From: sashiko-bot@kernel.org
To: "Anand Moon" <linux.amoon@gmail.com>
Cc: dri-devel@lists.freedesktop.org, neil.armstrong@linaro.org,
linux-amlogic@lists.infradead.org
Subject: Re: [PATCH v7 12/19] media: meson: vdec: Coordinate m2m task execution inside async loop
Date: Mon, 13 Jul 2026 12:54:43 +0000 [thread overview]
Message-ID: <20260713125443.7F1031F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <20260713120840.17427-13-linux.amoon@gmail.com>
Thank you for your contribution! Sashiko AI review found 7 potential issue(s) to consider:
New issues:
- [Critical] An AB-BA deadlock occurs between the V4L2 `VIDIOC_STREAMOFF` ioctl and the workqueue worker `esparser_queue_all_src` over `sess->lock`.
- [Critical] A recursive mutex self-deadlock occurs because `core->lock` is manually acquired inside functions already protected by the V4L2 core.
- [High] The `esparser_queue_all_src` workqueue thread enters a 100% CPU infinite busy-loop on empty queues, end-of-stream buffers, or hardware FIFO full conditions.
- [High] The V4L2 M2M framework permanently stalls due to a leaked job context when `esparser_queue_all_src` exits early or hits loop break conditions without calling `v4l2_m2m_job_finish()`.
- [High] Closing any secondary file descriptor unconditionally clears `core->cur_sess`, stripping hardware ownership from the active session and causing permanent DMA memory leaks.
Pre-existing issues:
- [Critical] An unconditional out-of-bounds heap write occurs when padding artificially small, user-controlled buffers in `esparser_pad_start_code()`.
- [Critical] An integer overflow during VP9 sub-frame length parsing allows attackers to bypass size boundaries and trigger an out-of-bounds `memmove` copy.
--
--- Patch [12]: [PATCH v7 12/19] media: meson: vdec: Coordinate m2m task execution inside async loop ---
commit 8f8ffb4492573d6d82ee209ecb382a9f5fbed9e4
Author: Anand Moon <linux.amoon@gmail.com>
media: meson: vdec: Coordinate m2m task execution inside async loop
This commit introduces proper V4L2 Memory-to-Memory (m2m) scheduler pipeline
tracking by handling job finalisation inside the asynchronous esparser
workqueue. It defers the scheduling call to v4l2_m2m_job_finish() to execute
within the worker routine.
> diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
> index b9f36fef4be12..939b239c2af47 100644
> --- a/drivers/staging/media/meson/vdec/esparser.c
> +++ b/drivers/staging/media/meson/vdec/esparser.c
[ ... ]
> @@ -437,6 +438,9 @@ void esparser_queue_all_src(struct work_struct *work)
> else
> v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_DONE);
>
> + /* Safely notify the V4L2 core sub-framework */
> + v4l2_m2m_job_finish(core->m2m_dev, sess->m2m_ctx);
> +
> /* Set tracking flag indicating transaction completion */
> processed_frame = true;
> }
[Severity: High]
Does this worker thread run into an infinite busy-loop on empty queues or
end-of-stream buffers?
In esparser_queue_all_src(), the code uses a scoped_guard for the lock:
while (1) {
...
scoped_guard(mutex, &sess->lock) {
if (!vbuf)
break;
}
}
Since scoped_guard expands into a hidden for-loop, the break statement only
exits the scoped_guard's loop, not the outer while (1) loop. This could trap
execution indefinitely, consuming 100% CPU when the queue is empty, hits an
EOS buffer, or the hardware FIFO is full.
[Severity: High]
Could the V4L2 M2M job context permanently leak if the session shuts down?
Looking at esparser_queue_all_src():
scoped_guard(mutex, &sess->lock) {
/* Safe atomic tracking check: exit loop if session is shutting down */
if (READ_ONCE(sess->should_stop))
return;
Returning early directly bypasses the newly added v4l2_m2m_job_finish() call.
This could permanently hang the V4L2 memory-to-memory framework because it
considers the device busy forever, preventing further decoding jobs.
[Severity: Critical]
Is there a risk of an AB-BA deadlock between the V4L2 VIDIOC_STREAMOFF ioctl
and the workqueue worker?
The V4L2 core framework acquires sess->lock during VIDIOC_STREAMOFF and then
calls vdec_stop_streaming(), which waits for the active worker thread:
drivers/staging/media/meson/vdec/vdec.c:vdec_stop_streaming() {
...
cancel_work_sync(&sess->esparser_queue_work);
}
Concurrently, the worker thread esparser_queue_all_src spins up and blocks
attempting to acquire the identical sess->lock:
drivers/staging/media/meson/vdec/esparser.c:esparser_queue_all_src() {
...
scoped_guard(mutex, &sess->lock) {
}
This sequence would entirely deadlock the system when stopping the video stream.
> diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c
> index 0eb39aa6014ee..b3e1d99e8889f 100644
> --- a/drivers/staging/media/meson/vdec/vdec.c
> +++ b/drivers/staging/media/meson/vdec/vdec.c
> @@ -149,6 +149,17 @@ vdec_queue_recycle(struct amvdec_session *sess, struct vb2_buffer *vb)
> static void vdec_m2m_device_run(void *priv)
> {
> struct amvdec_session *sess = priv;
> + struct amvdec_core *core = sess->core;
> +
> + if (READ_ONCE(sess->should_stop)) {
> + v4l2_m2m_job_finish(core->m2m_dev, sess->m2m_ctx);
> + return;
> + }
> +
> + mutex_lock(&core->lock);
> + if (!core->cur_sess)
> + core->cur_sess = sess;
> + mutex_unlock(&core->lock);
>
> schedule_work(&sess->esparser_queue_work);
> }
[Severity: Critical]
Will acquiring core->lock manually here and in vdec_start_streaming result
in a recursive mutex self-deadlock?
Because vdev->queue is intentionally left NULL for M2M devices, the V4L2 core
ioctl wrapper unconditionally acquires vdev->lock (which is mapped to
&core->lock) before delegating execution to the ioctl implementations.
The underlying driver callback vdec_start_streaming then attempts to manually
acquire it again:
drivers/staging/media/meson/vdec/vdec.c:vdec_start_streaming() {
...
mutex_lock(&core->lock);
if (core->cur_sess && core->cur_sess != sess) {
}
This would immediately self-deadlock the kernel thread processing
VIDIOC_STREAMON or VIDIOC_STREAMOFF.
[Severity: High]
Does closing a secondary file descriptor unintentionally strip hardware
ownership from the active session?
In vdec_close(), the state modification is placed outside the active session
check block:
drivers/staging/media/meson/vdec/vdec.c:vdec_close() {
...
/* Safely clear hardware ownership since we were confirmed as the owner */
smp_store_release(&core->cur_sess, NULL);
}
If a user-space process opens the video node twice, streams on the first
session, and then closes the second session, this clears core->cur_sess
unconditionally. This destroys the ownership state of the active session,
bypassing its cleanup sequence and permanently leaking DMA buffers and canvases.
[Severity: Critical]
This is a pre-existing issue, but can esparser_pad_start_code() cause an
out-of-bounds heap write when handling artificially small buffers?
If userspace negotiates a small sizeimage and queues a tiny buffer, the padding
function computes pad_size based on ESPARSER_MIN_PACKET_SIZE and executes
a memset before verifying the vb2_plane_size:
drivers/staging/media/meson/vdec/esparser.c:esparser_pad_start_code() {
...
pad_size = ESPARSER_MIN_PACKET_SIZE - payload_size;
memset(vaddr + payload_size, 0, pad_size);
}
if ((payload_size + pad_size + SEARCH_PATTERN_LEN) >
vb2_plane_size(vb, 0)) {
}
This could allow a local user to overwrite memory with zeroes by passing a
payload_size of 0, resulting in a 4096-byte memset.
[Severity: Critical]
This is a pre-existing issue, but might an integer overflow in
vp9_update_header() allow attackers to trigger an out-of-bounds memmove?
The parser reconstructs frame lengths by bit-shifting byte payloads:
drivers/staging/media/meson/vdec/esparser.c:vp9_update_header() {
...
frame_size[cur_frame] |=
(dp[mag_ptr] << (cur_mag * 8));
}
If dp[mag_ptr] is >= 128 and cur_mag is 3, the unsigned 8-bit value promotes
to an int and shifts into the sign bit, resulting in a large negative integer.
Later, this negative frame_size is passed to memmove():
drivers/staging/media/meson/vdec/esparser.c:vp9_update_header() {
...
memmove(fdata + VP9_HEADER_SIZE, old_framedata, framesize);
}
The negative framesize implicitly converts to a massive size_t, which could
corrupt arbitrary kernel memory.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260713120840.17427-1-linux.amoon@gmail.com?part=12
_______________________________________________
linux-amlogic mailing list
linux-amlogic@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-amlogic
next prev parent reply other threads:[~2026-07-13 12:54 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-13 12:06 [PATCH v7 00/19] media: meson: vdec: Fix lifecycles, race conditions, and stability bugs Anand Moon
2026-07-13 12:06 ` [PATCH v7 01/19] media: meson: vdec: Fix m2m device lifetime and cleanup path Anand Moon
2026-07-13 12:35 ` sashiko-bot
2026-07-13 12:06 ` [PATCH v7 02/19] media: meson: vdec: Fix STREAMON / STREAMOFF race conditions and session teardown Anand Moon
2026-07-13 12:38 ` sashiko-bot
2026-07-13 12:06 ` [PATCH v7 03/19] media: meson: vdec: Fix lifecycle leaks and race conditions in recycle_thread Anand Moon
2026-07-13 12:32 ` sashiko-bot
2026-07-13 12:06 ` [PATCH v7 04/19] media: meson: vdec: Fix use-after-free race between teardown and ISR routines Anand Moon
2026-07-13 12:23 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 05/19] media: meson: vdec: Fix race condition and synchronize esparser IRQ Anand Moon
2026-07-13 12:28 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 06/19] media: meson: vdec: Fix race condition by canceling work sync Anand Moon
2026-07-13 12:33 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 07/19] media: meson: vdec: Refactor esparser work queue and fix teardown race Anand Moon
2026-07-13 12:27 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 08/19] media: meson: vdec: Fix concurrent execution races and unsafe teardown Anand Moon
2026-07-13 12:42 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 09/19] media: meson: vdec: Fix vp9 header update failure on invalid payloads Anand Moon
2026-07-13 12:42 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 10/19] media: meson: vdec: Fix race conditions and leaks in esparser pipeline Anand Moon
2026-07-13 12:46 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 11/19] media: meson: vdec: Update core m2m stream state during transitions Anand Moon
2026-07-13 12:48 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 12/19] media: meson: vdec: Coordinate m2m task execution inside async loop Anand Moon
2026-07-13 12:54 ` sashiko-bot [this message]
2026-07-13 12:07 ` [PATCH v7 13/19] media: meson: vdec: Fix race conditions in job abort sequence Anand Moon
2026-07-13 12:55 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 14/19] media: meson: vdec: Correct atomic counter placement in dst_buf_done Anand Moon
2026-07-13 12:48 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 15/19] media: meson: vdec: Fix concurrent firmware loading race and hardware timeout Anand Moon
2026-07-13 12:56 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 16/19] media: meson: vdec: Configure DMA mask and segment size in probe Anand Moon
2026-07-13 12:55 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 17/19] media: meson: canvas: Fix Use-After-Free by linking canvas provider device Anand Moon
2026-07-13 12:58 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 18/19] media: meson: vdec: Increase VIFIFO buffer size to 32 MiB Anand Moon
2026-07-13 13:06 ` sashiko-bot
2026-07-13 12:07 ` [PATCH v7 19/19] gpu: drm: meson: Fix DMA segment size limits and maximize allocation boundaries Anand Moon
2026-07-13 12:57 ` sashiko-bot
2026-07-13 14:04 ` Nicolas Dufresne
2026-07-14 7:23 ` [PATCH v7 00/19] media: meson: vdec: Fix lifecycles, race conditions, and stability bugs Anand Moon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260713125443.7F1031F00A3D@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-amlogic@lists.infradead.org \
--cc=linux.amoon@gmail.com \
--cc=neil.armstrong@linaro.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox