On Wed, Mar 15, 2023 at 03:53, Jernej Škrabec <jernej.skrabec@xxxxxxxxx> wrote:
>
> On Monday, 13 March 2023 at 17:31:20 CET, Zheng Wang wrote:
> > In cedrus_probe, dev->watchdog_work is bound with cedrus_watchdog function.
> > In cedrus_device_run, it will be started by schedule_delayed_work. If there is
> > an unfinished work in cedrus_remove, there may be a race condition and
> > trigger UAF bug.
> >
> > CPU0                  CPU1
> >
> >                     |cedrus_watchdog
> >
> > cedrus_remove       |
> > v4l2_m2m_release    |
> > kfree(m2m_dev)      |
> >
> >                     | v4l2_m2m_get_curr_priv
> >                     |
> >                     | m2m_dev //use
> >
> > Fix it by canceling the worker in cedrus_remove.
> >
> > Fixes: 7c38a551bda1 ("media: cedrus: Add watchdog for job completion")
> > Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
> > ---
> > v2:
> > - use cancel_delayed_work_sync instead and add Fixes
> > label suggested by Hans Verkuil
> > ---
> > drivers/staging/media/sunxi/cedrus/cedrus.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
>
> Acked-by: Jernej Skrabec <jernej.skrabec@xxxxxxxxx>
>

Thanks for your review.

Best regards,
Zheng

> Best regards,
> Jernej
>
> > diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c > > b/drivers/staging/media/sunxi/cedrus/cedrus.c index > > a43d5ff66716..a50a4d0a8f71 100644 > > --- a/drivers/staging/media/sunxi/cedrus/cedrus.c > > +++ b/drivers/staging/media/sunxi/cedrus/cedrus.c > > @@ -547,6 +547,7 @@ static int cedrus_remove(struct platform_device *pdev) > > { > > struct cedrus_dev *dev = platform_get_drvdata(pdev); > > > > + cancel_delayed_work_sync(&dev->watchdog_work); > > if (media_devnode_is_registered(dev->mdev.devnode)) { > > media_device_unregister(&dev->mdev); > > v4l2_m2m_unregister_media_controller(dev->m2m_dev); > > > >
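
Review bot: cancel_delayed_work_sync(&dev->watchdog_work) is the first call in cedrus_remove, ahead of media_device_unregister(), so the device is still registered when the cancel returns. The commit message says cedrus_device_run arms the watchdog with schedule_delayed_work; if a job can still be run after this point, the work is queued again and the same use of m2m_dev after v4l2_m2m_release can recur. Consider moving the cancel to after the unregistration calls and immediately before v4l2_m2m_release, or state in the commit message why no new job can start once remove has begun. A one-line comment above the call explaining the ordering would also help later readers.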