From: Tharit Tangkijwanichakul
To: tomi.valkeinen@ideasonboard.com, kernel-list@raspberrypi.com, mchehab@kernel.org, linux-media@vger.kernel.org
Cc: florian.fainelli@broadcom.com, bcm-kernel-feedback-list@broadcom.com, linux-rpi-kernel@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linux.dev, Tharit Tangkijwanichakul
Subject: [PATCH] media: raspberrypi: rp1-cfe: acquire state_lock in cfe_start_streaming()
Date: Tue, 30 Jun 2026 20:07:56 +0700
Message-ID: <20260630130756.28744-1-tharitt97@gmail.com>

cfe_start_streaming() modifies shared device state without holding
state_lock.

The driver exposes multiple video nodes backed by a single cfe_device.
While one node runs cfe_start_streaming(), another node's
cfe_buffer_queue() may read the node state via test_all_nodes() under
state_lock to decide whether to schedule a job. Another case is when
node->fs_count is read by the interrupt handler in cfe_sof_isr().
Modifying this state without state_lock races against those readers.

The counterpart cfe_stop_streaming() already takes state_lock around
its state modification. Fix cfe_start_streaming() to do the same.

Found by code inspection.

Fixes: 6edb685abb2a ("media: raspberrypi: Add support for RP1-CFE")
Signed-off-by: Tharit Tangkijwanichakul
---
 drivers/media/platform/raspberrypi/rp1-cfe/cfe.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c index 8375ed3e9..d8ea71830 100644 --- a/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c +++ b/drivers/media/platform/raspberrypi/rp1-cfe/cfe.c @@ -1151,6 +1151,7 @@ static int cfe_start_streaming(struct vb2_queue *vq, unsigned int count) struct v4l2_subdev_state *state; struct v4l2_subdev_route *route; s64 link_freq; + unsigned long flags; int ret; cfe_dbg(cfe, "%s: [%s]\n", __func__, node_desc[node->id].name); @@ -1184,9 +1185,11 @@ static int cfe_start_streaming(struct vb2_queue *vq, unsigned int count) state = v4l2_subdev_lock_and_get_active_state(&cfe->csi2.sd); + spin_lock_irqsave(&cfe->state_lock, flags); clear_state(cfe, FS_INT | FE_INT, node->id); set_state(cfe, NODE_STREAMING, node->id); node->fs_count = 0; + spin_unlock_irqrestore(&cfe->state_lock, flags); ret = cfe_start_channel(node); if (ret) base-commit: 06cb687a5132fcffe624c0070576ab852ac6b568 prerequisite-patch-id: 4c010e20cdeb611d14546bc729b513f959e25afd -- 2.53.0
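
Review bot: In the second hunk (@@ -1184,9 +1185,11 @@), state_lock is dropped before `ret = cfe_start_channel(node);`, and the body of the `if (ret)` branch that follows lies outside the visible context. If that error path undoes `set_state(cfe, NODE_STREAMING, node->id)`, it writes the same shared state that the commit message says cfe_buffer_queue() reads under state_lock, so it needs the same locking; please confirm it is already covered or extend the patch to include it. A smaller point on the same lines: this path has already called v4l2_subdev_lock_and_get_active_state(), which takes a mutex, so it runs in process context and spin_lock_irq() would also be correct here. Keeping spin_lock_irqsave() is fine if it matches the form used in cfe_stop_streaming(), but the commit message could say so. Since the race was found by inspection only, a note on whether the change was exercised with lockdep enabled would help reviewers.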