[PATCH v2 1/6] media: v4l2-ctrls: validate HEVC and AV1 tile counts

Mon Jun 15 01:05:17 PDT 2026

Le 14/06/2026 à 17:56, Michael Bommarito a écrit :
> The stateless HEVC and AV1 controls carry tile counts that several SoC
> decoder drivers consume as loop bounds when laying out fixed-size hardware
> descriptor buffers, but std_validate_compound() does not bound them.
>
> For V4L2_CTRL_TYPE_HEVC_PPS with tiling enabled, num_tile_columns_minus1
> and num_tile_rows_minus1 (u8) drive loops over column_width_minus1[20] and
> row_height_minus1[22]. For V4L2_CTRL_TYPE_AV1_FRAME, tile_info.tile_cols
> and tile_rows (u8) bound loops over the mi_*_starts[] / *_in_sbs_minus_1[]
> arrays. Reject counts beyond the uAPI array capacity with -EINVAL.
>
> These are active-count fields (loop bounds), so bounding the upper limit
> here mirrors the existing num_active_dpb_entries check. Only the upper
> bound is enforced; a zero tile count is left to the consuming driver, so
> the zero-initialised AV1 frame control that existing userspace submits is
> not rejected, and the AV1 divisor (context_update_tile_id / tile_cols) is
> guarded where it is used in the rockchip decoder (patch 4).
>
> Driver-interpreted index values (HEVC pic_parameter_set_id, AV1
> context_update_tile_id) are bounded in the consuming drivers instead
> (patches 2 and 4).
>
> Fixes: 256fa3920874 ("media: v4l: Add definitions for HEVC stateless decoding")
> Fixes: 9de30f579980 ("media: Add AV1 uAPI")

I think you need to do a patch for each of the codec with only one "Fixes" tag on each.

Regards,
Benjamin

> Signed-off-by: Michael Bommarito <michael.bommarito at gmail.com>
> Assisted-by: Claude:claude-opus-4-8
> ---
>   drivers/media/v4l2-core/v4l2-ctrls-core.c | 23 +++++++++++++++++++++++
>   1 file changed, 23 insertions(+)
>
> diff --git a/drivers/media/v4l2-core/v4l2-ctrls-core.c b/drivers/media/v4l2-core/v4l2-ctrls-core.c
> index 6b375720e395c..58e2eb7002a19 100644
> --- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
> +++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
> @@ -790,10 +790,25 @@ static int validate_av1_film_grain(struct v4l2_ctrl_av1_film_grain *fg)
>   	return 0;
>   }
>   
> +static int validate_av1_tile_info(struct v4l2_av1_tile_info *t)
> +{
> +	/* Loop bounds in the stateless AV1 drivers. */
> +	if (t->tile_cols > V4L2_AV1_MAX_TILE_COLS)
> +		return -EINVAL;
> +
> +	if (t->tile_rows > V4L2_AV1_MAX_TILE_ROWS)
> +		return -EINVAL;
> +
> +	return 0;
> +}
> +
>   static int validate_av1_frame(struct v4l2_ctrl_av1_frame *f)
>   {
>   	int ret = 0;
>   
> +	ret = validate_av1_tile_info(&f->tile_info);
> +	if (ret)
> +		return ret;
>   	ret = validate_av1_quantization(&f->quantization);
>   	if (ret)
>   		return ret;
> @@ -1242,6 +1257,14 @@ static int std_validate_compound(const struct v4l2_ctrl *ctrl, u32 idx,
>   
>   			p_hevc_pps->flags &=
>   				~V4L2_HEVC_PPS_FLAG_LOOP_FILTER_ACROSS_TILES_ENABLED;
> +		} else {
> +			/* Loop bounds in the stateless HEVC drivers. */
> +			if (p_hevc_pps->num_tile_columns_minus1 >=
> +			    ARRAY_SIZE(p_hevc_pps->column_width_minus1))
> +				return -EINVAL;
> +			if (p_hevc_pps->num_tile_rows_minus1 >=
> +			    ARRAY_SIZE(p_hevc_pps->row_height_minus1))
> +				return -EINVAL;
>   		}
>   
>   		if (p_hevc_pps->flags &