From: Anand Moon
To: Neil Armstrong, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, David Airlie, Simona Vetter, Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Mauro Carvalho Chehab, Greg Kroah-Hartman, Maxime Jourdan, Hans Verkuil, dri-devel@lists.freedesktop.org (open list:DRM DRIVERS FOR AMLOGIC SOCS), linux-amlogic@lists.infradead.org (open list:DRM DRIVERS FOR AMLOGIC SOCS), linux-arm-kernel@lists.infradead.org (moderated list:ARM/Amlogic Meson SoC support), linux-kernel@vger.kernel.org (open list), linux-media@vger.kernel.org (open list:MESON VIDEO DECODER DRIVER FOR AMLOGIC SOCS), linux-staging@lists.linux.dev (open list:STAGING SUBSYSTEM)
Cc: Anand Moon, Nicolas Dufresne, Sashiko
Subject: [PATCH v6 7/8] media: meson: vdec: Fix NULL pointer dereference in ISR handlers
Date: Sat, 30 May 2026 15:12:53 +0530
Message-ID: <20260530094326.11892-8-linux.amoon@gmail.com>
X-Mailer: git-send-email 2.50.1
In-Reply-To: <20260530094326.11892-1-linux.amoon@gmail.com>
References: <20260530094326.11892-1-linux.amoon@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

The hard interrupt handler (vdec_isr) and the threaded interrupt handler (vdec_threaded_isr) directly read core->cur_sess without synchronization or validation. If a streaming teardown concurrently clears core->cur_sess to NULL while an interrupt is being processed, a NULL pointer dereference occurs when accessing the session fields or codec operations.

Fix this race condition by using READ_ONCE() to obtain a stable, atomic snapshot of core->cur_sess. Check if the returned session pointer is NULL, and return IRQ_NONE immediately if the session has already been torn down.

Cc: Nicolas Dufresne
Reported-by: Sashiko
Closes: https://lore.kernel.org/all/20260521090944.F35401F00A3D@smtp.kernel.org/
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Anand Moon --- drivers/staging/media/meson/vdec/vdec.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c index f99335effe17..3897c75b19c8 100644 --- a/drivers/staging/media/meson/vdec/vdec.c +++ b/drivers/staging/media/meson/vdec/vdec.c @@ -996,17 +996,36 @@ static const struct v4l2_file_operations vdec_fops = { static irqreturn_t vdec_isr(int irq, void *data) { struct amvdec_core *core = data; - struct amvdec_session *sess = core->cur_sess; + struct amvdec_session *sess; + irqreturn_t ret = IRQ_HANDLED; + + /* + * Use READ_ONCE to secure an atomic snapshot of the pointer, + * protecting against concurrent clearing during streaming + * teardowns. + */ + sess = READ_ONCE(core->cur_sess); + if (!sess) + return IRQ_NONE; sess->last_irq_jiffies = get_jiffies_64(); + ret = sess->fmt_out->codec_ops->isr(sess); - return sess->fmt_out->codec_ops->isr(sess); + return ret; } static irqreturn_t vdec_threaded_isr(int irq, void *data) { struct amvdec_core *core = data; - struct amvdec_session *sess = core->cur_sess; + struct amvdec_session *sess; + + /* + * Prevent late-stage threaded interrupts from dereferencing a NULL + * session. + */ + sess = READ_ONCE(core->cur_sess); + if (!sess) + return IRQ_NONE; return sess->fmt_out->codec_ops->threaded_isr(sess); } -- 2.50.1
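Review bot: In the vdec_isr() and vdec_threaded_isr() changes, `sess = READ_ONCE(core->cur_sess);` followed by the NULL check gives a single atomic load of the pointer but does nothing to keep the session alive after that check; this hunk shows only the reader side, and nothing in the patch shows the teardown path waiting for an in-flight handler (for example with synchronize_irq() after clearing cur_sess) before the old session's memory and its fmt_out->codec_ops are released, so `sess->fmt_out->codec_ops->isr(sess)` can still run on a stale session if teardown wins the race between the check and the call. Suggest either adding that pairing on the writer side in this series or stating in the commit message which existing synchronisation guarantees it, so the "fix this race condition" claim is backed by what the reader can see. Two smaller points in the same hunk: `irqreturn_t ret = IRQ_HANDLED;` is a dead initialiser, since ret is unconditionally overwritten by the codec isr() result, and the original single-line `return sess->fmt_out->codec_ops->isr(sess);` is simpler; and returning IRQ_NONE for an interrupt the decoder did raise counts as an unhandled interrupt in the core's accounting, which can lead to the line being disabled as spurious if it repeats, so if the device can still interrupt after cur_sess is cleared it may be safer to return IRQ_HANDLED there or to confirm the interrupt is masked before the pointer is cleared.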