Re: [PATCH 0/2] media: meson: vdec: fix two more VP9 reference-frame lifetime bugs

Next message: Runyu Xiao: "[RFC] nvmet: clarify RCU-list traversal contract for PR registrants"
Previous message: Doruk Tan Ozturk: "Re: [PATCH v2 0/2] media: atomisp: validate user-supplied buffer sizes in two ioctl paths"
In reply to: Doruk Tan Ozturk: "[PATCH 2/2] media: meson: vdec: guard against NULL prev_frame in codec_vp9_set_mpred_mv()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Doruk Tan Ozturk

Date: Sat Jun 27 2026 - 09:02:20 EST

Please drop this series; both patches are wrong.

1/2 is mis-attributed: codec_vp9_flush_output() is the .drain handler and is
only followed by teardown (codec_vp9_stop), never a resume, so the "dangling
pointer on resume" path doesn't exist. The real stale-prev_frame deref is on
the source-change resume path, not flush.

2/2 fixes a real NULL deref but in the wrong place: the early return also skips
the current-frame MV-write register setup (HEVC_MPRED_MV_WR_START_ADDR /
HEVC_MPRED_MV_WPTR), leaving the hardware to DMA-write to a stale address.
Sashiko's review is correct. The right fix guards only the prev_frame reads
while keeping the cur_frame writes; I'll send that separately once tested.

The rm_noshow_frame() use-after-free ([PATCH v2] on the list) is independent
and unaffected.

Doruk