media: i2c: rdacm21: Fix uninitialized value
media: coda: Remove duplicated include
media: vivid: fix the racy dev->radio_tx_rds_owner
media: i2c: ccs: Check rules is non-NULL
media: i2c: ds90ub960: Fix PLL config for 1200 MHz CSI rate
media: i2c: ds90ub953: Fix use of uninitialized variables
...
Reserved memory can be either looked up using the generic function
of_address_to_resource() or using the special of_reserved_mem_lookup().
The latter has the advantage that it ensures that the referenced memory
region was really reserved and is not e.g. status = "disabled".
of_reserved_mem also supports allocating reserved memory dynamically at
boot time. This works only when using of_reserved_mem_lookup() since
there won't be a fixed address in the device tree.
Switch the code to use of_reserved_mem_lookup(). There is no functional
difference for static reserved memory allocations.
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Not all SC7180 devices ship with ChromeOS firmware. WoA devices use
Android-like TZ, which uses PAS for image authentication. That requires
the predefined virtual address ranges to be passed via scm calls.
Define them to enable Venus on non-CrOS SC7180 devices.
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
This write was last present on msm-3.10, which means before HFI3XX
platforms were introduced. Guard it with an appropriate if condition.
Does not seem to have any adverse effects on at least SM8250.
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Only IRIS2(_1) should enter the until-now-IS_V6() path and IRIS2_1
can be used instead of openly checking the number of VPP pipes.
Use VPU version comparison in both of these cases instead.
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
