* [PATCH v2] media: chips-media: wave5: Move src_buf Removal to finish_encode
@ 2026-03-20 18:05 Brandon Brnich
2026-03-25 7:32 ` jackson.lee
0 siblings, 1 reply; 2+ messages in thread
From: Brandon Brnich @ 2026-03-20 18:05 UTC (permalink / raw)
To: linux-kernel, linux-media, jackson.lee, nas.chung
Cc: mchehab, nicolas.dufresne, b-brnich
During encoder processing, there is a case where the IRQ response could
return the buffer back to userspace via v4l2_m2m_buf_done call. In this
time, userspace could queue up this same buffer before start_encode removes
the index from the ready queue. This would then lead to a case where the
buffer in the ready queue could be a self loop due to the
WRITE_ONCE(prev->next, new) call in __list_add.
When __list_del is finally called, the loop is already made so nothing
points back to ready queue list head and pointers are poisoned.
A buffer should not be marked as DONE before the buffer is removed from
m2m ready queue. Move removal entirely to finish_encode.
Signed-off-by: Brandon Brnich <b-brnich@ti.com>
---
V2:
- Update function to use reported index from encoder
- Fix reported media CI bot style errors with brackets
.../chips-media/wave5/wave5-vpu-enc.c | 29 +++----------------
1 file changed, 4 insertions(+), 25 deletions(-)
diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
index 7613fcdbafed..c605a91718d8 100644
--- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
+++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
@@ -226,13 +226,6 @@ static int start_encode(struct vpu_instance *inst, u32 *fail_res)
} else {
dev_dbg(inst->dev->dev, "%s: wave5_vpu_enc_start_one_frame success\n",
__func__);
- /*
- * Remove the source buffer from the ready-queue now and finish
- * it in the videobuf2 framework once the index is returned by the
- * firmware in finish_encode
- */
- if (src_buf)
- v4l2_m2m_src_buf_remove_by_idx(m2m_ctx, src_buf->vb2_buf.index);
}
return 0;
@@ -259,27 +252,13 @@ static void wave5_vpu_enc_finish_encode(struct vpu_instance *inst)
__func__, enc_output_info.pic_type, enc_output_info.recon_frame_index,
enc_output_info.enc_src_idx, enc_output_info.enc_pic_byte, enc_output_info.pts);
- /*
- * The source buffer will not be found in the ready-queue as it has been
- * dropped after sending of the encode firmware command, locate it in
- * the videobuf2 queue directly
- */
if (enc_output_info.enc_src_idx >= 0) {
- struct vb2_buffer *vb = vb2_get_buffer(v4l2_m2m_get_src_vq(m2m_ctx),
- enc_output_info.enc_src_idx);
- if (vb->state != VB2_BUF_STATE_ACTIVE)
- dev_warn(inst->dev->dev,
- "%s: encoded buffer (%d) was not in ready queue %i.",
- __func__, enc_output_info.enc_src_idx, vb->state);
- else
- src_buf = to_vb2_v4l2_buffer(vb);
-
- if (src_buf) {
+ src_buf = v4l2_m2m_src_buf_remove_by_idx(m2m_ctx, enc_output_info.enc_src_idx);
+ if (!src_buf) {
+ dev_warn(inst->dev->dev, "%s: no source buffer found\n", __func__);
+ } else {
inst->timestamp = src_buf->vb2_buf.timestamp;
v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_DONE);
- } else {
- dev_warn(inst->dev->dev, "%s: no source buffer with index: %d found\n",
- __func__, enc_output_info.enc_src_idx);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* RE: [PATCH v2] media: chips-media: wave5: Move src_buf Removal to finish_encode
2026-03-20 18:05 [PATCH v2] media: chips-media: wave5: Move src_buf Removal to finish_encode Brandon Brnich
@ 2026-03-25 7:32 ` jackson.lee
0 siblings, 0 replies; 2+ messages in thread
From: jackson.lee @ 2026-03-25 7:32 UTC (permalink / raw)
To: Brandon Brnich, linux-kernel@vger.kernel.org,
linux-media@vger.kernel.org, Nas Chung
Cc: mchehab@kernel.org, nicolas.dufresne@collabora.com
Hi Brandon
> -----Original Message-----
> From: Brandon Brnich <b-brnich@ti.com>
> Sent: Saturday, March 21, 2026 3:05 AM
> To: linux-kernel@vger.kernel.org; linux-media@vger.kernel.org; jackson.lee
> <jackson.lee@chipsnmedia.com>; Nas Chung <nas.chung@chipsnmedia.com>
> Cc: mchehab@kernel.org; nicolas.dufresne@collabora.com; b-brnich@ti.com
> Subject: [PATCH v2] media: chips-media: wave5: Move src_buf Removal to
> finish_encode
>
> During encoder processing, there is a case where the IRQ response could
> return the buffer back to userspace via v4l2_m2m_buf_done call. In this
> time, userspace could queue up this same buffer before start_encode
> removes the index from the ready queue. This would then lead to a case
> where the buffer in the ready queue could be a self loop due to the
> WRITE_ONCE(prev->next, new) call in __list_add.
>
> When __list_del is finally called, the loop is already made so nothing
> points back to ready queue list head and pointers are poisoned.
>
> A buffer should not be marked as DONE before the buffer is removed from
> m2m ready queue. Move removal entirely to finish_encode.
>
> Signed-off-by: Brandon Brnich <b-brnich@ti.com>
Tested-by: Jackson Lee <jackson.lee@chipsnmedia.com>
Thanks
Jackson
> ---
>
> V2:
> - Update function to use reported index from encoder
> - Fix reported media CI bot style errors with brackets
>
> .../chips-media/wave5/wave5-vpu-enc.c | 29 +++----------------
> 1 file changed, 4 insertions(+), 25 deletions(-)
>
> diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
> b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
> index 7613fcdbafed..c605a91718d8 100644
> --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
> +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
> @@ -226,13 +226,6 @@ static int start_encode(struct vpu_instance *inst,
> u32 *fail_res)
> } else {
> dev_dbg(inst->dev->dev, "%s: wave5_vpu_enc_start_one_frame
> success\n",
> __func__);
> - /*
> - * Remove the source buffer from the ready-queue now and
> finish
> - * it in the videobuf2 framework once the index is returned
> by the
> - * firmware in finish_encode
> - */
> - if (src_buf)
> - v4l2_m2m_src_buf_remove_by_idx(m2m_ctx, src_buf-
> >vb2_buf.index);
> }
>
> return 0;
> @@ -259,27 +252,13 @@ static void wave5_vpu_enc_finish_encode(struct
> vpu_instance *inst)
> __func__, enc_output_info.pic_type,
> enc_output_info.recon_frame_index,
> enc_output_info.enc_src_idx, enc_output_info.enc_pic_byte,
> enc_output_info.pts);
>
> - /*
> - * The source buffer will not be found in the ready-queue as it has
> been
> - * dropped after sending of the encode firmware command, locate it
> in
> - * the videobuf2 queue directly
> - */
> if (enc_output_info.enc_src_idx >= 0) {
> - struct vb2_buffer *vb =
> vb2_get_buffer(v4l2_m2m_get_src_vq(m2m_ctx),
> - enc_output_info.enc_src_idx);
> - if (vb->state != VB2_BUF_STATE_ACTIVE)
> - dev_warn(inst->dev->dev,
> - "%s: encoded buffer (%d) was not in ready
> queue %i.",
> - __func__, enc_output_info.enc_src_idx, vb-
> >state);
> - else
> - src_buf = to_vb2_v4l2_buffer(vb);
> -
> - if (src_buf) {
> + src_buf = v4l2_m2m_src_buf_remove_by_idx(m2m_ctx,
> enc_output_info.enc_src_idx);
> + if (!src_buf) {
> + dev_warn(inst->dev->dev, "%s: no source buffer
> found\n", __func__);
> + } else {
> inst->timestamp = src_buf->vb2_buf.timestamp;
> v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_DONE);
> - } else {
> - dev_warn(inst->dev->dev, "%s: no source buffer with
> index: %d found\n",
> - __func__, enc_output_info.enc_src_idx);
> }
> }
>
> --
> 2.43.0
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-03-25 7:32 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-20 18:05 [PATCH v2] media: chips-media: wave5: Move src_buf Removal to finish_encode Brandon Brnich
2026-03-25 7:32 ` jackson.lee
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox