From: sashiko-bot@kernel.org
To: "Anand Moon" <linux.amoon@gmail.com>
Cc: dri-devel@lists.freedesktop.org,
linux-amlogic@lists.infradead.org, neil.armstrong@linaro.org
Subject: Re: [PATCH v7 07/19] media: meson: vdec: Refactor esparser work queue and fix teardown race
Date: Mon, 13 Jul 2026 12:27:46 +0000 [thread overview]
Message-ID: <20260713122748.277121F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260713120840.17427-8-linux.amoon@gmail.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [High] The worker thread enters a 100% CPU infinite loop when the queue is empty, full, or hits an EOS buffer, and prematurely exits after a single frame on success due to an inverted loop condition and misuse of `scoped_guard`.
Pre-existing issues:
- [Critical] Maliciously crafted VP9 superframe headers can cause an integer overflow in `total_datasize`, bypassing bounds checks and triggering a massive out-of-bounds `memmove()`.
--
--- Patch [7]: [PATCH v7 07/19] media: meson: vdec: Refactor esparser work queue and fix teardown race ---
commit f4cf4afadbba1cd9ed8438a311d676dabd768d33
Author: Anand Moon <linux.amoon@gmail.com>
media: meson: vdec: Refactor esparser work queue and fix teardown race
Rework the esparser work queue logic to prevent concurrent queue mutations
and fix a race condition during streaming teardown.
> diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
> index 37749ede308c6..e5d3d817b9b2b 100644
> --- a/drivers/staging/media/meson/vdec/esparser.c
> +++ b/drivers/staging/media/meson/vdec/esparser.c
[ ... ]
> @@ -348,12 +344,10 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
> if (sess->fmt_out->pixfmt == V4L2_PIX_FMT_VP9) {
> payload_size = vp9_update_header(core, vb);
>
> - /* If unable to alter buffer to add headers */
> if (payload_size == 0) {
> + dev_err(core->dev, "esparser: VP9 header update failed\n");
> amvdec_remove_ts(sess, vb->timestamp);
> - v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
> -
> - return 0;
> + return -EBADMSG;
> }
> }
[Severity: Critical]
This is a pre-existing issue, but can maliciously crafted VP9 superframe
headers cause an integer overflow in vp9_update_header(), leading to a
massive out-of-bounds memory copy?
Looking at vp9_update_header() in the same file:
for (cur_mag = 0; cur_mag < mag; cur_mag++) {
...
frame_size[cur_frame] |=
(dp[mag_ptr] << (cur_mag * 8));
mag_ptr++;
}
...
total_datasize += frame_size[cur_frame];
If untrusted user data shifted into the signed 32-bit frame_size becomes
negative, multiple negative values can sum to a small positive
total_datasize, which bypasses the size checks:
new_frame_size = total_datasize + num_frames * VP9_HEADER_SIZE;
if (new_frame_size >= vb2_plane_size(buf, 0)) {
return -ENOMEM;
}
Then, later in the same function:
int framesize = frame_size[cur_frame];
...
memmove(fdata + VP9_HEADER_SIZE, old_framedata, framesize);
The negative framesize is implicitly converted to a size_t, which causes
an out-of-bounds memmove(). Could this lead to memory corruption when
handling untrusted V4L2 video stream data?
[ ... ]
> void esparser_queue_all_src(struct work_struct *work)
> {
> - struct v4l2_m2m_buffer *buf, *n;
> struct amvdec_session *sess =
> container_of(work, struct amvdec_session, esparser_queue_work);
> + struct device *dev = sess->core->dev_dec;
> + int ret;
>
> - mutex_lock(&sess->lock);
> - v4l2_m2m_for_each_src_buf_safe(sess->m2m_ctx, buf, n) {
> - if (sess->should_stop)
> - break;
> + while (1) {
> + struct vb2_v4l2_buffer *vbuf = NULL;
> + bool processed_frame = false;
> +
> + scoped_guard(mutex, &sess->lock) {
> + /* Safe atomic tracking check: exit loop if session is shutting down */
> + if (sess->should_stop)
> + return;
> +
> + /* Queue completely empty: exit work loop cleanly */
> + vbuf = v4l2_m2m_next_src_buf(sess->m2m_ctx);
> + if (!vbuf)
> + break;
> +
> + /* Stop processing if we hit the end-of-stream drain buffer */
> + if (vbuf->flags & V4L2_BUF_FLAG_LAST)
> + break;
> +
> + /* Check hardware FIFO limits safely inside the locks */
> + ret = esparser_queue(sess, vbuf);
> + if (ret == -EAGAIN)
> + break;
> +
> + /* Pop the buffer from the source queue since it is now processed */
> + vbuf = v4l2_m2m_src_buf_remove(sess->m2m_ctx);
> + if (!vbuf) {
> + dev_dbg(dev, "Buffer missing during queue removal\n");
> + break;
> + }
> +
> + /* Complete the buffer transaction based on parser results */
> + if (ret < 0)
> + v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
> + else
> + v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_DONE);
>
> - if (esparser_queue(sess, &buf->vb) < 0)
> + /* Set tracking flag indicating transaction completion */
> + processed_frame = true;
> + }
> +
> + if (processed_frame)
> break;
[Severity: High]
Does this code inadvertently create an infinite loop?
Because scoped_guard() is implemented internally as a for-loop, the
break statements inside the scoped_guard() block will only exit the lock
scope, not the outer while (1) loop.
If the queue is empty (!vbuf), we break out of the scoped_guard(),
processed_frame remains false, and the while (1) loop continues infinitely,
consuming 100% CPU.
Conversely, if a frame is successfully processed, processed_frame becomes
true, which causes the outer while (1) loop to exit after just one frame
instead of continuing to drain the queue.
Could the logic here be inverted, or should the inner loop use goto
instead of break to exit the outer loop?
> +
> + /* Give other threads and IRQ routines a window to execute while unlocked */
> + cond_resched();
> }
> - mutex_unlock(&sess->lock);
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260713120840.17427-1-linux.amoon@gmail.com?part=7
_______________________________________________
linux-amlogic mailing list
linux-amlogic@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-amlogic
next prev parent reply other threads:[~2026-07-13 12:27 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-13 12:06 [PATCH v7 00/19] media: meson: vdec: Fix lifecycles, race conditions, and stability bugs Anand Moon
2026-07-13 12:06 ` [PATCH v7 01/19] media: meson: vdec: Fix m2m device lifetime and cleanup path Anand Moon
2026-07-13 12:35 ` sashiko-bot
2026-07-13 12:06 ` [PATCH v7 02/19] media: meson: vdec: Fix STREAMON / STREAMOFF race conditions and session teardown Anand Moon
2026-07-13 12:38 ` sashiko-bot
2026-07-13 12:06 ` [PATCH v7 03/19] media: meson: vdec: Fix lifecycle leaks and race conditions in recycle_thread Anand Moon
2026-07-13 12:32 ` sashiko-bot
2026-07-13 12:06 ` [PATCH v7 04/19] media: meson: vdec: Fix use-after-free race between teardown and ISR routines Anand Moon
2026-07-13 12:23 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 05/19] media: meson: vdec: Fix race condition and synchronize esparser IRQ Anand Moon
2026-07-13 12:28 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 06/19] media: meson: vdec: Fix race condition by canceling work sync Anand Moon
2026-07-13 12:33 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 07/19] media: meson: vdec: Refactor esparser work queue and fix teardown race Anand Moon
2026-07-13 12:27 ` sashiko-bot [this message]
2026-07-13 12:07 ` [PATCH v7 08/19] media: meson: vdec: Fix concurrent execution races and unsafe teardown Anand Moon
2026-07-13 12:42 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 09/19] media: meson: vdec: Fix vp9 header update failure on invalid payloads Anand Moon
2026-07-13 12:42 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 10/19] media: meson: vdec: Fix race conditions and leaks in esparser pipeline Anand Moon
2026-07-13 12:46 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 11/19] media: meson: vdec: Update core m2m stream state during transitions Anand Moon
2026-07-13 12:48 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 12/19] media: meson: vdec: Coordinate m2m task execution inside async loop Anand Moon
2026-07-13 12:54 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 13/19] media: meson: vdec: Fix race conditions in job abort sequence Anand Moon
2026-07-13 12:55 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 14/19] media: meson: vdec: Correct atomic counter placement in dst_buf_done Anand Moon
2026-07-13 12:48 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 15/19] media: meson: vdec: Fix concurrent firmware loading race and hardware timeout Anand Moon
2026-07-13 12:56 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 16/19] media: meson: vdec: Configure DMA mask and segment size in probe Anand Moon
2026-07-13 12:55 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 17/19] media: meson: canvas: Fix Use-After-Free by linking canvas provider device Anand Moon
2026-07-13 12:58 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 18/19] media: meson: vdec: Increase VIFIFO buffer size to 32 MiB Anand Moon
2026-07-13 13:06 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 19/19] gpu: drm: meson: Fix DMA segment size limits and maximize allocation boundaries Anand Moon
2026-07-13 12:57 ` sashiko-bot
2026-07-13 14:04 ` Nicolas Dufresne
2026-07-14 7:23 ` [PATCH v7 00/19] media: meson: vdec: Fix lifecycles, race conditions, and stability bugs Anand Moon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260713122748.277121F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-amlogic@lists.infradead.org \
--cc=linux.amoon@gmail.com \
--cc=neil.armstrong@linaro.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox