From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Hans Verkuil, Maxime Jourdan, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v4 1/3] media: meson: vdec: Fix memory leak in error path of vdec_open
Date: Thu, 21 May 2026 13:04:11 +0530
Message-ID: <20260521073449.10057-2-linux.amoon@gmail.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260521073449.10057-1-linux.amoon@gmail.com>
References: <20260521073449.10057-1-linux.amoon@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The vdec_open() function previously jumped directly to err_m2m_release when vdec_init_ctrls() failed, skipping release of the m2m context. This caused a resource leak.

Fix it by introducing a proper err_m2m_ctx_release label that calls v4l2_m2m_ctx_release(sess->m2m_ctx) before releasing the m2m device.

Also free the v4l2 control handler memory allocated by vdec_init_ctrls() in vdec_close().

This was identified via kmemleak:

unreferenced object 0xffff0000205d6878 (size 8):
  comm "v4l_id", pid 5289, jiffies 4294938580
  hex dump (first 8 bytes):
    40 d2 49 18 00 00 ff ff  @.I.....
  backtrace (crc d3204599):
    kmemleak_alloc+0xc8/0xf0
    __kvmalloc_node_noprof+0x60c/0x850
    v4l2_ctrl_handler_init_class+0x1b4/0x2e8 [videodev]
    vdec_open+0x1f4/0x788 [meson_vdec]
    v4l2_open+0x144/0x460 [videodev]
    chrdev_open+0x1ac/0x500
    do_dentry_open+0x3f0/0xfe8
    vfs_open+0x68/0x320
    do_open+0x2d8/0x9a8
    path_openat+0x1d0/0x4f0
    do_filp_open+0x190/0x380
    do_sys_openat2+0xf8/0x1b0
    __arm64_sys_openat+0x13c/0x1e8
    invoke_syscall+0xdc/0x268
    el0_svc_common.constprop.0+0x178/0x258
    do_el0_svc+0x4c/0x70

Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260520045905.6ACBA1F000E9@smtp.kernel.org/#t
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon
---
v4: update the commit message to add v4l2_ctrl_handler_free() in vdec_close() to address the issue:
    This isn't a bug introduced by this patch, but does vdec_close() properly free the v4l2 control handler memory allocated by vdec_init_ctrls() here?
v3: https://lore.kernel.org/all/20260520044046.7553-1-linux.amoon@gmail.com/
    update the commit message.
v2: https://lore.kernel.org/all/20260321065408.209723-1-linux.amoon@gmail.com/
    updated the commit message, applied the suggestion from sashiko below.
    [3] https://sashiko.dev/#/patchset/20260321065408.209723-1-linux.amoon%40gmail.com
v1: https://lore.kernel.org/all/20260304100557.126488-1-linux.amoon@gmail.com/
    tried to address the issue reported by Nicolas, improve the commit message.
---
 drivers/staging/media/meson/vdec/vdec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c
index 4b77ec1af5a7..9244fb09eb36 100644
--- a/drivers/staging/media/meson/vdec/vdec.c
+++ b/drivers/staging/media/meson/vdec/vdec.c
@@ -889,7 +889,7 @@ static int vdec_open(struct file *file) =20 ret =3D vdec_init_ctrls(sess); if (ret) - goto err_m2m_release; + goto err_m2m_ctx_release; =20 sess->pixfmt_cap =3D formats[0].pixfmts_cap[0]; sess->fmt_out =3D &formats[0]; @@ -913,6 +913,8 @@ static int vdec_open(struct file *file) =20 return 0; =20 +err_m2m_ctx_release: + v4l2_m2m_ctx_release(sess->m2m_ctx); err_m2m_release: v4l2_m2m_release(sess->m2m_dev); err_free_sess: 
@@ -926,6 +928,7 @@ static int vdec_close(struct file *file) =20 v4l2_m2m_ctx_release(sess->m2m_ctx); v4l2_m2m_release(sess->m2m_dev); + v4l2_ctrl_handler_free(&sess->ctrl_handler); v4l2_fh_del(&sess->fh, file); v4l2_fh_exit(&sess->fh); =20 --=20 2.50.1 From nobody Sun May 24 21:36:41 2026 Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com [209.85.216.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0AFFF23EA84 for ; Thu, 21 May 2026 07:35:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.45 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779348934; cv=none; b=qbx62uRyFpb7dd/+MBsX8EaYb/c7x4G2XdisISc3PchOXrJAGNUVyr5dVz2TbmyYUdVcSHv3kEzy5md4VR3PACrajW6u1lFtIwcyFWHZPU5yo//3cxFZVmwgaER6QRzlZVsxqnOOptN1aiCxSNQRhgPlgD6HF3MUVzANlYIH5Rs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779348934; c=relaxed/simple; bh=R3voIaLtl2BRlPPKHEPBQ78/UAuVNbWj0w+ZXJI+bb4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=BtUmPlDj0xba8fToKe+0tWYKKnqV4Hdwu44ytDnx+iOkgijomCLwC3pF2FmZEF9QFD4qt5/asF5Lfyz//g4xTPOb3EtPH8DvDr5mebZ6skOJccKJm+EGGIyfL42vg14tMGZRCgLBWmoAnKrvo9Dy46jnhKlGOUJErojq7giFMdo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=HdhxFlHb; arc=none smtp.client-ip=209.85.216.45 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="HdhxFlHb" Received: by mail-pj1-f45.google.com with SMTP id 
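Review bot: in the vdec_open() hunks the new err_m2m_ctx_release label correctly drops the m2m context before v4l2_m2m_release(), but the kmemleak trace quoted in the message points at the allocation made inside v4l2_ctrl_handler_init_class() called from vdec_open(), and nothing in the patch shows whether vdec_init_ctrls() frees that handler when it fails part-way. If it does not, the vdec_init_ctrls() failure path still leaks the handler after this change; either confirm in the commit message that vdec_init_ctrls() cleans up after itself on error, or call v4l2_ctrl_handler_free(&sess->ctrl_handler) on that path as well. The message should also say which of the two leaks (the error path or the missing free in vdec_close()) the quoted kmemleak report actually comes from; a trace from a plain open/close by v4l_id does not identify the error path by itself.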
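Review bot: the v4l2_ctrl_handler_free(&sess->ctrl_handler) added to vdec_close() sits between v4l2_m2m_release() and v4l2_fh_del(); if the file handle references this handler (the usual v4l2_fh setup), the handler is freed while the fh is still registered, leaving a dangling pointer until v4l2_fh_del()/v4l2_fh_exit() run. Placing the free after v4l2_fh_exit(&sess->fh) keeps vdec_close() a strict mirror of vdec_open(), where the control handler is initialised before the fh is added.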
From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Hans Verkuil, Maxime Jourdan, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v4 2/3] media: meson: vdec: Add error handling for recycle thread creation
Date: Thu, 21 May 2026 13:04:12 +0530
Message-ID: <20260521073449.10057-3-linux.amoon@gmail.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260521073449.10057-1-linux.amoon@gmail.com>
References: <20260521073449.10057-1-linux.amoon@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Add proper error handling for kthread_run() in vdec_start_streaming(). If thread creation fails and returns an ERR_PTR, record the error, reset sess->recycle_thread to NULL, and unwind resources via err_cleanup. This prevents later calls to kthread_stop() in vdec_stop_streaming() from dereferencing an ERR_PTR and causing a kernel panic.

Fix this by adding the label and invoking vdec_poweroff() to prevent hardware power leaks.

Additionally, reorder the error path to properly mirror the allocation sequence: clear the streamon status flags before emptying the M2M buffers to avoid race conditions, and ensure DMA buffers are released gracefully relative to the hardware state lifecycle.
Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260520045905.6ACBA1F000E9@smtp.kernel.org/#t
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon
---
v4: new patch
    [Severity: High] This isn't a bug introduced by this patch, but does the driver verify if kthread_run() returns an ERR_PTR when starting the recycle thread? If thread creation fails in vdec_start_streaming() and returns an ERR_PTR, could a later call to kthread_stop(sess->recycle_thread) in vdec_stop_streaming() attempt to dereference that ERR_PTR and cause a kernel panic?
---
 drivers/staging/media/meson/vdec/vdec.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c
index 9244fb09eb36..8615a935e86d 100644
--- a/drivers/staging/media/meson/vdec/vdec.c
+++ b/drivers/staging/media/meson/vdec/vdec.c
@@ -337,29 +337,37 @@ static int vdec_start_streaming(struct vb2_queue *q, = unsigned int count) =20 sess->sequence_cap =3D 0; sess->sequence_out =3D 0; - if (vdec_codec_needs_recycle(sess)) + if (vdec_codec_needs_recycle(sess)) { sess->recycle_thread =3D kthread_run(vdec_recycle_thread, sess, "vdec_recycle"); + if (IS_ERR(sess->recycle_thread)) { + ret =3D PTR_ERR(sess->recycle_thread); + sess->recycle_thread =3D NULL; + goto err_cleanup; + } + } =20 sess->status =3D STATUS_INIT; core->cur_sess =3D sess; schedule_work(&sess->esparser_queue_work); return 0; =20 +err_cleanup: + vdec_poweroff(sess); vififo_free: dma_free_coherent(sess->core->dev, sess->vififo_size, sess->vififo_vaddr, sess->vififo_paddr); bufs_done: - while ((buf =3D v4l2_m2m_src_buf_remove(sess->m2m_ctx))) - v4l2_m2m_buf_done(buf, VB2_BUF_STATE_QUEUED); - while ((buf =3D v4l2_m2m_dst_buf_remove(sess->m2m_ctx))) - v4l2_m2m_buf_done(buf, VB2_BUF_STATE_QUEUED); - if (q->type =3D=3D V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) sess->streamon_out =3D 0; else sess->streamon_cap =3D 0; =20 + while ((buf =3D v4l2_m2m_src_buf_remove(sess->m2m_ctx))) + v4l2_m2m_buf_done(buf, VB2_BUF_STATE_QUEUED); + while ((buf =3D v4l2_m2m_dst_buf_remove(sess->m2m_ctx))) + v4l2_m2m_buf_done(buf, VB2_BUF_STATE_QUEUED); + return ret; } =20 --=20 2.50.1 From nobody Sun May 24 21:36:41 2026 Received: from mail-pj1-f53.google.com (mail-pj1-f53.google.com [209.85.216.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6708439A4DF for ; Thu, 21 May 2026 07:35:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779348944; cv=none; b=GLzNrmQU/hx9SP6FgVhDiZlMVH3lcNB78KUvXOAiDp1ODYo5AL/nZ3KmkmgLZ9OsicKWXTjrQm2LFwxBVts05wDWEvWmd2eet3pgaqxcHZEJLhf01EACqdnb3HHde0xiNqEdHOmrOR6X6MIk6ujPWbTMwhGsGreQBVNOvVA18Ak= 
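Review bot: resetting sess->recycle_thread to NULL after the IS_ERR() check does not on its own make a later kthread_stop(sess->recycle_thread) safe, because kthread_stop() dereferences its argument, and this hunk adds no NULL test before the kthread_stop() call in vdec_stop_streaming(). Either guard that call (`if (sess->recycle_thread) kthread_stop(sess->recycle_thread);`) or state in the commit message that vb2 never invokes stop_streaming after a failed start_streaming, in which case the NULL assignment is hygiene rather than the thing that prevents the crash. Two further points on the same hunk: the swap of the two v4l2_m2m_*_buf_remove() loops with the streamon_out/streamon_cap reset is unrelated to the kthread_run() fix that carries the Fixes: tag, and the message claims it avoids a race without naming which reader of those flags races with the buffer return, so either spell that out or move the reorder to its own patch; and the sentence "Fix this by adding the label and invoking vdec_poweroff()" refers to a "this" the message never introduces, since the hunk context does not show the power-on that err_cleanup undoes. Saying plainly that err_cleanup reverses the earlier power-on before falling through to vififo_free would make the intent clear.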
From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Maxime Jourdan, Hans Verkuil, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v4 3/3] media: meson: vdec: Cancel esparser work in error and stop paths
Date: Thu, 21 May 2026 13:04:13 +0530
Message-ID: <20260521073449.10057-4-linux.amoon@gmail.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260521073449.10057-1-linux.amoon@gmail.com>
References: <20260521073449.10057-1-linux.amoon@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Ensure that esparser_queue_work is canceled before freeing the session context. Add cancel_work_sync() in both the error path of vdec_close() and vdec_start_streaming() and in vdec_stop_streaming(). This prevents background work from dereferencing a freed sess structure and triggering a use-after-free.

Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260520045905.6ACBA1F000E9@smtp.kernel.org/#t
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon
---
v4: new patch
    If vdec_close() calls kfree(sess) without first stopping or synchronizing with this background work via cancel_work_sync(), could a concurrently running esparser_queue_all_src() dereference the freed sess structure and trigger a use-after-free?
---
 drivers/staging/media/meson/vdec/vdec.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/medi= a/meson/vdec/vdec.c index 8615a935e86d..a57bd4a8e33c 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c @@ -358,6 +358,8 @@ static int vdec_start_streaming(struct vb2_queue *q, un= signed int count) dma_free_coherent(sess->core->dev, sess->vififo_size, sess->vififo_vaddr, sess->vififo_paddr); bufs_done: + cancel_work_sync(&sess->esparser_queue_work); + if (q->type =3D=3D V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) sess->streamon_out =3D 0; else @@ -415,6 +417,7 @@ static void vdec_stop_streaming(struct vb2_queue *q) if (vdec_codec_needs_recycle(sess)) kthread_stop(sess->recycle_thread); =20 + cancel_work_sync(&sess->esparser_queue_work); vdec_poweroff(sess); vdec_free_canvas(sess); dma_free_coherent(sess->core->dev, sess->vififo_size, @@ -937,6 +940,7 @@ static int vdec_close(struct file *file) v4l2_m2m_ctx_release(sess->m2m_ctx); v4l2_m2m_release(sess->m2m_dev); v4l2_ctrl_handler_free(&sess->ctrl_handler); + cancel_work_sync(&sess->esparser_queue_work); v4l2_fh_del(&sess->fh, file); v4l2_fh_exit(&sess->fh); =20 --=20 2.50.1
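Review bot: the cancel_work_sync() added at bufs_done in vdec_start_streaming() runs on every error exit of that function, yet in the function as shown in patch 2/3 schedule_work(&sess->esparser_queue_work) is only reached immediately before the successful `return 0`, so no error path of the current call has queued the work. If the intent is to flush an instance left over from an earlier streaming round, the commit message should say so; otherwise this is a synchronous wait that protects nothing and should be dropped from this hunk.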
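Review bot: in vdec_stop_streaming() the cancel_work_sync() lands after kthread_stop() and before vdec_poweroff(), which is the right side of the power-off, but cancel_work_sync() blocks until any running instance of the work completes. The changelog names esparser_queue_all_src() as the work body; if it takes a lock that the caller of vdec_stop_streaming() already holds, the added call turns the race into a deadlock. Please confirm the work function's locking in the commit message, or note why it cannot contend with the stop path.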
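Review bot: in vdec_close() the new cancel_work_sync() comes after v4l2_m2m_ctx_release(sess->m2m_ctx) and v4l2_m2m_release(sess->m2m_dev), so an esparser_queue_work instance still running at that point can operate on an m2m context that has already been released, which is the same use-after-free class this patch sets out to close, only on m2m_ctx instead of sess. Move the cancel_work_sync() to the head of the teardown, before v4l2_m2m_ctx_release(), so that no background work is alive when any of the session's resources go away. The commit message also speaks of "the error path of vdec_close()", but this hunk adds the call to the unconditional close path; worth correcting so the message matches the diff.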