* [PATCH v1 0/1] mtk-vcodec: check the vp9 decoder buffer index from VPU @ 2017-03-07 6:03 Wu-Cheng Li 2017-03-07 6:03 ` [PATCH 1/1] " Wu-Cheng Li 0 siblings, 1 reply; 4+ messages in thread From: Wu-Cheng Li @ 2017-03-07 6:03 UTC (permalink / raw) To: pawel, tiffany.lin, andrew-ct.chen, mchehab, matthias.bgg, hans.verkuil, wuchengli Cc: djkurtz, linux-media, linux-arm-kernel, linux-mediatek, linux-kernel From: Wu-Cheng Li <wuchengli@google.com> This patch guards against the invalid buffer index from VPU firmware. Wu-Cheng Li (1): mtk-vcodec: check the vp9 decoder buffer index from VPU. drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c | 6 +++++ .../media/platform/mtk-vcodec/vdec/vdec_vp9_if.c | 26 ++++++++++++++++++++++ drivers/media/platform/mtk-vcodec/vdec_drv_if.h | 2 ++ 3 files changed, 34 insertions(+) -- 2.12.0.rc1.440.g5b76565f74-goog ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/1] mtk-vcodec: check the vp9 decoder buffer index from VPU. 2017-03-07 6:03 [PATCH v1 0/1] mtk-vcodec: check the vp9 decoder buffer index from VPU Wu-Cheng Li @ 2017-03-07 6:03 ` Wu-Cheng Li 2017-03-07 7:59 ` Tiffany Lin 0 siblings, 1 reply; 4+ messages in thread From: Wu-Cheng Li @ 2017-03-07 6:03 UTC (permalink / raw) To: pawel, tiffany.lin, andrew-ct.chen, mchehab, matthias.bgg, hans.verkuil, wuchengli Cc: djkurtz, linux-media, linux-arm-kernel, linux-mediatek, linux-kernel, Wu-Cheng Li From: Wu-Cheng Li <wuchengli@google.com> VPU firmware has a bug and may return invalid buffer index for some vp9 videos. Check the buffer indexes before accessing the buffer. Signed-off-by: Wu-Cheng Li <wuchengli@chromium.org> --- drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c | 6 +++++ .../media/platform/mtk-vcodec/vdec/vdec_vp9_if.c | 26 ++++++++++++++++++++++ drivers/media/platform/mtk-vcodec/vdec_drv_if.h | 2 ++ 3 files changed, 34 insertions(+) diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c index 502877a4b1df..7ebcf9e57ac7 100644 --- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c +++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c @@ -1176,6 +1176,12 @@ static void vb2ops_vdec_buf_queue(struct vb2_buffer *vb) "[%d] vdec_if_decode() src_buf=%d, size=%zu, fail=%d, res_chg=%d", ctx->id, src_buf->index, src_mem.size, ret, res_chg); + + if (ret == -EIO) { + mtk_v4l2_err("[%d] Unrecoverable error in vdec_if_decode.", + ctx->id); + ctx->state = MTK_STATE_ABORT; + } return; } diff --git a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c index e91a3b425b0c..5539b1853f16 100644 --- a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c +++ b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c @@ -718,6 +718,26 @@ static void get_free_fb(struct vdec_vp9_inst *inst, struct vdec_fb **out_fb) *out_fb = fb; } +static int validate_vsi_array_indexes(struct vdec_vp9_inst *inst, + struct vdec_vp9_vsi *vsi) { + if (vsi->sf_frm_idx >= VP9_MAX_FRM_BUF_NUM - 1) { + mtk_vcodec_err(inst, "Invalid vsi->sf_frm_idx=%u.", + vsi->sf_frm_idx); + return -EIO; + } + if (vsi->frm_to_show_idx >= VP9_MAX_FRM_BUF_NUM) { + mtk_vcodec_err(inst, "Invalid vsi->frm_to_show_idx=%u.", + vsi->frm_to_show_idx); + return -EIO; + } + if (vsi->new_fb_idx >= VP9_MAX_FRM_BUF_NUM) { + mtk_vcodec_err(inst, "Invalid vsi->new_fb_idx=%u.", + vsi->new_fb_idx); + return -EIO; + } + return 0; +} + static void vdec_vp9_deinit(unsigned long h_vdec) { struct vdec_vp9_inst *inst = (struct vdec_vp9_inst *)h_vdec; @@ -834,6 +854,12 @@ static int vdec_vp9_decode(unsigned long h_vdec, struct mtk_vcodec_mem *bs, goto DECODE_ERROR; } + ret = validate_vsi_array_indexes(inst, vsi); + if (ret) { + mtk_vcodec_err(inst, "Invalid values from VPU."); + goto DECODE_ERROR; + } + if (vsi->resolution_changed) { if (!vp9_alloc_work_buf(inst)) { ret = -EINVAL; diff --git a/drivers/media/platform/mtk-vcodec/vdec_drv_if.h b/drivers/media/platform/mtk-vcodec/vdec_drv_if.h index db6b5205ffb1..ded1154481cd 100644 --- a/drivers/media/platform/mtk-vcodec/vdec_drv_if.h +++ b/drivers/media/platform/mtk-vcodec/vdec_drv_if.h @@ -85,6 +85,8 @@ void vdec_if_deinit(struct mtk_vcodec_ctx *ctx); * @res_chg : [out] resolution change happens if current bs have different * picture width/height * Note: To flush the decoder when reaching EOF, set input bitstream as NULL. + * + * Return: 0 on success. -EIO on unrecoverable error. */ int vdec_if_decode(struct mtk_vcodec_ctx *ctx, struct mtk_vcodec_mem *bs, struct vdec_fb *fb, bool *res_chg); -- 2.12.0.rc1.440.g5b76565f74-goog ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/1] mtk-vcodec: check the vp9 decoder buffer index from VPU. 2017-03-07 6:03 ` [PATCH 1/1] " Wu-Cheng Li @ 2017-03-07 7:59 ` Tiffany Lin 2017-03-07 9:13 ` Wu-Cheng Li (李務誠) 0 siblings, 1 reply; 4+ messages in thread From: Tiffany Lin @ 2017-03-07 7:59 UTC (permalink / raw) To: Wu-Cheng Li Cc: pawel, andrew-ct.chen, mchehab, matthias.bgg, hans.verkuil, wuchengli, djkurtz, linux-media, linux-arm-kernel, linux-mediatek, linux-kernel On Tue, 2017-03-07 at 14:03 +0800, Wu-Cheng Li wrote: > From: Wu-Cheng Li <wuchengli@google.com> > > VPU firmware has a bug and may return invalid buffer index for > some vp9 videos. Check the buffer indexes before accessing the > buffer. > > Signed-off-by: Wu-Cheng Li <wuchengli@chromium.org> > --- > drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c | 6 +++++ > .../media/platform/mtk-vcodec/vdec/vdec_vp9_if.c | 26 ++++++++++++++++++++++ > drivers/media/platform/mtk-vcodec/vdec_drv_if.h | 2 ++ > 3 files changed, 34 insertions(+) > > diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c > index 502877a4b1df..7ebcf9e57ac7 100644 > --- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c > +++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c > @@ -1176,6 +1176,12 @@ static void vb2ops_vdec_buf_queue(struct vb2_buffer *vb) > "[%d] vdec_if_decode() src_buf=%d, size=%zu, fail=%d, res_chg=%d", > ctx->id, src_buf->index, > src_mem.size, ret, res_chg); > + > + if (ret == -EIO) { > + mtk_v4l2_err("[%d] Unrecoverable error in vdec_if_decode.", > + ctx->id); > + ctx->state = MTK_STATE_ABORT; > + } Could we use v4l2_m2m_buf_done(to_vb2_v4l2_buffer(src_buf), VB2_BUF_STATE_ERROR); instead ctx->state = MTK_STATE_ABORT; In this case, the behavior will be same as vdec_if_decode called in mtk_vdec_worker. And we could also get information about what output buffer make vpu crash. best regards, Tiffany > return; > } > > diff --git a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c > index e91a3b425b0c..5539b1853f16 100644 > --- a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c > +++ b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c > @@ -718,6 +718,26 @@ static void get_free_fb(struct vdec_vp9_inst *inst, struct vdec_fb **out_fb) > *out_fb = fb; > } > > +static int validate_vsi_array_indexes(struct vdec_vp9_inst *inst, > + struct vdec_vp9_vsi *vsi) { > + if (vsi->sf_frm_idx >= VP9_MAX_FRM_BUF_NUM - 1) { > + mtk_vcodec_err(inst, "Invalid vsi->sf_frm_idx=%u.", > + vsi->sf_frm_idx); > + return -EIO; > + } > + if (vsi->frm_to_show_idx >= VP9_MAX_FRM_BUF_NUM) { > + mtk_vcodec_err(inst, "Invalid vsi->frm_to_show_idx=%u.", > + vsi->frm_to_show_idx); > + return -EIO; > + } > + if (vsi->new_fb_idx >= VP9_MAX_FRM_BUF_NUM) { > + mtk_vcodec_err(inst, "Invalid vsi->new_fb_idx=%u.", > + vsi->new_fb_idx); > + return -EIO; > + } > + return 0; > +} > + > static void vdec_vp9_deinit(unsigned long h_vdec) > { > struct vdec_vp9_inst *inst = (struct vdec_vp9_inst *)h_vdec; > @@ -834,6 +854,12 @@ static int vdec_vp9_decode(unsigned long h_vdec, struct mtk_vcodec_mem *bs, > goto DECODE_ERROR; > } > > + ret = validate_vsi_array_indexes(inst, vsi); > + if (ret) { > + mtk_vcodec_err(inst, "Invalid values from VPU."); > + goto DECODE_ERROR; > + } > + > if (vsi->resolution_changed) { > if (!vp9_alloc_work_buf(inst)) { > ret = -EINVAL; > diff --git a/drivers/media/platform/mtk-vcodec/vdec_drv_if.h b/drivers/media/platform/mtk-vcodec/vdec_drv_if.h > index db6b5205ffb1..ded1154481cd 100644 > --- a/drivers/media/platform/mtk-vcodec/vdec_drv_if.h > +++ b/drivers/media/platform/mtk-vcodec/vdec_drv_if.h > @@ -85,6 +85,8 @@ void vdec_if_deinit(struct mtk_vcodec_ctx *ctx); > * @res_chg : [out] resolution change happens if current bs have different > * picture width/height > * Note: To flush the decoder when reaching EOF, set input bitstream as NULL. > + * > + * Return: 0 on success. -EIO on unrecoverable error. > */ > int vdec_if_decode(struct mtk_vcodec_ctx *ctx, struct mtk_vcodec_mem *bs, > struct vdec_fb *fb, bool *res_chg); ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/1] mtk-vcodec: check the vp9 decoder buffer index from VPU. 2017-03-07 7:59 ` Tiffany Lin @ 2017-03-07 9:13 ` Wu-Cheng Li (李務誠) 0 siblings, 0 replies; 4+ messages in thread From: Wu-Cheng Li (李務誠) @ 2017-03-07 9:13 UTC (permalink / raw) To: Tiffany Lin Cc: Wu-Cheng Li, pawel, Andrew-CT Chen (陳智迪), mchehab, Matthias Brugger, Hans Verkuil, Daniel Kurtz, linux-media, linux-arm-kernel, linux-mediatek, linux-kernel On Tue, Mar 7, 2017 at 3:59 PM, Tiffany Lin <tiffany.lin@mediatek.com> wrote: > On Tue, 2017-03-07 at 14:03 +0800, Wu-Cheng Li wrote: >> From: Wu-Cheng Li <wuchengli@google.com> >> >> VPU firmware has a bug and may return invalid buffer index for >> some vp9 videos. Check the buffer indexes before accessing the >> buffer. >> >> Signed-off-by: Wu-Cheng Li <wuchengli@chromium.org> >> --- >> drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c | 6 +++++ >> .../media/platform/mtk-vcodec/vdec/vdec_vp9_if.c | 26 ++++++++++++++++++++++ >> drivers/media/platform/mtk-vcodec/vdec_drv_if.h | 2 ++ >> 3 files changed, 34 insertions(+) >> >> diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c >> index 502877a4b1df..7ebcf9e57ac7 100644 >> --- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c >> +++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c >> @@ -1176,6 +1176,12 @@ static void vb2ops_vdec_buf_queue(struct vb2_buffer *vb) >> "[%d] vdec_if_decode() src_buf=%d, size=%zu, fail=%d, res_chg=%d", >> ctx->id, src_buf->index, >> src_mem.size, ret, res_chg); >> + >> + if (ret == -EIO) { >> + mtk_v4l2_err("[%d] Unrecoverable error in vdec_if_decode.", >> + ctx->id); >> + ctx->state = MTK_STATE_ABORT; >> + } > Could we use v4l2_m2m_buf_done(to_vb2_v4l2_buffer(src_buf), > VB2_BUF_STATE_ERROR); instead ctx->state = MTK_STATE_ABORT; > In this case, the behavior will be same as vdec_if_decode called in > mtk_vdec_worker. If we use VB2_BUF_STATE_ERROR, dqbuf will return V4L2_BUF_FLAG_ERROR. It means a recoverable error. "The driver may also set V4L2_BUF_FLAG_ERROR in the flags field. It indicates a non-critical (recoverable) streaming error. In such case the application may continue as normal, but should be aware that data in the dequeued buffer might be corrupted." https://static.lwn.net/kerneldoc/media/uapi/v4l/vidioc-qbuf.html > And we could also get information about what output buffer make vpu > crash. > > best regards, > Tiffany >> return; >> } >> >> diff --git a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c >> index e91a3b425b0c..5539b1853f16 100644 >> --- a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c >> +++ b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c >> @@ -718,6 +718,26 @@ static void get_free_fb(struct vdec_vp9_inst *inst, struct vdec_fb **out_fb) >> *out_fb = fb; >> } >> >> +static int validate_vsi_array_indexes(struct vdec_vp9_inst *inst, >> + struct vdec_vp9_vsi *vsi) { >> + if (vsi->sf_frm_idx >= VP9_MAX_FRM_BUF_NUM - 1) { >> + mtk_vcodec_err(inst, "Invalid vsi->sf_frm_idx=%u.", >> + vsi->sf_frm_idx); >> + return -EIO; >> + } >> + if (vsi->frm_to_show_idx >= VP9_MAX_FRM_BUF_NUM) { >> + mtk_vcodec_err(inst, "Invalid vsi->frm_to_show_idx=%u.", >> + vsi->frm_to_show_idx); >> + return -EIO; >> + } >> + if (vsi->new_fb_idx >= VP9_MAX_FRM_BUF_NUM) { >> + mtk_vcodec_err(inst, "Invalid vsi->new_fb_idx=%u.", >> + vsi->new_fb_idx); >> + return -EIO; >> + } >> + return 0; >> +} >> + >> static void vdec_vp9_deinit(unsigned long h_vdec) >> { >> struct vdec_vp9_inst *inst = (struct vdec_vp9_inst *)h_vdec; >> @@ -834,6 +854,12 @@ static int vdec_vp9_decode(unsigned long h_vdec, struct mtk_vcodec_mem *bs, >> goto DECODE_ERROR; >> } >> >> + ret = validate_vsi_array_indexes(inst, vsi); >> + if (ret) { >> + mtk_vcodec_err(inst, "Invalid values from VPU."); >> + goto DECODE_ERROR; >> + } >> + >> if (vsi->resolution_changed) { >> if (!vp9_alloc_work_buf(inst)) { >> ret = -EINVAL; >> diff --git a/drivers/media/platform/mtk-vcodec/vdec_drv_if.h b/drivers/media/platform/mtk-vcodec/vdec_drv_if.h >> index db6b5205ffb1..ded1154481cd 100644 >> --- a/drivers/media/platform/mtk-vcodec/vdec_drv_if.h >> +++ b/drivers/media/platform/mtk-vcodec/vdec_drv_if.h >> @@ -85,6 +85,8 @@ void vdec_if_deinit(struct mtk_vcodec_ctx *ctx); >> * @res_chg : [out] resolution change happens if current bs have different >> * picture width/height >> * Note: To flush the decoder when reaching EOF, set input bitstream as NULL. >> + * >> + * Return: 0 on success. -EIO on unrecoverable error. >> */ >> int vdec_if_decode(struct mtk_vcodec_ctx *ctx, struct mtk_vcodec_mem *bs, >> struct vdec_fb *fb, bool *res_chg); > > ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-03-07 9:23 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-03-07 6:03 [PATCH v1 0/1] mtk-vcodec: check the vp9 decoder buffer index from VPU Wu-Cheng Li 2017-03-07 6:03 ` [PATCH 1/1] " Wu-Cheng Li 2017-03-07 7:59 ` Tiffany Lin 2017-03-07 9:13 ` Wu-Cheng Li (李務誠)
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox