From patchwork Mon Jul 17 08:13:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yunfei Dong X-Patchwork-Id: 13315332 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 13533C001B0 for ; Mon, 17 Jul 2023 08:14:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Type: Content-Transfer-Encoding:MIME-Version:Message-ID:Date:Subject:CC:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=qrbYFQFTULswIVhKXIXxxBSaDew7tCRdcz9YCkBbjFU=; b=mJY0ltJxLgv7/DYZltI4mD6uy2 bNpn/+dzsScsFK0bAs8WA3jYR76E3nuRIIgoYvC+X7UdshyFq3a/qo2vreLlpsda0l2mOa9/mgirK lhe/DahmtT96iIT35OXeMc0BdH21VxEwWxhNg4UOhV12ffHKZQ5yz6cXAD5DIfptCauBbYuicOBIR ajvGt4RmIY1WFf2vNVOf5c2MIgPF1N93Sjq0W3Q0mdJCeDSwYxQDa7ewwctBRJzu/PJoXpSqZ6orJ 1dugnWFZfjqAMCeSHF5P03yiORxYfNLOTFhbpg4ffsIsWaq2CcK8xdl17tWJZiNBEDiokMZt8TD1O K6UqWJFA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.96 #2 (Red Hat Linux)) id 1qLJMa-003Qj7-1I; Mon, 17 Jul 2023 08:13:48 +0000 Received: from mailgw02.mediatek.com ([216.200.240.185]) by bombadil.infradead.org with esmtps (Exim 4.96 #2 (Red Hat Linux)) id 1qLJMT-003QgX-2O; Mon, 17 Jul 2023 08:13:45 +0000 X-UUID: d3dfe632247911ee83ed1395ce914268-20230717 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Date:Subject:CC:To:From; bh=qrbYFQFTULswIVhKXIXxxBSaDew7tCRdcz9YCkBbjFU=; b=DrYPNBzljaB4+MEv+Fw1DjxXv4eOD6290fxfNwMcQbwIQx4R3i1xE06dIg5b2r8SRZOUEh9GzsfHQVFui516xyScSui/45Oiw1rxSp5xqgm4YmNEUMZRAz1QE6ADxgItx+/EODT9oMcgYuMzu6CDRUlqp8bScD/FXEqz5eNAMw4=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.28,REQID:03fab6a1-5a58-4db4-8ce5-0b380e573ce7,IP:0,U RL:0,TC:0,Content:-25,EDM:0,RT:0,SF:0,FILE:0,BULK:0,RULE:Release_Ham,ACTIO N:release,TS:-25 X-CID-META: VersionHash:176cd25,CLOUDID:9f74ca4c-06c1-468b-847d-5b62d44dbb9b,B ulkID:nil,BulkQuantity:0,Recheck:0,SF:102,TC:nil,Content:0,EDM:-3,IP:nil,U RL:0,File:nil,Bulk:nil,QS:nil,BEC:nil,COL:0,OSI:0,OSA:0,AV:0,LES:1,SPR:NO, DKR:0,DKP:0 X-CID-BVR: 0,NGT X-CID-BAS: 0,NGT,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR X-UUID: d3dfe632247911ee83ed1395ce914268-20230717 Received: from mtkmbs11n1.mediatek.inc [(172.21.101.185)] by mailgw02.mediatek.com (envelope-from ) (musrelay.mediatek.com ESMTP with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 2144330251; Mon, 17 Jul 2023 01:13:35 -0700 Received: from mtkmbs13n2.mediatek.inc (172.21.101.108) by mtkmbs11n1.mediatek.inc (172.21.101.185) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Mon, 17 Jul 2023 16:13:21 +0800 Received: from mhfsdcap04.gcn.mediatek.inc (10.17.3.154) by mtkmbs13n2.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1118.26 via Frontend Transport; Mon, 17 Jul 2023 16:13:20 +0800 From: Yunfei Dong To: =?utf-8?q?N=C3=ADcolas_F_=2E_R_=2E_A_=2E_Prado?= , Nicolas Dufresne , Hans Verkuil , AngeloGioacchino Del Regno , Benjamin Gaignard , Nathan Hebert CC: Chen-Yu Tsai , Hsin-Yi Wang , Fritz Koenig , Daniel Vetter , Steve Cho , Yunfei Dong , , , , , , Subject: [PATCH 1/2] media: mediatek: vcodec: checking decoder ack message parameter Date: Mon, 17 Jul 2023 16:13:18 +0800 Message-ID: <20230717081319.12542-1-yunfei.dong@mediatek.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-MTK: N X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20230717_011341_809842_C40066F7 X-CRM114-Status: GOOD ( 16.37 ) X-BeenThere: linux-mediatek@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "Linux-mediatek" Errors-To: linux-mediatek-bounces+linux-mediatek=archiver.kernel.org@lists.infradead.org Need to checking all parameters of msg data are valid or not, in case of access null pointer or unreasonable value leading to kernel reboot. Signed-off-by: Yunfei Dong Reviewed-by: Nicolas Dufresne --- .../vcodec/decoder/mtk_vcodec_dec_drv.h | 2 + .../mediatek/vcodec/decoder/vdec_vpu_if.c | 77 ++++++++++++------- 2 files changed, 52 insertions(+), 27 deletions(-) diff --git a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h index c8b4374c5e6c..1ea5dbb475dd 100644 --- a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h +++ b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h @@ -160,6 +160,7 @@ struct mtk_vcodec_dec_pdata { * @hw_id: hardware index used to identify different hardware. * * @msg_queue: msg queue used to store lat buffer information. + * @vpu_inst: vpu instance pointer. */ struct mtk_vcodec_dec_ctx { enum mtk_instance_type type; @@ -202,6 +203,7 @@ struct mtk_vcodec_dec_ctx { int hw_id; struct vdec_msg_queue msg_queue; + void *vpu_inst; }; /** diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c index 82c3dc8c4127..23cfe5c6c90b 100644 --- a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c +++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c @@ -72,6 +72,21 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms } } +static bool vpu_dec_check_ap_inst(struct mtk_vcodec_dec_dev *dec_dev, struct vdec_vpu_inst *vpu) +{ + struct mtk_vcodec_dec_ctx *ctx; + int ret = false; + + list_for_each_entry(ctx, &dec_dev->ctx_list, list) { + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) { + ret = true; + break; + } + } + + return ret; +} + /* * vpu_dec_ipi_handler - Handler for VPU ipi message. * @@ -84,44 +99,51 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms */ static void vpu_dec_ipi_handler(void *data, unsigned int len, void *priv) { + struct mtk_vcodec_dec_dev *dec_dev; const struct vdec_vpu_ipi_ack *msg = data; - struct vdec_vpu_inst *vpu = (struct vdec_vpu_inst *) - (unsigned long)msg->ap_inst_addr; + struct vdec_vpu_inst *vpu; - if (!vpu) { + dec_dev = (struct mtk_vcodec_dec_dev *)priv; + vpu = (struct vdec_vpu_inst *)(unsigned long)msg->ap_inst_addr; + if (!priv || !vpu) { mtk_v4l2_vdec_err(vpu->ctx, "ap_inst_addr is NULL, did the SCP hang or crash?"); return; } - mtk_vdec_debug(vpu->ctx, "+ id=%X", msg->msg_id); + if (!vpu_dec_check_ap_inst(dec_dev, vpu) || msg->msg_id < VPU_IPIMSG_DEC_INIT_ACK || + msg->msg_id > VPU_IPIMSG_DEC_GET_PARAM_ACK) { + mtk_v4l2_vdec_err(vpu->ctx, "vdec msg id not correctly => 0x%x", msg->msg_id); + vpu->failure = -EINVAL; + goto error; + } vpu->failure = msg->status; - vpu->signaled = 1; + if (msg->status != 0) + goto error; - if (msg->status == 0) { - switch (msg->msg_id) { - case VPU_IPIMSG_DEC_INIT_ACK: - handle_init_ack_msg(data); - break; + switch (msg->msg_id) { + case VPU_IPIMSG_DEC_INIT_ACK: + handle_init_ack_msg(data); + break; - case VPU_IPIMSG_DEC_START_ACK: - case VPU_IPIMSG_DEC_END_ACK: - case VPU_IPIMSG_DEC_DEINIT_ACK: - case VPU_IPIMSG_DEC_RESET_ACK: - case VPU_IPIMSG_DEC_CORE_ACK: - case VPU_IPIMSG_DEC_CORE_END_ACK: - break; + case VPU_IPIMSG_DEC_START_ACK: + case VPU_IPIMSG_DEC_END_ACK: + case VPU_IPIMSG_DEC_DEINIT_ACK: + case VPU_IPIMSG_DEC_RESET_ACK: + case VPU_IPIMSG_DEC_CORE_ACK: + case VPU_IPIMSG_DEC_CORE_END_ACK: + break; - case VPU_IPIMSG_DEC_GET_PARAM_ACK: - handle_get_param_msg_ack(data); - break; - default: - mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id); - break; - } + case VPU_IPIMSG_DEC_GET_PARAM_ACK: + handle_get_param_msg_ack(data); + break; + default: + mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id); + break; } - mtk_vdec_debug(vpu->ctx, "- id=%X", msg->msg_id); +error: + vpu->signaled = 1; } static int vcodec_vpu_send_msg(struct vdec_vpu_inst *vpu, void *msg, int len) @@ -182,9 +204,10 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu) init_waitqueue_head(&vpu->wq); vpu->handler = vpu_dec_ipi_handler; + vpu->ctx->vpu_inst = vpu; err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id, - vpu->handler, "vdec", NULL); + vpu->handler, "vdec", vpu->ctx->dev); if (err) { mtk_vdec_err(vpu->ctx, "vpu_ipi_register fail status=%d", err); return err; @@ -193,7 +216,7 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu) if (vpu->ctx->dev->vdec_pdata->hw_arch == MTK_VDEC_LAT_SINGLE_CORE) { err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->core_id, vpu->handler, - "vdec", NULL); + "vdec", vpu->ctx->dev); if (err) { mtk_vdec_err(vpu->ctx, "vpu_ipi_register core fail status=%d", err); return err;