android_kernel_xiaomi_sm8350/drivers/media/video/videobuf-vmalloc.c
Mauro Carvalho Chehab 5993a663a9 V4L/DVB (10305): videobuf-vmalloc: Fix: videobuf memory were never freed
videobuf_vmalloc_free() is never freeing the video buffer memory. Due to
that, after multiple open/closes, user can suffer a panic:

Kernel BUG at mm/slab.c:2650
invalid opcode: 0000 [1] SMP
last sysfs file: /class/video4linux/video0/dev
CPU 4
Modules linked in: vivi(U) videodev(U) v4l1_compat(U) v4l2_compat_ioctl32(U) videobuf_vmalloc(U) videobuf_core(U) ipv6 xfrm_nalgo autofs4 vmnet(U) vmblock(U) vmci(U) vmmon(U) ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_tcpudp iptable_filter ip_tables x_tables cpufreq_ondemand dm_mirror dm_log dm_multipath scsi_dh dm_mod video backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp testmgr_cipher testmgr aead crypto_blkcipher crypto_algapi crypto_api arc4 snd_hda_intel nvidia(PFU) snd_seq_dummy snd_seq_oss snd_seq_midi_event rt73usb crc_itu_t snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss tg3 sr_mod snd_pcm snd_timer snd_page_alloc snd_hwdep pcspkr rt2500usb cdrom rt2x00usb rt2x00lib libphy snd parport_pc soundcore shpchp serio_raw i2c_i801 i5400_edac parport ata_piix sg mac80211 edac_mc i2c_core cfg80211 ahci libata sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 6215, comm: v4l-stress-buff Tainted: PF     2.6.18-118.el5 #1
RIP: 0010:[<ffffffff80017506>]  [<ffffffff80017506>] cache_grow+0x1e/0x395
RSP: 0018:ffff810128a35d28  EFLAGS: 00010006
RAX: 0000000000000000 RBX: 00000000000080d0 RCX: 00000000ffffffff
RDX: 0000000000000000 RSI: 00000000000080d0 RDI: ffff8101042d8340
RBP: ffff8101042ce5e0 R08: ffff81012fc1e8c0 R09: ffff8101042eac00
R10: 0000000000000000 R11: ffffffff882a5139 R12: ffff8101042d8340
R13: ffff8101042ce5c0 R14: 0000000000000000 R15: ffff8101042d8340
FS:  0000000000000000(0000) GS:ffff81012fc24d40(0063) knlGS:00000000f7f706c0
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 00000000f7f9a000 CR3: 0000000117ad0000 CR4: 00000000000006e0
Process v4l-stress-buff (pid: 6215, threadinfo ffff810128a34000, task ffff810128fcb820)
Stack:  ffffc20012a39000 0000004415173ff8 ffff810000011c10 000280d200000000
 0000000000000002 00000000ffffffff ffff8101042ce5e0 ffff81012fc1e8c0
 ffff8101042ce5c0 000000000000000c ffff8101042d8340 ffffffff8005bdde
Call Trace:
 [<ffffffff8005bdde>] cache_alloc_refill+0x136/0x186
 [<ffffffff800d7822>] kmem_cache_alloc_node+0x98/0xb2
 [<ffffffff800cda1f>] __vmalloc_area_node+0x62/0x153
 [<ffffffff800cdd65>] vmalloc_user+0x15/0x50
 [<ffffffff882a521f>] :videobuf_vmalloc:__videobuf_iolock+0xe6/0x155
 [<ffffffff8838f958>] :vivi:buffer_prepare+0xb9/0xe6
 [<ffffffff882981f3>] :videobuf_core:__videobuf_read_start+0xa2/0x10f
 [<ffffffff882983e6>] :videobuf_core:videobuf_read_stream+0x9c/0x1f3
 [<ffffffff8000b3f3>] vfs_read+0xcb/0x171
 [<ffffffff80011967>] sys_read+0x45/0x6e
 [<ffffffff8006149b>] sysenter_do_call+0x1b/0x67

Code: 0f 0b 68 af 1e 2a 80 c2 5a 0a f6 c7 20 0f 85 53 03 00 00 89
RIP  [<ffffffff80017506>] cache_grow+0x1e/0x395
 RSP <ffff810128a35d28>
 <0>Kernel panic - not syncing: Fatal exception

Thanks to Douglas Schilling Landgraf <dougsland@gmail.com> for writing a
stress tool for testing and to Robert Krakora <rob.krakora@messagenetsystems.com>
to trace the code and discover the point where the bug were happening.
Thanks also to Magnus Damm <damm@igel.co.jp> that provided us a fix for
a similar bug on videobuf-dma-contig.

Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
2009-03-30 12:42:27 -03:00

448 lines
11 KiB
C

/*
* helper functions for vmalloc video4linux capture buffers
*
* The functions expect the hardware being able to scatter gather
* (i.e. the buffers are not linear in physical memory, but fragmented
* into PAGE_SIZE chunks). They also assume the driver does not need
* to touch the video data.
*
* (c) 2007 Mauro Carvalho Chehab, <mchehab@infradead.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2
*/
#include <linux/init.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/slab.h>
#include <linux/interrupt.h>
#include <linux/pci.h>
#include <linux/vmalloc.h>
#include <linux/pagemap.h>
#include <asm/page.h>
#include <asm/pgtable.h>
#include <media/videobuf-vmalloc.h>
#define MAGIC_DMABUF 0x17760309
#define MAGIC_VMAL_MEM 0x18221223
#define MAGIC_CHECK(is,should) if (unlikely((is) != (should))) \
{ printk(KERN_ERR "magic mismatch: %x (expected %x)\n",is,should); BUG(); }
static int debug;
module_param(debug, int, 0644);
MODULE_DESCRIPTION("helper module to manage video4linux vmalloc buffers");
MODULE_AUTHOR("Mauro Carvalho Chehab <mchehab@infradead.org>");
MODULE_LICENSE("GPL");
#define dprintk(level, fmt, arg...) if (debug >= level) \
printk(KERN_DEBUG "vbuf-vmalloc: " fmt , ## arg)
/***************************************************************************/
static void
videobuf_vm_open(struct vm_area_struct *vma)
{
struct videobuf_mapping *map = vma->vm_private_data;
dprintk(2,"vm_open %p [count=%u,vma=%08lx-%08lx]\n",map,
map->count,vma->vm_start,vma->vm_end);
map->count++;
}
static void videobuf_vm_close(struct vm_area_struct *vma)
{
struct videobuf_mapping *map = vma->vm_private_data;
struct videobuf_queue *q = map->q;
int i;
dprintk(2,"vm_close %p [count=%u,vma=%08lx-%08lx]\n", map,
map->count, vma->vm_start, vma->vm_end);
map->count--;
if (0 == map->count) {
struct videobuf_vmalloc_memory *mem;
dprintk(1, "munmap %p q=%p\n", map, q);
mutex_lock(&q->vb_lock);
/* We need first to cancel streams, before unmapping */
if (q->streaming)
videobuf_queue_cancel(q);
for (i = 0; i < VIDEO_MAX_FRAME; i++) {
if (NULL == q->bufs[i])
continue;
if (q->bufs[i]->map != map)
continue;
mem = q->bufs[i]->priv;
if (mem) {
/* This callback is called only if kernel has
allocated memory and this memory is mmapped.
In this case, memory should be freed,
in order to do memory unmap.
*/
MAGIC_CHECK(mem->magic, MAGIC_VMAL_MEM);
/* vfree is not atomic - can't be
called with IRQ's disabled
*/
dprintk(1, "%s: buf[%d] freeing (%p)\n",
__func__, i, mem->vmalloc);
vfree(mem->vmalloc);
mem->vmalloc = NULL;
}
q->bufs[i]->map = NULL;
q->bufs[i]->baddr = 0;
}
kfree(map);
mutex_unlock(&q->vb_lock);
}
return;
}
static struct vm_operations_struct videobuf_vm_ops =
{
.open = videobuf_vm_open,
.close = videobuf_vm_close,
};
/* ---------------------------------------------------------------------
* vmalloc handlers for the generic methods
*/
/* Allocated area consists on 3 parts:
struct video_buffer
struct <driver>_buffer (cx88_buffer, saa7134_buf, ...)
struct videobuf_dma_sg_memory
*/
static void *__videobuf_alloc(size_t size)
{
struct videobuf_vmalloc_memory *mem;
struct videobuf_buffer *vb;
vb = kzalloc(size+sizeof(*mem),GFP_KERNEL);
mem = vb->priv = ((char *)vb)+size;
mem->magic=MAGIC_VMAL_MEM;
dprintk(1,"%s: allocated at %p(%ld+%ld) & %p(%ld)\n",
__func__,vb,(long)sizeof(*vb),(long)size-sizeof(*vb),
mem,(long)sizeof(*mem));
return vb;
}
static int __videobuf_iolock (struct videobuf_queue* q,
struct videobuf_buffer *vb,
struct v4l2_framebuffer *fbuf)
{
struct videobuf_vmalloc_memory *mem = vb->priv;
int pages;
BUG_ON(!mem);
MAGIC_CHECK(mem->magic, MAGIC_VMAL_MEM);
switch (vb->memory) {
case V4L2_MEMORY_MMAP:
dprintk(1, "%s memory method MMAP\n", __func__);
/* All handling should be done by __videobuf_mmap_mapper() */
if (!mem->vmalloc) {
printk(KERN_ERR "memory is not alloced/mmapped.\n");
return -EINVAL;
}
break;
case V4L2_MEMORY_USERPTR:
pages = PAGE_ALIGN(vb->size);
dprintk(1, "%s memory method USERPTR\n", __func__);
#if 1
if (vb->baddr) {
printk(KERN_ERR "USERPTR is currently not supported\n");
return -EINVAL;
}
#endif
/* The only USERPTR currently supported is the one needed for
read() method.
*/
mem->vmalloc = vmalloc_user(pages);
if (!mem->vmalloc) {
printk(KERN_ERR "vmalloc (%d pages) failed\n", pages);
return -ENOMEM;
}
dprintk(1, "vmalloc is at addr %p (%d pages)\n",
mem->vmalloc, pages);
#if 0
int rc;
/* Kernel userptr is used also by read() method. In this case,
there's no need to remap, since data will be copied to user
*/
if (!vb->baddr)
return 0;
/* FIXME: to properly support USERPTR, remap should occur.
The code below won't work, since mem->vma = NULL
*/
/* Try to remap memory */
rc = remap_vmalloc_range(mem->vma, (void *)vb->baddr, 0);
if (rc < 0) {
printk(KERN_ERR "mmap: remap failed with error %d. ", rc);
return -ENOMEM;
}
#endif
break;
case V4L2_MEMORY_OVERLAY:
default:
dprintk(1, "%s memory method OVERLAY/unknown\n", __func__);
/* Currently, doesn't support V4L2_MEMORY_OVERLAY */
printk(KERN_ERR "Memory method currently unsupported.\n");
return -EINVAL;
}
return 0;
}
static int __videobuf_sync(struct videobuf_queue *q,
struct videobuf_buffer *buf)
{
return 0;
}
static int __videobuf_mmap_free(struct videobuf_queue *q)
{
unsigned int i;
dprintk(1, "%s\n", __func__);
for (i = 0; i < VIDEO_MAX_FRAME; i++) {
if (q->bufs[i]) {
if (q->bufs[i]->map)
return -EBUSY;
}
}
return 0;
}
static int __videobuf_mmap_mapper(struct videobuf_queue *q,
struct vm_area_struct *vma)
{
struct videobuf_vmalloc_memory *mem;
struct videobuf_mapping *map;
unsigned int first;
int retval, pages;
unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
dprintk(1, "%s\n", __func__);
if (!(vma->vm_flags & VM_WRITE) || !(vma->vm_flags & VM_SHARED))
return -EINVAL;
/* look for first buffer to map */
for (first = 0; first < VIDEO_MAX_FRAME; first++) {
if (NULL == q->bufs[first])
continue;
if (V4L2_MEMORY_MMAP != q->bufs[first]->memory)
continue;
if (q->bufs[first]->boff == offset)
break;
}
if (VIDEO_MAX_FRAME == first) {
dprintk(1,"mmap app bug: offset invalid [offset=0x%lx]\n",
(vma->vm_pgoff << PAGE_SHIFT));
return -EINVAL;
}
/* create mapping + update buffer list */
map = kzalloc(sizeof(struct videobuf_mapping), GFP_KERNEL);
if (NULL == map)
return -ENOMEM;
q->bufs[first]->map = map;
map->start = vma->vm_start;
map->end = vma->vm_end;
map->q = q;
q->bufs[first]->baddr = vma->vm_start;
mem = q->bufs[first]->priv;
BUG_ON(!mem);
MAGIC_CHECK(mem->magic, MAGIC_VMAL_MEM);
pages = PAGE_ALIGN(vma->vm_end - vma->vm_start);
mem->vmalloc = vmalloc_user(pages);
if (!mem->vmalloc) {
printk(KERN_ERR "vmalloc (%d pages) failed\n", pages);
goto error;
}
dprintk(1, "vmalloc is at addr %p (%d pages)\n",
mem->vmalloc, pages);
/* Try to remap memory */
retval = remap_vmalloc_range(vma, mem->vmalloc, 0);
if (retval < 0) {
printk(KERN_ERR "mmap: remap failed with error %d. ", retval);
vfree(mem->vmalloc);
goto error;
}
vma->vm_ops = &videobuf_vm_ops;
vma->vm_flags |= VM_DONTEXPAND | VM_RESERVED;
vma->vm_private_data = map;
dprintk(1,"mmap %p: q=%p %08lx-%08lx (%lx) pgoff %08lx buf %d\n",
map, q, vma->vm_start, vma->vm_end,
(long int) q->bufs[first]->bsize,
vma->vm_pgoff, first);
videobuf_vm_open(vma);
return 0;
error:
mem = NULL;
kfree(map);
return -ENOMEM;
}
static int __videobuf_copy_to_user ( struct videobuf_queue *q,
char __user *data, size_t count,
int nonblocking )
{
struct videobuf_vmalloc_memory *mem=q->read_buf->priv;
BUG_ON (!mem);
MAGIC_CHECK(mem->magic,MAGIC_VMAL_MEM);
BUG_ON (!mem->vmalloc);
/* copy to userspace */
if (count > q->read_buf->size - q->read_off)
count = q->read_buf->size - q->read_off;
if (copy_to_user(data, mem->vmalloc+q->read_off, count))
return -EFAULT;
return count;
}
static int __videobuf_copy_stream ( struct videobuf_queue *q,
char __user *data, size_t count, size_t pos,
int vbihack, int nonblocking )
{
unsigned int *fc;
struct videobuf_vmalloc_memory *mem=q->read_buf->priv;
BUG_ON (!mem);
MAGIC_CHECK(mem->magic,MAGIC_VMAL_MEM);
if (vbihack) {
/* dirty, undocumented hack -- pass the frame counter
* within the last four bytes of each vbi data block.
* We need that one to maintain backward compatibility
* to all vbi decoding software out there ... */
fc = (unsigned int*)mem->vmalloc;
fc += (q->read_buf->size>>2) -1;
*fc = q->read_buf->field_count >> 1;
dprintk(1,"vbihack: %d\n",*fc);
}
/* copy stuff using the common method */
count = __videobuf_copy_to_user (q,data,count,nonblocking);
if ( (count==-EFAULT) && (0 == pos) )
return -EFAULT;
return count;
}
static struct videobuf_qtype_ops qops = {
.magic = MAGIC_QTYPE_OPS,
.alloc = __videobuf_alloc,
.iolock = __videobuf_iolock,
.sync = __videobuf_sync,
.mmap_free = __videobuf_mmap_free,
.mmap_mapper = __videobuf_mmap_mapper,
.video_copy_to_user = __videobuf_copy_to_user,
.copy_stream = __videobuf_copy_stream,
.vmalloc = videobuf_to_vmalloc,
};
void videobuf_queue_vmalloc_init(struct videobuf_queue* q,
struct videobuf_queue_ops *ops,
void *dev,
spinlock_t *irqlock,
enum v4l2_buf_type type,
enum v4l2_field field,
unsigned int msize,
void *priv)
{
videobuf_queue_core_init(q, ops, dev, irqlock, type, field, msize,
priv, &qops);
}
EXPORT_SYMBOL_GPL(videobuf_queue_vmalloc_init);
void *videobuf_to_vmalloc (struct videobuf_buffer *buf)
{
struct videobuf_vmalloc_memory *mem=buf->priv;
BUG_ON (!mem);
MAGIC_CHECK(mem->magic,MAGIC_VMAL_MEM);
return mem->vmalloc;
}
EXPORT_SYMBOL_GPL(videobuf_to_vmalloc);
void videobuf_vmalloc_free (struct videobuf_buffer *buf)
{
struct videobuf_vmalloc_memory *mem = buf->priv;
/* mmapped memory can't be freed here, otherwise mmapped region
would be released, while still needed. In this case, the memory
release should happen inside videobuf_vm_close().
So, it should free memory only if the memory were allocated for
read() operation.
*/
if ((buf->memory != V4L2_MEMORY_USERPTR) || buf->baddr)
return;
if (!mem)
return;
MAGIC_CHECK(mem->magic, MAGIC_VMAL_MEM);
vfree(mem->vmalloc);
mem->vmalloc = NULL;
return;
}
EXPORT_SYMBOL_GPL(videobuf_vmalloc_free);
/*
* Local variables:
* c-basic-offset: 8
* End:
*/