Re: [PATCH v2] media: chips-media: wave5: Move src_buf Removal to finish_encode

From: Nicolas Dufresne

Date: Wed Apr 08 2026 - 15:57:15 EST


On Friday, 20 March 2026 at 13:05 -0500, Brandon Brnich wrote:
> During encoder processing, there is a case where the IRQ response could
> return the buffer back to userspace via v4l2_m2m_buf_done call. In this
> time, userspace could queue up this same buffer before start_encode removes
> the index from the ready queue. This would then lead to a case where the
> buffer in the ready queue could be a self loop due to the
> WRITE_ONCE(prev->next, new) call in __list_add.
>
> When __list_del is finally called, the loop is already made so nothing
> points back to ready queue list head and pointers are poisoned.
>
> A buffer should not be marked as DONE before the buffer is removed from
> m2m ready queue. Move removal entirely to finish_encode.
>
> Signed-off-by: Brandon Brnich <b-brnich@xxxxxx>

Reviewed-by: Nicolas Dufresne <nicolas.dufresne@xxxxxxxxxxxxx>

> ---
>
> V2:
>  - Update function to use reported index from encoder
>  - Fix reported media CI bot style errors with brackets
>
>  .../chips-media/wave5/wave5-vpu-enc.c         | 29 +++----------------
>  1 file changed, 4 insertions(+), 25 deletions(-)
>
> diff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
> index 7613fcdbafed..c605a91718d8 100644
> --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
> +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c
> @@ -226,13 +226,6 @@ static int start_encode(struct vpu_instance *inst, u32 *fail_res)
>   } else {
>   dev_dbg(inst->dev->dev, "%s: wave5_vpu_enc_start_one_frame success\n",
>   __func__);
> - /*
> - * Remove the source buffer from the ready-queue now and finish
> - * it in the videobuf2 framework once the index is returned by the
> - * firmware in finish_encode
> - */
> - if (src_buf)
> - v4l2_m2m_src_buf_remove_by_idx(m2m_ctx, src_buf->vb2_buf.index);
>   }
>  
>   return 0;
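
Review bot: With the `v4l2_m2m_src_buf_remove_by_idx()` call dropped from the success branch of start_encode, the comment that explained when the source buffer leaves the ready queue is removed and nothing replaces it. A short comment at this spot stating that the buffer intentionally stays on the m2m ready queue until finish_encode gets its index back from the firmware would keep the ownership rule visible. The code that selects src_buf is outside this hunk, so it is worth confirming that a second start_encode running before the matching finish_encode cannot pick the same, still queued, buffer.
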
> @@ -259,27 +252,13 @@ static void wave5_vpu_enc_finish_encode(struct vpu_instance *inst)
>   __func__,  enc_output_info.pic_type, enc_output_info.recon_frame_index,
>   enc_output_info.enc_src_idx, enc_output_info.enc_pic_byte, enc_output_info.pts);
>  
> - /*
> - * The source buffer will not be found in the ready-queue as it has been
> - * dropped after sending of the encode firmware command, locate it in
> - * the videobuf2 queue directly
> - */
>   if (enc_output_info.enc_src_idx >= 0) {
> - struct vb2_buffer *vb = vb2_get_buffer(v4l2_m2m_get_src_vq(m2m_ctx),
> -        enc_output_info.enc_src_idx);
> - if (vb->state != VB2_BUF_STATE_ACTIVE)
> - dev_warn(inst->dev->dev,
> - "%s: encoded buffer (%d) was not in ready queue %i.",
> - __func__, enc_output_info.enc_src_idx, vb->state);
> - else
> - src_buf = to_vb2_v4l2_buffer(vb);
> -
> - if (src_buf) {
> + src_buf = v4l2_m2m_src_buf_remove_by_idx(m2m_ctx, enc_output_info.enc_src_idx);
> + if (!src_buf) {
> + dev_warn(inst->dev->dev, "%s: no source buffer found\n", __func__);
> + } else {
>   inst->timestamp = src_buf->vb2_buf.timestamp;
>   v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_DONE);
> - } else {
> - dev_warn(inst->dev->dev, "%s: no source buffer with index: %d found\n",
> - __func__, enc_output_info.enc_src_idx);
>   }
>   }
>  
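
Review bot: The new warning in the `if (!src_buf)` branch, `"%s: no source buffer found\n"`, drops the index that the removed message printed. Keeping `enc_output_info.enc_src_idx` in the format string, as the removed `"%s: no source buffer with index: %d found\n"` did, would make a mismatch between the firmware-reported index and the ready queue diagnosable from the log alone.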
