Linux Media Controller development
From: sashiko-bot@kernel.org
To: "Anand Moon" <linux.amoon@gmail.com>
Cc: linux-media@vger.kernel.org, neil.armstrong@linaro.org,
	linux-amlogic@lists.infradead.org
Subject: Re: [PATCH v6 6/8] media: meson: vdec: Configure DMA mask and segment size in probe
Date: Sat, 30 May 2026 11:10:22 +0000
Message-ID: <20260530111022.9C6D71F00893@smtp.kernel.org>
In-Reply-To: <20260530094326.11892-7-linux.amoon@gmail.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

New issues:
- [Critical] Applying a 64-bit DMA mask causes silent physical address truncation and memory corruption, as the hardware and driver only support 32-bit addresses.

Pre-existing issues:
- [High] The vdec driver stores a raw pointer to the `meson_canvas` device without linking the devices or holding a reference, leading to a Use-After-Free if the canvas provider unbinds.
--

commit 895ef453d9c75df04fd40367102f8eafce76e013
Author: Anand Moon <linux.amoon@gmail.com>

media: meson: vdec: Configure DMA mask and segment size in probe

The vdec probe routine did not set explicit DMA constraints, leaving the
driver dependent on platform defaults. This could cause allocation failures
or fragmented buffer handling on systems with stricter DMA limits. This
change configures a 64-bit DMA mask and sets the maximum contiguous segment
size to UINT_MAX.

Closes: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/

> diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c
> index 4884ee04b3529..f99335effe176 100644
> --- a/drivers/staging/media/meson/vdec/vdec.c
> +++ b/drivers/staging/media/meson/vdec/vdec.c
> @@ -1064,6 +1064,15 @@ static int vdec_probe(struct platform_device *pdev)
>  	if (IS_ERR(core->canvas))
>  		return PTR_ERR(core->canvas);

[Severity: High]
This isn't a bug introduced by this patch, but can we experience a
use-after-free here if the canvas provider unbinds?

Looking at meson_canvas_get(), the reference to the provider device is
dropped immediately before returning the internal canvas pointer:

drivers/soc/amlogic/meson-canvas.c:meson_canvas_get() {
    ...
    put_device(&canvas_pdev->dev);
    return canvas;
}

Since the vdec driver stores this pointer in core->canvas but does not
establish a device link or hold a module reference, what prevents the
canvas memory from being freed by devres while the vdec driver is still
using it?

>  
> +	ret = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(64));

[Severity: Critical]
Will setting a 64-bit DMA mask cause silent physical address truncation?

The Meson VDEC hardware natively uses 32-bit registers for DMA addresses,
and the driver's helper functions strictly accept 32-bit values:

drivers/staging/media/meson/vdec/vdec_helpers.h:
void amvdec_write_dos(struct amvdec_core *core, u32 reg, u32 val);

If the DMA API allocates memory buffers at physical addresses above 4GB,
their 64-bit addresses will be implicitly truncated to 32 bits when passed
to the hardware registers.

Can this lead to the hardware reading or writing to incorrect physical
memory locations in the lower 4GB?

> +	if (ret)
> +		return dev_err_probe(dev, ret, "Failed to set DMA mask\n");
> +
> +	ret = vb2_dma_contig_set_max_seg_size(dev, UINT_MAX);
> +	if (ret)
> +		return dev_err_probe(dev, ret,
> +				     "Failed to set DMA max segment size\n");
> +
>  	of_id = of_match_node(vdec_dt_match, dev->of_node);
>  	core->platform = of_id->data;
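
Review bot: The DMA_BIT_MASK(64) passed to dma_set_mask_and_coherent() in the first added line advertises a wider address range than the device can be programmed with, given that amvdec_write_dos() takes a u32 val as quoted earlier in this message. Suggest DMA_BIT_MASK(32) here, and have the commit message state why that width matches the hardware rather than only that a mask is now set. Separately, in the trailing context, of_id returned by of_match_node() is dereferenced on the very next line without a NULL check; a guard there would be worth a follow-up patch.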

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260530094326.11892-1-linux.amoon@gmail.com?part=6
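
The truncation concern raised in the review above, modelled in userspace C as an added example (not code from the patch, the driver or the reviewer). The names write_reg32, program_unchecked, program_checked, mask_fits_reg32 and count_aliased, and the sample addresses, are constructed for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t dma_addr_t;            /* 64-bit, as on arm64 */
#define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL << (n)) - 1))

static uint32_t fake_reg;               /* models one 32-bit address register */

/* Same shape as a helper taking "u32 val": the caller's value is narrowed. */
static void write_reg32(uint32_t val) { fake_reg = val; }

/* Returns the address the device would really use after an unchecked write. */
static dma_addr_t program_unchecked(dma_addr_t addr)
{
	write_reg32(addr);                  /* implicit 64 -> 32 bit conversion */
	return fake_reg;
}

/* Hypothetical guarded variant: reject what the register cannot represent. */
static int program_checked(dma_addr_t addr)
{
	if (addr >> 32)
		return -ERANGE;
	write_reg32((uint32_t)addr);
	return 0;
}

/* True when every address a given DMA mask permits fits the register. */
static bool mask_fits_reg32(uint64_t mask) { return (mask >> 32) == 0; }

/* Counts sample addresses whose device-visible value differs from intent. */
static size_t count_aliased(const dma_addr_t *a, size_t n)
{
	size_t bad = 0;
	for (size_t i = 0; i < n; i++)
		bad += program_unchecked(a[i]) != a[i];
	return bad;
}

int main(void)
{
	/* Constructed samples: two below 4 GiB, two above (last aliases first). */
	const dma_addr_t s[] = { 0x3f200000ULL, 0xfff00000ULL, 0x100200000ULL, 0x23f200000ULL };
	printf("aliased: %zu of 4\n", count_aliased(s, 4));
	printf("mask32 ok=%d mask64 ok=%d\n", mask_fits_reg32(DMA_BIT_MASK(32)), mask_fits_reg32(DMA_BIT_MASK(64)));
	return 0;
}
```

With a mask that fits the register, the allocator never hands out an address the guarded path would reject, so the check becomes a safety net rather than a runtime failure.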
