RE: [PATCH v2] media: chips-media: wave5: Move src_buf Removal to finish_encode

[jackson.lee <jackson.lee@chipsnmedia.com>]

Hi Brandon


> -----Original Message-----
> From: Brandon Brnich <b-brnich@ti.com>
> Sent: Saturday, March 21, 2026 3:05 AM
> To: linux-kernel@vger.kernel.org; linux-media@vger.kernel.org; jackson.lee
> <jackson.lee@chipsnmedia.com>; Nas Chung <nas.chung@chipsnmedia.com>
> Cc: mchehab@kernel.org; nicolas.dufresne@collabora.com; b-brnich@ti.com
> Subject: [PATCH v2] media: chips-media: wave5: Move src_buf Removal to
> finish_encode
> 
> During encoder processing, there is a case where the IRQ response could
> return the buffer back to userspace via v4l2_m2m_buf_done call. In this
> time, userspace could queue up this same buffer before start_encode
> removes the index from the ready queue. This would then lead to a case
> where the buffer in the ready queue could be a self loop due to the
> WRITE_ONCE(prev->next, new) call in __list_add.
> 
> When __list_del is finally called, the loop is already made so nothing
> points back to ready queue list head and pointers are poisoned.
> 
> A buffer should not be marked as DONE before the buffer is removed from
> m2m ready queue. Move removal entirely to finish_encode.
> 
> Signed-off-by: Brandon Brnich <b-brnich@ti.com>

Tested-by: Jackson Lee <jackson.lee@chipsnmedia.com>

Thanks
Jackson
> ---
> 
> V2:
>  - Update function to use reported index from encoder
>  - Fix reported media CI bot style errors with brackets
> 
>  .../chips-media/wave5/wave5-vpu-enc.c         | 29 +++----------------
>  1 file changed, 4 insertions(+), 25 deletions(-)
> 
> diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
> b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
> index 7613fcdbafed..c605a91718d8 100644
> --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
> +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
> @@ -226,13 +226,6 @@ static int start_encode(struct vpu_instance *inst,
> u32 *fail_res)
>  	} else {
>  		dev_dbg(inst->dev->dev, "%s: wave5_vpu_enc_start_one_frame
> success\n",
>  			__func__);
> -		/*
> -		 * Remove the source buffer from the ready-queue now and
> finish
> -		 * it in the videobuf2 framework once the index is returned
> by the
> -		 * firmware in finish_encode
> -		 */
> -		if (src_buf)
> -			v4l2_m2m_src_buf_remove_by_idx(m2m_ctx, src_buf-
> >vb2_buf.index);
>  	}
> 
>  	return 0;
> @@ -259,27 +252,13 @@ static void wave5_vpu_enc_finish_encode(struct
> vpu_instance *inst)
>  		__func__,  enc_output_info.pic_type,
> enc_output_info.recon_frame_index,
>  		enc_output_info.enc_src_idx, enc_output_info.enc_pic_byte,
> enc_output_info.pts);
> 
> -	/*
> -	 * The source buffer will not be found in the ready-queue as it has
> been
> -	 * dropped after sending of the encode firmware command, locate it
> in
> -	 * the videobuf2 queue directly
> -	 */
>  	if (enc_output_info.enc_src_idx >= 0) {
> -		struct vb2_buffer *vb =
> vb2_get_buffer(v4l2_m2m_get_src_vq(m2m_ctx),
> -						       enc_output_info.enc_src_idx);
> -		if (vb->state != VB2_BUF_STATE_ACTIVE)
> -			dev_warn(inst->dev->dev,
> -				 "%s: encoded buffer (%d) was not in ready
> queue %i.",
> -				 __func__, enc_output_info.enc_src_idx, vb-
> >state);
> -		else
> -			src_buf = to_vb2_v4l2_buffer(vb);
> -
> -		if (src_buf) {
> +		src_buf = v4l2_m2m_src_buf_remove_by_idx(m2m_ctx,
> enc_output_info.enc_src_idx);
> +		if (!src_buf) {
> +			dev_warn(inst->dev->dev, "%s: no source buffer
> found\n", __func__);
> +		} else {
>  			inst->timestamp = src_buf->vb2_buf.timestamp;
>  			v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_DONE);
> -		} else {
> -			dev_warn(inst->dev->dev, "%s: no source buffer with
> index: %d found\n",
> -				 __func__, enc_output_info.enc_src_idx);
>  		}
>  	}
> 
> --
> 2.43.0