From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Maxime Jourdan, Hans Verkuil, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v5 6/6] media: meson: vdec: Cancel esparser work in error and stop paths
Date: Mon, 25 May 2026 15:21:54 +0530
Message-ID: <20260525095216.12078-7-linux.amoon@gmail.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260525095216.12078-1-linux.amoon@gmail.com>
References: <20260525095216.12078-1-linux.amoon@gmail.com>

The esparser workqueue may remain pending when streaming is stopped or the device is closed, leading to use-after-free if it runs after session teardown. vdec_start_streaming(), vdec_stop_streaming(), and vdec_close() did not cancel this work, leaving a race between session cleanup and work execution.

Fix this by calling cancel_work_sync(&sess->esparser_queue_work) in all cleanup paths. Unlocking and relocking sess->lock around the cancel ensures the work handler cannot run concurrently with teardown. This prevents dangling work items from accessing freed session memory and eliminates a potential kernel crash.

Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260520045905.6ACBA1F000E9@smtp.kernel.org/#t
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon --- v5: Tried to fix the order of cancel_work_sync() which could lead to a use-after-free. update the commit message. --- drivers/staging/media/meson/vdec/vdec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c index 925537bd4d0b..296b387f3667 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c @@ -372,6 +372,10 @@ static int vdec_start_streaming(struct vb2_queue *q, unsigned int count) dma_free_coherent(sess->core->dev, sess->vififo_size, sess->vififo_vaddr, sess->vififo_paddr); bufs_done: + mutex_unlock(&sess->lock); + cancel_work_sync(&sess->esparser_queue_work); + mutex_lock(&sess->lock); + if (q->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) { sess->streamon_out = 0; while ((buf = v4l2_m2m_src_buf_remove(sess->m2m_ctx))) @@ -430,6 +434,9 @@ static void vdec_stop_streaming(struct vb2_queue *q) kthread_stop(sess->recycle_thread); vdec_poweroff(sess); + mutex_unlock(&sess->lock); + cancel_work_sync(&sess->esparser_queue_work); + mutex_lock(&sess->lock); vdec_free_canvas(sess); dma_free_coherent(sess->core->dev, sess->vififo_size, sess->vififo_vaddr, sess->vififo_paddr); 
@@ -948,6 +955,8 @@ static int vdec_close(struct file *file) { struct amvdec_session *sess = file_to_amvdec_session(file); + cancel_work_sync(&sess->esparser_queue_work); + v4l2_m2m_ctx_release(sess->m2m_ctx); v4l2_m2m_release(sess->m2m_dev); v4l2_fh_del(&sess->fh, file); -- 2.50.1
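
Review bot: in the vdec_start_streaming() hunk the cancel sits at bufs_done:, below the dma_free_coherent() of sess->vififo_vaddr shown in the context, so on error paths that fall through from the earlier labels the esparser work is only cancelled after the vififo has been freed. If the work handler can reach that buffer, the window this patch is meant to close is still open on those paths; consider cancelling before the first resource is released in the unwind sequence, or say in the commit message why the work cannot be queued yet at that point. The unlock/relock also assumes every goto into bufs_done holds sess->lock; a lockdep_assert_held(&sess->lock) ahead of the mutex_unlock() would document that.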
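
Review bot: in the vdec_stop_streaming() hunk cancel_work_sync() runs after kthread_stop() and vdec_poweroff(), so until the cancel returns the esparser work can still execute against a decoder that has already been powered off; moving the cancel ahead of vdec_poweroff() would avoid that. Dropping sess->lock between vdec_poweroff() and vdec_free_canvas() also lets any other sess->lock holder run against a half torn-down session, and nothing visible here stops the work from being queued again once cancel_work_sync() has returned, so a state check on the queueing side (or disable_work_sync() where available) is worth considering. A short comment on why the lock must be dropped would help, since the commit message credits the unlock/relock rather than cancel_work_sync() itself with the exclusion.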
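
Review bot: in the vdec_close() hunk the cancel is issued before v4l2_m2m_ctx_release(), which releases the vb2 queues and invokes the driver's stop_streaming callback if a queue is still streaming; if anything on that path queues the esparser work, it outlives this cancel. Placing cancel_work_sync(&sess->esparser_queue_work) after v4l2_m2m_ctx_release() would cover that case. This hunk also takes no lock while the other two drop sess->lock around the call; a one-line comment that close runs without sess->lock held would show the difference is deliberate.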