From: Ma Ke
To: ezequiel@vanguardiasur.com.ar, p.zabel@pengutronix.de, mchehab@kernel.org
Cc: linux-media@vger.kernel.org, linux-rockchip@lists.infradead.org, linux-kernel@vger.kernel.org, Ma Ke
Subject: [PATCH] media: verisilicon: fix use after free bug in hantro_remove due to race condition
Date: Fri, 15 Sep 2023 14:50:43 +0800
Message-Id: <20230915065043.3401840-1-make_ruc2021@163.com>

In hantro_probe, vpu->watchdog_work is bound with hantro_watchdog function. In hantro_end_prepare_run, it will be started by schedule_delayed_work. If there is an unfinished work in hantro_remove, there may be a race condition and trigger a UAF bug.

Signed-off-by: Ma Ke
---
 drivers/media/platform/verisilicon/hantro_drv.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/platform/verisilicon/hantro_drv.c b/drivers/media/platform/verisilicon/hantro_drv.c index 423fc85d79ee..1a5b3a85c520 100644 --- a/drivers/media/platform/verisilicon/hantro_drv.c +++ b/drivers/media/platform/verisilicon/hantro_drv.c @@ -1187,6 +1187,7 @@ static void hantro_remove(struct platform_device *pdev) v4l2_info(&vpu->v4l2_dev, "Removing %s\n", pdev->name); + cancel_delayed_work_sync(&vpu->watchdog_work); media_device_unregister(&vpu->mdev); hantro_remove_dec_func(vpu); hantro_remove_enc_func(vpu); -- 2.37.2
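
Review bot: In hantro_remove the new cancel_delayed_work_sync(&vpu->watchdog_work) is placed before media_device_unregister(), hantro_remove_dec_func() and hantro_remove_enc_func(), so none of the teardown that follows it has run when the work is cancelled. The commit message says the work is armed from hantro_end_prepare_run via schedule_delayed_work; if a run can still be prepared after this point, the work can be queued again after the cancel and the race stays open. Consider moving the cancel after the encoder and decoder functions are removed, or explain in the commit message why no new run can start once hantro_remove has been entered. The message would also benefit from naming which object the pending work touches after it is freed, and from a Fixes: tag so the change can be backported.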