Need to checking all parameters of msg data are valid or not,
in case of access null pointer or unreasonable value leading
to kernel reboot.
Signed-off-by: Yunfei Dong <[email protected]>
---
.../vcodec/decoder/mtk_vcodec_dec_drv.h | 2 +
.../mediatek/vcodec/decoder/vdec_vpu_if.c | 77 ++++++++++++-------
2 files changed, 52 insertions(+), 27 deletions(-)
diff --git a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h
index c8b4374c5e6c..1ea5dbb475dd 100644
--- a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h
+++ b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h
@@ -160,6 +160,7 @@ struct mtk_vcodec_dec_pdata {
* @hw_id: hardware index used to identify different hardware.
*
* @msg_queue: msg queue used to store lat buffer information.
+ * @vpu_inst: vpu instance pointer.
*/
struct mtk_vcodec_dec_ctx {
enum mtk_instance_type type;
@@ -202,6 +203,7 @@ struct mtk_vcodec_dec_ctx {
int hw_id;
struct vdec_msg_queue msg_queue;
+ void *vpu_inst;
};
/**
diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
index 82c3dc8c4127..23cfe5c6c90b 100644
--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
+++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
@@ -72,6 +72,21 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms
}
}
+static bool vpu_dec_check_ap_inst(struct mtk_vcodec_dec_dev *dec_dev, struct vdec_vpu_inst *vpu)
+{
+ struct mtk_vcodec_dec_ctx *ctx;
+ int ret = false;
+
+ list_for_each_entry(ctx, &dec_dev->ctx_list, list) {
+ if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) {
+ ret = true;
+ break;
+ }
+ }
+
+ return ret;
+}
+
/*
* vpu_dec_ipi_handler - Handler for VPU ipi message.
*
@@ -84,44 +99,51 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms
*/
static void vpu_dec_ipi_handler(void *data, unsigned int len, void *priv)
{
+ struct mtk_vcodec_dec_dev *dec_dev;
const struct vdec_vpu_ipi_ack *msg = data;
- struct vdec_vpu_inst *vpu = (struct vdec_vpu_inst *)
- (unsigned long)msg->ap_inst_addr;
+ struct vdec_vpu_inst *vpu;
- if (!vpu) {
+ dec_dev = (struct mtk_vcodec_dec_dev *)priv;
+ vpu = (struct vdec_vpu_inst *)(unsigned long)msg->ap_inst_addr;
+ if (!priv || !vpu) {
mtk_v4l2_vdec_err(vpu->ctx, "ap_inst_addr is NULL, did the SCP hang or crash?");
return;
}
- mtk_vdec_debug(vpu->ctx, "+ id=%X", msg->msg_id);
+ if (!vpu_dec_check_ap_inst(dec_dev, vpu) || msg->msg_id < VPU_IPIMSG_DEC_INIT_ACK ||
+ msg->msg_id > VPU_IPIMSG_DEC_GET_PARAM_ACK) {
+ mtk_v4l2_vdec_err(vpu->ctx, "vdec msg id not correctly => 0x%x", msg->msg_id);
+ vpu->failure = -EINVAL;
+ goto error;
+ }
vpu->failure = msg->status;
- vpu->signaled = 1;
+ if (msg->status != 0)
+ goto error;
- if (msg->status == 0) {
- switch (msg->msg_id) {
- case VPU_IPIMSG_DEC_INIT_ACK:
- handle_init_ack_msg(data);
- break;
+ switch (msg->msg_id) {
+ case VPU_IPIMSG_DEC_INIT_ACK:
+ handle_init_ack_msg(data);
+ break;
- case VPU_IPIMSG_DEC_START_ACK:
- case VPU_IPIMSG_DEC_END_ACK:
- case VPU_IPIMSG_DEC_DEINIT_ACK:
- case VPU_IPIMSG_DEC_RESET_ACK:
- case VPU_IPIMSG_DEC_CORE_ACK:
- case VPU_IPIMSG_DEC_CORE_END_ACK:
- break;
+ case VPU_IPIMSG_DEC_START_ACK:
+ case VPU_IPIMSG_DEC_END_ACK:
+ case VPU_IPIMSG_DEC_DEINIT_ACK:
+ case VPU_IPIMSG_DEC_RESET_ACK:
+ case VPU_IPIMSG_DEC_CORE_ACK:
+ case VPU_IPIMSG_DEC_CORE_END_ACK:
+ break;
- case VPU_IPIMSG_DEC_GET_PARAM_ACK:
- handle_get_param_msg_ack(data);
- break;
- default:
- mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id);
- break;
- }
+ case VPU_IPIMSG_DEC_GET_PARAM_ACK:
+ handle_get_param_msg_ack(data);
+ break;
+ default:
+ mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id);
+ break;
}
- mtk_vdec_debug(vpu->ctx, "- id=%X", msg->msg_id);
+error:
+ vpu->signaled = 1;
}
static int vcodec_vpu_send_msg(struct vdec_vpu_inst *vpu, void *msg, int len)
@@ -182,9 +204,10 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu)
init_waitqueue_head(&vpu->wq);
vpu->handler = vpu_dec_ipi_handler;
+ vpu->ctx->vpu_inst = vpu;
err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id,
- vpu->handler, "vdec", NULL);
+ vpu->handler, "vdec", vpu->ctx->dev);
if (err) {
mtk_vdec_err(vpu->ctx, "vpu_ipi_register fail status=%d", err);
return err;
@@ -193,7 +216,7 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu)
if (vpu->ctx->dev->vdec_pdata->hw_arch == MTK_VDEC_LAT_SINGLE_CORE) {
err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler,
vpu->core_id, vpu->handler,
- "vdec", NULL);
+ "vdec", vpu->ctx->dev);
if (err) {
mtk_vdec_err(vpu->ctx, "vpu_ipi_register core fail status=%d", err);
return err;
--
2.18.0
Need to checking all parameters of msg data are valid or not,
in case of access null pointer or unreasonable value leading
to kernel reboot.
Signed-off-by: Yunfei Dong <[email protected]>
---
.../vcodec/encoder/mtk_vcodec_enc_drv.h | 2 +
.../mediatek/vcodec/encoder/venc_vpu_if.c | 40 +++++++++++++++++--
2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h
index c07010e56649..a042f607ed8d 100644
--- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h
+++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h
@@ -123,6 +123,7 @@ struct mtk_enc_params {
* @xfer_func: enum v4l2_xfer_func, colorspace transfer function
*
* @q_mutex: vb2_queue mutex.
+ * @vpu_inst: vpu instance pointer.
*/
struct mtk_vcodec_enc_ctx {
enum mtk_instance_type type;
@@ -156,6 +157,7 @@ struct mtk_vcodec_enc_ctx {
enum v4l2_xfer_func xfer_func;
struct mutex q_mutex;
+ void *vpu_inst;
};
/**
diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c
index 708db1bb32d4..213544e55166 100644
--- a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c
+++ b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c
@@ -42,19 +42,47 @@ static void handle_enc_encode_msg(struct venc_vpu_inst *vpu, const void *data)
vpu->is_key_frm = msg->is_key_frm;
}
+static bool vpu_enc_check_ap_inst(struct mtk_vcodec_enc_dev *enc_dev, struct venc_vpu_inst *vpu)
+{
+ struct mtk_vcodec_enc_ctx *ctx;
+ int ret = false;
+
+ list_for_each_entry(ctx, &enc_dev->ctx_list, list) {
+ if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) {
+ ret = true;
+ break;
+ }
+ }
+
+ return ret;
+}
+
static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv)
{
+ struct mtk_vcodec_enc_dev *enc_dev;
const struct venc_vpu_ipi_msg_common *msg = data;
- struct venc_vpu_inst *vpu =
- (struct venc_vpu_inst *)(unsigned long)msg->venc_inst;
+ struct venc_vpu_inst *vpu;
mtk_venc_debug(vpu->ctx, "msg_id %x inst %p status %d", msg->msg_id, vpu, msg->status);
- vpu->signaled = 1;
+ enc_dev = (struct mtk_vcodec_enc_dev *)priv;
+ vpu = (struct venc_vpu_inst *)(unsigned long)msg->venc_inst;
+ if (!priv || !vpu) {
+ mtk_v4l2_venc_err(vpu->ctx, "venc_inst is NULL, did the SCP hang or crash?");
+ return;
+ }
+
+ if (!vpu_enc_check_ap_inst(enc_dev, vpu) || msg->msg_id < VPU_IPIMSG_ENC_INIT_DONE ||
+ msg->msg_id > VPU_IPIMSG_ENC_DEINIT_DONE) {
+ mtk_v4l2_venc_err(vpu->ctx, "venc msg id not correctly => 0x%x", msg->msg_id);
+ vpu->failure = -EINVAL;
+ goto error;
+ }
+
vpu->failure = (msg->status != VENC_IPI_MSG_STATUS_OK);
if (vpu->failure) {
mtk_venc_err(vpu->ctx, "vpu enc status failure %d", vpu->failure);
- return;
+ goto error;
}
switch (msg->msg_id) {
@@ -72,6 +100,9 @@ static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv)
mtk_venc_err(vpu->ctx, "unknown msg id %x", msg->msg_id);
break;
}
+
+error:
+ vpu->signaled = 1;
}
static int vpu_enc_send_msg(struct venc_vpu_inst *vpu, void *msg,
@@ -105,6 +136,7 @@ int vpu_enc_init(struct venc_vpu_inst *vpu)
init_waitqueue_head(&vpu->wq_hd);
vpu->signaled = 0;
vpu->failure = 0;
+ vpu->ctx->vpu_inst = vpu;
status = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id,
vpu_enc_ipi_handler, "venc", NULL);
--
2.18.0
Hi,
Le lundi 17 juillet 2023 à 16:13 +0800, Yunfei Dong a écrit :
> Need to checking all parameters of msg data are valid or not,
> in case of access null pointer or unreasonable value leading
> to kernel reboot.
>
> Signed-off-by: Yunfei Dong <[email protected]>
> ---
> .../vcodec/decoder/mtk_vcodec_dec_drv.h | 2 +
> .../mediatek/vcodec/decoder/vdec_vpu_if.c | 77 ++++++++++++-------
> 2 files changed, 52 insertions(+), 27 deletions(-)
>
> diff --git a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h
> index c8b4374c5e6c..1ea5dbb475dd 100644
> --- a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h
> +++ b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h
> @@ -160,6 +160,7 @@ struct mtk_vcodec_dec_pdata {
> * @hw_id: hardware index used to identify different hardware.
> *
> * @msg_queue: msg queue used to store lat buffer information.
> + * @vpu_inst: vpu instance pointer.
> */
> struct mtk_vcodec_dec_ctx {
> enum mtk_instance_type type;
> @@ -202,6 +203,7 @@ struct mtk_vcodec_dec_ctx {
> int hw_id;
>
> struct vdec_msg_queue msg_queue;
> + void *vpu_inst;
> };
>
> /**
> diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
> index 82c3dc8c4127..23cfe5c6c90b 100644
> --- a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
> +++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
> @@ -72,6 +72,21 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms
> }
> }
>
> +static bool vpu_dec_check_ap_inst(struct mtk_vcodec_dec_dev *dec_dev, struct vdec_vpu_inst *vpu)
> +{
> + struct mtk_vcodec_dec_ctx *ctx;
> + int ret = false;
> +
> + list_for_each_entry(ctx, &dec_dev->ctx_list, list) {
I'm not quite fully aware of the threading model in place, but this ctx_list is
normally protected by dev->dev_mutex, and is not being protected here. I also
don't know which type of interrupt handler we are in here.
> + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) {
> + ret = true;
> + break;
> + }
> + }
> +
> + return ret;
> +}
> +
> /*
> * vpu_dec_ipi_handler - Handler for VPU ipi message.
> *
> @@ -84,44 +99,51 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms
> */
> static void vpu_dec_ipi_handler(void *data, unsigned int len, void *priv)
> {
> + struct mtk_vcodec_dec_dev *dec_dev;
> const struct vdec_vpu_ipi_ack *msg = data;
> - struct vdec_vpu_inst *vpu = (struct vdec_vpu_inst *)
> - (unsigned long)msg->ap_inst_addr;
> + struct vdec_vpu_inst *vpu;
>
> - if (!vpu) {
> + dec_dev = (struct mtk_vcodec_dec_dev *)priv;
> + vpu = (struct vdec_vpu_inst *)(unsigned long)msg->ap_inst_addr;
> + if (!priv || !vpu) {
> mtk_v4l2_vdec_err(vpu->ctx, "ap_inst_addr is NULL, did the SCP hang or crash?");
> return;
> }
>
> - mtk_vdec_debug(vpu->ctx, "+ id=%X", msg->msg_id);
> + if (!vpu_dec_check_ap_inst(dec_dev, vpu) || msg->msg_id < VPU_IPIMSG_DEC_INIT_ACK ||
> + msg->msg_id > VPU_IPIMSG_DEC_GET_PARAM_ACK) {
> + mtk_v4l2_vdec_err(vpu->ctx, "vdec msg id not correctly => 0x%x", msg->msg_id);
> + vpu->failure = -EINVAL;
> + goto error;
> + }
>
> vpu->failure = msg->status;
> - vpu->signaled = 1;
> + if (msg->status != 0)
> + goto error;
>
> - if (msg->status == 0) {
> - switch (msg->msg_id) {
> - case VPU_IPIMSG_DEC_INIT_ACK:
> - handle_init_ack_msg(data);
> - break;
> + switch (msg->msg_id) {
> + case VPU_IPIMSG_DEC_INIT_ACK:
> + handle_init_ack_msg(data);
> + break;
>
> - case VPU_IPIMSG_DEC_START_ACK:
> - case VPU_IPIMSG_DEC_END_ACK:
> - case VPU_IPIMSG_DEC_DEINIT_ACK:
> - case VPU_IPIMSG_DEC_RESET_ACK:
> - case VPU_IPIMSG_DEC_CORE_ACK:
> - case VPU_IPIMSG_DEC_CORE_END_ACK:
> - break;
> + case VPU_IPIMSG_DEC_START_ACK:
> + case VPU_IPIMSG_DEC_END_ACK:
> + case VPU_IPIMSG_DEC_DEINIT_ACK:
> + case VPU_IPIMSG_DEC_RESET_ACK:
> + case VPU_IPIMSG_DEC_CORE_ACK:
> + case VPU_IPIMSG_DEC_CORE_END_ACK:
> + break;
>
> - case VPU_IPIMSG_DEC_GET_PARAM_ACK:
> - handle_get_param_msg_ack(data);
> - break;
> - default:
> - mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id);
> - break;
> - }
> + case VPU_IPIMSG_DEC_GET_PARAM_ACK:
> + handle_get_param_msg_ack(data);
> + break;
> + default:
> + mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id);
> + break;
> }
>
> - mtk_vdec_debug(vpu->ctx, "- id=%X", msg->msg_id);
> +error:
> + vpu->signaled = 1;
> }
>
> static int vcodec_vpu_send_msg(struct vdec_vpu_inst *vpu, void *msg, int len)
> @@ -182,9 +204,10 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu)
>
> init_waitqueue_head(&vpu->wq);
> vpu->handler = vpu_dec_ipi_handler;
> + vpu->ctx->vpu_inst = vpu;
>
> err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id,
> - vpu->handler, "vdec", NULL);
> + vpu->handler, "vdec", vpu->ctx->dev);
> if (err) {
> mtk_vdec_err(vpu->ctx, "vpu_ipi_register fail status=%d", err);
> return err;
> @@ -193,7 +216,7 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu)
> if (vpu->ctx->dev->vdec_pdata->hw_arch == MTK_VDEC_LAT_SINGLE_CORE) {
> err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler,
> vpu->core_id, vpu->handler,
> - "vdec", NULL);
> + "vdec", vpu->ctx->dev);
> if (err) {
> mtk_vdec_err(vpu->ctx, "vpu_ipi_register core fail status=%d", err);
> return err;
Hi Nicolas,
Thanks for your review.
On Thu, 2023-07-20 at 16:22 -0400, Nicolas Dufresne wrote:
> Hi,
>
> Le lundi 17 juillet 2023 à 16:13 +0800, Yunfei Dong a écrit :
> > Need to checking all parameters of msg data are valid or not,
> > in case of access null pointer or unreasonable value leading
> > to kernel reboot.
> >
> > Signed-off-by: Yunfei Dong <[email protected]>
> > ---
> > .../vcodec/decoder/mtk_vcodec_dec_drv.h | 2 +
> > .../mediatek/vcodec/decoder/vdec_vpu_if.c | 77 ++++++++++++---
> > ----
> > 2 files changed, 52 insertions(+), 27 deletions(-)
> >
> > diff --git
> > a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv
> > .h
> > b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv
> > .h
> > index c8b4374c5e6c..1ea5dbb475dd 100644
> > ---
> > a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv
> > .h
> > +++
> > b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv
> > .h
> > @@ -160,6 +160,7 @@ struct mtk_vcodec_dec_pdata {
> > * @hw_id: hardware index used to identify different hardware.
> > *
> > * @msg_queue: msg queue used to store lat buffer information.
> > + * @vpu_inst: vpu instance pointer.
> > */
> > struct mtk_vcodec_dec_ctx {
> > enum mtk_instance_type type;
> > @@ -202,6 +203,7 @@ struct mtk_vcodec_dec_ctx {
> > int hw_id;
> >
> > struct vdec_msg_queue msg_queue;
> > + void *vpu_inst;
> > };
> >
> > /**
> > diff --git
> > a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
> > b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
> > index 82c3dc8c4127..23cfe5c6c90b 100644
> > --- a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
> > +++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
> > @@ -72,6 +72,21 @@ static void handle_get_param_msg_ack(const
> > struct vdec_vpu_ipi_get_param_ack *ms
> > }
> > }
> >
> > +static bool vpu_dec_check_ap_inst(struct mtk_vcodec_dec_dev
> > *dec_dev, struct vdec_vpu_inst *vpu)
> > +{
> > + struct mtk_vcodec_dec_ctx *ctx;
> > + int ret = false;
> > +
> > + list_for_each_entry(ctx, &dec_dev->ctx_list, list) {
>
> I'm not quite fully aware of the threading model in place, but this
> ctx_list is
> normally protected by dev->dev_mutex, and is not being protected
> here. I also
> don't know which type of interrupt handler we are in here.
>
If the device is opened, one ctx will be inserted to ctx_list, then the
handler interface will be called.
1: This function just used to check whether the context is reasonable,
no need to add mutex to protect because the context already in ctx_list
in oped period. This function won't be called after deinit ctx from
ctx_list.
2: This handler will be called when ap send message to scp.
Best Regards,
Yunfei Dong
> > + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) {
> > + ret = true;
> > + break;
> > + }
> > + }
> > +
> > + return ret;
> > +}
> > +
> > /*
> > * vpu_dec_ipi_handler - Handler for VPU ipi message.
> > *
> > @@ -84,44 +99,51 @@ static void handle_get_param_msg_ack(const
> > struct vdec_vpu_ipi_get_param_ack *ms
> > */
> > static void vpu_dec_ipi_handler(void *data, unsigned int len, void
> > *priv)
> > {
> > + struct mtk_vcodec_dec_dev *dec_dev;
> > const struct vdec_vpu_ipi_ack *msg = data;
> > - struct vdec_vpu_inst *vpu = (struct vdec_vpu_inst *)
> > - (unsigned long)msg-
> > >ap_inst_addr;
> > + struct vdec_vpu_inst *vpu;
> >
> > - if (!vpu) {
> > + dec_dev = (struct mtk_vcodec_dec_dev *)priv;
> > + vpu = (struct vdec_vpu_inst *)(unsigned long)msg->ap_inst_addr;
> > + if (!priv || !vpu) {
> > mtk_v4l2_vdec_err(vpu->ctx, "ap_inst_addr is NULL, did
> > the SCP hang or crash?");
> > return;
> > }
> >
> > - mtk_vdec_debug(vpu->ctx, "+ id=%X", msg->msg_id);
> > + if (!vpu_dec_check_ap_inst(dec_dev, vpu) || msg->msg_id <
> > VPU_IPIMSG_DEC_INIT_ACK ||
> > + msg->msg_id > VPU_IPIMSG_DEC_GET_PARAM_ACK) {
> > + mtk_v4l2_vdec_err(vpu->ctx, "vdec msg id not correctly
> > => 0x%x", msg->msg_id);
> > + vpu->failure = -EINVAL;
> > + goto error;
> > + }
> >
> > vpu->failure = msg->status;
> > - vpu->signaled = 1;
> > + if (msg->status != 0)
> > + goto error;
> >
> > - if (msg->status == 0) {
> > - switch (msg->msg_id) {
> > - case VPU_IPIMSG_DEC_INIT_ACK:
> > - handle_init_ack_msg(data);
> > - break;
> > + switch (msg->msg_id) {
> > + case VPU_IPIMSG_DEC_INIT_ACK:
> > + handle_init_ack_msg(data);
> > + break;
> >
> > - case VPU_IPIMSG_DEC_START_ACK:
> > - case VPU_IPIMSG_DEC_END_ACK:
> > - case VPU_IPIMSG_DEC_DEINIT_ACK:
> > - case VPU_IPIMSG_DEC_RESET_ACK:
> > - case VPU_IPIMSG_DEC_CORE_ACK:
> > - case VPU_IPIMSG_DEC_CORE_END_ACK:
> > - break;
> > + case VPU_IPIMSG_DEC_START_ACK:
> > + case VPU_IPIMSG_DEC_END_ACK:
> > + case VPU_IPIMSG_DEC_DEINIT_ACK:
> > + case VPU_IPIMSG_DEC_RESET_ACK:
> > + case VPU_IPIMSG_DEC_CORE_ACK:
> > + case VPU_IPIMSG_DEC_CORE_END_ACK:
> > + break;
> >
> > - case VPU_IPIMSG_DEC_GET_PARAM_ACK:
> > - handle_get_param_msg_ack(data);
> > - break;
> > - default:
> > - mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg-
> > >msg_id);
> > - break;
> > - }
> > + case VPU_IPIMSG_DEC_GET_PARAM_ACK:
> > + handle_get_param_msg_ack(data);
> > + break;
> > + default:
> > + mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id);
> > + break;
> > }
> >
> > - mtk_vdec_debug(vpu->ctx, "- id=%X", msg->msg_id);
> > +error:
> > + vpu->signaled = 1;
> > }
> >
> > static int vcodec_vpu_send_msg(struct vdec_vpu_inst *vpu, void
> > *msg, int len)
> > @@ -182,9 +204,10 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu)
> >
> > init_waitqueue_head(&vpu->wq);
> > vpu->handler = vpu_dec_ipi_handler;
> > + vpu->ctx->vpu_inst = vpu;
> >
> > err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler,
> > vpu->id,
> > - vpu->handler, "vdec", NULL);
> > + vpu->handler, "vdec", vpu-
> > >ctx->dev);
> > if (err) {
> > mtk_vdec_err(vpu->ctx, "vpu_ipi_register fail
> > status=%d", err);
> > return err;
> > @@ -193,7 +216,7 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu)
> > if (vpu->ctx->dev->vdec_pdata->hw_arch ==
> > MTK_VDEC_LAT_SINGLE_CORE) {
> > err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev-
> > >fw_handler,
> > vpu->core_id, vpu-
> > >handler,
> > - "vdec", NULL);
> > + "vdec", vpu->ctx-
> > >dev);
> > if (err) {
> > mtk_vdec_err(vpu->ctx, "vpu_ipi_register core
> > fail status=%d", err);
> > return err;
>
>
Le vendredi 21 juillet 2023 à 01:58 +0000, Yunfei Dong (董云飞) a écrit :
> Hi Nicolas,
>
> Thanks for your review.
>
> On Thu, 2023-07-20 at 16:22 -0400, Nicolas Dufresne wrote:
> > Hi,
> >
> > Le lundi 17 juillet 2023 à 16:13 +0800, Yunfei Dong a écrit :
> > > Need to checking all parameters of msg data are valid or not,
> > > in case of access null pointer or unreasonable value leading
> > > to kernel reboot.
> > >
> > > Signed-off-by: Yunfei Dong <[email protected]>
> > > ---
> > > .../vcodec/decoder/mtk_vcodec_dec_drv.h | 2 +
> > > .../mediatek/vcodec/decoder/vdec_vpu_if.c | 77 ++++++++++++---
> > > ----
> > > 2 files changed, 52 insertions(+), 27 deletions(-)
> > >
> > > diff --git
> > > a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv
> > > .h
> > > b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv
> > > .h
> > > index c8b4374c5e6c..1ea5dbb475dd 100644
> > > ---
> > > a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv
> > > .h
> > > +++
> > > b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv
> > > .h
> > > @@ -160,6 +160,7 @@ struct mtk_vcodec_dec_pdata {
> > > * @hw_id: hardware index used to identify different hardware.
> > > *
> > > * @msg_queue: msg queue used to store lat buffer information.
> > > + * @vpu_inst: vpu instance pointer.
> > > */
> > > struct mtk_vcodec_dec_ctx {
> > > enum mtk_instance_type type;
> > > @@ -202,6 +203,7 @@ struct mtk_vcodec_dec_ctx {
> > > int hw_id;
> > >
> > > struct vdec_msg_queue msg_queue;
> > > + void *vpu_inst;
> > > };
> > >
> > > /**
> > > diff --git
> > > a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
> > > b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
> > > index 82c3dc8c4127..23cfe5c6c90b 100644
> > > --- a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
> > > +++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
> > > @@ -72,6 +72,21 @@ static void handle_get_param_msg_ack(const
> > > struct vdec_vpu_ipi_get_param_ack *ms
> > > }
> > > }
> > >
> > > +static bool vpu_dec_check_ap_inst(struct mtk_vcodec_dec_dev
> > > *dec_dev, struct vdec_vpu_inst *vpu)
> > > +{
> > > + struct mtk_vcodec_dec_ctx *ctx;
> > > + int ret = false;
> > > +
> > > + list_for_each_entry(ctx, &dec_dev->ctx_list, list) {
> >
> > I'm not quite fully aware of the threading model in place, but this
> > ctx_list is
> > normally protected by dev->dev_mutex, and is not being protected
> > here. I also
> > don't know which type of interrupt handler we are in here.
> >
> If the device is opened, one ctx will be inserted to ctx_list, then the
> handler interface will be called.
>
> 1: This function just used to check whether the context is reasonable,
> no need to add mutex to protect because the context already in ctx_list
> in oped period. This function won't be called after deinit ctx from
> ctx_list.
>
> 2: This handler will be called when ap send message to scp.
Ack.
Reviewed-by: Nicolas Dufresne <[email protected]>
>
> Best Regards,
> Yunfei Dong
> > > + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) {
> > > + ret = true;
> > > + break;
> > > + }
> > > + }
> > > +
> > > + return ret;
> > > +}
> > > +
> > > /*
> > > * vpu_dec_ipi_handler - Handler for VPU ipi message.
> > > *
> > > @@ -84,44 +99,51 @@ static void handle_get_param_msg_ack(const
> > > struct vdec_vpu_ipi_get_param_ack *ms
> > > */
> > > static void vpu_dec_ipi_handler(void *data, unsigned int len, void
> > > *priv)
> > > {
> > > + struct mtk_vcodec_dec_dev *dec_dev;
> > > const struct vdec_vpu_ipi_ack *msg = data;
> > > - struct vdec_vpu_inst *vpu = (struct vdec_vpu_inst *)
> > > - (unsigned long)msg-
> > > > ap_inst_addr;
> > > + struct vdec_vpu_inst *vpu;
> > >
> > > - if (!vpu) {
> > > + dec_dev = (struct mtk_vcodec_dec_dev *)priv;
> > > + vpu = (struct vdec_vpu_inst *)(unsigned long)msg->ap_inst_addr;
> > > + if (!priv || !vpu) {
> > > mtk_v4l2_vdec_err(vpu->ctx, "ap_inst_addr is NULL, did
> > > the SCP hang or crash?");
> > > return;
> > > }
> > >
> > > - mtk_vdec_debug(vpu->ctx, "+ id=%X", msg->msg_id);
> > > + if (!vpu_dec_check_ap_inst(dec_dev, vpu) || msg->msg_id <
> > > VPU_IPIMSG_DEC_INIT_ACK ||
> > > + msg->msg_id > VPU_IPIMSG_DEC_GET_PARAM_ACK) {
> > > + mtk_v4l2_vdec_err(vpu->ctx, "vdec msg id not correctly
> > > => 0x%x", msg->msg_id);
> > > + vpu->failure = -EINVAL;
> > > + goto error;
> > > + }
> > >
> > > vpu->failure = msg->status;
> > > - vpu->signaled = 1;
> > > + if (msg->status != 0)
> > > + goto error;
> > >
> > > - if (msg->status == 0) {
> > > - switch (msg->msg_id) {
> > > - case VPU_IPIMSG_DEC_INIT_ACK:
> > > - handle_init_ack_msg(data);
> > > - break;
> > > + switch (msg->msg_id) {
> > > + case VPU_IPIMSG_DEC_INIT_ACK:
> > > + handle_init_ack_msg(data);
> > > + break;
> > >
> > > - case VPU_IPIMSG_DEC_START_ACK:
> > > - case VPU_IPIMSG_DEC_END_ACK:
> > > - case VPU_IPIMSG_DEC_DEINIT_ACK:
> > > - case VPU_IPIMSG_DEC_RESET_ACK:
> > > - case VPU_IPIMSG_DEC_CORE_ACK:
> > > - case VPU_IPIMSG_DEC_CORE_END_ACK:
> > > - break;
> > > + case VPU_IPIMSG_DEC_START_ACK:
> > > + case VPU_IPIMSG_DEC_END_ACK:
> > > + case VPU_IPIMSG_DEC_DEINIT_ACK:
> > > + case VPU_IPIMSG_DEC_RESET_ACK:
> > > + case VPU_IPIMSG_DEC_CORE_ACK:
> > > + case VPU_IPIMSG_DEC_CORE_END_ACK:
> > > + break;
> > >
> > > - case VPU_IPIMSG_DEC_GET_PARAM_ACK:
> > > - handle_get_param_msg_ack(data);
> > > - break;
> > > - default:
> > > - mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg-
> > > > msg_id);
> > > - break;
> > > - }
> > > + case VPU_IPIMSG_DEC_GET_PARAM_ACK:
> > > + handle_get_param_msg_ack(data);
> > > + break;
> > > + default:
> > > + mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id);
> > > + break;
> > > }
> > >
> > > - mtk_vdec_debug(vpu->ctx, "- id=%X", msg->msg_id);
> > > +error:
> > > + vpu->signaled = 1;
> > > }
> > >
> > > static int vcodec_vpu_send_msg(struct vdec_vpu_inst *vpu, void
> > > *msg, int len)
> > > @@ -182,9 +204,10 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu)
> > >
> > > init_waitqueue_head(&vpu->wq);
> > > vpu->handler = vpu_dec_ipi_handler;
> > > + vpu->ctx->vpu_inst = vpu;
> > >
> > > err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler,
> > > vpu->id,
> > > - vpu->handler, "vdec", NULL);
> > > + vpu->handler, "vdec", vpu-
> > > > ctx->dev);
> > > if (err) {
> > > mtk_vdec_err(vpu->ctx, "vpu_ipi_register fail
> > > status=%d", err);
> > > return err;
> > > @@ -193,7 +216,7 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu)
> > > if (vpu->ctx->dev->vdec_pdata->hw_arch ==
> > > MTK_VDEC_LAT_SINGLE_CORE) {
> > > err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev-
> > > > fw_handler,
> > > vpu->core_id, vpu-
> > > > handler,
> > > - "vdec", NULL);
> > > + "vdec", vpu->ctx-
> > > > dev);
> > > if (err) {
> > > mtk_vdec_err(vpu->ctx, "vpu_ipi_register core
> > > fail status=%d", err);
> > > return err;
> >
> >