[PATCH v4 1/3] media: meson: vdec: Fix memory leak in error path of vdec_open
sashiko-bot at kernel.org
Thu May 21 01:09:27 PDT 2026
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Incorrect teardown order in `vdec_close()` causes use-after-destroy of the V4L2 control handler's mutex.
--
commit 82e916771a779b02500f97d58e344bb93ca8e9ca
Author: Anand Moon <linux.amoon at gmail.com>
media: meson: vdec: Fix memory leak in error path of vdec_open
This commit introduces a proper err_m2m_ctx_release label in the error path
of vdec_open() to ensure the m2m context is released before releasing the m2m
device. It also attempts to free the V4L2 control handler memory in
vdec_close() to fix a resource leak.
Closes: https://lore.kernel.org/all/20260520045905.6ACBA1F000E9@smtp.kernel.org/#t
> diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c
> --- a/drivers/staging/media/meson/vdec/vdec.c
> +++ b/drivers/staging/media/meson/vdec/vdec.c
[ ... ]
> @@ -926,6 +928,7 @@ static int vdec_close(struct file *file)
>
> v4l2_m2m_ctx_release(sess->m2m_ctx);
> v4l2_m2m_release(sess->m2m_dev);
> + v4l2_ctrl_handler_free(&sess->ctrl_handler);
[Severity: High]
Could this specific ordering cause a use-after-destroy of the V4L2 control
handler's mutex?
If an application has subscribed to a V4L2 control event, v4l2_fh_exit()
unconditionally calls v4l2_event_unsubscribe_all(). This unsubscribe logic
eventually invokes v4l2_ctrl_del_event(), which attempts to lock the
control handler's mutex.
Since v4l2_ctrl_handler_free() destroys the mutex:
    v4l2_ctrl_handler_free()
        mutex_destroy(&hdl->_lock);
Calling it before v4l2_fh_exit() could lead to operating on a destroyed mutex
and potentially cause a kernel panic if mutex debugging is enabled.
Should v4l2_ctrl_handler_free() be called after v4l2_fh_del() and
v4l2_fh_exit() instead?
> v4l2_fh_del(&sess->fh, file);
> v4l2_fh_exit(&sess->fh);
>
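Review bot: The added v4l2_ctrl_handler_free(&sess->ctrl_handler) call in vdec_close() is a close-path change, while the subject line names only the error path of vdec_open(); it would be easier to review and backport as its own patch, or should at least be called out in the subject. If it stays in this patch, placing it after the v4l2_fh_exit(&sess->fh) context line at the end of this hunk, rather than between v4l2_m2m_release() and v4l2_fh_del(), keeps the control handler intact until the file handle has been torn down.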
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260521073449.10057-1-linux.amoon@gmail.com?part=1
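The teardown-order concern raised in the review above, as an added userspace model that is not part of the original message, the patch, or the kernel source. All `model_*` names are hypothetical stand-ins, and the model assumes only what the review states: freeing the handler destroys its mutex, and exiting a file handle with a subscribed control event locks that mutex.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: hypothetical stand-ins, not the kernel's V4L2 code. */
struct model_handler { bool lock_alive; };
struct model_fh { struct model_handler *hdl; bool subscribed; };

static int bad_locks; /* lock attempts on a destroyed mutex */

/* Stand-in for v4l2_ctrl_handler_free(): destroys the handler's mutex. */
static void model_handler_free(struct model_handler *h)
{
    h->lock_alive = false;
}

/* Stand-in for v4l2_fh_exit(): unsubscribing a control event locks the
 * handler's mutex; mutex debugging would flag a destroyed one. */
static void model_fh_exit(struct model_fh *fh)
{
    if (!fh->subscribed)
        return;
    if (!fh->hdl->lock_alive)
        bad_locks++;
    fh->subscribed = false;
}

/* Runs one close() sequence and returns the number of bad lock attempts. */
int model_close(bool subscribed, bool free_handler_first)
{
    struct model_handler h = { true };
    struct model_fh fh = { &h, subscribed };

    bad_locks = 0;
    if (free_handler_first) {   /* order in the quoted hunk */
        model_handler_free(&h);
        model_fh_exit(&fh);
    } else {                    /* order the review asks about */
        model_fh_exit(&fh);
        model_handler_free(&h);
    }
    return bad_locks;
}

int main(void)
{
    printf("handler freed first: %d bad lock(s)\n", model_close(true, true));
    printf("fh_exit first:       %d bad lock(s)\n", model_close(true, false));
    return 0;
}
```

In this model the bad lock only appears when the file handle holds a control-event subscription at close time, which is why a test that never subscribes would not catch the ordering problem.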
More information about the linux-amlogic
mailing list