Message-ID: <6a9fda43-9391-eaba-11f6-87d4ff966cb1@collabora.com>
Date: Thu, 19 Oct 2023 22:56:02 +0300
From: Dmitry Osipenko
To: Zheng Hacker
Cc: AngeloGioacchino Del Regno, Zheng Wang, Kyrie.Wu@mediatek.com, bin.liu@mediatek.com, mchehab@kernel.org, matthias.bgg@gmail.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, Irui.Wang@mediatek.com, security@kernel.org, 1395428693sheep@gmail.com, alex000young@gmail.com, Collabora Kernel ML
Subject: Re: [RESEND PATCH v2] media: mtk-jpeg: Fix use after free bug due to uncanceled work
References: <20230707092414.866760-1-zyytlz.wz@163.com> <8c8bd3ec-a5a4-32e4-45b5-ee16eeeac246@collabora.com> <54b14ebe-b51b-2744-328d-2adcdaaf6d0e@collabora.com> <4d533beb-f416-1b22-6d9d-cee7f3cfdad1@collabora.com>

On 10/8/23 12:13, Zheng Hacker wrote:
> Dmitry Osipenko wrote on Wed, 20 Sep 2023 at 02:24:
>>
>> On 8/31/23 11:18, Zheng Hacker wrote:
>>>> The v4l2_m2m_ctx_release() should already wait for the job_timeout_work
>>>> completion or for the interrupt to fire. Apparently it doesn't work in
>>>> your case. You'll need to debug why v4l job or job_timeout_work is
>>>> running after v4l2_m2m_ctx_release(), it shouldn't happen.
>>>>
>>> Yes, v4l2_m2m_cancel_job waits for m2m_ctx->job_flags to be ~TRANS_RUNNING,
>>> the mtk_jpeg_job_timeout_work will finally invoke v4l2_m2m_job_finish
>>> to trigger that.
>>>
>>> However, this is not the only path to call v4l2_m2m_job_finish. Here
>>> is an invoking chain:
>>> v4l_streamon
>>> ->v4l2_m2m_ioctl_streamon
>>> ->v4l2_m2m_streamon
>>> ->v4l2_m2m_try_schedule
>>> ->v4l2_m2m_try_run
>>> ->mtk_jpeg_dec_device_run
>>> ->schedule_delayed_work(&jpeg->job_timeout_work...
>>> ->error path goto dec_end
>>> ->v4l2_m2m_job_finish
>>>
>>> In some specific situation, it starts the worker and also calls
>>> v4l2_m2m_job_finish, which might
>>> make v4l2_m2m_cancel_job continue.
>>
>> Then the error path should cancel the job_timeout_work, or better job
>> needs to be run after the dec/enc has been started and not before.
>>
>
> Hi,
>
> Sorry for my late reply; I just went on a long vacation.
>
> Get it.
> I'll write another patch and change the summary to the lack of
> canceling job in error path.
>
>> Looking further at the code, I'm confused by this hunk:
>>
>> mtk_jpeg_dec_start(comp_jpeg[hw_id]->reg_base);
>> v4l2_m2m_job_finish(jpeg->m2m_dev, ctx->fh.m2m_ctx);
>>
>> The job should be marked as finished when h/w has finished processing
>> the job and not right after the job has been started. So the job is
>> always completed and mtk_jpeg_job_timeout_work() doesn't work as
>> expected, am I missing something?
>
> After reading the code I still don't know. I didn't see any function
> like mtk_jpeg_dec_end. The same thing
> happens on mtk_jpeg_enc_start. I think I'd better fix the first
> problem and wait for someone familiar with
> the second part.

I missed that the code mentioned above is related to the multi-core hw
version, while you care about single-core. Nevertheless, the multi-core
device_run() looks incorrect, so the error code paths need to be
corrected. Please try to revert your fix and test this change:

diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c index 0051f372a66c..fd3b0587fcad 100644 --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c @@ -1254,9 +1254,6 @@ static void mtk_jpegdec_worker(struct work_struct *work) v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx); v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx); - schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); - mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param,
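Review bot: removing the schedule_delayed_work() that preceded mtk_jpeg_set_dec_src()/mtk_jpeg_set_dec_dst() in the @@ -1254,9 +1254,6 @@ hunk of mtk_jpegdec_worker() is the core of the fix: with the timer armed first, a failure of mtk_jpeg_set_dec_dst() took the `goto setdst_end` exit while job_timeout_work stayed queued for a job that never reached the hardware, and that stale work is what can later run against a released context. The change as posted has no commit message; when it is sent properly it should state this ordering problem explicitly and reference the original report, since the subject line of this thread (use after free due to uncanceled work) names the symptom rather than the cause.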
@@ -1266,6 +1263,9 @@ static void mtk_jpegdec_worker(struct work_struct *work) goto setdst_end; } + schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); + spin_lock_irqsave(&comp_jpeg[hw_id]->hw_lock, flags); ctx->total_frame_num++; mtk_jpeg_dec_reset(comp_jpeg[hw_id]->reg_base); @@ -1330,13 +1330,13 @@ static void mtk_jpeg_dec_device_run(void *priv) if (ret < 0) goto dec_end; - schedule_delayed_work(&jpeg->job_timeout_work, - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); - mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) goto dec_end; + schedule_delayed_work(&jpeg->job_timeout_work, + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); + spin_lock_irqsave(&jpeg->hw_lock, flags); mtk_jpeg_dec_reset(jpeg->reg_base); mtk_jpeg_dec_set_config(jpeg->reg_base, -- Best regards, Dmitry
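Review bot: in the @@ -1266,6 +1263,9 @@ hunk the timer is now armed after the `goto setdst_end` exit and immediately before spin_lock_irqsave(&comp_jpeg[hw_id]->hw_lock, flags), so setdst_end no longer has pending work to deal with; the visible context stops at mtk_jpeg_dec_reset(comp_jpeg[hw_id]->reg_base), though, so confirm that nothing between the new schedule_delayed_work() and the point where the hardware is actually started can still bail out, because any such exit would need a cancel_delayed_work() or the same stale-timer problem reappears there. This hunk also leaves untouched the mtk_jpeg_dec_start() followed directly by v4l2_m2m_job_finish() sequence questioned earlier in this thread, which should be tracked as a separate issue.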
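Review bot: the @@ -1330,13 +1330,13 @@ hunk applies the same reordering to the single-core mtk_jpeg_dec_device_run(), which is the path the original report is about: both `goto dec_end` exits (the `ret < 0` check and the mtk_jpeg_set_dec_dst() failure) now come before schedule_delayed_work(), so the v4l2_m2m_job_finish() at dec_end can no longer let v4l2_m2m_ctx_release() proceed while job_timeout_work is still queued. Two follow-ups: the reporter should rerun the reproducer with the earlier fix reverted, as the mail asks, and the encoder device_run(), which the thread notes has the same structure around mtk_jpeg_enc_start(), should be checked for the same early arming.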
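To make the ordering discussed in this thread concrete, the following is an added userspace model written for this page, not kernel code and not something posted by either participant: it plays out the three orderings side by side, the original arming of job_timeout_work before mtk_jpeg_set_dec_dst() can fail, the cancel-in-the-error-path fix Zheng planned, and the arm-after-setup reordering in Dmitry's patch, and reports whether the queued work would run against a released context. The TRANS_RUNNING flag handling and the names scenario_is_uaf, run_pending_timeout_work and run_variant are simplifications invented for the model, not the v4l2-mem2mem API.

```c
/* Constructed userspace model of the mtk-jpeg job_timeout_work race; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#define TRANS_RUNNING 1u /* simplified m2m_ctx->job_flags bit */
struct jpeg_ctx { unsigned int job_flags; bool freed; }; /* freed is set on release to detect UAF */
struct jpeg_dev { struct jpeg_ctx *timeout_ctx; };        /* non-NULL while job_timeout_work is queued */
enum run_variant { RUN_BUGGY, RUN_CANCEL_ON_ERROR, RUN_ARM_AFTER_SETUP };

/* device_run(): the timeout work is armed around a fallible setup step (mtk_jpeg_set_dec_dst). */
static int device_run(enum run_variant v, struct jpeg_dev *dev, struct jpeg_ctx *ctx, bool dst_fails)
{
    ctx->job_flags |= TRANS_RUNNING;              /* v4l2_m2m_try_run() marked the job running */
    if (v != RUN_ARM_AFTER_SETUP)
        dev->timeout_ctx = ctx;                   /* original order: schedule_delayed_work() first */
    if (dst_fails) {                              /* mtk_jpeg_set_dec_dst() failed: goto dec_end */
        if (v == RUN_CANCEL_ON_ERROR)
            dev->timeout_ctx = NULL;              /* Zheng's plan: cancel the work in the error path */
        ctx->job_flags &= ~TRANS_RUNNING;         /* dec_end: v4l2_m2m_job_finish() */
        return -1;
    }
    if (v == RUN_ARM_AFTER_SETUP)
        dev->timeout_ctx = ctx;                   /* Dmitry's patch: arm only once setup succeeded */
    return 0;                                     /* hardware started; IRQ or timeout finishes the job */
}

/* The workqueue later runs job_timeout_work; true means it would dereference a freed ctx. */
static bool run_pending_timeout_work(struct jpeg_dev *dev)
{
    struct jpeg_ctx *ctx = dev->timeout_ctx;
    dev->timeout_ctx = NULL;
    if (!ctx)
        return false;                             /* nothing queued: cancelled or never armed */
    if (ctx->freed)
        return true;                              /* use-after-free: work touches a released context */
    ctx->job_flags &= ~TRANS_RUNNING;             /* normal timeout path: finish the job */
    return false;
}

/* Failing-setup scenario end to end: run, release the context, then let the queued work run. */
bool scenario_is_uaf(enum run_variant v)
{
    struct jpeg_dev dev = { .timeout_ctx = NULL };
    struct jpeg_ctx ctx = { .job_flags = 0, .freed = false };
    device_run(v, &dev, &ctx, true);              /* mtk_jpeg_set_dec_dst() fails */
    if (!(ctx.job_flags & TRANS_RUNNING))         /* v4l2_m2m_ctx_release(): the job is already */
        ctx.freed = true;                         /* finished, so cancel_job does not wait; ctx freed */
    return run_pending_timeout_work(&dev);
}
```

Only the original ordering leaves queued work pointing at the freed context; both fixes avoid it, and the arm-after-setup variant does so without needing a cancel on every error exit.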