linux_dsm_epyc7002/drivers/media/platform/vsp1
Eugeniu Rosca c92d30e4b7 media: vsp1: dl: Fix NULL pointer dereference on unbind
In commit f3b98e3c4d ("media: vsp1: Provide support for extended
command pools"), the vsp pointer used for referencing the VSP1 device
structure from a command pool during vsp1_dl_ext_cmd_pool_destroy() was
not populated.

Correctly assign the pointer to prevent the following
null-pointer-dereference when removing the device:

[*] h3ulcb-kf #>
echo fea28000.vsp > /sys/bus/platform/devices/fea28000.vsp/driver/unbind
 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000028
 Mem abort info:
   ESR = 0x96000006
   EC = 0x25: DABT (current EL), IL = 32 bits
   SET = 0, FnV = 0
   EA = 0, S1PTW = 0
 Data abort info:
   ISV = 0, ISS = 0x00000006
   CM = 0, WnR = 0
 user pgtable: 4k pages, 48-bit VAs, pgdp=00000007318be000
 [0000000000000028] pgd=00000007333a1003, pud=00000007333a6003, pmd=0000000000000000
 Internal error: Oops: 96000006 [#1] PREEMPT SMP
 Modules linked in:
 CPU: 1 PID: 486 Comm: sh Not tainted 5.7.0-rc6-arm64-renesas-00118-ge644645abf47 #185
 Hardware name: Renesas H3ULCB Kingfisher board based on r8a77951 (DT)
 pstate: 40000005 (nZcv daif -PAN -UAO)
 pc : vsp1_dlm_destroy+0xe4/0x11c
 lr : vsp1_dlm_destroy+0xc8/0x11c
 sp : ffff800012963b60
 x29: ffff800012963b60 x28: ffff0006f83fc440
 x27: 0000000000000000 x26: ffff0006f5e13e80
 x25: ffff0006f5e13ed0 x24: ffff0006f5e13ed0
 x23: ffff0006f5e13ed0 x22: dead000000000122
 x21: ffff0006f5e3a080 x20: ffff0006f5df2938
 x19: ffff0006f5df2980 x18: 0000000000000003
 x17: 0000000000000000 x16: 0000000000000016
 x15: 0000000000000003 x14: 00000000000393c0
 x13: ffff800011a5ec18 x12: ffff800011d8d000
 x11: ffff0006f83fcc68 x10: ffff800011a53d70
 x9 : ffff8000111f3000 x8 : 0000000000000000
 x7 : 0000000000210d00 x6 : 0000000000000000
 x5 : ffff800010872e60 x4 : 0000000000000004
 x3 : 0000000078068000 x2 : ffff800012781000
 x1 : 0000000000002c00 x0 : 0000000000000000
 Call trace:
  vsp1_dlm_destroy+0xe4/0x11c
  vsp1_wpf_destroy+0x10/0x20
  vsp1_entity_destroy+0x24/0x4c
  vsp1_destroy_entities+0x54/0x130
  vsp1_remove+0x1c/0x40
  platform_drv_remove+0x28/0x50
  __device_release_driver+0x178/0x220
  device_driver_detach+0x44/0xc0
  unbind_store+0xe0/0x104
  drv_attr_store+0x20/0x30
  sysfs_kf_write+0x48/0x70
  kernfs_fop_write+0x148/0x230
  __vfs_write+0x18/0x40
  vfs_write+0xdc/0x1c4
  ksys_write+0x68/0xf0
  __arm64_sys_write+0x18/0x20
  el0_svc_common.constprop.0+0x70/0x170
  do_el0_svc+0x20/0x80
  el0_sync_handler+0x134/0x1b0
  el0_sync+0x140/0x180
 Code: b40000c2 f9403a60 d2800084 a9400663 (f9401400)
 ---[ end trace 3875369841fb288a ]---

Fixes: f3b98e3c4d ("media: vsp1: Provide support for extended command pools")
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Tested-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
2020-07-04 12:02:02 +02:00
..
Makefile
vsp1_brx.c
vsp1_brx.h
vsp1_clu.c
vsp1_clu.h
vsp1_dl.c media: vsp1: dl: Fix NULL pointer dereference on unbind 2020-07-04 12:02:02 +02:00
vsp1_dl.h media: vsp1: drm: Implement writeback support 2019-03-18 17:24:14 +02:00
vsp1_drm.c media: vsp1: drm: Implement writeback support 2019-03-18 17:24:14 +02:00
vsp1_drm.h media: vsp1: drm: Extend frame completion API to the DU driver 2019-03-18 17:24:09 +02:00
vsp1_drv.c
vsp1_entity.c
vsp1_entity.h
vsp1_hgo.c
vsp1_hgo.h
vsp1_hgt.c
vsp1_hgt.h
vsp1_histo.c media: media/platform: rename VFL_TYPE_GRABBER to _VIDEO 2020-02-24 16:54:14 +01:00
vsp1_histo.h
vsp1_hsit.c
vsp1_hsit.h
vsp1_lif.c
vsp1_lif.h
vsp1_lut.c
vsp1_lut.h
vsp1_pipe.c media: vsp1: Add support for missing 16-bit RGB555 formats 2019-04-25 11:07:05 -04:00
vsp1_pipe.h
vsp1_regs.h media: vsp1: tidyup VI6_HGT_LBn_H() macro 2020-02-27 17:49:48 -03:00
vsp1_rpf.c
vsp1_rwpf.c
vsp1_rwpf.h
vsp1_sru.c
vsp1_sru.h
vsp1_uds.c
vsp1_uds.h
vsp1_uif.c
vsp1_uif.h
vsp1_video.c media: media/platform: rename VFL_TYPE_GRABBER to _VIDEO 2020-02-24 16:54:14 +01:00
vsp1_video.h
vsp1_wpf.c
vsp1.h