Open Source and information security mailing list archives
 
Message-ID: <CAOMLVLhZ5ZrreMixO0B3V7zsdRjJ=KO4ktntih+b-64ZaYFAJA@mail.gmail.com>
Date:   Tue, 7 Mar 2017 17:13:29 +0800
From:   Wu-Cheng Li (李務誠) 
        <wuchengli@...omium.org>
To:     Tiffany Lin <tiffany.lin@...iatek.com>
Cc:     Wu-Cheng Li <wuchengli@...omium.org>, pawel@...iak.com,
        Andrew-CT Chen (陳智迪) 
        <andrew-ct.chen@...iatek.com>, mchehab@...nel.org,
        Matthias Brugger <matthias.bgg@...il.com>,
        Hans Verkuil <hans.verkuil@...co.com>,
        Daniel Kurtz <djkurtz@...omium.org>,
        linux-media@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
        linux-mediatek@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/1] mtk-vcodec: check the vp9 decoder buffer index from VPU.

On Tue, Mar 7, 2017 at 3:59 PM, Tiffany Lin <tiffany.lin@...iatek.com> wrote:
> On Tue, 2017-03-07 at 14:03 +0800, Wu-Cheng Li wrote:
>> From: Wu-Cheng Li <wuchengli@...gle.com>
>>
>> VPU firmware has a bug and may return an invalid buffer index for
>> some vp9 videos. Check the buffer indexes before accessing the
>> buffer.
>>
>> Signed-off-by: Wu-Cheng Li <wuchengli@...omium.org>
>> ---
>>  drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c |  6 +++++
>>  .../media/platform/mtk-vcodec/vdec/vdec_vp9_if.c   | 26 ++++++++++++++++++++++
>>  drivers/media/platform/mtk-vcodec/vdec_drv_if.h    |  2 ++
>>  3 files changed, 34 insertions(+)
>>
>> diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
>> index 502877a4b1df..7ebcf9e57ac7 100644
>> --- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
>> +++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
>> @@ -1176,6 +1176,12 @@ static void vb2ops_vdec_buf_queue(struct vb2_buffer *vb)
>>                              "[%d] vdec_if_decode() src_buf=%d, size=%zu, fail=%d, res_chg=%d",
>>                              ctx->id, src_buf->index,
>>                              src_mem.size, ret, res_chg);
>> +
>> +             if (ret == -EIO) {
>> +                     mtk_v4l2_err("[%d] Unrecoverable error in vdec_if_decode.",
>> +                                     ctx->id);
>> +                     ctx->state = MTK_STATE_ABORT;
>> +             }
> Could we use v4l2_m2m_buf_done(to_vb2_v4l2_buffer(src_buf),
> VB2_BUF_STATE_ERROR); instead of ctx->state = MTK_STATE_ABORT;
> In this case, the behavior will be the same as vdec_if_decode called in
> mtk_vdec_worker.
If we use VB2_BUF_STATE_ERROR, dqbuf will return V4L2_BUF_FLAG_ERROR.
It means a recoverable error.

"The driver may also set V4L2_BUF_FLAG_ERROR in the flags field. It indicates
a non-critical (recoverable) streaming error. In such case the application may
continue as normal, but should be aware that data in the dequeued buffer might
be corrupted."
https://static.lwn.net/kerneldoc/media/uapi/v4l/vidioc-qbuf.html
> And we could also get information about which output buffer makes the VPU
> crash.
>
> best regards,
> Tiffany
>>               return;
>>       }
>>
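
Review bot: the `if (ret == -EIO)` branch in vb2ops_vdec_buf_queue() has no comment saying why the context is moved to MTK_STATE_ABORT rather than the source buffer being returned with VB2_BUF_STATE_ERROR, and the discussion in this thread shows the choice is not obvious. A short comment that V4L2_BUF_FLAG_ERROR is defined as a recoverable streaming error, while an invalid index from the VPU is treated as unrecoverable, would keep a later cleanup from undoing it. The branch also treats every -EIO coming out of vdec_if_decode() as fatal, so it is worth confirming that no decoder backend returns -EIO for a transient failure.
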
>> diff --git a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c
>> index e91a3b425b0c..5539b1853f16 100644
>> --- a/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c
>> +++ b/drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c
>> @@ -718,6 +718,26 @@ static void get_free_fb(struct vdec_vp9_inst *inst, struct vdec_fb **out_fb)
>>       *out_fb = fb;
>>  }
>>
>> +static int validate_vsi_array_indexes(struct vdec_vp9_inst *inst,
>> +             struct vdec_vp9_vsi *vsi) {
>> +     if (vsi->sf_frm_idx >= VP9_MAX_FRM_BUF_NUM - 1) {
>> +             mtk_vcodec_err(inst, "Invalid vsi->sf_frm_idx=%u.",
>> +                             vsi->sf_frm_idx);
>> +             return -EIO;
>> +     }
>> +     if (vsi->frm_to_show_idx >= VP9_MAX_FRM_BUF_NUM) {
>> +             mtk_vcodec_err(inst, "Invalid vsi->frm_to_show_idx=%u.",
>> +                             vsi->frm_to_show_idx);
>> +             return -EIO;
>> +     }
>> +     if (vsi->new_fb_idx >= VP9_MAX_FRM_BUF_NUM) {
>> +             mtk_vcodec_err(inst, "Invalid vsi->new_fb_idx=%u.",
>> +                             vsi->new_fb_idx);
>> +             return -EIO;
>> +     }
>> +     return 0;
>> +}
>> +
>>  static void vdec_vp9_deinit(unsigned long h_vdec)
>>  {
>>       struct vdec_vp9_inst *inst = (struct vdec_vp9_inst *)h_vdec;
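
Review bot: in validate_vsi_array_indexes() the bound for sf_frm_idx is `VP9_MAX_FRM_BUF_NUM - 1` while frm_to_show_idx and new_fb_idx are checked against `VP9_MAX_FRM_BUF_NUM`, and nothing in the function says why the limits differ. If sf_frm_idx indexes a smaller array, add a comment naming it, or check each index with ARRAY_SIZE() on the array it is used with so the bound cannot drift from the declaration. Style point: kernel coding style puts the opening brace of a function on its own line, not after `struct vdec_vp9_vsi *vsi)`.
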
>> @@ -834,6 +854,12 @@ static int vdec_vp9_decode(unsigned long h_vdec, struct mtk_vcodec_mem *bs,
>>                       goto DECODE_ERROR;
>>               }
>>
>> +             ret = validate_vsi_array_indexes(inst, vsi);
>> +             if (ret) {
>> +                     mtk_vcodec_err(inst, "Invalid values from VPU.");
>> +                     goto DECODE_ERROR;
>> +             }
>> +
>>               if (vsi->resolution_changed) {
>>                       if (!vp9_alloc_work_buf(inst)) {
>>                               ret = -EINVAL;
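
Review bot: the `mtk_vcodec_err(inst, "Invalid values from VPU.")` line after the call is redundant, since validate_vsi_array_indexes() already logs which index was rejected and its value; the caller can be reduced to `if (ret) goto DECODE_ERROR;`. Separately, the helper returns only a status, so any later use of the three indexes has to read them from `vsi` again. If the VPU can still write that structure after the check, copy the indexes into locals, validate the copies, and use only the copies afterwards.
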
>> diff --git a/drivers/media/platform/mtk-vcodec/vdec_drv_if.h b/drivers/media/platform/mtk-vcodec/vdec_drv_if.h
>> index db6b5205ffb1..ded1154481cd 100644
>> --- a/drivers/media/platform/mtk-vcodec/vdec_drv_if.h
>> +++ b/drivers/media/platform/mtk-vcodec/vdec_drv_if.h
>> @@ -85,6 +85,8 @@ void vdec_if_deinit(struct mtk_vcodec_ctx *ctx);
>>   * @res_chg  : [out] resolution change happens if current bs have different
>>   *   picture width/height
>>   * Note: To flush the decoder when reaching EOF, set input bitstream as NULL.
>> + *
>> + * Return: 0 on success. -EIO on unrecoverable error.
>>   */
>>  int vdec_if_decode(struct mtk_vcodec_ctx *ctx, struct mtk_vcodec_mem *bs,
>>                  struct vdec_fb *fb, bool *res_chg);
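
Review bot: the new `Return:` line documents only 0 and -EIO, but the vdec_vp9_decode() context in this same patch sets `ret = -EINVAL` when vp9_alloc_work_buf() fails, so other negative values appear to reach callers of vdec_if_decode(). Since vb2ops_vdec_buf_queue() now branches on -EIO specifically, the comment should also say how callers are expected to treat the other negative error codes.
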
>
>
