From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Hans Verkuil, Maxime Jourdan, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v5 1/6] media: meson: vdec: Fix memory leak in error path of vdec_open
Date: Mon, 25 May 2026 15:21:49 +0530
Message-ID: <20260525095216.12078-2-linux.amoon@gmail.com>
In-Reply-To: <20260525095216.12078-1-linux.amoon@gmail.com>
References: <20260525095216.12078-1-linux.amoon@gmail.com>

The vdec_open() function previously jumped directly to err_m2m_release when vdec_init_ctrls() failed, skipping release of the m2m context. This caused a resource leak.

Fix it by introducing a proper err_m2m_ctx_release label that calls v4l2_m2m_ctx_release(sess->m2m_ctx) before releasing the m2m device.

Also free the v4l2 control handler memory allocated by vdec_init_ctrls() in vdec_close().

This was identified via kmemleak:

unreferenced object 0xffff0000205d6878 (size 8):
  comm "v4l_id", pid 5289, jiffies 4294938580
  hex dump (first 8 bytes):
    40 d2 49 18 00 00 ff ff  @.I.....
  backtrace (crc d3204599):
    kmemleak_alloc+0xc8/0xf0
    __kvmalloc_node_noprof+0x60c/0x850
    v4l2_ctrl_handler_init_class+0x1b4/0x2e8 [videodev]
    vdec_open+0x1f4/0x788 [meson_vdec]
    v4l2_open+0x144/0x460 [videodev]
    chrdev_open+0x1ac/0x500
    do_dentry_open+0x3f0/0xfe8
    vfs_open+0x68/0x320
    do_open+0x2d8/0x9a8
    path_openat+0x1d0/0x4f0
    do_filp_open+0x190/0x380
    do_sys_openat2+0xf8/0x1b0
    __arm64_sys_openat+0x13c/0x1e8
    invoke_syscall+0xdc/0x268
    el0_svc_common.constprop.0+0x178/0x258
    do_el0_svc+0x4c/0x70

Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260520045905.6ACBA1F000E9@smtp.kernel.org/#t
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon
---
v5: update the error path for v4l2_ctrl_handler_free() as per the review comment to fix the use after free bug.
[4] https://patchwork.kernel.org/project/linux-amlogic/patch/20260521073449.10057-2-linux.amoon@gmail.com/
v4: update the commit message to add v4l2_ctrl_handler_free() in vdec_close() to address the issue:
    This isn't a bug introduced by this patch, but does vdec_close() properly free the v4l2 control handler memory allocated by vdec_init_ctrls() here?
v3: https://lore.kernel.org/all/20260520044046.7553-1-linux.amoon@gmail.com/
    update the commit message.
v2: https://lore.kernel.org/all/20260321065408.209723-1-linux.amoon@gmail.com/
    updated the commit message, applied the suggestion from sashiko below.
[3] https://sashiko.dev/#/patchset/20260321065408.209723-1-linux.amoon%40gmail.com
v1: https://lore.kernel.org/all/20260304100557.126488-1-linux.amoon@gmail.com/
    tried to address the issue reported by Nicolas improve the commit message.
---
drivers/staging/media/meson/vdec/vdec.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/medi= a/meson/vdec/vdec.c index 4b77ec1af5a7..18a22b79e835 100644 --- a/drivers/staging/media/meson/vdec/vdec.c
+++ b/drivers/staging/media/meson/vdec/vdec.c @@ -889,7 +889,7 @@ static int vdec_open(struct file *file) =20 ret =3D vdec_init_ctrls(sess); if (ret) - goto err_m2m_release; + goto err_m2m_ctx_release; =20 sess->pixfmt_cap =3D formats[0].pixfmts_cap[0]; sess->fmt_out =3D &formats[0]; @@ -913,6 +913,8 @@ static int vdec_open(struct file *file) =20 return 0; =20 +err_m2m_ctx_release: + v4l2_m2m_ctx_release(sess->m2m_ctx); err_m2m_release: v4l2_m2m_release(sess->m2m_dev); err_free_sess: 
@@ -928,6 +930,7 @@ static int vdec_close(struct file *file) v4l2_m2m_release(sess->m2m_dev); v4l2_fh_del(&sess->fh, file); v4l2_fh_exit(&sess->fh); + v4l2_ctrl_handler_free(&sess->ctrl_handler); =20 mutex_destroy(&sess->lock); mutex_destroy(&sess->bufs_recycle_lock); --=20 2.50.1
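Review bot: The kmemleak trace in the changelog shows an allocation from v4l2_ctrl_handler_init_class() under vdec_open(), which is what the one-line v4l2_ctrl_handler_free(&sess->ctrl_handler) addition in the vdec_close() hunk releases; the err_m2m_ctx_release label in the vdec_open() hunk fixes a separate m2m context leak that the trace does not cover. Both changes carry the same Fixes: tag, so consider splitting them into two patches, or state in the message which hunk the trace belongs to, so each fix can be reviewed and backported on its own. In the vdec_open() hunk, also confirm that no step between vdec_init_ctrls() succeeding and return 0 can fail: such a path would need v4l2_ctrl_handler_free() ahead of err_m2m_ctx_release, and no label for that is added here.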
From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Hans Verkuil, Maxime Jourdan, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v5 2/6] media: meson: vdec: Protect session exclusivity check with lock
Date: Mon, 25 May 2026 15:21:50 +0530
Message-ID: <20260525095216.12078-3-linux.amoon@gmail.com>
In-Reply-To: <20260525095216.12078-1-linux.amoon@gmail.com>
References: <20260525095216.12078-1-linux.amoon@gmail.com>

The check for an active hardware session is performed without holding the core->lock mutex. In multi-threaded environments, two concurrent STREAMON ioctls on different file descriptors can simultaneously find core->cur_sess to be NULL, bypass the check, and concurrently call vdec_poweron(), corrupting hardware state.

Fix this by wrapping the session exclusivity check inside core->lock.

Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon
---
v5: New patch.
    [High] Concurrent sessions can bypass the hardware exclusivity check, leading to simultaneous hardware programming.
---
drivers/staging/media/meson/vdec/vdec.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/medi= a/meson/vdec/vdec.c index 18a22b79e835..e72f54af026e 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c 
@@ -286,10 +286,13 @@ static int vdec_start_streaming(struct vb2_queue *q, = unsigned int count) struct vb2_v4l2_buffer *buf; int ret; =20 + mutex_lock(&core->lock); if (core->cur_sess && core->cur_sess !=3D sess) { + mutex_unlock(&core->lock); ret =3D -EBUSY; goto bufs_done; } + mutex_unlock(&core->lock); =20 if (q->type =3D=3D V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) sess->streamon_out =3D 1; --=20 2.50.1
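Review bot: In vdec_start_streaming(), core->lock is released immediately after the core->cur_sess test and nothing in this hunk claims the session while the lock is held, so two STREAMON callers can still both observe cur_sess == NULL, both unlock, and both continue to power-on. The mutex here only serialises the read. Keep the lock held from the test through the core->cur_sess = sess assignment (3/6 adds that assignment in a separate lock/unlock pair further down), or fold the two patches so that the check and the claim form one critical section, with the -EBUSY branch unlocking on its way to bufs_done.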
From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Maxime Jourdan, Hans Verkuil, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v5 3/6] media: meson: vdec: Set cur_sess before hardware vdec_poweron()
Date: Mon, 25 May 2026 15:21:51 +0530
Message-ID: <20260525095216.12078-4-linux.amoon@gmail.com>
In-Reply-To: <20260525095216.12078-1-linux.amoon@gmail.com>
References: <20260525095216.12078-1-linux.amoon@gmail.com>

vdec_poweron() initializes hardware and unmasks device interrupts. If an interrupt fires before core->cur_sess is set, vdec_isr() dereferences a NULL pointer when updating sess->last_irq_jiffies, leading to a kernel panic.

Fix this by assigning core->cur_sess and updating sess->status under core->lock before calling vdec_poweron(). This ensures the interrupt handler always sees a valid session pointer. On the error path, clear core->cur_sess and reset sess->status to STATUS_STOPPED to avoid stale references.

Following change also strengthens the hardware exclusivity check by holding core->lock during session assignment, preventing concurrent sessions from racing through cur_sess == NULL and corrupting hardware state.
Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon
---
v5: [Critical] Race condition between hardware power-on and `core->cur_sess` initialization leads to a NULL pointer dereference in the IRQ handler.
---
drivers/staging/media/meson/vdec/vdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/medi= a/meson/vdec/vdec.c index e72f54af026e..52ace4de967c 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c @@ -334,6 +334,11 @@ static int vdec_start_streaming(struct vb2_queue *q, u= nsigned int count) atomic_set(&sess->esparser_queued_bufs, 0); v4l2_ctrl_s_ctrl(sess->ctrl_min_buf_capture, 1); =20 + mutex_lock(&core->lock); + core->cur_sess =3D sess; + sess->status =3D STATUS_INIT; + mutex_unlock(&core->lock); + ret =3D vdec_poweron(sess); if (ret) goto vififo_free;
@@ -344,12 +349,14 @@ static int vdec_start_streaming(struct vb2_queue *q, = unsigned int count) sess->recycle_thread =3D kthread_run(vdec_recycle_thread, sess, "vdec_recycle"); =20 - sess->status =3D STATUS_INIT; - core->cur_sess =3D sess; schedule_work(&sess->esparser_queue_work); return 0; =20 vififo_free: + mutex_lock(&core->lock); + core->cur_sess =3D NULL; + sess->status =3D STATUS_STOPPED; + mutex_unlock(&core->lock); dma_free_coherent(sess->core->dev, sess->vififo_size, sess->vififo_vaddr, sess->vififo_paddr); bufs_done: --=20 2.50.1
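Review bot: In the first hunk, core->cur_sess = sess is assigned under core->lock without re-testing cur_sess && cur_sess != sess in the same critical section, so a session that passed the earlier check can overwrite another session's claim; and in the vififo_free hunk, core->cur_sess = NULL is unconditional, which in that case clears a pointer that belongs to a different session. Test and assign under one lock hold, and on the error path clear only when core->cur_sess == sess. Also check every existing goto vififo_free: any that is taken before the new assignment block now resets cur_sess and sets STATUS_STOPPED for a session that never claimed the hardware.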
From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Hans Verkuil, Maxime Jourdan, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v5 4/6] media: meson: vdec: Handle kthread error and free codec private data
Date: Mon, 25 May 2026 15:21:52 +0530
Message-ID: <20260525095216.12078-5-linux.amoon@gmail.com>
In-Reply-To: <20260525095216.12078-1-linux.amoon@gmail.com>
References: <20260525095216.12078-1-linux.amoon@gmail.com>

vdec_start_streaming() launches a recycle thread when required by the codec. If kthread_run() fails, the previous error path only powered off the hardware, leaving sess->priv and codec state allocated. This caused a permanent leak of the codec context and associated DMA buffers.

Fix this by adding an err_cleanup path: if thread creation fails, call codec_ops->stop() to release the codec context and clear sess->priv, then power off the hardware. Also reset core->cur_sess and sess->status to avoid stale references.

This change closes the memory leak on kthread_run() failure and ensures proper cleanup of codec resources.

Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon
---
v5: The vdec_poweron() function invoked earlier allocates dynamic memory for the codec context and assigns it to sess->priv. When kthread_run() fails, this new error path calls vdec_poweroff() which stops the hardware but doesn't free sess->priv.
---
drivers/staging/media/meson/vdec/vdec.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/medi= a/meson/vdec/vdec.c index 52ace4de967c..b31bf08af88e 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c
@@ -345,13 +345,25 @@ static int vdec_start_streaming(struct vb2_queue *q, = unsigned int count) =20 sess->sequence_cap =3D 0; sess->sequence_out =3D 0; - if (vdec_codec_needs_recycle(sess)) + if (vdec_codec_needs_recycle(sess)) { sess->recycle_thread =3D kthread_run(vdec_recycle_thread, sess, "vdec_recycle"); + if (IS_ERR(sess->recycle_thread)) { + ret =3D PTR_ERR(sess->recycle_thread); + sess->recycle_thread =3D NULL; + goto err_cleanup; + } + } =20 schedule_work(&sess->esparser_queue_work); return 0; =20 +err_cleanup: + if (codec_ops && codec_ops->stop && sess->priv) { + codec_ops->stop(sess); + sess->priv =3D NULL; + } + vdec_poweroff(sess); vififo_free: mutex_lock(&core->lock); core->cur_sess =3D NULL; --=20 2.50.1
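Review bot: in the new err_cleanup block of patch 4/6, sess->priv is set to NULL right after codec_ops->stop(sess), but the hunk does not show stop() freeing the codec context, and the v5 note describes the problem as vdec_poweroff() not freeing sess->priv. If stop() does not release that allocation for every codec, clearing the pointer here only makes the leaked memory unreachable; either free it explicitly before the assignment or state in the commit message that each codec's stop() owns the free. The label also runs codec_ops->stop() before vdec_poweroff(sess), so please confirm that vdec_poweroff() does not itself rely on sess->priv still being set.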
From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Hans Verkuil, Maxime Jourdan, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v5 5/6] media: meson: vdec: Isolate error path buffer flush to the active queue
Date: Mon, 25 May 2026 15:21:53 +0530
Message-ID: <20260525095216.12078-6-linux.amoon@gmail.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260525095216.12078-1-linux.amoon@gmail.com>
References: <20260525095216.12078-1-linux.amoon@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

When vdec_start_streaming() fails, the error path clears buffers from both the source and destination queues unconditionally. If one queue was already streaming successfully from a prior invocation, flushing its buffers behind its back leaves videobuf2 deadlocked waiting for completions.

Fix this by only sweeping buffers from the specific queue type container that failed to initialize.

Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon
---
v5: This is a pre-existing issue, but will returning buffers for both queues upon a single-queue failure orphan active queue buffers? If the CAPTURE queue was successfully started in a previous call, returning its buffers puts them back into the vb2 queued list while the driver discards its references. Because the CAPTURE queue remains active, userspace calling DQBUF will hang indefinitely waiting for frames that the driver will never process.
---
drivers/staging/media/meson/vdec/vdec.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/medi= a/meson/vdec/vdec.c index b31bf08af88e..925537bd4d0b 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c 
@@ -372,15 +372,15 @@ static int vdec_start_streaming(struct vb2_queue *q, = unsigned int count) dma_free_coherent(sess->core->dev, sess->vififo_size, sess->vififo_vaddr, sess->vififo_paddr); bufs_done: - while ((buf =3D v4l2_m2m_src_buf_remove(sess->m2m_ctx))) - v4l2_m2m_buf_done(buf, VB2_BUF_STATE_QUEUED); - while ((buf =3D v4l2_m2m_dst_buf_remove(sess->m2m_ctx))) - v4l2_m2m_buf_done(buf, VB2_BUF_STATE_QUEUED); - - if (q->type =3D=3D V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) + if (q->type =3D=3D V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) { sess->streamon_out =3D 0; - else + while ((buf =3D v4l2_m2m_src_buf_remove(sess->m2m_ctx))) + v4l2_m2m_buf_done(buf, VB2_BUF_STATE_QUEUED); + } else { sess->streamon_cap =3D 0; + while ((buf =3D v4l2_m2m_dst_buf_remove(sess->m2m_ctx))) + v4l2_m2m_buf_done(buf, VB2_BUF_STATE_QUEUED); + } =20 return ret; } --=20 2.50.1
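Review bot: at bufs_done in patch 5/6 the other queue is now left alone, but on the fall-through path the context lines just above the label have already released the vififo with dma_free_coherent(), so a CAPTURE queue started by an earlier call still holds buffers that nothing can complete. Keeping the driver's references is right for videobuf2 accounting, yet DQBUF on that queue keeps blocking until userspace retries STREAMON on the failed queue or issues STREAMOFF; the commit message should say that this is the expected recovery. Please also confirm that resetting only streamon_out or streamon_cap here is enough for a later STREAMON on the failed queue to repeat the whole power-on sequence.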
From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Maxime Jourdan, Hans Verkuil, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v5 6/6] media: meson: vdec: Cancel esparser work in error and stop paths
Date: Mon, 25 May 2026 15:21:54 +0530
Message-ID: <20260525095216.12078-7-linux.amoon@gmail.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260525095216.12078-1-linux.amoon@gmail.com>
References: <20260525095216.12078-1-linux.amoon@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The esparser workqueue may remain pending when streaming is stopped or the device is closed, leading to use-after-free if it runs after session teardown. vdec_start_streaming(), vdec_stop_streaming(), and vdec_close() did not cancel this work, leaving a race between session cleanup and work execution.

Fix this by calling cancel_work_sync(&sess->esparser_queue_work) in all cleanup paths. Unlocking and relocking sess->lock around the cancel ensures the work handler cannot run concurrently with teardown.

This prevents dangling work items from accessing freed session memory and eliminates a potential kernel crash.

Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260520045905.6ACBA1F000E9@smtp.kernel.org/#t
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon --- v5: Tried to fix the order of cancel_work_sync() which could lead to a use-after-free. update the commit message. --- drivers/staging/media/meson/vdec/vdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/medi= a/meson/vdec/vdec.c index 925537bd4d0b..296b387f3667 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c @@ -372,6 +372,10 @@ static int vdec_start_streaming(struct vb2_queue *q, u= nsigned int count) dma_free_coherent(sess->core->dev, sess->vififo_size, sess->vififo_vaddr, sess->vififo_paddr); bufs_done: + mutex_unlock(&sess->lock); + cancel_work_sync(&sess->esparser_queue_work); + mutex_lock(&sess->lock); + if (q->type =3D=3D V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) { sess->streamon_out =3D 0; while ((buf =3D v4l2_m2m_src_buf_remove(sess->m2m_ctx))) @@ -430,6 +434,9 @@ static void vdec_stop_streaming(struct vb2_queue *q) kthread_stop(sess->recycle_thread); =20 vdec_poweroff(sess); + mutex_unlock(&sess->lock); + cancel_work_sync(&sess->esparser_queue_work); + mutex_lock(&sess->lock); vdec_free_canvas(sess); dma_free_coherent(sess->core->dev, sess->vififo_size, sess->vififo_vaddr, sess->vififo_paddr); @@ -948,6 +955,8 @@ static int vdec_close(struct file *file) { struct amvdec_session *sess =3D file_to_amvdec_session(file); =20 + cancel_work_sync(&sess->esparser_queue_work); + v4l2_m2m_ctx_release(sess->m2m_ctx); v4l2_m2m_release(sess->m2m_dev); v4l2_fh_del(&sess->fh, file); --=20 2.50.1
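Review bot: in the first hunk of patch 6/6 (bufs_done in vdec_start_streaming()), sess->lock is dropped and retaken in the middle of the error path, after the fall-through from vififo_free has already cleared core->cur_sess and freed the vififo. While the lock is released another ioctl on the same session can run against that half-torn-down state, and nothing shown stops the work from being scheduled again before the lock is retaken. In patch 4/6 schedule_work() is followed directly by return 0, so no failure in this call reaches bufs_done with work it queued itself; the commit message should name the earlier schedule_work() this cancel is aimed at.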
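Review bot: in the vdec_stop_streaming() hunk of patch 6/6, cancel_work_sync() sits after vdec_poweroff(sess), so a pending esparser work item can still run against hardware that has just been powered off. Moving the unlock, cancel and relock ahead of vdec_poweroff() closes that window. The commit message credits the unlock and relock with keeping the handler out of teardown, but dropping the lock only lets cancel_work_sync() wait for a handler that presumably needs sess->lock; the guarantee comes from where the cancel is placed relative to the power-off and the frees, and the message should describe it that way.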
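Review bot: in the vdec_close() hunk of patch 6/6, the cancel runs before v4l2_m2m_ctx_release(), and that release is what stops any queue still streaming. If anything can call schedule_work() on esparser_queue_work until the context is released, the item can be queued again after this cancel; cancelling after v4l2_m2m_ctx_release() and before the session memory is freed would cover that case. A short comment saying why no sess->lock handling is needed at this site, unlike the other two, would also help the next reader.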