[media] mtk-vcodec: check the vp9 decoder buffer index from VPU
authorWu-Cheng Li <wuchengli@google.com>
Wed, 8 Mar 2017 03:40:58 +0000 (00:40 -0300)
committerMauro Carvalho Chehab <mchehab@s-opensource.com>
Wed, 22 Mar 2017 14:26:47 +0000 (11:26 -0300)
VPU firmware has a bug and may return invalid buffer index for
some vp9 videos. Check the buffer indexes before accessing the
buffer.

Signed-off-by: Wu-Cheng Li <wuchengli@chromium.org>
Acked-by: Tiffany Lin <Tiffany.lin@mediatek.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.c
drivers/media/platform/mtk-vcodec/mtk_vcodec_dec.h
drivers/media/platform/mtk-vcodec/vdec/vdec_vp9_if.c
drivers/media/platform/mtk-vcodec/vdec_drv_if.h

index 502877a4b1df34a502145d22e57af23889643fd8..a60b538686ea9bd66deef19b55d1e0ca0504ee37 100644 (file)
@@ -420,6 +420,11 @@ static void mtk_vdec_worker(struct work_struct *work)
                        dst_buf->index,
                        ret, res_chg);
                src_buf = v4l2_m2m_src_buf_remove(ctx->m2m_ctx);
+               if (ret == -EIO) {
+                       mutex_lock(&ctx->lock);
+                       src_buf_info->error = true;
+                       mutex_unlock(&ctx->lock);
+               }
                v4l2_m2m_buf_done(&src_buf_info->vb, VB2_BUF_STATE_ERROR);
        } else if (res_chg == false) {
                /*
@@ -1170,8 +1175,16 @@ static void vb2ops_vdec_buf_queue(struct vb2_buffer *vb)
                 */
 
                src_buf = v4l2_m2m_src_buf_remove(ctx->m2m_ctx);
-               v4l2_m2m_buf_done(to_vb2_v4l2_buffer(src_buf),
-                                       VB2_BUF_STATE_DONE);
+               if (ret == -EIO) {
+                       mtk_v4l2_err("[%d] Unrecoverable error in vdec_if_decode.",
+                                       ctx->id);
+                       ctx->state = MTK_STATE_ABORT;
+                       v4l2_m2m_buf_done(to_vb2_v4l2_buffer(src_buf),
+                                               VB2_BUF_STATE_ERROR);
+               } else {
+                       v4l2_m2m_buf_done(to_vb2_v4l2_buffer(src_buf),
+                                               VB2_BUF_STATE_DONE);
+               }
                mtk_v4l2_debug(ret ? 0 : 1,
                               "[%d] vdec_if_decode() src_buf=%d, size=%zu, fail=%d, res_chg=%d",
                               ctx->id, src_buf->index,
@@ -1216,16 +1229,22 @@ static void vb2ops_vdec_buf_finish(struct vb2_buffer *vb)
        struct mtk_vcodec_ctx *ctx = vb2_get_drv_priv(vb->vb2_queue);
        struct vb2_v4l2_buffer *vb2_v4l2;
        struct mtk_video_dec_buf *buf;
-
-       if (vb->vb2_queue->type != V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
-               return;
+       bool buf_error;
 
        vb2_v4l2 = container_of(vb, struct vb2_v4l2_buffer, vb2_buf);
        buf = container_of(vb2_v4l2, struct mtk_video_dec_buf, vb);
        mutex_lock(&ctx->lock);
-       buf->queued_in_v4l2 = false;
-       buf->queued_in_vb2 = false;
+       if (vb->vb2_queue->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) {
+               buf->queued_in_v4l2 = false;
+               buf->queued_in_vb2 = false;
+       }
+       buf_error = buf->error;
        mutex_unlock(&ctx->lock);
+
+       if (buf_error) {
+               mtk_v4l2_err("Unrecoverable error on buffer.");
+               ctx->state = MTK_STATE_ABORT;
+       }
 }
 
 static int vb2ops_vdec_buf_init(struct vb2_buffer *vb)
index 362f5a85762eab88935907720e9913dceb16c0ad..dc4fc1df63c522a4dbe03f7169e56d1f6374250d 100644 (file)
@@ -50,6 +50,7 @@ struct vdec_fb {
  * @queued_in_v4l2:    Capture buffer is in v4l2 driver, but not in vb2
  *                     queue yet
  * @lastframe:         Intput buffer is last buffer - EOS
+ * @error:             An unrecoverable error occurs on this buffer.
  * @frame_buffer:      Decode status, and buffer information of Capture buffer
  *
  * Note : These status information help us track and debug buffer state
@@ -63,6 +64,7 @@ struct mtk_video_dec_buf {
        bool    queued_in_vb2;
        bool    queued_in_v4l2;
        bool    lastframe;
+       bool    error;
        struct vdec_fb  frame_buffer;
 };
 
index e91a3b425b0cef3298370582121c23f11a79707f..5539b1853f166a611ed678bc1274f55e48f1347c 100644 (file)
@@ -718,6 +718,26 @@ static void get_free_fb(struct vdec_vp9_inst *inst, struct vdec_fb **out_fb)
        *out_fb = fb;
 }
 
+static int validate_vsi_array_indexes(struct vdec_vp9_inst *inst,
+               struct vdec_vp9_vsi *vsi) {
+       if (vsi->sf_frm_idx >= VP9_MAX_FRM_BUF_NUM - 1) {
+               mtk_vcodec_err(inst, "Invalid vsi->sf_frm_idx=%u.",
+                               vsi->sf_frm_idx);
+               return -EIO;
+       }
+       if (vsi->frm_to_show_idx >= VP9_MAX_FRM_BUF_NUM) {
+               mtk_vcodec_err(inst, "Invalid vsi->frm_to_show_idx=%u.",
+                               vsi->frm_to_show_idx);
+               return -EIO;
+       }
+       if (vsi->new_fb_idx >= VP9_MAX_FRM_BUF_NUM) {
+               mtk_vcodec_err(inst, "Invalid vsi->new_fb_idx=%u.",
+                               vsi->new_fb_idx);
+               return -EIO;
+       }
+       return 0;
+}
+
 static void vdec_vp9_deinit(unsigned long h_vdec)
 {
        struct vdec_vp9_inst *inst = (struct vdec_vp9_inst *)h_vdec;
@@ -834,6 +854,12 @@ static int vdec_vp9_decode(unsigned long h_vdec, struct mtk_vcodec_mem *bs,
                        goto DECODE_ERROR;
                }
 
+               ret = validate_vsi_array_indexes(inst, vsi);
+               if (ret) {
+                       mtk_vcodec_err(inst, "Invalid values from VPU.");
+                       goto DECODE_ERROR;
+               }
+
                if (vsi->resolution_changed) {
                        if (!vp9_alloc_work_buf(inst)) {
                                ret = -EINVAL;
index db6b5205ffb1d19c50a932d715da1df01a0036c2..ded1154481cdc50c540f720613e3d0a37fe890c8 100644 (file)
@@ -85,6 +85,8 @@ void vdec_if_deinit(struct mtk_vcodec_ctx *ctx);
  * @res_chg    : [out] resolution change happens if current bs have different
  *     picture width/height
  * Note: To flush the decoder when reaching EOF, set input bitstream as NULL.
+ *
+ * Return: 0 on success. -EIO on unrecoverable error.
  */
 int vdec_if_decode(struct mtk_vcodec_ctx *ctx, struct mtk_vcodec_mem *bs,
                   struct vdec_fb *fb, bool *res_chg);