media: amphion: Fix race between m2m job_abort and device_run

Ming Qian · gregkh · commit 42dc622776f3 · 2026-05-17T17:13:27.000+02:00
commit 8cd35ce upstream. Fix kernel panic caused by race condition where v4l2_m2m_ctx_release() frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run with the same context. Race sequence: v4l2_m2m_try_run(): v4l2_m2m_ctx_release(): lock/unlock v4l2_m2m_cancel_job() job_abort() v4l2_m2m_job_finish() kfree(m2m_ctx) <- frees ctx device_run() <- use-after-free crash at 0x538 Crash trace: Unable to handle kernel read from unreadable memory at virtual address 0000000000000538 v4l2_m2m_try_run+0x78/0x138 v4l2_m2m_device_run_work+0x14/0x20 The amphion vpu driver does not rely on the m2m framework's device_run callback to perform encode/decode operations. Fix the race by preventing m2m framework job scheduling entirely: - Add job_ready callback returning 0 (no jobs ready for m2m framework) - Remove job_abort callback to avoid the race condition Fixes: 3cd0845 ("media: amphion: add vpu v4l2 m2m support") Cc: stable@vger.kernel.org Signed-off-by: Ming Qian <ming.qian@oss.nxp.com> Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com> Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/media/platform/amphion/vpu_v4l2.c b/drivers/media/platform/amphion/vpu_v4l2.c
@@ -441,17 +441,14 @@ static void vpu_m2m_device_run(void *priv)
 {
 }
 
-static void vpu_m2m_job_abort(void *priv)
+static int vpu_m2m_job_ready(void *priv)
 {
-	struct vpu_inst *inst = priv;
-	struct v4l2_m2m_ctx *m2m_ctx = inst->fh.m2m_ctx;
-
-	v4l2_m2m_job_finish(m2m_ctx->m2m_dev, m2m_ctx);
+	return 0;
 }
 
 static const struct v4l2_m2m_ops vpu_m2m_ops = {
 	.device_run = vpu_m2m_device_run,
-	.job_abort = vpu_m2m_job_abort
+	.job_ready = vpu_m2m_job_ready,
 };
 
 static int vpu_vb2_queue_setup(struct vb2_queue *vq,

Original file line number	Diff line number	Diff line change
`@@ -441,17 +441,14 @@ static void vpu_m2m_device_run(void *priv)`
`441`	`441`	`{`
`442`	`442`	`}`
`443`	`443`
`444`		`-static void vpu_m2m_job_abort(void *priv)`
	`444`	`+static int vpu_m2m_job_ready(void *priv)`
`445`	`445`	`{`
`446`		`- struct vpu_inst *inst = priv;`
`447`		`- struct v4l2_m2m_ctx *m2m_ctx = inst->fh.m2m_ctx;`
`448`		`-`
`449`		`- v4l2_m2m_job_finish(m2m_ctx->m2m_dev, m2m_ctx);`
	`446`	`+ return 0;`
`450`	`447`	`}`
`451`	`448`
`452`	`449`	`static const struct v4l2_m2m_ops vpu_m2m_ops = {`
`453`	`450`	`.device_run = vpu_m2m_device_run,`
`454`		`- .job_abort = vpu_m2m_job_abort`
	`451`	`+ .job_ready = vpu_m2m_job_ready,`
`455`	`452`	`};`
`456`	`453`
`457`	`454`	`static int vpu_vb2_queue_setup(struct vb2_queue *vq,`