media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run
Message ID | 20231020040732.2499269-1-zyytlz.wz@163.com (mailing list archive) |
---|---|
State | Superseded |
Headers |
Received: from vger.kernel.org ([23.128.96.18]) by www.linuxtv.org with esmtp (Exim 4.92) (envelope-from <linux-media-owner@vger.kernel.org>) id 1qtgol-002j90-Nb; Fri, 20 Oct 2023 04:09:02 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346941AbjJTEI5 (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Fri, 20 Oct 2023 00:08:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41864 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1346919AbjJTEIs (ORCPT <rfc822;linux-media@vger.kernel.org>); Fri, 20 Oct 2023 00:08:48 -0400 Received: from m15.mail.163.com (m15.mail.163.com [45.254.50.220]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 97B07CE; Thu, 19 Oct 2023 21:08:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:Subject:Date:Message-Id:MIME-Version; bh=bTNEU KYdQRSbEH26367Xfr03nDSYmfPUQGyQW1vivyY=; b=G/USLP+1mCvkTnGsCm3pB L5zQiknSe/xWAbyT9fXRy6BoyqxGKe2PJ5yL2lbaSNDC9sk3xSsoZ/ICkox2CdkH IiRcJ88Ter66vsRGPAB/5Lj0y0aK+kxt29nYBz2tP3p6Ol2iW41Z7IUIPE2oFRTA 67jGUMJQw6hmZMYYQDO6LM= Received: from leanderwang-LC4.localdomain (unknown [111.206.145.21]) by zwqz-smtp-mta-g1-4 (Coremail) with SMTP id _____wDXfs0G_TFl9X8bBA--.28481S2; Fri, 20 Oct 2023 12:07:35 +0800 (CST) From: Zheng Wang <zyytlz.wz@163.com> To: dmitry.osipenko@collabora.com Cc: Kyrie.Wu@mediatek.com, bin.liu@mediatek.com, mchehab@kernel.org, matthias.bgg@gmail.com, angelogioacchino.delregno@collabora.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, Irui.Wang@mediatek.com, security@kernel.org, hackerzheng666@gmail.com, 1395428693sheep@gmail.com, alex000young@gmail.com, amergnat@baylibre.com, wenst@chromium.org, Zheng Wang <zyytlz.wz@163.com>, stable@vger.kernel.org Subject: [PATCH] media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run Date: Fri, 20 Oct 2023 12:07:32 +0800 Message-Id: <20231020040732.2499269-1-zyytlz.wz@163.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-CM-TRANSID: _____wDXfs0G_TFl9X8bBA--.28481S2 X-Coremail-Antispam: 1Uf129KBjvJXoWxZw1xtFWktFy5Xr13Jw4fKrg_yoWrGw15pr Zagw4DCFWUJrZ0gr4UA3WUZFyrC3s8tr12qr4Sgws3Z343Xrs7tr10ya4xtFWIyFZrCFyr Zr48W34xJr4DZFJanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x0zR1rWrUUUUU= X-Originating-IP: [111.206.145.21] X-CM-SenderInfo: h2113zf2oz6qqrwthudrp/xtbBdgcPU2DkpkVL4gAAsj X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org X-LSpam-Score: -4.8 (----) X-LSpam-Report: No, score=-4.8 required=5.0 tests=BAYES_00=-1.9,DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,FREEMAIL_FORGED_FROMDOMAIN=0.001,FREEMAIL_FROM=0.001,HEADER_FROM_DIFFERENT_DOMAINS=0.5,MAILING_LIST_MULTI=-1,RCVD_IN_DNSWL_MED=-2.3 autolearn=ham autolearn_force=no |
Series |
media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run
|
|
Commit Message
Zheng Wang
Oct. 20, 2023, 4:07 a.m. UTC
In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens in mtk_jpeg_set_dec_dst, it will finally start the worker while mark the job as finished by invoking v4l2_m2m_job_finish. There are two methods to trigger the bug. If we remove the module, it which will call mtk_jpeg_remove to make cleanup. The possible sequence is as follows, which will cause a use-after-free bug. CPU0 CPU1 mtk_jpeg_dec_... | start worker | |mtk_jpeg_job_timeout_work mtk_jpeg_remove | v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | m2m_dev->curr_ctx //use If we close the file descriptor, which will call mtk_jpeg_release, it will have a similar sequence. Fix this bug by start timeout worker only if started jpegdec worker successfully so the v4l2_m2m_job_finish will only be called on either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run. This patch also reverts commit c677d7ae8314 ("media: mtk-jpeg: Fix use after free bug due to uncanceled work") for this patch also fixed the use-after-free bug mentioned before. Before mtk_jpeg_remove is invoked, mtk_jpeg_release must be invoked to close opened files. And it will call v4l2_m2m_cancel_job to wait for the timeout worker finished so the canceling in mtk_jpeg_remove is unnecessary. Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") Signed-off-by: Zheng Wang <zyytlz.wz@163.com> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> Cc: stable@vger.kernel.org --- .../media/platform/mediatek/jpeg/mtk_jpeg_core.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-)
Comments
Il 20/10/23 06:07, Zheng Wang ha scritto: > In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with > mtk_jpeg_job_timeout_work. > > In mtk_jpeg_dec_device_run, if error happens in > mtk_jpeg_set_dec_dst, it will finally start the worker while > mark the job as finished by invoking v4l2_m2m_job_finish. > > There are two methods to trigger the bug. If we remove the > module, it which will call mtk_jpeg_remove to make cleanup. > The possible sequence is as follows, which will cause a > use-after-free bug. > > CPU0 CPU1 > mtk_jpeg_dec_... | > start worker | > |mtk_jpeg_job_timeout_work > mtk_jpeg_remove | > v4l2_m2m_release | > kfree(m2m_dev); | > | > | v4l2_m2m_get_curr_priv > | m2m_dev->curr_ctx //use > > If we close the file descriptor, which will call mtk_jpeg_release, > it will have a similar sequence. > > Fix this bug by start timeout worker only if started jpegdec worker > successfully so the v4l2_m2m_job_finish will only be called on > either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run. > > This patch also reverts commit c677d7ae8314 > ("media: mtk-jpeg: Fix use after free bug due to uncanceled work") > for this patch also fixed the use-after-free bug mentioned before. > Before mtk_jpeg_remove is invoked, mtk_jpeg_release must be invoked > to close opened files. And it will call v4l2_m2m_cancel_job to wait > for the timeout worker finished so the canceling in mtk_jpeg_remove > is unnecessary. > > Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: Alexandre Mergnat <amergnat@baylibre.com> On 20/10/2023 06:07, Zheng Wang wrote: > In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with > mtk_jpeg_job_timeout_work. In mtk_jpeg_dec_device_run, if error happens > in mtk_jpeg_set_dec_dst, it will finally start the worker while mark the > job as finished by invoking v4l2_m2m_job_finish. There are two methods > to trigger the bug. If we remove the module, it which will call > mtk_jpeg_remove to make cleanup. The possible sequence is as follows, > which will cause a use-after-free bug. CPU0 CPU1 mtk_jpeg_dec_... | > start worker | |mtk_jpeg_job_timeout_work mtk_jpeg_remove | > v4l2_m2m_release | kfree(m2m_dev); | | | v4l2_m2m_get_curr_priv | > m2m_dev->curr_ctx //use If we close the file descriptor, which will call > mtk_jpeg_release, it will have a similar sequence. Fix this bug by start > timeout worker only if started jpegdec worker successfully so the > v4l2_m2m_job_finish will only be called on either > mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run. This patch also > reverts commit c677d7ae8314 ("media: mtk-jpeg: Fix use after free bug > due to uncanceled work") for this patch also fixed the use-after-free > bug mentioned before. Before mtk_jpeg_remove is invoked, > mtk_jpeg_release must be invoked to close opened files. And it will call > v4l2_m2m_cancel_job to wait for the timeout worker finished so the > canceling in mtk_jpeg_remove is unnecessary.
On 10/20/23 07:07, Zheng Wang wrote: > In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with > mtk_jpeg_job_timeout_work. > > In mtk_jpeg_dec_device_run, if error happens in > mtk_jpeg_set_dec_dst, it will finally start the worker while > mark the job as finished by invoking v4l2_m2m_job_finish. > > There are two methods to trigger the bug. If we remove the > module, it which will call mtk_jpeg_remove to make cleanup. > The possible sequence is as follows, which will cause a > use-after-free bug. > > CPU0 CPU1 > mtk_jpeg_dec_... | > start worker | > |mtk_jpeg_job_timeout_work > mtk_jpeg_remove | > v4l2_m2m_release | > kfree(m2m_dev); | > | > | v4l2_m2m_get_curr_priv > | m2m_dev->curr_ctx //use > > If we close the file descriptor, which will call mtk_jpeg_release, > it will have a similar sequence. > > Fix this bug by start timeout worker only if started jpegdec worker > successfully so the v4l2_m2m_job_finish will only be called on > either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run. > > This patch also reverts commit c677d7ae8314 > ("media: mtk-jpeg: Fix use after free bug due to uncanceled work") > for this patch also fixed the use-after-free bug mentioned before. > Before mtk_jpeg_remove is invoked, mtk_jpeg_release must be invoked > to close opened files. And it will call v4l2_m2m_cancel_job to wait > for the timeout worker finished so the canceling in mtk_jpeg_remove > is unnecessary. > > Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> > Cc: stable@vger.kernel.org > --- > .../media/platform/mediatek/jpeg/mtk_jpeg_core.c | 13 ++++++------- > 1 file changed, 6 insertions(+), 7 deletions(-) > > diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c > index 7194f88edc0f..c3456c700c07 100644 > --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c > +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c > @@ -1021,13 +1021,13 @@ static void mtk_jpeg_dec_device_run(void *priv) > if (ret < 0) > goto dec_end; > > - schedule_delayed_work(&jpeg->job_timeout_work, > - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > - > mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); > if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) > goto dec_end; > > + schedule_delayed_work(&jpeg->job_timeout_work, > + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > + > spin_lock_irqsave(&jpeg->hw_lock, flags); > mtk_jpeg_dec_reset(jpeg->reg_base); > mtk_jpeg_dec_set_config(jpeg->reg_base, > @@ -1403,7 +1403,6 @@ static void mtk_jpeg_remove(struct platform_device *pdev) > { > struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); > > - cancel_delayed_work_sync(&jpeg->job_timeout_work); > pm_runtime_disable(&pdev->dev); > video_unregister_device(jpeg->vdev); > v4l2_m2m_release(jpeg->m2m_dev); > @@ -1750,9 +1749,6 @@ static void mtk_jpegdec_worker(struct work_struct *work) > v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx); > v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx); > > - schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, > - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > - > mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); > if (mtk_jpeg_set_dec_dst(ctx, > &jpeg_src_buf->dec_param, > @@ -1762,6 +1758,9 @@ static void mtk_jpegdec_worker(struct work_struct *work) > goto setdst_end; > } > > + schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, > + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > + > spin_lock_irqsave(&comp_jpeg[hw_id]->hw_lock, flags); > ctx->total_frame_num++; > mtk_jpeg_dec_reset(comp_jpeg[hw_id]->reg_base); What about to split this patch into 3 patches: 1. will remove cancel_delayed_work_sync() 2. will update mtk_jpeg_dec_device_run() 3. will update mtk_jpegdec_worker() The reason for splitting is because the multi-core mtk_jpegdec_worker() doesn't present in older stable kernels, and thus, the patch isn't backportable as-is.
Get it. I'll figure it out how to split up. Thanks, Zheng Dmitry Osipenko <dmitry.osipenko@collabora.com> 于2023年10月24日周二 21:18写道: > > On 10/20/23 07:07, Zheng Wang wrote: > > In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with > > mtk_jpeg_job_timeout_work. > > > > In mtk_jpeg_dec_device_run, if error happens in > > mtk_jpeg_set_dec_dst, it will finally start the worker while > > mark the job as finished by invoking v4l2_m2m_job_finish. > > > > There are two methods to trigger the bug. If we remove the > > module, it which will call mtk_jpeg_remove to make cleanup. > > The possible sequence is as follows, which will cause a > > use-after-free bug. > > > > CPU0 CPU1 > > mtk_jpeg_dec_... | > > start worker | > > |mtk_jpeg_job_timeout_work > > mtk_jpeg_remove | > > v4l2_m2m_release | > > kfree(m2m_dev); | > > | > > | v4l2_m2m_get_curr_priv > > | m2m_dev->curr_ctx //use > > > > If we close the file descriptor, which will call mtk_jpeg_release, > > it will have a similar sequence. > > > > Fix this bug by start timeout worker only if started jpegdec worker > > successfully so the v4l2_m2m_job_finish will only be called on > > either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run. > > > > This patch also reverts commit c677d7ae8314 > > ("media: mtk-jpeg: Fix use after free bug due to uncanceled work") > > for this patch also fixed the use-after-free bug mentioned before. > > Before mtk_jpeg_remove is invoked, mtk_jpeg_release must be invoked > > to close opened files. And it will call v4l2_m2m_cancel_job to wait > > for the timeout worker finished so the canceling in mtk_jpeg_remove > > is unnecessary. > > > > Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > > Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com> > > Cc: stable@vger.kernel.org > > --- > > .../media/platform/mediatek/jpeg/mtk_jpeg_core.c | 13 ++++++------- > > 1 file changed, 6 insertions(+), 7 deletions(-) > > > > diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c > > index 7194f88edc0f..c3456c700c07 100644 > > --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c > > +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c > > @@ -1021,13 +1021,13 @@ static void mtk_jpeg_dec_device_run(void *priv) > > if (ret < 0) > > goto dec_end; > > > > - schedule_delayed_work(&jpeg->job_timeout_work, > > - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > > - > > mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); > > if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) > > goto dec_end; > > > > + schedule_delayed_work(&jpeg->job_timeout_work, > > + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > > + > > spin_lock_irqsave(&jpeg->hw_lock, flags); > > mtk_jpeg_dec_reset(jpeg->reg_base); > > mtk_jpeg_dec_set_config(jpeg->reg_base, > > @@ -1403,7 +1403,6 @@ static void mtk_jpeg_remove(struct platform_device *pdev) > > { > > struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); > > > > - cancel_delayed_work_sync(&jpeg->job_timeout_work); > > pm_runtime_disable(&pdev->dev); > > video_unregister_device(jpeg->vdev); > > v4l2_m2m_release(jpeg->m2m_dev); > > @@ -1750,9 +1749,6 @@ static void mtk_jpegdec_worker(struct work_struct *work) > > v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx); > > v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx); > > > > - schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, > > - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > > - > > mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); > > if (mtk_jpeg_set_dec_dst(ctx, > > &jpeg_src_buf->dec_param, > > @@ -1762,6 +1758,9 @@ static void mtk_jpegdec_worker(struct work_struct *work) > > goto setdst_end; > > } > > > > + schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, > > + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > > + > > spin_lock_irqsave(&comp_jpeg[hw_id]->hw_lock, flags); > > ctx->total_frame_num++; > > mtk_jpeg_dec_reset(comp_jpeg[hw_id]->reg_base); > > What about to split this patch into 3 patches: > > 1. will remove cancel_delayed_work_sync() > 2. will update mtk_jpeg_dec_device_run() > 3. will update mtk_jpegdec_worker() > > The reason for splitting is because the multi-core mtk_jpegdec_worker() > doesn't present in older stable kernels, and thus, the patch isn't > backportable as-is. > > -- > Best regards, > Dmitry >
diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c index 7194f88edc0f..c3456c700c07 100644 --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c @@ -1021,13 +1021,13 @@ static void mtk_jpeg_dec_device_run(void *priv) if (ret < 0) goto dec_end; - schedule_delayed_work(&jpeg->job_timeout_work, - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); - mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) goto dec_end; + schedule_delayed_work(&jpeg->job_timeout_work, + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); + spin_lock_irqsave(&jpeg->hw_lock, flags); mtk_jpeg_dec_reset(jpeg->reg_base); mtk_jpeg_dec_set_config(jpeg->reg_base, @@ -1403,7 +1403,6 @@ static void mtk_jpeg_remove(struct platform_device *pdev) { struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); - cancel_delayed_work_sync(&jpeg->job_timeout_work); pm_runtime_disable(&pdev->dev); video_unregister_device(jpeg->vdev); v4l2_m2m_release(jpeg->m2m_dev); @@ -1750,9 +1749,6 @@ static void mtk_jpegdec_worker(struct work_struct *work) v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx); v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx); - schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); - mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, @@ -1762,6 +1758,9 @@ static void mtk_jpegdec_worker(struct work_struct *work) goto setdst_end; } + schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); + spin_lock_irqsave(&comp_jpeg[hw_id]->hw_lock, flags); ctx->total_frame_num++; mtk_jpeg_dec_reset(comp_jpeg[hw_id]->reg_base);