Received: by 2002:a05:6358:701b:b0:131:369:b2a3 with SMTP id 27csp839757rwo; Sat, 22 Jul 2023 00:55:08 -0700 (PDT) X-Google-Smtp-Source: APBJJlFEV/JR+yZsZxXsEbUNNPdxqS15rEtKtXRmwsQmKJ3cX5+ETzIf3GDZbYL+y45m9esydpq3 X-Received: by 2002:a17:906:5189:b0:969:7739:2eb7 with SMTP id y9-20020a170906518900b0096977392eb7mr3557985ejk.4.1690012508607; Sat, 22 Jul 2023 00:55:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690012508; cv=none; d=google.com; s=arc-20160816; b=HcEpZ2vuQLgAF91iA+EgFZiBLEeeXPdHhGPPLisCul/xLIEWqvumUvNdeDHD60MPId Ci+Yp9yU6TtBjN5MzYKGVzRExlpIK8ykpINAxrPvoxTLhjPihVW749s3r/E/4VTq9eM5 fxFGDg26nuzvRaZXquxAxSpnyeMK5Vc7dJTxZxjsuFzo4cbeAQznEGN52ZQ1FBY2hfSH RuIgGswq6B3XLrDoSyS6akWQrJrsS53Db6PMdDCIoikrfhDLmI1cFKTUAffdZDn5XmHC /vX9Q/row8wFZTNTblGYqIF9fAtqf7fhAoknQhmz3HitMv4UsWXU0P6/d0LfQ8Q7h3+W fIFQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=qqEksVJOPOKTBPEsGrR2lio+XwHgG5w59AALFAQnXeI=; fh=JNu33da7kzA6xRV91jumLxXvft4D8QIU8MqbM9iLAMY=; b=H5s6XA4iAqw6cKqgtvynrsOAgNS7uVxljQt52pZH+GiCMjBLmFFf3wjNMli5Iw8+y3 gZ2puExsqKZk1bGwybrtMPU3HizWWx3ypv5TuTxrS3neXQQUd1ZN70mwuIeWRQQ1+KCR 1ME+kHjzhCNLStipJWeMmE3Xa1p8NEty1dSLTmv9CapqRxQ0fY1+v5mnwlhCE2gKkmdv VCeyel8xjUk7MNpIrqZ+ZAOa7dPNg/bySybwcFgmc0PlrQtvEbTgtsCq6Yvr/B0AK/7P xjBRG7nKrvnga0mFAKT3NiX+y2OUzU5SYq81p4l4qt36OggiLmblFsbs5rHMOFqQeKEg eZxQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=Bqy75utW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e1-20020a1709062c0100b0099027b40d82si3379496ejh.243.2023.07.22.00.54.40; Sat, 22 Jul 2023 00:55:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=Bqy75utW; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231293AbjGVHsD (ORCPT + 99 others); Sat, 22 Jul 2023 03:48:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60072 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231415AbjGVHr7 (ORCPT ); Sat, 22 Jul 2023 03:47:59 -0400 Received: from mailgw02.mediatek.com (unknown [210.61.82.184]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 53EEF4202; Sat, 22 Jul 2023 00:47:19 -0700 (PDT) X-UUID: d469db6a286311eeb20a276fd37b9834-20230722 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Date:Subject:CC:To:From; bh=qqEksVJOPOKTBPEsGrR2lio+XwHgG5w59AALFAQnXeI=; b=Bqy75utWYAj0+cwNWEAlYMhTcesfOtoLlYiPvi3fbfraUwPMN2Ye7jgJd6fDy62OIubCyBJxYTzBc2szngcfp7bQhTokOf+k4E8OH+l3lB/ex7AujM7/xOadg6Lt54aNn18UjTtbJ3e3HtzCg9ERPPOiBxSHbjwdiPv9EQwg0J8=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.28,REQID:887ee29f-7bbf-4515-b44d-80b92dac8371,IP:0,U RL:0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Release_Ham,ACTI ON:release,TS:70 X-CID-INFO: VERSION:1.1.28,REQID:887ee29f-7bbf-4515-b44d-80b92dac8371,IP:0,URL :0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Spam_GS981B3D,ACTI ON:quarantine,TS:70 X-CID-META: VersionHash:176cd25,CLOUDID:1da7ff4c-06c1-468b-847d-5b62d44dbb9b,B ulkID:230722154614MWI8BHDS,BulkQuantity:1,Recheck:0,SF:48|38|29|28|17|19,T C:nil,Content:0,EDM:-3,IP:nil,URL:0,File:nil,Bulk:40,QS:nil,BEC:nil,COL:0, OSI:0,OSA:0,AV:0,LES:1,SPR:NO,DKR:0,DKP:0 X-CID-BVR: 0,NGT X-CID-BAS: 0,NGT,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR,TF_CID_SPAM_SDM,TF_CID_SPAM_ASC,TF_CID_SPAM_FAS, TF_CID_SPAM_FSD X-UUID: d469db6a286311eeb20a276fd37b9834-20230722 Received: from mtkmbs14n2.mediatek.inc [(172.21.101.76)] by mailgw02.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 880688141; Sat, 22 Jul 2023 15:46:12 +0800 Received: from mtkmbs13n1.mediatek.inc (172.21.101.193) by mtkmbs10n2.mediatek.inc (172.21.101.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Sat, 22 Jul 2023 15:46:11 +0800 Received: from mhfsdcap04.gcn.mediatek.inc (10.17.3.154) by mtkmbs13n1.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1118.26 via Frontend Transport; Sat, 22 Jul 2023 15:46:10 +0800 From: Yunfei Dong To: =?UTF-8?q?N=C3=ADcolas=20F=20=2E=20R=20=2E=20A=20=2E=20Prado?= , Nicolas Dufresne , Hans Verkuil , AngeloGioacchino Del Regno , Benjamin Gaignard , Nathan Hebert CC: Chen-Yu Tsai , Hsin-Yi Wang , Fritz Koenig , Daniel Vetter , "Steve Cho" , Yunfei Dong , , , , , , Subject: [PATCH v2,1/2] media: mediatek: vcodec: checking decoder ack message parameter Date: Sat, 22 Jul 2023 15:46:07 +0800 Message-ID: <20230722074608.30766-1-yunfei.dong@mediatek.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-MTK: N X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Need to checking all parameters of msg data are valid or not, in case of access null pointer or unreasonable value leading to kernel reboot. Signed-off-by: Yunfei Dong Reviewed-by: Nicolas Dufresne --- .../vcodec/decoder/mtk_vcodec_dec_drv.h | 2 + .../mediatek/vcodec/decoder/vdec_vpu_if.c | 77 ++++++++++++------- 2 files changed, 52 insertions(+), 27 deletions(-) diff --git a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h index 6c318de25a55..7e36b2c69b7d 100644 --- a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h +++ b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h @@ -161,6 +161,7 @@ struct mtk_vcodec_dec_pdata { * @hw_id: hardware index used to identify different hardware. * * @msg_queue: msg queue used to store lat buffer information. + * @vpu_inst: vpu instance pointer. * * @is_10bit_bitstream: set to true if it's 10bit bitstream */ @@ -205,6 +206,7 @@ struct mtk_vcodec_dec_ctx { int hw_id; struct vdec_msg_queue msg_queue; + void *vpu_inst; bool is_10bit_bitstream; }; diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c index 82c3dc8c4127..23cfe5c6c90b 100644 --- a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c +++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c @@ -72,6 +72,21 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms } } +static bool vpu_dec_check_ap_inst(struct mtk_vcodec_dec_dev *dec_dev, struct vdec_vpu_inst *vpu) +{ + struct mtk_vcodec_dec_ctx *ctx; + int ret = false; + + list_for_each_entry(ctx, &dec_dev->ctx_list, list) { + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) { + ret = true; + break; + } + } + + return ret; +} + /* * vpu_dec_ipi_handler - Handler for VPU ipi message. * @@ -84,44 +99,51 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms */ static void vpu_dec_ipi_handler(void *data, unsigned int len, void *priv) { + struct mtk_vcodec_dec_dev *dec_dev; const struct vdec_vpu_ipi_ack *msg = data; - struct vdec_vpu_inst *vpu = (struct vdec_vpu_inst *) - (unsigned long)msg->ap_inst_addr; + struct vdec_vpu_inst *vpu; - if (!vpu) { + dec_dev = (struct mtk_vcodec_dec_dev *)priv; + vpu = (struct vdec_vpu_inst *)(unsigned long)msg->ap_inst_addr; + if (!priv || !vpu) { mtk_v4l2_vdec_err(vpu->ctx, "ap_inst_addr is NULL, did the SCP hang or crash?"); return; } - mtk_vdec_debug(vpu->ctx, "+ id=%X", msg->msg_id); + if (!vpu_dec_check_ap_inst(dec_dev, vpu) || msg->msg_id < VPU_IPIMSG_DEC_INIT_ACK || + msg->msg_id > VPU_IPIMSG_DEC_GET_PARAM_ACK) { + mtk_v4l2_vdec_err(vpu->ctx, "vdec msg id not correctly => 0x%x", msg->msg_id); + vpu->failure = -EINVAL; + goto error; + } vpu->failure = msg->status; - vpu->signaled = 1; + if (msg->status != 0) + goto error; - if (msg->status == 0) { - switch (msg->msg_id) { - case VPU_IPIMSG_DEC_INIT_ACK: - handle_init_ack_msg(data); - break; + switch (msg->msg_id) { + case VPU_IPIMSG_DEC_INIT_ACK: + handle_init_ack_msg(data); + break; - case VPU_IPIMSG_DEC_START_ACK: - case VPU_IPIMSG_DEC_END_ACK: - case VPU_IPIMSG_DEC_DEINIT_ACK: - case VPU_IPIMSG_DEC_RESET_ACK: - case VPU_IPIMSG_DEC_CORE_ACK: - case VPU_IPIMSG_DEC_CORE_END_ACK: - break; + case VPU_IPIMSG_DEC_START_ACK: + case VPU_IPIMSG_DEC_END_ACK: + case VPU_IPIMSG_DEC_DEINIT_ACK: + case VPU_IPIMSG_DEC_RESET_ACK: + case VPU_IPIMSG_DEC_CORE_ACK: + case VPU_IPIMSG_DEC_CORE_END_ACK: + break; - case VPU_IPIMSG_DEC_GET_PARAM_ACK: - handle_get_param_msg_ack(data); - break; - default: - mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id); - break; - } + case VPU_IPIMSG_DEC_GET_PARAM_ACK: + handle_get_param_msg_ack(data); + break; + default: + mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id); + break; } - mtk_vdec_debug(vpu->ctx, "- id=%X", msg->msg_id); +error: + vpu->signaled = 1; } static int vcodec_vpu_send_msg(struct vdec_vpu_inst *vpu, void *msg, int len) @@ -182,9 +204,10 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu) init_waitqueue_head(&vpu->wq); vpu->handler = vpu_dec_ipi_handler; + vpu->ctx->vpu_inst = vpu; err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id, - vpu->handler, "vdec", NULL); + vpu->handler, "vdec", vpu->ctx->dev); if (err) { mtk_vdec_err(vpu->ctx, "vpu_ipi_register fail status=%d", err); return err; @@ -193,7 +216,7 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu) if (vpu->ctx->dev->vdec_pdata->hw_arch == MTK_VDEC_LAT_SINGLE_CORE) { err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->core_id, vpu->handler, - "vdec", NULL); + "vdec", vpu->ctx->dev); if (err) { mtk_vdec_err(vpu->ctx, "vpu_ipi_register core fail status=%d", err); return err; -- 2.18.0