From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Maxime Jourdan, Hans Verkuil, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Sashiko, Nicolas Dufresne
Subject: [PATCH v5 3/6] media: meson: vdec: Set cur_sess before hardware vdec_poweron()
Date: Mon, 25 May 2026 15:21:51 +0530
Message-ID: <20260525095216.12078-4-linux.amoon@gmail.com>
In-Reply-To: <20260525095216.12078-1-linux.amoon@gmail.com>
References: <20260525095216.12078-1-linux.amoon@gmail.com>

vdec_poweron() initializes hardware and unmasks device interrupts. If an interrupt fires before core->cur_sess is set, vdec_isr() dereferences a NULL pointer when updating sess->last_irq_jiffies, leading to a kernel panic.

Fix this by assigning core->cur_sess and updating sess->status under core->lock before calling vdec_poweron(). This ensures the interrupt handler always sees a valid session pointer. On the error path, clear core->cur_sess and reset sess->status to STATUS_STOPPED to avoid stale references.

Following change also strengthens the hardware exclusivity check by holding core->lock during session assignment, preventing concurrent sessions from racing through cur_sess == NULL and corrupting hardware state. Cc: Nicolas Dufresne Reported-by: Sashiko Closes: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/ Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver") Signed-off-by: Anand Moon --- v5: [Critical] Race condition between hardware power-on and `core->cur_sess` initialization leads to a NULL pointer dereference in the IRQ handler. --- drivers/staging/media/meson/vdec/vdec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c index e72f54af026e..52ace4de967c 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c @@ -334,6 +334,11 @@ static int vdec_start_streaming(struct vb2_queue *q, unsigned int count) atomic_set(&sess->esparser_queued_bufs, 0); v4l2_ctrl_s_ctrl(sess->ctrl_min_buf_capture, 1); + mutex_lock(&core->lock); + core->cur_sess = sess; + sess->status = STATUS_INIT; + mutex_unlock(&core->lock); + ret = vdec_poweron(sess); if (ret) goto vififo_free; 
@@ -344,12 +349,14 @@ static int vdec_start_streaming(struct vb2_queue *q, unsigned int count) sess->recycle_thread = kthread_run(vdec_recycle_thread, sess, "vdec_recycle"); - sess->status = STATUS_INIT; - core->cur_sess = sess; schedule_work(&sess->esparser_queue_work); return 0; vififo_free: + mutex_lock(&core->lock); + core->cur_sess = NULL; + sess->status = STATUS_STOPPED; + mutex_unlock(&core->lock); dma_free_coherent(sess->core->dev, sess->vififo_size, sess->vififo_vaddr, sess->vififo_paddr); bufs_done: -- 2.50.1
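
Review bot: In the first hunk of vdec_start_streaming(), the new critical section writes `core->cur_sess = sess` unconditionally; no test of core->cur_sess appears between mutex_lock(&core->lock) and mutex_unlock(&core->lock). The commit message says holding the lock stops concurrent sessions from racing through cur_sess == NULL, but that only holds if the ownership test runs inside the same locked region as the assignment. If the existing check is done earlier without core->lock, two sessions can still both pass it, and the second one overwrites the first session's pointer here. Suggest moving the check into this block and failing (for example with -EBUSY) when core->cur_sess already points at a different session. A short comment above the block would also help, stating that the pointer has to be published before vdec_poweron() because vdec_isr() reads it, since holding a mutex does not by itself exclude the interrupt handler.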
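
Review bot: In the second hunk, the vififo_free path stores `core->cur_sess = NULL` right after a failed vdec_poweron(), and nothing visible before that store masks the interrupt or waits for a running handler. The commit message states that vdec_poweron() unmasks device interrupts, so if it can fail after that point, vdec_isr() can still run and see the NULL pointer this patch is meant to remove, with dma_free_coherent() following immediately. Suggest making sure the hardware is powered down or the IRQ is quiesced (for example with synchronize_irq()) before clearing the pointer, or having vdec_isr() return early when core->cur_sess is NULL. It is also worth confirming that every failure after the first hunk's assignment goes through vififo_free rather than straight to bufs_done, otherwise cur_sess stays set to a session that never started.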