* [PATCH] media: cedrus: skip invalid H.264 reference list entries
@ 2026-03-24 8:08 Pengpeng Hou
2026-03-29 9:21 ` Jernej Škrabec
0 siblings, 1 reply; 3+ messages in thread
From: Pengpeng Hou @ 2026-03-24 8:08 UTC (permalink / raw)
To: mripard
Cc: paulk, mchehab, gregkh, wens, jernej.skrabec, samuel,
nicolas.dufresne, linux-media, linux-staging, linux-arm-kernel,
linux-sunxi, linux-kernel, pengpeng
Cedrus consumes H.264 ref_pic_list0/ref_pic_list1 entries from the
stateless slice control and later uses their indices to look up
decode->dpb[] in _cedrus_write_ref_list().
Rejecting such controls in cedrus_try_ctrl() would break existing
userspace, since stateless H.264 reference lists may legitimately carry
out-of-range indices for missing references. Instead, guard the actual
DPB lookup in Cedrus and skip entries whose indices do not fit the fixed
V4L2_H264_NUM_DPB_ENTRIES array.
This keeps the fix local to the driver use site and avoids out-of-bounds
reads from malformed or unsupported reference list entries.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
drivers/staging/media/sunxi/cedrus/cedrus_h264.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_h264.c b/drivers/staging/media/sunxi/cedrus/cedrus_h264.c
--- a/drivers/staging/media/sunxi/cedrus/cedrus_h264.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus_h264.c
@@ -210,6 +210,9 @@ static void _cedrus_write_ref_list(struct cedrus_ctx *ctx,
u8 dpb_idx;
dpb_idx = ref_list[i].index;
+ if (dpb_idx >= V4L2_H264_NUM_DPB_ENTRIES)
+ continue;
+
dpb = &decode->dpb[dpb_idx];
if (!(dpb->flags & V4L2_H264_DPB_ENTRY_FLAG_ACTIVE))
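Review bot: the new guard on dpb_idx compares against V4L2_H264_NUM_DPB_ENTRIES rather than the array it protects; since the next line indexes decode->dpb[], writing it as `if (dpb_idx >= ARRAY_SIZE(decode->dpb))` would keep the check correct if the array size and the constant ever diverge. The silent `continue` also deserves a one-line comment stating that out-of-range indices are expected from userspace for missing references, as the commit message explains, so a later reader does not turn the skip into a hard error. Because dpb_idx is a u8, the single upper-bound comparison is sufficient. The commit message carries no Fixes: tag; if the unchecked lookup can be traced to a specific commit, adding one would help stable backports.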
--
2.50.1
* Re: [PATCH] media: cedrus: skip invalid H.264 reference list entries
From: Jernej Škrabec @ 2026-03-29 9:21 UTC (permalink / raw)
To: mripard, Pengpeng Hou
Cc: paulk, mchehab, gregkh, wens, samuel, nicolas.dufresne,
linux-media, linux-staging, linux-arm-kernel, linux-sunxi,
linux-kernel, pengpeng
On Tuesday, 24 March 2026 at 09:08:56 Central European Summer Time, Pengpeng Hou wrote:
> Cedrus consumes H.264 ref_pic_list0/ref_pic_list1 entries from the
> stateless slice control and later uses their indices to look up
> decode->dpb[] in _cedrus_write_ref_list().
>
> Rejecting such controls in cedrus_try_ctrl() would break existing
> userspace, since stateless H.264 reference lists may legitimately carry
> out-of-range indices for missing references. Instead, guard the actual
> DPB lookup in Cedrus and skip entries whose indices do not fit the fixed
> V4L2_H264_NUM_DPB_ENTRIES array.
>
> This keeps the fix local to the driver use site and avoids out-of-bounds
> reads from malformed or unsupported reference list entries.
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Best regards,
Jernej
* Re: [PATCH] media: cedrus: skip invalid H.264 reference list entries
From: Chen-Yu Tsai @ 2026-03-29 12:44 UTC (permalink / raw)
To: Jernej Škrabec
Cc: mripard, Pengpeng Hou, paulk, mchehab, gregkh, samuel,
nicolas.dufresne, linux-media, linux-staging, linux-arm-kernel,
linux-sunxi, linux-kernel
On Sun, Mar 29, 2026 at 5:21 PM Jernej Škrabec <jernej.skrabec@gmail.com> wrote:
>
> On Tuesday, 24 March 2026 at 09:08:56 Central European Summer Time, Pengpeng Hou wrote:
> > Cedrus consumes H.264 ref_pic_list0/ref_pic_list1 entries from the
> > stateless slice control and later uses their indices to look up
> > decode->dpb[] in _cedrus_write_ref_list().
> >
> > Rejecting such controls in cedrus_try_ctrl() would break existing
> > userspace, since stateless H.264 reference lists may legitimately carry
> > out-of-range indices for missing references. Instead, guard the actual
> > DPB lookup in Cedrus and skip entries whose indices do not fit the fixed
> > V4L2_H264_NUM_DPB_ENTRIES array.
> >
> > This keeps the fix local to the driver use site and avoids out-of-bounds
> > reads from malformed or unsupported reference list entries.
> >
> > Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
>
> Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Tested-by: Chen-Yu Tsai <wens@kernel.org>
This fixes a KASAN slab-use-after-free warning when running fluster H.264
tests.