Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp9025733rwp; Wed, 19 Jul 2023 20:59:47 -0700 (PDT) X-Google-Smtp-Source: APBJJlGDdsMAujLutr2zx+Mg60lBj0qd0appLYAp50jar1DovaHfpWuHQh8Ip+6uBHiXuhocjOf8 X-Received: by 2002:a05:6358:98a7:b0:134:ed9b:15a7 with SMTP id q39-20020a05635898a700b00134ed9b15a7mr5269080rwa.30.1689825587613; Wed, 19 Jul 2023 20:59:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689825587; cv=none; d=google.com; s=arc-20160816; b=DwU8KuMoR4Gm4lOJO9SMGb3yNR0NXRXpJPLugiXYtoOa+IBJS/0oaj4vnXo/TPYR5M snO9xbdFj7k6vybPQGSkV5YUXsadU2BW/LiXnkB+wQ/2asFSIF7XfNQVcVmHcpd57wgG mfSulGuRhJabYbzjXJ+anToAzjWeRsE7Qg1nm/j2yvoQbvyJIApDnOeRaCWzEnajTR7d hMoV5IWG1ETBCjnmfNQ2+GbPoBSJPA8/MGtq73zskgTB8c3Po1gI47rOGnmrqOxw5Qnd WVAyQTfqKifV2QX8erHkRs/qrUGuFHPOhKtkWecBfMQHV+TIGXEhi8iieu1EX36o/GlI w3jA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=lSjRK2q1L9TAgulU0uKFfXHGPLF469L5iIGjDG8jzbg=; fh=8/bIiRDHLonK45RUNJZEzEbSSv7IWZy5Cnl5Oo+PGiI=; b=rpWWvLMGf3UB7ERW1D2C+7wVQer4J5N4WsUkCLgnqU9yMNlk8lNKs+YDTQJOkkh/Ao fGsnqZwYF+6vFd7L7yMXTa6ro8hEFSrkzafwu9AcdeocWNQKrAc0OPl49KW5+4PbgKjG hBwFLR5ttdLkz4voB/zf8MnKXE3+ISEpymRULHwBur/uUdy0B5UL0MmK+/NRGQBlhDL/ AyHKdPx2ClwljkMm7O+27iS0BkEzNjUIMqgKLDMWLL25IKwZpM3Y2LBl15UZ+f3/EW6t H5VDTiIC0J45pi1IB9tJiDkC2nF0+RbdajmChs+FClorTIX7JIxSKsy2L5sps0SjQG70 GaEw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=FmeTyNor; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x20-20020a656ab4000000b005633b3dcefesi4212358pgu.578.2023.07.19.20.59.35; Wed, 19 Jul 2023 20:59:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=FmeTyNor; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229922AbjGTDkS (ORCPT + 99 others); Wed, 19 Jul 2023 23:40:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47344 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229729AbjGTDkP (ORCPT ); Wed, 19 Jul 2023 23:40:15 -0400 Received: from mail-vk1-xa32.google.com (mail-vk1-xa32.google.com [IPv6:2607:f8b0:4864:20::a32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CA3BC2107 for ; Wed, 19 Jul 2023 20:40:13 -0700 (PDT) Received: by mail-vk1-xa32.google.com with SMTP id 71dfb90a1353d-481389cd087so120198e0c.2 for ; Wed, 19 Jul 2023 20:40:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1689824413; x=1690429213; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=lSjRK2q1L9TAgulU0uKFfXHGPLF469L5iIGjDG8jzbg=; b=FmeTyNoriwl9eaAi4UWOvHlnCraMY6GehOzN23WwXZRmcok3v6POEoNGHEu94dxVB8 XV4VcCfpZYkmClWeuwO/dz2ibDjqJ8d55lxTA46EwDPzcxh4fhnBC7Tdws3NBkdTIflj r1NHovSBoV0qsV6wHj6W6XPQiDFsT3TG4VhK0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689824413; x=1690429213; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=lSjRK2q1L9TAgulU0uKFfXHGPLF469L5iIGjDG8jzbg=; b=Obfemm+Kh9nzj0qu6LNKfw4kkpRazMn4+ePN6WTb9xtDUL5leYilSRezIlRHf5in9N Womo9h8cJNLc97l2P3b/Qr2+eoufBS/a6yrletCRtazARmSjjepEXrpoF3Qg3a1NlVW7 xY5Otg7BbRHW3Zep/hnZAP1vUqyaPG5WszB6j/owzS4wmnNf3YNCS78eWCW/GW7eS7HN 9BpqE3tpoweNUH1fqDLjg70JKK2CllwaVw1paroEYW144yLsoZb4zstpj+zhwASkwp/6 LctOqXiSycZ+Gf5ZGTfWOw4CFybog8UQ7DVOg6p7cuKJ30rGVwr/MpcbIld3U28sqbv1 LPnw== X-Gm-Message-State: ABy/qLaO/K3U3nVKH/T7065RFEN1Eq6hshNHmrlI5Q6Mw0rWqP0lN1fZ mWCoRIWQlo0otN8GVja22TVUw10lpoHI1BTlYTMyBg== X-Received: by 2002:a05:6102:387:b0:443:516b:782 with SMTP id m7-20020a056102038700b00443516b0782mr1896634vsq.33.1689824412895; Wed, 19 Jul 2023 20:40:12 -0700 (PDT) MIME-Version: 1.0 References: <20230707092414.866760-1-zyytlz.wz@163.com> In-Reply-To: <20230707092414.866760-1-zyytlz.wz@163.com> From: Chen-Yu Tsai Date: Thu, 20 Jul 2023 11:40:01 +0800 Message-ID: Subject: Re: [RESEND PATCH v2] media: mtk-jpeg: Fix use after free bug due to uncanceled work To: Zheng Wang Cc: Kyrie.Wu@mediatek.com, bin.liu@mediatek.com, mchehab@kernel.org, matthias.bgg@gmail.com, angelogioacchino.delregno@collabora.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, Irui.Wang@mediatek.com, security@kernel.org, hackerzheng666@gmail.com, 1395428693sheep@gmail.com, alex000young@gmail.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jul 7, 2023 at 5:25=E2=80=AFPM Zheng Wang wrote= : > > In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with > mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run > and mtk_jpeg_enc_device_run may be called to start the > work. > If we remove the module which will call mtk_jpeg_remove > to make cleanup, there may be a unfinished work. The > possible sequence is as follows, which will cause a > typical UAF bug. > > Fix it by canceling the work before cleanup in the mtk_jpeg_remove > > CPU0 CPU1 > > |mtk_jpeg_job_timeout_work > mtk_jpeg_remove | > v4l2_m2m_release | > kfree(m2m_dev); | > | > | v4l2_m2m_get_curr_priv > | m2m_dev->curr_ctx //use > Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder= Driver") > Signed-off-by: Zheng Wang Reviewed-by: Chen-Yu Tsai