From mboxrd@z Thu Jan 1 00:00:00 1970 From: Claude Code Review Bot To: dri-devel-reviews@example.com Subject: Claude review: media: meson: vdec: Fix NULL pointer dereference in ISR handlers Date: Thu, 04 Jun 2026 15:48:47 +1000 Message-ID: In-Reply-To: <20260530094326.11892-8-linux.amoon@gmail.com> References: <20260530094326.11892-1-linux.amoon@gmail.com> <20260530094326.11892-8-linux.amoon@gmail.com> X-Mailer: Claude Code Patch Reviewer Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Patch Review **Incomplete fix =E2=80=94 READ_ONCE without WRITE_ONCE:** The patch uses `= READ_ONCE()` on the read side: ```c sess =3D READ_ONCE(core->cur_sess); ``` But the writes to `core->cur_sess` in patches 2 and 5 are plain stores prot= ected by a mutex: ```c core->cur_sess =3D sess; /* in start_streaming */ core->cur_sess =3D NULL; /* in stop_streaming */ ``` For `READ_ONCE()` to be meaningful, the matching writes should use `WRITE_O= NCE()`. Without it, the compiler could still tear the write, though in prac= tice pointer writes on ARM64 are atomic. Still, for correctness, `WRITE_ONC= E()` should be added to the write side. **Insufficient fix =E2=80=94 TOCTOU on session fields:** Even with the NULL= check, there's a race: ```c sess =3D READ_ONCE(core->cur_sess); if (!sess) return IRQ_NONE; /* sess could be freed right here by stop_streaming */ sess->last_irq_jiffies =3D get_jiffies_64(); ``` After the NULL check, `stop_streaming` can still run, clear `cur_sess`, and= proceed to free session resources. The session pointer obtained by READ_ON= CE is not pinned. This requires either: - Disabling interrupts during teardown (`disable_irq()` before clearing `cu= r_sess`), or - Using RCU to protect the session pointer, or - Some other synchronization. The IRQ is registered with `IRQF_ONESHOT` and uses a threaded handler, so `= disable_irq_nosync()` / `synchronize_irq()` before clearing `cur_sess` woul= d be the typical kernel pattern. **Unnecessary variable:** The `ret` variable in `vdec_isr`: ```c irqreturn_t ret =3D IRQ_HANDLED; ... ret =3D sess->fmt_out->codec_ops->isr(sess); return ret; ``` The initial assignment `ret =3D IRQ_HANDLED` is dead code since `ret` is un= conditionally overwritten. Just return the call result directly. --- Generated by Claude Code Patch Reviewer