From: sashiko-bot@kernel.org
To: "Christian Hewitt" <christianshewitt@gmail.com>
Cc: neil.armstrong@linaro.org, linux-amlogic@lists.infradead.org
Subject: Re: [PATCH] media: meson: vdec: fix NULL pointer deref in vdec_try_fmt_common
Date: Wed, 24 Jun 2026 07:09:32 +0000 [thread overview]
Message-ID: <20260624070933.1F75A1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260624065809.2460720-1-christianshewitt@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Missing V4L2 queue busy check in vdec_s_fmt allows format changes during active streaming, leading to type confusion and memory corruption in the ISR.
--
commit 8aa33adb9b745ad7b1a26721ccafdbeb5f0768bb
Author: Christian Hewitt <christianshewitt@gmail.com>
media: meson: vdec: fix NULL pointer deref in vdec_try_fmt_common
This commit fixes a NULL pointer dereference in vdec_try_fmt_common() by
falling back to the first format in the platform's format array instead of
hardcoding MPEG2. This prevents crashes on systems where MPEG2 support has
been locally patched out.
> diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c
> index a039d925c0fe5..c18bf352b1996 100644
> --- a/drivers/staging/media/meson/vdec/vdec.c
> +++ b/drivers/staging/media/meson/vdec/vdec.c
[ ... ]
[Severity: High]
This is a pre-existing issue, but while looking at the format handling in
this driver, I noticed a potential race condition.
Does vdec_s_fmt() allow format changes during active streaming?
drivers/staging/media/meson/vdec/vdec.c:vdec_s_fmt() {
    ...
    if (f->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE)
        sess->fmt_out = fmt_out;
    else if (f->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE)
        sess->pixfmt_cap = format.fmt.pix_mp.pixelformat;
    ...
}
It appears there is no check to ensure the V4L2 queues are idle (e.g.,
via vb2_is_busy()) before overwriting the session format parameters.
If a userspace application is actively streaming and concurrently calls
VIDIOC_S_FMT with a different format, could this lead to type confusion
and memory corruption in the hardirq handler?
drivers/staging/media/meson/vdec/vdec.c:vdec_isr() {
    ...
    return sess->fmt_out->codec_ops->isr(sess);
}
Because the hardirq handler dereferences sess->fmt_out without locks,
a mid-stream format change might cause the ISR of the newly selected codec
to execute on a session state (sess->priv) initialized for the previous
codec.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260624065809.2460720-1-christianshewitt@gmail.com?part=1
_______________________________________________
linux-amlogic mailing list
linux-amlogic@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-amlogic
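The race the review describes, and the vb2_is_busy() check it suggests, modelled as an added C example that is not the driver's code: the vb2 queue, session, format and codec_ops types are constructed stand-ins carrying only the fields named in the review, and the "wrong codec" ISR reports -EINVAL where the real one would misread sess->priv.

```c
#include <errno.h>
#include <stdbool.h>
/* Constructed stand-ins for the driver and vb2 types named in the review;
 * this models the race, it is not code from drivers/staging/media/meson. */
enum { TAG_MPEG2 = 1, TAG_H264 = 2 };
struct vb2_queue { int queued_count; };
/* Stand-in for vb2_is_busy(): true once userspace has buffers queued. */
static bool vb2_is_busy(const struct vb2_queue *q) { return q->queued_count > 0; }

struct codec_priv  { int tag; };   /* sess->priv, prepared for ONE codec */
struct codec_ops   { int (*isr)(struct codec_priv *priv); };
struct vdec_format { const struct codec_ops *codec_ops; };
struct session { struct vb2_queue q_out; const struct vdec_format *fmt_out; struct codec_priv *priv; };

/* Each ISR only understands priv prepared for its own codec. The real ISR
 * would silently misread foreign state; the model reports -EINVAL instead. */
static int mpeg2_isr(struct codec_priv *p) { return p->tag == TAG_MPEG2 ? 0 : -EINVAL; }
static int h264_isr(struct codec_priv *p)  { return p->tag == TAG_H264  ? 0 : -EINVAL; }
static const struct codec_ops mpeg2_ops = { mpeg2_isr }, h264_ops = { h264_isr };
static const struct vdec_format fmt_mpeg2 = { &mpeg2_ops }, fmt_h264 = { &h264_ops };

/* Hardirq path as quoted in the review: fmt_out is dereferenced with no lock. */
int vdec_isr(struct session *sess) { return sess->fmt_out->codec_ops->isr(sess->priv); }

/* As quoted: the OUTPUT format is overwritten unconditionally. */
int vdec_s_fmt_unchecked(struct session *sess, const struct vdec_format *fmt)
{
    sess->fmt_out = fmt;
    return 0;
}

/* Hardened variant: refuse S_FMT while the OUTPUT queue is busy. */
int vdec_s_fmt_checked(struct session *sess, const struct vdec_format *fmt)
{
    if (vb2_is_busy(&sess->q_out))
        return -EBUSY;
    return vdec_s_fmt_unchecked(sess, fmt);
}

int last_s_fmt_ret;  /* result of the S_FMT attempt in the scenario below */
/* Scenario: session streaming MPEG2 with buffers queued, then S_FMT to H264
 * arrives mid-stream and an interrupt fires. Returns the ISR's result. */
int mid_stream_change(bool use_check)
{
    struct codec_priv priv = { TAG_MPEG2 };
    struct session sess = { { 4 }, &fmt_mpeg2, &priv };   /* 4 buffers queued: busy */
    last_s_fmt_ret = use_check ? vdec_s_fmt_checked(&sess, &fmt_h264)
                               : vdec_s_fmt_unchecked(&sess, &fmt_h264);
    return vdec_isr(&sess);
}
```

With the check, the mid-stream S_FMT is rejected with -EBUSY and the interrupt still runs the MPEG2 ISR on MPEG2 state; without it, the H264 ISR runs on state prepared for MPEG2.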
2026-06-24 6:58 [PATCH] media: meson: vdec: fix NULL pointer deref in vdec_try_fmt_common Christian Hewitt
2026-06-24 6:58 ` Christian Hewitt
2026-06-24 7:09 ` sashiko-bot [this message]