From: Anand Moon <linux.amoon@gmail.com>
To: Neil Armstrong <neil.armstrong@linaro.org>,
	Mauro Carvalho Chehab <mchehab@kernel.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Kevin Hilman <khilman@baylibre.com>,
	Jerome Brunet <jbrunet@baylibre.com>,
	Martin Blumenstingl <martin.blumenstingl@googlemail.com>,
	Hans Verkuil <hverkuil@kernel.org>,
	Maxime Jourdan <mjourdan@baylibre.com>,
	linux-media@vger.kernel.org (open list:MESON VIDEO DECODER
	DRIVER FOR AMLOGIC SOCS),
	linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER
	DRIVER FOR AMLOGIC SOCS),
	linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM),
	linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic
	Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Sashiko <sashiko-bot@kernel.org>,
	Nicolas Dufresne <nicolas@ndufresne.ca>
Subject: [PATCH v5 2/6] media: meson: vdec: Protect session exclusivity check with lock
Date: Mon, 25 May 2026 15:21:50 +0530
Message-ID: <20260525095216.12078-3-linux.amoon@gmail.com>
In-Reply-To: <20260525095216.12078-1-linux.amoon@gmail.com>

The check for an active hardware session is performed without holding
the core->lock mutex. In multi-threaded environments, two concurrent
STREAMON ioctls on different file descriptors can simultaneously find
core->cur_sess to be NULL, bypass the check, and concurrently call
vdec_poweron(), corrupting hardware state.

Fix this by wrapping the session exclusivity check inside core->lock.

Cc: Nicolas Dufresne <nicolas@ndufresne.ca>
Reported-by: Sashiko <sashiko-bot@kernel.org>
Closes: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon <linux.amoon@gmail.com>
---
v5: New patch.
[High] Concurrent sessions can bypass the hardware exclusivity check,
leading to simultaneous hardware programming.
---
 drivers/staging/media/meson/vdec/vdec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c
index 18a22b79e835..e72f54af026e 100644
--- a/drivers/staging/media/meson/vdec/vdec.c
+++ b/drivers/staging/media/meson/vdec/vdec.c
@@ -286,10 +286,13 @@ static int vdec_start_streaming(struct vb2_queue *q, unsigned int count)
 	struct vb2_v4l2_buffer *buf;
 	int ret;
 
+	mutex_lock(&core->lock);
 	if (core->cur_sess && core->cur_sess != sess) {
+		mutex_unlock(&core->lock);
 		ret = -EBUSY;
 		goto bufs_done;
 	}
+	mutex_unlock(&core->lock);
 
 	if (q->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE)
 		sess->streamon_out = 1;
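Review bot: The added mutex_unlock(&core->lock) right after the if block releases the lock before anything in this hunk records the caller as the owner, so the check and the later claim of core->cur_sess are still not atomic. Two STREAMON callers can take the lock one after the other, each see core->cur_sess as NULL, each drop the lock, and both continue towards vdec_poweron(), which is the outcome the commit message sets out to prevent. Consider holding core->lock from the check until core->cur_sess is assigned to sess (or assigning it inside this critical section), with a matching unlock on the bufs_done path. Since kernel mutexes are not recursive, also confirm that no path reaches vdec_start_streaming() with core->lock already held.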
-- 
2.50.1



