From patchwork Sat Jul 29 03:47:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yunfei Dong X-Patchwork-Id: 13333026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id B3A4CC001DC for ; Sat, 29 Jul 2023 03:48:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:CC:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=f2ms/KbMMMRXeJxvZ1l+wkhY+7u4gD4m93WWVuv4S7k=; b=4i0almr1D7fVQR OtZjgfb/lPSjoeYTWv0CNS9KzWGbCTJyOg7OpmPG0ZgcYk7CeVLjLdOLTcpLqgg4kRzwnGjnAiMan IrP14xTVlZuj84jcJZuNKwvuqhq3edzkXlRdVWFKZ5lquFR0m79AIg3pbcd2YSiFYxhelEZLWvLvs 34RKR6laRy6lNXuV/2SISvYArdKnxFS4HKHT8cfQke38RLkZ+FR3EZN28ygw1SvB0lacz+ztOoXsy CXHj33o2nGjipwCUHJJpY8kZfW6nZixubJvQcbzfLV40bZJD/LyPNxfdUEQEtaP5UUb2cftlXkmDP t6dpBsagQs+cIZezEn9g==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1qPavj-0067Kn-26; Sat, 29 Jul 2023 03:47:47 +0000 Received: from mailgw01.mediatek.com ([216.200.240.184]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1qPavg-0067K8-0g; Sat, 29 Jul 2023 03:47:45 +0000 X-UUID: aa775fd02dc211ee912e1518a6540028-20230728 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:CC:To:From; bh=VEEwb4tnPlSsH6KiOPFjEFlmYoO7OdGBRVj4QRhhkX8=; b=QWcKjRfNKBgRomPpJKTqceViG5ZSiTlcPlAFn3LxWgOtT6QFfNirfFOYXmOxwpPGsxnuS8HdMrP6M9Rqop7fjMafY2oTWSf7TivQoN23VRJmIAmwEpWw1g4ZK27UpoEoDrJ+NO/R96uBgjVVZFNbSkstxJ6kMC1kiXh3m6cuzto=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.30,REQID:803ae234-dd8f-4685-aa95-47b7c6b54f3f,IP:0,U RL:0,TC:0,Content:-25,EDM:0,RT:0,SF:0,FILE:0,BULK:0,RULE:Release_Ham,ACTIO N:release,TS:-25 X-CID-META: VersionHash:1fcc6f8,CLOUDID:334b73d2-cd77-4e67-bbfd-aa4eaace762f,B ulkID:nil,BulkQuantity:0,Recheck:0,SF:102,TC:nil,Content:0,EDM:-3,IP:nil,U RL:0,File:nil,Bulk:nil,QS:nil,BEC:nil,COL:0,OSI:0,OSA:0,AV:0,LES:1,SPR:NO, DKR:0,DKP:0,BRR:0,BRE:0 X-CID-BVR: 0 X-CID-BAS: 0,_,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR X-UUID: aa775fd02dc211ee912e1518a6540028-20230728 Received: from mtkmbs13n2.mediatek.inc [(172.21.101.108)] by mailgw01.mediatek.com (envelope-from ) (musrelay.mediatek.com ESMTP with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 6396897; Fri, 28 Jul 2023 20:47:40 -0700 Received: from mtkmbs13n1.mediatek.inc (172.21.101.193) by mtkmbs10n2.mediatek.inc (172.21.101.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Sat, 29 Jul 2023 11:47:37 +0800 Received: from mhfsdcap04.gcn.mediatek.inc (10.17.3.154) by mtkmbs13n1.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1118.26 via Frontend Transport; Sat, 29 Jul 2023 11:47:36 +0800 From: Yunfei Dong To: =?utf-8?q?N=C3=ADcolas_F_=2E_R_=2E_A_=2E_Prado?= , Nicolas Dufresne , Hans Verkuil , AngeloGioacchino Del Regno , Benjamin Gaignard , Nathan Hebert CC: Chen-Yu Tsai , Hsin-Yi Wang , Fritz Koenig , Daniel Vetter , "Steve Cho" , Yunfei Dong , , , , , , Subject: [PATCH v3,2/2] media: mediatek: vcodec: Fix possible invalid memory access for encoder Date: Sat, 29 Jul 2023 11:47:35 +0800 Message-ID: <20230729034735.17213-2-yunfei.dong@mediatek.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230729034735.17213-1-yunfei.dong@mediatek.com> References: <20230729034735.17213-1-yunfei.dong@mediatek.com> MIME-Version: 1.0 X-MTK: N X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230728_204744_284212_9EAF5ED0 X-CRM114-Status: GOOD ( 15.68 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org The vpu maybe null pointer or unreasonable value when scp crash, need to validate that the vpu pointer and the vpu instance within this context is valid in case of leading to kernel reboot. Fixes: 27a274db6b4c6 ("[media] vcodec: mediatek: Add Mediatek VP8 Video Encoder Driver") Signed-off-by: Yunfei Dong Reported-by: Steve Cho --- .../vcodec/encoder/mtk_vcodec_enc_drv.h | 2 + .../mediatek/vcodec/encoder/venc_vpu_if.c | 39 +++++++++++++++++-- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h index c07010e566492..a042f607ed8d1 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h +++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h @@ -123,6 +123,7 @@ struct mtk_enc_params { * @xfer_func: enum v4l2_xfer_func, colorspace transfer function * * @q_mutex: vb2_queue mutex. + * @vpu_inst: vpu instance pointer. */ struct mtk_vcodec_enc_ctx { enum mtk_instance_type type; @@ -156,6 +157,7 @@ struct mtk_vcodec_enc_ctx { enum v4l2_xfer_func xfer_func; struct mutex q_mutex; + void *vpu_inst; }; /** diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c index 708db1bb32d44..b10f3544b2411 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c +++ b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c @@ -42,19 +42,46 @@ static void handle_enc_encode_msg(struct venc_vpu_inst *vpu, const void *data) vpu->is_key_frm = msg->is_key_frm; } +static bool vpu_enc_check_ap_inst(struct mtk_vcodec_enc_dev *enc_dev, struct venc_vpu_inst *vpu) +{ + struct mtk_vcodec_enc_ctx *ctx; + int ret = false; + + list_for_each_entry(ctx, &enc_dev->ctx_list, list) { + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) { + ret = true; + break; + } + } + + return ret; +} + static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv) { + struct mtk_vcodec_enc_dev *enc_dev; const struct venc_vpu_ipi_msg_common *msg = data; - struct venc_vpu_inst *vpu = - (struct venc_vpu_inst *)(unsigned long)msg->venc_inst; + struct venc_vpu_inst *vpu; + + enc_dev = (struct mtk_vcodec_enc_dev *)priv; + vpu = (struct venc_vpu_inst *)(unsigned long)msg->venc_inst; + if (!priv || !vpu) { + mtk_v4l2_venc_err(vpu->ctx, "venc_inst is NULL, did the SCP hang or crash?"); + return; + } mtk_venc_debug(vpu->ctx, "msg_id %x inst %p status %d", msg->msg_id, vpu, msg->status); + if (!vpu_enc_check_ap_inst(enc_dev, vpu) || msg->msg_id < VPU_IPIMSG_ENC_INIT_DONE || + msg->msg_id > VPU_IPIMSG_ENC_DEINIT_DONE) { + mtk_v4l2_venc_err(vpu->ctx, "venc msg id not correctly => 0x%x", msg->msg_id); + vpu->failure = -EINVAL; + goto error; + } - vpu->signaled = 1; vpu->failure = (msg->status != VENC_IPI_MSG_STATUS_OK); if (vpu->failure) { mtk_venc_err(vpu->ctx, "vpu enc status failure %d", vpu->failure); - return; + goto error; } switch (msg->msg_id) { @@ -72,6 +99,9 @@ static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv) mtk_venc_err(vpu->ctx, "unknown msg id %x", msg->msg_id); break; } + +error: + vpu->signaled = 1; } static int vpu_enc_send_msg(struct venc_vpu_inst *vpu, void *msg, @@ -105,6 +135,7 @@ int vpu_enc_init(struct venc_vpu_inst *vpu) init_waitqueue_head(&vpu->wq_hd); vpu->signaled = 0; vpu->failure = 0; + vpu->ctx->vpu_inst = vpu; status = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id, vpu_enc_ipi_handler, "venc", NULL);