Message-ID: <11c2bce1e5286ad3a9a5be2ee59c2beac168f135.camel@mediatek.com>
Date: Tue, 7 Mar 2023 10:12:49 +0000
From: Irui Wang (王瑞) <Irui.Wang@...iatek.com>
To: "zyytlz.wz@....com" <zyytlz.wz@....com>,
Kyrie Wu (吴晗) <Kyrie.Wu@...iatek.com>,
"angelogioacchino.delregno@...labora.com"
<angelogioacchino.delregno@...labora.com>,
"hackerzheng666@...il.com" <hackerzheng666@...il.com>
CC: "linux-mediatek@...ts.infradead.org"
<linux-mediatek@...ts.infradead.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-media@...r.kernel.org" <linux-media@...r.kernel.org>,
"mchehab@...nel.org" <mchehab@...nel.org>,
"alex000young@...il.com" <alex000young@...il.com>,
Bin Liu (刘彬) <bin.liu@...iatek.com>,
"linux-arm-kernel@...ts.infradead.org"
<linux-arm-kernel@...ts.infradead.org>,
"matthias.bgg@...il.com" <matthias.bgg@...il.com>,
"1395428693sheep@...il.com" <1395428693sheep@...il.com>
Subject: Re: [RESEND PATCH] media: mtk-jpeg: Fix use after free bug due to uncanceled work
Dear Angelo and Zheng,
Thanks for your patch and comments.
Dear Kyrie,
Please help to check this, thanks.
Best Regards
On Tue, 2023-03-07 at 10:49 +0100, AngeloGioacchino Del Regno wrote:
> On 07/03/23 10:27, Zheng Hacker wrote:
> > Hi,
> >
> > Is there anyone who can help with this? I can provide more details
> > like invoking chain if needed.
> >
>
> Providing more details is always good. Please do.
>
> Meanwhile, adding Irui Wang to the loop: he's doing mtk-jpeg.
>
> Regards,
> Angelo
>
> > Thanks,
> > Zheng
> >
> > > Zheng Wang <zyytlz.wz@....com> wrote on Mon, 6 Mar 2023 at 14:28:
> > >
> > > In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with
> > > mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run
> > > and mtk_jpeg_enc_device_run may be called to start the
> > > work.
> > > > If we remove the module, which will call mtk_jpeg_remove
> > > > to make cleanup, there may be an unfinished work. The
> > > > possible sequence is as follows, which will cause a
> > > > typical UAF bug.
> > > >
> > > > Fix it by canceling the work before cleanup in
> > > > mtk_jpeg_remove.
> > >
> > > > CPU0                        CPU1
> > > >
> > > >                             |mtk_jpeg_job_timeout_work
> > > > mtk_jpeg_remove             |
> > > >   v4l2_m2m_release          |
> > > >     kfree(m2m_dev);         |
> > > >                             |
> > > >                             | v4l2_m2m_get_curr_priv
> > > >                             |   m2m_dev->curr_ctx //use
> > >
> > > Signed-off-by: Zheng Wang <zyytlz.wz@....com>
> > > ---
> > > drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
> > > b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
> > > index 969516a940ba..364513e7897e 100644
> > > --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
> > > +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
> > > @@ -1793,7 +1793,7 @@ static int mtk_jpeg_probe(struct
> > > platform_device *pdev)
> > > static int mtk_jpeg_remove(struct platform_device *pdev)
> > > {
> > > struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev);
> > > -
> > > + cancel_delayed_work(&jpeg->job_timeout_work);
> > > pm_runtime_disable(&pdev->dev);
> > > video_unregister_device(jpeg->vdev);
> > > v4l2_m2m_release(jpeg->m2m_dev);
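Review bot: cancel_delayed_work() only dequeues a pending (not yet started) instance and returns immediately, so the new call at the top of mtk_jpeg_remove() does not close the race described in the commit message, where mtk_jpeg_job_timeout_work is already executing on CPU1 when CPU0 reaches kfree(m2m_dev). Use `cancel_delayed_work_sync(&jpeg->job_timeout_work);` so that remove() blocks until the running handler has returned before v4l2_m2m_release() frees m2m_dev. Minor style point: the hunk replaces the blank line after `struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev);` with the call; keep an empty line after the declaration to avoid checkpatch's missing-blank-line-after-declarations warning.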
> > > --
> > > 2.25.1
> > >
>
>
>
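The interleaving from the commit message, replayed in a small single-threaded model of delayed_work cancellation. This is an added illustration, not kernel code and not part of the patch: the `toy_*` names, the split of the timeout handler into a "started" and a "finish" half, and the `freed` flag standing in for what kfree() does are all constructed so the two cancel variants can be compared deterministically. The model encodes the documented semantics that cancel_delayed_work() does not wait for a handler already in flight while cancel_delayed_work_sync() does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy model (constructed for this illustration) of the kernel's
 * delayed_work cancellation semantics:
 *  - cancel_delayed_work(): dequeues a PENDING item and returns at once,
 *    even if the handler is already RUNNING on another CPU.
 *  - cancel_delayed_work_sync(): additionally waits for a RUNNING handler.
 * "Running" is modelled as a handler that has started but has not yet
 * reached the step that dereferences m2m_dev.
 */
enum work_state { WORK_IDLE, WORK_PENDING, WORK_RUNNING, WORK_DONE };

struct toy_m2m_dev {
    bool freed;      /* set by toy_kfree(); stands in for freed memory */
    int curr_ctx;
};

struct toy_work {
    enum work_state state;
    struct toy_m2m_dev *m2m_dev;
    bool touched_freed_dev;   /* records the UAF the commit message describes */
};

/* Second half of the timeout handler: the v4l2_m2m_get_curr_priv() step. */
static void toy_timeout_work_finish(struct toy_work *w)
{
    if (w->m2m_dev->freed)
        w->touched_freed_dev = true;   /* m2m_dev->curr_ctx read after free */
    (void)w->m2m_dev->curr_ctx;
    w->state = WORK_DONE;
}

/* Handler entry: in the race, CPU1 is here when CPU0 enters remove(). */
static void toy_timeout_work_start(struct toy_work *w)
{
    w->state = WORK_RUNNING;
}

/* Non-waiting cancel: only a pending instance is dropped. */
static bool toy_cancel_delayed_work(struct toy_work *w)
{
    if (w->state == WORK_PENDING) {
        w->state = WORK_IDLE;
        return true;
    }
    return false;   /* a running handler is left alone */
}

/* Waiting cancel: also lets a running handler run to completion first. */
static bool toy_cancel_delayed_work_sync(struct toy_work *w)
{
    bool was_pending = toy_cancel_delayed_work(w);

    if (w->state == WORK_RUNNING)
        toy_timeout_work_finish(w);
    return was_pending;
}

static void toy_kfree(struct toy_m2m_dev *d)
{
    d->freed = true;
}

/*
 * Replay the commit message's CPU0/CPU1 interleaving with one of the two
 * cancel variants. Returns true if the handler dereferenced m2m_dev after
 * it had been freed, i.e. the use-after-free still happens.
 */
static bool replay_remove_race(bool use_sync)
{
    struct toy_m2m_dev dev = { .freed = false, .curr_ctx = 1 };
    struct toy_work w = { .state = WORK_PENDING, .m2m_dev = &dev,
                          .touched_freed_dev = false };

    toy_timeout_work_start(&w);        /* CPU1: timeout handler begins   */
    if (use_sync)                      /* CPU0: mtk_jpeg_remove()        */
        toy_cancel_delayed_work_sync(&w);
    else
        toy_cancel_delayed_work(&w);
    toy_kfree(&dev);                   /* v4l2_m2m_release -> kfree      */
    if (w.state == WORK_RUNNING)
        toy_timeout_work_finish(&w);   /* CPU1: v4l2_m2m_get_curr_priv   */
    return w.touched_freed_dev;
}

int main(void)
{
    printf("cancel_delayed_work:      UAF=%d\n", replay_remove_race(false));
    printf("cancel_delayed_work_sync: UAF=%d\n", replay_remove_race(true));
    return 0;
}
```

The model shows why the choice of cancel variant matters for this particular race: once the handler has passed its entry point, only the synchronous variant guarantees that the dereference of m2m_dev is ordered before the free.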