From nobody Thu Nov 14 05:26:37 2024 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AC374C41513 for ; Wed, 2 Aug 2023 14:53:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234601AbjHBOxS (ORCPT ); Wed, 2 Aug 2023 10:53:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48840 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234574AbjHBOxP (ORCPT ); Wed, 2 Aug 2023 10:53:15 -0400 Received: from mailgw02.mediatek.com (unknown [210.61.82.184]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B9E1B1982; Wed, 2 Aug 2023 07:53:12 -0700 (PDT) X-UUID: 4a24474e314411eeb20a276fd37b9834-20230802 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:CC:To:From; bh=WvUeVFDPb4EMGYbb53F91WRmcOa9itzlcYCTFvFRYc0=; b=BFjldis3sw6qPYpI46hV4kYF3sxOaAoMzOewVRZY428Hsp5+bwY8oBMycGo6UzyjL7dHa4/Cp0yZC894yLuwCaTuNQKfEgTjK6D1bntBYXixl+JqVr9YL2KTiMUTYlSBozehR/r2fyWSqaEewi7G2Lq2tHBhFshA9u6GSIdJwfM=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.30,REQID:96ab9bb7-1710-4953-afa4-411264a870f3,IP:0,U RL:0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Release_Ham,ACTI ON:release,TS:70 X-CID-INFO: VERSION:1.1.30,REQID:96ab9bb7-1710-4953-afa4-411264a870f3,IP:0,URL :0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Spam_GS981B3D,ACTI ON:quarantine,TS:70 X-CID-META: VersionHash:1fcc6f8,CLOUDID:638ed1a0-0933-4333-8d4f-6c3c53ebd55b,B ulkID:230802225309PPL6E4CR,BulkQuantity:0,Recheck:0,SF:38|29|28|17|19|48,T C:nil,Content:0,EDM:-3,IP:nil,URL:0,File:nil,Bulk:nil,QS:nil,BEC:nil,COL:0 ,OSI:0,OSA:0,AV:0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0 X-CID-BVR: 0 X-CID-BAS: 0,_,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR,TF_CID_SPAM_SDM,TF_CID_SPAM_ASC,TF_CID_SPAM_FAS, TF_CID_SPAM_FSD X-UUID: 4a24474e314411eeb20a276fd37b9834-20230802 Received: from mtkmbs14n1.mediatek.inc [(172.21.101.75)] by mailgw02.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 1035919754; Wed, 02 Aug 2023 22:53:06 +0800 Received: from mtkmbs11n2.mediatek.inc (172.21.101.187) by mtkmbs10n2.mediatek.inc (172.21.101.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Wed, 2 Aug 2023 22:53:06 +0800 Received: from mhfsdcap04.gcn.mediatek.inc (10.17.3.154) by mtkmbs11n2.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1118.26 via Frontend Transport; Wed, 2 Aug 2023 22:53:05 +0800 From: Yunfei Dong To: =?UTF-8?q?N=C3=ADcolas=20F=20=2E=20R=20=2E=20A=20=2E=20Prado?= , Nicolas Dufresne , Hans Verkuil , AngeloGioacchino Del Regno , Benjamin Gaignard , Nathan Hebert CC: Chen-Yu Tsai , Hsin-Yi Wang , Fritz Koenig , Daniel Vetter , "Steve Cho" , Yunfei Dong , , , , , , Subject: [PATCH v4,2/2] media: mediatek: vcodec: Fix possible invalid memory access for encoder Date: Wed, 2 Aug 2023 22:53:02 +0800 Message-ID: <20230802145303.28765-2-yunfei.dong@mediatek.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230802145303.28765-1-yunfei.dong@mediatek.com> References: <20230802145303.28765-1-yunfei.dong@mediatek.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-MTK: N Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The vpu maybe null pointer or unreasonable value when scp crash, need to validate that the vpu pointer and the vpu instance within this context is valid in case of leading to kernel reboot. Fixes: 27a274db6b4c6 ("[media] vcodec: mediatek: Add Mediatek VP8 Video Enc= oder Driver") Signed-off-by: Yunfei Dong Reported-by: Steve Cho --- .../vcodec/encoder/mtk_vcodec_enc_drv.h | 2 + .../mediatek/vcodec/encoder/venc_vpu_if.c | 39 +++++++++++++++++-- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_= drv.h b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h index c07010e56649..a042f607ed8d 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h +++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h @@ -123,6 +123,7 @@ struct mtk_enc_params { * @xfer_func: enum v4l2_xfer_func, colorspace transfer function * * @q_mutex: vb2_queue mutex. + * @vpu_inst: vpu instance pointer. */ struct mtk_vcodec_enc_ctx { enum mtk_instance_type type; @@ -156,6 +157,7 @@ struct mtk_vcodec_enc_ctx { enum v4l2_xfer_func xfer_func; =20 struct mutex q_mutex; + void *vpu_inst; }; =20 /** diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c b= /drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c index 708db1bb32d4..d299cc2962a5 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c +++ b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c @@ -42,19 +42,46 @@ static void handle_enc_encode_msg(struct venc_vpu_inst = *vpu, const void *data) vpu->is_key_frm =3D msg->is_key_frm; } =20 +static bool vpu_enc_check_ap_inst(struct mtk_vcodec_enc_dev *enc_dev, stru= ct venc_vpu_inst *vpu) +{ + struct mtk_vcodec_enc_ctx *ctx; + int ret =3D false; + + list_for_each_entry(ctx, &enc_dev->ctx_list, list) { + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst =3D=3D vpu) { + ret =3D true; + break; + } + } + + return ret; +} + static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv) { + struct mtk_vcodec_enc_dev *enc_dev; const struct venc_vpu_ipi_msg_common *msg =3D data; - struct venc_vpu_inst *vpu =3D - (struct venc_vpu_inst *)(unsigned long)msg->venc_inst; + struct venc_vpu_inst *vpu; + + enc_dev =3D (struct mtk_vcodec_enc_dev *)priv; + vpu =3D (struct venc_vpu_inst *)(unsigned long)msg->venc_inst; + if (!priv || !vpu) { + pr_err(MTK_DBG_V4L2_STR "venc_inst is NULL, did the SCP hang or crash?"); + return; + } =20 mtk_venc_debug(vpu->ctx, "msg_id %x inst %p status %d", msg->msg_id, vpu,= msg->status); + if (!vpu_enc_check_ap_inst(enc_dev, vpu) || msg->msg_id < VPU_IPIMSG_ENC_= INIT_DONE || + msg->msg_id > VPU_IPIMSG_ENC_DEINIT_DONE) { + mtk_v4l2_venc_err(vpu->ctx, "venc msg id not correctly =3D> 0x%x", msg->= msg_id); + vpu->failure =3D -EINVAL; + goto error; + } =20 - vpu->signaled =3D 1; vpu->failure =3D (msg->status !=3D VENC_IPI_MSG_STATUS_OK); if (vpu->failure) { mtk_venc_err(vpu->ctx, "vpu enc status failure %d", vpu->failure); - return; + goto error; } =20 switch (msg->msg_id) { @@ -72,6 +99,9 @@ static void vpu_enc_ipi_handler(void *data, unsigned int = len, void *priv) mtk_venc_err(vpu->ctx, "unknown msg id %x", msg->msg_id); break; } + +error: + vpu->signaled =3D 1; } =20 static int vpu_enc_send_msg(struct venc_vpu_inst *vpu, void *msg, @@ -105,6 +135,7 @@ int vpu_enc_init(struct venc_vpu_inst *vpu) init_waitqueue_head(&vpu->wq_hd); vpu->signaled =3D 0; vpu->failure =3D 0; + vpu->ctx->vpu_inst =3D vpu; =20 status =3D mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id, vpu_enc_ipi_handler, "venc", NULL); --=20 2.18.0