Message ID | 1457946267.16701.6.camel@mtksdaap41 (mailing list archive) |
---|---|
State | Superseded, archived |
Headers | Subject: Re: FW: [PATCH v5 0/8] Add MT8173 Video Encoder Driver and VPU Driver; From: tiffany lin <tiffany.lin@mediatek.com>; To: Hans Verkuil <hverkuil@xs4all.nl>; Date: Mon, 14 Mar 2016 17:04:27 +0800 |
Commit Message
Tiffany Lin
March 14, 2016, 9:04 a.m. UTC
On Mon, 2016-03-14 at 08:21 +0100, Hans Verkuil wrote:
> On 03/14/2016 08:12 AM, tiffany lin wrote:
> > Hi Hans,
> >
> > After change to use "v4l-utils.git master branch", "V4l2-compliance
> > -d /dev/video1" fail on "fail: v4l2-test-buffers.cpp(555):
> > check_0(crbufs.reserved, sizeof(crbufs.reserved))".
> >
> > Check the source code and found
> >
> > memset(&crbufs, 0xff, sizeof(crbufs)); -> crbufs to 0xff
> > node->g_fmt(crbufs.format, i);
> > crbufs.count = 0;
> > crbufs.memory = m;
> > fail_on_test(doioctl(node, VIDIOC_CREATE_BUFS, &crbufs));
> > fail_on_test(check_0(crbufs.reserved, sizeof(crbufs.reserved)));
> > fail_on_test(crbufs.index != q.g_buffers());
> >
> > crbufs is initialized to fill with 0xff and after VIDIOC_CREATE_BUFS,
> > crbufs.reserved field should be 0x0. But v4l2_m2m_create_bufs and
> > vb2_create_bufs do not process reserved field.
> > Do we really need to check reserved field filled with 0x0? Or we need to
> > change vb2_create_bufs to fix this issue?
>
> The reserved field is zeroed in v4l_create_bufs() in v4l2-ioctl.c, so even before
> vb2_create_bufs et al is called.
>
> The fact that it is no longer zeroed afterwards suggests that someone is messing
> with the reserved field.
>
> You'll have to do a bit more digging, I'm afraid.
>

Hi Hans,

Thanks for your information.
I found the root cause is in "put_v4l2_create32".
It does not copy reserved field from kernel space to user space.
After modification, "test VIDIOC_REQBUFS/CREATE_BUFS/QUERYBUF: OK"

format)) || + copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved))) return -EFAULT; return __put_v4l2_format32(&kp->format, &up->format); }

best regards,
Tiffany

> Regards,
>
> Hans

--
To unsubscribe from this list: send the line "unsubscribe linux-media" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Comments
On 03/14/2016 10:04 AM, tiffany lin wrote:
> On Mon, 2016-03-14 at 08:21 +0100, Hans Verkuil wrote:
>> On 03/14/2016 08:12 AM, tiffany lin wrote:
>>> Hi Hans,
>>>
>>> After change to use "v4l-utils.git master branch", "V4l2-compliance
>>> -d /dev/video1" fail on "fail: v4l2-test-buffers.cpp(555):
>>> check_0(crbufs.reserved, sizeof(crbufs.reserved))".
>>>
>>> Check the source code and found
>>>
>>> memset(&crbufs, 0xff, sizeof(crbufs)); -> crbufs to 0xff
>>> node->g_fmt(crbufs.format, i);
>>> crbufs.count = 0;
>>> crbufs.memory = m;
>>> fail_on_test(doioctl(node, VIDIOC_CREATE_BUFS, &crbufs));
>>> fail_on_test(check_0(crbufs.reserved, sizeof(crbufs.reserved)));
>>> fail_on_test(crbufs.index != q.g_buffers());
>>>
>>> crbufs is initialized to fill with 0xff and after VIDIOC_CREATE_BUFS,
>>> crbufs.reserved field should be 0x0. But v4l2_m2m_create_bufs and
>>> vb2_create_bufs do not process reserved field.
>>> Do we really need to check reserved field filled with 0x0? Or we need to
>>> change vb2_create_bufs to fix this issue?
>>
>> The reserved field is zeroed in v4l_create_bufs() in v4l2-ioctl.c, so even before
>> vb2_create_bufs et al is called.
>>
>> The fact that it is no longer zeroed afterwards suggests that someone is messing
>> with the reserved field.
>>
>> You'll have to do a bit more digging, I'm afraid.
>>
> Hi Hans,
>
> Thanks for your information.
> I found the root cause is in "put_v4l2_create32".
> It does not copy reserved field from kernel space to user space.
> After modification, "test VIDIOC_REQBUFS/CREATE_BUFS/QUERYBUF: OK"
>
> diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > index f38c076..109f687 100644 > --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c > +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
> @@ -280,7 +280,8 @@ static int put_v4l2_format32(struct v4l2_format *kp, > struct v4l2_format32 __user > static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct > v4l2_create_buffers32 __user *up) > { > if (!access_ok(VERIFY_WRITE, up, sizeof(struct > v4l2_create_buffers32)) || > - copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, > format))) > + copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, > format)) || > + copy_to_user(up->reserved, kp->reserved, > sizeof(kp->reserved))) > return -EFAULT; > return __put_v4l2_format32(&kp->format, &up->format); > }

Yup, that's the cause. Can you post this as a 'proper' patch to the mailinglist?
I'll take it for kernel 4.6 (and I'll add a CC to the stable mailinglist to get
it backported as well).

Thanks!

Hans
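The failure and fix discussed in this thread, as an added userspace model that is not code from the thread, v4l2-compliance or the kernel. The struct layouts, the copy-in step and every function name here are assumptions made for illustration; it shows why poisoning the argument with 0xff exposes a copy-out path that skips a field.

```c
/* Userspace model; the structs are constructed stand-ins, not kernel types. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct fmt_model { uint32_t type; uint8_t raw[8]; };
struct create_model {
    uint32_t index, count, memory;
    struct fmt_model format;
    uint32_t reserved[8];
};

/* Models the core ioctl code zeroing reserved in the kernel's copy. */
static void kernel_handle(struct create_model *kp)
{
    memset(kp->reserved, 0, sizeof(kp->reserved));
}

/* Copy-out to the caller; fixed=0 models the code before the patch. */
static void put_create(const struct create_model *kp, struct create_model *up, int fixed)
{
    memcpy(up, kp, offsetof(struct create_model, format));
    up->format = kp->format;
    if (fixed) /* the reserved copy the patch adds */
        memcpy(up->reserved, kp->reserved, sizeof(up->reserved));
}

/* Returns 1 when every byte is zero, like the test's check on reserved. */
static int all_zero(const unsigned char *b, size_t len)
{
    while (len--)
        if (*b++)
            return 0;
    return 1;
}

/* Poison the caller's struct with 0xff, run the call, inspect reserved. */
static int reserved_zero_after_call(int fixed)
{
    struct create_model user, kern;
    memset(&user, 0xff, sizeof(user));
    kern = user; /* assumed copy-in; the thread does not show it */
    kernel_handle(&kern);
    put_create(&kern, &user, fixed);
    return all_zero((const unsigned char *)user.reserved, sizeof(user.reserved));
}

/* Exit status 0 when the fixed copy-out passes the check. */
int main(void) { return reserved_zero_after_call(1) ? 0 : 1; }
```

With `fixed` set to 0 the caller still sees its own 0xff bytes in `reserved`, which is the condition the compliance test reports.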
diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c index f38c076..109f687 100644 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c @@ -280,7 +280,8 @@ static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) { if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) || - copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format))) + copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32,
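Review bot: the added copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved)) (the second '+' line, shown in full in the quoted reply above) takes its length from the native struct v4l2_create_buffers while writing into the compat struct v4l2_create_buffers32. Nothing in the hunk shows that the two reserved arrays have the same size, so size the copy by the destination, sizeof(up->reserved), or add a BUILD_BUG_ON comparing the two. The posting also carries no changelog or Signed-off-by, and a short comment in put_v4l2_create32() stating that fields after format have to be copied out explicitly would help keep a later field from being missed the same way.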