Hi,

Sorry to bother you for I didn't know how to submit patch to a specific branch. Could you please push this patch to 5.10 branch? The chrome-os is affected by this issue.

Best regards,
Zheng Wang

At 2023-09-11 20:47:20, "Greg Kroah-Hartman" <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>6.1-stable review patch. If anyone has any objections, please let me know.
>
>------------------
>
>From: Zheng Wang <zyytlz.wz@xxxxxxx>
>
>[ Upstream commit c677d7ae83141d390d1253abebafa49c962afb52 ]
>
>In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with
>mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run
>and mtk_jpeg_enc_device_run may be called to start the
>work.
>If we remove the module which will call mtk_jpeg_remove
>to make cleanup, there may be an unfinished work. The
>possible sequence is as follows, which will cause a
>typical UAF bug.
>
>Fix it by canceling the work before cleanup in the mtk_jpeg_remove
>
>CPU0                        CPU1
>
>                            |mtk_jpeg_job_timeout_work
>mtk_jpeg_remove             |
>  v4l2_m2m_release          |
>    kfree(m2m_dev);         |
>                            |
>                            | v4l2_m2m_get_curr_priv
>                            |   m2m_dev->curr_ctx //use
>
>Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver")
>Signed-off-by: Zheng Wang <zyytlz.wz@xxxxxxx>
>Reviewed-by: Alexandre Mergnat <amergnat@xxxxxxxxxxxx>
>Reviewed-by: Chen-Yu Tsai <wenst@xxxxxxxxxxxx>
>Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@xxxxxxxxxxxxx>
>Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
>Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
>---
> drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
>index 3071b61946c3b..e9a4f8abd21c5 100644
>--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
>+++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
>@@ -1412,6 +1412,7 @@ static int mtk_jpeg_remove(struct platform_device *pdev) > { > struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); > >+ cancel_delayed_work_sync(&jpeg->job_timeout_work); > pm_runtime_disable(&pdev->dev); > video_unregister_device(jpeg->vdev); > v4l2_m2m_release(jpeg->m2m_dev); >-- >2.40.1 > >
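Review bot: the added `cancel_delayed_work_sync(&jpeg->job_timeout_work);` sits at the top of mtk_jpeg_remove(), before `video_unregister_device(jpeg->vdev);`, so the device node is still registered while the work is being cancelled; if a job can still be started through an already-open file handle at that point, device_run could re-arm job_timeout_work after the cancel and before `v4l2_m2m_release(jpeg->m2m_dev);` frees m2m_dev, which is the same window the commit message describes. Either confirm that nothing can reach device_run once remove has started, or move the cancel to just after video_unregister_device() and immediately before v4l2_m2m_release(), so the cancel is the last step before the free; a one-line comment stating why the cancel must precede the release would also help the next reader of this function.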