git.ipfire.org Git - thirdparty/kernel/linux.git/commit
media: chips-media: wave5: Release m2m_ctx after Instance Removed from List
author Brandon Brnich <b-brnich@ti.com>
Thu, 2 Apr 2026 18:45:53 +0000 (13:45 -0500)
committer Hans Verkuil <hverkuil+cisco@kernel.org>
Mon, 4 May 2026 07:31:04 +0000 (09:31 +0200)
commit 7cdbd7bb21949a8fda10c7104a2b12ee363cbf5c
tree efc0ac2dc753bb637da861c03b1fe4ef7a5f3997
parent 4ae45bf4663ed93c61e9f716e81455122fb66ee2

Possible use after free if IRQ thread manages to obtain spinlock between
m2m_ctx release and wave5_release function removing stream instance from
list of active instances. The IRQ thread looks for the m2m_ctx which is
freed so null pointer dereference occurs.

Signed-off-by: Brandon Brnich <b-brnich@ti.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Tested-by: Jackson Lee <jackson.lee@chipsnmedia.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
drivers/media/platform/chips-media/wave5/wave5-helper.c
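
The teardown ordering described in the commit message, as an added user-space model in C; it is not the wave5 driver's code and not part of this commit. All type and function names are hypothetical, releasing the context is modelled as setting a flag instead of freeing memory, and the IRQ-thread scan is called at the point between the two teardown steps instead of running on a second thread, so the result is deterministic.

```c
/* User-space model of the teardown ordering. All names are hypothetical
 * stand-ins (assumptions), not the wave5 driver's own code. */
#include <stdbool.h>
#include <stddef.h>
struct ctx  { bool released; };              /* stands in for m2m_ctx */
struct inst { struct inst *next; struct ctx *ctx; };
static struct inst *active;                  /* list of active instances */

/* IRQ-thread work done under the list lock: use the ctx of every listed
 * instance. Returns how many of those ctx were already released. */
static int irq_scan(void)
{
    int stale = 0;
    for (struct inst *i = active; i; i = i->next)
        stale += i->ctx->released;
    return stale;
}

static void unlink_inst(struct inst *victim)
{
    for (struct inst **p = &active; *p; p = &(*p)->next)
        if (*p == victim) { *p = victim->next; return; }
}

/* Release one instance with the IRQ scan injected between the two steps,
 * i.e. in the window the commit message describes. */
static int release_inst(struct inst *i, bool unlink_first)
{
    if (unlink_first)
        unlink_inst(i);          /* new order: unreachable before release */
    else
        i->ctx->released = true; /* old order: ctx gone while still listed */
    int stale = irq_scan();
    if (unlink_first)
        i->ctx->released = true;
    else
        unlink_inst(i);
    return stale;
}

/* Constructed input: two listed instances, the second one is released. */
int run_case(bool unlink_first)
{
    static struct ctx c[2];
    static struct inst n[2];
    c[0].released = c[1].released = false;
    n[0] = (struct inst){ &n[1], &c[0] };
    n[1] = (struct inst){ NULL, &c[1] };
    active = &n[0];
    return release_inst(&n[1], unlink_first);
}
```

`run_case(false)` reports one access to an already released context; `run_case(true)` reports none, because the instance is off the list before its context goes away.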