]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.16-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 14 Apr 2018 14:40:15 +0000 (16:40 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 14 Apr 2018 14:40:15 +0000 (16:40 +0200)
added patches:
media-v4l-vsp1-fix-header-display-list-status-check-in-continuous-mode.patch
media-v4l2-compat-ioctl32-don-t-oops-on-overlay.patch
media-v4l2-core-fix-size-of-devnode_nums-bitarray.patch

queue-4.16/media-v4l-vsp1-fix-header-display-list-status-check-in-continuous-mode.patch [new file with mode: 0644]
queue-4.16/media-v4l2-compat-ioctl32-don-t-oops-on-overlay.patch [new file with mode: 0644]
queue-4.16/media-v4l2-core-fix-size-of-devnode_nums-bitarray.patch [new file with mode: 0644]

diff --git a/queue-4.16/media-v4l-vsp1-fix-header-display-list-status-check-in-continuous-mode.patch b/queue-4.16/media-v4l-vsp1-fix-header-display-list-status-check-in-continuous-mode.patch
new file mode 100644 (file)
index 0000000..3155656
--- /dev/null
@@ -0,0 +1,44 @@
+From 613928e85317b945c863bb893f5737d2f22f5425 Mon Sep 17 00:00:00 2001
+From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Date: Fri, 9 Feb 2018 09:50:34 -0500
+Subject: media: v4l: vsp1: Fix header display list status check in continuous mode
+
+From: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+
+commit 613928e85317b945c863bb893f5737d2f22f5425 upstream.
+
+To allow dual pipelines utilising two WPF entities when available, the
+VSP was updated to support header-mode display list in continuous
+pipelines.
+
+A small bug in the status check of the command register causes the
+second pipeline to be directly afflicted by the running of the first;
+appearing as a perceived performance issue with stuttering display.
+
+Fix the vsp1_dl_list_hw_update_pending() call to ensure that the read
+comparison corresponds to the correct pipeline.
+
+Fixes: eaf4bfad6ad8 ("v4l: vsp1: Add support for header display lists in continuous mode")
+
+Cc: "Stable v4.14+" <stable@vger.kernel.org>
+Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/vsp1/vsp1_dl.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/vsp1/vsp1_dl.c
++++ b/drivers/media/platform/vsp1/vsp1_dl.c
+@@ -509,7 +509,8 @@ static bool vsp1_dl_list_hw_update_pendi
+               return !!(vsp1_read(vsp1, VI6_DL_BODY_SIZE)
+                         & VI6_DL_BODY_SIZE_UPD);
+       else
+-              return !!(vsp1_read(vsp1, VI6_CMD(dlm->index) & VI6_CMD_UPDHDR));
++              return !!(vsp1_read(vsp1, VI6_CMD(dlm->index))
++                        & VI6_CMD_UPDHDR);
+ }
+ static void vsp1_dl_list_hw_enqueue(struct vsp1_dl_list *dl)
diff --git a/queue-4.16/media-v4l2-compat-ioctl32-don-t-oops-on-overlay.patch b/queue-4.16/media-v4l2-compat-ioctl32-don-t-oops-on-overlay.patch
new file mode 100644 (file)
index 0000000..dad2cc4
--- /dev/null
@@ -0,0 +1,130 @@
+From 85ea29f19eab56ec16ec6b92bc67305998706afa Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Date: Wed, 28 Mar 2018 13:59:22 -0400
+Subject: media: v4l2-compat-ioctl32: don't oops on overlay
+
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+
+commit 85ea29f19eab56ec16ec6b92bc67305998706afa upstream.
+
+At put_v4l2_window32(), it tries to access kp->clips. However,
+kp points to an userspace pointer. So, it should be obtained
+via get_user(), otherwise it can OOPS:
+
+ vivid-000: ==================  END STATUS  ==================
+ BUG: unable to handle kernel paging request at 00000000fffb18e0
+ IP: [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
+ PGD 3f5776067 PUD 3f576f067 PMD 3f5769067 PTE 800000042548f067
+ Oops: 0001 [#1] SMP
+ Modules linked in: vivid videobuf2_vmalloc videobuf2_memops v4l2_dv_timings videobuf2_core v4l2_common videodev media xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill binfmt_misc snd_hda_codec_hdmi i915 snd_hda_intel snd_hda_controller snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hwdep intel_powerclamp snd_pcm coretemp snd_seq_midi kvm_intel kvm snd_seq_midi_event snd_rawmidi i2c_algo_bit drm_kms_helper snd_seq drm crct10dif_pclmul e1000e snd_seq_device crc32_pclmul snd_timer ghash_clmulni_intel snd mei_me mei ptp pps_core soundcore lpc_ich video crc32c_intel [last unloaded: media]
+ CPU: 2 PID: 28332 Comm: v4l2-compliance Not tainted 3.18.102+ #107
+ Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
+ task: ffff8804293f8000 ti: ffff8803f5640000 task.ti: ffff8803f5640000
+ RIP: 0010:[<ffffffffc05468d9>]  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
+ RSP: 0018:ffff8803f5643e28  EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000fffb1ab4
+ RDX: 00000000fffb1a68 RSI: 00000000fffb18d8 RDI: 00000000fffb1aa8
+ RBP: ffff8803f5643e48 R08: 0000000000000001 R09: ffff8803f54b0378
+ R10: 0000000000000000 R11: 0000000000000168 R12: 00000000fffb18c0
+ R13: 00000000fffb1a94 R14: 00000000fffb18c8 R15: 0000000000000000
+ FS:  0000000000000000(0000) GS:ffff880456d00000(0063) knlGS:00000000f7100980
+ CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
+ CR2: 00000000fffb18e0 CR3: 00000003f552b000 CR4: 00000000003407e0
+ Stack:
+  00000000fffb1a94 00000000c0cc5640 0000000000000056 ffff8804274f3600
+  ffff8803f5643ed0 ffffffffc0547e16 0000000000000003 ffff8803f5643eb0
+  ffffffff81301460 ffff88009db44b01 ffff880441942520 ffff8800c0d05640
+ Call Trace:
+  [<ffffffffc0547e16>] v4l2_compat_ioctl32+0x12d6/0x1b1d [videodev]
+  [<ffffffff81301460>] ? file_has_perm+0x70/0xc0
+  [<ffffffff81252a2c>] compat_SyS_ioctl+0xec/0x1200
+  [<ffffffff8173241a>] sysenter_dispatch+0x7/0x21
+ Code: 00 00 48 8b 80 48 c0 ff ff 48 83 e8 38 49 39 c6 0f 87 2b ff ff ff 49 8d 45 1c e8 a3 ce e3 c0 85 c0 0f 85 1a ff ff ff 41 8d 40 ff <4d> 8b 64 24 20 41 89 d5 48 8d 44 40 03 4d 8d 34 c4 eb 15 0f 1f
+ RIP  [<ffffffffc05468d9>] __put_v4l2_format32+0x169/0x220 [videodev]
+ RSP <ffff8803f5643e28>
+ CR2: 00000000fffb18e0
+
+Tested with vivid driver on Kernel v3.18.102.
+
+Same bug happens upstream too:
+
+ BUG: KASAN: user-memory-access in __put_v4l2_format32+0x98/0x4d0 [videodev]
+ Read of size 8 at addr 00000000ffe48400 by task v4l2-compliance/8713
+
+ CPU: 0 PID: 8713 Comm: v4l2-compliance Not tainted 4.16.0-rc4+ #108
+ Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
+ Call Trace:
+  dump_stack+0x5c/0x7c
+  kasan_report+0x164/0x380
+  ? __put_v4l2_format32+0x98/0x4d0 [videodev]
+  __put_v4l2_format32+0x98/0x4d0 [videodev]
+  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
+  ? __fsnotify_inode_delete+0x20/0x20
+  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
+  compat_SyS_ioctl+0x646/0x14d0
+  ? do_ioctl+0x30/0x30
+  do_fast_syscall_32+0x191/0x3f4
+  entry_SYSENTER_compat+0x6b/0x7a
+ ==================================================================
+ Disabling lock debugging due to kernel taint
+ BUG: unable to handle kernel paging request at 00000000ffe48400
+ IP: __put_v4l2_format32+0x98/0x4d0 [videodev]
+ PGD 3a22fb067 P4D 3a22fb067 PUD 39b6f0067 PMD 39b6f1067 PTE 80000003256af067
+ Oops: 0001 [#1] SMP KASAN
+ Modules linked in: vivid videobuf2_vmalloc videobuf2_dma_contig videobuf2_memops v4l2_tpg v4l2_dv_timings videobuf2_v4l2 videobuf2_common v4l2_common videodev xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc snd_hda_codec_hdmi intel_rapl x86_pkg_temp_thermal intel_powerclamp i915 coretemp snd_hda_intel snd_hda_codec kvm_intel snd_hwdep snd_hda_core kvm snd_pcm irqbypass crct10dif_pclmul crc32_pclmul snd_seq_midi ghash_clmulni_intel snd_seq_midi_event i2c_algo_bit intel_cstate snd_rawmidi intel_uncore snd_seq drm_kms_helper e1000e snd_seq_device snd_timer intel_rapl_perf
+  drm ptp snd mei_me mei lpc_ich pps_core soundcore video crc32c_intel
+ CPU: 0 PID: 8713 Comm: v4l2-compliance Tainted: G    B            4.16.0-rc4+ #108
+ Hardware name:  /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017
+ RIP: 0010:__put_v4l2_format32+0x98/0x4d0 [videodev]
+ RSP: 0018:ffff8803b9be7d30 EFLAGS: 00010282
+ RAX: 0000000000000000 RBX: ffff8803ac983e80 RCX: ffffffff8cd929f2
+ RDX: 1ffffffff1d0a149 RSI: 0000000000000297 RDI: 0000000000000297
+ RBP: 00000000ffe485c0 R08: fffffbfff1cf5123 R09: ffffffff8e7a8948
+ R10: 0000000000000001 R11: fffffbfff1cf5122 R12: 00000000ffe483e0
+ R13: 00000000ffe485c4 R14: ffff8803ac985918 R15: 00000000ffe483e8
+ FS:  0000000000000000(0000) GS:ffff880407400000(0063) knlGS:00000000f7a46980
+ CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
+ CR2: 00000000ffe48400 CR3: 00000003a83f2003 CR4: 00000000003606f0
+ Call Trace:
+  v4l2_compat_ioctl32+0x1aec/0x27a0 [videodev]
+  ? __fsnotify_inode_delete+0x20/0x20
+  ? __put_v4l2_format32+0x4d0/0x4d0 [videodev]
+  compat_SyS_ioctl+0x646/0x14d0
+  ? do_ioctl+0x30/0x30
+  do_fast_syscall_32+0x191/0x3f4
+  entry_SYSENTER_compat+0x6b/0x7a
+ Code: 4c 89 f7 4d 8d 7c 24 08 e8 e6 a4 69 cb 48 8b 83 98 1a 00 00 48 83 e8 10 49 39 c7 0f 87 9d 01 00 00 49 8d 7c 24 20 e8 c8 a4 69 cb <4d> 8b 74 24 20 4c 89 ef 4c 89 fe ba 10 00 00 00 e8 23 d9 08 cc
+ RIP: __put_v4l2_format32+0x98/0x4d0 [videodev] RSP: ffff8803b9be7d30
+ CR2: 00000000ffe48400
+
+cc: stable@vger.kernel.org
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-compat-ioctl32.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
+@@ -101,7 +101,7 @@ static int get_v4l2_window32(struct v4l2
+ static int put_v4l2_window32(struct v4l2_window __user *kp,
+                            struct v4l2_window32 __user *up)
+ {
+-      struct v4l2_clip __user *kclips = kp->clips;
++      struct v4l2_clip __user *kclips;
+       struct v4l2_clip32 __user *uclips;
+       compat_caddr_t p;
+       u32 clipcount;
+@@ -116,6 +116,8 @@ static int put_v4l2_window32(struct v4l2
+       if (!clipcount)
+               return 0;
++      if (get_user(kclips, &kp->clips))
++              return -EFAULT;
+       if (get_user(p, &up->clips))
+               return -EFAULT;
+       uclips = compat_ptr(p);
diff --git a/queue-4.16/media-v4l2-core-fix-size-of-devnode_nums-bitarray.patch b/queue-4.16/media-v4l2-core-fix-size-of-devnode_nums-bitarray.patch
new file mode 100644 (file)
index 0000000..1c298ef
--- /dev/null
@@ -0,0 +1,261 @@
+From a95845ba184b854106972f5d8f50354c2d272c06 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Date: Thu, 5 Apr 2018 06:51:15 -0300
+Subject: media: v4l2-core: fix size of devnode_nums[] bitarray
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+
+commit a95845ba184b854106972f5d8f50354c2d272c06 upstream.
+
+The size of devnode_nums[] bit array is too short to store information
+for VFL_TYPE_TOUCH. That causes it to override other memory regions.
+
+Thankfully, on recent reports, it is overriding video_device[] array,
+trigging a WARN_ON(). Yet, it just warns about the problem, but let
+the code excecuting, with generates an OOPS:
+
+[   43.177394] WARNING: CPU: 1 PID: 711 at drivers/media/v4l2-core/v4l2-dev.c:945 __video_register_device+0xc99/0x1090 [videodev]
+[   43.177396] Modules linked in: hid_sensor_custom hid_sensor_als hid_sensor_incl_3d hid_sensor_rotation hid_sensor_magn_3d hid_sensor_accel_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf joydev hid_sensor_iio_common hid_rmi(+) rmi_core industrialio videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev hid_multitouch media hid_sensor_hub binfmt_misc nls_iso8859_1 snd_hda_codec_hdmi arc4 snd_soc_skl snd_soc_skl_ipc snd_hda_ext_core snd_soc_sst_dsp snd_soc_sst_ipc snd_hda_codec_realtek snd_soc_acpi snd_hda_codec_generic snd_soc_core snd_compress ac97_bus snd_pcm_dmaengine snd_hda_intel snd_hda_codec intel_rapl snd_hda_core x86_pkg_temp_thermal snd_hwdep intel_powerclamp coretemp snd_pcm kvm_intel snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul
+[   43.177426]  crc32_pclmul ghash_clmulni_intel iwlmvm pcbc mac80211 snd_seq aesni_intel iwlwifi aes_x86_64 snd_seq_device crypto_simd glue_helper cryptd snd_timer intel_cstate intel_rapl_perf input_leds serio_raw intel_wmi_thunderbolt snd wmi_bmof cfg80211 soundcore ideapad_laptop sparse_keymap idma64 virt_dma tpm_crb acpi_pad int3400_thermal acpi_thermal_rel intel_pch_thermal processor_thermal_device mac_hid int340x_thermal_zone mei_me intel_soc_dts_iosf mei intel_lpss_pci shpchp intel_lpss sch_fq_codel vfio_pci nfsd vfio_virqfd parport_pc ppdev auth_rpcgss nfs_acl lockd grace lp parport sunrpc ip_tables x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i915 i2c_algo_bit drm_kms_helper syscopyarea sdhci_pci sysfillrect
+[   43.177466]  sysimgblt cqhci fb_sys_fops sdhci drm i2c_hid wmi hid video pinctrl_sunrisepoint pinctrl_intel
+[   43.177474] CPU: 1 PID: 711 Comm: systemd-udevd Not tainted 4.16.0 #1
+[   43.177475] Hardware name: LENOVO 80UE/VIUU4, BIOS 2UCN10T 10/14/2016
+[   43.177481] RIP: 0010:__video_register_device+0xc99/0x1090 [videodev]
+[   43.177482] RSP: 0000:ffffa5c5c231b420 EFLAGS: 00010202
+[   43.177484] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000000
+[   43.177485] RDX: ffffffffc0c44cc0 RSI: ffffffffffffffff RDI: ffffffffc0c44cc0
+[   43.177486] RBP: ffffa5c5c231b478 R08: ffffffffc0c96900 R09: ffff8eda1a51f018
+[   43.177487] R10: 0000000000000600 R11: 00000000000003b6 R12: 0000000000000000
+[   43.177488] R13: 0000000000000005 R14: ffffffffc0c96900 R15: ffff8eda1d6d91c0
+[   43.177489] FS:  00007fd2d8ef2480(0000) GS:ffff8eda33480000(0000) knlGS:0000000000000000
+[   43.177490] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   43.177491] CR2: 00007ffe0a6ad01c CR3: 0000000456ae2004 CR4: 00000000003606e0
+[   43.177492] Call Trace:
+[   43.177498]  ? devres_add+0x5f/0x70
+[   43.177502]  rmi_f54_probe+0x437/0x470 [rmi_core]
+[   43.177505]  rmi_function_probe+0x25/0x30 [rmi_core]
+[   43.177507]  driver_probe_device+0x310/0x480
+[   43.177509]  __device_attach_driver+0x86/0x100
+[   43.177511]  ? __driver_attach+0xf0/0xf0
+[   43.177512]  bus_for_each_drv+0x6b/0xb0
+[   43.177514]  __device_attach+0xdd/0x160
+[   43.177516]  device_initial_probe+0x13/0x20
+[   43.177518]  bus_probe_device+0x95/0xa0
+[   43.177519]  device_add+0x44b/0x680
+[   43.177522]  rmi_register_function+0x62/0xd0 [rmi_core]
+[   43.177525]  rmi_create_function+0x112/0x1a0 [rmi_core]
+[   43.177527]  ? rmi_driver_clear_irq_bits+0xc0/0xc0 [rmi_core]
+[   43.177530]  rmi_scan_pdt+0xca/0x1a0 [rmi_core]
+[   43.177535]  rmi_init_functions+0x5b/0x120 [rmi_core]
+[   43.177537]  rmi_driver_probe+0x152/0x3c0 [rmi_core]
+[   43.177547]  ? sysfs_create_link+0x25/0x40
+[   43.177549]  driver_probe_device+0x310/0x480
+[   43.177551]  __device_attach_driver+0x86/0x100
+[   43.177553]  ? __driver_attach+0xf0/0xf0
+[   43.177554]  bus_for_each_drv+0x6b/0xb0
+[   43.177556]  __device_attach+0xdd/0x160
+[   43.177558]  device_initial_probe+0x13/0x20
+[   43.177560]  bus_probe_device+0x95/0xa0
+[   43.177561]  device_add+0x44b/0x680
+[   43.177564]  rmi_register_transport_device+0x84/0x100 [rmi_core]
+[   43.177568]  rmi_input_configured+0xbf/0x1a0 [hid_rmi]
+[   43.177571]  ? input_allocate_device+0xdf/0xf0
+[   43.177574]  hidinput_connect+0x4a9/0x37a0 [hid]
+[   43.177578]  hid_connect+0x326/0x3d0 [hid]
+[   43.177581]  hid_hw_start+0x42/0x70 [hid]
+[   43.177583]  rmi_probe+0x115/0x510 [hid_rmi]
+[   43.177586]  hid_device_probe+0xd3/0x150 [hid]
+[   43.177588]  ? sysfs_create_link+0x25/0x40
+[   43.177590]  driver_probe_device+0x310/0x480
+[   43.177592]  __driver_attach+0xbf/0xf0
+[   43.177593]  ? driver_probe_device+0x480/0x480
+[   43.177595]  bus_for_each_dev+0x74/0xb0
+[   43.177597]  ? kmem_cache_alloc_trace+0x1a6/0x1c0
+[   43.177599]  driver_attach+0x1e/0x20
+[   43.177600]  bus_add_driver+0x167/0x260
+[   43.177602]  ? 0xffffffffc0cbc000
+[   43.177604]  driver_register+0x60/0xe0
+[   43.177605]  ? 0xffffffffc0cbc000
+[   43.177607]  __hid_register_driver+0x63/0x70 [hid]
+[   43.177610]  rmi_driver_init+0x23/0x1000 [hid_rmi]
+[   43.177612]  do_one_initcall+0x52/0x191
+[   43.177615]  ? _cond_resched+0x19/0x40
+[   43.177617]  ? kmem_cache_alloc_trace+0xa2/0x1c0
+[   43.177619]  ? do_init_module+0x27/0x209
+[   43.177621]  do_init_module+0x5f/0x209
+[   43.177623]  load_module+0x1987/0x1f10
+[   43.177626]  ? ima_post_read_file+0x96/0xa0
+[   43.177629]  SYSC_finit_module+0xfc/0x120
+[   43.177630]  ? SYSC_finit_module+0xfc/0x120
+[   43.177632]  SyS_finit_module+0xe/0x10
+[   43.177634]  do_syscall_64+0x73/0x130
+[   43.177637]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+[   43.177638] RIP: 0033:0x7fd2d880b839
+[   43.177639] RSP: 002b:00007ffe0a6b2368 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[   43.177641] RAX: ffffffffffffffda RBX: 000055cdd86542e0 RCX: 00007fd2d880b839
+[   43.177641] RDX: 0000000000000000 RSI: 00007fd2d84ea0e5 RDI: 0000000000000016
+[   43.177642] RBP: 00007fd2d84ea0e5 R08: 0000000000000000 R09: 00007ffe0a6b2480
+[   43.177643] R10: 0000000000000016 R11: 0000000000000246 R12: 0000000000000000
+[   43.177644] R13: 000055cdd8688930 R14: 0000000000020000 R15: 000055cdd86542e0
+[   43.177645] Code: 48 c7 c7 54 b4 c3 c0 e8 96 9d ec dd e9 d4 fb ff ff 0f 0b 41 be ea ff ff ff e9 c7 fb ff ff 0f 0b 41 be ea ff ff ff e9 ba fb ff ff <0f> 0b e9 d8 f4 ff ff 83 fa 01 0f 84 c4 02 00 00 48 83 78 68 00
+[   43.177675] ---[ end trace d44d9bc41477c2dd ]---
+[   43.177679] BUG: unable to handle kernel NULL pointer dereference at 0000000000000499
+[   43.177723] IP: __video_register_device+0x1cc/0x1090 [videodev]
+[   43.177749] PGD 0 P4D 0
+[   43.177764] Oops: 0000 [#1] SMP PTI
+[   43.177780] Modules linked in: hid_sensor_custom hid_sensor_als hid_sensor_incl_3d hid_sensor_rotation hid_sensor_magn_3d hid_sensor_accel_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf joydev hid_sensor_iio_common hid_rmi(+) rmi_core industrialio videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev hid_multitouch media hid_sensor_hub binfmt_misc nls_iso8859_1 snd_hda_codec_hdmi arc4 snd_soc_skl snd_soc_skl_ipc snd_hda_ext_core snd_soc_sst_dsp snd_soc_sst_ipc snd_hda_codec_realtek snd_soc_acpi snd_hda_codec_generic snd_soc_core snd_compress ac97_bus snd_pcm_dmaengine snd_hda_intel snd_hda_codec intel_rapl snd_hda_core x86_pkg_temp_thermal snd_hwdep intel_powerclamp coretemp snd_pcm kvm_intel snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul
+[   43.178055]  crc32_pclmul ghash_clmulni_intel iwlmvm pcbc mac80211 snd_seq aesni_intel iwlwifi aes_x86_64 snd_seq_device crypto_simd glue_helper cryptd snd_timer intel_cstate intel_rapl_perf input_leds serio_raw intel_wmi_thunderbolt snd wmi_bmof cfg80211 soundcore ideapad_laptop sparse_keymap idma64 virt_dma tpm_crb acpi_pad int3400_thermal acpi_thermal_rel intel_pch_thermal processor_thermal_device mac_hid int340x_thermal_zone mei_me intel_soc_dts_iosf mei intel_lpss_pci shpchp intel_lpss sch_fq_codel vfio_pci nfsd vfio_virqfd parport_pc ppdev auth_rpcgss nfs_acl lockd grace lp parport sunrpc ip_tables x_tables autofs4 hid_logitech_hidpp hid_logitech_dj hid_generic usbhid kvmgt vfio_mdev mdev vfio_iommu_type1 vfio kvm irqbypass i915 i2c_algo_bit drm_kms_helper syscopyarea sdhci_pci sysfillrect
+[   43.178337]  sysimgblt cqhci fb_sys_fops sdhci drm i2c_hid wmi hid video pinctrl_sunrisepoint pinctrl_intel
+[   43.178380] CPU: 1 PID: 711 Comm: systemd-udevd Tainted: G        W        4.16.0 #1
+[   43.178411] Hardware name: LENOVO 80UE/VIUU4, BIOS 2UCN10T 10/14/2016
+[   43.178441] RIP: 0010:__video_register_device+0x1cc/0x1090 [videodev]
+[   43.178467] RSP: 0000:ffffa5c5c231b420 EFLAGS: 00010202
+[   43.178490] RAX: ffffffffc0c44cc0 RBX: 0000000000000005 RCX: ffffffffc0c454c0
+[   43.178519] RDX: 0000000000000001 RSI: ffff8eda1d6d9118 RDI: ffffffffc0c44cc0
+[   43.178549] RBP: ffffa5c5c231b478 R08: ffffffffc0c96900 R09: ffff8eda1a51f018
+[   43.178579] R10: 0000000000000600 R11: 00000000000003b6 R12: 0000000000000000
+[   43.178608] R13: 0000000000000005 R14: ffffffffc0c96900 R15: ffff8eda1d6d91c0
+[   43.178636] FS:  00007fd2d8ef2480(0000) GS:ffff8eda33480000(0000) knlGS:0000000000000000
+[   43.178669] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   43.178693] CR2: 0000000000000499 CR3: 0000000456ae2004 CR4: 00000000003606e0
+[   43.178721] Call Trace:
+[   43.178736]  ? devres_add+0x5f/0x70
+[   43.178755]  rmi_f54_probe+0x437/0x470 [rmi_core]
+[   43.178779]  rmi_function_probe+0x25/0x30 [rmi_core]
+[   43.178805]  driver_probe_device+0x310/0x480
+[   43.178828]  __device_attach_driver+0x86/0x100
+[   43.178851]  ? __driver_attach+0xf0/0xf0
+[   43.178884]  bus_for_each_drv+0x6b/0xb0
+[   43.178904]  __device_attach+0xdd/0x160
+[   43.178925]  device_initial_probe+0x13/0x20
+[   43.178948]  bus_probe_device+0x95/0xa0
+[   43.178968]  device_add+0x44b/0x680
+[   43.178987]  rmi_register_function+0x62/0xd0 [rmi_core]
+[   43.181747]  rmi_create_function+0x112/0x1a0 [rmi_core]
+[   43.184677]  ? rmi_driver_clear_irq_bits+0xc0/0xc0 [rmi_core]
+[   43.187505]  rmi_scan_pdt+0xca/0x1a0 [rmi_core]
+[   43.190171]  rmi_init_functions+0x5b/0x120 [rmi_core]
+[   43.192809]  rmi_driver_probe+0x152/0x3c0 [rmi_core]
+[   43.195403]  ? sysfs_create_link+0x25/0x40
+[   43.198253]  driver_probe_device+0x310/0x480
+[   43.201083]  __device_attach_driver+0x86/0x100
+[   43.203800]  ? __driver_attach+0xf0/0xf0
+[   43.206503]  bus_for_each_drv+0x6b/0xb0
+[   43.209291]  __device_attach+0xdd/0x160
+[   43.212207]  device_initial_probe+0x13/0x20
+[   43.215146]  bus_probe_device+0x95/0xa0
+[   43.217885]  device_add+0x44b/0x680
+[   43.220597]  rmi_register_transport_device+0x84/0x100 [rmi_core]
+[   43.223321]  rmi_input_configured+0xbf/0x1a0 [hid_rmi]
+[   43.226051]  ? input_allocate_device+0xdf/0xf0
+[   43.228814]  hidinput_connect+0x4a9/0x37a0 [hid]
+[   43.231701]  hid_connect+0x326/0x3d0 [hid]
+[   43.234548]  hid_hw_start+0x42/0x70 [hid]
+[   43.237302]  rmi_probe+0x115/0x510 [hid_rmi]
+[   43.239862]  hid_device_probe+0xd3/0x150 [hid]
+[   43.242558]  ? sysfs_create_link+0x25/0x40
+[   43.242828] audit: type=1400 audit(1522795151.600:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/4206/usr/lib/snapd/snap-confine" pid=1151 comm="apparmor_parser"
+[   43.244859]  driver_probe_device+0x310/0x480
+[   43.244862]  __driver_attach+0xbf/0xf0
+[   43.246982] audit: type=1400 audit(1522795151.600:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/4206/usr/lib/snapd/snap-confine//mount-namespace-capture-helper" pid=1151 comm="apparmor_parser"
+[   43.249403]  ? driver_probe_device+0x480/0x480
+[   43.249405]  bus_for_each_dev+0x74/0xb0
+[   43.253200] audit: type=1400 audit(1522795151.600:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/snap/core/4206/usr/lib/snapd/snap-confine//snap_update_ns" pid=1151 comm="apparmor_parser"
+[   43.254055]  ? kmem_cache_alloc_trace+0x1a6/0x1c0
+[   43.256282] audit: type=1400 audit(1522795151.604:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/sbin/dhclient" pid=1152 comm="apparmor_parser"
+[   43.258436]  driver_attach+0x1e/0x20
+[   43.260875] audit: type=1400 audit(1522795151.604:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1152 comm="apparmor_parser"
+[   43.263118]  bus_add_driver+0x167/0x260
+[   43.267676] audit: type=1400 audit(1522795151.604:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1152 comm="apparmor_parser"
+[   43.268807]  ? 0xffffffffc0cbc000
+[   43.268812]  driver_register+0x60/0xe0
+[   43.271184] audit: type=1400 audit(1522795151.604:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1152 comm="apparmor_parser"
+[   43.274081]  ? 0xffffffffc0cbc000
+[   43.274086]  __hid_register_driver+0x63/0x70 [hid]
+[   43.288367]  rmi_driver_init+0x23/0x1000 [hid_rmi]
+[   43.291501]  do_one_initcall+0x52/0x191
+[   43.292348] audit: type=1400 audit(1522795151.652:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=1242 comm="apparmor_parser"
+[   43.294212]  ? _cond_resched+0x19/0x40
+[   43.300028]  ? kmem_cache_alloc_trace+0xa2/0x1c0
+[   43.303475]  ? do_init_module+0x27/0x209
+[   43.306842]  do_init_module+0x5f/0x209
+[   43.310269]  load_module+0x1987/0x1f10
+[   43.313704]  ? ima_post_read_file+0x96/0xa0
+[   43.317174]  SYSC_finit_module+0xfc/0x120
+[   43.320754]  ? SYSC_finit_module+0xfc/0x120
+[   43.324065]  SyS_finit_module+0xe/0x10
+[   43.327387]  do_syscall_64+0x73/0x130
+[   43.330909]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+[   43.334305] RIP: 0033:0x7fd2d880b839
+[   43.337810] RSP: 002b:00007ffe0a6b2368 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[   43.341259] RAX: ffffffffffffffda RBX: 000055cdd86542e0 RCX: 00007fd2d880b839
+[   43.344613] RDX: 0000000000000000 RSI: 00007fd2d84ea0e5 RDI: 0000000000000016
+[   43.347962] RBP: 00007fd2d84ea0e5 R08: 0000000000000000 R09: 00007ffe0a6b2480
+[   43.351456] R10: 0000000000000016 R11: 0000000000000246 R12: 0000000000000000
+[   43.354845] R13: 000055cdd8688930 R14: 0000000000020000 R15: 000055cdd86542e0
+[   43.358224] Code: c7 05 ad 12 02 00 00 00 00 00 48 8d 88 00 08 00 00 eb 09 48 83 c0 08 48 39 c1 74 31 48 8b 10 48 85 d2 74 ef 49 8b b7 98 04 00 00 <48> 39 b2 98 04 00 00 75 df 48 63 92 f8 04 00 00 f0 48 0f ab 15
+[   43.361764] RIP: __video_register_device+0x1cc/0x1090 [videodev] RSP: ffffa5c5c231b420
+[   43.365281] CR2: 0000000000000499
+
+This patch fixes the array size and changes the WARN_ON() to return an error,
+instead of letting the Kernel to proceed with registering.
+
+Cc: stable@vger.kernel.org # For Kernel 4.16
+Fixes: 4839c58f034a ("media: v4l2-dev: convert VFL_TYPE_* into an enum")
+Reported-by: Peter Geis <pgwipeout@gmail.com>
+Reported-by: Jaak Ristioja <jaak@ristioja.ee>
+Reported-by: MichaƂ Siemek <mihau69@gmail.com>
+Reviewed-by: Hans Verkuil <hans.verkuil@cisco.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/v4l2-core/v4l2-dev.c |    8 ++++++--
+ include/media/v4l2-dev.h           |   12 ++++++------
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-dev.c
++++ b/drivers/media/v4l2-core/v4l2-dev.c
+@@ -939,10 +939,14 @@ int __video_register_device(struct video
+ #endif
+       vdev->minor = i + minor_offset;
+       vdev->num = nr;
+-      devnode_set(vdev);
+       /* Should not happen since we thought this minor was free */
+-      WARN_ON(video_device[vdev->minor] != NULL);
++      if (WARN_ON(video_device[vdev->minor])) {
++              mutex_unlock(&videodev_lock);
++              printk(KERN_ERR "video_device not empty!\n");
++              return -ENFILE;
++      }
++      devnode_set(vdev);
+       vdev->index = get_index(vdev);
+       video_device[vdev->minor] = vdev;
+       mutex_unlock(&videodev_lock);
+--- a/include/media/v4l2-dev.h
++++ b/include/media/v4l2-dev.h
+@@ -33,13 +33,13 @@
+  */
+ enum vfl_devnode_type {
+       VFL_TYPE_GRABBER        = 0,
+-      VFL_TYPE_VBI            = 1,
+-      VFL_TYPE_RADIO          = 2,
+-      VFL_TYPE_SUBDEV         = 3,
+-      VFL_TYPE_SDR            = 4,
+-      VFL_TYPE_TOUCH          = 5,
++      VFL_TYPE_VBI,
++      VFL_TYPE_RADIO,
++      VFL_TYPE_SUBDEV,
++      VFL_TYPE_SDR,
++      VFL_TYPE_TOUCH,
++      VFL_TYPE_MAX /* Shall be the last one */
+ };
+-#define VFL_TYPE_MAX VFL_TYPE_TOUCH
+ /**
+  * enum  vfl_direction - Identifies if a &struct video_device corresponds