lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200428125036.9401-3-narmstrong@baylibre.com>
Date:   Tue, 28 Apr 2020 14:50:35 +0200
From:   Neil Armstrong <narmstrong@...libre.com>
To:     linux-media@...r.kernel.org, hverkuil-cisco@...all.nl
Cc:     linux-amlogic@...ts.infradead.org,
        linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
        Maxime Jourdan <mjourdan@...libre.com>,
        Neil Armstrong <narmstrong@...libre.com>
Subject: [PATCH 2/3] media: meson: vdec: fix another case of VP9 buffer shortage

From: Maxime Jourdan <mjourdan@...libre.com>

- Redo the logic where VP9 gets fresh CAPTURE buffers. The previous code
  could lead to a hardlock.
- Reserve 4 margin buffers instead of 3, as apparently there are corner
  cases where 3 is not enough.

Fixes: e9a3eb4819ca ("media: meson: vdec: add VP9 input support")
Fixes: 00c43088aa68 ("media: meson: vdec: add VP9 decoder support")
Signed-off-by: Maxime Jourdan <mjourdan@...libre.com>
Signed-off-by: Neil Armstrong <narmstrong@...libre.com>
---
 drivers/staging/media/meson/vdec/codec_vp9.c | 41 +++++++++++++-------
 drivers/staging/media/meson/vdec/esparser.c  | 24 ++++++------
 2 files changed, 38 insertions(+), 27 deletions(-)

diff --git a/drivers/staging/media/meson/vdec/codec_vp9.c b/drivers/staging/media/meson/vdec/codec_vp9.c
index 897f5d7a6aad..28a7e62e7371 100644
--- a/drivers/staging/media/meson/vdec/codec_vp9.c
+++ b/drivers/staging/media/meson/vdec/codec_vp9.c
@@ -1185,6 +1185,29 @@ static void codec_vp9_set_mc(struct amvdec_session *sess,
 	amvdec_write_dos(core, VP9D_MPP_REF_SCALE_ENBL, scale);
 }
 
+/*
+ * Get a free VB2 buffer that isn't currently used.
+ * VP9 references are held sometimes for so long that it's not really an option
+ * to hold them until they're no longer referenced, as it would delay the
+ * CAPTURE queue too much
+ */
+static struct vb2_v4l2_buffer *get_free_vbuf(struct amvdec_session *sess)
+{
+	struct codec_vp9 *vp9 = sess->priv;
+	struct vb2_v4l2_buffer *vbuf = v4l2_m2m_dst_buf_remove(sess->m2m_ctx);
+	struct vb2_v4l2_buffer *vbuf2;
+
+	if (!vbuf)
+		return NULL;
+
+	if (!codec_vp9_get_frame_by_idx(vp9, vbuf->vb2_buf.index))
+		return vbuf;
+
+	vbuf2 = get_free_vbuf(sess);
+	v4l2_m2m_buf_queue(sess->m2m_ctx, vbuf);
+	return vbuf2;
+}
+
 static struct vp9_frame *codec_vp9_get_new_frame(struct amvdec_session *sess)
 {
 	struct codec_vp9 *vp9 = sess->priv;
@@ -1196,25 +1219,13 @@ static struct vp9_frame *codec_vp9_get_new_frame(struct amvdec_session *sess)
 	if (!new_frame)
 		return NULL;
 
-	vbuf = v4l2_m2m_dst_buf_remove(sess->m2m_ctx);
+	vbuf = get_free_vbuf(sess);
 	if (!vbuf) {
 		dev_err(sess->core->dev, "No dst buffer available\n");
 		kfree(new_frame);
 		return NULL;
 	}
 
-	while (codec_vp9_get_frame_by_idx(vp9, vbuf->vb2_buf.index)) {
-		struct vb2_v4l2_buffer *old_vbuf = vbuf;
-
-		vbuf = v4l2_m2m_dst_buf_remove(sess->m2m_ctx);
-		v4l2_m2m_buf_queue(sess->m2m_ctx, old_vbuf);
-		if (!vbuf) {
-			dev_err(sess->core->dev, "No dst buffer available\n");
-			kfree(new_frame);
-			return NULL;
-		}
-	}
-
 	new_frame->vbuf = vbuf;
 	new_frame->index = vbuf->vb2_buf.index;
 	new_frame->intra_only = param->p.intra_only;
@@ -1267,8 +1278,10 @@ static void codec_vp9_process_frame(struct amvdec_session *sess)
 		codec_vp9_rm_noshow_frame(sess);
 
 	vp9->cur_frame = codec_vp9_get_new_frame(sess);
-	if (!vp9->cur_frame)
+	if (!vp9->cur_frame) {
+		amvdec_abort(sess);
 		return;
+	}
 
 	pr_debug("frame %d: type: %08X; show_exist: %u; show: %u, intra_only: %u\n",
 		 vp9->cur_frame->index,
diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
index db7022707ff8..814bb0587e3b 100644
--- a/drivers/staging/media/meson/vdec/esparser.c
+++ b/drivers/staging/media/meson/vdec/esparser.c
@@ -301,21 +301,19 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
 	u32 offset;
 	u32 pad_size;
 
-	/*
-	 * When max ref frame is held by VP9, this should be -= 3 to prevent a
-	 * shortage of CAPTURE buffers on the decoder side.
-	 * For the future, a good enhancement of the way this is handled could
-	 * be to notify new capture buffers to the decoding modules, so that
-	 * they could pause when there is no capture buffer available and
-	 * resume on this notification.
-	 */
-	if (sess->fmt_out->pixfmt == V4L2_PIX_FMT_VP9) {
-		if (codec_ops->num_pending_bufs)
-			num_dst_bufs = codec_ops->num_pending_bufs(sess);
-
+	if (codec_ops->num_pending_bufs) {
+		num_dst_bufs = codec_ops->num_pending_bufs(sess);
 		num_dst_bufs += v4l2_m2m_num_dst_bufs_ready(sess->m2m_ctx);
+		/*
+		 * When max ref frame is held by VP9, this should be -= 4
+		 * to prevent a shortage of CAPTURE buffers on the decoder side.
+		 * For the future, a good enhancement of the way this is handled
+		 * could be to notify new capture buffers to the decoding
+		 * modules, so that they could pause when there is no capture
+		 * buffer available and resume on this notification.
+		 */
 		if (sess->fmt_out->pixfmt == V4L2_PIX_FMT_VP9)
-			num_dst_bufs -= 3;
+			num_dst_bufs -= 4;
 
 		if (esparser_vififo_get_free_space(sess) < payload_size ||
 		    atomic_read(&sess->esparser_queued_bufs) >= num_dst_bufs)
-- 
2.22.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ