Received: by 2002:a05:6358:700f:b0:131:369:b2a3 with SMTP id 15csp1091299rwo; Wed, 2 Aug 2023 08:35:05 -0700 (PDT) X-Google-Smtp-Source: APBJJlEieLXcxAkNcG9ngdQfNcWmZgmF+yx5I74ZIbiR0Lvgg+iTpXBE8uJeT22PJCbtiOs5362L X-Received: by 2002:a17:906:74cb:b0:994:8e9:67fe with SMTP id z11-20020a17090674cb00b0099408e967femr4901608ejl.35.1690990505230; Wed, 02 Aug 2023 08:35:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690990505; cv=none; d=google.com; s=arc-20160816; b=XdwWOpZb04NN/ndlOz5nZ1dfW3nz1EnlttGjSylKRDjCeeZ3bHz6S/0NIAUPBw4S7E z6Y7SQzakTG/zhamUKsavOaKhnlHfw2juJ5yWGnh/jLrXiqR8FC1W1djzFoppViEmt04 KIwBtm0XVUXiDVOG2KlRyMSgSOx+AwC5c/we1g0vsl9fHh0L/5VONwAKKPE5t6rC3Nzm NfG0DBt7cBGqfZR57osvqKPn3dUnmemAMnuSiYLRC+41+xpFrE646mt6ZwVb9JsR8nEf rCD15hrT1Ep/mLKba5oJg4U7d7mjt27Ckn4fq6eUc4h2o0B33t628TAPykgG2byfeKvP 4NLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=WvUeVFDPb4EMGYbb53F91WRmcOa9itzlcYCTFvFRYc0=; fh=JNu33da7kzA6xRV91jumLxXvft4D8QIU8MqbM9iLAMY=; b=MMpJhuWjYPkQMhyw9YJsuks3BWF+Bu05OG+JhOY1ZRAC/BO5iH+3mPSX/JqJlX5PlY uv4MW5RVg1CA0u1Tf14rMQLnLRQWmIfBE8YamkpgaZXP2dlYPUvHE1ckuKLy6anDch5Z pBQNwHa9fppYAzgvt29fNUFFXZeg9UwKYl9TvXNBWO4vfWU/uWLDkWThLS+kiQhICE2Y itD8xAPY+1iEwlb7QrkoI9Rt9cbvug3tOpaARrVCs4rJ6I5XwC+M8+YdIlruKsrOvkwF ledHdgdJBqE+o6XTKj9Q3CCzpNLyfPI6myjTE/O1I0gJhWSwM5nehWJQyqfcwPdYY649 Qi0g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=BFjldis3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z17-20020a170906815100b0099bd5ad1e95si11121273ejw.498.2023.08.02.08.34.40; Wed, 02 Aug 2023 08:35:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=BFjldis3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234602AbjHBOxQ (ORCPT + 99 others); Wed, 2 Aug 2023 10:53:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48840 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234574AbjHBOxP (ORCPT ); Wed, 2 Aug 2023 10:53:15 -0400 Received: from mailgw02.mediatek.com (unknown [210.61.82.184]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B9E1B1982; Wed, 2 Aug 2023 07:53:12 -0700 (PDT) X-UUID: 4a24474e314411eeb20a276fd37b9834-20230802 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:CC:To:From; bh=WvUeVFDPb4EMGYbb53F91WRmcOa9itzlcYCTFvFRYc0=; b=BFjldis3sw6qPYpI46hV4kYF3sxOaAoMzOewVRZY428Hsp5+bwY8oBMycGo6UzyjL7dHa4/Cp0yZC894yLuwCaTuNQKfEgTjK6D1bntBYXixl+JqVr9YL2KTiMUTYlSBozehR/r2fyWSqaEewi7G2Lq2tHBhFshA9u6GSIdJwfM=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.30,REQID:96ab9bb7-1710-4953-afa4-411264a870f3,IP:0,U RL:0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Release_Ham,ACTI ON:release,TS:70 X-CID-INFO: VERSION:1.1.30,REQID:96ab9bb7-1710-4953-afa4-411264a870f3,IP:0,URL :0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Spam_GS981B3D,ACTI ON:quarantine,TS:70 X-CID-META: VersionHash:1fcc6f8,CLOUDID:638ed1a0-0933-4333-8d4f-6c3c53ebd55b,B ulkID:230802225309PPL6E4CR,BulkQuantity:0,Recheck:0,SF:38|29|28|17|19|48,T C:nil,Content:0,EDM:-3,IP:nil,URL:0,File:nil,Bulk:nil,QS:nil,BEC:nil,COL:0 ,OSI:0,OSA:0,AV:0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0 X-CID-BVR: 0 X-CID-BAS: 0,_,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR,TF_CID_SPAM_SDM,TF_CID_SPAM_ASC,TF_CID_SPAM_FAS, TF_CID_SPAM_FSD X-UUID: 4a24474e314411eeb20a276fd37b9834-20230802 Received: from mtkmbs14n1.mediatek.inc [(172.21.101.75)] by mailgw02.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 1035919754; Wed, 02 Aug 2023 22:53:06 +0800 Received: from mtkmbs11n2.mediatek.inc (172.21.101.187) by mtkmbs10n2.mediatek.inc (172.21.101.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Wed, 2 Aug 2023 22:53:06 +0800 Received: from mhfsdcap04.gcn.mediatek.inc (10.17.3.154) by mtkmbs11n2.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1118.26 via Frontend Transport; Wed, 2 Aug 2023 22:53:05 +0800 From: Yunfei Dong To: =?UTF-8?q?N=C3=ADcolas=20F=20=2E=20R=20=2E=20A=20=2E=20Prado?= , Nicolas Dufresne , Hans Verkuil , AngeloGioacchino Del Regno , Benjamin Gaignard , Nathan Hebert CC: Chen-Yu Tsai , Hsin-Yi Wang , Fritz Koenig , Daniel Vetter , "Steve Cho" , Yunfei Dong , , , , , , Subject: [PATCH v4,2/2] media: mediatek: vcodec: Fix possible invalid memory access for encoder Date: Wed, 2 Aug 2023 22:53:02 +0800 Message-ID: <20230802145303.28765-2-yunfei.dong@mediatek.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230802145303.28765-1-yunfei.dong@mediatek.com> References: <20230802145303.28765-1-yunfei.dong@mediatek.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-MTK: N X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,RDNS_NONE,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The vpu maybe null pointer or unreasonable value when scp crash, need to validate that the vpu pointer and the vpu instance within this context is valid in case of leading to kernel reboot. Fixes: 27a274db6b4c6 ("[media] vcodec: mediatek: Add Mediatek VP8 Video Encoder Driver") Signed-off-by: Yunfei Dong Reported-by: Steve Cho --- .../vcodec/encoder/mtk_vcodec_enc_drv.h | 2 + .../mediatek/vcodec/encoder/venc_vpu_if.c | 39 +++++++++++++++++-- 2 files changed, 37 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h index c07010e56649..a042f607ed8d 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h +++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h @@ -123,6 +123,7 @@ struct mtk_enc_params { * @xfer_func: enum v4l2_xfer_func, colorspace transfer function * * @q_mutex: vb2_queue mutex. + * @vpu_inst: vpu instance pointer. */ struct mtk_vcodec_enc_ctx { enum mtk_instance_type type; @@ -156,6 +157,7 @@ struct mtk_vcodec_enc_ctx { enum v4l2_xfer_func xfer_func; struct mutex q_mutex; + void *vpu_inst; }; /** diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c index 708db1bb32d4..d299cc2962a5 100644 --- a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c +++ b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c @@ -42,19 +42,46 @@ static void handle_enc_encode_msg(struct venc_vpu_inst *vpu, const void *data) vpu->is_key_frm = msg->is_key_frm; } +static bool vpu_enc_check_ap_inst(struct mtk_vcodec_enc_dev *enc_dev, struct venc_vpu_inst *vpu) +{ + struct mtk_vcodec_enc_ctx *ctx; + int ret = false; + + list_for_each_entry(ctx, &enc_dev->ctx_list, list) { + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) { + ret = true; + break; + } + } + + return ret; +} + static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv) { + struct mtk_vcodec_enc_dev *enc_dev; const struct venc_vpu_ipi_msg_common *msg = data; - struct venc_vpu_inst *vpu = - (struct venc_vpu_inst *)(unsigned long)msg->venc_inst; + struct venc_vpu_inst *vpu; + + enc_dev = (struct mtk_vcodec_enc_dev *)priv; + vpu = (struct venc_vpu_inst *)(unsigned long)msg->venc_inst; + if (!priv || !vpu) { + pr_err(MTK_DBG_V4L2_STR "venc_inst is NULL, did the SCP hang or crash?"); + return; + } mtk_venc_debug(vpu->ctx, "msg_id %x inst %p status %d", msg->msg_id, vpu, msg->status); + if (!vpu_enc_check_ap_inst(enc_dev, vpu) || msg->msg_id < VPU_IPIMSG_ENC_INIT_DONE || + msg->msg_id > VPU_IPIMSG_ENC_DEINIT_DONE) { + mtk_v4l2_venc_err(vpu->ctx, "venc msg id not correctly => 0x%x", msg->msg_id); + vpu->failure = -EINVAL; + goto error; + } - vpu->signaled = 1; vpu->failure = (msg->status != VENC_IPI_MSG_STATUS_OK); if (vpu->failure) { mtk_venc_err(vpu->ctx, "vpu enc status failure %d", vpu->failure); - return; + goto error; } switch (msg->msg_id) { @@ -72,6 +99,9 @@ static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv) mtk_venc_err(vpu->ctx, "unknown msg id %x", msg->msg_id); break; } + +error: + vpu->signaled = 1; } static int vpu_enc_send_msg(struct venc_vpu_inst *vpu, void *msg, @@ -105,6 +135,7 @@ int vpu_enc_init(struct venc_vpu_inst *vpu) init_waitqueue_head(&vpu->wq_hd); vpu->signaled = 0; vpu->failure = 0; + vpu->ctx->vpu_inst = vpu; status = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id, vpu_enc_ipi_handler, "venc", NULL); -- 2.18.0