From: Greg Kroah-Hartman
Date: Wed, 4 Dec 2024 10:14:51 +0000 (+0100)
Subject: drop venus patches from queues on request
X-Git-Tag: v4.19.325~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=72cb29e7863a6731442d5a294433afdea8079985;p=thirdparty%2Fkernel%2Fstable-queue.git
drop venus patches from queues on request
---
diff --git a/queue-5.15/media-venus-fix-enc-dec-destruction-order.patch b/queue-5.15/media-venus-fix-enc-dec-destruction-order.patch
deleted file mode 100644
index 26624211269..00000000000
--- a/queue-5.15/media-venus-fix-enc-dec-destruction-order.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From d217789c5fcd7ae66a544f5d9d54db8d1b5084b4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 26 Oct 2024 01:56:41 +0900
-Subject: media: venus: fix enc/dec destruction order
-
-From: Sergey Senozhatsky
-
-[ Upstream commit 6c9934c5a00ae722a98d1a06ed44b673514407b5 ]
-
-We destroy mutex-es too early as they are still taken in
-v4l2_fh_exit()->v4l2_event_unsubscribe()->v4l2_ctrl_find().
-
-We should destroy mutex-es right before kfree(). Also
-do not vdec_ctrl_deinit() before v4l2_fh_exit().
-
-Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
-Suggested-by: Tomasz Figa
-Signed-off-by: Sergey Senozhatsky
-Reviewed-by: Bryan O'Donoghue
-Signed-off-by: Stanimir Varbanov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Sasha Levin
----
- drivers/media/platform/qcom/venus/vdec.c | 7 ++++---
- drivers/media/platform/qcom/venus/venc.c | 6 +++---
- 2 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
-index 3cb8a284fc68f..af7352ce13990 100644
---- a/drivers/media/platform/qcom/venus/vdec.c
-+++ b/drivers/media/platform/qcom/venus/vdec.c
-@@ -1642,13 +1642,14 @@ static int vdec_close(struct file *file)
- cancel_work_sync(&inst->delayed_process_work);
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- vdec_ctrl_deinit(inst);
- ida_destroy(&inst->dpb_ids);
- hfi_session_destroy(inst);
-- mutex_destroy(&inst->lock);
-- mutex_destroy(&inst->ctx_q_lock);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
-+ vdec_ctrl_deinit(inst);
-+
-+ mutex_destroy(&inst->lock);
-+ mutex_destroy(&inst->ctx_q_lock);
-
- vdec_pm_put(inst, false);
-
-diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
-index 4a439b4908ea7..c833ca05cd9ec 100644
---- a/drivers/media/platform/qcom/venus/venc.c
-+++ b/drivers/media/platform/qcom/venus/venc.c
-@@ -1471,14 +1471,14 @@ static int venc_close(struct file *file)
-
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- venc_ctrl_deinit(inst);
- hfi_session_destroy(inst);
-- mutex_destroy(&inst->lock);
-- mutex_destroy(&inst->ctx_q_lock);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
-+ venc_ctrl_deinit(inst);
-
- inst->enc_state = VENUS_ENC_STATE_DEINIT;
-+ mutex_destroy(&inst->lock);
-+ mutex_destroy(&inst->ctx_q_lock);
-
- venc_pm_put(inst, false);
-
---
-2.43.0
-
diff --git a/queue-5.15/media-venus-sync-with-threaded-irq-during-inst-destr.patch b/queue-5.15/media-venus-sync-with-threaded-irq-during-inst-destr.patch
deleted file mode 100644
index 6dc37024a4b..00000000000
--- a/queue-5.15/media-venus-sync-with-threaded-irq-during-inst-destr.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From 213c71f4f473485a45a56c6b4a38d82899abc8d2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 26 Oct 2024 01:56:42 +0900
-Subject: media: venus: sync with threaded IRQ during inst destruction
-
-From: Sergey Senozhatsky
-
-[ Upstream commit 45b1a1b348ec178a599323f1ce7d7932aea8c6d4 ]
-
-When destroying an inst we should make sure that we don't race
-against threaded IRQ (or pending IRQ), otherwise we can concurrently
-kfree() inst context and inst itself.
-
-BUG: KASAN: slab-use-after-free in vb2_queue_error+0x80/0x90
-Call trace:
-dump_backtrace+0x1c4/0x1f8
-show_stack+0x38/0x60
-dump_stack_lvl+0x168/0x1f0
-print_report+0x170/0x4c8
-kasan_report+0x94/0xd0
-__asan_report_load2_noabort+0x20/0x30
-vb2_queue_error+0x80/0x90
-venus_helper_vb2_queue_error+0x54/0x78
-venc_event_notify+0xec/0x158
-hfi_event_notify+0x878/0xd20
-hfi_process_msg_packet+0x27c/0x4e0
-venus_isr_thread+0x258/0x6e8
-hfi_isr_thread+0x70/0x90
-venus_isr_thread+0x34/0x50
-irq_thread_fn+0x88/0x130
-irq_thread+0x160/0x2c0
-kthread+0x294/0x328
-ret_from_fork+0x10/0x20
-
-Allocated by task 20291:
-kasan_set_track+0x4c/0x80
-kasan_save_alloc_info+0x28/0x38
-__kasan_kmalloc+0x84/0xa0
-kmalloc_trace+0x7c/0x98
-v4l2_m2m_ctx_init+0x74/0x280
-venc_open+0x444/0x6d0
-v4l2_open+0x19c/0x2a0
-chrdev_open+0x374/0x3f0
-do_dentry_open+0x710/0x10a8
-vfs_open+0x88/0xa8
-path_openat+0x1e6c/0x2700
-do_filp_open+0x1a4/0x2e0
-do_sys_openat2+0xe8/0x508
-do_sys_open+0x15c/0x1a0
-__arm64_sys_openat+0xa8/0xc8
-invoke_syscall+0xdc/0x270
-el0_svc_common+0x1ec/0x250
-do_el0_svc+0x54/0x70
-el0_svc+0x50/0xe8
-el0t_64_sync_handler+0x48/0x120
-el0t_64_sync+0x1a8/0x1b0
-
-Freed by task 20291:
- kasan_set_track+0x4c/0x80
- kasan_save_free_info+0x3c/0x60
- ____kasan_slab_free+0x124/0x1a0
- __kasan_slab_free+0x18/0x28
- __kmem_cache_free+0x134/0x300
- kfree+0xc8/0x1a8
- v4l2_m2m_ctx_release+0x44/0x60
- venc_close+0x78/0x130 [venus_enc]
- v4l2_release+0x20c/0x2f8
- __fput+0x328/0x7f0
- ____fput+0x2c/0x48
- task_work_run+0x1e0/0x280
- get_signal+0xfb8/0x1190
- do_notify_resume+0x34c/0x16a8
- el0_svc+0x9c/0xe8
- el0t_64_sync_handler+0x48/0x120
- el0t_64_sync+0x1a8/0x1b0
-
-Rearrange inst destruction. First remove the inst from the
-core->instances list, second synchronize IRQ/IRQ-thread to
-make sure that nothing else would see the inst while we take
-it down.
-
-Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
-Signed-off-by: Sergey Senozhatsky
-Reviewed-by: Bryan O'Donoghue
-Signed-off-by: Stanimir Varbanov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Sasha Levin
----
- drivers/media/platform/qcom/venus/vdec.c | 12 +++++++++++-
- drivers/media/platform/qcom/venus/venc.c | 12 +++++++++++-
- 2 files changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
-index af7352ce13990..14b18abf3791f 100644
---- a/drivers/media/platform/qcom/venus/vdec.c
-+++ b/drivers/media/platform/qcom/venus/vdec.c
-@@ -1640,10 +1640,20 @@ static int vdec_close(struct file *file)
- vdec_pm_get(inst);
-
- cancel_work_sync(&inst->delayed_process_work);
-+ /*
-+ * First, remove the inst from the ->instances list, so that
-+ * to_instance() will return NULL.
-+ */
-+ hfi_session_destroy(inst);
-+ /*
-+ * Second, make sure we don't have IRQ/IRQ-thread currently running
-+ * or pending execution, which would race with the inst destruction.
-+ */
-+ synchronize_irq(inst->core->irq);
-+
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
- ida_destroy(&inst->dpb_ids);
-- hfi_session_destroy(inst);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
- vdec_ctrl_deinit(inst);
-diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
-index c833ca05cd9ec..2eab3388433ea 100644
---- a/drivers/media/platform/qcom/venus/venc.c
-+++ b/drivers/media/platform/qcom/venus/venc.c
-@@ -1469,9 +1469,19 @@ static int venc_close(struct file *file)
-
- venc_pm_get(inst);
-
-+ /*
-+ * First, remove the inst from the ->instances list, so that
-+ * to_instance() will return NULL.
-+ */
-+ hfi_session_destroy(inst);
-+ /*
-+ * Second, make sure we don't have IRQ/IRQ-thread currently running
-+ * or pending execution, which would race with the inst destruction.
-+ */
-+ synchronize_irq(inst->core->irq);
-+
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- hfi_session_destroy(inst);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
- venc_ctrl_deinit(inst);
---
-2.43.0
-
diff --git a/queue-5.15/series b/queue-5.15/series
index a9ee8ba6bba..99c9aed3b79 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -125,8 +125,6 @@ media-venus-addition-of-eos-event-support-for-encode.patch
 media-venus-addition-of-support-for-vidioc_try_encod.patch
 venus-venc-add-handling-for-vidioc_encoder_cmd.patch
 media-venus-provide-ctx-queue-lock-for-ioctl-synchro.patch
-media-venus-fix-enc-dec-destruction-order.patch
-media-venus-sync-with-threaded-irq-during-inst-destr.patch
 media-atomisp-remove-ifdef-has_no_hmem.patch
 media-atomisp-add-check-for-rgby_data-memory-allocat.patch
 platform-x86-panasonic-laptop-replace-snprintf-in-sh.patch
diff --git a/queue-6.1/media-venus-fix-enc-dec-destruction-order.patch b/queue-6.1/media-venus-fix-enc-dec-destruction-order.patch
deleted file mode 100644
index 7e254f20dfa..00000000000
--- a/queue-6.1/media-venus-fix-enc-dec-destruction-order.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 77f32e5eca6ecb78c6945e7e6884b588109d83e8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 26 Oct 2024 01:56:41 +0900
-Subject: media: venus: fix enc/dec destruction order
-
-From: Sergey Senozhatsky
-
-[ Upstream commit 6c9934c5a00ae722a98d1a06ed44b673514407b5 ]
-
-We destroy mutex-es too early as they are still taken in
-v4l2_fh_exit()->v4l2_event_unsubscribe()->v4l2_ctrl_find().
-
-We should destroy mutex-es right before kfree(). Also
-do not vdec_ctrl_deinit() before v4l2_fh_exit().
-
-Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
-Suggested-by: Tomasz Figa
-Signed-off-by: Sergey Senozhatsky
-Reviewed-by: Bryan O'Donoghue
-Signed-off-by: Stanimir Varbanov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Sasha Levin
----
- drivers/media/platform/qcom/venus/vdec.c | 7 ++++---
- drivers/media/platform/qcom/venus/venc.c | 6 +++---
- 2 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
-index 3b51d603605ee..f2fc57b8938ba 100644
---- a/drivers/media/platform/qcom/venus/vdec.c
-+++ b/drivers/media/platform/qcom/venus/vdec.c
-@@ -1711,13 +1711,14 @@ static int vdec_close(struct file *file)
- cancel_work_sync(&inst->delayed_process_work);
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- vdec_ctrl_deinit(inst);
- ida_destroy(&inst->dpb_ids);
- hfi_session_destroy(inst);
-- mutex_destroy(&inst->lock);
-- mutex_destroy(&inst->ctx_q_lock);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
-+ vdec_ctrl_deinit(inst);
-+
-+ mutex_destroy(&inst->lock);
-+ mutex_destroy(&inst->ctx_q_lock);
-
- vdec_pm_put(inst, false);
-
-diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
-index abd25720b96bc..9a23c1b1de8c2 100644
---- a/drivers/media/platform/qcom/venus/venc.c
-+++ b/drivers/media/platform/qcom/venus/venc.c
-@@ -1487,14 +1487,14 @@ static int venc_close(struct file *file)
-
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- venc_ctrl_deinit(inst);
- hfi_session_destroy(inst);
-- mutex_destroy(&inst->lock);
-- mutex_destroy(&inst->ctx_q_lock);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
-+ venc_ctrl_deinit(inst);
-
- inst->enc_state = VENUS_ENC_STATE_DEINIT;
-+ mutex_destroy(&inst->lock);
-+ mutex_destroy(&inst->ctx_q_lock);
-
- venc_pm_put(inst, false);
-
---
-2.43.0
-
diff --git a/queue-6.1/media-venus-sync-with-threaded-irq-during-inst-destr.patch b/queue-6.1/media-venus-sync-with-threaded-irq-during-inst-destr.patch
deleted file mode 100644
index 32bd12ef4fe..00000000000
--- a/queue-6.1/media-venus-sync-with-threaded-irq-during-inst-destr.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From 554be8e0e4a2ed5fc65eb171ae96089ce9ca06fe Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 26 Oct 2024 01:56:42 +0900
-Subject: media: venus: sync with threaded IRQ during inst destruction
-
-From: Sergey Senozhatsky
-
-[ Upstream commit 45b1a1b348ec178a599323f1ce7d7932aea8c6d4 ]
-
-When destroying an inst we should make sure that we don't race
-against threaded IRQ (or pending IRQ), otherwise we can concurrently
-kfree() inst context and inst itself.
-
-BUG: KASAN: slab-use-after-free in vb2_queue_error+0x80/0x90
-Call trace:
-dump_backtrace+0x1c4/0x1f8
-show_stack+0x38/0x60
-dump_stack_lvl+0x168/0x1f0
-print_report+0x170/0x4c8
-kasan_report+0x94/0xd0
-__asan_report_load2_noabort+0x20/0x30
-vb2_queue_error+0x80/0x90
-venus_helper_vb2_queue_error+0x54/0x78
-venc_event_notify+0xec/0x158
-hfi_event_notify+0x878/0xd20
-hfi_process_msg_packet+0x27c/0x4e0
-venus_isr_thread+0x258/0x6e8
-hfi_isr_thread+0x70/0x90
-venus_isr_thread+0x34/0x50
-irq_thread_fn+0x88/0x130
-irq_thread+0x160/0x2c0
-kthread+0x294/0x328
-ret_from_fork+0x10/0x20
-
-Allocated by task 20291:
-kasan_set_track+0x4c/0x80
-kasan_save_alloc_info+0x28/0x38
-__kasan_kmalloc+0x84/0xa0
-kmalloc_trace+0x7c/0x98
-v4l2_m2m_ctx_init+0x74/0x280
-venc_open+0x444/0x6d0
-v4l2_open+0x19c/0x2a0
-chrdev_open+0x374/0x3f0
-do_dentry_open+0x710/0x10a8
-vfs_open+0x88/0xa8
-path_openat+0x1e6c/0x2700
-do_filp_open+0x1a4/0x2e0
-do_sys_openat2+0xe8/0x508
-do_sys_open+0x15c/0x1a0
-__arm64_sys_openat+0xa8/0xc8
-invoke_syscall+0xdc/0x270
-el0_svc_common+0x1ec/0x250
-do_el0_svc+0x54/0x70
-el0_svc+0x50/0xe8
-el0t_64_sync_handler+0x48/0x120
-el0t_64_sync+0x1a8/0x1b0
-
-Freed by task 20291:
- kasan_set_track+0x4c/0x80
- kasan_save_free_info+0x3c/0x60
- ____kasan_slab_free+0x124/0x1a0
- __kasan_slab_free+0x18/0x28
- __kmem_cache_free+0x134/0x300
- kfree+0xc8/0x1a8
- v4l2_m2m_ctx_release+0x44/0x60
- venc_close+0x78/0x130 [venus_enc]
- v4l2_release+0x20c/0x2f8
- __fput+0x328/0x7f0
- ____fput+0x2c/0x48
- task_work_run+0x1e0/0x280
- get_signal+0xfb8/0x1190
- do_notify_resume+0x34c/0x16a8
- el0_svc+0x9c/0xe8
- el0t_64_sync_handler+0x48/0x120
- el0t_64_sync+0x1a8/0x1b0
-
-Rearrange inst destruction. First remove the inst from the
-core->instances list, second synchronize IRQ/IRQ-thread to
-make sure that nothing else would see the inst while we take
-it down.
-
-Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
-Signed-off-by: Sergey Senozhatsky
-Reviewed-by: Bryan O'Donoghue
-Signed-off-by: Stanimir Varbanov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Sasha Levin
----
- drivers/media/platform/qcom/venus/vdec.c | 12 +++++++++++-
- drivers/media/platform/qcom/venus/venc.c | 12 +++++++++++-
- 2 files changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
-index f2fc57b8938ba..924891a4b5a7b 100644
---- a/drivers/media/platform/qcom/venus/vdec.c
-+++ b/drivers/media/platform/qcom/venus/vdec.c
-@@ -1709,10 +1709,20 @@ static int vdec_close(struct file *file)
- vdec_pm_get(inst);
-
- cancel_work_sync(&inst->delayed_process_work);
-+ /*
-+ * First, remove the inst from the ->instances list, so that
-+ * to_instance() will return NULL.
-+ */
-+ hfi_session_destroy(inst);
-+ /*
-+ * Second, make sure we don't have IRQ/IRQ-thread currently running
-+ * or pending execution, which would race with the inst destruction.
-+ */
-+ synchronize_irq(inst->core->irq);
-+
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
- ida_destroy(&inst->dpb_ids);
-- hfi_session_destroy(inst);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
- vdec_ctrl_deinit(inst);
-diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
-index 9a23c1b1de8c2..45914237c9dc7 100644
---- a/drivers/media/platform/qcom/venus/venc.c
-+++ b/drivers/media/platform/qcom/venus/venc.c
-@@ -1485,9 +1485,19 @@ static int venc_close(struct file *file)
-
- venc_pm_get(inst);
-
-+ /*
-+ * First, remove the inst from the ->instances list, so that
-+ * to_instance() will return NULL.
-+ */
-+ hfi_session_destroy(inst);
-+ /*
-+ * Second, make sure we don't have IRQ/IRQ-thread currently running
-+ * or pending execution, which would race with the inst destruction.
-+ */
-+ synchronize_irq(inst->core->irq);
-+
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- hfi_session_destroy(inst);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
- venc_ctrl_deinit(inst);
---
-2.43.0
-
diff --git a/queue-6.1/series b/queue-6.1/series
index 7734c935714..666a91cc1a3 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -122,8 +122,6 @@ selftests-resctrl-protect-against-array-overrun-duri.patch
 firmware-arm_scpi-check-the-dvfs-opp-count-returned-.patch
 venus-venc-add-handling-for-vidioc_encoder_cmd.patch
 media-venus-provide-ctx-queue-lock-for-ioctl-synchro.patch
-media-venus-fix-enc-dec-destruction-order.patch
-media-venus-sync-with-threaded-irq-during-inst-destr.patch
 media-atomisp-add-check-for-rgby_data-memory-allocat.patch
 platform-x86-panasonic-laptop-return-errno-correctly.patch
 drm-mm-mark-drm_mm_interval_tree-functions-with-__ma.patch
diff --git a/queue-6.11/media-venus-fix-enc-dec-destruction-order.patch b/queue-6.11/media-venus-fix-enc-dec-destruction-order.patch
deleted file mode 100644
index 035d0fbe206..00000000000
--- a/queue-6.11/media-venus-fix-enc-dec-destruction-order.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From b3670d4259d554178a9a849c131e5d793f6d1eef Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 26 Oct 2024 01:56:41 +0900
-Subject: media: venus: fix enc/dec destruction order
-
-From: Sergey Senozhatsky
-
-[ Upstream commit 6c9934c5a00ae722a98d1a06ed44b673514407b5 ]
-
-We destroy mutex-es too early as they are still taken in
-v4l2_fh_exit()->v4l2_event_unsubscribe()->v4l2_ctrl_find().
-
-We should destroy mutex-es right before kfree(). Also
-do not vdec_ctrl_deinit() before v4l2_fh_exit().
-
-Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
-Suggested-by: Tomasz Figa
-Signed-off-by: Sergey Senozhatsky
-Reviewed-by: Bryan O'Donoghue
-Signed-off-by: Stanimir Varbanov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Sasha Levin
----
- drivers/media/platform/qcom/venus/vdec.c | 7 ++++---
- drivers/media/platform/qcom/venus/venc.c | 6 +++---
- 2 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
-index d12089370d91e..4af268e756883 100644
---- a/drivers/media/platform/qcom/venus/vdec.c
-+++ b/drivers/media/platform/qcom/venus/vdec.c
-@@ -1750,13 +1750,14 @@ static int vdec_close(struct file *file)
- cancel_work_sync(&inst->delayed_process_work);
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- vdec_ctrl_deinit(inst);
- ida_destroy(&inst->dpb_ids);
- hfi_session_destroy(inst);
-- mutex_destroy(&inst->lock);
-- mutex_destroy(&inst->ctx_q_lock);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
-+ vdec_ctrl_deinit(inst);
-+
-+ mutex_destroy(&inst->lock);
-+ mutex_destroy(&inst->ctx_q_lock);
-
- vdec_pm_put(inst, false);
-
-diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
-index 3ec2fb8d9fab6..56777d3d630a5 100644
---- a/drivers/media/platform/qcom/venus/venc.c
-+++ b/drivers/media/platform/qcom/venus/venc.c
-@@ -1517,14 +1517,14 @@ static int venc_close(struct file *file)
-
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- venc_ctrl_deinit(inst);
- hfi_session_destroy(inst);
-- mutex_destroy(&inst->lock);
-- mutex_destroy(&inst->ctx_q_lock);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
-+ venc_ctrl_deinit(inst);
-
- inst->enc_state = VENUS_ENC_STATE_DEINIT;
-+ mutex_destroy(&inst->lock);
-+ mutex_destroy(&inst->ctx_q_lock);
-
- venc_pm_put(inst, false);
-
---
-2.43.0
-
diff --git a/queue-6.11/media-venus-sync-with-threaded-irq-during-inst-destr.patch b/queue-6.11/media-venus-sync-with-threaded-irq-during-inst-destr.patch
deleted file mode 100644
index 2a9d288199b..00000000000
--- a/queue-6.11/media-venus-sync-with-threaded-irq-during-inst-destr.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From adf019e242ecd93c3f825e2ff3ba7978423ce71e Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 26 Oct 2024 01:56:42 +0900
-Subject: media: venus: sync with threaded IRQ during inst destruction
-
-From: Sergey Senozhatsky
-
-[ Upstream commit 45b1a1b348ec178a599323f1ce7d7932aea8c6d4 ]
-
-When destroying an inst we should make sure that we don't race
-against threaded IRQ (or pending IRQ), otherwise we can concurrently
-kfree() inst context and inst itself.
-
-BUG: KASAN: slab-use-after-free in vb2_queue_error+0x80/0x90
-Call trace:
-dump_backtrace+0x1c4/0x1f8
-show_stack+0x38/0x60
-dump_stack_lvl+0x168/0x1f0
-print_report+0x170/0x4c8
-kasan_report+0x94/0xd0
-__asan_report_load2_noabort+0x20/0x30
-vb2_queue_error+0x80/0x90
-venus_helper_vb2_queue_error+0x54/0x78
-venc_event_notify+0xec/0x158
-hfi_event_notify+0x878/0xd20
-hfi_process_msg_packet+0x27c/0x4e0
-venus_isr_thread+0x258/0x6e8
-hfi_isr_thread+0x70/0x90
-venus_isr_thread+0x34/0x50
-irq_thread_fn+0x88/0x130
-irq_thread+0x160/0x2c0
-kthread+0x294/0x328
-ret_from_fork+0x10/0x20
-
-Allocated by task 20291:
-kasan_set_track+0x4c/0x80
-kasan_save_alloc_info+0x28/0x38
-__kasan_kmalloc+0x84/0xa0
-kmalloc_trace+0x7c/0x98
-v4l2_m2m_ctx_init+0x74/0x280
-venc_open+0x444/0x6d0
-v4l2_open+0x19c/0x2a0
-chrdev_open+0x374/0x3f0
-do_dentry_open+0x710/0x10a8
-vfs_open+0x88/0xa8
-path_openat+0x1e6c/0x2700
-do_filp_open+0x1a4/0x2e0
-do_sys_openat2+0xe8/0x508
-do_sys_open+0x15c/0x1a0
-__arm64_sys_openat+0xa8/0xc8
-invoke_syscall+0xdc/0x270
-el0_svc_common+0x1ec/0x250
-do_el0_svc+0x54/0x70
-el0_svc+0x50/0xe8
-el0t_64_sync_handler+0x48/0x120
-el0t_64_sync+0x1a8/0x1b0
-
-Freed by task 20291:
- kasan_set_track+0x4c/0x80
- kasan_save_free_info+0x3c/0x60
- ____kasan_slab_free+0x124/0x1a0
- __kasan_slab_free+0x18/0x28
- __kmem_cache_free+0x134/0x300
- kfree+0xc8/0x1a8
- v4l2_m2m_ctx_release+0x44/0x60
- venc_close+0x78/0x130 [venus_enc]
- v4l2_release+0x20c/0x2f8
- __fput+0x328/0x7f0
- ____fput+0x2c/0x48
- task_work_run+0x1e0/0x280
- get_signal+0xfb8/0x1190
- do_notify_resume+0x34c/0x16a8
- el0_svc+0x9c/0xe8
- el0t_64_sync_handler+0x48/0x120
- el0t_64_sync+0x1a8/0x1b0
-
-Rearrange inst destruction. First remove the inst from the
-core->instances list, second synchronize IRQ/IRQ-thread to
-make sure that nothing else would see the inst while we take
-it down.
-
-Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
-Signed-off-by: Sergey Senozhatsky
-Reviewed-by: Bryan O'Donoghue
-Signed-off-by: Stanimir Varbanov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Sasha Levin
----
- drivers/media/platform/qcom/venus/vdec.c | 12 +++++++++++-
- drivers/media/platform/qcom/venus/venc.c | 12 +++++++++++-
- 2 files changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
-index 4af268e756883..b446046546403 100644
---- a/drivers/media/platform/qcom/venus/vdec.c
-+++ b/drivers/media/platform/qcom/venus/vdec.c
-@@ -1748,10 +1748,20 @@ static int vdec_close(struct file *file)
- vdec_pm_get(inst);
-
- cancel_work_sync(&inst->delayed_process_work);
-+ /*
-+ * First, remove the inst from the ->instances list, so that
-+ * to_instance() will return NULL.
-+ */
-+ hfi_session_destroy(inst);
-+ /*
-+ * Second, make sure we don't have IRQ/IRQ-thread currently running
-+ * or pending execution, which would race with the inst destruction.
-+ */
-+ synchronize_irq(inst->core->irq);
-+
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
- ida_destroy(&inst->dpb_ids);
-- hfi_session_destroy(inst);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
- vdec_ctrl_deinit(inst);
-diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
-index 56777d3d630a5..b83f03abbf0aa 100644
---- a/drivers/media/platform/qcom/venus/venc.c
-+++ b/drivers/media/platform/qcom/venus/venc.c
-@@ -1515,9 +1515,19 @@ static int venc_close(struct file *file)
-
- venc_pm_get(inst);
-
-+ /*
-+ * First, remove the inst from the ->instances list, so that
-+ * to_instance() will return NULL.
-+ */
-+ hfi_session_destroy(inst);
-+ /*
-+ * Second, make sure we don't have IRQ/IRQ-thread currently running
-+ * or pending execution, which would race with the inst destruction.
-+ */
-+ synchronize_irq(inst->core->irq);
-+
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- hfi_session_destroy(inst);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
- venc_ctrl_deinit(inst);
---
-2.43.0
-
diff --git a/queue-6.11/series b/queue-6.11/series
index c73017275a8..99090f7dfdd 100644
--- a/queue-6.11/series
+++ b/queue-6.11/series
@@ -204,8 +204,6 @@ selftests-resctrl-protect-against-array-overrun-duri.patch
 firmware-arm_scpi-check-the-dvfs-opp-count-returned-.patch
 media-ipu6-fix-dma-and-physical-address-debugging-me.patch
 media-ipu6-not-override-the-dma_ops-of-device-in-dri.patch
-media-venus-fix-enc-dec-destruction-order.patch
-media-venus-sync-with-threaded-irq-during-inst-destr.patch
 pwm-assume-a-disabled-pwm-to-emit-a-constant-inactiv.patch
 media-atomisp-add-check-for-rgby_data-memory-allocat.patch
 arm64-dts-rockchip-correct-analog-audio-name-on-indi.patch
diff --git a/queue-6.12/media-venus-fix-enc-dec-destruction-order.patch b/queue-6.12/media-venus-fix-enc-dec-destruction-order.patch
deleted file mode 100644
index 41576f05c04..00000000000
--- a/queue-6.12/media-venus-fix-enc-dec-destruction-order.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 99602d2e652f80adf0a16743352858e3f8167d68 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 26 Oct 2024 01:56:41 +0900
-Subject: media: venus: fix enc/dec destruction order
-
-From: Sergey Senozhatsky
-
-[ Upstream commit 6c9934c5a00ae722a98d1a06ed44b673514407b5 ]
-
-We destroy mutex-es too early as they are still taken in
-v4l2_fh_exit()->v4l2_event_unsubscribe()->v4l2_ctrl_find().
-
-We should destroy mutex-es right before kfree(). Also
-do not vdec_ctrl_deinit() before v4l2_fh_exit().
-
-Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
-Suggested-by: Tomasz Figa
-Signed-off-by: Sergey Senozhatsky
-Reviewed-by: Bryan O'Donoghue
-Signed-off-by: Stanimir Varbanov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Sasha Levin
----
- drivers/media/platform/qcom/venus/vdec.c | 7 ++++---
- drivers/media/platform/qcom/venus/venc.c | 6 +++---
- 2 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
-index d12089370d91e..4af268e756883 100644
---- a/drivers/media/platform/qcom/venus/vdec.c
-+++ b/drivers/media/platform/qcom/venus/vdec.c
-@@ -1750,13 +1750,14 @@ static int vdec_close(struct file *file)
- cancel_work_sync(&inst->delayed_process_work);
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- vdec_ctrl_deinit(inst);
- ida_destroy(&inst->dpb_ids);
- hfi_session_destroy(inst);
-- mutex_destroy(&inst->lock);
-- mutex_destroy(&inst->ctx_q_lock);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
-+ vdec_ctrl_deinit(inst);
-+
-+ mutex_destroy(&inst->lock);
-+ mutex_destroy(&inst->ctx_q_lock);
-
- vdec_pm_put(inst, false);
-
-diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
-index 3ec2fb8d9fab6..56777d3d630a5 100644
---- a/drivers/media/platform/qcom/venus/venc.c
-+++ b/drivers/media/platform/qcom/venus/venc.c
-@@ -1517,14 +1517,14 @@ static int venc_close(struct file *file)
-
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- venc_ctrl_deinit(inst);
- hfi_session_destroy(inst);
-- mutex_destroy(&inst->lock);
-- mutex_destroy(&inst->ctx_q_lock);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
-+ venc_ctrl_deinit(inst);
-
- inst->enc_state = VENUS_ENC_STATE_DEINIT;
-+ mutex_destroy(&inst->lock);
-+ mutex_destroy(&inst->ctx_q_lock);
-
- venc_pm_put(inst, false);
-
---
-2.43.0
-
diff --git a/queue-6.12/media-venus-sync-with-threaded-irq-during-inst-destr.patch b/queue-6.12/media-venus-sync-with-threaded-irq-during-inst-destr.patch
deleted file mode 100644
index dcceff37f30..00000000000
--- a/queue-6.12/media-venus-sync-with-threaded-irq-during-inst-destr.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From b880ce8c2c6a0e86b200cc7de817144149a92fd6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 26 Oct 2024 01:56:42 +0900
-Subject: media: venus: sync with threaded IRQ during inst destruction
-
-From: Sergey Senozhatsky
-
-[ Upstream commit 45b1a1b348ec178a599323f1ce7d7932aea8c6d4 ]
-
-When destroying an inst we should make sure that we don't race
-against threaded IRQ (or pending IRQ), otherwise we can concurrently
-kfree() inst context and inst itself.
-
-BUG: KASAN: slab-use-after-free in vb2_queue_error+0x80/0x90
-Call trace:
-dump_backtrace+0x1c4/0x1f8
-show_stack+0x38/0x60
-dump_stack_lvl+0x168/0x1f0
-print_report+0x170/0x4c8
-kasan_report+0x94/0xd0
-__asan_report_load2_noabort+0x20/0x30
-vb2_queue_error+0x80/0x90
-venus_helper_vb2_queue_error+0x54/0x78
-venc_event_notify+0xec/0x158
-hfi_event_notify+0x878/0xd20
-hfi_process_msg_packet+0x27c/0x4e0
-venus_isr_thread+0x258/0x6e8
-hfi_isr_thread+0x70/0x90
-venus_isr_thread+0x34/0x50
-irq_thread_fn+0x88/0x130
-irq_thread+0x160/0x2c0
-kthread+0x294/0x328
-ret_from_fork+0x10/0x20
-
-Allocated by task 20291:
-kasan_set_track+0x4c/0x80
-kasan_save_alloc_info+0x28/0x38
-__kasan_kmalloc+0x84/0xa0
-kmalloc_trace+0x7c/0x98
-v4l2_m2m_ctx_init+0x74/0x280
-venc_open+0x444/0x6d0
-v4l2_open+0x19c/0x2a0
-chrdev_open+0x374/0x3f0
-do_dentry_open+0x710/0x10a8
-vfs_open+0x88/0xa8
-path_openat+0x1e6c/0x2700
-do_filp_open+0x1a4/0x2e0
-do_sys_openat2+0xe8/0x508
-do_sys_open+0x15c/0x1a0
-__arm64_sys_openat+0xa8/0xc8
-invoke_syscall+0xdc/0x270
-el0_svc_common+0x1ec/0x250
-do_el0_svc+0x54/0x70
-el0_svc+0x50/0xe8
-el0t_64_sync_handler+0x48/0x120
-el0t_64_sync+0x1a8/0x1b0
-
-Freed by task 20291:
- kasan_set_track+0x4c/0x80
- kasan_save_free_info+0x3c/0x60
- ____kasan_slab_free+0x124/0x1a0
- __kasan_slab_free+0x18/0x28
- __kmem_cache_free+0x134/0x300
- kfree+0xc8/0x1a8
- v4l2_m2m_ctx_release+0x44/0x60
- venc_close+0x78/0x130 [venus_enc]
- v4l2_release+0x20c/0x2f8
- __fput+0x328/0x7f0
- ____fput+0x2c/0x48
- task_work_run+0x1e0/0x280
- get_signal+0xfb8/0x1190
- do_notify_resume+0x34c/0x16a8
- el0_svc+0x9c/0xe8
- el0t_64_sync_handler+0x48/0x120
- el0t_64_sync+0x1a8/0x1b0
-
-Rearrange inst destruction. First remove the inst from the
-core->instances list, second synchronize IRQ/IRQ-thread to
-make sure that nothing else would see the inst while we take
-it down.
-
-Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
-Signed-off-by: Sergey Senozhatsky
-Reviewed-by: Bryan O'Donoghue
-Signed-off-by: Stanimir Varbanov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Sasha Levin
----
- drivers/media/platform/qcom/venus/vdec.c | 12 +++++++++++-
- drivers/media/platform/qcom/venus/venc.c | 12 +++++++++++-
- 2 files changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
-index 4af268e756883..b446046546403 100644
---- a/drivers/media/platform/qcom/venus/vdec.c
-+++ b/drivers/media/platform/qcom/venus/vdec.c
-@@ -1748,10 +1748,20 @@ static int vdec_close(struct file *file)
- vdec_pm_get(inst);
-
- cancel_work_sync(&inst->delayed_process_work);
-+ /*
-+ * First, remove the inst from the ->instances list, so that
-+ * to_instance() will return NULL.
-+ */
-+ hfi_session_destroy(inst);
-+ /*
-+ * Second, make sure we don't have IRQ/IRQ-thread currently running
-+ * or pending execution, which would race with the inst destruction.
-+ */
-+ synchronize_irq(inst->core->irq);
-+
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
- ida_destroy(&inst->dpb_ids);
-- hfi_session_destroy(inst);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
- vdec_ctrl_deinit(inst);
-diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
-index 56777d3d630a5..b83f03abbf0aa 100644
---- a/drivers/media/platform/qcom/venus/venc.c
-+++ b/drivers/media/platform/qcom/venus/venc.c
-@@ -1515,9 +1515,19 @@ static int venc_close(struct file *file)
-
- venc_pm_get(inst);
-
-+ /*
-+ * First, remove the inst from the ->instances list, so that
-+ * to_instance() will return NULL.
-+ */
-+ hfi_session_destroy(inst);
-+ /*
-+ * Second, make sure we don't have IRQ/IRQ-thread currently running
-+ * or pending execution, which would race with the inst destruction.
-+ */
-+ synchronize_irq(inst->core->irq);
-+
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- hfi_session_destroy(inst);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
- venc_ctrl_deinit(inst);
---
-2.43.0
-
diff --git a/queue-6.12/series b/queue-6.12/series
index 59a862574ad..10ca6d3475d 100644
--- a/queue-6.12/series
+++ b/queue-6.12/series
@@ -168,8 +168,6 @@ firmware-arm_scpi-check-the-dvfs-opp-count-returned-.patch
 media-ipu6-fix-dma-and-physical-address-debugging-me.patch
 media-ipu6-not-override-the-dma_ops-of-device-in-dri.patch
 media-ipu6-remove-architecture-dma-ops-dependency-in.patch
-media-venus-fix-enc-dec-destruction-order.patch
-media-venus-sync-with-threaded-irq-during-inst-destr.patch
 pwm-assume-a-disabled-pwm-to-emit-a-constant-inactiv.patch
 media-atomisp-add-check-for-rgby_data-memory-allocat.patch
 arm64-dts-rockchip-correct-analog-audio-name-on-indi.patch
diff --git a/queue-6.6/media-venus-fix-enc-dec-destruction-order.patch b/queue-6.6/media-venus-fix-enc-dec-destruction-order.patch
deleted file mode 100644
index 49047cd5b5c..00000000000
--- a/queue-6.6/media-venus-fix-enc-dec-destruction-order.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 0d77f36c1ae77200d162e20f9cd107e3a257ebe3 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 26 Oct 2024 01:56:41 +0900
-Subject: media: venus: fix enc/dec destruction order
-
-From: Sergey Senozhatsky
-
-[ Upstream commit 6c9934c5a00ae722a98d1a06ed44b673514407b5 ]
-
-We destroy mutex-es too early as they are still taken in
-v4l2_fh_exit()->v4l2_event_unsubscribe()->v4l2_ctrl_find().
-
-We should destroy mutex-es right before kfree(). Also
-do not vdec_ctrl_deinit() before v4l2_fh_exit().
-
-Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
-Suggested-by: Tomasz Figa
-Signed-off-by: Sergey Senozhatsky
-Reviewed-by: Bryan O'Donoghue
-Signed-off-by: Stanimir Varbanov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Sasha Levin
----
- drivers/media/platform/qcom/venus/vdec.c | 7 ++++---
- drivers/media/platform/qcom/venus/venc.c | 6 +++---
- 2 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
-index 884ee6e9d4bd1..00aadf5907da4 100644
---- a/drivers/media/platform/qcom/venus/vdec.c
-+++ b/drivers/media/platform/qcom/venus/vdec.c
-@@ -1750,13 +1750,14 @@ static int vdec_close(struct file *file)
- cancel_work_sync(&inst->delayed_process_work);
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- vdec_ctrl_deinit(inst);
- ida_destroy(&inst->dpb_ids);
- hfi_session_destroy(inst);
-- mutex_destroy(&inst->lock);
-- mutex_destroy(&inst->ctx_q_lock);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
-+ vdec_ctrl_deinit(inst);
-+
-+ mutex_destroy(&inst->lock);
-+ mutex_destroy(&inst->ctx_q_lock);
-
- vdec_pm_put(inst, false);
-
-diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
-index 44b13696cf82a..41c93d43ac545 100644
---- a/drivers/media/platform/qcom/venus/venc.c
-+++ b/drivers/media/platform/qcom/venus/venc.c
-@@ -1517,14 +1517,14 @@ static int venc_close(struct file *file)
-
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- venc_ctrl_deinit(inst);
- hfi_session_destroy(inst);
-- mutex_destroy(&inst->lock);
-- mutex_destroy(&inst->ctx_q_lock);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
-+ venc_ctrl_deinit(inst);
-
- inst->enc_state = VENUS_ENC_STATE_DEINIT;
-+ mutex_destroy(&inst->lock);
-+ mutex_destroy(&inst->ctx_q_lock);
-
- venc_pm_put(inst, false);
-
---
-2.43.0
-
diff --git a/queue-6.6/media-venus-sync-with-threaded-irq-during-inst-destr.patch b/queue-6.6/media-venus-sync-with-threaded-irq-during-inst-destr.patch
deleted file mode 100644
index a42365908bb..00000000000
--- a/queue-6.6/media-venus-sync-with-threaded-irq-during-inst-destr.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From abd2a799d605b322d2fdf8db3b84dbb1fa05ad3d Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Sat, 26 Oct 2024 01:56:42 +0900
-Subject: media: venus: sync with threaded IRQ during inst destruction
-
-From: Sergey Senozhatsky
-
-[ Upstream commit 45b1a1b348ec178a599323f1ce7d7932aea8c6d4 ]
-
-When destroying an inst we should make sure that we don't race
-against threaded IRQ (or pending IRQ), otherwise we can concurrently
-kfree() inst context and inst itself.
-
-BUG: KASAN: slab-use-after-free in vb2_queue_error+0x80/0x90
-Call trace:
-dump_backtrace+0x1c4/0x1f8
-show_stack+0x38/0x60
-dump_stack_lvl+0x168/0x1f0
-print_report+0x170/0x4c8
-kasan_report+0x94/0xd0
-__asan_report_load2_noabort+0x20/0x30
-vb2_queue_error+0x80/0x90
-venus_helper_vb2_queue_error+0x54/0x78
-venc_event_notify+0xec/0x158
-hfi_event_notify+0x878/0xd20
-hfi_process_msg_packet+0x27c/0x4e0
-venus_isr_thread+0x258/0x6e8
-hfi_isr_thread+0x70/0x90
-venus_isr_thread+0x34/0x50
-irq_thread_fn+0x88/0x130
-irq_thread+0x160/0x2c0
-kthread+0x294/0x328
-ret_from_fork+0x10/0x20
-
-Allocated by task 20291:
-kasan_set_track+0x4c/0x80
-kasan_save_alloc_info+0x28/0x38
-__kasan_kmalloc+0x84/0xa0
-kmalloc_trace+0x7c/0x98
-v4l2_m2m_ctx_init+0x74/0x280
-venc_open+0x444/0x6d0
-v4l2_open+0x19c/0x2a0
-chrdev_open+0x374/0x3f0
-do_dentry_open+0x710/0x10a8
-vfs_open+0x88/0xa8
-path_openat+0x1e6c/0x2700
-do_filp_open+0x1a4/0x2e0
-do_sys_openat2+0xe8/0x508
-do_sys_open+0x15c/0x1a0
-__arm64_sys_openat+0xa8/0xc8
-invoke_syscall+0xdc/0x270
-el0_svc_common+0x1ec/0x250
-do_el0_svc+0x54/0x70
-el0_svc+0x50/0xe8
-el0t_64_sync_handler+0x48/0x120
-el0t_64_sync+0x1a8/0x1b0
-
-Freed by task 20291:
- kasan_set_track+0x4c/0x80
- kasan_save_free_info+0x3c/0x60
- ____kasan_slab_free+0x124/0x1a0
- __kasan_slab_free+0x18/0x28
- __kmem_cache_free+0x134/0x300
- kfree+0xc8/0x1a8
- v4l2_m2m_ctx_release+0x44/0x60
- venc_close+0x78/0x130 [venus_enc]
- v4l2_release+0x20c/0x2f8
- __fput+0x328/0x7f0
- ____fput+0x2c/0x48
- task_work_run+0x1e0/0x280
- get_signal+0xfb8/0x1190
- do_notify_resume+0x34c/0x16a8
- el0_svc+0x9c/0xe8
- el0t_64_sync_handler+0x48/0x120
- el0t_64_sync+0x1a8/0x1b0
-
-Rearrange inst destruction. First remove the inst from the
-core->instances list, second synchronize IRQ/IRQ-thread to
-make sure that nothing else would see the inst while we take
-it down.
-
-Fixes: 7472c1c69138 ("[media] media: venus: vdec: add video decoder files")
-Signed-off-by: Sergey Senozhatsky
-Reviewed-by: Bryan O'Donoghue
-Signed-off-by: Stanimir Varbanov
-Signed-off-by: Hans Verkuil
-Signed-off-by: Sasha Levin
----
- drivers/media/platform/qcom/venus/vdec.c | 12 +++++++++++-
- drivers/media/platform/qcom/venus/venc.c | 12 +++++++++++-
- 2 files changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c
-index 00aadf5907da4..d802ece8948fa 100644
---- a/drivers/media/platform/qcom/venus/vdec.c
-+++ b/drivers/media/platform/qcom/venus/vdec.c
-@@ -1748,10 +1748,20 @@ static int vdec_close(struct file *file)
- vdec_pm_get(inst);
-
- cancel_work_sync(&inst->delayed_process_work);
-+ /*
-+ * First, remove the inst from the ->instances list, so that
-+ * to_instance() will return NULL.
-+ */
-+ hfi_session_destroy(inst);
-+ /*
-+ * Second, make sure we don't have IRQ/IRQ-thread currently running
-+ * or pending execution, which would race with the inst destruction.
-+ */
-+ synchronize_irq(inst->core->irq);
-+
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
- ida_destroy(&inst->dpb_ids);
-- hfi_session_destroy(inst);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
- vdec_ctrl_deinit(inst);
-diff --git a/drivers/media/platform/qcom/venus/venc.c b/drivers/media/platform/qcom/venus/venc.c
-index 41c93d43ac545..35f3f3a519cf4 100644
---- a/drivers/media/platform/qcom/venus/venc.c
-+++ b/drivers/media/platform/qcom/venus/venc.c
-@@ -1515,9 +1515,19 @@ static int venc_close(struct file *file)
-
- venc_pm_get(inst);
-
-+ /*
-+ * First, remove the inst from the ->instances list, so that
-+ * to_instance() will return NULL.
-+ */
-+ hfi_session_destroy(inst);
-+ /*
-+ * Second, make sure we don't have IRQ/IRQ-thread currently running
-+ * or pending execution, which would race with the inst destruction.
-+ */
-+ synchronize_irq(inst->core->irq);
-+
- v4l2_m2m_ctx_release(inst->m2m_ctx);
- v4l2_m2m_release(inst->m2m_dev);
-- hfi_session_destroy(inst);
- v4l2_fh_del(&inst->fh);
- v4l2_fh_exit(&inst->fh);
- venc_ctrl_deinit(inst);
---
-2.43.0
-
diff --git a/queue-6.6/series b/queue-6.6/series
index 126163963c4..ffd0e334582 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -163,8 +163,6 @@ selftests-resctrl-refactor-fill_buf-functions.patch
 selftests-resctrl-fix-memory-overflow-due-to-unhandl.patch
 selftests-resctrl-protect-against-array-overrun-duri.patch
 firmware-arm_scpi-check-the-dvfs-opp-count-returned-.patch
-media-venus-fix-enc-dec-destruction-order.patch
-media-venus-sync-with-threaded-irq-during-inst-destr.patch
 media-atomisp-add-check-for-rgby_data-memory-allocat.patch
 arm64-dts-rockchip-correct-analog-audio-name-on-indi.patch
 hid-hyperv-streamline-driver-probe-to-avoid-devres-i.patch