From nobody Thu Nov 14 05:22:29 2024 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82100C00528 for ; Sat, 29 Jul 2023 03:47:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235910AbjG2Drv (ORCPT ); Fri, 28 Jul 2023 23:47:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53082 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229786AbjG2Drs (ORCPT ); Fri, 28 Jul 2023 23:47:48 -0400 Received: from mailgw02.mediatek.com (unknown [210.61.82.184]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1DA5A1BF4; Fri, 28 Jul 2023 20:47:45 -0700 (PDT) X-UUID: a9a41ef42dc211eeb20a276fd37b9834-20230729 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:CC:To:From; bh=VEEwb4tnPlSsH6KiOPFjEFlmYoO7OdGBRVj4QRhhkX8=; b=QWcKjRfNKBgRomPpJKTqceViG5ZSiTlcPlAFn3LxWgOtT6QFfNirfFOYXmOxwpPGsxnuS8HdMrP6M9Rqop7fjMafY2oTWSf7TivQoN23VRJmIAmwEpWw1g4ZK27UpoEoDrJ+NO/R96uBgjVVZFNbSkstxJ6kMC1kiXh3m6cuzto=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.30,REQID:38872fc2-1c6e-4c2c-8807-fa4d6781310a,IP:0,U RL:0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Release_Ham,ACTI ON:release,TS:70 X-CID-INFO: VERSION:1.1.30,REQID:38872fc2-1c6e-4c2c-8807-fa4d6781310a,IP:0,URL :0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Spam_GS981B3D,ACTI ON:quarantine,TS:70 X-CID-META: VersionHash:1fcc6f8,CLOUDID:314b73d2-cd77-4e67-bbfd-aa4eaace762f,B ulkID:23072911474039E37PVW,BulkQuantity:0,Recheck:0,SF:17|19|48|38|29|28,T C:nil,Content:0,EDM:-3,IP:nil,URL:0,File:nil,Bulk:nil,QS:nil,BEC:nil,COL:0 ,OSI:0,OSA:0,AV:0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0 X-CID-BVR: 0 X-CID-BAS: 0,_,0,_ X-CID-FACTOR: TF_CID_SPAM_SDM,TF_CID_SPAM_ASC,TF_CID_SPAM_FAS,TF_CID_SPAM_FSD, TF_CID_SPAM_SNR X-UUID: a9a41ef42dc211eeb20a276fd37b9834-20230729 Received: from mtkmbs13n1.mediatek.inc [(172.21.101.193)] by mailgw02.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 652089822; Sat, 29 Jul 2023 11:47:38 +0800 Received: from mtkmbs13n1.mediatek.inc (172.21.101.193) by mtkmbs10n2.mediatek.inc (172.21.101.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Sat, 29 Jul 2023 11:47:37 +0800 Received: from mhfsdcap04.gcn.mediatek.inc (10.17.3.154) by mtkmbs13n1.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1118.26 via Frontend Transport; Sat, 29 Jul 2023 11:47:36 +0800 From: Yunfei Dong To: =?UTF-8?q?N=C3=ADcolas=20F=20=2E=20R=20=2E=20A=20=2E=20Prado?= , Nicolas Dufresne , Hans Verkuil , AngeloGioacchino Del Regno , Benjamin Gaignard , Nathan Hebert CC: Chen-Yu Tsai , Hsin-Yi Wang , Fritz Koenig , Daniel Vetter , "Steve Cho" , Yunfei Dong , , , , , , Subject: [PATCH v3,2/2] media: mediatek: vcodec: Fix possible invalid memory access for encoder Date: Sat, 29 Jul 2023 11:47:35 +0800 Message-ID: <20230729034735.17213-2-yunfei.dong@mediatek.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230729034735.17213-1-yunfei.dong@mediatek.com> References: <20230729034735.17213-1-yunfei.dong@mediatek.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-MTK: N Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The vpu maybe null pointer or unreasonable value when scp crash, need to validate that the vpu pointer and the vpu instance within this context is valid in case of leading to kernel reboot. Fixes: 27a274db6b4c6 ("[media] vcodec: mediatek: Add Mediatek VP8 Video Enc= oder Driver") Signed-off-by: Yunfei Dong Reported-by: Steve Cho --- .../vcodec/encoder/mtk_vcodec_enc_drv.h | 2 + .../mediatek/vcodec/encoder/venc_vpu_if.c | 39 +++++++++++++++++-- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_= drv.h b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h index c07010e566492..a042f607ed8d1 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h +++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h @@ -123,6 +123,7 @@ struct mtk_enc_params { * @xfer_func: enum v4l2_xfer_func, colorspace transfer function * * @q_mutex: vb2_queue mutex. + * @vpu_inst: vpu instance pointer. */ struct mtk_vcodec_enc_ctx { enum mtk_instance_type type; @@ -156,6 +157,7 @@ struct mtk_vcodec_enc_ctx { enum v4l2_xfer_func xfer_func; =20 struct mutex q_mutex; + void *vpu_inst; }; =20 /** diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c b= /drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c index 708db1bb32d44..b10f3544b2411 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c +++ b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c @@ -42,19 +42,46 @@ static void handle_enc_encode_msg(struct venc_vpu_inst = *vpu, const void *data) vpu->is_key_frm =3D msg->is_key_frm; } =20 +static bool vpu_enc_check_ap_inst(struct mtk_vcodec_enc_dev *enc_dev, stru= ct venc_vpu_inst *vpu) +{ + struct mtk_vcodec_enc_ctx *ctx; + int ret =3D false; + + list_for_each_entry(ctx, &enc_dev->ctx_list, list) { + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst =3D=3D vpu) { + ret =3D true; + break; + } + } + + return ret; +} + static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv) { + struct mtk_vcodec_enc_dev *enc_dev; const struct venc_vpu_ipi_msg_common *msg =3D data; - struct venc_vpu_inst *vpu =3D - (struct venc_vpu_inst *)(unsigned long)msg->venc_inst; + struct venc_vpu_inst *vpu; + + enc_dev =3D (struct mtk_vcodec_enc_dev *)priv; + vpu =3D (struct venc_vpu_inst *)(unsigned long)msg->venc_inst; + if (!priv || !vpu) { + mtk_v4l2_venc_err(vpu->ctx, "venc_inst is NULL, did the SCP hang or cras= h?"); + return; + } =20 mtk_venc_debug(vpu->ctx, "msg_id %x inst %p status %d", msg->msg_id, vpu,= msg->status); + if (!vpu_enc_check_ap_inst(enc_dev, vpu) || msg->msg_id < VPU_IPIMSG_ENC_= INIT_DONE || + msg->msg_id > VPU_IPIMSG_ENC_DEINIT_DONE) { + mtk_v4l2_venc_err(vpu->ctx, "venc msg id not correctly =3D> 0x%x", msg->= msg_id); + vpu->failure =3D -EINVAL; + goto error; + } =20 - vpu->signaled =3D 1; vpu->failure =3D (msg->status !=3D VENC_IPI_MSG_STATUS_OK); if (vpu->failure) { mtk_venc_err(vpu->ctx, "vpu enc status failure %d", vpu->failure); - return; + goto error; } =20 switch (msg->msg_id) { @@ -72,6 +99,9 @@ static void vpu_enc_ipi_handler(void *data, unsigned int = len, void *priv) mtk_venc_err(vpu->ctx, "unknown msg id %x", msg->msg_id); break; } + +error: + vpu->signaled =3D 1; } =20 static int vpu_enc_send_msg(struct venc_vpu_inst *vpu, void *msg, @@ -105,6 +135,7 @@ int vpu_enc_init(struct venc_vpu_inst *vpu) init_waitqueue_head(&vpu->wq_hd); vpu->signaled =3D 0; vpu->failure =3D 0; + vpu->ctx->vpu_inst =3D vpu; =20 status =3D mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id, vpu_enc_ipi_handler, "venc", NULL); --=20 2.18.0