Message-ID: <03449762-33b9-3e86-c65f-4bb9e0e917c6@collabora.com>
Date: Thu, 20 Jul 2023 09:45:05 +0200
Subject: Re: [RESEND PATCH v2] media: mtk-jpeg: Fix use after free bug due to uncanceled work
From: AngeloGioacchino Del Regno
To: Zheng Wang, Kyrie.Wu@mediatek.com
Cc: bin.liu@mediatek.com, mchehab@kernel.org, matthias.bgg@gmail.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, Irui.Wang@mediatek.com, security@kernel.org, hackerzheng666@gmail.com, 1395428693sheep@gmail.com, alex000young@gmail.com
In-Reply-To: <20230707092414.866760-1-zyytlz.wz@163.com>
References: <20230707092414.866760-1-zyytlz.wz@163.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 07/07/23 11:24, Zheng Wang wrote:
> In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with
> mtk_jpeg_job_timeout_work. Then mtk_jpeg_dec_device_run
> and mtk_jpeg_enc_device_run may be called to start the
> work.
> If we remove the module which will call mtk_jpeg_remove
> to make cleanup, there may be an unfinished work. The
> possible sequence is as follows, which will cause a
> typical UAF bug.
>
> Fix it by canceling the work before cleanup in the mtk_jpeg_remove
>
> CPU0                  CPU1
>
>                     |mtk_jpeg_job_timeout_work
> mtk_jpeg_remove     |
>   v4l2_m2m_release  |
>     kfree(m2m_dev); |
>                     |
>                     | v4l2_m2m_get_curr_priv
>                     |   m2m_dev->curr_ctx //use
> Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver")
> Signed-off-by: Zheng Wang

Reviewed-by: AngeloGioacchino Del Regno
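A userspace model of the remove-versus-timeout-work ordering the commit message describes, added here as an example; it is not code from the patch, the mtk-jpeg driver or the reviewer. The struct fields, magic values and function names are constructed stand-ins, and the cancel step is assumed to behave like the kernel's cancel_delayed_work_sync() as far as dropping queued work goes.

```c
/* Constructed model, not driver code: a queued work item is stood in for
 * by a pending flag and kfree() by a poison write, so a late access is
 * observable instead of undefined behaviour. */
#include <stdbool.h>
#define FREED_MAGIC 0x6b6b6b6bu   /* mimics SLUB poisoning of freed memory */
#define LIVE_MAGIC  0x1234u

struct m2m_dev { unsigned int magic; int curr_ctx; };
struct jpeg_dev {
    struct m2m_dev *m2m_dev;
    bool timeout_work_pending;    /* stands in for a queued delayed_work */
};

/* Model of kfree(): poison instead of free so a later read is observable. */
static void model_kfree(struct m2m_dev *d) { d->magic = FREED_MAGIC; }

/* Model of mtk_jpeg_job_timeout_work: returns curr_ctx, or -1 when it
 * reads memory that kfree() already released (the UAF in the diagram). */
static int timeout_work_fn(struct jpeg_dev *jpeg)
{
    jpeg->timeout_work_pending = false;
    if (jpeg->m2m_dev->magic == FREED_MAGIC)
        return -1;                /* m2m_dev->curr_ctx //use, after kfree */
    return jpeg->m2m_dev->curr_ctx;
}

/* Model of cancel_delayed_work_sync(): the real call also waits for a
 * handler that is already running; this model only drops the queued one. */
static void model_cancel_work_sync(struct jpeg_dev *jpeg)
{
    jpeg->timeout_work_pending = false;
}

/* mtk_jpeg_remove, with or without the fix. */
static void model_remove(struct jpeg_dev *jpeg, bool cancel_first)
{
    if (cancel_first)
        model_cancel_work_sync(jpeg);   /* the fix: cancel before release */
    model_kfree(jpeg->m2m_dev);         /* v4l2_m2m_release -> kfree(m2m_dev) */
}

/* CPU0/CPU1 interleaving from the commit message: work queued, remove
 * runs on CPU0, then the timeout fires on CPU1. -1 means use after free. */
int simulate_remove_race(bool fixed)
{
    struct m2m_dev m2m = { LIVE_MAGIC, 7 };
    struct jpeg_dev jpeg = { &m2m, true };
    model_remove(&jpeg, fixed);
    return jpeg.timeout_work_pending ? timeout_work_fn(&jpeg) : 0;
}
```

The same check applies to any driver remove path: every work item, timer or tasklet that dereferences an object must be cancelled synchronously before that object is released.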