[PATCH v2,2/2] media: mediatek: vcodec: checking encoder ack message parameter
Yunfei Dong
yunfei.dong at mediatek.com
Sat Jul 22 00:46:08 PDT 2023
Need to checking all parameters of msg data are valid or not,
in case of access null pointer or unreasonable value leading
to kernel reboot.
Signed-off-by: Yunfei Dong <yunfei.dong at mediatek.com>
---
.../vcodec/encoder/mtk_vcodec_enc_drv.h | 2 +
.../mediatek/vcodec/encoder/venc_vpu_if.c | 40 +++++++++++++++++--
2 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h
index c07010e56649..a042f607ed8d 100644
--- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h
+++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h
@@ -123,6 +123,7 @@ struct mtk_enc_params {
* @xfer_func: enum v4l2_xfer_func, colorspace transfer function
*
* @q_mutex: vb2_queue mutex.
+ * @vpu_inst: vpu instance pointer.
*/
struct mtk_vcodec_enc_ctx {
enum mtk_instance_type type;
@@ -156,6 +157,7 @@ struct mtk_vcodec_enc_ctx {
enum v4l2_xfer_func xfer_func;
struct mutex q_mutex;
+ void *vpu_inst;
};
/**
diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c
index 708db1bb32d4..213544e55166 100644
--- a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c
+++ b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c
@@ -42,19 +42,47 @@ static void handle_enc_encode_msg(struct venc_vpu_inst *vpu, const void *data)
vpu->is_key_frm = msg->is_key_frm;
}
+static bool vpu_enc_check_ap_inst(struct mtk_vcodec_enc_dev *enc_dev, struct venc_vpu_inst *vpu)
+{
+ struct mtk_vcodec_enc_ctx *ctx;
+ int ret = false;
+
+ list_for_each_entry(ctx, &enc_dev->ctx_list, list) {
+ if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) {
+ ret = true;
+ break;
+ }
+ }
+
+ return ret;
+}
+
static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv)
{
+ struct mtk_vcodec_enc_dev *enc_dev;
const struct venc_vpu_ipi_msg_common *msg = data;
- struct venc_vpu_inst *vpu =
- (struct venc_vpu_inst *)(unsigned long)msg->venc_inst;
+ struct venc_vpu_inst *vpu;
mtk_venc_debug(vpu->ctx, "msg_id %x inst %p status %d", msg->msg_id, vpu, msg->status);
- vpu->signaled = 1;
+ enc_dev = (struct mtk_vcodec_enc_dev *)priv;
+ vpu = (struct venc_vpu_inst *)(unsigned long)msg->venc_inst;
+ if (!priv || !vpu) {
+ mtk_v4l2_venc_err(vpu->ctx, "venc_inst is NULL, did the SCP hang or crash?");
+ return;
+ }
+
+ if (!vpu_enc_check_ap_inst(enc_dev, vpu) || msg->msg_id < VPU_IPIMSG_ENC_INIT_DONE ||
+ msg->msg_id > VPU_IPIMSG_ENC_DEINIT_DONE) {
+ mtk_v4l2_venc_err(vpu->ctx, "venc msg id not correctly => 0x%x", msg->msg_id);
+ vpu->failure = -EINVAL;
+ goto error;
+ }
+
vpu->failure = (msg->status != VENC_IPI_MSG_STATUS_OK);
if (vpu->failure) {
mtk_venc_err(vpu->ctx, "vpu enc status failure %d", vpu->failure);
- return;
+ goto error;
}
switch (msg->msg_id) {
@@ -72,6 +100,9 @@ static void vpu_enc_ipi_handler(void *data, unsigned int len, void *priv)
mtk_venc_err(vpu->ctx, "unknown msg id %x", msg->msg_id);
break;
}
+
+error:
+ vpu->signaled = 1;
}
static int vpu_enc_send_msg(struct venc_vpu_inst *vpu, void *msg,
@@ -105,6 +136,7 @@ int vpu_enc_init(struct venc_vpu_inst *vpu)
init_waitqueue_head(&vpu->wq_hd);
vpu->signaled = 0;
vpu->failure = 0;
+ vpu->ctx->vpu_inst = vpu;
status = mtk_vcodec_fw_ipi_register(vpu->ctx->dev->fw_handler, vpu->id,
vpu_enc_ipi_handler, "venc", NULL);
--
2.18.0
More information about the linux-arm-kernel
mailing list