]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
media: chips-media: wave5: Move src_buf Removal to finish_encode
authorBrandon Brnich <b-brnich@ti.com>
Fri, 20 Mar 2026 18:05:26 +0000 (13:05 -0500)
committerHans Verkuil <hverkuil+cisco@kernel.org>
Mon, 4 May 2026 06:35:14 +0000 (08:35 +0200)
During encoder processing, there is a case where the IRQ response could
return the buffer back to userspace via v4l2_m2m_buf_done call. In this
time, userspace could queue up this same buffer before start_encode removes
the index from the ready queue. This would then lead to a case where the
buffer in the ready queue could be a self loop due to the
WRITE_ONCE(prev->next, new) call in __list_add.

When __list_del is finally called, the loop is already made so nothing
points back to ready queue list head and pointers are poisoned.

A buffer should not be marked as DONE before the buffer is removed from
m2m ready queue. Move removal entirely to finish_encode.

Fixes: 9707a6254a8a6 ("media: chips-media: wave5: Add the v4l2 layer")
Cc: stable@vger.kernel.org
Signed-off-by: Brandon Brnich <b-brnich@ti.com>
Tested-by: Jackson Lee <jackson.lee@chipsnmedia.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c

index 7613fcdbafedb45ba778d1e6faaf298b1ec13c5e..c605a91718d8bb97d7a0a731518a78fa4de8d7e7 100644 (file)
@@ -226,13 +226,6 @@ static int start_encode(struct vpu_instance *inst, u32 *fail_res)
        } else {
                dev_dbg(inst->dev->dev, "%s: wave5_vpu_enc_start_one_frame success\n",
                        __func__);
-               /*
-                * Remove the source buffer from the ready-queue now and finish
-                * it in the videobuf2 framework once the index is returned by the
-                * firmware in finish_encode
-                */
-               if (src_buf)
-                       v4l2_m2m_src_buf_remove_by_idx(m2m_ctx, src_buf->vb2_buf.index);
        }
 
        return 0;
@@ -259,27 +252,13 @@ static void wave5_vpu_enc_finish_encode(struct vpu_instance *inst)
                __func__,  enc_output_info.pic_type, enc_output_info.recon_frame_index,
                enc_output_info.enc_src_idx, enc_output_info.enc_pic_byte, enc_output_info.pts);
 
-       /*
-        * The source buffer will not be found in the ready-queue as it has been
-        * dropped after sending of the encode firmware command, locate it in
-        * the videobuf2 queue directly
-        */
        if (enc_output_info.enc_src_idx >= 0) {
-               struct vb2_buffer *vb = vb2_get_buffer(v4l2_m2m_get_src_vq(m2m_ctx),
-                                                      enc_output_info.enc_src_idx);
-               if (vb->state != VB2_BUF_STATE_ACTIVE)
-                       dev_warn(inst->dev->dev,
-                                "%s: encoded buffer (%d) was not in ready queue %i.",
-                                __func__, enc_output_info.enc_src_idx, vb->state);
-               else
-                       src_buf = to_vb2_v4l2_buffer(vb);
-
-               if (src_buf) {
+               src_buf = v4l2_m2m_src_buf_remove_by_idx(m2m_ctx, enc_output_info.enc_src_idx);
+               if (!src_buf) {
+                       dev_warn(inst->dev->dev, "%s: no source buffer found\n", __func__);
+               } else {
                        inst->timestamp = src_buf->vb2_buf.timestamp;
                        v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_DONE);
-               } else {
-                       dev_warn(inst->dev->dev, "%s: no source buffer with index: %d found\n",
-                                __func__, enc_output_info.enc_src_idx);
                }
        }