From patchwork Mon Mar 14 09:04:27 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tiffany Lin X-Patchwork-Id: 33452 Received: from mail.tu-berlin.de ([130.149.7.33]) by www.linuxtv.org with esmtp (Exim 4.84) (envelope-from ) id 1afOQw-0002iH-I1; Mon, 14 Mar 2016 09:05:02 +0000 X-tubIT-Incoming-IP: 209.132.180.67 Received: from vger.kernel.org ([209.132.180.67]) by mail.tu-berlin.de (exim-4.76/mailfrontend-7) with esmtp id 1afOQu-00037L-1m; Mon, 14 Mar 2016 10:05:02 +0100 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755449AbcCNJEf (ORCPT + 1 other); Mon, 14 Mar 2016 05:04:35 -0400 Received: from mailgw01.mediatek.com ([210.61.82.183]:64361 "EHLO mailgw01.mediatek.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1752813AbcCNJEe (ORCPT ); Mon, 14 Mar 2016 05:04:34 -0400 Received: from mtkhts07.mediatek.inc [(172.21.101.69)] by mailgw01.mediatek.com (envelope-from ) (mhqrelay.mediatek.com ESMTP with TLS) with ESMTP id 1561277379; Mon, 14 Mar 2016 17:04:29 +0800 Received: from [172.21.77.4] (172.21.77.4) by mtkhts07.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 14.3.266.1; Mon, 14 Mar 2016 17:04:28 +0800 Message-ID: <1457946267.16701.6.camel@mtksdaap41> Subject: Re: FW: [PATCH v5 0/8] Add MT8173 Video Encoder Driver and VPU Driver From: tiffany lin To: Hans Verkuil CC: Hans Verkuil , , "Rob Herring" , Mauro Carvalho Chehab , Matthias Brugger , Daniel Kurtz , Pawel Osciak , Eddie Huang , Yingjoe Chen , , , , , , Date: Mon, 14 Mar 2016 17:04:27 +0800 In-Reply-To: <56E66672.9030307@xs4all.nl> References: <1457939579.32502.10.camel@mtksdaap41> <56E66672.9030307@xs4all.nl> X-Mailer: Evolution 3.2.3-0ubuntu6 MIME-Version: 1.0 X-MTK: N Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2016.3.14.85416 X-PMX-Spam: Gauge=IIIIIIIII, Probability=9%, Report=' MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05, MSGID_ADDED_BY_MTA 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_2000_2999 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, CT_TEXT_PLAIN_UTF8_CAPS 0, INVALID_MSGID_NO_FQDN 0, NO_URI_HTTPS 0, REFERENCES 0, SINGLE_URI_IN_BODY 0, URI_ENDS_IN_HTML 0, __ANY_URI 0, __BOUNCE_CHALLENGE_SUBJ 0, __BOUNCE_NDR_SUBJ_EXEMPT 0, __CP_MEDIA_BODY 0, __CP_URI_IN_BODY 0, __CT 0, __CTE 0, __CT_TEXT_PLAIN 0, __DATE_TZ_HK 0, __FORWARDED_MSG 0, __HAS_FROM 0, __HAS_MSGID 0, __HAS_X_MAILER 0, __HAS_X_MAILING_LIST 0, __IN_REP_TO 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __MULTIPLE_RCPTS_CC_X2 0, __REFERENCES 0, __SANE_MSGID 0, __SINGLE_URI_TEXT 0, __SUBJ_ALPHA_END 0, __SUBJ_ALPHA_NEGATE 0, __TO_MALFORMED_2 0, __URI_IN_BODY 0, __URI_NO_WWW 0, __URI_NS , __URI_WITH_PATH 0' On Mon, 2016-03-14 at 08:21 +0100, Hans Verkuil wrote: > On 03/14/2016 08:12 AM, tiffany lin wrote: > > Hi Hans, > > > > After change to use "v4l-utils.git master branch", "V4l2-compliance > > -d /dev/video1" fail on "fail: v4l2-test-buffers.cpp(555): > > check_0(crbufs.reserved, sizeof(crbufs.reserved))". > > > > Check the source code and found > > > > memset(&crbufs, 0xff, sizeof(crbufs)); -> crbufs to 0xff > > node->g_fmt(crbufs.format, i); > > crbufs.count = 0; > > crbufs.memory = m; > > fail_on_test(doioctl(node, VIDIOC_CREATE_BUFS, &crbufs)); > > fail_on_test(check_0(crbufs.reserved, sizeof(crbufs.reserved))); > > fail_on_test(crbufs.index != q.g_buffers()); > > > > crbufs is initialized to fill with 0xff and after VIDIOC_CREATE_BUFS, > > crbufs.reserved field should be 0x0. But v4l2_m2m_create_bufs and > > vb2_create_bufs do not process reserved filed. > > Do we really need to check reserved filed filled with 0x0? Or we need to > > change vb2_create_bufs to fix this issue? > > The reserved field is zeroed in v4l_create_bufs() in v4l2-ioctl.c, so even before > vb2_create_bufs et al is called. > > The fact that it is no longer zeroed afterwards suggests that someone is messing > with the reserved field. > > You'll have to do a bit more digging, I'm afraid. > Hi Hans, Thanks for your information. I found the root cause is in "put_v4l2_create32". It do not copy reserved field from kernel space to user space. After modification,"test VIDIOC_REQBUFS/CREATE_BUFS/QUERYBUF: OK" format)) || + copy_to_user(up->reserved, kp->reserved, sizeof(kp->reserved))) return -EFAULT; return __put_v4l2_format32(&kp->format, &up->format); } best regards, Tiffany > Regards, > > Hans --- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c index f38c076..109f687 100644 --- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c @@ -280,7 +280,8 @@ static int put_v4l2_format32(struct v4l2_format *kp, struct v4l2_format32 __user static int put_v4l2_create32(struct v4l2_create_buffers *kp, struct v4l2_create_buffers32 __user *up) { if (!access_ok(VERIFY_WRITE, up, sizeof(struct v4l2_create_buffers32)) || - copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32, format))) + copy_to_user(up, kp, offsetof(struct v4l2_create_buffers32,