| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251006154041.1804800-1-Pavel.Zhigulin@kaspersky.com>
Date: Mon, 6 Oct 2025 18:40:39 +0300
From: Pavel Zhigulin <Pavel.Zhigulin@...persky.com>
To: Vikash Garodia <vikash.garodia@....qualcomm.com>
CC: Pavel Zhigulin <Pavel.Zhigulin@...persky.com>, Dikshita Agarwal
<dikshita.agarwal@....qualcomm.com>, Bryan O'Donoghue <bod@...nel.org>, Mauro
Carvalho Chehab <mchehab@...nel.org>, Stanimir Varbanov
<stanimir.varbanov@...aro.org>, <linux-media@...r.kernel.org>,
<linux-arm-msm@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<lvc-project@...uxtesting.org>
Subject: [PATCH] media: venus: prevent potential integer overflow in decide_core()
The function 'decide_core()' contains the following code:
cur_inst_load = load_per_instance(inst);
cur_inst_load *= inst->clk_data.vpp_freq;
...
cur_inst_lp_load = load_per_instance(inst);
cur_inst_lp_load *= inst->clk_data.low_power_freq;
This can lead to an integer overflow because the variables
'cur_inst_load' and 'cur_inst_lp_load' are of type u32.
The overflow can occur in the following scenario:
1. The current FPS is 240 (VENUS_MAX_FPS constant).
The processed image frame has a resolution of 4096x4096 pixels.
2. According to 'codec_freq_data':
- 'inst->clk_data.low_power_freq' can be up to 320
- 'inst->clk_data.vpp_freq' can be up to 675
(see drivers/media/platform/qcom/venus/hfi_platform_v4.c
and drivers/media/platform/qcom/venus/hfi_platform_v6.c)
3. 'load_per_instance()' returns 15728640 under these conditions.
4. As a result:
cur_inst_load *= inst->clk_data.vpp_freq → 10616832000
cur_inst_lp_load *= inst->clk_data.low_power_freq → 5033164800
The proposed fix changes the type of these variables from u32 to u64
to prevent overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 3cfe5815ce0e ("media: venus: Enable low power setting for encoder")
Signed-off-by: Pavel Zhigulin <Pavel.Zhigulin@...persky.com>
---
drivers/media/platform/qcom/venus/pm_helpers.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c
index f0269524ac70..caaab097a04d 100644
--- a/drivers/media/platform/qcom/venus/pm_helpers.c
+++ b/drivers/media/platform/qcom/venus/pm_helpers.c
@@ -582,9 +582,9 @@ static int move_core_to_power_save_mode(struct venus_core *core,
}
static void
-min_loaded_core(struct venus_inst *inst, u32 *min_coreid, u32 *min_load, bool low_power)
+min_loaded_core(struct venus_inst *inst, u64 *min_coreid, u64 *min_load, bool low_power)
{
- u32 mbs_per_sec, load, core1_load = 0, core2_load = 0;
+ u64 mbs_per_sec, load, core1_load = 0, core2_load = 0;
u32 cores_max = core_num_max(inst);
struct venus_core *core = inst->core;
struct venus_inst *inst_pos;
@@ -639,8 +639,8 @@ static int decide_core(struct venus_inst *inst)
{
const u32 ptype = HFI_PROPERTY_CONFIG_VIDEOCORES_USAGE;
struct venus_core *core = inst->core;
- u32 min_coreid, min_load, cur_inst_load;
- u32 min_lp_coreid, min_lp_load, cur_inst_lp_load;
+ u64 min_coreid, min_load, cur_inst_load;
+ u64 min_lp_coreid, min_lp_load, cur_inst_lp_load;
struct hfi_videocores_usage_type cu;
unsigned long max_freq = ULONG_MAX;
struct device *dev = core->dev;
--
2.43.0
Powered by blists - more mailing lists