Hsin-Yi Wang e6599adfad media: mtk-vpu: avoid unaligned access to DTCM buffer.
Previously, vpu->recv_buf and send_buf are forced cast from
void __iomem *tcm. vpu->recv_buf->share_buf is passed to
vpu_ipi_desc.handler(). It's not able to do unaligned access. Otherwise
kernel would crash due to unable to handle kernel paging request.

struct vpu_run {
	u32 signaled;
	char fw_ver[VPU_FW_VER_LEN];
	unsigned int	dec_capability;
	unsigned int	enc_capability;
	wait_queue_head_t wq;
};

fw_ver starts at 4 byte boundary. If system enables
CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, strscpy() will do
read_word_at_a_time(), which tries to read 8-byte: *(unsigned long *)addr

vpu_init_ipi_handler() calls strscpy(), which would lead to crash.

vpu_init_ipi_handler() and several other handlers (eg.
vpu_dec_ipi_handler) only do read access to this data, so they can be
const, and we can use memcpy_fromio() to copy the buf to another non iomem
buffer then pass to handler.

Fixes: 85709cbf1524 ("media: replace strncpy() by strscpy()")
Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
2020-03-12 16:25:33 +01:00

139 lines
3.2 KiB
C

// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (c) 2015-2016 MediaTek Inc.
* Author: Houlong Wei <houlong.wei@mediatek.com>
* Ming Hsiu Tsai <minghsiu.tsai@mediatek.com>
*/
#include "mtk_mdp_core.h"
#include "mtk_mdp_vpu.h"
#include "mtk_vpu.h"
static inline struct mtk_mdp_ctx *vpu_to_ctx(struct mtk_mdp_vpu *vpu)
{
return container_of(vpu, struct mtk_mdp_ctx, vpu);
}
static void mtk_mdp_vpu_handle_init_ack(const struct mdp_ipi_comm_ack *msg)
{
struct mtk_mdp_vpu *vpu = (struct mtk_mdp_vpu *)
(unsigned long)msg->ap_inst;
/* mapping VPU address to kernel virtual address */
vpu->vsi = (struct mdp_process_vsi *)
vpu_mapping_dm_addr(vpu->pdev, msg->vpu_inst_addr);
vpu->inst_addr = msg->vpu_inst_addr;
}
static void mtk_mdp_vpu_ipi_handler(const void *data, unsigned int len,
void *priv)
{
const struct mdp_ipi_comm_ack *msg = data;
unsigned int msg_id = msg->msg_id;
struct mtk_mdp_vpu *vpu = (struct mtk_mdp_vpu *)
(unsigned long)msg->ap_inst;
struct mtk_mdp_ctx *ctx;
vpu->failure = msg->status;
if (!vpu->failure) {
switch (msg_id) {
case VPU_MDP_INIT_ACK:
mtk_mdp_vpu_handle_init_ack(data);
break;
case VPU_MDP_DEINIT_ACK:
case VPU_MDP_PROCESS_ACK:
break;
default:
ctx = vpu_to_ctx(vpu);
dev_err(&ctx->mdp_dev->pdev->dev,
"handle unknown ipi msg:0x%x\n",
msg_id);
break;
}
} else {
ctx = vpu_to_ctx(vpu);
mtk_mdp_dbg(0, "[%d]:msg 0x%x, failure:%d", ctx->id,
msg_id, vpu->failure);
}
}
int mtk_mdp_vpu_register(struct platform_device *pdev)
{
struct mtk_mdp_dev *mdp = platform_get_drvdata(pdev);
int err;
err = vpu_ipi_register(mdp->vpu_dev, IPI_MDP,
mtk_mdp_vpu_ipi_handler, "mdp_vpu", NULL);
if (err)
dev_err(&mdp->pdev->dev,
"vpu_ipi_registration fail status=%d\n", err);
return err;
}
static int mtk_mdp_vpu_send_msg(void *msg, int len, struct mtk_mdp_vpu *vpu,
int id)
{
struct mtk_mdp_ctx *ctx = vpu_to_ctx(vpu);
int err;
if (!vpu->pdev) {
mtk_mdp_dbg(1, "[%d]:vpu pdev is NULL", ctx->id);
return -EINVAL;
}
mutex_lock(&ctx->mdp_dev->vpulock);
err = vpu_ipi_send(vpu->pdev, (enum ipi_id)id, msg, len);
if (err)
dev_err(&ctx->mdp_dev->pdev->dev,
"vpu_ipi_send fail status %d\n", err);
mutex_unlock(&ctx->mdp_dev->vpulock);
return err;
}
static int mtk_mdp_vpu_send_ap_ipi(struct mtk_mdp_vpu *vpu, uint32_t msg_id)
{
int err;
struct mdp_ipi_comm msg;
msg.msg_id = msg_id;
msg.ipi_id = IPI_MDP;
msg.vpu_inst_addr = vpu->inst_addr;
msg.ap_inst = (unsigned long)vpu;
err = mtk_mdp_vpu_send_msg((void *)&msg, sizeof(msg), vpu, IPI_MDP);
if (!err && vpu->failure)
err = -EINVAL;
return err;
}
int mtk_mdp_vpu_init(struct mtk_mdp_vpu *vpu)
{
int err;
struct mdp_ipi_init msg;
struct mtk_mdp_ctx *ctx = vpu_to_ctx(vpu);
vpu->pdev = ctx->mdp_dev->vpu_dev;
msg.msg_id = AP_MDP_INIT;
msg.ipi_id = IPI_MDP;
msg.ap_inst = (unsigned long)vpu;
err = mtk_mdp_vpu_send_msg((void *)&msg, sizeof(msg), vpu, IPI_MDP);
if (!err && vpu->failure)
err = -EINVAL;
return err;
}
int mtk_mdp_vpu_deinit(struct mtk_mdp_vpu *vpu)
{
return mtk_mdp_vpu_send_ap_ipi(vpu, AP_MDP_DEINIT);
}
int mtk_mdp_vpu_process(struct mtk_mdp_vpu *vpu)
{
return mtk_mdp_vpu_send_ap_ipi(vpu, AP_MDP_PROCESS);
}