From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id BB223CD5BD0 for ; Sat, 30 May 2026 11:23:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Reply-To:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date: References:In-Reply-To:Cc:To:Subject:From:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=Ma5qCQubHPsKbWvihLRDoXWQOa1eLXWqJkJikN2t1do=; b=HSC8BCN1WOcMSl t2qen073auE7xqObg7HaaCVlQnaoITXvc6Uq2pop6iQ4KCI3wezEbYV2Ww+JL2MX9fhP0BH3hNI9x 5+q2gbEQhg0x2x+qtjxK5iCPiG5wu++FVl86MtWI4DGG1z3ZqI1CGkWjm0+gonnHjaQAPP7wfgm8b d6nBEiV73tBNwNzfC+l47V/xq7Ac5XGbLx9aHemeL/mKBWGUlqlZ5TdsfE+T8Smx3lQXuF5RLVs8P NkVGSHFRageFD+LmhmlWlZLSyryXmsC6vJ0nBpcVgkGX1OLXzzBXoYS6sSPgZ0PIuqt3u84J9xeOY WiW4DAFERaC5bgbSv+AQ==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.99.1 #2 (Red Hat Linux)) id 1wTHn8-00000008g0H-3Q3h; Sat, 30 May 2026 11:23:46 +0000 Received: from tor.source.kernel.org ([2600:3c04:e001:324:0:1991:8:25]) by bombadil.infradead.org with esmtps (Exim 4.99.1 #2 (Red Hat Linux)) id 1wTHn7-00000008g06-1ynz for linux-amlogic@lists.infradead.org; Sat, 30 May 2026 11:23:45 +0000 Received: from smtp.kernel.org (quasi.space.kernel.org [100.103.45.18]) by tor.source.kernel.org (Postfix) with ESMTP id 72E8E600AB; Sat, 30 May 2026 11:23:44 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E33051F00893; Sat, 30 May 2026 11:23:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780140224; bh=p3GF2+elIyBw2+ACsQDxH2lMBpgjPWo/Sy0efQo5rqk=; h=From:Subject:Reply-To:To:Cc:In-Reply-To:References:Date; b=SnqX67f+zGkajBdgRJruuRtPIe32xsYGosp8sHv3sfBpRrGD90u+/3ZlqPF3i/pxF xz7YGBqzVxmvA/32tG5OYlYgXWW4RYKQBepj3VGwL+RvbGRBHPk/HNR6l1FfryCmlr ksUfbN9DUJ7rtm9901qeLiXW6nHYl2FFOcl8skHE5TXj9F7M2z9/h2FSoyt+u0MEUz DLouBhbWtLhTeJEEimbnqT6pvXYl8c6zQL5GqdpaRdKxylpxfxEUT+xcLKY7d7J3n4 De7HjvqA9mNVc9SnQMiywyD09EQiz85HC8or3+T9DFsXe5xMumn0pQzR++mI/fU3ib vQB8rdgHKoETQ== From: sashiko-bot@kernel.org Subject: Re: [PATCH v6 7/8] media: meson: vdec: Fix NULL pointer dereference in ISR handlers To: "Anand Moon" Cc: linux-media@vger.kernel.org, neil.armstrong@linaro.org, linux-amlogic@lists.infradead.org In-Reply-To: <20260530094326.11892-8-linux.amoon@gmail.com> References: <20260530094326.11892-8-linux.amoon@gmail.com> Date: Sat, 30 May 2026 11:23:43 +0000 Message-Id: <20260530112343.E33051F00893@smtp.kernel.org> X-BeenThere: linux-amlogic@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: sashiko-reviews@lists.linux.dev MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "linux-amlogic" Errors-To: linux-amlogic-bounces+linux-amlogic=archiver.kernel.org@lists.infradead.org VGhhbmsgeW91IGZvciB5b3VyIGNvbnRyaWJ1dGlvbiEgU2FzaGlrbyBBSSByZXZpZXcgZm91bmQg NSBwb3RlbnRpYWwgaXNzdWUocykgdG8gY29uc2lkZXI6CgpOZXcgaXNzdWVzOgotIFtDcml0aWNh bF0gRnJlZWluZyBgY29yZS0+bTJtX2RldmAgaW4gYHZkZWNfcmVtb3ZlYCBjYXVzZXMgYSB1c2Ut YWZ0ZXItZnJlZSB2dWxuZXJhYmlsaXR5IHdoZW4gdXNlcnNwYWNlIGtlZXBzIGZpbGUgZGVzY3Jp cHRvcnMgb3Blbi4KLSBbSGlnaF0gUmV0dXJuaW5nIElSUV9OT05FIHdpdGhvdXQgY2xlYXJpbmcg dGhlIGhhcmR3YXJlIGludGVycnVwdCBzdGF0dXMgd2hlbiBgY29yZS0+Y3VyX3Nlc3NgIGlzIE5V TEwgbGVhdmVzIHRoZSBsZXZlbC10cmlnZ2VyZWQgaGFyZHdhcmUgaW50ZXJydXB0IHVuYWNrbm93 bGVkZ2VkLCBjYXVzaW5nIGFuIGludGVycnVwdCBzdG9ybS4KLSBbSGlnaF0gQmFpbGluZyBvdXQg ZWFybHkgaW4gdGhlIElTUiBwcmV2ZW50cyB1cGRhdGluZyBgc2Vzcy0+bGFzdF9pcnFfamlmZmll c2AsIGNvbXBsZXRlbHkgYnlwYXNzaW5nIHRoZSBoYXJkd2FyZSBxdWllc2NlbmNlIHdhaXQuCi0g W0hpZ2hdIFByZW1hdHVyZWx5IHJlbGVhc2luZyBgY29yZS0+bG9ja2AgYW5kIGNsZWFyaW5nIGBj b3JlLT5jdXJfc2Vzc2AgaW4gYHZkZWNfc3RvcF9zdHJlYW1pbmcoKWAgYWxsb3dzIGFub3RoZXIg c2Vzc2lvbiB0byBzdGFydCBzdHJlYW1pbmcgY29uY3VycmVudGx5IHdoaWxlIHRoZSBoYXJkd2Fy ZSBpcyBzdGlsbCBiZWluZyBwb3dlcmVkIG9mZi4KClByZS1leGlzdGluZyBpc3N1ZXM6Ci0gW0hp Z2hdIFRoZSBwYXRjaCBmYWlscyB0byByZXNvbHZlIHRoZSB1bmRlcmx5aW5nIHJhY2UgY29uZGl0 aW9uLCBsZWF2aW5nIGEgVGltZS1vZi1DaGVjayB0byBUaW1lLW9mLVVzZSAoVE9DVE9VKSB2dWxu ZXJhYmlsaXR5IHRoYXQgY2F1c2VzIFVzZS1BZnRlci1GcmVlIGFuZCBidXMgYWJvcnRzLgotLQoK Y29tbWl0IGM2NDBhZWJhYmQwZTUxZjFlYzk0OTE2ZTYzYmMxOWUyZmMzMTJlYjcKQXV0aG9yOiBB bmFuZCBNb29uIDxsaW51eC5hbW9vbkBnbWFpbC5jb20+CgptZWRpYTogbWVzb246IHZkZWM6IEZp eCBOVUxMIHBvaW50ZXIgZGVyZWZlcmVuY2UgaW4gSVNSIGhhbmRsZXJzCgpUaGlzIGNvbW1pdCBh dHRlbXB0cyB0byBmaXggYSBOVUxMIHBvaW50ZXIgZGVyZWZlcmVuY2UgaW4gdGhlIHZkZWMKaW50 ZXJydXB0IGhhbmRsZXJzIGJ5IHVzaW5nIFJFQURfT05DRSgpIHRvIHRha2UgYW4gYXRvbWljIHNu YXBzaG90IG9mCmNvcmUtPmN1cl9zZXNzLiBJZiB0aGUgc2Vzc2lvbiBoYXMgYWxyZWFkeSBiZWVu IHRvcm4gZG93biBhbmQgdGhlCnBvaW50ZXIgaXMgTlVMTCwgaXQgcmV0dXJucyBJUlFfTk9ORSB0 byBwcmV2ZW50IGRlcmVmZXJlbmNpbmcgaXQuCgpMaW5rOiBodHRwczovL2xvcmUua2VybmVsLm9y Zy9hbGwvMjAyNjA1MjEwOTA5NDQuRjM1NDAxRjAwQTNEQHNtdHAua2VybmVsLm9yZy8KCj4gZGlm ZiAtLWdpdCBhL2RyaXZlcnMvc3RhZ2luZy9tZWRpYS9tZXNvbi92ZGVjL3ZkZWMuYyBiL2RyaXZl cnMvc3RhZ2luZy9tZWRpYS9tZXNvbi92ZGVjL3ZkZWMuYwo+IGluZGV4IGY5OTMzNWVmZmUxNzYu LjM4OTdjNzViMTljOGYgMTAwNjQ0Cj4gLS0tIGEvZHJpdmVycy9zdGFnaW5nL21lZGlhL21lc29u L3ZkZWMvdmRlYy5jCj4gKysrIGIvZHJpdmVycy9zdGFnaW5nL21lZGlhL21lc29uL3ZkZWMvdmRl Yy5jCj4gQEAgLTk5NiwxNyArOTk2LDM2IEBAIHN0YXRpYyBjb25zdCBzdHJ1Y3QgdjRsMl9maWxl X29wZXJhdGlvbnMgdmRlY19mb3BzID0gewo+ICBzdGF0aWMgaXJxcmV0dXJuX3QgdmRlY19pc3Io aW50IGlycSwgdm9pZCAqZGF0YSkKPiAgewo+ICAJc3RydWN0IGFtdmRlY19jb3JlICpjb3JlID0g ZGF0YTsKPiAtCXN0cnVjdCBhbXZkZWNfc2Vzc2lvbiAqc2VzcyA9IGNvcmUtPmN1cl9zZXNzOwo+ ICsJc3RydWN0IGFtdmRlY19zZXNzaW9uICpzZXNzOwo+ICsJaXJxcmV0dXJuX3QgcmV0ID0gSVJR X0hBTkRMRUQ7Cj4gKwo+ICsJLyoKPiArCSAqIFVzZSBSRUFEX09OQ0UgdG8gc2VjdXJlIGFuIGF0 b21pYyBzbmFwc2hvdCBvZiB0aGUgcG9pbnRlciwKPiArCSAqIHByb3RlY3RpbmcgYWdhaW5zdCBj b25jdXJyZW50IGNsZWFyaW5nIGR1cmluZyBzdHJlYW1pbmcKPiArCSAqIHRlYXJkb3ducy4KPiAr CSAqLwo+ICsJc2VzcyA9IFJFQURfT05DRShjb3JlLT5jdXJfc2Vzcyk7Cj4gKwlpZiAoIXNlc3Mp Cj4gKwkJcmV0dXJuIElSUV9OT05FOwoKW1NldmVyaXR5OiBIaWdoXQpDYW4gcmV0dXJuaW5nIElS UV9OT05FIGhlcmUgY2F1c2UgYW4gaW50ZXJydXB0IHN0b3JtPwoKSW4gdmRlY19zdG9wX3N0cmVh bWluZygpLCBjb3JlLT5jdXJfc2VzcyBpcyBzZXQgdG8gTlVMTCBiZWZvcmUgdGhlIGhhcmR3YXJl CmlzIGFjdHVhbGx5IHN0b3BwZWQuIElmIGFuIGFjdGl2ZSBoYXJkd2FyZSBpbnRlcnJ1cHQgZmly ZXMgZHVyaW5nIHRoaXMgd2luZG93LAp0aGUgaGFuZGxlciBvYnNlcnZlcyBhIE5VTEwgc2VzcyBh bmQgcmV0dXJucyBJUlFfTk9ORSBlYXJseS4KCkJlY2F1c2UgdGhlIGludGVycnVwdCBpcyBub3Qg Y2xlYXJlZCBpbiB0aGUgaGFyZHdhcmUgcmVnaXN0ZXJzLCB0aGUKbGV2ZWwtdHJpZ2dlcmVkIGlu dGVycnVwdCByZW1haW5zIGFzc2VydGVkLiBXaWxsIHRoaXMgdHJpZ2dlciBhbiBpbmZpbml0ZQpp bnRlcnJ1cHQgbG9vcCB1bnRpbCB0aGUga2VybmVsJ3Mgc3B1cmlvdXMgaW50ZXJydXB0IGRldGVj dG9yIHBlcm1hbmVudGx5CmRpc2FibGVzIHRoZSBJUlEgbGluZT8KCltTZXZlcml0eTogSGlnaF0K RG9lcyBiYWlsaW5nIG91dCBlYXJseSBwcmV2ZW50IHVwZGF0aW5nIHNlc3MtPmxhc3RfaXJxX2pp ZmZpZXM/CgpUaGUgdGVhcmRvd24gc2VxdWVuY2UgY2FsbHMgdmRlY193YWl0X2luYWN0aXZlKCks IHdoaWNoIHNsZWVwcyB1bnRpbCA1MG1zCmhhdmUgZWxhcHNlZCBzaW5jZSBzZXNzLT5sYXN0X2ly cV9qaWZmaWVzLiBCeSByZXR1cm5pbmcgZWFybHkgd2hlbgpjb3JlLT5jdXJfc2VzcyBpcyBOVUxM LCB0aGUgaGFuZGxlciBubyBsb25nZXIgdXBkYXRlcyB0aGlzIHRpbWVzdGFtcCBmb3IKdHJhaWxp bmcgaW50ZXJydXB0cy4KCkNvdWxkIHZkZWNfd2FpdF9pbmFjdGl2ZSgpIG9ic2VydmUgYSBzdGFs ZSB0aW1lc3RhbXAgYW5kIHJldHVybiBpbW1lZGlhdGVseQppbnN0ZWFkIG9mIHdhaXRpbmcgZm9y IHRoZSBoYXJkd2FyZSB0byBxdWllc2NlPyBUaGlzIG1pZ2h0IGFsbG93IHRoZSBkcml2ZXIKdG8g Zm9yY2VmdWxseSBkaXNhYmxlIGRldmljZSBjbG9ja3Mgd2hpbGUgdGhlIGhhcmR3YXJlIGlzIHN0 aWxsIGFjdGl2ZWx5CnByb2Nlc3NpbmcuCgo+ICAKPiAgCXNlc3MtPmxhc3RfaXJxX2ppZmZpZXMg PSBnZXRfamlmZmllc182NCgpOwo+ICsJcmV0ID0gc2Vzcy0+Zm10X291dC0+Y29kZWNfb3BzLT5p c3Ioc2Vzcyk7Cj4gIAo+IC0JcmV0dXJuIHNlc3MtPmZtdF9vdXQtPmNvZGVjX29wcy0+aXNyKHNl c3MpOwo+ICsJcmV0dXJuIHJldDsKPiAgfQo+ICAKPiAgc3RhdGljIGlycXJldHVybl90IHZkZWNf dGhyZWFkZWRfaXNyKGludCBpcnEsIHZvaWQgKmRhdGEpCj4gIHsKPiAgCXN0cnVjdCBhbXZkZWNf Y29yZSAqY29yZSA9IGRhdGE7Cj4gLQlzdHJ1Y3QgYW12ZGVjX3Nlc3Npb24gKnNlc3MgPSBjb3Jl LT5jdXJfc2VzczsKPiArCXN0cnVjdCBhbXZkZWNfc2Vzc2lvbiAqc2VzczsKPiArCj4gKwkvKgo+ ICsJICogUHJldmVudCBsYXRlLXN0YWdlIHRocmVhZGVkIGludGVycnVwdHMgZnJvbSBkZXJlZmVy ZW5jaW5nIGEgTlVMTAo+ICsJICogc2Vzc2lvbi4KPiArCSAqLwo+ICsJc2VzcyA9IFJFQURfT05D RShjb3JlLT5jdXJfc2Vzcyk7CgpbU2V2ZXJpdHk6IEhpZ2hdClRoaXMgaXMgYSBwcmUtZXhpc3Rp bmcgaXNzdWUsIGJ1dCBkb2VzIHVzaW5nIFJFQURfT05DRSgpIGhlcmUgZnVsbHkgcmVzb2x2ZQp0 aGUgdW5kZXJseWluZyByYWNlIGNvbmRpdGlvbj8KCklmIHRoZSB0aHJlYWQgaXMgcHJlZW1wdGVk IGFmdGVyIHBhc3NpbmcgdGhlICFzZXNzIGNoZWNrLCBjb3VsZAp2ZGVjX3N0b3Bfc3RyZWFtaW5n KCkgY29uY3VycmVudGx5IGNsZWFyIGNvcmUtPmN1cl9zZXNzLCBkaXNhYmxlIGhhcmR3YXJlCmNs b2NrcyB2aWEgdmRlY19wb3dlcm9mZigpLCBhbmQgZnJlZSBzZXNzLT5wcml2PwoKV2hlbiB0aGUg dGhyZWFkIHJlc3VtZXMsIGl0IHdvdWxkIGRlcmVmZXJlbmNlIHRoZSBmcmVlZCBzZXNzLT5wcml2 IGFuZCBhY2Nlc3MKZGlzYWJsZWQgaGFyZHdhcmUuIFNob3VsZCB0aGUgZHJpdmVyIHVzZSBzeW5j aHJvbml6ZV9pcnEoKSB0byBlbnN1cmUKaW4tZmxpZ2h0IGhhbmRsZXJzIGhhdmUgY29tcGxldGVk IGJlZm9yZSB0ZWFyaW5nIGRvd24gc2Vzc2lvbiByZXNvdXJjZXM/Cgo+ICsJaWYgKCFzZXNzKQo+ ICsJCXJldHVybiBJUlFfTk9ORTsKPiAgCj4gIAlyZXR1cm4gc2Vzcy0+Zm10X291dC0+Y29kZWNf b3BzLT50aHJlYWRlZF9pc3Ioc2Vzcyk7Cj4gIH0KCltTZXZlcml0eTogSGlnaF0KRG9lcyBwcmVt YXR1cmVseSByZWxlYXNpbmcgY29yZS0+bG9jayBhbmQgY2xlYXJpbmcgY29yZS0+Y3VyX3Nlc3Mg aW4KdmRlY19zdG9wX3N0cmVhbWluZygpIGFsbG93IGFub3RoZXIgc2Vzc2lvbiB0byBzdGFydCBz dHJlYW1pbmcgY29uY3VycmVudGx5CndoaWxlIHRoZSBoYXJkd2FyZSBpcyBzdGlsbCBiZWluZyBw b3dlcmVkIG9mZj8KCnZkZWNfc3RvcF9zdHJlYW1pbmcoKSBhY3F1aXJlcyBjb3JlLT5sb2NrIHRv IHNldCBjb3JlLT5jdXJfc2VzcyA9IE5VTEwsIGJ1dAp0aGVuIHJlbGVhc2VzIHRoZSBsb2NrIGJl Zm9yZSBzdG9wcGluZyB0aGUgaGFyZHdhcmUgdmlhIHZkZWNfcG93ZXJvZmYoKS4KCkNvdWxkIGEg Y29uY3VycmVudCB2ZGVjX3N0YXJ0X3N0cmVhbWluZygpIG9uIGEgZGlmZmVyZW50IHNlc3Npb24g c3VjY2Vzc2Z1bGx5CmNsYWltIGNvcmUtPmN1cl9zZXNzLCByZWxlYXNlIHRoZSBsb2NrLCBhbmQg Y2FsbCB2ZGVjX3Bvd2Vyb24oKSwgYnJlYWtpbmcKaGFyZHdhcmUgZXhjbHVzaW9uPwoKW1NldmVy aXR5OiBDcml0aWNhbF0KRG9lcyBmcmVlaW5nIGNvcmUtPm0ybV9kZXYgaW4gdmRlY19yZW1vdmUo KSBjYXVzZSBhIHVzZS1hZnRlci1mcmVlCnZ1bG5lcmFiaWxpdHkgd2hlbiB1c2Vyc3BhY2Uga2Vl cHMgZmlsZSBkZXNjcmlwdG9ycyBvcGVuPwoKVGhlIGRyaXZlciBhbGxvY2F0ZXMgYSBzaGFyZWQg bTJtX2RldiBpbiB2ZGVjX3Byb2JlKCkgYW5kIGV4cGxpY2l0bHkgZnJlZXMgaXQKdmlhIHY0bDJf bTJtX3JlbGVhc2UoY29yZS0+bTJtX2RldikgaW4gdmRlY19yZW1vdmUoKS4gSG93ZXZlciwgdmRl Y19yZW1vdmUoKQppcyBleGVjdXRlZCBvbiBkZXZpY2UgdW5iaW5kLCB3aGljaCBkb2VzIG5vdCB3 YWl0IGZvciB1c2Vyc3BhY2UgdG8gY2xvc2UKYWN0aXZlIGZpbGUgZGVzY3JpcHRvcnMuCgpJZiBh IHVzZXIgaG9sZHMgYW4gb3BlbiBmaWxlIGRlc2NyaXB0b3Igd2hlbiB0aGUgZGV2aWNlIGlzIHVu Ym91bmQsIG0ybV9kZXYgaXMKZnJlZWQgaW1tZWRpYXRlbHkuIFdoZW4gdGhlIHVzZXIgbGF0ZXIg Y2xvc2VzIHRoZSBmaWxlIGRlc2NyaXB0b3IsIHZkZWNfY2xvc2UoKQpjYWxscyB2NGwyX20ybV9j dHhfcmVsZWFzZShzZXNzLT5tMm1fY3R4KSwgd2hpY2ggaW50ZXJuYWxseSBkZXJlZmVyZW5jZXMg dGhlCmFscmVhZHktZnJlZWQgbTJtX2Rldi4KCi0tIApTYXNoaWtvIEFJIHJldmlldyDCtyBodHRw czovL3Nhc2hpa28uZGV2LyMvcGF0Y2hzZXQvMjAyNjA1MzAwOTQzMjYuMTE4OTItMS1saW51eC5h bW9vbkBnbWFpbC5jb20/cGFydD03CgpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fXwpsaW51eC1hbWxvZ2ljIG1haWxpbmcgbGlzdApsaW51eC1hbWxvZ2ljQGxp c3RzLmluZnJhZGVhZC5vcmcKaHR0cDovL2xpc3RzLmluZnJhZGVhZC5vcmcvbWFpbG1hbi9saXN0 aW5mby9saW51eC1hbWxvZ2ljCg== From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 797C42475CF for ; Sat, 30 May 2026 11:23:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780140225; cv=none; b=Nc4TnDrYOQykIPgdegH/Q0lnzrO5RyV8OSqjSJU++frYOzNr+jSoPVz/VmsgQV8wFtXjR4r9riy1Q8BONiXFdgeeG9S9xNuXTuoxMXoP5Qa0bwJOBAoJFaKcwYv/XdWT0BaFUwcGJ4VAtr0YmFKMq6Vxz1a6/T/DWPz/A62bbAo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780140225; c=relaxed/simple; bh=TUmKLMAq//3RSTzEWCncl86apzOdtgMk0XOIs12SQdQ=; h=From:Subject:To:Cc:In-Reply-To:References:Content-Type:Date: Message-Id; b=L5SUwbwlBUa+jhfoqiPl61aeyeCnrRnvchyFq7gNLc92pfp6yfPsQlkTdX2rxXOo8ikGIcJMDuG88f5O5C1/BBL/X3sdwMjyHYTQCFLjZ92tTS3OL+4yyMA1rU+mIzAtsHwWC6VVABnuQw63DZAoTcOxKSdefTRQQEs8dLmLcMY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=SnqX67f+; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="SnqX67f+" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E33051F00893; Sat, 30 May 2026 11:23:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1780140224; bh=p3GF2+elIyBw2+ACsQDxH2lMBpgjPWo/Sy0efQo5rqk=; h=From:Subject:Reply-To:To:Cc:In-Reply-To:References:Date; b=SnqX67f+zGkajBdgRJruuRtPIe32xsYGosp8sHv3sfBpRrGD90u+/3ZlqPF3i/pxF xz7YGBqzVxmvA/32tG5OYlYgXWW4RYKQBepj3VGwL+RvbGRBHPk/HNR6l1FfryCmlr ksUfbN9DUJ7rtm9901qeLiXW6nHYl2FFOcl8skHE5TXj9F7M2z9/h2FSoyt+u0MEUz DLouBhbWtLhTeJEEimbnqT6pvXYl8c6zQL5GqdpaRdKxylpxfxEUT+xcLKY7d7J3n4 De7HjvqA9mNVc9SnQMiywyD09EQiz85HC8or3+T9DFsXe5xMumn0pQzR++mI/fU3ib vQB8rdgHKoETQ== From: sashiko-bot@kernel.org Subject: Re: [PATCH v6 7/8] media: meson: vdec: Fix NULL pointer dereference in ISR handlers Reply-To: sashiko-reviews@lists.linux.dev To: "Anand Moon" Cc: linux-media@vger.kernel.org, neil.armstrong@linaro.org, linux-amlogic@lists.infradead.org In-Reply-To: <20260530094326.11892-8-linux.amoon@gmail.com> References: <20260530094326.11892-8-linux.amoon@gmail.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Date: Sat, 30 May 2026 11:23:43 +0000 Message-Id: <20260530112343.E33051F00893@smtp.kernel.org> Precedence: bulk X-Mailing-List: linux-media@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Thank you for your contribution! Sashiko AI review found 5 potential issue(= s) to consider: New issues: - [Critical] Freeing `core->m2m_dev` in `vdec_remove` causes a use-after-fr= ee vulnerability when userspace keeps file descriptors open. - [High] Returning IRQ_NONE without clearing the hardware interrupt status = when `core->cur_sess` is NULL leaves the level-triggered hardware interrupt= unacknowledged, causing an interrupt storm. - [High] Bailing out early in the ISR prevents updating `sess->last_irq_jif= fies`, completely bypassing the hardware quiescence wait. - [High] Prematurely releasing `core->lock` and clearing `core->cur_sess` i= n `vdec_stop_streaming()` allows another session to start streaming concurr= ently while the hardware is still being powered off. Pre-existing issues: - [High] The patch fails to resolve the underlying race condition, leaving = a Time-of-Check to Time-of-Use (TOCTOU) vulnerability that causes Use-After= -Free and bus aborts. -- commit c640aebabd0e51f1ec94916e63bc19e2fc312eb7 Author: Anand Moon media: meson: vdec: Fix NULL pointer dereference in ISR handlers This commit attempts to fix a NULL pointer dereference in the vdec interrupt handlers by using READ_ONCE() to take an atomic snapshot of core->cur_sess. If the session has already been torn down and the pointer is NULL, it returns IRQ_NONE to prevent dereferencing it. Link: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.o= rg/ > diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/me= dia/meson/vdec/vdec.c > index f99335effe176..3897c75b19c8f 100644 > --- a/drivers/staging/media/meson/vdec/vdec.c > +++ b/drivers/staging/media/meson/vdec/vdec.c > @@ -996,17 +996,36 @@ static const struct v4l2_file_operations vdec_fops = =3D { > static irqreturn_t vdec_isr(int irq, void *data) > { > struct amvdec_core *core =3D data; > - struct amvdec_session *sess =3D core->cur_sess; > + struct amvdec_session *sess; > + irqreturn_t ret =3D IRQ_HANDLED; > + > + /* > + * Use READ_ONCE to secure an atomic snapshot of the pointer, > + * protecting against concurrent clearing during streaming > + * teardowns. > + */ > + sess =3D READ_ONCE(core->cur_sess); > + if (!sess) > + return IRQ_NONE; [Severity: High] Can returning IRQ_NONE here cause an interrupt storm? In vdec_stop_streaming(), core->cur_sess is set to NULL before the hardware is actually stopped. If an active hardware interrupt fires during this wind= ow, the handler observes a NULL sess and returns IRQ_NONE early. Because the interrupt is not cleared in the hardware registers, the level-triggered interrupt remains asserted. Will this trigger an infinite interrupt loop until the kernel's spurious interrupt detector permanently disables the IRQ line? [Severity: High] Does bailing out early prevent updating sess->last_irq_jiffies? The teardown sequence calls vdec_wait_inactive(), which sleeps until 50ms have elapsed since sess->last_irq_jiffies. By returning early when core->cur_sess is NULL, the handler no longer updates this timestamp for trailing interrupts. Could vdec_wait_inactive() observe a stale timestamp and return immediately instead of waiting for the hardware to quiesce? This might allow the driver to forcefully disable device clocks while the hardware is still actively processing. > =20 > sess->last_irq_jiffies =3D get_jiffies_64(); > + ret =3D sess->fmt_out->codec_ops->isr(sess); > =20 > - return sess->fmt_out->codec_ops->isr(sess); > + return ret; > } > =20 > static irqreturn_t vdec_threaded_isr(int irq, void *data) > { > struct amvdec_core *core =3D data; > - struct amvdec_session *sess =3D core->cur_sess; > + struct amvdec_session *sess; > + > + /* > + * Prevent late-stage threaded interrupts from dereferencing a NULL > + * session. > + */ > + sess =3D READ_ONCE(core->cur_sess); [Severity: High] This is a pre-existing issue, but does using READ_ONCE() here fully resolve the underlying race condition? If the thread is preempted after passing the !sess check, could vdec_stop_streaming() concurrently clear core->cur_sess, disable hardware clocks via vdec_poweroff(), and free sess->priv? When the thread resumes, it would dereference the freed sess->priv and acce= ss disabled hardware. Should the driver use synchronize_irq() to ensure in-flight handlers have completed before tearing down session resources? > + if (!sess) > + return IRQ_NONE; > =20 > return sess->fmt_out->codec_ops->threaded_isr(sess); > } [Severity: High] Does prematurely releasing core->lock and clearing core->cur_sess in vdec_stop_streaming() allow another session to start streaming concurrently while the hardware is still being powered off? vdec_stop_streaming() acquires core->lock to set core->cur_sess =3D NULL, b= ut then releases the lock before stopping the hardware via vdec_poweroff(). Could a concurrent vdec_start_streaming() on a different session successful= ly claim core->cur_sess, release the lock, and call vdec_poweron(), breaking hardware exclusion? [Severity: Critical] Does freeing core->m2m_dev in vdec_remove() cause a use-after-free vulnerability when userspace keeps file descriptors open? The driver allocates a shared m2m_dev in vdec_probe() and explicitly frees = it via v4l2_m2m_release(core->m2m_dev) in vdec_remove(). However, vdec_remove() is executed on device unbind, which does not wait for userspace to close active file descriptors. If a user holds an open file descriptor when the device is unbound, m2m_dev= is freed immediately. When the user later closes the file descriptor, vdec_clo= se() calls v4l2_m2m_ctx_release(sess->m2m_ctx), which internally dereferences the already-freed m2m_dev. --=20 Sashiko AI review =C2=B7 https://sashiko.dev/#/patchset/20260530094326.1189= 2-1-linux.amoon@gmail.com?part=3D7