In cedrus_probe, dev->watchdog_work is bound to cedrus_watchdog. Then cedrus_device_run may be called to start the work. If we close the file or remove the module, which will call cedrus_release and cedrus_remove to do the cleanup, there may be unfinished work. The possible sequence is as follows, which will cause a typical UAF bug. The same thing will happen in cedrus_release, where ctx is used after it has been freed.

Fix it by canceling the work before cleanup in cedrus_release.

Signed-off-by: Ma Ke <make_ruc2021@xxxxxxx>
---
 drivers/staging/media/sunxi/cedrus/cedrus.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
index 8e248d4a0aec..0a2cb615d717 100644
--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
@@ -404,6 +404,8 @@ static int cedrus_release(struct file *file)
 	struct cedrus_ctx *ctx = container_of(file->private_data, struct cedrus_ctx, fh);
 
+	cancel_delayed_work_sync(&ctx->dev->watchdog_work);
+
 	mutex_lock(&dev->dev_mutex);
 
 	v4l2_fh_del(&ctx->fh);
-- 
2.37.2
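Review bot: the work item cancelled in this hunk is reached through ctx->dev, so it is a single device-wide delayed work, while cedrus_release runs once per open file; cancelling it here also discards the watchdog for a job that another still-open context may have started through cedrus_device_run, leaving that job with no timeout at all. If the goal is only to guarantee the watchdog cannot touch this ctx after it is freed, the commit message should argue why a device-wide cancel is the right tool, or the cancel should move to the device teardown path. Related: the message names both cedrus_release and cedrus_remove as cleanup paths that can race with unfinished work, yet the diff only touches cedrus_release; either add the matching cancel in cedrus_remove or narrow the message. The context line `mutex_lock(&dev->dev_mutex);` also shows that `dev` is already in scope, so `cancel_delayed_work_sync(&dev->watchdog_work);` would read consistently with the surrounding code instead of going through `ctx->dev`. Finally, the message says "The possible sequence is as follows" but no sequence is given; please include the call ordering (cedrus_device_run, the watchdog firing, cedrus_release) that leads to the use-after-free so reviewers can check the fix against it.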