[PATCH v4 1/3] media: meson: vdec: Fix memory leak in error path of vdec_open

Anand Moon linux.amoon at gmail.com
Thu May 21 10:42:59 PDT 2026


Hi Sashiko,

Thanks for your review comment,
On Thu, 21 May 2026 at 13:39, <sashiko-bot at kernel.org> wrote:
>
> Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
> - [High] Incorrect teardown order in `vdec_close()` causes use-after-destroy of the V4L2 control handler's mutex.
> --
>
> commit 82e916771a779b02500f97d58e344bb93ca8e9ca
> Author: Anand Moon <linux.amoon at gmail.com>
>
> media: meson: vdec: Fix memory leak in error path of vdec_open
>
> This commit introduces a proper err_m2m_ctx_release label in the error path
> of vdec_open() to ensure the m2m context is released before releasing the m2m
> device. It also attempts to free the V4L2 control handler memory in
> vdec_close() to fix a resource leak.
>
> Closes: https://lore.kernel.org/all/20260520045905.6ACBA1F000E9@smtp.kernel.org/#t
>
> > diff --git a/drivers/staging/media/meson/vdec/vdec.c b/drivers/staging/media/meson/vdec/vdec.c
> > --- a/drivers/staging/media/meson/vdec/vdec.c
> > +++ b/drivers/staging/media/meson/vdec/vdec.c
>
> [ ... ]
>
> > @@ -926,6 +928,7 @@ static int vdec_close(struct file *file)
> >
> >       v4l2_m2m_ctx_release(sess->m2m_ctx);
> >       v4l2_m2m_release(sess->m2m_dev);
> > +     v4l2_ctrl_handler_free(&sess->ctrl_handler);
>
> [Severity: High]
> Could this specific ordering cause a use-after-destroy of the V4L2 control
> handler's mutex?
>
> If an application has subscribed to a V4L2 control event, v4l2_fh_exit()
> unconditionally calls v4l2_event_unsubscribe_all(). This unsubscribe logic
> eventually invokes v4l2_ctrl_del_event(), which attempts to lock the
> control handler's mutex.
>
> Since v4l2_ctrl_handler_free() destroys the mutex:
>
> v4l2_ctrl_handler_free()
>     mutex_destroy(&hdl->_lock);
>
> Calling it before v4l2_fh_exit() could lead to operating on a destroyed mutex
> and potentially cause a kernel panic if mutex debugging is enabled.
>
> Should v4l2_ctrl_handler_free() be called after v4l2_fh_del() and
> v4l2_fh_exit() instead?
>
> >       v4l2_fh_del(&sess->fh, file);
> >       v4l2_fh_exit(&sess->fh);
> >
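Review bot: In vdec_close() the added v4l2_ctrl_handler_free(&sess->ctrl_handler) call sits above v4l2_fh_del() and v4l2_fh_exit(), so the control handler is freed while the file handle is still registered; placing it after v4l2_fh_exit(&sess->fh) keeps the handler valid until the file handle teardown has finished. The subject line names only the error path of vdec_open(), while this hunk changes the normal close path, so the changelog should state that vdec_close() now frees the control handler as well.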
I will try to study and update in the next version.
>
> --
> Sashiko AI review · https://sashiko.dev/#/patchset/20260521073449.10057-1-linux.amoon@gmail.com?part=1

Thanks
-Anand
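Added example (not part of the patch, the thread, or the kernel sources): a userspace C model of the teardown order the review comment describes, where freeing the handler destroys a lock that the file-handle exit path still takes for each event subscription. All identifiers are hypothetical stand-ins, and the "debug lock" only counts uses after destruction.

```c
/* Userspace model of the teardown order; constructed, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model_lock { bool alive; int bad_uses; };      /* stands in for hdl->_lock */
struct model_handler { struct model_lock lock; };
struct model_fh { struct model_handler *subs[4]; size_t nr; };

/* Like a debug mutex: record any lock operation after destruction. */
static void lock_use(struct model_lock *l) { if (!l->alive) l->bad_uses++; }

/* Models v4l2_ctrl_handler_free(), which ends in mutex_destroy(). */
static void handler_free(struct model_handler *h) { h->lock.alive = false; }

/* Models a control-event subscription made by the application. */
static void fh_subscribe(struct model_fh *fh, struct model_handler *h)
{
    lock_use(&h->lock);
    fh->subs[fh->nr++] = h;
}

/* Models v4l2_fh_exit(): unsubscribe everything, taking the handler lock. */
static void fh_exit(struct model_fh *fh)
{
    while (fh->nr) {
        struct model_handler *h = fh->subs[--fh->nr];
        lock_use(&h->lock);
    }
}

/* Returns how many lock operations hit an already destroyed lock. */
int close_session(bool free_handler_first, int subscriptions)
{
    struct model_handler h = { .lock = { .alive = true, .bad_uses = 0 } };
    struct model_fh fh = { .nr = 0 };

    for (int i = 0; i < subscriptions && i < 4; i++)
        fh_subscribe(&fh, &h);
    if (free_handler_first) { handler_free(&h); fh_exit(&fh); }  /* patch order */
    else                    { fh_exit(&fh); handler_free(&h); }  /* suggested order */
    return h.lock.bad_uses;
}

int main(void)
{
    printf("patch order: %d, suggested: %d\n", close_session(true, 2), close_session(false, 2));
    return 0;
}
```

With no subscriptions the patch order also reports zero bad uses, which is why the problem only shows up once an application has subscribed to a control event.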


