Patch "media: mtk-jpeg: Remove cancel worker in mtk_jpeg_remove to avoid the crash of multi-core JPEG devices" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 20 Jan 2024 20:00:14 -0500

This is a note to let you know that I've just added the patch titled

    media: mtk-jpeg: Remove cancel worker in mtk_jpeg_remove to avoid the crash of multi-core JPEG devices

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     media-mtk-jpeg-remove-cancel-worker-in-mtk_jpeg_remo.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1fcec02ec4f66fa83043400d197f3d46f12041d5
Author: Zheng Wang <zyytlz.wz@xxxxxxx>
Date:   Mon Nov 6 15:48:09 2023 +0100

    media: mtk-jpeg: Remove cancel worker in mtk_jpeg_remove to avoid the crash of multi-core JPEG devices
    
    [ Upstream commit d8212c5c87c143ca01b78f6bf61244af07e0058e ]
    
    This patch reverts commit c677d7ae8314
    ("media: mtk-jpeg: Fix use after free bug due to uncanceled work").
    The job_timeout_work is initialized only for
    the single-core JPEG device so it will cause the crash for multi-core
    JPEG devices.
    
    Fix it by removing the cancel_delayed_work_sync function.
    
    Fixes: c677d7ae8314 ("media: mtk-jpeg: Fix use after free bug due to uncanceled work")
    Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
    Signed-off-by: Dmitry Osipenko <dmitry.osipenko@xxxxxxxxxxxxx>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
index 7194f88edc0f..60425c99a2b8 100644
--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
+++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
@@ -1403,7 +1403,6 @@ static void mtk_jpeg_remove(struct platform_device *pdev)
 {
 	struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev);
 
-	cancel_delayed_work_sync(&jpeg->job_timeout_work);
 	pm_runtime_disable(&pdev->dev);
 	video_unregister_device(jpeg->vdev);
 	v4l2_m2m_release(jpeg->m2m_dev);







