From: Marek Szyprowski <m.szyprowski@samsung.com>
To: linux-media@vger.kernel.org, linux-rockchip@lists.infradead.org
Cc: Marek Szyprowski <m.szyprowski@samsung.com>, Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>, Philipp Zabel <p.zabel@pengutronix.de>, Mauro Carvalho Chehab <mchehab@kernel.org>, Hans Verkuil <hverkuil-cisco@xs4all.nl>, Benjamin Gaignard <benjamin.gaignard@collabora.com>
Subject: [PATCH] media: verisilicon: Final fix for the crash when opening the driver
Date: Fri, 21 Apr 2023 12:47:59 +0200
Message-ID: <20230421104759.2236463-1-m.szyprowski@samsung.com>
In-Reply-To: CGME20230421104811eucas1p16ad5e11ebc4d305c6fab372d3743b6e1@eucas1p1.samsung.com

ctx->vpu_src_fmt is no more initialized before calling hantro_try_fmt() so checking it led to crash the kernel. Simply use the provided 'fmt' as a format for those checks.

This fixes the following issue observed on Odroid-M1 board:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
Mem abort info:
...
Modules linked in: crct10dif_ce hantro_vpu snd_soc_simple_card snd_soc_simple_card_utils v4l2_vp9 v4l2_h264 rockchip_saradc v4l2_mem2mem videobuf2_dma_contig videobuf2_memops rtc_rk808 videobuf2_v4l2 industrialio_triggered_buffer rockchip_thermal dwmac_rk stmmac_platform stmmac videodev kfifo_buf display_connector videobuf2_common pcs_xpcs mc rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi drm_display_helper panfrost drm_shmem_helper gpu_sched ip_tables x_tables ipv6
CPU: 3 PID: 176 Comm: v4l_id Not tainted 6.3.0-rc7-next-20230420 #13481
Hardware name: Hardkernel ODROID-M1 (DT)
pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : hantro_try_fmt+0xa0/0x278 [hantro_vpu]
lr : hantro_try_fmt+0x94/0x278 [hantro_vpu]
...
Call trace: hantro_try_fmt+0xa0/0x278 [hantro_vpu] hantro_set_fmt_out+0x3c/0x298 [hantro_vpu] hantro_reset_raw_fmt+0x98/0x128 [hantro_vpu] hantro_set_fmt_cap+0x240/0x254 [hantro_vpu] hantro_reset_encoded_fmt+0x94/0xcc [hantro_vpu] hantro_reset_fmts+0x18/0x38 [hantro_vpu] hantro_open+0xd4/0x20c [hantro_vpu] v4l2_open+0x80/0x120 [videodev] chrdev_open+0xc0/0x22c do_dentry_open+0x13c/0x48c vfs_open+0x2c/0x38 path_openat+0x550/0x934 do_filp_open+0x80/0x12c do_sys_openat2+0xb4/0x168 __arm64_sys_openat+0x64/0xac invoke_syscall+0x48/0x114 el0_svc_common+0x100/0x120 do_el0_svc+0x3c/0xa8 el0_svc+0x40/0xa8 el0t_64_sync_handler+0xb8/0xbc el0t_64_sync+0x190/0x194 Code: 97fc8a7f f940aa80 52864a61 72a686c1 (b9400800) ---[ end trace 0000000000000000 ]--- Fixes: db6f68b51e5c ("media: verisilicon: Do not set context src/dst formats in reset functions") Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> --- It looks that I've missed the fact that the first fix merged as commit f100ce3bbd6a ("media: verisilicon: Fix crash when probing encoder") did not fix all the issues introduced by db6f68b51e5c ("media: verisilicon: Do not set context src/dst formats in reset functions"). I'm really sorry for that. --- drivers/media/platform/verisilicon/hantro_v4l2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/media/platform/verisilicon/hantro_v4l2.c b/drivers/media/platform/verisilicon/hantro_v4l2.c index 835518534e3b..618ea23a7d49 100644 --- a/drivers/media/platform/verisilicon/hantro_v4l2.c +++ b/drivers/media/platform/verisilicon/hantro_v4l2.c 
@@ -313,17 +313,17 @@ static int hantro_try_fmt(const struct hantro_ctx *ctx, /* Fill remaining fields */ v4l2_fill_pixfmt_mp(pix_mp, fmt->fourcc, pix_mp->width, pix_mp->height); - if (ctx->vpu_src_fmt->fourcc == V4L2_PIX_FMT_H264_SLICE && + if (fmt->fourcc == V4L2_PIX_FMT_H264_SLICE && !hantro_needs_postproc(ctx, fmt)) pix_mp->plane_fmt[0].sizeimage += hantro_h264_mv_size(pix_mp->width, pix_mp->height); - else if (ctx->vpu_src_fmt->fourcc == V4L2_PIX_FMT_VP9_FRAME && + else if (fmt->fourcc == V4L2_PIX_FMT_VP9_FRAME && !hantro_needs_postproc(ctx, fmt)) pix_mp->plane_fmt[0].sizeimage += hantro_vp9_mv_size(pix_mp->width, pix_mp->height); - else if (ctx->vpu_src_fmt->fourcc == V4L2_PIX_FMT_HEVC_SLICE && + else if (fmt->fourcc == V4L2_PIX_FMT_HEVC_SLICE && !hantro_needs_postproc(ctx, fmt)) pix_mp->plane_fmt[0].sizeimage += hantro_hevc_mv_size(pix_mp->width, -- 2.34.1
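Review bot: In all three conditions, replacing ctx->vpu_src_fmt->fourcc with fmt->fourcc changes which format is tested, not only where the pointer comes from, and the commit message does not say so. The old code added the motion-vector size to pix_mp->plane_fmt[0].sizeimage whenever the context's source format was H264_SLICE, VP9_FRAME or HEVC_SLICE, regardless of what fmt was; the new code adds it only when fmt itself, the same format passed to v4l2_fill_pixfmt_mp() just above, carries one of those fourccs. Please confirm that the buffers which need the extra hantro_h264_mv_size() / hantro_vp9_mv_size() / hantro_hevc_mv_size() space are still the ones reaching these branches, since a call where fmt is a different format than the source format no longer gets the addition. If the original test on the source format is what the sizing relies on, guarding it with a check that ctx->vpu_src_fmt is non-NULL would avoid the crash from the trace without altering the sizing logic. Either way, the behaviour change deserves a sentence in the commit message.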