Received: by 2002:a05:6358:700f:b0:131:369:b2a3 with SMTP id 15csp1210571rwo; Wed, 2 Aug 2023 10:15:08 -0700 (PDT) X-Google-Smtp-Source: APBJJlFEVPonVItjWVccXYqnB2kPfrP/p/gFIV228oh9Fzf5t8tR7QZcxFPGjnj+2ZtdMib0igHG X-Received: by 2002:a05:6a00:1785:b0:679:bc89:e45 with SMTP id s5-20020a056a00178500b00679bc890e45mr18807795pfg.6.1690996507976; Wed, 02 Aug 2023 10:15:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690996507; cv=none; d=google.com; s=arc-20160816; b=ydkW9FDhPGSyffusR3K5YlUO+JthnWDgK75fOrYqHtmqVkzUhrU64kGOLZS2Q/OhR2 Sk/h8vZ+aJ6tgVgyxQkDGZdtq6UlDK7PUMyj+oaC1hoQHWfpUVsVeT5fy8Ul2+Y3+L5h KfP0wA99/JnH5TFeTmLBZCmcrFt5UXDBDWMJzhFP3uzAJWSMUuk8lXn7OGN5rq+rs6tM vIdzOQxdUsrbLtevL7Z/Drdbp13pV7vfoRx8ibrBuM3Bt+u7gjIZwoDtaycZPJ1iz+u3 Mn3vGwrOc2iaZjdCqYJbk3z6rzUSloO2qkcJ/iEoeK48SuYcVA8xg6WHDHjtemlPv9ZG Au2g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=cpoHbY7586Mt5hnPOEQJpg1iUMg9V8SaW0q/DtbqEa4=; fh=JNu33da7kzA6xRV91jumLxXvft4D8QIU8MqbM9iLAMY=; b=oOZyeZJLaVfO43Jxcun8KrHDJm+Kge7Y4GZ6Zw1LWkAHXuyHbnr+hqgeVnjWCeiPOp TYJBg0OPCBmqie//KzxWTOm+l1Dj1D8JAEeOH4L0fUBM+Hz54qeiiAvMnEsCm7jyLkWg zFJN1QczealZgW0sGWE4YXulJhun3AvW8GjN5x8/0HlFda6hHeW9/D7pZ3Rw215UJuv/ K7bj07sW6BAzk+0lKgZa5VHIA6ZuxydVXlWAn7RoY9DlnnQZqfSEuYREQICg0AKe1Qao zEkltySqW41zgx/y5UhmPKFjCqAdxxf0VoGFkNX45sD+wEXtW31ZR8veC1ctW+Sj7H29 k7jg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=su+0smTL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id cm14-20020a056a00338e00b0068730bad69bsi5992099pfb.305.2023.08.02.10.14.54; Wed, 02 Aug 2023 10:15:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=su+0smTL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234622AbjHBOxT (ORCPT + 99 others); Wed, 2 Aug 2023 10:53:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48850 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232603AbjHBOxP (ORCPT ); Wed, 2 Aug 2023 10:53:15 -0400 Received: from mailgw02.mediatek.com (unknown [210.61.82.184]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 810761BFD; Wed, 2 Aug 2023 07:53:13 -0700 (PDT) X-UUID: 4a207ee8314411eeb20a276fd37b9834-20230802 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Date:Subject:CC:To:From; bh=cpoHbY7586Mt5hnPOEQJpg1iUMg9V8SaW0q/DtbqEa4=; b=su+0smTLiHa6oiM/LuNLy+gKtgzfieZ9VQv2wgKRmyHwG7KlhDg8tvrKqMG24tRpc4I5b4lQARJ0/reFFk9P7qT96GyveArpZfEuY3EZgbAEkMAjnZoJQAPDnwotRuNB4wbisdGZgsO8JA+AFqSbZDQ7Bl23KktTmd7EobHW+nU=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.30,REQID:efe7b0e5-1ba8-4b5e-82ff-32caffc4d56a,IP:0,U RL:0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Release_Ham,ACTI ON:release,TS:70 X-CID-INFO: VERSION:1.1.30,REQID:efe7b0e5-1ba8-4b5e-82ff-32caffc4d56a,IP:0,URL :0,TC:0,Content:-25,EDM:0,RT:0,SF:95,FILE:0,BULK:0,RULE:Spam_GS981B3D,ACTI ON:quarantine,TS:70 X-CID-META: VersionHash:1fcc6f8,CLOUDID:fe04be42-d291-4e62-b539-43d7d78362ba,B ulkID:230802225309HNY5XMG3,BulkQuantity:0,Recheck:0,SF:38|29|28|17|19|48,T C:nil,Content:0,EDM:-3,IP:nil,URL:0,File:nil,Bulk:nil,QS:nil,BEC:nil,COL:0 ,OSI:0,OSA:0,AV:0,LES:1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0 X-CID-BVR: 0 X-CID-BAS: 0,_,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR,TF_CID_SPAM_SDM,TF_CID_SPAM_ASC,TF_CID_SPAM_FAS, TF_CID_SPAM_FSD X-UUID: 4a207ee8314411eeb20a276fd37b9834-20230802 Received: from mtkmbs14n1.mediatek.inc [(172.21.101.75)] by mailgw02.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 639006661; Wed, 02 Aug 2023 22:53:06 +0800 Received: from mtkmbs11n2.mediatek.inc (172.21.101.187) by mtkmbs10n2.mediatek.inc (172.21.101.183) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Wed, 2 Aug 2023 22:53:05 +0800 Received: from mhfsdcap04.gcn.mediatek.inc (10.17.3.154) by mtkmbs11n2.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1118.26 via Frontend Transport; Wed, 2 Aug 2023 22:53:04 +0800 From: Yunfei Dong To: =?UTF-8?q?N=C3=ADcolas=20F=20=2E=20R=20=2E=20A=20=2E=20Prado?= , Nicolas Dufresne , Hans Verkuil , AngeloGioacchino Del Regno , Benjamin Gaignard , Nathan Hebert CC: Chen-Yu Tsai , Hsin-Yi Wang , Fritz Koenig , Daniel Vetter , "Steve Cho" , Yunfei Dong , , , , , , Subject: [PATCH v4,1/2] media: mediatek: vcodec: Fix possible invalid memory access for decoder Date: Wed, 2 Aug 2023 22:53:01 +0800 Message-ID: <20230802145303.28765-1-yunfei.dong@mediatek.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-MTK: N X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,RDNS_NONE,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The vpu maybe null pointer or unreasonable value when scp crash, need to validate that the vpu pointer and the vpu instance within this context is valid in case of leading to kernel reboot. Fixes: 590577a4e525 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Decoder Driver") Signed-off-by: Yunfei Dong Reported-by: Steve Cho Reviewed-by: Nicolas Dufresne --- - compared with v3: - fix error log for patch 1 and 2. - compared with v2: - rewrite the commit message for patch 01 and 02. - add Reported-by and Fixes tag. - fix smatch fail for patch 02/2. --- .../vcodec/decoder/mtk_vcodec_dec_drv.h | 2 + .../mediatek/vcodec/decoder/vdec_vpu_if.c | 79 ++++++++++++------- 2 files changed, 53 insertions(+), 28 deletions(-) diff --git a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h index 6c318de25a55..7e36b2c69b7d 100644 --- a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h +++ b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h @@ -161,6 +161,7 @@ struct mtk_vcodec_dec_pdata { * @hw_id: hardware index used to identify different hardware. * * @msg_queue: msg queue used to store lat buffer information. + * @vpu_inst: vpu instance pointer. * * @is_10bit_bitstream: set to true if it's 10bit bitstream */ @@ -205,6 +206,7 @@ struct mtk_vcodec_dec_ctx { int hw_id; struct vdec_msg_queue msg_queue; + void *vpu_inst; bool is_10bit_bitstream; }; diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c index 82c3dc8c4127..82e57ae983d5 100644 --- a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c +++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c @@ -72,6 +72,21 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms } } +static bool vpu_dec_check_ap_inst(struct mtk_vcodec_dec_dev *dec_dev, struct vdec_vpu_inst *vpu) +{ + struct mtk_vcodec_dec_ctx *ctx; + int ret = false; + + list_for_each_entry(ctx, &dec_dev->ctx_list, list) { + if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) { + ret = true; + break; + } + } + + return ret; +} + /* * vpu_dec_ipi_handler - Handler for VPU ipi message. * @@ -84,44 +99,51 @@ static void handle_get_param_msg_ack(const struct vdec_vpu_ipi_get_param_ack *ms */ static void vpu_dec_ipi_handler(void *data, unsigned int len, void *priv) { + struct mtk_vcodec_dec_dev *dec_dev; const struct vdec_vpu_ipi_ack *msg = data; - struct vdec_vpu_inst *vpu = (struct vdec_vpu_inst *) - (unsigned long)msg->ap_inst_addr; + struct vdec_vpu_inst *vpu; - if (!vpu) { - mtk_v4l2_vdec_err(vpu->ctx, "ap_inst_addr is NULL, did the SCP hang or crash?"); + dec_dev = (struct mtk_vcodec_dec_dev *)priv; + vpu = (struct vdec_vpu_inst *)(unsigned long)msg->ap_inst_addr; + if (!priv || !vpu) { + pr_err(MTK_DBG_V4L2_STR "ap_inst_addr is NULL, did the SCP hang or crash?"); return; } - mtk_vdec_debug(vpu->ctx, "+ id=%X", msg->msg_id); + if (!vpu_dec_check_ap_inst(dec_dev, vpu) || msg->msg_id < VPU_IPIMSG_DEC_INIT_ACK || + msg->msg_id > VPU_IPIMSG_DEC_GET_PARAM_ACK) { + mtk_v4l2_vdec_err(vpu->ctx, "vdec msg id not correctly => 0x%x", msg->msg_id); + vpu->failure = -EINVAL; + goto error; + } vpu->failure = msg->status; - vpu->signaled = 1; + if (msg->status != 0) + goto error; - if (msg->status == 0) { - switch (msg->msg_id) { - case VPU_IPIMSG_DEC_INIT_ACK: - handle_init_ack_msg(data); - break; + switch (msg->msg_id) { + case VPU_IPIMSG_DEC_INIT_ACK: + handle_init_ack_msg(data); + break; - case VPU_IPIMSG_DEC_START_ACK: - case VPU_IPIMSG_DEC_END_ACK: - case VPU_IPIMSG_DEC_DEINIT_ACK: - case VPU_IPIMSG_DEC_RESET_ACK: - case VPU_IPIMSG_DEC_CORE_ACK: - case VPU_IPIMSG_DEC_CORE_END_ACK: - break; + case VPU_IPIMSG_DEC_START_ACK: + case VPU_IPIMSG_DEC_END_ACK: + case VPU_IPIMSG_DEC_DEINIT_ACK: + case VPU_IPIMSG_DEC_RESET_ACK: + case VPU_IPIMSG_DEC_CORE_ACK: + case VPU_IPIMSG_DEC_CORE_END_ACK: + break; - case VPU_IPIMSG_DEC_GET_PARAM_ACK: - handle_get_param_msg_ack(data); - break; - default: - mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id); - break; - } + case VPU_IPIMSG_DEC_GET_PARAM_ACK: + handle_get_param_msg_ack(data); + break; + default: + mtk_vdec_err(vpu->ctx, "invalid msg=%X", msg->msg_id); + break; } - mtk_vdec_debug(vpu->ctx, "- id=%X", msg->msg_id); +error: + vpu->signaled = 1; } static int vcodec_vpu_send_msg(struct vdec_vpu_inst *vpu, void *msg, int len) @@ -182,9 +204,10 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu) init_waitqueue_head(&vpu->wq); vpu->handler = vpu_dec_ipi_handler; + vpu->ctx->vpu_inst = vpu; err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id, - vpu->handler, "vdec", NULL); + vpu->handler, "vdec", vpu->ctx->dev); if (err) { mtk_vdec_err(vpu->ctx, "vpu_ipi_register fail status=%d", err); return err; @@ -193,7 +216,7 @@ int vpu_dec_init(struct vdec_vpu_inst *vpu) if (vpu->ctx->dev->vdec_pdata->hw_arch == MTK_VDEC_LAT_SINGLE_CORE) { err = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->core_id, vpu->handler, - "vdec", NULL); + "vdec", vpu->ctx->dev); if (err) { mtk_vdec_err(vpu->ctx, "vpu_ipi_register core fail status=%d", err); return err; -- 2.18.0