summaryrefslogtreecommitdiff
path: root/drivers/media/platform/qcom/venus
AgeCommit message (Collapse)Author
2025-07-03media: venus: Fix MSM8998 frequency tableKonrad Dybcio
Fill in the correct data for the production SKU. Fixes: 193b3dac29a4 ("media: venus: add msm8998 support") Cc: stable@vger.kernel.org Signed-off-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com> Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com> Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-07-03media: venus: hfi: explicitly release IRQ during teardownJorge Ramirez-Ortiz
Ensure the IRQ is disabled - and all pending handlers completed - before dismantling the interrupt routing and clearing related pointers. This prevents any possibility of the interrupt triggering after the handler context has been invalidated. Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") Cc: stable@vger.kernel.org Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com> Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com> Tested-by: Dikshita Agarwal <quic_dikshita@quicinc.com> # RB5 Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-07-03media: venus: Fix OOB read due to missing payload bound checkVedang Nagar
Currently, The event_seq_changed() handler processes a variable number of properties sent by the firmware. The number of properties is indicated by the firmware and used to iterate over the payload. However, the payload size is not being validated against the actual message length. This can lead to out-of-bounds memory access if the firmware provides a property count that exceeds the data available in the payload. Such a condition can result in kernel crashes or potential information leaks if memory beyond the buffer is accessed. Fix this by properly validating the remaining size of the payload before each property access and updating bounds accordingly as properties are parsed. This ensures that property parsing is safely bounded within the received message buffer and protects against malformed or malicious firmware behavior. Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") Cc: stable@vger.kernel.org Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com> Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Co-developed-by: Dikshita Agarwal <quic_dikshita@quicinc.com> Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com> Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-07-03media: venus: Add a check for packet size after reading from shared memoryVedang Nagar
Add a check to ensure that the packet size does not exceed the number of available words after reading the packet header from shared memory. This ensures that the size provided by the firmware is safe to process and prevent potential out-of-bounds memory access. Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") Cc: stable@vger.kernel.org Signed-off-by: Vedang Nagar <quic_vnagar@quicinc.com> Co-developed-by: Dikshita Agarwal <quic_dikshita@quicinc.com> Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-07-03media: venus: protect against spurious interrupts during probeJorge Ramirez-Ortiz
Make sure the interrupt handler is initialized before the interrupt is registered. If the IRQ is registered before hfi_create(), it's possible that an interrupt fires before the handler setup is complete, leading to a NULL dereference. This error condition has been observed during system boot on Rb3Gen2. Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") Cc: stable@vger.kernel.org Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com> Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com> Tested-by: Dikshita Agarwal <quic_dikshita@quicinc.com> # RB5 Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-07-03media: venus: pm_helpers: use opp-table for the frequencyRenjiang Han
Some platforms (such as qcs615 and sc7180) use the same core but have different frequency tables. Using the opp-table allows us to separate the core description from the frequency data and supports the use of fallback compatibles. Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Renjiang Han <quic_renjiang@quicinc.com> Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-07-03media: venus: vdec: Make the range of us_per_frame explicitRicardo Ribalda
Fps bigger than 0.000232829 fps, this fits in a 32 bit us_per_frame. There is no need to do a 64 bit division here. Also, the driver only works with whole fps. Found by cocci: drivers/media/platform/qcom/venus/vdec.c:488:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # qrb5615-rb5 Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-07-03media: venus: venc: Make the range of us_per_frame explicitRicardo Ribalda
Fps bigger than 0.000232829 fps, this fits in a 32 bit us_per_frame. There is no need to do a 64 bit division here. Also, the driver only works with whole fps. Found with cocci: drivers/media/platform/qcom/venus/venc.c:418:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead. Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-07-03media: venus: venc: Clamp param smaller than 1fps and bigger than 240Ricardo Ribalda
The driver uses "whole" fps in all its calculations (e.g. in load_per_instance()). Those calculation expect an fps bigger than 1, and not big enough to overflow. Clamp the param if the user provides a value that will result in an invalid fps. Reported-by: Hans Verkuil <hverkuil@xs4all.nl> Closes: https://lore.kernel.org/linux-media/f11653a7-bc49-48cd-9cdb-1659147453e4@xs4all.nl/T/#m91cd962ac942834654f94c92206e2f85ff7d97f0 Fixes: aaaa93eda64b ("[media] media: venus: venc: add video encoder files") Cc: stable@vger.kernel.org Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> [bod: Change "parm" to "param"] Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-07-03media: venus: vdec: Clamp param smaller than 1fps and bigger than 240.Ricardo Ribalda
The driver uses "whole" fps in all its calculations (e.g. in load_per_instance()). Those calculation expect an fps bigger than 1, and not big enough to overflow. Clamp the value if the user provides a param that will result in an invalid fps. Reported-by: Hans Verkuil <hverkuil@xs4all.nl> Closes: https://lore.kernel.org/linux-media/f11653a7-bc49-48cd-9cdb-1659147453e4@xs4all.nl/T/#m91cd962ac942834654f94c92206e2f85ff7d97f0 Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files") Cc: stable@vger.kernel.org Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> # qrb5615-rb5 Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> [bod: Change "parm" to "param"] Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-04-11media: venus: pm_helpers: add compatibility for dev_pm_genpd_set_hwmode on V4Renjiang Han
There are two ways to switch GDSC mode. One is to write the POWER_CONTROL register and the other is to use dev_pm_genpd_set_hwmode(). However, they rely on different clock driver flags. dev_pm_genpd_set_hwmode() depends on the HW_CTRL_TRIGGER flag and POWER_CONTROL register depends on the HW_CTRL flag. By default, the dev_pm_genpd_set_hwmode() is used to switch the GDSC mode. If it fails and dev_pm_genpd_set_hwmode() returns -EOPNOTSUPP, it means that the clock driver uses the HW_CTRL flag. At this time, the GDSC mode is switched to write the POWER_CONTROL register. Clock driver is using HW_CTRL_TRIGGER flag with V6. So hwmode_dev is always true on using V6 platform. Conversely, if hwmode_dev is false, this platform must be not using V6. Therefore, replace IS_V6 in poweroff_coreid with hwmode_dev. Also, with HW_CTRL_TRIGGER flag, the vcodec gdsc gets enabled in SW mode by default. Therefore, before disabling the GDSC, GDSC should be switched to SW mode so that GDSC gets enabled in SW mode in the next enable. Signed-off-by: Renjiang Han <quic_renjiang@quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com> [bod: added media prefix] Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-04-11media: venus: vdec: queue dpb buffers to firmware for video seekRenjiang Han
For the seek case, the input port will be called stream_off and then stream_on in the driver. Firmware will flush all buffers during stream_off input port. Therefore, driver needs to queue DPB buffers to firmware during stream_on input port to ensure that decoder can decode normally when it receives enough input and output buffers. Otherwise, decoder will not be able to decode due to lack of DPB buffer even if there are enough input and output buffers. Signed-off-by: Renjiang Han <quic_renjiang@quicinc.com> Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com> [bod: added media prefix] Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-04-11media: venus: Fix probe error handlingLoic Poulain
Video device registering has been moved earlier in the probe function, but the new order has not been propagated to error handling. This means we can end with unreleased resources on error (e.g dangling video device on missing firmware probe aborting). Fixes: 08b1cf474b7f7 ("media: venus: core, venc, vdec: Fix probe dependency error") Cc: stable@vger.kernel.org Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com> Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com> Reviewed-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Bryan O'Donoghue <bod@kernel.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-04-07media: qcom: venus: Fix uninitialized variable warningNas Chung
Avoid uninitialized variable when both V4L2_TYPE_IS_OUTPUT() and V4L2_TYPE_IS_CAPTURE() return false. Signed-off-by: Nas Chung <nas.chung@chipsnmedia.com> Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-03-06media: qcom: Clean up Kconfig dependenciesRobin Murphy
Depending on IOMMU_DMA is suspicious, since the low-level DMA ops internals and MSI helpers is provides are not of interest to general drivers. In practice it mostly seems to be serving as a dependency on ARM64 here, so do that properly. The venus driver looks like it won't actually be useful at runtime without the IOMMU API, so add that too. Signed-off-by: Robin Murphy <robin.murphy@arm.com> Reviewed-by: Robert Foss <robert.foss@linaro.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-03-03media: v4l2-ctrls: add support for V4L2_CTRL_WHICH_MIN/MAX_VALHans Verkuil
Add the capability of retrieving the min and max values of a compound control. [Ricardo: Added static to v4l2_ctrl_type_op_(maximum|minimum) proto] [Ricardo: Fix documentation] Signed-off-by: Yunke Cao <yunkec@google.com> Tested-by: Yunke Cao <yunkec@google.com> Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Link: https://lore.kernel.org/r/20250203-uvc-roi-v17-2-5900a9fed613@chromium.org Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> [hverkuil: fix small alignment checkpatch warning]
2025-03-03media: venus: hfi: add a check to handle OOB in sfr regionVikash Garodia
sfr->buf_size is in shared memory and can be modified by malicious user. OOB write is possible when the size is made higher than actual sfr data buffer. Cap the size to allocated size for such cases. Cc: stable@vger.kernel.org Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-03-03media: venus: hfi: add check to handle incorrect queue sizeVikash Garodia
qsize represents size of shared queued between driver and video firmware. Firmware can modify this value to an invalid large value. In such situation, empty_space will be bigger than the space actually available. Since new_wr_idx is not checked, so the following code will result in an OOB write. ... qsize = qhdr->q_size if (wr_idx >= rd_idx) empty_space = qsize - (wr_idx - rd_idx) .... if (new_wr_idx < qsize) { memcpy(wr_ptr, packet, dwords << 2) --> OOB write Add check to ensure qsize is within the allocated size while reading and writing packets into the queue. Cc: stable@vger.kernel.org Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-03-03media: venus: hfi_parser: refactor hfi packet parsing logicVikash Garodia
words_count denotes the number of words in total payload, while data points to payload of various property within it. When words_count reaches last word, data can access memory beyond the total payload. This can lead to OOB access. With this patch, the utility api for handling individual properties now returns the size of data consumed. Accordingly remaining bytes are calculated before parsing the payload, thereby eliminates the OOB access possibilities. Cc: stable@vger.kernel.org Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-03-03media: venus: hfi_parser: add check to avoid out of bound accessVikash Garodia
There is a possibility that init_codecs is invoked multiple times during manipulated payload from video firmware. In such case, if codecs_count can get incremented to value more than MAX_CODEC_NUM, there can be OOB access. Reset the count so that it always starts from beginning. Cc: stable@vger.kernel.org Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser") Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-01-06media: venus: Remove unused hfi_core_ping()Dr. David Alan Gilbert
hfi_core_ping() was added by 2017's commit 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") but has remained unused. Remove it. It was the only caller of the ->core_ping member of hfi_ops, so remove it, and the venus_core_ping that it pointed to. Note I've left pky_sys_ping which seems to be the lowest level definition of the command. Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-01-06media: venus: Populate video encoder/decoder nodename entriesBryan O'Donoghue
Populate encoder and decoder node-name entries for the upstream parts. Once done the compat="video-encoder" and compat="video-decoder" in the dtsi can be dropped though the venus driver will continue to favour DT declared video-encoder/video-decoder declarations over static declarations for compatibility. Tested-by: Renjiang Han <quic_renjiang@quicinc.com> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-01-06media: venus: Add support for static video encoder/decoder declarationsBryan O'Donoghue
Add resource structure data and probe() logic to support static declarations of encoder and decoder. Right now we rely on video encoder/decoder selection happening in the dtb but, this goes against the remit of device tree which is supposed to describe hardware, not select functional logic in Linux drivers. Provide two strings in the venus resource structure enc_nodename and dec_nodename. When set the venus driver will create an OF entry in-memory consistent with: dec_nodename { compat = "video-decoder"; }; and/or enc_nodename { compat = "video-encoder"; }; This will allow us to reuse the existing driver scheme of relying on compat names maintaining compatibility with old dtb files. dec_nodename can be "video-decoder" or "video0" enc_nodename can be "video-encoder" or "video1" This change relies on of_changeset() API as a result select OF_DYNAMIC will be added to venus/Kconfig Tested-by: Renjiang Han <quic_renjiang@quicinc.com> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-01-06media: venus: match instance creation and destruction orderSergey Senozhatsky
Match order of instances' initialization in venc_open()/vdec_close() and order of destruction in venus_common_close(). Suggested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2025-01-06media: venus: destroy hfi session after m2m_ctx releaseSergey Senozhatsky
This partially reverts commit that made hfi_session_destroy() the first step of vdec/venc close(). The reason being is a regression report when, supposedly, encode/decoder is closed with still active streaming (no ->stop_streaming() call before close()) and pending pkts, so isr_thread cannot find instance and fails to process those pending pkts. This was the idea behind the original patch - make it impossible to use instance under destruction, because this is racy, but apparently there are uses cases that depend on that unsafe pattern. Return to the old (unsafe) behaviour for the time being (until a better fix is found). Fixes: 45b1a1b348ec ("media: venus: sync with threaded IRQ during inst destruction") Cc: stable@vger.kernel.org Reported-by: Nathan Hebert <nhebert@google.com> Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2024-11-20Merge tag 'media/v6.13-1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media updates from Mauro Carvalho Chehab: - removal of the old omap4iss media driver - mantis: remove orphan mantis_core.h - add support for Raspberypi CFE - uvc driver got a co-maintainer - main media tree moved to git://linuxtv.org/media.git - lots of driver cleanups, updates and fixes * tag 'media/v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (233 commits) docs: media: update location of the media patches MAINTAINERS: update location of media main tree media: MAINTAINERS: Add Hans de Goede as USB VIDEO CLASS co-maintainer media: platform: samsung: s5p-jpeg: Remove deadcode media: qcom: camss: Add MSM8953 resources media: dt-bindings: Add qcom,msm8953-camss media: qcom: camss: implement pm domain ops for VFE v4.1 media: platform: exynos4-is: Fix an OF node reference leak in fimc_md_is_isp_available media: adv7180: Also check for "adi,force-bt656-4" media: dt-bindings: adv7180: Document 'adi,force-bt656-4' media: mgb4: Fix inconsistent input/output alignment in loopback mode media: replace obsolete hans.verkuil@cisco.com alias Documentation: media: improve V4L2_CID_MIN_BUFFERS_FOR_*, doc media: vicodec: add V4L2_CID_MIN_BUFFERS_FOR_* controls media: atomisp: Add check for rgby_data memory allocation failure media: atomisp: remove redundant re-checking of err media: atomisp: Fix spelling errors reported by codespell media: atomisp: Remove License information boilerplate media: atomisp: Fix typos in comment media: atomisp: hmm_bo: Fix spelling errors in hmm_bo.h ...
2024-11-07media: venus: factor out inst destruction routineSergey Senozhatsky
Factor out common instance destruction code into a common function. Suggested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2024-11-07media: venus: sync with threaded IRQ during inst destructionSergey Senozhatsky
When destroying an inst we should make sure that we don't race against threaded IRQ (or pending IRQ), otherwise we can concurrently kfree() inst context and inst itself. BUG: KASAN: slab-use-after-free in vb2_queue_error+0x80/0x90 Call trace: dump_backtrace+0x1c4/0x1f8 show_stack+0x38/0x60 dump_stack_lvl+0x168/0x1f0 print_report+0x170/0x4c8 kasan_report+0x94/0xd0 __asan_report_load2_noabort+0x20/0x30 vb2_queue_error+0x80/0x90 venus_helper_vb2_queue_error+0x54/0x78 venc_event_notify+0xec/0x158 hfi_event_notify+0x878/0xd20 hfi_process_msg_packet+0x27c/0x4e0 venus_isr_thread+0x258/0x6e8 hfi_isr_thread+0x70/0x90 venus_isr_thread+0x34/0x50 irq_thread_fn+0x88/0x130 irq_thread+0x160/0x2c0 kthread+0x294/0x328 ret_from_fork+0x10/0x20 Allocated by task 20291: kasan_set_track+0x4c/0x80 kasan_save_alloc_info+0x28/0x38 __kasan_kmalloc+0x84/0xa0 kmalloc_trace+0x7c/0x98 v4l2_m2m_ctx_init+0x74/0x280 venc_open+0x444/0x6d0 v4l2_open+0x19c/0x2a0 chrdev_open+0x374/0x3f0 do_dentry_open+0x710/0x10a8 vfs_open+0x88/0xa8 path_openat+0x1e6c/0x2700 do_filp_open+0x1a4/0x2e0 do_sys_openat2+0xe8/0x508 do_sys_open+0x15c/0x1a0 __arm64_sys_openat+0xa8/0xc8 invoke_syscall+0xdc/0x270 el0_svc_common+0x1ec/0x250 do_el0_svc+0x54/0x70 el0_svc+0x50/0xe8 el0t_64_sync_handler+0x48/0x120 el0t_64_sync+0x1a8/0x1b0 Freed by task 20291: kasan_set_track+0x4c/0x80 kasan_save_free_info+0x3c/0x60 ____kasan_slab_free+0x124/0x1a0 __kasan_slab_free+0x18/0x28 __kmem_cache_free+0x134/0x300 kfree+0xc8/0x1a8 v4l2_m2m_ctx_release+0x44/0x60 venc_close+0x78/0x130 [venus_enc] v4l2_release+0x20c/0x2f8 __fput+0x328/0x7f0 ____fput+0x2c/0x48 task_work_run+0x1e0/0x280 get_signal+0xfb8/0x1190 do_notify_resume+0x34c/0x16a8 el0_svc+0x9c/0xe8 el0t_64_sync_handler+0x48/0x120 el0t_64_sync+0x1a8/0x1b0 Rearrange inst destruction. First remove the inst from the core->instances list, second synchronize IRQ/IRQ-thread to make sure that nothing else would see the inst while we take it down. Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files") Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2024-11-07media: venus: fix enc/dec destruction orderSergey Senozhatsky
We destroy mutex-es too early as they are still taken in v4l2_fh_exit()->v4l2_event_unsubscribe()->v4l2_ctrl_find(). We should destroy mutex-es right before kfree(). Also do not vdec_ctrl_deinit() before v4l2_fh_exit(). Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files") Suggested-by: Tomasz Figa <tfiga@google.com> Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2024-11-07media: venus: Enable h.264 hierarchical codingFritz Koenig
HFI supports hierarchical P encoding and the ability to specify the bitrate for the different layers. Connect the controls that V4L2 provides and HFI supports. Signed-off-by: Fritz Koenig <frkoenig@chromium.org> Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2024-11-07media: venus: Helper function for dynamically updating bitrateFritz Koenig
Move the dynamic bitrate updating functionality to a separate function so that it can be shared. No functionality changes. Signed-off-by: Fritz Koenig <frkoenig@chromium.org> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2024-11-07media: venus: Fix pm_runtime_set_suspended() with runtime pm enabledJinjie Ruan
It is not valid to call pm_runtime_set_suspended() for devices with runtime PM enabled because it returns -EAGAIN if it is enabled already and working. So, call pm_runtime_disable() before to fix it. Cc: stable@vger.kernel.org Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Acked-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
2024-10-28media: platform: drop vb2_ops_wait_prepare/finishHans Verkuil
Since commit 88785982a19d ("media: vb2: use lock if wait_prepare/finish are NULL") it is no longer needed to set the wait_prepare/finish vb2_ops callbacks as long as the lock field in vb2_queue is set. Since the vb2_ops_wait_prepare/finish callbacks already rely on that field, we can safely drop these callbacks. This simplifies the code and this is a step towards the goal of deleting these callbacks. Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org> # for meson-ge2d Acked-by: Andrzej Pietrasiewicz <andrzejtp2010@gmail.com>
2024-10-12media: Switch back to struct platform_driver::remove()Uwe Kleine-König
After commit 0edb555a65d1 ("platform: Make platform_driver::remove() return void") .remove() is (again) the right callback to implement for platform drivers. Convert all platform drivers below drivers/media to use .remove(), with the eventual goal to drop struct platform_driver::remove_new(). As .remove() and .remove_new() have the same prototypes, conversion is done by just changing the structure member name in the driver initializer. Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-10-12media: venus: add missing wait_prepare/finish opsHans Verkuil
Without these ops the v4l2-compliance blocking wait test will fail. These ops are required to ensure that when VIDIOC_DQBUF has to wait for buffers to arrive, the queue lock is correctly released and retaken. Otherwise the wait for a buffer would block all other queue ioctls. Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl> Cc: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
2024-10-10media: venus: Convert into devm_pm_domain_attach_list() for OPP PM domainUlf Hansson
Rather than hooking up the PM domain through devm_pm_opp_attach_genpd() and manage the device-link, let's avoid the boilerplate-code by converting into devm_pm_domain_attach_list(). Acked-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Acked-by: Viresh Kumar <viresh.kumar@linaro.org> Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Link: https://lore.kernel.org/r/20241002122232.194245-10-ulf.hansson@linaro.org
2024-09-23Merge tag 'media/v6.12-1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media updates from Mauro Carvalho Chehab: - New CEC driver: Extron DA HD 4K Plus - Lots of driver fixes, cleanups and improvements * tag 'media/v6.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (179 commits) media: atomisp: Use clamp() in ia_css_eed1_8_vmem_encode() media: atomisp: Fix eed1_8 code assigning signed values to an unsigned variable media: atomisp: set lock before calling vb2_queue_init() media: atomisp: Improve binary finding debug logging media: atomisp: Drop dev_dbg() calls from hmm_[alloc|free]() media: atomisp: csi2-bridge: Add DMI quirk for t4ka3 on Xiaomi Mipad2 media: atomisp: add missing wait_prepare/finish ops media: atomisp: Remove unused declaration media: atomisp: use clamp() in compute_coring() media: atomisp: use clamp() in ia_css_eed1_8_encode() media: atomisp: Simplify ia_css_pipe_create_cas_scaler_desc_single_output() media: atomisp: Replace rarely used macro from math_support.h media: atomisp: Remove duplicated leftover, i.e. sh_css_dvs_info.h media: atomisp: bnr: fix trailing statement media: atomisp: move trailing */ to separate lines media: atomisp: move trailing statement to next line. media: atomisp: Fix trailing statement in ia_css_de.host.c media: atomisp: Fix spelling mistakes in atomisp.h media: atomisp: Fix spelling mistakes in atomisp_platform.h media: atomisp: Fix spelling mistake in csi_rx_public.h ...
2024-09-18Merge tag 'hardening-v6.12-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull hardening updates from Kees Cook: - lib/string_choices: - Add str_up_down() helper (Michal Wajdeczko) - Add str_true_false()/str_false_true() helper (Hongbo Li) - Introduce several opposite string choice helpers (Hongbo Li) - lib/string_helpers: - rework overflow-dependent code (Justin Stitt) - fortify: refactor test_fortify Makefile to fix some build problems (Masahiro Yamada) - string: Check for "nonstring" attribute on strscpy() arguments - virt: vbox: Replace 1-element arrays with flexible arrays - media: venus: hfi_cmds: Replace 1-element arrays with flexible arrays * tag 'hardening-v6.12-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: lib/string_choices: Add some comments to make more clear for string choices helpers. lib/string_choices: Introduce several opposite string choice helpers lib/string_choices: Add str_true_false()/str_false_true() helper string: Check for "nonstring" attribute on strscpy() arguments media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Add __counted_by annotation media: venus: hfi_cmds: struct hfi_session_release_buffer_pkt: Replace 1-element array with flexible array virt: vbox: struct vmmdev_hgcm_pagelist: Replace 1-element array with flexible array lib/string_helpers: rework overflow-dependent code coccinelle: Add rules to find str_down_up() replacements string_choices: Add wrapper for str_down_up() coccinelle: Add rules to find str_up_down() replacements lib/string_choices: Add str_up_down() helper fortify: use if_changed_dep to record header dependency in *.cmd files fortify: move test_fortify.sh to lib/test_fortify/ fortify: refactor test_fortify Makefile to fix some build problems
2024-08-25media: venus: firmware: Use iommu_paging_domain_alloc()Lu Baolu
An iommu domain is allocated in venus_firmware_init() and is attached to core->fw.dev in the same function. Use iommu_paging_domain_alloc() to make it explicit. Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com> Reviewed-by: Jason Gunthorpe <jgg@nvidia.com> Link: https://lore.kernel.org/r/20240610085555.88197-10-baolu.lu@linux.intel.com Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-08-25media: venus: Convert one-element-arrays to flex-arraysRicardo Ribalda
This structures are not used, and have a single element array at the end of them. This fix the following cocci warnings: drivers/media/platform/qcom/venus/hfi_helper.h:764:5-15: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) drivers/media/platform/qcom/venus/hfi_helper.h:1041:5-15: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) drivers/media/platform/qcom/venus/hfi_helper.h:1088:39-51: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) drivers/media/platform/qcom/venus/hfi_helper.h:1093:5-22: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) drivers/media/platform/qcom/venus/hfi_helper.h:1144:4-8: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) drivers/media/platform/qcom/venus/hfi_helper.h:1239:4-8: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) drivers/media/platform/qcom/venus/hfi_helper.h:1272:4-13: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) drivers/media/platform/qcom/venus/hfi_cmds.h:85:5-16: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) drivers/media/platform/qcom/venus/hfi_cmds.h:180:5-9: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) drivers/media/platform/qcom/venus/hfi_cmds.h:189:5-9: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-08-25media: venus: Refactor hfi_buffer_alloc_mode_supportedRicardo Ribalda
Replace the old style single element array at the end of the struct with a flex array. The code does not allocate this structure, so the size change should not be a problem. This fixes the following cocci warning: drivers/media/platform/qcom/venus/hfi_helper.h:1233:5-9: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Acked-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-08-25media: venus: Refactor hfi_session_fill_buffer_pktRicardo Ribalda
The single data array data[1] is only used to save the extradata_size. Replace it with a single element field. This fixes the following cocci warning: drivers/media/platform/qcom/venus/hfi_cmds.h:175:5-9: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Acked-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-08-25media: venus: Refactor hfi_sys_get_property_pktRicardo Ribalda
Replace a single length element array with an element. This fixes the following cocci warning: drivers/media/platform/qcom/venus/hfi_cmds.h:77:5-9: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Acked-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-08-25media: venus: Refactor hfi_session_empty_buffer_compressed_pktRicardo Ribalda
The single element array data[1] is never used. Replace it with a padding field of the same size. This fixes the following cocci warning: drivers/media/platform/qcom/venus/hfi_cmds.h:146:5-9: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Acked-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-08-25media: venus: Refactor hfi_session_empty_buffer_uncompressed_plane0_pktRicardo Ribalda
The single element array data[1] is never used. Replace it with a padding field of the same size. This fixes the following cocci error: drivers/media/platform/qcom/venus/hfi_cmds.h:163:5-9: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Acked-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-08-25media: venus: Refactor struct hfi_uncompressed_format_supportedRicardo Ribalda
plane_info is not a typical array, the data is not contiguous: pinfo = (void *)pinfo + sizeof(*constr) * num_planes + 2 * sizeof(u32); Replace the single element array with a single element field. This fixes the following cocci warning: drivers/media/platform/qcom/venus/hfi_helper.h:1009:36-46: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Acked-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-08-25media: venus: Refactor struct hfi_session_get_property_pktRicardo Ribalda
The struct hfi_session_get_property_pkt is always used to fetch a single property. Make that explicit in the code and avoid a single element array at the end of the struct. This change fixes the following cocci warning: drivers/media/platform/qcom/venus/hfi_cmds.h:194:5-9: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Acked-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-08-25media: venus: Refactor struct hfi_uncompressed_plane_infoRicardo Ribalda
This field is never used, but if we remove it we would change the size of the struct and can lead to behavior change. Stay on the safe side by replacing the single element array with a single element field. This fixes the following cocci warning: drivers/media/platform/qcom/venus/hfi_helper.h:1003:43-60: WARNING use flexible-array member instead (https://www.kernel.org/doc/html/latest/process/deprecated.html#zero-length-and-one-element-arrays) Signed-off-by: Ricardo Ribalda <ribalda@chromium.org> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Acked-by: Vikash Garodia <quic_vgarodia@quicinc.com> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-08-25media: venus: Constify struct dec_bufsize_ops and enc_bufsize_opsChristophe JAILLET
"struct dec_bufsize_ops and "struct enc_bufsize_ops" are not modified in this driver. Constifying these structures moves some data to a read-only section, so increase overall security. On a x86_64, with allmodconfig: Before: text data bss dec hex filename 12494 822 0 13316 3404 drivers/media/platform/qcom/venus/hfi_plat_bufs_v6.o After: text data bss dec hex filename 12766 566 0 13332 3414 drivers/media/platform/qcom/venus/hfi_plat_bufs_v6.o Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
2024-08-25media: venus: fix use after free bug in venus_remove due to race conditionZheng Wang
in venus_probe, core->work is bound with venus_sys_error_handler, which is used to handle error. The code use core->sys_err_done to make sync work. The core->work is started in venus_event_notify. If we call venus_remove, there might be an unfished work. The possible sequence is as follows: CPU0 CPU1 |venus_sys_error_handler venus_remove | hfi_destroy | venus_hfi_destroy | kfree(hdev); | |hfi_reinit |venus_hfi_queues_reinit |//use hdev Fix it by canceling the work in venus_remove. Cc: stable@vger.kernel.org Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") Signed-off-by: Zheng Wang <zyytlz.wz@163.com> Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com> Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>