From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman,
    Jerome Brunet, Martin Blumenstingl, Maxime Jourdan, Hans Verkuil,
    linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS),
    linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS),
    linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM),
    linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support),
    linux-kernel@vger.kernel.org (open list)
Cc: Sashiko
Subject: [PATCH v5 0/6] media: meson: Fix memory leak in error path in vdec
Date: Mon, 25 May 2026 15:21:48 +0530
Message-ID: <20260525095216.12078-1-linux.amoon@gmail.com>
X-Mailer: git-send-email 2.50.1

V5: Changes

Following changes try to fix the memory leak reported by Sashiko

New issues:
- [High] The newly added error path in `vdec_start_streaming()` leaks
  `sess->priv` when `kthread_run()` fails.

Pre-existing issues:
- [Critical] Race condition between hardware power-on and `core->cur_sess`
  initialization leads to a NULL pointer dereference in the IRQ handler.
- [High] Returning buffers for both source and destination queues upon
  single-queue failure orphans active queue buffers.
- [High] Concurrent sessions can bypass the hardware exclusivity check,
  leading to simultaneous hardware programming.
--
Reported-by: Sashiko
https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/

V4: Changes:

Following changes try to fix the memory leak reported by Sashiko

Pre-existing issues:
- [Critical] The `sess->esparser_queue_work` work item is not canceled before
  freeing the session context, leading to a potential Use-After-Free
  vulnerability.
- [High] The patch attempts to fix a memory leak reported by kmemleak, but
  misdiagnoses the root cause and leaves the primary memory leak (the V4L2
  control handler) unresolved.
- [High] The driver does not verify if `kthread_run()` returns an `ERR_PTR`,
  leading to a kernel panic when `kthread_stop()` is called.

Reported-by: Sashiko
https://lore.kernel.org/all/20260520045905.6ACBA1F000E9@smtp.kernel.org/#t

Thanks
-Anand

Anand Moon (6):
  media: meson: vdec: Fix memory leak in error path of vdec_open
  media: meson: vdec: Protect session exclusivity check with lock
  media: meson: vdec: Set cur_sess before hardware vdec_poweron()
  media: meson: vdec: Handle kthread error and free codec private data
  media: meson: vdec: Isolate error path buffer flush to the active queue
  media: meson: vdec: Cancel esparser work in error and stop paths

 drivers/staging/media/meson/vdec/vdec.c | 54 ++++++++++++++++++++-----
 1 file changed, 44 insertions(+), 10 deletions(-)

base-commit: e7ae89a0c97ce2b68b0983cd01eda67cf373517d
--
2.50.1
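The two `kthread_run()` findings listed in the cover letter (an unchecked `ERR_PTR`, and `sess->priv` leaked on the new error path) can be modelled in userspace. This is an added example, not code from the patch series or the meson vdec driver: `model_sess`, `model_kthread_run()`, `start_leaky()`, `start_fixed()` and the allocation counter are hypothetical stand-ins, and the `ERR_PTR` helpers only imitate the kernel's encoding.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel's ERR_PTR helpers: an errno is encoded
 * in the top 4095 pointer values, so a failed call is never NULL. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct model_sess { void *priv; void *thread; };  /* hypothetical session */
static int live_allocs;                           /* demo leak counter */

static void *model_alloc(size_t n) { void *p = calloc(1, n); live_allocs += !!p; return p; }
static void model_free(void *p) { if (p) live_allocs--; free(p); }
/* Stand-in for kthread_run(): returns ERR_PTR(-ENOMEM) on failure. */
static void *model_kthread_run(int fail) { return fail ? ERR_PTR(-ENOMEM) : model_alloc(16); }

/* Leaky shape: the error is detected, but priv is not released and the
 * ERR_PTR stays in the session for a later stop call to trip over. */
static int start_leaky(struct model_sess *s, int fail)
{
	s->priv = model_alloc(32);
	if (!s->priv)
		return -ENOMEM;
	s->thread = model_kthread_run(fail);
	if (IS_ERR(s->thread))
		return (int)PTR_ERR(s->thread);
	return 0;
}

/* Hardened shape: unwind in reverse order and leave no stale pointers. */
static int start_fixed(struct model_sess *s, int fail)
{
	int ret;
	s->priv = model_alloc(32);
	if (!s->priv)
		return -ENOMEM;
	s->thread = model_kthread_run(fail);
	if (!IS_ERR(s->thread))
		return 0;
	ret = (int)PTR_ERR(s->thread);
	s->thread = NULL;
	model_free(s->priv);
	s->priv = NULL;
	return ret;
}

/* Force a thread-creation failure; bit 0 = priv leaked, bit 1 = ERR_PTR kept. */
static int state_after_failed_start(int (*start)(struct model_sess *, int))
{
	struct model_sess s = { 0 };
	int flags;
	live_allocs = 0;
	if (start(&s, 1) != -ENOMEM)
		return -1;
	flags = (live_allocs ? 1 : 0) | (IS_ERR(s.thread) ? 2 : 0);
	free(s.priv);	/* keep the demo itself leak-free */
	return flags;
}

int main(void)
{
	printf("leaky: %d, fixed: %d\n", state_after_failed_start(start_leaky),
	       state_after_failed_start(start_fixed));
	return 0;
}
```

A NULL test on the thread pointer would pass for an `ERR_PTR`, which is why the model checks `IS_ERR()` and resets the pointer before returning.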