Re: [PATCH v3] media: v4l2-ctrls: validate HEVC active reference counts

[Nicolas Dufresne <nicolas.dufresne@collabora.com>]

[-- Attachment #1: Type: text/plain, Size: 2746 bytes --]

Le mardi 24 mars 2026 à 11:13 +0800, Pengpeng Hou a écrit :
> HEVC slice parameters are shared stateless V4L2 controls, but the common
> validation path does not verify the active L0/L1 reference counts before
> driver-specific code consumes them.
> 
> The original report came from Cedrus, but the active count bounds are
> not Cedrus-specific. Validate them in the common HEVC slice control path
> so stateless HEVC drivers get the same basic guarantees as soon as the
> control is queued.
> 
> Do not reject ref_idx_l0/ref_idx_l1 entries here. Existing userspace may
> use out-of-range sentinel values such as 0xff for missing references, and
> some hardware can use that information for concealment. Keep this common
> check limited to the active reference counts.
> 
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>

Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>

> ---
> v3:
> - add the missing `p_hevc_slice_params` declaration to fix the build break
>   reported by lkp
> - keep only the active L0/L1 reference count validation in common code
> - drop the ref_idx_l0/ref_idx_l1 rejection per Nicolas Dufresne's review,
>   since existing userspace may use out-of-range sentinel values such as
>   0xff for missing references
> 
>  drivers/media/v4l2-core/v4l2-ctrls-core.c | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/drivers/media/v4l2-core/v4l2-ctrls-core.c b/drivers/media/v4l2-
> core/v4l2-ctrls-core.c
> index 6b375720e395..ba047d7d8601 100644
> --- a/drivers/media/v4l2-core/v4l2-ctrls-core.c
> +++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c
> @@ -971,6 +971,7 @@ static int std_validate_compound(const struct v4l2_ctrl
> *ctrl, u32 idx,
>  	struct v4l2_ctrl_hevc_ext_sps_st_rps *p_hevc_st_rps;
>  	struct v4l2_ctrl_hevc_sps *p_hevc_sps;
>  	struct v4l2_ctrl_hevc_pps *p_hevc_pps;
> +	struct v4l2_ctrl_hevc_slice_params *p_hevc_slice_params;
>  	struct v4l2_ctrl_hdr10_mastering_display *p_hdr10_mastering;
>  	struct v4l2_ctrl_hevc_decode_params *p_hevc_decode_params;
>  	struct v4l2_area *area;
> @@ -1260,6 +1261,18 @@ static int std_validate_compound(const struct v4l2_ctrl
> *ctrl, u32 idx,
>  		break;
>  
>  	case V4L2_CTRL_TYPE_HEVC_SLICE_PARAMS:
> +		p_hevc_slice_params = p;
> +
> +		if (p_hevc_slice_params->num_ref_idx_l0_active_minus1 >=
> +		    V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
> +			return -EINVAL;
> +
> +		if (p_hevc_slice_params->slice_type !=
> V4L2_HEVC_SLICE_TYPE_B)
> +			break;
> +
> +		if (p_hevc_slice_params->num_ref_idx_l1_active_minus1 >=
> +		    V4L2_HEVC_DPB_ENTRIES_NUM_MAX)
> +			return -EINVAL;
>  		break;
>  
>  	case V4L2_CTRL_TYPE_HEVC_EXT_SPS_ST_RPS:

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 228 bytes --]