Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen"
can copy up to 255 bytes and we only have room for two bytes. Even
if this comes from the firmware and we trust it, the new policy
generally is just to fix it as kernel hardenning.
I can't test this code so I tried to be very conservative. I considered
not allowing "evt_hdr->dlen == 1" because it doesn't initialize the
whole variable but in the end I decided to allow it and manually
initialized "asic_id" and "asic_ver" to zero.
Fixes: e8454ff7b9 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
'vb' null check should be done before dereferencing it in
tw5864_handle_frame, otherwise a NULL pointer dereference
may occur.
Fixes: 34d1324edd ("[media] pci: Add tw5864 driver")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
In case usb_alloc_coherent fails, the fix returns -ENOMEM to
avoid a potential NULL pointer dereference.
Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
devm_kcalloc may fail and return a null pointer. The fix returns
-ENOMEM upon failures to avoid null pointer dereferences.
Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
This member is never read throughout the code, so remove it.
Signed-off-by: Alexandre Courbot <acourbot@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Commit 0650a91499 ("media: mtk-vcodec: Correct return type for mem2mem
buffer helpers") fixed the return types for mem2mem buffer helper
functions by changing a few local variables from vb2_buffer to
vb2_v4l2_buffer. However, it left a few accesses to vb2_buffer::planes
as-is, accidentally turning them into accesses to
vb2_v4l2_buffer::planes and resulting in values being read from/written
to the wrong place.
Fix this by inserting vb2_buf into these accesses so they mimic their
original behavior.
Fixes: 0650a91499 ("media: mtk-vcodec: Correct return type for mem2mem buffer helpers")
Signed-off-by: Alexandre Courbot <acourbot@chromium.org>
Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
This code generates a static checker warning:
drivers/media/v4l2-core/v4l2-ctrls.c:2921 v4l2_querymenu()
warn: should '(1 << i)' be a 64 bit type?
The problem is that "ctrl->menu_skip_mask" is a u64 and we're only
testing the lower 32 bits.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
clang warns about a possible variable use that gcc never
complained about:
drivers/media/platform/davinci/isif.c:982:32: error: variable 'frame_size' is uninitialized when used here
[-Werror,-Wuninitialized]
dm365_vpss_set_pg_frame_size(frame_size);
^~~~~~~~~~
drivers/media/platform/davinci/isif.c:887:2: note: variable 'frame_size' is declared here
struct vpss_pg_frame_size frame_size;
^
1 error generated.
There is no initialization for this variable at all, and there
has never been one in the mainline kernel, so we really should
not put that stack data into an mmio register.
On the other hand, I suspect that gcc checks the condition
more closely and notices that the global
isif_cfg.bayer.config_params.test_pat_gen flag is initialized
to zero and never written to from any code path, so anything
depending on it can be eliminated.
To shut up the clang warning, just remove the dead code manually,
it has probably never been used because any attempt to do so
would have resulted in undefined behavior.
Fixes: 63e3ab142f ("V4L/DVB: V4L - vpfe capture - source for ISIF driver on DM365")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Building tda1997x fails now unless V4L2_FWNODE is selected:
drivers/media/i2c/tda1997x.o: in function `tda1997x_parse_dt'
undefined reference to `v4l2_fwnode_endpoint_parse'
While at it, also sort the selections alphabetically
Fixes: 9ac0038db9 ("media: i2c: Add TDA1997x HDMI receiver driver")
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Cc: stable@vger.kernel.org # v4.17+
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
In order to prevent ISOC URBs from being infinitely resubmitted,
the driver's USB disconnect handler must kill all the in-flight URBs.
While here, change the URB packet status message to a debug level,
to avoid spamming the console too much.
This commit fixes a lockup caused by an interrupt storm coming
from the URB completion handler.
Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Smatch warns about small size on two structs:
drivers/media/platform/qcom/venus/hfi_parser.c:103 parse_profile_level() error: memcpy() 'proflevel' too small (8 vs 128)
drivers/media/platform/qcom/venus/hfi_parser.c: drivers/media/platform/qcom/venus/hfi_parser.c:129 parse_caps() error: memcpy() 'cap' too small (16 vs 512)
The reason is that the hfi_parser actually expects:
- multiple data entries on hfi_capabilities
- multiple profile_level on hfi_profile_level_supported
However, the structs trick gcc, making it to believe that
there's just one value for each.
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
The only way for p_set to be NULL would be if vin_coef_set would be an
empty array.
On such case, the driver will OOPS, as it would try to de-reference a
NULL value. So, the check if p_set is not NULL doesn't make any sense.
Solves those two smatch warnings:
drivers/media/platform/rcar-vin/rcar-dma.c:489 rvin_set_coeff() warn: variable dereferenced before check 'p_set' (see line 484)
drivers/media/platform/rcar-vin/rcar-dma.c:494 rvin_set_coeff() error: we previously assumed 'p_set' could be null (see line 489)
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
At the error logic, ipc_buf was already asigned to &ctx->ipc_buf_struct,
with can't be null, as warned by smatch:
drivers/media/platform/sti/delta/delta-ipc.c:223 delta_ipc_open() warn: variable dereferenced before check 'ctx->ipc_buf' (see line 183)
So, remove the uneeded check.
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
The way the code works, compression will be a valid value (less or equal to 3)
on both set_video_mode_foo() calls at the beginning of the while() loop.
So, the value for pChoose can't be NULL.
Solves those smatch warnings:
drivers/media/usb/pwc/pwc-ctrl.c: drivers/media/usb/pwc/pwc-ctrl.c:252 set_video_mode_Timon() warn: variable dereferenced before check 'pChoose' (see line 248)
drivers/media/usb/pwc/pwc-ctrl.c: drivers/media/usb/pwc/pwc-ctrl.c:302 set_video_mode_Kiara() warn: variable dereferenced before check 'pChoose' (see line 298)
and simplifies the code a little bit.
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
There are some macros at cx2341x_update() with seemed to
be introduced in order to ensure that lines would be less
than 80 columns.
Well, the thing is that they make the code harder to be analized,
not only by humans, but also for static code analyzers:
drivers/media/common/cx2341x.c:1116 cx2341x_update() error: we previously assumed 'old' could be null (see line 1047)
So, remove the "force" var, and replace the NEQ macro to a
better designed one that makes clearer about what it is doing.
While here, also remove the "temporal" var, as it is just another
way of doing the same type of check as the new CMP_FIELD() macro
already does.
Finally, fix coding style at the block code.
remove such macros.
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
As warned by smatch:
drivers/media/i2c/imx214.c:591 imx214_set_format() warn: variable dereferenced before check 'format' (see line 589)
It turns that the code at imx214_set_format() has support for being
called with the format being NULL. I've no idea why, as it is only
called internally with the pointer set, and via subdev API (with
should also set it).
Also, the entire logic there depends on having format != NULL, so
just remove the bogus broken support for a null format.
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Reviewed-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reviewed-by: Ricardo Ribalda Delgado <ricardo@ribalda.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Indentation is odd in several places, especially when printing messages
to the kernel log. Fix it to match the usual coding style.
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
for stateless decoder, set the output pixelformat
to V4L2_PIX_FMT_FWHT_STATELESS and the pix info to
pixfmt_stateless_fwht
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Implement a stateless decoder for the new node.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil-cisco@xs4all.nl: add 'return 0;' before default case in vicodec_try_ctrl()]
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Add stateless decoder instance field to the dev struct and
register another node for the statelsess decoder.
The stateless API for the node will be implemented in further patches.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil-cisco@xs4all.nl: fix typo: videdev-stateless-dec -> stateless-decoder]
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Add V4L2_PIX_FMT_FWHT_STATELESS to the list of pixelformats that
v4l_fill_fmtdesc() understands.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Add structs and definitions needed to implement stateless
decoder for fwht and add I/P-frames QP controls to the
public api.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Add struct 'vicodec_dev_instance' for the fields in vicodec_dev
that have have both decoder and encoder versions.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
In the stateless decoder the reference buffer is null if the
frame is an I-frame (flagged with FWHT_FL_I_FRAME).
Make sure not to dereference it in that case.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Rename 'v4l2_fwht_default_fmt' to 'v4l2_fwht_find_nth_fmt'
and add a function 'v4l2_fwht_validate_fmt' to check if
a format info matches the parameters.
This function will also be used to validate the stateless
params when adding support for stateless codecs.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Move the code that validates version dependent header
values to a separate function 'validate_by_version'
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
In the decoder, save the inner reference frame in the same
format as the capture buffer.
The decoder writes directly to the capture buffer and then
the capture buffer is copied to the reference buffer.
This will simplify the stateless decoder.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Add the field 'buf' to fwht_raw_frame to indicate
the start of the raw frame buffer.
This field will be used to copy the capture buffer
to the reference buffer in the next patch.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Introduce 'prepare_raw_frame' function that fills the values
of a raw frame struct according to the format.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
The function 'v4l2_m2m_buf_copy_metadata' should
be called even if decoding/encoding ends with
status VB2_BUF_STATE_ERROR, so that the metadata
is copied from the source buffer to the dest buffer.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
v4l2_fwht_encode returns either an error code on
failure or the size of the compressed frame on
success. So change the var assigned to it from
'ret' to 'comp_sz_or_errcode' to clarify that.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
If one of the controls fails to set,
then 'v4l2_ctrl_request_setup'
immediately returns with the error code.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Reviewed-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
'v4l2_m2m_ctx_release' calls request complete
so it should be called before 'v4l2_ctrl_handler_free'.
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
The logic of g_selection was wrong: encoders support crop,
decoders support compose, but the code allowed both.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
The selection api should check only single buffer types
because multiplanar types are converted to
single in drivers/media/v4l2-core/v4l2-ioctl.c
Signed-off-by: Dafna Hirschfeld <dafna3@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
If requests are used when they shouldn't, or not used when they should,
then return EBADR (Invalid request descriptor) instead of EACCES.
The reason for this change is that EACCES has more to do with permissions
(not being the owner of the resource), but in this case the request file
descriptor is just wrong for the current mode of the device.
Update the documentation accordingly.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Stateless codecs require the use of the Request API as opposed of it
being optional.
So add a bit to indicate this and let vb2 check for this.
If an attempt is made to queue a buffer without an associated request,
then the EBADR error is returned to userspace.
Doing this check in the vb2 core simplifies drivers, since they
don't have to check for this, they can just set this flag.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reviewed-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Checkpatch wants to use 'help' instead of '---help---':
WARNING: prefer 'help' over '---help---' for new help texts
Let's change it globally at the media subsystem, as otherwise people
would keep using the old way.
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
This is not how ACPI tables are written. Add a deprecation note and refer
to the proper documentation.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Set the entity function for the four CSI-2 receiver sub-devices the driver
creates. This avoids a kernel warning from each as well.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
The lens drivers had ended up under the video decoder section; add a new
one just for them, between the camera sensors and flash drivers.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
ti-vpe driver parsed the remote endpoints for properties but ignored the
local ones. Fix this by parsing the local endpoint properties instead.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
V4L2 fwnode matching right now still works based on device nodes, not port
nodes. Fix this.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
C-PHY has no clock lanes. Therefore the first data lane is 0 by default.
Fixes: edc6d56c2e ("media: v4l: fwnode: Support parsing of CSI-2 C-PHY endpoints")
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
The lack of defaults provided by the caller to
v4l2_fwnode_endpoint_parse() signals the use of the default lane mapping.
The default lane mapping must not be used however if the firmmare contains
the lane mapping. Disable the default lane mapping in that case, and
improve the debug messages telling of the use of the defaults.
This was missed previously since the default mapping will only unsed in
this case if the bus type is set, and no driver did both while still
needing the lane mapping configuration.
Fixes: b4357d21d6 ("media: v4l: fwnode: Support default CSI-2 lane mapping for drivers")
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Since commit 3d6a8fe256 ("media: ov7670: hook s_power onto v4l2 core"),
the device is actually powered off while the video stream is stopped.
So now set_format and s_frame_interval could be called while the device
is powered off, but these callbacks try to change the register settings
at this time.
The frame format and framerate will be restored right after power-up, so
we can just postpone applying these changes at these callbacks if the
device is not powered up.
Fixes: 3d6a8fe256 ("media: ov7670: hook s_power onto v4l2 core")
Cc: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Reviewed-by: Lubomir Rintel <lkundrak@v3.sk>
Tested-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Since commit 3d6a8fe256 ("media: ov7670: hook s_power onto v4l2 core"),
the device is actually powered off while the video stream is stopped.
The frame format and framerate are restored right after power-up, but
restoring the default register settings is forgotten.
Fixes: 3d6a8fe256 ("media: ov7670: hook s_power onto v4l2 core")
Cc: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Reviewed-by: Lubomir Rintel <lkundrak@v3.sk>
Tested-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
When start_streaming was called both last_src_buf and last_dst_buf
pointers were set to NULL, but this depends on whether the capture
or output queue starts streaming.
When decoding with resolution changes in between the capture queue
has to restart streaming whenever a resolution change occurs. And
that would reset last_src_buf as well, which causes a problem if
the decoder was stopped by the application. Since last_src_buf
is now NULL, the LAST flag is never set for the last capture
buffer.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>