From aba99662aad45c8f959cdba2fbb18c090185d1d1 Mon Sep 17 00:00:00 2001
From: Herman Chen <herman.chen@rock-chips.com>
Date: Wed, 15 Dec 2021 08:47:56 +0800
Subject: [PATCH] video: rockchip: mpp: rkvenc2: Fix slab-out-of-bounds on
 reboot
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the device is ccu device nothing should be done on shutdown.

[  231.948040][    T1] ==================================================================
[  231.948818][    T1] BUG: KASAN: slab-out-of-bounds in rkvenc_shutdown+0x44/0x138
[  231.949531][    T1] Read of size 8 at addr ffffff840424dd28 by task init/1
[  231.950178][    T1]
[  231.950443][    T1] CPU: 3 PID: 1 Comm: init Not tainted 5.10.66 #21
[  231.951053][    T1] Hardware name: Rockchip RK3588 EVB1 LP4 V10 Board (DT)
[  231.951706][    T1] Call trace:
[  231.952048][    T1]  dump_backtrace+0x0/0x278
[  231.952498][    T1]  show_stack+0x1c/0x2c
[  231.952928][    T1]  dump_stack_lvl+0xf0/0x140
[  231.953389][    T1]  print_address_description+0x88/0x38c
[  231.953934][    T1]  __kasan_report+0x144/0x2ac
[  231.954398][    T1]  kasan_report+0x54/0x84
[  231.954831][    T1]  __asan_load8+0xc8/0xcc
[  231.955264][    T1]  rkvenc_shutdown+0x44/0x138    还是 drivers/video/rockchip/mpp/mpp_rkvenc2.c:1689
[  231.955736][    T1]  platform_drv_shutdown+0x3c/0x50
[  231.956242][    T1]  device_shutdown+0x264/0x308
[  231.956719][    T1]  kernel_restart+0x54/0x13c
[  231.957174][    T1]  __arm64_sys_reboot+0x19c/0x264
[  231.957674][    T1]  el0_svc_common+0x100/0x248
[  231.958136][    T1]  do_el0_svc+0x3c/0xb8
[  231.958551][    T1]  el0_svc+0x14/0x24
[  231.958946][    T1]  el0_sync_handler+0x88/0xec
[  231.959407][    T1]  el0_sync+0x1a8/0x1c0
[  231.959805][    T1]
[  231.960051][    T1] Allocated by task 0:
[  231.960439][    T1] (stack is not available)

Signed-off-by: Herman Chen <herman.chen@rock-chips.com>
Change-Id: I0c12d663d74c640d9f2686252fc8544b29a2c4f9
---
 drivers/video/rockchip/mpp/mpp_rkvenc2.c | 27 +++++++++++++-----------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/drivers/video/rockchip/mpp/mpp_rkvenc2.c b/drivers/video/rockchip/mpp/mpp_rkvenc2.c
index 56d3695ba658..dfffbbf4516b 100644
--- a/drivers/video/rockchip/mpp/mpp_rkvenc2.c
+++ b/drivers/video/rockchip/mpp/mpp_rkvenc2.c
@@ -1678,23 +1678,26 @@ static int rkvenc_remove(struct platform_device *pdev)
 
 static void rkvenc_shutdown(struct platform_device *pdev)
 {
-	int ret;
-	int val;
 	struct device *dev = &pdev->dev;
-	struct rkvenc_dev *enc = platform_get_drvdata(pdev);
-	struct mpp_dev *mpp = &enc->mpp;
 
-	dev_info(dev, "shutdown device\n");
+	if (!strstr(dev_name(dev), "ccu")) {
+		int ret;
+		int val;
+		struct rkvenc_dev *enc = platform_get_drvdata(pdev);
+		struct mpp_dev *mpp = &enc->mpp;
 
-	if (mpp->srv)
-		atomic_inc(&mpp->srv->shutdown_request);
+		dev_info(dev, "shutdown device\n");
 
-	ret = readx_poll_timeout(atomic_read,
-				 &mpp->task_count,
-				 val, val == 0, 1000, 200000);
-	if (ret == -ETIMEDOUT)
-		dev_err(dev, "wait total running time out\n");
+		if (mpp->srv)
+			atomic_inc(&mpp->srv->shutdown_request);
 
+		ret = readx_poll_timeout(atomic_read,
+					 &mpp->task_count,
+					 val, val == 0, 1000, 200000);
+		if (ret == -ETIMEDOUT)
+			dev_err(dev, "wait total running time out\n");
+
+	}
 	dev_info(dev, "shutdown success\n");
 }