From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Maxime Jourdan, Hans Verkuil, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v4 3/3] media: meson: vdec: Cancel esparser work in error and stop paths
Date: Thu, 21 May 2026 13:04:13 +0530
Message-ID: <20260521073449.10057-4-linux.amoon@gmail.com>
In-Reply-To: <20260521073449.10057-1-linux.amoon@gmail.com>

Ensure that esparser_queue_work is canceled before freeing the session context. Add cancel_work_sync() in both the error path of vdec_close() and vdec_start_streaming() and in vdec_stop_streaming(). This prevents background work from dereferencing a freed sess structure and triggering a use-after-free.

Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260520045905.6ACBA1F000E9@smtp.kernel.org/#t
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon --- v4: new patch If vdec_close() calls kfree(sess) without first stopping or synchronizing with this background work via cancel_work_sync(), could a concurrently running esparser_queue_all_src() dereference the freed sess structure and trigger a use-after-free? --- drivers/staging/media/meson/vdec/vdec.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c index 8615a935e86d..a57bd4a8e33c 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c @@ -358,6 +358,8 @@ static int vdec_start_streaming(struct vb2_queue *q, unsigned int count) dma_free_coherent(sess->core->dev, sess->vififo_size, sess->vififo_vaddr, sess->vififo_paddr); bufs_done: + cancel_work_sync(&sess->esparser_queue_work); + if (q->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) sess->streamon_out = 0; else @@ -415,6 +417,7 @@ static void vdec_stop_streaming(struct vb2_queue *q) if (vdec_codec_needs_recycle(sess)) kthread_stop(sess->recycle_thread); + cancel_work_sync(&sess->esparser_queue_work); vdec_poweroff(sess); vdec_free_canvas(sess); dma_free_coherent(sess->core->dev, sess->vififo_size, 
@@ -937,6 +940,7 @@ static int vdec_close(struct file *file) v4l2_m2m_ctx_release(sess->m2m_ctx); v4l2_m2m_release(sess->m2m_dev); v4l2_ctrl_handler_free(&sess->ctrl_handler); + cancel_work_sync(&sess->esparser_queue_work); v4l2_fh_del(&sess->fh, file); v4l2_fh_exit(&sess->fh); -- 2.50.1
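
Review bot: In the vdec_start_streaming() hunk (@@ -358,6 +358,8 @@), cancel_work_sync() at the bufs_done label runs before streamon_out/streamon_cap is cleared, and cancel_work_sync() only guarantees the work is idle at the moment it returns. If any other path can schedule esparser_queue_work while the stream flag is still set, the work can be queued again right after the cancel. Consider clearing the flag first and cancelling afterwards, or say in the commit message why no requeue is possible here. The message also does not say which failure in this function leaves the work queued; if the work is only scheduled after the last goto to this label, the cancel is a no-op on this path and can be dropped.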
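
Review bot: In the vdec_stop_streaming() hunk (@@ -415,6 +417,7 @@), the ordering requirement is not documented: the cancel has to stay ahead of vdec_poweroff(), vdec_free_canvas() and the dma_free_coherent() of the vififo, and a one-line comment saying so would keep a later reorder from reopening the race. Please also confirm that this teardown sequence is reached on every stop where the work may have been scheduled; the hunk shows only the lines after kthread_stop(sess->recycle_thread), so it is not visible whether the call is conditional.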
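
Review bot: In the vdec_close() hunk (@@ -937,6 +940,7 @@), cancel_work_sync() comes after v4l2_m2m_ctx_release(sess->m2m_ctx), v4l2_m2m_release(sess->m2m_dev) and v4l2_ctrl_handler_free(&sess->ctrl_handler), so a work item still running when close starts executes against an m2m context and control handler that are already torn down. That protects the later free of sess but leaves a use-after-free window for the members released first if the worker touches them. Move the cancel to the top of the teardown sequence, before v4l2_m2m_ctx_release(). The commit message calls this "the error path of vdec_close()", while the hunk places the call in the normal release sequence; the wording should match the code.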