Message-ID: <9b47d551-991b-5a60-39cf-3d47fbf68ea4@collabora.com>
Date: Tue, 19 Sep 2023 21:25:47 +0300
Subject: Re: [RESEND PATCH v2] media: mtk-jpeg: Fix use after free bug due to uncanceled work
From: Dmitry Osipenko
To: Zheng Hacker, AngeloGioacchino Del Regno
Cc: Zheng Wang, Kyrie.Wu@mediatek.com, bin.liu@mediatek.com, mchehab@kernel.org, matthias.bgg@gmail.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, Irui.Wang@mediatek.com, security@kernel.org, 1395428693sheep@gmail.com, alex000young@gmail.com, Collabora Kernel ML
References: <20230707092414.866760-1-zyytlz.wz@163.com> <8c8bd3ec-a5a4-32e4-45b5-ee16eeeac246@collabora.com> <54b14ebe-b51b-2744-328d-2adcdaaf6d0e@collabora.com> <4d533beb-f416-1b22-6d9d-cee7f3cfdad1@collabora.com>
In-Reply-To: <4d533beb-f416-1b22-6d9d-cee7f3cfdad1@collabora.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 9/19/23 21:24, Dmitry Osipenko wrote:
> On 8/31/23 11:18, Zheng Hacker wrote:
>>> The v4l2_m2m_ctx_release() already should wait for the job_timeout_work
>>> completion or for the interrupt fire. Apparently it doesn't work in
>>> your case. You'll need to debug why v4l job or job_timeout_work is
>>> running after v4l2_m2m_ctx_release(), it shouldn't happen.
>>>
>> Yes, v4l2_m2m_cancel_job waits for m2m_ctx->job_flags to be ~TRANS_RUNNING,
>> the mtk_jpeg_job_timeout_work will finally invoke v4l2_m2m_job_finish
>> to trigger that.
>>
>> However, this is not the only path to call v4l2_m2m_job_finish. Here
>> is an invoking chain:
>>
>> v4l_streamon
>>   ->v4l2_m2m_ioctl_streamon
>>     ->v4l2_m2m_streamon
>>       ->v4l2_m2m_try_schedule
>>         ->v4l2_m2m_try_run
>>           ->mtk_jpeg_dec_device_run
>>             ->schedule_delayed_work(&jpeg->job_timeout_work...
>>             ->error path goto dec_end
>>               ->v4l2_m2m_job_finish
>>
>> In some specific situation, it starts the worker and also calls
>> v4l2_m2m_job_finish, which might make v4l2_m2m_cancel_job continue.
>
> Then the error path should cancel the job_timeout_work, or better job

s/job/timeout work/

> needs to be run after the dec/enc has been started and not before.
>
> Looking further at the code, I'm confused by this hunk:
>
>     mtk_jpeg_dec_start(comp_jpeg[hw_id]->reg_base);
>     v4l2_m2m_job_finish(jpeg->m2m_dev, ctx->fh.m2m_ctx);
>
> The job should be marked as finished when h/w has finished processing
> the job and not right after the job has been started. So the job is
> always completed and mtk_jpeg_job_timeout_work() doesn't work as
> expected, am I missing something?
>

--
Best regards,
Dmitry
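The ordering the thread describes, as an added user-space C model (not code from the patch or the mtk-jpeg driver): the v4l2 and workqueue calls are replaced by flags, and the names ctx_release, device_run_error_path and timeout_work are hypothetical stand-ins for v4l2_m2m_ctx_release(), the mtk_jpeg_dec_device_run() error path and mtk_jpeg_job_timeout_work(). It shows why v4l2_m2m_cancel_job() returning says nothing about the driver's own delayed work, and that cancelling that work on the error path closes the window.

```c
/* Constructed user-space model of the mtk-jpeg timeout-work race; not kernel
 * code. The v4l2/workqueue calls are replaced by flags set in the same order. */
#include <stdbool.h>

struct ctx {
    bool job_running;     /* stands in for m2m_ctx->job_flags & TRANS_RUNNING */
    bool timeout_pending; /* stands in for jpeg->job_timeout_work being queued */
    bool freed;           /* set by ctx_release(); a worker must never see it */
};

/* v4l2_m2m_job_finish(): clears TRANS_RUNNING, which lets cancel_job() return */
static void job_finish(struct ctx *c) { c->job_running = false; }

/* device_run() error path from the thread's call chain: the timeout work is
 * queued before the hardware starts, then "goto dec_end" finishes the job. */
static void device_run_error_path(struct ctx *c, bool cancel_on_error)
{
    c->job_running = true;
    c->timeout_pending = true;      /* schedule_delayed_work(&job_timeout_work) */
    if (cancel_on_error)
        c->timeout_pending = false; /* fix: cancel_delayed_work_sync() first */
    job_finish(c);                  /* dec_end: v4l2_m2m_job_finish() */
}

/* v4l2_m2m_ctx_release(): cancel_job() waits only for TRANS_RUNNING to clear
 * (already clear here) and knows nothing about the driver's delayed work. */
static void ctx_release(struct ctx *c)
{
    c->freed = true;                /* the context memory is gone after this */
}

/* mtk_jpeg_job_timeout_work(): fires later from the workqueue if still queued.
 * Returns true when it touched a context that has already been released. */
static bool timeout_work(struct ctx *c)
{
    if (!c->timeout_pending)
        return false;               /* cancelled: the work never runs */
    c->timeout_pending = false;
    job_finish(c);
    return c->freed;                /* a use-after-free in the real driver */
}

/* Whole sequence: streamon error path, ctx release, then the work fires. */
static bool work_runs_on_released_ctx(bool cancel_on_error)
{
    struct ctx c = {0};
    device_run_error_path(&c, cancel_on_error);
    ctx_release(&c);                /* returns at once: job already finished */
    return timeout_work(&c);
}
```

Dmitry's second point (marking the job finished right after mtk_jpeg_dec_start) has the same effect in this model: any path that finishes the job before the hardware has, without cancelling the queued work, lets the release proceed while the work is still pending.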