From patchwork Sat Jul 29 03:47:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?b?WXVuZmVpIERvbmcgKOiRo+S6kemjnik=?= X-Patchwork-Id: 128012 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:918b:0:b0:3e4:2afc:c1 with SMTP id s11csp864393vqg; Fri, 28 Jul 2023 22:50:25 -0700 (PDT) X-Google-Smtp-Source: APBJJlEpCiI/IerzjhNI4HcW8JZCeilzGLxO4aNRSH4fTwQ+cYlYzJhG6OkMRl1JWG65eaSxAWUP X-Received: by 2002:a17:903:1205:b0:1b3:fb76:215b with SMTP id l5-20020a170903120500b001b3fb76215bmr3588262plh.48.1690609824976; Fri, 28 Jul 2023 22:50:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690609824; cv=none; d=google.com; s=arc-20160816; b=bjJr4qUlHbwXk2oLxGDrt+7NG3GhzYIFbL9oTA+JjY51Du/ROICVcyCrojChAczDbn vIQk7wCZ/LGr/uaVFXtWdpT35Hs1AQhAHmwImwOHf417IGwV9b/PC21CC7K2jGUqeuzq AFzSxUQ7bCuH4gwAk3yl6gMkFT1LGIot8HgdhOeQ8cTkZtZSzLTwuFDwSXkF0yts35wD rVQJVd+yYwhFzsx6Bf/wlgX86KH3l83WeZQ9wjlyXrsxeDOZYnw6LZD/G/8WL/yTWXdI oaizvN9e6bkYJeAVd5KBWOYA5fFg9C2aSPOUa/a52VLMtZVToV7sc6OrG/oooFK7Dh02 /gHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=frF69WcvIrOzT+hgDUhxie4Ou+1gy38h2cbfiP5qp9M=; fh=dnvkKDphEn4iJqR7Zr9ymMkUoTSWsQaqOPrldMKPwU0=; b=ebsEwfe59RSNVGkmPHnVMAuMPTmeIoWwmgzocsD7yXiXtPNRK7YYTF8ip2nUCNaSg/ qrO9AseiwISPA5+TWPT4aj+Ix/VaIkOHw5Kq025dxyp3AVSsQdHu8Kyxeclw7vAifawn duIjklMZGMxvtv7Vp02nzkaLpwaVamgpuCJxkS9OHGyuqvqVr1qc1yV69bHga/UTRGWs F/ssISXjWmEyUckRrgy9MHLJ0q6nm3t7d8Yp4sdU3r2vuulfSm/HkxcrjH1LYhuItPw2 3/yWko2wFiwTpFBQK0Md1UrYaSNmrEA9LyWd5qkQZASowBW2gUxYc1gA7Vu6dHLeH+Hb FGAA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b="h/a5AWvK"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n10-20020a170902d0ca00b001b20e2ba8e1si438353pln.23.2023.07.28.22.50.07; Fri, 28 Jul 2023 22:50:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b="h/a5AWvK"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236454AbjG2Dr4 (ORCPT + 99 others); Fri, 28 Jul 2023 23:47:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53084 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230054AbjG2Drs (ORCPT ); Fri, 28 Jul 2023 23:47:48 -0400 Received: from mailgw02.mediatek.com (unknown [210.61.82.184]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C84E61FC4; Fri, 28 Jul 2023 20:47:46 -0700 (PDT) X-UUID: a91437bc2dc211eeb20a276fd37b9834-20230729 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Date:Subject:CC:To:From; bh=frF69WcvIrOzT+hgDUhxie4Ou+1gy38h2cbfiP5qp9M=; b=h/a5AWvKMydJonaXh1hmoVBbPZIQshv25/vicuEutmRpBn7AyHyitwFxFQAijEC83HOI5TOZiBghRxnYKkU6ApyzvgYm7YSqX8et7Wlz42toINI2cbRNVF6ty4ueiB7ekSYExlbsUVF7pOg0P2FLvzXp5DP+67ofk0IZmmaGlS0=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.30,REQID:da99ce63-e99e-40ff-b3f9-9d974c1e1dbb,IP:0,U RL:0,TC:0,Content:-25,EDM:0,RT:0,SF:0,FILE:0,BULK:0,RULE:Release_Ham,ACTIO N:release,TS:-25 X-CID-META: VersionHash:1fcc6f8,CLOUDID:be3a9442-d291-4e62-b539-43d7d78362ba,B ulkID:nil,BulkQuantity:0,Recheck:0,SF:102,TC:nil,Content:0,EDM:-3,IP:nil,U RL:0,File:nil,Bulk:nil,QS:nil,BEC:nil,COL:0,OSI:0,OSA:0,AV:0,LES:1,SPR:NO, DKR:0,DKP:0,BRR:0,BRE:0 X-CID-BVR: 0 X-CID-BAS: 0,_,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR X-UUID: a91437bc2dc211eeb20a276fd37b9834-20230729 Received: from mtkmbs10n2.mediatek.inc [(172.21.101.183)] by mailgw02.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 2096234705; Sat, 29 Jul 2023 11:47:37 +0800 Received: from mtkmbs13n1.mediatek.inc (172.21.101.193) by MTKMBS14N1.mediatek.inc (172.21.101.75) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Sat, 29 Jul 2023 11:47:36 +0800 Received: from mhfsdcap04.gcn.mediatek.inc (10.17.3.154) by mtkmbs13n1.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1118.26 via Frontend Transport; Sat, 29 Jul 2023 11:47:35 +0800 From: Yunfei Dong To: =?utf-8?q?N=C3=ADcolas_F_=2E_R_=2E_A_=2E_Prado?= , Nicolas Dufresne , Hans Verkuil , AngeloGioacchino Del Regno , Benjamin Gaignard , Nathan Hebert CC: Chen-Yu Tsai , Hsin-Yi Wang , Fritz Koenig , Daniel Vetter , Steve Cho , Yunfei Dong , , , , , , Subject: [PATCH v3,1/2] media: mediatek: vcodec: Fix possible invalid memory access for decoder Date: Sat, 29 Jul 2023 11:47:34 +0800 Message-ID: <20230729034735.17213-1-yunfei.dong@mediatek.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-MTK: N X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,RDNS_NONE,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772732887861107087 X-GMAIL-MSGID: 1772732887861107087 The vpu maybe null pointer or unreasonable value when scp crash, need to validate that the vpu pointer and the vpu instance within this context is valid in case of leading to kernel reboot. Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") Signed-off-by: Yunfei Dong Reported-by: Steve Cho Reviewed-by: Nicolas Dufresne --- - compared with v2: - rewrite the commit message for patch 01 and 02. - add Reported-by and Fixes tag. - fix smatch fail for patch 02/2. --- .../vcodec/decoder/mtk_vcodec_dec_drv.h | 2 + .../mediatek/vcodec/decoder/vdec_vpu_if.c | 77 ++++++++++++------- 2 files changed, 52 insertions(+), 27 deletions(-) diff --git a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h index 6c318de25a55e..7e36b2c69b7d1 100644 --- a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h +++ b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h @@ -161,6 +161,7 @@ struct mtk_vcodec_dec_pdata { * @hw_id: hardware index used to identify different hardware. * * @msg_queue: msg queue used to store lat buffer information. + * @vpu_inst: vpu instance pointer. * * @is_10bit_bitstream: set to true if it's 10bit bitstream */ @@ -205,6 +206,7 @@ struct mtk_vcodec_dec_ctx { int hw_id; struct vdec_msg_queue msg_queue; + void *vpu_inst; bool is_10bit_bitstream; }; diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c index 82c3dc8c41273..23cfe5c6c90b7 100644 --- a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c +++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c @@ -72,6 +72,21 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms } } +static bool vpu_dec_check_ap_inst(struct mtk_vcodec_dec_dev *dec_dev, struct vdec_vpu_inst *vpu) +{ + struct mtk_vcodec_dec_ctx *ctx; + int ret = false; + + list_for_each_entry(ctx, &dec_dev->ctx_list, list) { + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) { + ret = true; + break; + } + } + + return ret; +} + /* * vpu_dec_ipi_handler - Handler for VPU ipi message. * @@ -84,44 +99,51 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms */ static void vpu_dec_ipi_handler(void *data, unsigned int len, void *priv) { + struct mtk_vcodec_dec_dev *dec_dev; const struct vdec_vpu_ipi_ack *msg = data; - struct vdec_vpu_inst *vpu = (struct vdec_vpu_inst *) - (unsigned long)msg->ap_inst_addr; + struct vdec_vpu_inst *vpu; - if (!vpu) { + dec_dev = (struct mtk_vcodec_dec_dev *)priv; + vpu = (struct vdec_vpu_inst *)(unsigned long)msg->ap_inst_addr; + if (!priv || !vpu) { mtk_v4l2_vdec_err(vpu->ctx, "ap_inst_addr is NULL, did the SCP hang or crash?"); return; } - mtk_vdec_debug(vpu->ctx, "+ id=%X", msg->msg_id); + if (!vpu_dec_check_ap_inst(dec_dev, vpu) || msg->msg_id < VPU_IPIMSG_DEC_INIT_ACK || + msg->msg_id > VPU_IPIMSG_DEC_GET_PARAM_ACK) { + mtk_v4l2_vdec_err(vpu->ctx, "vdec msg id not correctly => 0x%x", msg->msg_id); + vpu->failure = -EINVAL; + goto error; + } vpu->failure = msg->status; - vpu->signaled = 1; + if (msg->status != 0) + goto error; - if (msg->status == 0) { - switch (msg->msg_id) { - case VPU_IPIMSG_DEC_INIT_ACK: - handle_init_ack_msg(data); - break; + switch (msg->msg_id) { + case VPU_IPIMSG_DEC_INIT_ACK: + handle_init_ack_msg(data); + break; - case VPU_IPIMSG_DEC_START_ACK: - case VPU_IPIMSG_DEC_END_ACK: - case VPU_IPIMSG_DEC_DEINIT_ACK: - case VPU_IPIMSG_DEC_RESET_ACK: - case VPU_IPIMSG_DEC_CORE_ACK: - case VPU_IPIMSG_DEC_CORE_END_ACK: - break; + case VPU_IPIMSG_DEC_START_ACK: + case VPU_IPIMSG_DEC_END_ACK: + case VPU_IPIMSG_DEC_DEINIT_ACK: + case VPU_IPIMSG_DEC_RESET_ACK: + case VPU_IPIMSG_DEC_CORE_ACK: + case VPU_IPIMSG_DEC_CORE_END_ACK: + break; - case VPU_IPIMSG_DEC_GET_PARAM_ACK: - handle_get_param_msg_ack(data); - break; - default: - mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id); - break; - } + case VPU_IPIMSG_DEC_GET_PARAM_ACK: + handle_get_param_msg_ack(data); + break; + default: + mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id); + break; } - mtk_vdec_debug(vpu->ctx, "- id=%X", msg->msg_id); +error: + vpu->signaled = 1; } static int vcodec_vpu_send_msg(struct vdec_vpu_inst *vpu, void *msg, int len) @@ -182,9 +204,10 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu) init_waitqueue_head(&vpu->wq); vpu->handler = vpu_dec_ipi_handler; + vpu->ctx->vpu_inst = vpu; err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id, - vpu->handler, "vdec", NULL); + vpu->handler, "vdec", vpu->ctx->dev); if (err) { mtk_vdec_err(vpu->ctx, "vpu_ipi_register fail status=%d", err); return err; @@ -193,7 +216,7 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu) if (vpu->ctx->dev->vdec_pdata->hw_arch == MTK_VDEC_LAT_SINGLE_CORE) { err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->core_id, vpu->handler, - "vdec", NULL); + "vdec", vpu->ctx->dev); if (err) { mtk_vdec_err(vpu->ctx, "vpu_ipi_register core fail status=%d", err); return err; From patchwork Sat Jul 29 03:47:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?b?WXVuZmVpIERvbmcgKOiRo+S6kemjnik=?= X-Patchwork-Id: 128029 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:918b:0:b0:3e4:2afc:c1 with SMTP id s11csp899308vqg; Sat, 29 Jul 2023 00:36:45 -0700 (PDT) X-Google-Smtp-Source: APBJJlFIaqucbYi/62WmoWCdx1nmlMrntxauKMy6NNIJJnoNn/c6CP4ZHMbGUu9sErPC5ejgShu5 X-Received: by 2002:aa7:d903:0:b0:522:5799:d5e7 with SMTP id a3-20020aa7d903000000b005225799d5e7mr3741867edr.26.1690616205330; Sat, 29 Jul 2023 00:36:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690616205; cv=none; d=google.com; s=arc-20160816; b=RyR6SsFiGS6h0xEG2wX2zPspV9Q4ZSojHp6iFqrvsSswJQjWjUlVd/X5kIF69/sUPX QXrO4ZHAwhJPQ8qZX5CAKOcTmabhxI9s8IXX02fWiVk4aFJr7ggb/M/TfOIQBvJHr03b 38m79G/MOQqF75HwLOXglPsxlooH7iBvxQ/czUMwfzz1GcXwcB/H5HDPfMi9aqque3i4 jDP0sQrCmIl6N+1RtC3SefHRqqijtu2HzxmMJZhs1YiCpjCx0t2BcZsIO17DBcYHTYBN qXpuZrt/8nlY2U4sWwfghQvQXgssy/9LNqZyp7UoarRHb8MoXOJOLmZJa4qFZzZb664L jj/w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=VEEwb4tnPlSsH6KiOPFjEFlmYoO7OdGBRVj4QRhhkX8=; fh=JNu33da7kzA6xRV91jumLxXvft4D8QIU8MqbM9iLAMY=; b=JA0xvQdh+PdysxWyJFYne5hAy/WHbe3Ya0SbIfppd5jtlK4YMPG1F/Jg6s8c7orB0o EW6Yuk0svkR/6L//Dp98W86QuDDSmxs5oIq9E4LeO6iDD0mP+jhWhMhxg3jxjSTIAnbW aorJbTRiMryJS0Wv57n17SLcKvi7RGsUhCHkFsOwCFwtpRo1SKb9rkEDtFp4W0E5pQX6 /TmqfqLJa+DefPQu3+SUjx+khrw28DkUIe8iLDYV0Z/98hm8GymFKrQDkJnC4AKsPOps D6y6MIBfpqiO6/D1NDjs5E2o6Dn07OiBaCDMvw1B1IqAxaWQz3BOJp11hHe55pquyIGG 048g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=QWcKjRfN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f14-20020a056402150e00b00522ab2a485dsi1338886edw.579.2023.07.29.00.36.21; Sat, 29 Jul 2023 00:36:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=QWcKjRfN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235679AbjG2Dru (ORCPT + 99 others); Fri, 28 Jul 2023 23:47:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53082 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229786AbjG2Drs (ORCPT ); Fri, 28 Jul 2023 23:47:48 -0400 Received: from mailgw02.mediatek.com (unknown [210.61.82.184]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1DA5A1BF4; Fri, 28 Jul 2023 20:47:45 -0700 (PDT) X-UUID: a9a41ef42dc211eeb20a276fd37b9834-20230729 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:CC:To:From; bh=VEEwb4tnPlSsH6KiOPFjEFlmYoO7OdGBRVj4QRhhkX8=; b=QWcKjRfNKBgRomPpJKTqceViG5ZSiTlcPlAFn3LxWgOtT6QFfNirfFOYXmOxwpPGsxnuS8HdMrP6M9Rqop7fjMafY2oTWSf7TivQoN23VRJmIAmwEpWw1g4ZK27UpoEoDrJ+NO/R96uBgjVVZFNbSkstxJ6kMC1kiXh3m6cuzto=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.30,REQID:38872fc2-1c6e-4c2c-8807-fa4d6781310a,IP:0,U RL:0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Release_Ham,ACTI ON:release,TS:70 X-CID-INFO: VERSION:1.1.30,REQID:38872fc2-1c6e-4c2c-8807-fa4d6781310a,IP:0,URL :0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Spam_GS981B3D,ACTI ON:quarantine,TS:70 X-CID-META: VersionHash:1fcc6f8,CLOUDID:314b73d2-cd77-4e67-bbfd-aa4eaace762f,B ulkID:23072911474039E37PVW,BulkQuantity:0,Recheck:0,SF:17|19|48|38|29|28,T C:nil,Content:0,EDM:-3,IP:nil,URL:0,File:nil,Bulk:nil,QS:nil,BEC:nil,COL:0 ,OSI:0,OSA:0,AV:0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0 X-CID-BVR: 0 X-CID-BAS: 0,_,0,_ X-CID-FACTOR: TF_CID_SPAM_SDM,TF_CID_SPAM_ASC,TF_CID_SPAM_FAS,TF_CID_SPAM_FSD, TF_CID_SPAM_SNR X-UUID: a9a41ef42dc211eeb20a276fd37b9834-20230729 Received: from mtkmbs13n1.mediatek.inc [(172.21.101.193)] by mailgw02.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 652089822; Sat, 29 Jul 2023 11:47:38 +0800 Received: from mtkmbs13n1.mediatek.inc (172.21.101.193) by mtkmbs10n2.mediatek.inc (172.21.101.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Sat, 29 Jul 2023 11:47:37 +0800 Received: from mhfsdcap04.gcn.mediatek.inc (10.17.3.154) by mtkmbs13n1.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1118.26 via Frontend Transport; Sat, 29 Jul 2023 11:47:36 +0800 From: Yunfei Dong To: =?utf-8?q?N=C3=ADcolas_F_=2E_R_=2E_A_=2E_Prado?= , Nicolas Dufresne , Hans Verkuil , AngeloGioacchino Del Regno , Benjamin Gaignard , Nathan Hebert CC: Chen-Yu Tsai , Hsin-Yi Wang , Fritz Koenig , Daniel Vetter , "Steve Cho" , Yunfei Dong , , , , , , Subject: [PATCH v3,2/2] media: mediatek: vcodec: Fix possible invalid memory access for encoder Date: Sat, 29 Jul 2023 11:47:35 +0800 Message-ID: <20230729034735.17213-2-yunfei.dong@mediatek.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230729034735.17213-1-yunfei.dong@mediatek.com> References: <20230729034735.17213-1-yunfei.dong@mediatek.com> MIME-Version: 1.0 X-MTK: N X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,RDNS_NONE,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1772739577912000664 X-GMAIL-MSGID: 1772739577912000664 The vpu maybe null pointer or unreasonable value when scp crash, need to validate that the vpu pointer and the vpu instance within this context is valid in case of leading to kernel reboot. Fixes: 27a274db6b4c6 ("[media] vcodec: mediatek: Add Mediatek VP8 Video Encoder Driver") Signed-off-by: Yunfei Dong Reported-by: Steve Cho --- .../vcodec/encoder/mtk_vcodec_enc_drv.h | 2 + .../mediatek/vcodec/encoder/venc_vpu_if.c | 39 +++++++++++++++++-- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h index c07010e566492..a042f607ed8d1 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h +++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h @@ -123,6 +123,7 @@ struct mtk_enc_params { * @xfer_func: enum v4l2_xfer_func, colorspace transfer function * * @q_mutex: vb2_queue mutex. + * @vpu_inst: vpu instance pointer. */ struct mtk_vcodec_enc_ctx { enum mtk_instance_type type; @@ -156,6 +157,7 @@ struct mtk_vcodec_enc_ctx { enum v4l2_xfer_func xfer_func; struct mutex q_mutex; + void *vpu_inst; }; /** diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c index 708db1bb32d44..b10f3544b2411 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c +++ b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c @@ -42,19 +42,46 @@ static void handle_enc_encode_msg(struct venc_vpu_inst *vpu, const void *data) vpu->is_key_frm = msg->is_key_frm; } +static bool vpu_enc_check_ap_inst(struct mtk_vcodec_enc_dev *enc_dev, struct venc_vpu_inst *vpu) +{ + struct mtk_vcodec_enc_ctx *ctx; + int ret = false; + + list_for_each_entry(ctx, &enc_dev->ctx_list, list) { + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) { + ret = true; + break; + } + } + + return ret; +} + static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv) { + struct mtk_vcodec_enc_dev *enc_dev; const struct venc_vpu_ipi_msg_common *msg = data; - struct venc_vpu_inst *vpu = - (struct venc_vpu_inst *)(unsigned long)msg->venc_inst; + struct venc_vpu_inst *vpu; + + enc_dev = (struct mtk_vcodec_enc_dev *)priv; + vpu = (struct venc_vpu_inst *)(unsigned long)msg->venc_inst; + if (!priv || !vpu) { + mtk_v4l2_venc_err(vpu->ctx, "venc_inst is NULL, did the SCP hang or crash?"); + return; + } mtk_venc_debug(vpu->ctx, "msg_id %x inst %p status %d", msg->msg_id, vpu, msg->status); + if (!vpu_enc_check_ap_inst(enc_dev, vpu) || msg->msg_id < VPU_IPIMSG_ENC_INIT_DONE || + msg->msg_id > VPU_IPIMSG_ENC_DEINIT_DONE) { + mtk_v4l2_venc_err(vpu->ctx, "venc msg id not correctly => 0x%x", msg->msg_id); + vpu->failure = -EINVAL; + goto error; + } - vpu->signaled = 1; vpu->failure = (msg->status != VENC_IPI_MSG_STATUS_OK); if (vpu->failure) { mtk_venc_err(vpu->ctx, "vpu enc status failure %d", vpu->failure); - return; + goto error; } switch (msg->msg_id) { @@ -72,6 +99,9 @@ static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv) mtk_venc_err(vpu->ctx, "unknown msg id %x", msg->msg_id); break; } + +error: + vpu->signaled = 1; } static int vpu_enc_send_msg(struct venc_vpu_inst *vpu, void *msg, @@ -105,6 +135,7 @@ int vpu_enc_init(struct venc_vpu_inst *vpu) init_waitqueue_head(&vpu->wq_hd); vpu->signaled = 0; vpu->failure = 0; + vpu->ctx->vpu_inst = vpu; status = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id, vpu_enc_ipi_handler, "venc", NULL);