From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EA2C2368D79 for ; Sat, 30 May 2026 09:44:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.179 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780134295; cv=none; b=LbsTBuUqBdR1PPHepgEXi58a/f9EBRmY+s80E6hZH4w1qaSGGQ1/spXcoey9n0drPQPZCmnO5rtOC4ULAxB85Mcq8JXHcrKm7HN1eWCownQXGHhy0oFEzNgU/3ly9OdCDxKZzqcEeC3huArdnJTaYLKOmTUkF2WYmFwjcQZcdgA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780134295; c=relaxed/simple; bh=U+d2jT76hbERqFnnuLcNz9UQ38hwXQfEMVzxXIG/jas=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=fPc1+JZrfHSAmaZhUo6RmJq2wZfqb2a4+WwJJQJdmlk0iiqvD6QS84oIdRiim0mukG19nbLQZAXT7d18ouuYF8cgz1mgD11xow11uCTVaqf7uiSAcXUuxeGKxJeeCIO4L336mo7zRSctwolALzUnznWUxStW2iUIPSbGjvMDl2M= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=ayR3VtPg; arc=none smtp.client-ip=209.85.214.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ayR3VtPg" Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-2c0aa420401so1621975ad.3 for ; Sat, 30 May 2026 02:44:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780134293; x=1780739093; darn=lists.linux.dev; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Eg9ggvkEkoQKR+hIDJPnP9lc/gF7VRqufBdsoqX52Vc=; b=ayR3VtPgs8Gq191WgOaCkmG0GvY77inAYejhVGPuL+Bsh7vraBKTUx5NHdEEg0G4mP OHLbBjMaNtyYR79nEdlHpo0g5nnrLUsnmGcAir6k+quSwm0LV3eDLcLQzga5IiXJx7ZA lQq9ElIIEhPN/JJdkLSAUaRQq6U2ZXkrI0NtkirvqV2XbYFLP4/I/RMEZt+debu8O0AU wnAo0TAvoP6/kQfcaQhqE8fds+biQyjNxM+75Sx6yi7dw0qGp18U/isN1XVNzJk4AFEP 46+Oy/Jap21FoMXDS9EZEZM97VQ1mf2dARAutwcEE4zmCyYO5Kumzu0VfAKC3V+IwcGL fnCA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780134293; x=1780739093; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Eg9ggvkEkoQKR+hIDJPnP9lc/gF7VRqufBdsoqX52Vc=; b=mY3IJ+vbSfGqMBA81Tk/3Kzv5fr9ybDGuJEKxx4gGmZtzYCxDO0yuSDQadRyLYwuAI 3j/8kh0ua2k37g6VrZKLgzjSFjPduz7oZErfpkronJx93HGUzGmADJHx2oWYQGJsk/pT dwxea6hDJhxgD3gpMB07ccNRzCRb5Vl3llLUSi9hK+aJAna7ztw3LCoJjPGqQCwu/rKJ s8czoW9++256tXCsqvEtLOP6Sfm3Jmk26UJ5vtFu9yKOhFHQ1IZoQCljd5tGR9uDS0Bg vQeCTgDTKhSJLS7WLM9uhHmSePlgIxwQrgGyokzMqseWB5OWAHWrOGxusxKEDIVsizIu Af4w== X-Forwarded-Encrypted: i=1; AFNElJ/OVCdl7SMG/0AQ4tn81UMZOZbxMvldqt0+8W/x7y+qUdvVH50Em4dSke0xZ6NBij1RfzEC3vwxxwlb9goa@lists.linux.dev X-Gm-Message-State: AOJu0YzCYOGwXEQ439Q5O6AEkst7CdheIOrv2KL4uiSknUplKAY/jqhn D8XAkCkHiyemEmciklI4RYh/u9wAcAG8ZfRDSI6TCa7g2MjzIaFSMP5M X-Gm-Gg: Acq92OHIK8r4vOgL3XVQaOMniDeHzvol5jDNE5KG0YOSa8KMGlYh2oIN+EvDhPl7/Tn xBuUiiifvHOdn+lXcca5Zp8a7pcvWg05MZDAfviL5z1LD1stPLp/JL9lYaM665QvD1zh0IBvNZx xa6qA6LhBkpNclNLj4cr+wMSCisX1KOfUvPDGtrlRfZJjrVfmieFglQysxOWwmYw/YHzZFzARr7 mKXHZyJE7bykETykJUrDZyfID9xn5oOjCoyjFCsWVmgHbSF+WvkTQgz0yWUVXgHIoivlL/QGYvC jjSO6fG3k4rwwmCx65kRJzKB24WNuTQp3TgertpVePnCJWrdi7pUW/GPfZcLxXGmjrnXRjmdpGh fsMPDqU/1ghapL7ThWYYNmC0pxaE9q3fFtWklcrSTq6fmkvcpTSAtwT50cFkgcWd9sJgikBtiD9 ug1bFnJl4oaWTYC9PYBNNtDvCCBI+In4Q= X-Received: by 2002:a17:902:c94c:b0:2b2:be01:5532 with SMTP id d9443c01a7336-2bf3686d1dcmr41074635ad.35.1780134293228; Sat, 30 May 2026 02:44:53 -0700 (PDT) Received: from rockpi-5b ([45.112.0.191]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2bf239e700csm61529945ad.10.2026.05.30.02.44.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 30 May 2026 02:44:52 -0700 (PDT) From: Anand Moon To: Neil Armstrong , Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , David Airlie , Simona Vetter , Kevin Hilman , Jerome Brunet , Martin Blumenstingl , Mauro Carvalho Chehab , Greg Kroah-Hartman , Hans Verkuil , Maxime Jourdan , dri-devel@lists.freedesktop.org (open list:DRM DRIVERS FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:DRM DRIVERS FOR AMLOGIC SOCS), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list), linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM) Cc: Anand Moon , Nicolas Dufresne , Sashiko Subject: [PATCH v6 5/8] media: meson: vdec: Cancel esparser work during teardown Date: Sat, 30 May 2026 15:12:51 +0530 Message-ID: <20260530094326.11892-6-linux.amoon@gmail.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20260530094326.11892-1-linux.amoon@gmail.com> References: <20260530094326.11892-1-linux.amoon@gmail.com> Precedence: bulk X-Mailing-List: linux-staging@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The esparser workqueue could remain active during error unwind, streaming stop, or device close, leading to use‑after‑free when work items accessed freed session memory. Fix this by explicitly cancelling the work in all teardown paths: - Call cancel_work_sync(&sess->esparser_queue_work) in vdec_start_streaming() error unwind, vdec_stop_streaming(), and vdec_close(). - Ensure the workqueue is drained before releasing session state and buffers. - Move codec_ops->drain() evaluation earlier in stop_streaming() using the status snapshot, so draining occurs before buffer cleanup. Following change prevents dangling work execution, eliminates use‑after‑free hazards, and ensures orderly teardown of decoder resources. Cc: Nicolas Dufresne Reported-by: Sashiko Closes: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/ Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver") Signed-off-by: Anand Moon --- drivers/staging/media/meson/vdec/vdec.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c index 698a95566ad2..4884ee04b352 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c @@ -380,6 +380,8 @@ static int vdec_start_streaming(struct vb2_queue *q, unsigned int count) sess->vififo_vaddr, sess->vififo_paddr); sess->vififo_vaddr = NULL; bufs_done: + cancel_work_sync(&sess->esparser_queue_work); + mutex_lock(&core->lock); if (core->cur_sess == sess) core->cur_sess = NULL; @@ -437,6 +439,8 @@ static void vdec_stop_streaming(struct vb2_queue *q) struct vb2_v4l2_buffer *buf; enum amvdec_status old_status; + cancel_work_sync(&sess->esparser_queue_work); + /* * Safely snapshot the status and clear the hardware owner inside * the mutex to prevent data races with concurrent STREAMON requests. @@ -448,7 +452,11 @@ static void vdec_stop_streaming(struct vb2_queue *q) sess->status = STATUS_STOPPED; mutex_unlock(&core->lock); - /* Evaluate the hardware state using our snapshot */ + if (q->type != V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) { + if (old_status >= STATUS_RUNNING && codec_ops->drain) + codec_ops->drain(sess); + } + if (old_status == STATUS_RUNNING || old_status == STATUS_INIT || (old_status == STATUS_NEEDS_RESUME && @@ -472,16 +480,10 @@ static void vdec_stop_streaming(struct vb2_queue *q) if (q->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) { while ((buf = v4l2_m2m_src_buf_remove(sess->m2m_ctx))) v4l2_m2m_buf_done(buf, VB2_BUF_STATE_ERROR); - sess->streamon_out = 0; } else { - /* Drain remaining refs if was still running using the snapshot */ - if (old_status >= STATUS_RUNNING && codec_ops->drain) - codec_ops->drain(sess); - while ((buf = v4l2_m2m_dst_buf_remove(sess->m2m_ctx))) v4l2_m2m_buf_done(buf, VB2_BUF_STATE_ERROR); - sess->streamon_cap = 0; } } @@ -967,6 +969,8 @@ static int vdec_close(struct file *file) { struct amvdec_session *sess = file_to_amvdec_session(file); + cancel_work_sync(&sess->esparser_queue_work); + v4l2_m2m_ctx_release(sess->m2m_ctx); v4l2_fh_del(&sess->fh, file); v4l2_fh_exit(&sess->fh); -- 2.50.1 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 0E4EACD6E4A for ; Sat, 30 May 2026 09:45:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=TUfgqaKCZ+x+Dptqpqh2rXY8TlrdXYYCTcjKw1UXamE=; b=UPqR7dMpf1st45 14PeH6KEhViNMbB1yjdist2q16SU8Cbv7AintSwNcniD4iTGgoz7L93nvU+hmQhLVEgu1KXbla89y kB6GLgWp8K8jZ6J7N7NSLxjIvOgnjaZZP2qSIH9F+JI0OhA9WcKJTYQwPNQI2QZFnr8LpwPkep0yF u67riH8wL22aouxHi+MvzyPaUCt1puDcpfK6IwzRHTZvJdbjehL7JKB9eFHKR41Q8WLhYyegyNgmm Z3E+rNWEtdn349N0R9bnqpD4AUPB3gjwZ/XmF1j+8ynXrrvlDyPVLUynK36qFwO3ncSOai7iGLVL2 rCLUSURbJZ/cSt+sY32g==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.99.1 #2 (Red Hat Linux)) id 1wTGFX-00000008att-18r7; Sat, 30 May 2026 09:44:59 +0000 Received: from mail-pl1-x630.google.com ([2607:f8b0:4864:20::630]) by bombadil.infradead.org with esmtps (Exim 4.99.1 #2 (Red Hat Linux)) id 1wTGFS-00000008apY-0dRL for linux-amlogic@lists.infradead.org; Sat, 30 May 2026 09:44:57 +0000 Received: by mail-pl1-x630.google.com with SMTP id d9443c01a7336-2bab82d75fdso75061035ad.2 for ; Sat, 30 May 2026 02:44:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780134293; x=1780739093; darn=lists.infradead.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Eg9ggvkEkoQKR+hIDJPnP9lc/gF7VRqufBdsoqX52Vc=; b=os+Tpt4Agfc9cAKsndlHPjAkf542T5rI/8B8/zjsWff1qkadnlwYbaPxVq2lX1pdPk FzLEdY4W4A1cXW3/S6YrVn8TabNbEYOyetPOUSOPX/7t41uGvz8TDPvP8LKo5bE6sidC T5qBZO2GkQ67kf94gfNiGbPg1R5SaIDxiDJ9cAkc2Og0n5lCoQmkkWolqDQf3mWp1Dte 69kZXpFqp0aG6Hzxy/xaxNDo4OrZH/t/CJvDLrOeUhalIkbxnFJUBsUuEkGOlG6XOoIt QQLBaFHPXkHJlzi3TEhaSLIs5RlVV+1+MlSjH9y+2jHpwokhjoggjy2TIhOIwGmPsXo6 VU7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780134293; x=1780739093; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Eg9ggvkEkoQKR+hIDJPnP9lc/gF7VRqufBdsoqX52Vc=; b=OpC+EOQuGFseovx3PSWLzYspk6Jv+KCLhF8XjCpCIX5GpMq6vFyACvDW6yZd1RiS5q V7rT7BgscaThtUo1ks50jA0/8LBDPiE9wpkMisjMI7ZgUlgTvSpwslayCMjpfyFu4UUL nkIVamLQNcBPTkcE1hIwqL9AakBFAqENmQBT+gMXx6sqJsZQgmwhhs0OIfB3jEn8BzQd 8Pxwr0hTkUfW4VNCffp7kuD5XmYivA4Opt+Rl8E7wmeDJx/lTv78b3SKBgmvaYa7vBUk CrQnAFPrdTBEljVzU9ZgfOXLYhuhLocBoC6bFa2AegZnTuRlNVbDH2e/oWEVdMPbvVUS 1zkw== X-Forwarded-Encrypted: i=1; AFNElJ+mwtMehv7FVqtroymeeoTch+gck0isws+mIAXcvG3okGzfI8w01+SYXXipOb31RCPNvrRfjqqMqnIUr//t@lists.infradead.org X-Gm-Message-State: AOJu0YwWQF1yFsxEj7+FY581Abd+9vaMkwAAPSf7oORwRlOJMOtJ68Fy Kgy+fPwNELYe6znRfFu6hRqepNFOY9ZKssNDtD6Po9MifDZJ071G6GdH X-Gm-Gg: Acq92OEFZbH8kFJSqNgh36yr3bgC1rCf212lmLnbspzT+5/nT/Z3V2ph+rs5sueXNZx G+DAVUo5UNvWDR4VL0gv/TY6syYTZfQX790H6X429zSjexIrrTn10F1KGY476BLBWOEIS6+kn7O mCYHwfWAvbrxK8tt3impQkT0QmhMtXVk6gCfQ9fXLOIe0LVa0/XmXxuGPvSXX7O/K1N+dWl158U 19RJXUHSPfohPMjlqUEw0kUwR6vxJF5VsB96XnJStSRxf5mZ3ma6nc/lX8aDltw7JP4P5Yq9fbb vXT5wSG3Vfm8Cy1xpD6LN+JXij+iX7TbxVjSg0Vfe68DttBKZi9X7OPHSfJsf6NqYy0uT82A8WG +zwutgluF+8Y8N5ZqAyrtFNtTUkxkb4iI/wzIrrb78L9TwGsKteTNW/euA1epL1VCEOP/XvuWPe Qtg5T6cs6/i1yOECxb2/4giIKUcyUA4iI= X-Received: by 2002:a17:902:c94c:b0:2b2:be01:5532 with SMTP id d9443c01a7336-2bf3686d1dcmr41074635ad.35.1780134293228; Sat, 30 May 2026 02:44:53 -0700 (PDT) Received: from rockpi-5b ([45.112.0.191]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2bf239e700csm61529945ad.10.2026.05.30.02.44.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 30 May 2026 02:44:52 -0700 (PDT) From: Anand Moon To: Neil Armstrong , Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , David Airlie , Simona Vetter , Kevin Hilman , Jerome Brunet , Martin Blumenstingl , Mauro Carvalho Chehab , Greg Kroah-Hartman , Hans Verkuil , Maxime Jourdan , dri-devel@lists.freedesktop.org (open list:DRM DRIVERS FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:DRM DRIVERS FOR AMLOGIC SOCS), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list), linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM) Subject: [PATCH v6 5/8] media: meson: vdec: Cancel esparser work during teardown Date: Sat, 30 May 2026 15:12:51 +0530 Message-ID: <20260530094326.11892-6-linux.amoon@gmail.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20260530094326.11892-1-linux.amoon@gmail.com> References: <20260530094326.11892-1-linux.amoon@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.9.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20260530_024454_198805_9D6C8490 X-CRM114-Status: GOOD ( 17.07 ) X-BeenThere: linux-amlogic@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Sashiko , Nicolas Dufresne Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "linux-amlogic" Errors-To: linux-amlogic-bounces+linux-amlogic=archiver.kernel.org@lists.infradead.org VGhlIGVzcGFyc2VyIHdvcmtxdWV1ZSBjb3VsZCByZW1haW4gYWN0aXZlIGR1cmluZyBlcnJvciB1 bndpbmQsCnN0cmVhbWluZyBzdG9wLCBvciBkZXZpY2UgY2xvc2UsIGxlYWRpbmcgdG8gdXNl4oCR YWZ0ZXLigJFmcmVlIHdoZW4Kd29yayBpdGVtcyBhY2Nlc3NlZCBmcmVlZCBzZXNzaW9uIG1lbW9y eS4KCkZpeCB0aGlzIGJ5IGV4cGxpY2l0bHkgY2FuY2VsbGluZyB0aGUgd29yayBpbiBhbGwgdGVh cmRvd24gcGF0aHM6CgotIENhbGwgY2FuY2VsX3dvcmtfc3luYygmc2Vzcy0+ZXNwYXJzZXJfcXVl dWVfd29yaykgaW4KICB2ZGVjX3N0YXJ0X3N0cmVhbWluZygpIGVycm9yIHVud2luZCwgdmRlY19z dG9wX3N0cmVhbWluZygpLAogIGFuZCB2ZGVjX2Nsb3NlKCkuCi0gRW5zdXJlIHRoZSB3b3JrcXVl dWUgaXMgZHJhaW5lZCBiZWZvcmUgcmVsZWFzaW5nIHNlc3Npb24KICBzdGF0ZSBhbmQgYnVmZmVy cy4KLSBNb3ZlIGNvZGVjX29wcy0+ZHJhaW4oKSBldmFsdWF0aW9uIGVhcmxpZXIgaW4gc3RvcF9z dHJlYW1pbmcoKQogIHVzaW5nIHRoZSBzdGF0dXMgc25hcHNob3QsIHNvIGRyYWluaW5nIG9jY3Vy cyBiZWZvcmUgYnVmZmVyCiAgY2xlYW51cC4KCkZvbGxvd2luZyBjaGFuZ2UgcHJldmVudHMgZGFu Z2xpbmcgd29yayBleGVjdXRpb24sIGVsaW1pbmF0ZXMKdXNl4oCRYWZ0ZXLigJFmcmVlIGhhemFy ZHMsIGFuZCBlbnN1cmVzIG9yZGVybHkgdGVhcmRvd24gb2YgZGVjb2RlcgpyZXNvdXJjZXMuCgpD YzogTmljb2xhcyBEdWZyZXNuZSA8bmljb2xhc0BuZHVmcmVzbmUuY2E+ClJlcG9ydGVkLWJ5OiBT YXNoaWtvIDxzYXNoaWtvLWJvdEBrZXJuZWwub3JnPgpDbG9zZXM6IGh0dHBzOi8vbG9yZS5rZXJu ZWwub3JnL2FsbC8yMDI2MDUyMTA5MDk0NC5GMzU0MDFGMDBBM0RAc210cC5rZXJuZWwub3JnLwpG aXhlczogM2U3ZjUxYmQ5NjA3ICgibWVkaWE6IG1lc29uOiBhZGQgdjRsMiBtMm0gdmlkZW8gZGVj b2RlciBkcml2ZXIiKQpTaWduZWQtb2ZmLWJ5OiBBbmFuZCBNb29uIDxsaW51eC5hbW9vbkBnbWFp bC5jb20+Ci0tLQogZHJpdmVycy9zdGFnaW5nL21lZGlhL21lc29uL3ZkZWMvdmRlYy5jIHwgMTgg KysrKysrKysrKystLS0tLS0tCiAxIGZpbGUgY2hhbmdlZCwgMTEgaW5zZXJ0aW9ucygrKSwgNyBk ZWxldGlvbnMoLSkKCmRpZmYgLS1naXQgYS9kcml2ZXJzL3N0YWdpbmcvbWVkaWEvbWVzb24vdmRl Yy92ZGVjLmMgYi9kcml2ZXJzL3N0YWdpbmcvbWVkaWEvbWVzb24vdmRlYy92ZGVjLmMKaW5kZXgg Njk4YTk1NTY2YWQyLi40ODg0ZWUwNGIzNTIgMTAwNjQ0Ci0tLSBhL2RyaXZlcnMvc3RhZ2luZy9t ZWRpYS9tZXNvbi92ZGVjL3ZkZWMuYworKysgYi9kcml2ZXJzL3N0YWdpbmcvbWVkaWEvbWVzb24v dmRlYy92ZGVjLmMKQEAgLTM4MCw2ICszODAsOCBAQCBzdGF0aWMgaW50IHZkZWNfc3RhcnRfc3Ry ZWFtaW5nKHN0cnVjdCB2YjJfcXVldWUgKnEsIHVuc2lnbmVkIGludCBjb3VudCkKIAkJCSAgc2Vz cy0+dmlmaWZvX3ZhZGRyLCBzZXNzLT52aWZpZm9fcGFkZHIpOwogCXNlc3MtPnZpZmlmb192YWRk ciA9IE5VTEw7CiBidWZzX2RvbmU6CisJY2FuY2VsX3dvcmtfc3luYygmc2Vzcy0+ZXNwYXJzZXJf cXVldWVfd29yayk7CisKIAltdXRleF9sb2NrKCZjb3JlLT5sb2NrKTsKIAlpZiAoY29yZS0+Y3Vy X3Nlc3MgPT0gc2VzcykKIAkJY29yZS0+Y3VyX3Nlc3MgPSBOVUxMOwpAQCAtNDM3LDYgKzQzOSw4 IEBAIHN0YXRpYyB2b2lkIHZkZWNfc3RvcF9zdHJlYW1pbmcoc3RydWN0IHZiMl9xdWV1ZSAqcSkK IAlzdHJ1Y3QgdmIyX3Y0bDJfYnVmZmVyICpidWY7CiAJZW51bSBhbXZkZWNfc3RhdHVzIG9sZF9z dGF0dXM7CiAKKwljYW5jZWxfd29ya19zeW5jKCZzZXNzLT5lc3BhcnNlcl9xdWV1ZV93b3JrKTsK KwogCS8qCiAJICogU2FmZWx5IHNuYXBzaG90IHRoZSBzdGF0dXMgYW5kIGNsZWFyIHRoZSBoYXJk d2FyZSBvd25lciBpbnNpZGUKIAkgKiB0aGUgbXV0ZXggdG8gcHJldmVudCBkYXRhIHJhY2VzIHdp dGggY29uY3VycmVudCBTVFJFQU1PTiByZXF1ZXN0cy4KQEAgLTQ0OCw3ICs0NTIsMTEgQEAgc3Rh dGljIHZvaWQgdmRlY19zdG9wX3N0cmVhbWluZyhzdHJ1Y3QgdmIyX3F1ZXVlICpxKQogCXNlc3Mt PnN0YXR1cyA9IFNUQVRVU19TVE9QUEVEOwogCW11dGV4X3VubG9jaygmY29yZS0+bG9jayk7CiAK LQkvKiBFdmFsdWF0ZSB0aGUgaGFyZHdhcmUgc3RhdGUgdXNpbmcgb3VyIHNuYXBzaG90ICovCisJ aWYgKHEtPnR5cGUgIT0gVjRMMl9CVUZfVFlQRV9WSURFT19PVVRQVVRfTVBMQU5FKSB7CisJCWlm IChvbGRfc3RhdHVzID49IFNUQVRVU19SVU5OSU5HICYmIGNvZGVjX29wcy0+ZHJhaW4pCisJCQlj b2RlY19vcHMtPmRyYWluKHNlc3MpOworCX0KKwogCWlmIChvbGRfc3RhdHVzID09IFNUQVRVU19S VU5OSU5HIHx8CiAJICAgIG9sZF9zdGF0dXMgPT0gU1RBVFVTX0lOSVQgfHwKIAkgICAgKG9sZF9z dGF0dXMgPT0gU1RBVFVTX05FRURTX1JFU1VNRSAmJgpAQCAtNDcyLDE2ICs0ODAsMTAgQEAgc3Rh dGljIHZvaWQgdmRlY19zdG9wX3N0cmVhbWluZyhzdHJ1Y3QgdmIyX3F1ZXVlICpxKQogCWlmIChx LT50eXBlID09IFY0TDJfQlVGX1RZUEVfVklERU9fT1VUUFVUX01QTEFORSkgewogCQl3aGlsZSAo KGJ1ZiA9IHY0bDJfbTJtX3NyY19idWZfcmVtb3ZlKHNlc3MtPm0ybV9jdHgpKSkKIAkJCXY0bDJf bTJtX2J1Zl9kb25lKGJ1ZiwgVkIyX0JVRl9TVEFURV9FUlJPUik7Ci0KIAkJc2Vzcy0+c3RyZWFt b25fb3V0ID0gMDsKIAl9IGVsc2UgewotCQkvKiBEcmFpbiByZW1haW5pbmcgcmVmcyBpZiB3YXMg c3RpbGwgcnVubmluZyB1c2luZyB0aGUgc25hcHNob3QgKi8KLQkJaWYgKG9sZF9zdGF0dXMgPj0g U1RBVFVTX1JVTk5JTkcgJiYgY29kZWNfb3BzLT5kcmFpbikKLQkJCWNvZGVjX29wcy0+ZHJhaW4o c2Vzcyk7Ci0KIAkJd2hpbGUgKChidWYgPSB2NGwyX20ybV9kc3RfYnVmX3JlbW92ZShzZXNzLT5t Mm1fY3R4KSkpCiAJCQl2NGwyX20ybV9idWZfZG9uZShidWYsIFZCMl9CVUZfU1RBVEVfRVJST1Ip OwotCiAJCXNlc3MtPnN0cmVhbW9uX2NhcCA9IDA7CiAJfQogfQpAQCAtOTY3LDYgKzk2OSw4IEBA IHN0YXRpYyBpbnQgdmRlY19jbG9zZShzdHJ1Y3QgZmlsZSAqZmlsZSkKIHsKIAlzdHJ1Y3QgYW12 ZGVjX3Nlc3Npb24gKnNlc3MgPSBmaWxlX3RvX2FtdmRlY19zZXNzaW9uKGZpbGUpOwogCisJY2Fu Y2VsX3dvcmtfc3luYygmc2Vzcy0+ZXNwYXJzZXJfcXVldWVfd29yayk7CisKIAl2NGwyX20ybV9j dHhfcmVsZWFzZShzZXNzLT5tMm1fY3R4KTsKIAl2NGwyX2ZoX2RlbCgmc2Vzcy0+ZmgsIGZpbGUp OwogCXY0bDJfZmhfZXhpdCgmc2Vzcy0+ZmgpOwotLSAKMi41MC4xCgoKX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KbGludXgtYW1sb2dpYyBtYWlsaW5nIGxp c3QKbGludXgtYW1sb2dpY0BsaXN0cy5pbmZyYWRlYWQub3JnCmh0dHA6Ly9saXN0cy5pbmZyYWRl YWQub3JnL21haWxtYW4vbGlzdGluZm8vbGludXgtYW1sb2dpYwo= From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 5DDD0CD6E4C for ; Sat, 30 May 2026 09:45:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Content-Transfer-Encoding:Content-Type:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=Eg9ggvkEkoQKR+hIDJPnP9lc/gF7VRqufBdsoqX52Vc=; b=iOdAKQ2AZoz8Hy 9YiCYtZtpSexY7G1BKDBHQ+QGQ001+giKsgwZ47RWFt/H996QxuZKB/qriHRwkWgILR4muYlnia+D jQCA1TMXqvVzPQP8+EKBnV/57OcP0pgeFwvTVe8XU+zISJAGjlfOQDg/hGaMriYBd5UE8DxKKJmPh 51HKbBhR4nZAf1Brn5aNktbNQZT6ghrnYFMRDyOFpxFzsmZMRpG03yLvpImEGd7U3o3ziMsOsyhRd J/8Sxhb4PgrAzXfMySGzOnIYZjklvnVxPhU+gDqcQz55DYSLyGg/v4E3aIo/HswAHTm/FcfC5cxnB kJz1FwqkCBx/nO0eV5hw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.99.1 #2 (Red Hat Linux)) id 1wTGFX-00000008ati-0ihY; Sat, 30 May 2026 09:44:59 +0000 Received: from mail-pl1-x62f.google.com ([2607:f8b0:4864:20::62f]) by bombadil.infradead.org with esmtps (Exim 4.99.1 #2 (Red Hat Linux)) id 1wTGFS-00000008apX-0dR4 for linux-arm-kernel@lists.infradead.org; Sat, 30 May 2026 09:44:57 +0000 Received: by mail-pl1-x62f.google.com with SMTP id d9443c01a7336-2bab82d75fdso75061025ad.2 for ; Sat, 30 May 2026 02:44:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780134293; x=1780739093; darn=lists.infradead.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Eg9ggvkEkoQKR+hIDJPnP9lc/gF7VRqufBdsoqX52Vc=; b=os+Tpt4Agfc9cAKsndlHPjAkf542T5rI/8B8/zjsWff1qkadnlwYbaPxVq2lX1pdPk FzLEdY4W4A1cXW3/S6YrVn8TabNbEYOyetPOUSOPX/7t41uGvz8TDPvP8LKo5bE6sidC T5qBZO2GkQ67kf94gfNiGbPg1R5SaIDxiDJ9cAkc2Og0n5lCoQmkkWolqDQf3mWp1Dte 69kZXpFqp0aG6Hzxy/xaxNDo4OrZH/t/CJvDLrOeUhalIkbxnFJUBsUuEkGOlG6XOoIt QQLBaFHPXkHJlzi3TEhaSLIs5RlVV+1+MlSjH9y+2jHpwokhjoggjy2TIhOIwGmPsXo6 VU7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780134293; x=1780739093; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Eg9ggvkEkoQKR+hIDJPnP9lc/gF7VRqufBdsoqX52Vc=; b=F1RBWegTdq9EOzR+OjBJ2TxfXof3Pi2MReWGRj4inqTY95NQDS+IALMxukVcjjq3nR F+u6SXiCNpDy2wV7Rk3e1tkWrHvHJl9F3ZeFHwybxfoQ+IcJIZRlMYapYbrAGkXvlapM we61O2kVQBXAUs1S4ET4KOWJmAIh5/KMsk40oOmVM3USe0I55JVno1+1DB6lf7vFKvT4 +Xscnz3JvpQ5vuvOae3pEMmN3qAJQf4zm7TzVHlJvx/39oXgOv5zM6kNA1+0BXJJnDjR 4vA8O8QB3DWqOo8LeHZjNAn+o1PRBHwqF6NhcQ7j6+U9HtSXI7LYNdlXVv3zmRuEsa/3 6tZg== X-Forwarded-Encrypted: i=1; AFNElJ+AtFWP4tZUtCImg5r8zNkPSihjlvQhP53mZC70D1pRu+Gj6YIeU68o3/I7sC6/bc4ruoLsK7FGm7aJQGjKT8pQ@lists.infradead.org X-Gm-Message-State: AOJu0YxeAlTrA+nBL6hb7yIW7hUCJlQrxJsPyD7MsfuS1ItXICiHP6vd dsY1y6IFOdr1DAuUo29v6IuboZHSht4AHXEyxJGFVP4n/PsRJ3F/bAC3 X-Gm-Gg: Acq92OFmmjz8Lojv42YqOvNtDb/NF3FYAtaiDVnxMEmW2dCMLYlOLc7UI8uLaZw5412 LueSmGdt0Aq2pw7ZL8A6cpEoyUFOd/blBEcraS+K5Gyj9rAJsCDuMxxe4j/LYSsJ7+EcehMEjNR 1M2CBZv0MCAzipMu25/cjrZu/ZL889VPtPfzLWQby9UVKkKXF0eqAayfEsPcc9wD2ic0+p41XqU yuDqVu64Yal8sGjSMB6nwycaxkdVJfaSUc0sRheO0tKbVuWrcd25gfFKIEp94Uy9j7z67QgUrDh GCTXI85AZx0/mTTGUIlqaiwZhTIkJhwKOn/GkrMuuf+WIagqKZHD+cqq9JQevSuZqa0Vm5hj9XL Ffv+UImwxtvLh9ZGci1LXk/x5eVqMx+oNlWocIfsW6bnP+7jTzGaWXAPwcT+1DWpiQHECPWAgYE kZA2R2XrKaSPmf6brVQuWAQgM6r+cat58= X-Received: by 2002:a17:902:c94c:b0:2b2:be01:5532 with SMTP id d9443c01a7336-2bf3686d1dcmr41074635ad.35.1780134293228; Sat, 30 May 2026 02:44:53 -0700 (PDT) Received: from rockpi-5b ([45.112.0.191]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2bf239e700csm61529945ad.10.2026.05.30.02.44.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 30 May 2026 02:44:52 -0700 (PDT) From: Anand Moon To: Neil Armstrong , Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , David Airlie , Simona Vetter , Kevin Hilman , Jerome Brunet , Martin Blumenstingl , Mauro Carvalho Chehab , Greg Kroah-Hartman , Hans Verkuil , Maxime Jourdan , dri-devel@lists.freedesktop.org (open list:DRM DRIVERS FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:DRM DRIVERS FOR AMLOGIC SOCS), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list), linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM) Subject: [PATCH v6 5/8] media: meson: vdec: Cancel esparser work during teardown Date: Sat, 30 May 2026 15:12:51 +0530 Message-ID: <20260530094326.11892-6-linux.amoon@gmail.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20260530094326.11892-1-linux.amoon@gmail.com> References: <20260530094326.11892-1-linux.amoon@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.9.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20260530_024454_199091_CCE29C1A X-CRM114-Status: GOOD ( 18.62 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Sashiko , Nicolas Dufresne Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org The esparser workqueue could remain active during error unwind, streaming stop, or device close, leading to use‑after‑free when work items accessed freed session memory. Fix this by explicitly cancelling the work in all teardown paths: - Call cancel_work_sync(&sess->esparser_queue_work) in vdec_start_streaming() error unwind, vdec_stop_streaming(), and vdec_close(). - Ensure the workqueue is drained before releasing session state and buffers. - Move codec_ops->drain() evaluation earlier in stop_streaming() using the status snapshot, so draining occurs before buffer cleanup. Following change prevents dangling work execution, eliminates use‑after‑free hazards, and ensures orderly teardown of decoder resources. Cc: Nicolas Dufresne Reported-by: Sashiko Closes: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/ Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver") Signed-off-by: Anand Moon --- drivers/staging/media/meson/vdec/vdec.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c index 698a95566ad2..4884ee04b352 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c @@ -380,6 +380,8 @@ static int vdec_start_streaming(struct vb2_queue *q, unsigned int count) sess->vififo_vaddr, sess->vififo_paddr); sess->vififo_vaddr = NULL; bufs_done: + cancel_work_sync(&sess->esparser_queue_work); + mutex_lock(&core->lock); if (core->cur_sess == sess) core->cur_sess = NULL; @@ -437,6 +439,8 @@ static void vdec_stop_streaming(struct vb2_queue *q) struct vb2_v4l2_buffer *buf; enum amvdec_status old_status; + cancel_work_sync(&sess->esparser_queue_work); + /* * Safely snapshot the status and clear the hardware owner inside * the mutex to prevent data races with concurrent STREAMON requests. @@ -448,7 +452,11 @@ static void vdec_stop_streaming(struct vb2_queue *q) sess->status = STATUS_STOPPED; mutex_unlock(&core->lock); - /* Evaluate the hardware state using our snapshot */ + if (q->type != V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) { + if (old_status >= STATUS_RUNNING && codec_ops->drain) + codec_ops->drain(sess); + } + if (old_status == STATUS_RUNNING || old_status == STATUS_INIT || (old_status == STATUS_NEEDS_RESUME && @@ -472,16 +480,10 @@ static void vdec_stop_streaming(struct vb2_queue *q) if (q->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) { while ((buf = v4l2_m2m_src_buf_remove(sess->m2m_ctx))) v4l2_m2m_buf_done(buf, VB2_BUF_STATE_ERROR); - sess->streamon_out = 0; } else { - /* Drain remaining refs if was still running using the snapshot */ - if (old_status >= STATUS_RUNNING && codec_ops->drain) - codec_ops->drain(sess); - while ((buf = v4l2_m2m_dst_buf_remove(sess->m2m_ctx))) v4l2_m2m_buf_done(buf, VB2_BUF_STATE_ERROR); - sess->streamon_cap = 0; } } @@ -967,6 +969,8 @@ static int vdec_close(struct file *file) { struct amvdec_session *sess = file_to_amvdec_session(file); + cancel_work_sync(&sess->esparser_queue_work); + v4l2_m2m_ctx_release(sess->m2m_ctx); v4l2_fh_del(&sess->fh, file); v4l2_fh_exit(&sess->fh); -- 2.50.1