5993a663a9
videobuf_vmalloc_free() is never freeing the video buffer memory. Due to that, after multiple open/closes, user can suffer a panic: Kernel BUG at mm/slab.c:2650 invalid opcode: 0000 [1] SMP last sysfs file: /class/video4linux/video0/dev CPU 4 Modules linked in: vivi(U) videodev(U) v4l1_compat(U) v4l2_compat_ioctl32(U) videobuf_vmalloc(U) videobuf_core(U) ipv6 xfrm_nalgo autofs4 vmnet(U) vmblock(U) vmci(U) vmmon(U) ip_conntrack_netbios_ns ipt_REJECT xt_state ip_conntrack nfnetlink xt_tcpudp iptable_filter ip_tables x_tables cpufreq_ondemand dm_mirror dm_log dm_multipath scsi_dh dm_mod video backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac lp testmgr_cipher testmgr aead crypto_blkcipher crypto_algapi crypto_api arc4 snd_hda_intel nvidia(PFU) snd_seq_dummy snd_seq_oss snd_seq_midi_event rt73usb crc_itu_t snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss tg3 sr_mod snd_pcm snd_timer snd_page_alloc snd_hwdep pcspkr rt2500usb cdrom rt2x00usb rt2x00lib libphy snd parport_pc soundcore shpchp serio_raw i2c_i801 i5400_edac parport ata_piix sg mac80211 edac_mc i2c_core cfg80211 ahci libata sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd Pid: 6215, comm: v4l-stress-buff Tainted: PF 2.6.18-118.el5 #1 RIP: 0010:[<ffffffff80017506>] [<ffffffff80017506>] cache_grow+0x1e/0x395 RSP: 0018:ffff810128a35d28 EFLAGS: 00010006 RAX: 0000000000000000 RBX: 00000000000080d0 RCX: 00000000ffffffff RDX: 0000000000000000 RSI: 00000000000080d0 RDI: ffff8101042d8340 RBP: ffff8101042ce5e0 R08: ffff81012fc1e8c0 R09: ffff8101042eac00 R10: 0000000000000000 R11: ffffffff882a5139 R12: ffff8101042d8340 R13: ffff8101042ce5c0 R14: 0000000000000000 R15: ffff8101042d8340 FS: 0000000000000000(0000) GS:ffff81012fc24d40(0063) knlGS:00000000f7f706c0 CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b CR2: 00000000f7f9a000 CR3: 0000000117ad0000 CR4: 00000000000006e0 Process v4l-stress-buff (pid: 6215, threadinfo ffff810128a34000, task ffff810128fcb820) Stack: ffffc20012a39000 0000004415173ff8 
ffff810000011c10 000280d200000000 0000000000000002 00000000ffffffff ffff8101042ce5e0 ffff81012fc1e8c0 ffff8101042ce5c0 000000000000000c ffff8101042d8340 ffffffff8005bdde Call Trace: [<ffffffff8005bdde>] cache_alloc_refill+0x136/0x186 [<ffffffff800d7822>] kmem_cache_alloc_node+0x98/0xb2 [<ffffffff800cda1f>] __vmalloc_area_node+0x62/0x153 [<ffffffff800cdd65>] vmalloc_user+0x15/0x50 [<ffffffff882a521f>] :videobuf_vmalloc:__videobuf_iolock+0xe6/0x155 [<ffffffff8838f958>] :vivi:buffer_prepare+0xb9/0xe6 [<ffffffff882981f3>] :videobuf_core:__videobuf_read_start+0xa2/0x10f [<ffffffff882983e6>] :videobuf_core:videobuf_read_stream+0x9c/0x1f3 [<ffffffff8000b3f3>] vfs_read+0xcb/0x171 [<ffffffff80011967>] sys_read+0x45/0x6e [<ffffffff8006149b>] sysenter_do_call+0x1b/0x67 Code: 0f 0b 68 af 1e 2a 80 c2 5a 0a f6 c7 20 0f 85 53 03 00 00 89 RIP [<ffffffff80017506>] cache_grow+0x1e/0x395 RSP <ffff810128a35d28> <0>Kernel panic - not syncing: Fatal exception Thanks to Douglas Schilling Landgraf <dougsland@gmail.com> for writing a stress tool for testing and to Robert Krakora <rob.krakora@messagenetsystems.com> to trace the code and discover the point where the bug were happening. Thanks also to Magnus Damm <damm@igel.co.jp> that provided us a fix for a similar bug on videobuf-dma-contig. Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
/*
 * helper functions for vmalloc video4linux capture buffers
 *
 * The functions expect the hardware to be able to scatter-gather
 * (i.e. the buffers are not linear in physical memory, but fragmented
 * into PAGE_SIZE chunks). They also assume the driver does not need
 * to touch the video data.
 *
 * (c) 2007 Mauro Carvalho Chehab, <mchehab@infradead.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2
 */
#include <linux/init.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/slab.h>
#include <linux/interrupt.h>
#include <linux/pci.h>
#include <linux/vmalloc.h>
#include <linux/pagemap.h>
#include <asm/page.h>
#include <asm/pgtable.h>
#include <media/videobuf-vmalloc.h>
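/*
 * Magic tags used to validate descriptors before they are trusted.
 * MAGIC_VMAL_MEM marks struct videobuf_vmalloc_memory (set in
 * __videobuf_alloc()); MAGIC_DMABUF is defined here but not referenced
 * in this file.
 */
#define MAGIC_DMABUF 0x17760309
#define MAGIC_VMAL_MEM 0x18221223

/*
 * Abort (BUG) if the magic of a descriptor is not the expected one.
 * Wrapped in do { } while (0) so the macro behaves as a single
 * statement: "MAGIC_CHECK(...);" no longer leaves a stray empty
 * statement behind, and it is safe inside an unbraced if/else.
 */
#define MAGIC_CHECK(is, should)						\
	do {								\
		if (unlikely((is) != (should))) {			\
			printk(KERN_ERR "magic mismatch: %x (expected %x)\n", \
			       (is), (should));				\
			BUG();						\
		}							\
	} while (0)

/* Verbosity of dprintk(): messages with level <= debug are printed. */
static int debug;
module_param(debug, int, 0644);

MODULE_DESCRIPTION("helper module to manage video4linux vmalloc buffers");
MODULE_AUTHOR("Mauro Carvalho Chehab <mchehab@infradead.org>");
MODULE_LICENSE("GPL");

/*
 * Debug printk gated on the "debug" module parameter; same
 * do { } while (0) wrapping as MAGIC_CHECK for the same reason.
 */
#define dprintk(level, fmt, arg...)					\
	do {								\
		if (debug >= (level))					\
			printk(KERN_DEBUG "vbuf-vmalloc: " fmt , ## arg); \
	} while (0)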
/***************************************************************************/
/*
 * VMA open callback. Another mapping of the buffer has come into
 * existence (__videobuf_mmap_mapper() also calls this explicitly once
 * the area has been remapped), so take one more reference on the
 * videobuf_mapping shared by all VMAs of that buffer.
 */
static void videobuf_vm_open(struct vm_area_struct *vma)
{
	struct videobuf_mapping *mapping = vma->vm_private_data;

	dprintk(2, "vm_open %p [count=%u,vma=%08lx-%08lx]\n", mapping,
		mapping->count, vma->vm_start, vma->vm_end);

	++mapping->count;
}
/*
 * VMA close callback. Drops one reference on the videobuf_mapping; when
 * the last mapping goes away, every buffer of the queue that points at
 * this mapping is torn down under q->vb_lock: streaming is cancelled
 * first, the vmalloc area is released, the buffer's map/baddr are
 * cleared and the mapping itself is kfree()d.
 */
static void videobuf_vm_close(struct vm_area_struct *vma)
{
	struct videobuf_mapping *mapping = vma->vm_private_data;
	struct videobuf_queue *queue = mapping->q;
	struct videobuf_vmalloc_memory *vmem;
	int idx;

	dprintk(2, "vm_close %p [count=%u,vma=%08lx-%08lx]\n", mapping,
		mapping->count, vma->vm_start, vma->vm_end);

	/* Only the last unmap does any work. */
	if (--mapping->count != 0)
		return;

	dprintk(1, "munmap %p q=%p\n", mapping, queue);
	mutex_lock(&queue->vb_lock);

	/* We need first to cancel streams, before unmapping */
	if (queue->streaming)
		videobuf_queue_cancel(queue);

	for (idx = 0; idx < VIDEO_MAX_FRAME; idx++) {
		struct videobuf_buffer *vb = queue->bufs[idx];

		if (vb == NULL || vb->map != mapping)
			continue;

		vmem = vb->priv;
		if (vmem) {
			/*
			 * Reached only for memory the kernel allocated and
			 * that was mmapped; it has to be freed here so the
			 * unmap can complete. vfree() is not atomic and
			 * cannot be called with IRQs disabled.
			 */
			MAGIC_CHECK(vmem->magic, MAGIC_VMAL_MEM);

			dprintk(1, "%s: buf[%d] freeing (%p)\n",
				__func__, idx, vmem->vmalloc);

			vfree(vmem->vmalloc);
			vmem->vmalloc = NULL;
		}

		vb->map = NULL;
		vb->baddr = 0;
	}

	kfree(mapping);

	mutex_unlock(&queue->vb_lock);
}
/*
 * VMA callbacks installed by __videobuf_mmap_mapper(); the mapping's
 * reference counting lives entirely in open/close.
 */
static struct vm_operations_struct videobuf_vm_ops = {
	.open	= videobuf_vm_open,
	.close	= videobuf_vm_close,
};
/* ---------------------------------------------------------------------
 * vmalloc handlers for the generic methods
 */

/* Allocated area consists of 3 parts:
	struct video_buffer
	struct <driver>_buffer (cx88_buffer, saa7134_buf, ...)
	struct videobuf_dma_sg_memory
 */
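/*
 * Allocate one buffer of @size bytes (the core's struct videobuf_buffer
 * followed by the driver's private buffer struct) with a
 * struct videobuf_vmalloc_memory descriptor appended in the same
 * allocation; vb->priv is pointed at that descriptor and tagged with
 * MAGIC_VMAL_MEM.
 *
 * Returns the zeroed buffer, or NULL when kzalloc() fails. The caller
 * owns the allocation: a single kfree() of the returned pointer releases
 * both parts.
 */
static void *__videobuf_alloc(size_t size)
{
	struct videobuf_vmalloc_memory *mem;
	struct videobuf_buffer *vb;

	vb = kzalloc(size + sizeof(*mem), GFP_KERNEL);
	if (!vb)
		return NULL;

	/* The memory descriptor lives right behind the @size-byte buffer. */
	mem = vb->priv = ((char *)vb) + size;
	mem->magic = MAGIC_VMAL_MEM;

	dprintk(1, "%s: allocated at %p(%ld+%ld) & %p(%ld)\n",
		__func__, vb, (long)sizeof(*vb), (long)(size - sizeof(*vb)),
		mem, (long)sizeof(*mem));

	return vb;
}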
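/*
 * iolock hook: make sure @vb has backing storage for its memory type.
 *
 * V4L2_MEMORY_MMAP:    the vmalloc area must already exist; it is created
 *                      by __videobuf_mmap_mapper() when userspace mmaps
 *                      the buffer. A missing area yields -EINVAL.
 * V4L2_MEMORY_USERPTR: only the kernel-internal flavour used by the
 *                      read() path (vb->baddr == 0) is supported; an area
 *                      of PAGE_ALIGN(vb->size) bytes is allocated for it.
 *                      A real user pointer (vb->baddr != 0) is rejected
 *                      with -EINVAL.
 * V4L2_MEMORY_OVERLAY and anything else: -EINVAL.
 *
 * @q and @fbuf are not used here. Returns 0 on success or a negative
 * errno.
 */
static int __videobuf_iolock(struct videobuf_queue *q,
			     struct videobuf_buffer *vb,
			     struct v4l2_framebuffer *fbuf)
{
	struct videobuf_vmalloc_memory *mem = vb->priv;
	unsigned long size;

	BUG_ON(!mem);

	MAGIC_CHECK(mem->magic, MAGIC_VMAL_MEM);

	switch (vb->memory) {
	case V4L2_MEMORY_MMAP:
		dprintk(1, "%s memory method MMAP\n", __func__);

		/* All handling should be done by __videobuf_mmap_mapper() */
		if (!mem->vmalloc) {
			printk(KERN_ERR "memory is not alloced/mmapped.\n");
			return -EINVAL;
		}
		break;
	case V4L2_MEMORY_USERPTR:
		dprintk(1, "%s memory method USERPTR\n", __func__);

		if (vb->baddr) {
			printk(KERN_ERR "USERPTR is currently not supported\n");
			return -EINVAL;
		}

		/*
		 * The only USERPTR currently supported is the one needed for
		 * the read() method: the kernel allocates the area itself and
		 * the data is copied to userspace later, so no remap is
		 * needed. FIXME: supporting a real user pointer would require
		 * remapping the area into the caller's VMA
		 * (remap_vmalloc_range()), and no VMA is available here.
		 *
		 * NOTE(review): any area still held in mem->vmalloc at this
		 * point is overwritten; it is expected to have been released
		 * by videobuf_vmalloc_free() beforehand.
		 */

		/* Whole pages, in bytes: vmalloc_user() takes a byte count. */
		size = PAGE_ALIGN(vb->size);
		mem->vmalloc = vmalloc_user(size);
		if (!mem->vmalloc) {
			printk(KERN_ERR "vmalloc (%lu bytes) failed\n", size);
			return -ENOMEM;
		}
		dprintk(1, "vmalloc is at addr %p (%lu bytes)\n",
			mem->vmalloc, size);
		break;
	case V4L2_MEMORY_OVERLAY:
	default:
		dprintk(1, "%s memory method OVERLAY/unknown\n", __func__);

		/* Currently, doesn't support V4L2_MEMORY_OVERLAY */
		printk(KERN_ERR "Memory method currently unsupported.\n");
		return -EINVAL;
	}

	return 0;
}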
/*
 * sync hook of the generic videobuf ops. Nothing to do for vmalloc'ed
 * buffers: both parameters are unused and the call always succeeds.
 */
static int __videobuf_sync(struct videobuf_queue *q,
			   struct videobuf_buffer *buf)
{
	(void)q;
	(void)buf;

	return 0;
}
/*
 * mmap_free hook: report whether any buffer of @q is still mmapped.
 * Returns -EBUSY while some buffer has a mapping attached, 0 otherwise.
 * Nothing is released here; the vmalloc area of an mmapped buffer is
 * freed from videobuf_vm_close() when its last mapping goes away.
 */
static int __videobuf_mmap_free(struct videobuf_queue *q)
{
	unsigned int idx;

	dprintk(1, "%s\n", __func__);
	for (idx = 0; idx < VIDEO_MAX_FRAME; idx++) {
		struct videobuf_buffer *vb = q->bufs[idx];

		if (vb && vb->map)
			return -EBUSY;
	}

	return 0;
}
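/*
 * mmap_mapper hook: back @vma with a freshly allocated vmalloc area.
 *
 * The buffer is selected by matching vma->vm_pgoff (as a byte offset)
 * against each V4L2_MEMORY_MMAP buffer's boff. A videobuf_mapping is
 * attached to that buffer, the area is allocated with vmalloc_user() and
 * remapped into the VMA with remap_vmalloc_range(); the VMA gets
 * videobuf_vm_ops plus VM_DONTEXPAND | VM_RESERVED, and
 * videobuf_vm_open() takes the first reference. The area is released
 * again from videobuf_vm_close() when the last mapping is gone.
 *
 * Returns 0 on success, -EINVAL for a VMA that is not writable and
 * shared or whose offset matches no buffer, -ENOMEM when the mapping,
 * the area or the remap fails. On failure nothing is left behind: the
 * buffer's map/baddr are cleared and mem->vmalloc is reset to NULL, so a
 * later __videobuf_iolock() or videobuf_to_vmalloc() cannot see a freed
 * area and __videobuf_mmap_free()/videobuf_vm_close() cannot follow a
 * freed mapping.
 */
static int __videobuf_mmap_mapper(struct videobuf_queue *q,
				  struct vm_area_struct *vma)
{
	struct videobuf_vmalloc_memory *mem;
	struct videobuf_mapping *map;
	unsigned int first;
	int retval;
	unsigned long size;
	unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;

	dprintk(1, "%s\n", __func__);
	if (!(vma->vm_flags & VM_WRITE) || !(vma->vm_flags & VM_SHARED))
		return -EINVAL;

	/* look for first buffer to map */
	for (first = 0; first < VIDEO_MAX_FRAME; first++) {
		if (NULL == q->bufs[first])
			continue;

		if (V4L2_MEMORY_MMAP != q->bufs[first]->memory)
			continue;
		if (q->bufs[first]->boff == offset)
			break;
	}
	if (VIDEO_MAX_FRAME == first) {
		dprintk(1, "mmap app bug: offset invalid [offset=0x%lx]\n",
			offset);
		return -EINVAL;
	}

	/* Validate the memory descriptor before anything is allocated. */
	mem = q->bufs[first]->priv;
	BUG_ON(!mem);
	MAGIC_CHECK(mem->magic, MAGIC_VMAL_MEM);

	/* create mapping + update buffer list */
	map = kzalloc(sizeof(*map), GFP_KERNEL);
	if (NULL == map)
		return -ENOMEM;

	map->start = vma->vm_start;
	map->end = vma->vm_end;
	map->q = q;

	q->bufs[first]->map = map;
	q->bufs[first]->baddr = vma->vm_start;

	/* Byte length of the VMA rounded up to whole pages. */
	size = PAGE_ALIGN(vma->vm_end - vma->vm_start);
	mem->vmalloc = vmalloc_user(size);
	if (!mem->vmalloc) {
		printk(KERN_ERR "vmalloc (%lu bytes) failed\n", size);
		goto error;
	}
	dprintk(1, "vmalloc is at addr %p (%lu bytes)\n",
		mem->vmalloc, size);

	/* Try to remap memory */
	retval = remap_vmalloc_range(vma, mem->vmalloc, 0);
	if (retval < 0) {
		printk(KERN_ERR "mmap: remap failed with error %d. ", retval);
		/*
		 * Free the area and clear the pointer: a stale mem->vmalloc
		 * would satisfy the "already mapped" test in
		 * __videobuf_iolock() and be handed out by
		 * videobuf_to_vmalloc() after it was freed.
		 */
		vfree(mem->vmalloc);
		mem->vmalloc = NULL;
		goto error;
	}

	vma->vm_ops = &videobuf_vm_ops;
	vma->vm_flags |= VM_DONTEXPAND | VM_RESERVED;
	vma->vm_private_data = map;

	dprintk(1, "mmap %p: q=%p %08lx-%08lx (%lx) pgoff %08lx buf %d\n",
		map, q, vma->vm_start, vma->vm_end,
		(long int)q->bufs[first]->bsize,
		vma->vm_pgoff, first);

	videobuf_vm_open(vma);

	return 0;

error:
	/*
	 * Undo the buffer bookkeeping before the mapping is freed, so no
	 * dangling map pointer survives for __videobuf_mmap_free() or
	 * videobuf_vm_close() to dereference.
	 */
	q->bufs[first]->map = NULL;
	q->bufs[first]->baddr = 0;
	kfree(map);
	return -ENOMEM;
}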
/*
 * video_copy_to_user hook: copy up to @count bytes of the current read
 * buffer (q->read_buf), starting at q->read_off, to the user address
 * @data. @nonblocking is unused. Returns the number of bytes copied,
 * clamped to what is left in the buffer, or -EFAULT if the user address
 * is bad.
 */
static int __videobuf_copy_to_user(struct videobuf_queue *q,
				   char __user *data, size_t count,
				   int nonblocking)
{
	struct videobuf_buffer *rb = q->read_buf;
	struct videobuf_vmalloc_memory *mem = rb->priv;
	size_t remaining;

	BUG_ON(!mem);
	MAGIC_CHECK(mem->magic, MAGIC_VMAL_MEM);

	BUG_ON(!mem->vmalloc);

	/* never hand out more than is left behind the read offset */
	remaining = rb->size - q->read_off;
	if (count > remaining)
		count = remaining;

	/* copy to userspace */
	if (copy_to_user(data, mem->vmalloc + q->read_off, count))
		return -EFAULT;

	return count;
}
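/*
 * copy_stream hook used by the read()/stream path: optionally stamp the
 * frame counter into the buffer (VBI hack), then copy the data through
 * __videobuf_copy_to_user().
 *
 * @vbihack:     write q->read_buf->field_count >> 1 into the last four
 *               bytes of the buffer, which old VBI decoders rely on.
 * @pos:         position within the stream; only consulted on -EFAULT.
 * @nonblocking: passed through to __videobuf_copy_to_user().
 * Returns the byte count from __videobuf_copy_to_user() or -EFAULT.
 */
static int __videobuf_copy_stream(struct videobuf_queue *q,
				  char __user *data, size_t count, size_t pos,
				  int vbihack, int nonblocking)
{
	struct videobuf_buffer *rb = q->read_buf;
	struct videobuf_vmalloc_memory *mem = rb->priv;
	int rc;

	BUG_ON(!mem);
	MAGIC_CHECK(mem->magic, MAGIC_VMAL_MEM);

	if (vbihack) {
		/* dirty, undocumented hack -- pass the frame counter
		 * within the last four bytes of each vbi data block.
		 * We need that one to maintain backward compatibility
		 * to all vbi decoding software out there ... */
		unsigned int *fc = (unsigned int *)mem->vmalloc;

		/*
		 * A buffer shorter than one counter would place the write
		 * in front of the area, so only stamp when it fits.
		 */
		if (rb->size >= sizeof(*fc)) {
			fc += (rb->size >> 2) - 1;
			*fc = rb->field_count >> 1;
			dprintk(1, "vbihack: %d\n", *fc);
		}
	}

	/*
	 * copy stuff using the common method; keep the result signed so
	 * that -EFAULT is not laundered through size_t on the way out
	 */
	rc = __videobuf_copy_to_user(q, data, count, nonblocking);

	if (rc == -EFAULT && pos == 0)
		return -EFAULT;

	return rc;
}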
/*
 * Dispatch table handed to videobuf-core by videobuf_queue_vmalloc_init();
 * every generic queue operation is routed to the vmalloc handlers above.
 */
static struct videobuf_qtype_ops qops = {
	.magic			= MAGIC_QTYPE_OPS,

	.alloc			= __videobuf_alloc,
	.iolock			= __videobuf_iolock,
	.sync			= __videobuf_sync,
	.mmap_free		= __videobuf_mmap_free,
	.mmap_mapper		= __videobuf_mmap_mapper,
	.video_copy_to_user	= __videobuf_copy_to_user,
	.copy_stream		= __videobuf_copy_stream,
	.vmalloc		= videobuf_to_vmalloc,
};
/*
 * Initialise @q as a vmalloc-backed videobuf queue. All arguments are
 * passed straight through to videobuf_queue_core_init(), with this
 * module's qops plugged in as the queue-type operations.
 */
void videobuf_queue_vmalloc_init(struct videobuf_queue *q,
				 struct videobuf_queue_ops *ops,
				 void *dev,
				 spinlock_t *irqlock,
				 enum v4l2_buf_type type,
				 enum v4l2_field field,
				 unsigned int msize,
				 void *priv)
{
	videobuf_queue_core_init(q, ops, dev, irqlock, type, field,
				 msize, priv, &qops);
}
EXPORT_SYMBOL_GPL(videobuf_queue_vmalloc_init);
/*
 * Return the kernel virtual address of @buf's vmalloc area, or NULL when
 * no area is currently allocated for it. BUGs if the buffer carries no
 * memory descriptor or the descriptor's magic is wrong.
 */
void *videobuf_to_vmalloc(struct videobuf_buffer *buf)
{
	struct videobuf_vmalloc_memory *mem = buf->priv;

	BUG_ON(!mem);
	MAGIC_CHECK(mem->magic, MAGIC_VMAL_MEM);

	return mem->vmalloc;
}
EXPORT_SYMBOL_GPL(videobuf_to_vmalloc);
/*
 * Release the vmalloc area behind @buf, but only for the read() case:
 * V4L2_MEMORY_USERPTR buffers that the kernel allocated itself (no user
 * address, baddr == 0). Mmapped memory must not be freed here, since the
 * mapped region is still needed; that release happens in
 * videobuf_vm_close() once the last mapping is gone. Buffers of any other
 * kind, or without a memory descriptor, are left untouched. Calling this
 * twice is harmless: the pointer is reset to NULL after vfree().
 */
void videobuf_vmalloc_free(struct videobuf_buffer *buf)
{
	struct videobuf_vmalloc_memory *mem = buf->priv;

	if (buf->memory != V4L2_MEMORY_USERPTR || buf->baddr || !mem)
		return;

	MAGIC_CHECK(mem->magic, MAGIC_VMAL_MEM);

	vfree(mem->vmalloc);
	mem->vmalloc = NULL;
}
EXPORT_SYMBOL_GPL(videobuf_vmalloc_free);
/*
 * Local variables:
 * c-basic-offset: 8
 * End:
 */