On Monday, 13 March 2023 at 17:31:20 CET, Zheng Wang wrote:
> In cedrus_probe, dev->watchdog_work is bound with cedrus_watchdog function.
> In cedrus_device_run, it will started by schedule_delayed_work. If there is
> an unfinished work in cedrus_remove, there may be a race condition and
> trigger UAF bug.
>
> CPU0                      CPU1
>
>                           |cedrus_watchdog
>
> cedrus_remove             |
>   v4l2_m2m_release        |
>     kfree(m2m_dev)        |
>
>                           | v4l2_m2m_get_curr_priv
>                           |
>                           |   m2m_dev //use
>
> Fix it by canceling the worker in cedrus_remove.
>
> Fixes: 7c38a551bda1 ("media: cedrus: Add watchdog for job completion")
> Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
> ---
> v2:
> - use cancel_delayed_work_sync instead and add Fixes
>   label suggested by Hans Verkuil
> ---
>  drivers/staging/media/sunxi/cedrus/cedrus.c | 1 +
>  1 file changed, 1 insertion(+)
>

Acked-by: Jernej Skrabec <jernej.skrabec@xxxxxxxxx>

Best regards,
Jernej

> diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
> index a43d5ff66716..a50a4d0a8f71 100644
> --- a/drivers/staging/media/sunxi/cedrus/cedrus.c
> +++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
> @@ -547,6 +547,7 @@ static int cedrus_remove(struct platform_device *pdev)
>  {
>  	struct cedrus_dev *dev = platform_get_drvdata(pdev);
>
> +	cancel_delayed_work_sync(&dev->watchdog_work);
>  	if (media_devnode_is_registered(dev->mdev.devnode)) {
>  		media_device_unregister(&dev->mdev);
>  		v4l2_m2m_unregister_media_controller(dev->m2m_dev);
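Review bot: the cancel_delayed_work_sync() placed at the top of cedrus_remove() closes the window against a watchdog that is already queued or mid-execution, but the commit message itself says cedrus_device_run() re-arms the work via schedule_delayed_work(); the message should state why no job can be scheduled between this cancellation and the later v4l2_m2m_release() that frees m2m_dev (i.e. that the m2m/video device is torn down in between), or the cancel could sit directly before the release so the ordering is self-evident. The switch to the _sync variant in v2 is the right call: a plain cancel_delayed_work() returns while cedrus_watchdog() may still be running, which is exactly the CPU1 path in the diagram, whereas the _sync variant waits for it to finish before the teardown proceeds.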