From: Anand Moon
To: Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Maxime Jourdan, Hans Verkuil, linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list)
Cc: Anand Moon, Sashiko
Subject: [PATCH v5 0/6] media: meson: Fix memory leak in error path in vdec
Date: Mon, 25 May 2026 15:21:48 +0530
Message-ID: <20260525095216.12078-1-linux.amoon@gmail.com>
X-Mailer: git-send-email 2.50.1

V5: Changes
The following changes try to fix the memory leak reported by Sashiko.

New issues:
- [High] The newly added error path in `vdec_start_streaming()` leaks `sess->priv` when `kthread_run()` fails.

Pre-existing issues:
- [Critical] Race condition between hardware power-on and `core->cur_sess` initialization leads to a NULL pointer dereference in the IRQ handler.
- [High] Returning buffers for both source and destination queues upon single-queue failure orphans active queue buffers.
- [High] Concurrent sessions can bypass the hardware exclusivity check, leading to simultaneous hardware programming.

--
Reported-by: Sashiko
https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/

V4: Changes:
The following changes try to fix the memory leak reported by Sashiko.

Pre-existing issues:
- [Critical] The `sess->esparser_queue_work` work item is not canceled before freeing the session context, leading to a potential use-after-free vulnerability.
- [High] The patch attempts to fix a memory leak reported by kmemleak, but misdiagnoses the root cause and leaves the primary memory leak (the V4L2 control handler) unresolved.
- [High] The driver does not verify if `kthread_run()` returns an `ERR_PTR`, leading to a kernel panic when `kthread_stop()` is called.

Reported-by: Sashiko
https://lore.kernel.org/all/20260520045905.6ACBA1F000E9@smtp.kernel.org/#t

Thanks
-Anand

Anand Moon (6):
  media: meson: vdec: Fix memory leak in error path of vdec_open
  media: meson: vdec: Protect session exclusivity check with lock
  media: meson: vdec: Set cur_sess before hardware vdec_poweron()
  media: meson: vdec: Handle kthread error and free codec private data
  media: meson: vdec: Isolate error path buffer flush to the active queue
  media: meson: vdec: Cancel esparser work in error and stop paths

 drivers/staging/media/meson/vdec/vdec.c | 54 ++++++++++++++++++++-----
 1 file changed, 44 insertions(+), 10 deletions(-)

base-commit: e7ae89a0c97ce2b68b0983cd01eda67cf373517d
--
2.50.1