From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D29833557F3 for ; Sat, 30 May 2026 09:44:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.180 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780134295; cv=none; b=OnSnYG5Un0dryELV8iCJCd9/4kJwsIByg+RuMnUB+wplenmQRjwyMuEYvF0nT8PnoNlCZVXpW7ZCKgSckWnfvrN+mNcQ9l977QROqUwfGSHEkiOdRkPSCTYATR7SOa/rVPuT6JCMFzrcpHzQ2M7WJiUBg8lTpe//hgu6Pa3x1no= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780134295; c=relaxed/simple; bh=U+d2jT76hbERqFnnuLcNz9UQ38hwXQfEMVzxXIG/jas=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=fPc1+JZrfHSAmaZhUo6RmJq2wZfqb2a4+WwJJQJdmlk0iiqvD6QS84oIdRiim0mukG19nbLQZAXT7d18ouuYF8cgz1mgD11xow11uCTVaqf7uiSAcXUuxeGKxJeeCIO4L336mo7zRSctwolALzUnznWUxStW2iUIPSbGjvMDl2M= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Py+qmQt1; arc=none smtp.client-ip=209.85.214.180 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Py+qmQt1" Received: by mail-pl1-f180.google.com with SMTP id d9443c01a7336-2c0aa420401so1621985ad.3 for ; Sat, 30 May 2026 02:44:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780134293; x=1780739093; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Eg9ggvkEkoQKR+hIDJPnP9lc/gF7VRqufBdsoqX52Vc=; b=Py+qmQt1TCI9VuVFPFxZqIK0ucZ5osbRuCLbGsbcwf9yracV8aHsS2IHYGgEYyW7Xv JelEr0HMgLgPbFSKUwOQQt7HQx6x1LcVNwSe7Cia9+TWaZV3VUhBZGrNzsTWdOoSbc4B 3qgzmBLfFfP25MYyc2BubYcsPeMQoZGjr6Tp4vdlJ1GQucsB9uY2vNsaydJsq8aOwEYC QorhlZ9DG/XQ4tAwVBcs+NhjGTrfDF9Pnu2QvYRZhwyIwy/2nYsrkL62t2EXNvRGXE2g o3MdFEsJuazJBT+IANL1Gyj5HczDAFwZElrM/j8aDhGTyxVZn4xuaudaXiFdfKm/88sk frhQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780134293; x=1780739093; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=Eg9ggvkEkoQKR+hIDJPnP9lc/gF7VRqufBdsoqX52Vc=; b=oHLo7jJ/DZsZWxW6pMy5GbmSW1TstbkHxWWgBOtXEfk7CCLDuNZJLAcU5IbAz0fbmm OrIelPL6xrS77E4Rnth3hvjPMRsNvQ71vMFvRuszsF24JF8AETSdYOFZOwMsIODZj01P hYPEMws7jQ4PW/3ics9rTZqe2l/cSRFi51atHcV6AQMxX/mparxASja9AZmfJhd/YFGj tjLgeYlLZmuX0r9mesevQ0p/LETR5d61lbooAgI/DTu2EoR2iGDcDmoH1gXKLmvOIVLc Uagy31/QyT0a8BsXZH1t+tKQAWrCDhaTG3O+zK1Uy+A+4scmiQgx8eR/+z5xnsXc+mGO KA2g== X-Forwarded-Encrypted: i=1; AFNElJ8FucRcR/607AFydNVQmx4MyX+Fxy8bq1wsMCM+inhEgrHGgm6ynytimXO4pvQ70wilH8EskE+UHagyhH4=@vger.kernel.org X-Gm-Message-State: AOJu0YzInbLIgWfSdQFmdaNfiAiqs5kfp8sjxxXNTRFCQ1YqtVefS//H qLX7xqKk2gMCyf/rLMb3eBt9XDOTTukQL8+y+eOU53xOEMtuKY+X6fYS5NhL5g== X-Gm-Gg: Acq92OEdB3C6eif30uscji/W6pIf0opTkZhIMxKAcfRsCJapQtsE0hItiwwdugY7jD0 jLfIV0trfwtX9s5djcih9L/QgSnGGAmAFpzTR0yIihA0VGQY7N7bnyDpMJ93OQfTpJhfnXb8n2r hQFKKMV9hYAne/Fnm3XwRpXsz9FetDpZZoEFRgnHMm2uRL6DOAiaHYZ8+LM+lOohY5VHz7FnFR/ OL+SqI91mZa78qK1Age6VAgU/0WotJujuTpFhOSp9loMjS2rXqKEB5n9mUPgLTrN7Bwy1Zlr0g8 w6tiBkPKxNIv3srWpEvqF3Ry6QCD9DAEToTeJFvwSDuhef1kaZ5TOACSodBfxiIcT5/uiCahvGk YfkEj1VdxJiJrneF6dUDulgdhu7CDwRpHtpE++0mrHXlVghi/CqVwO6EsnudeDxItWbMvUZjH5l W/7oDmKABQArPGBGsC/whnkDZr6rH6vUg= X-Received: by 2002:a17:902:c94c:b0:2b2:be01:5532 with SMTP id d9443c01a7336-2bf3686d1dcmr41074635ad.35.1780134293228; Sat, 30 May 2026 02:44:53 -0700 (PDT) Received: from rockpi-5b ([45.112.0.191]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2bf239e700csm61529945ad.10.2026.05.30.02.44.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 30 May 2026 02:44:52 -0700 (PDT) From: Anand Moon To: Neil Armstrong , Maarten Lankhorst , Maxime Ripard , Thomas Zimmermann , David Airlie , Simona Vetter , Kevin Hilman , Jerome Brunet , Martin Blumenstingl , Mauro Carvalho Chehab , Greg Kroah-Hartman , Hans Verkuil , Maxime Jourdan , dri-devel@lists.freedesktop.org (open list:DRM DRIVERS FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:DRM DRIVERS FOR AMLOGIC SOCS), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list), linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM) Cc: Anand Moon , Nicolas Dufresne , Sashiko Subject: [PATCH v6 5/8] media: meson: vdec: Cancel esparser work during teardown Date: Sat, 30 May 2026 15:12:51 +0530 Message-ID: <20260530094326.11892-6-linux.amoon@gmail.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20260530094326.11892-1-linux.amoon@gmail.com> References: <20260530094326.11892-1-linux.amoon@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The esparser workqueue could remain active during error unwind, streaming stop, or device close, leading to use‑after‑free when work items accessed freed session memory. Fix this by explicitly cancelling the work in all teardown paths: - Call cancel_work_sync(&sess->esparser_queue_work) in vdec_start_streaming() error unwind, vdec_stop_streaming(), and vdec_close(). - Ensure the workqueue is drained before releasing session state and buffers. - Move codec_ops->drain() evaluation earlier in stop_streaming() using the status snapshot, so draining occurs before buffer cleanup. Following change prevents dangling work execution, eliminates use‑after‑free hazards, and ensures orderly teardown of decoder resources. Cc: Nicolas Dufresne Reported-by: Sashiko Closes: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/ Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver") Signed-off-by: Anand Moon --- drivers/staging/media/meson/vdec/vdec.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c index 698a95566ad2..4884ee04b352 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c @@ -380,6 +380,8 @@ static int vdec_start_streaming(struct vb2_queue *q, unsigned int count) sess->vififo_vaddr, sess->vififo_paddr); sess->vififo_vaddr = NULL; bufs_done: + cancel_work_sync(&sess->esparser_queue_work); + mutex_lock(&core->lock); if (core->cur_sess == sess) core->cur_sess = NULL; @@ -437,6 +439,8 @@ static void vdec_stop_streaming(struct vb2_queue *q) struct vb2_v4l2_buffer *buf; enum amvdec_status old_status; + cancel_work_sync(&sess->esparser_queue_work); + /* * Safely snapshot the status and clear the hardware owner inside * the mutex to prevent data races with concurrent STREAMON requests. @@ -448,7 +452,11 @@ static void vdec_stop_streaming(struct vb2_queue *q) sess->status = STATUS_STOPPED; mutex_unlock(&core->lock); - /* Evaluate the hardware state using our snapshot */ + if (q->type != V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) { + if (old_status >= STATUS_RUNNING && codec_ops->drain) + codec_ops->drain(sess); + } + if (old_status == STATUS_RUNNING || old_status == STATUS_INIT || (old_status == STATUS_NEEDS_RESUME && @@ -472,16 +480,10 @@ static void vdec_stop_streaming(struct vb2_queue *q) if (q->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE) { while ((buf = v4l2_m2m_src_buf_remove(sess->m2m_ctx))) v4l2_m2m_buf_done(buf, VB2_BUF_STATE_ERROR); - sess->streamon_out = 0; } else { - /* Drain remaining refs if was still running using the snapshot */ - if (old_status >= STATUS_RUNNING && codec_ops->drain) - codec_ops->drain(sess); - while ((buf = v4l2_m2m_dst_buf_remove(sess->m2m_ctx))) v4l2_m2m_buf_done(buf, VB2_BUF_STATE_ERROR); - sess->streamon_cap = 0; } } @@ -967,6 +969,8 @@ static int vdec_close(struct file *file) { struct amvdec_session *sess = file_to_amvdec_session(file); + cancel_work_sync(&sess->esparser_queue_work); + v4l2_m2m_ctx_release(sess->m2m_ctx); v4l2_fh_del(&sess->fh, file); v4l2_fh_exit(&sess->fh); -- 2.50.1