From: Ezequiel Garcia
Date: Fri, 15 Sep 2023 11:05:00 +0200
Subject: Re: [PATCH] media: verisilicon: fix use after free bug in hantro_remove due to race condition
To: Ma Ke
Cc: p.zabel@pengutronix.de, mchehab@kernel.org, linux-media@vger.kernel.org, linux-rockchip@lists.infradead.org, linux-kernel@vger.kernel.org

Hi Ma,

This was already discussed:

https://patchwork.kernel.org/project/linux-media/patch/20230313154132.3684181-1-zyytlz.wz@163.com/

Thanks,
Ezequiel

On Fri, Sep 15, 2023 at 8:51 AM Ma Ke wrote:
>
> In hantro_probe, vpu->watchdog_work is bound with hantro_watchdog function. In
> hantro_end_prepare_run, it will be started by schedule_delayed_work. If there is an
> unfinished work in hantro_remove, there may be a race condition and trigger UAF
> bug.
>
> Signed-off-by: Ma Ke
> --- > drivers/media/platform/verisilicon/hantro_drv.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/media/platform/verisilicon/hantro_drv.c b/drivers/me= dia/platform/verisilicon/hantro_drv.c > index 423fc85d79ee..1a5b3a85c520 100644 > --- a/drivers/media/platform/verisilicon/hantro_drv.c > +++ b/drivers/media/platform/verisilicon/hantro_drv.c 
> @@ -1187,6 +1187,7 @@ static void hantro_remove(struct platform_device *p= dev) > > v4l2_info(&vpu->v4l2_dev, "Removing %s\n", pdev->name); > > + cancel_delayed_work_sync(&vpu->watchdog_work); > media_device_unregister(&vpu->mdev); > hantro_remove_dec_func(vpu); > hantro_remove_enc_func(vpu); > -- > 2.37.2 >
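
Review bot: the added cancel_delayed_work_sync(&vpu->watchdog_work) call sits ahead of media_device_unregister(), hantro_remove_dec_func() and hantro_remove_enc_func(), so the window the commit message describes may remain open. The message says the work is armed by schedule_delayed_work in hantro_end_prepare_run, and nothing in this hunk stops a run that starts after the cancel returns from arming it again before the teardown calls complete. Consider moving the cancel to after hantro_remove_enc_func(vpu), or stating in the commit message why no new run can begin once hantro_remove() has been entered. The message also carries no Fixes: tag naming the commit that introduced the race, which would help stable backports.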