mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-20 01:20:54 +00:00
Code Issues Releases Wiki Activity
linux-stable/drivers/media/platform
History
Rob Clark 9883dc2c4c media: venus: hfi: fix error handling in hfi_sys_init_done() 
Not entirely sure what triggers it, but with venus build as kernel
module and in initrd, we hit this crash:

  Unable to handle kernel paging request at virtual address ffff80003c039000
  pgd = ffff00000a14f000
  [ffff80003c039000] *pgd=00000000bd9f7003, *pud=00000000bd9f6003, *pmd=00000000bd9f0003, *pte=0000000000000000
  Internal error: Oops: 96000007 [#1] SMP
  Modules linked in: qcom_wcnss_pil(E+) crc32_ce(E) qcom_common(E) venus_core(E+) remoteproc(E) snd_soc_msm8916_digital(E) virtio_ring(E) cdc_ether(E) snd_soc_lpass_apq8016(E) snd_soc_lpass_cpu(E) snd_soc_apq8016_sbc(E) snd_soc_lpass_platform(E) v4l2_mem2mem(E) virtio(E) snd_soc_core(E) ac97_bus(E) snd_pcm_dmaengine(E) snd_seq(E) leds_gpio(E) videobuf2_v4l2(E) videobuf2_core(E) snd_seq_device(E) snd_pcm(E) videodev(E) media(E) nvmem_qfprom(E) msm(E) snd_timer(E) snd(E) soundcore(E) spi_qup(E) mdt_loader(E) qcom_tsens(E) qcom_spmi_temp_alarm(E) nvmem_core(E) msm_rng(E) uas(E) usb_storage(E) dm9601(E) usbnet(E) mii(E) mmc_block(E) adv7511(E) drm_kms_helper(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) fb_sys_fops(E) qcom_spmi_vadc(E) qcom_vadc_common(PE) industrialio(E) pinctrl_spmi_mpp(E)
   pinctrl_spmi_gpio(E) rtc_pm8xxx(E) clk_smd_rpm(E) sdhci_msm(E) sdhci_pltfm(E) qcom_smd_regulator(E) drm(E) smd_rpm(E) qcom_spmi_pmic(E) regmap_spmi(E) ci_hdrc_msm(E) ci_hdrc(E) usb3503(E) extcon_usb_gpio(E) phy_msm_usb(E) udc_core(E) qcom_hwspinlock(E) extcon_core(E) ehci_msm(E) i2c_qup(E) sdhci(E) mmc_core(E) spmi_pmic_arb(E) spmi(E) qcom_smd(E) smsm(E) rpmsg_core(E) smp2p(E) smem(E) hwspinlock_core(E) gpio_keys(E)
  CPU: 2 PID: 551 Comm: irq/150-venus Tainted: P            E   4.12.0+ #1625
  Hardware name: qualcomm dragonboard410c/dragonboard410c, BIOS 2017.07-rc2-00144-ga97bdbdf72-dirty 07/08/2017
  task: ffff800037338000 task.stack: ffff800038e00000
  PC is at hfi_sys_init_done+0x64/0x140 [venus_core]
  LR is at hfi_process_msg_packet+0xcc/0x1e8 [venus_core]
  pc : [<ffff00000118b384>] lr : [<ffff00000118c11c>] pstate: 20400145
  sp : ffff800038e03c60
  x29: ffff800038e03c60 x28: 0000000000000000
  x27: 00000000000df018 x26: ffff00000118f4d0
  x25: 0000000000020003 x24: ffff80003a8d3010
  x23: ffff00000118f760 x22: ffff800037b40028
  x21: ffff8000382981f0 x20: ffff800037b40028
  x19: ffff80003c039000 x18: 0000000000000020
  x17: 0000000000000000 x16: ffff800037338000
  x15: ffffffffffffffff x14: 0000001000000014
  x13: 0000000100001007 x12: 0000000100000020
  x11: 0000100e00000000 x10: 0000000000000001
  x9 : 0000000200000000 x8 : 0000001400000001
  x7 : 0000000000001010 x6 : 0000000000000148
  x5 : 0000000000001009 x4 : ffff80003c039000
  x3 : 00000000cd770abb x2 : 0000000000000042
  x1 : 0000000000000788 x0 : 0000000000000002
  Process irq/150-venus (pid: 551, stack limit = 0xffff800038e00000)
  Call trace:
  [<ffff00000118b384>] hfi_sys_init_done+0x64/0x140 [venus_core]
  [<ffff00000118c11c>] hfi_process_msg_packet+0xcc/0x1e8 [venus_core]
  [<ffff00000118a2b4>] venus_isr_thread+0x1b4/0x208 [venus_core]
  [<ffff00000118e750>] hfi_isr_thread+0x28/0x38 [venus_core]
  [<ffff000008161550>] irq_thread_fn+0x30/0x70
  [<ffff0000081617fc>] irq_thread+0x14c/0x1c8
  [<ffff000008105e68>] kthread+0x138/0x140
  [<ffff000008083590>] ret_from_fork+0x10/0x40
  Code: 52820125 52820207 7a431820 54000249 (b9400263)
  ---[ end trace c963460f20a984b6 ]---

The problem is that in the error case, we've incremented the data ptr
but not decremented rem_bytes, and keep reading (presumably garbage)
until eventually we go beyond the end of the buffer.

Instead, on first error, we should probably just bail out.  Other
option is to increment read_bytes by sizeof(u32) before the switch,
rather than only accounting for the ptype header in the non-error
case.  Note that in this case it is HFI_ERR_SYS_INVALID_PARAMETER,
ie. an unrecognized/unsupported parameter, so interpreting the next
word as a property type would be bogus.  The other error cases are
due to truncated buffer, so there isn't likely to be anything valid
to interpret in the remainder of the buffer.  So just bailing seems
like a reasonable solution.

Signed-off-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-07-20 15:53:50 -04:00
..
am437x [media] v4l: Switch from V4L2 OF not V4L2 fwnode API 2017-06-06 09:58:16 -03:00
atmel media: atmel-isc: constify vb2_ops structure 2017-07-19 15:08:07 -04:00
blackfin media: media/platform: add const to v4l2_file_operations structures 2017-07-19 14:56:19 -04:00
coda media: coda: wake up capture queue on encoder stop after output streamoff 2017-07-19 15:21:45 -04:00
davinci media: davinci: vpif_capture: fix potential NULL deref 2017-07-19 15:13:04 -04:00
exynos-gsc [media] v4l2-ioctl/exynos: fix G/S_SELECTION's type handling 2017-06-23 09:20:42 -03:00
exynos4-is [media] v4l2-ioctl/exynos: fix G/S_SELECTION's type handling 2017-06-23 09:20:42 -03:00
marvell-ccic media: marvell-ccic: constify i2c_algorithm structure 2017-07-20 14:55:41 -04:00
mtk-jpeg media: mediatek: constify vb2_ops structure 2017-07-19 15:10:52 -04:00
mtk-mdp media: mtk-mdp: constify vb2_ops structure 2017-07-19 15:10:39 -04:00
mtk-vcodec Linux 4.12-rc6 2017-06-20 08:51:56 -03:00
mtk-vpu IOMMU Updates for Linux v4.12 2017-05-09 15:15:47 -07:00
omap media: v4l: omap_vout: vrfb: Convert to dmaengine 2017-06-24 16:00:25 -03:00
omap3isp media: omap3isp: Ignore endpoints with invalid configuration 2017-07-19 15:50:13 -04:00
qcom/venus media: venus: hfi: fix error handling in hfi_sys_init_done() 2017-07-20 15:53:50 -04:00
rcar-vin [media] rcar-vin: fix bug in pixelformat selection 2017-06-06 16:45:49 -03:00
s3c-camif [media] s3c-camif: fix arguments position in a function call 2017-06-13 14:21:24 -03:00
s5p-cec [media] s5p_cec: set the CEC_CAP_NEEDS_HPD flag if needed 2017-06-20 06:56:31 -03:00
s5p-g2d [media] s5p-g2d: Fix error handling 2017-04-05 16:37:15 -03:00
s5p-jpeg [media] s5p-jpeg: fix recursive spinlock acquisition 2017-06-13 13:56:49 -03:00
s5p-mfc [media] s5p-mfc: fix spelling mistake: "destionation" -> "destination" 2017-06-13 14:01:10 -03:00
soc_camera media: v4l: Add support for CSI-1 and CCP2 busses 2017-07-19 15:34:59 -04:00
sti media: st-delta: constify vb2_ops structures 2017-07-19 15:03:22 -04:00
stm32 media: stm32-dcmi: constify vb2_ops structure 2017-07-19 15:02:50 -04:00
ti-vpe [media] v4l: Switch from V4L2 OF not V4L2 fwnode API 2017-06-06 09:58:16 -03:00
vimc media: vimc: set id_table for platform drivers 2017-07-17 11:26:56 -03:00
vivid [media] stih-cec/vivid/pulse8/rainshadow: use cec_transmit_attempt_done 2017-06-20 06:53:20 -03:00
vsp1 v4l: vsp1: Add API to map and unmap DRM buffers through the VSP 2017-06-09 12:25:38 +01:00
xilinx [media] v4l: Switch from V4L2 OF not V4L2 fwnode API 2017-06-06 09:58:16 -03:00
arv.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
fsl-viu.c media: media/platform: add const to v4l2_file_operations structures 2017-07-19 14:56:19 -04:00
Kconfig media: venus: fix compile-test build on non-qcom ARM platform 2017-07-20 15:52:23 -04:00
m2m-deinterlace.c [media] m2m-deinterlace: don't return zero on failure paths in deinterlace_probe() 2017-04-10 14:43:31 -03:00
Makefile [media] media: venus: enable building of Venus video driver 2017-06-20 08:53:40 -03:00
mx2_emmaprp.c [media] platform: don't break long lines 2016-10-21 10:06:32 -02:00
pxa_camera.c media: v4l: Add support for CSI-1 and CCP2 busses 2017-07-19 15:34:59 -04:00
rcar-fcp.c v4l: rcar-fcp: Add an API to retrieve the FCP device 2017-06-09 12:25:36 +01:00
rcar_drif.c [media] media: platform: rcar_drif: Add DRIF support 2017-06-20 07:07:37 -03:00
rcar_fdp1.c media: rcar_fdp1: constify vb2_ops structure 2017-07-19 15:03:55 -04:00
rcar_jpu.c [media] platform: constify vb2_ops structures 2016-09-19 16:21:06 -03:00
sh_veu.c [media] vb2: replace void *alloc_ctxs by struct device *alloc_devs 2016-07-08 14:45:07 -03:00
sh_vou.c [media] media drivers: annotate fall-through 2017-05-19 07:10:03 -03:00
via-camera.c [media] platform: don't break long lines 2016-10-21 10:06:32 -02:00
via-camera.h
video-mux.c media: platform: video-mux: convert to multiplexer framework 2017-07-20 06:59:25 -04:00
vim2m.c [media] vim2m: Clean up file handle in open() error path 2017-01-31 07:44:26 -02:00