Received: by 2002:a05:7412:251c:b0:e2:908c:2ebd with SMTP id w28csp1880586rda; Tue, 24 Oct 2023 06:18:40 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFwHHgKXbfuF69xji7eMXKnJMTbcb73DYQm66dqhyT8e9meUv0YlA4/TCNCU0RC7wGQD1I7 X-Received: by 2002:a17:90a:9a90:b0:27d:4ede:75b0 with SMTP id e16-20020a17090a9a9000b0027d4ede75b0mr11860998pjp.16.1698153519716; Tue, 24 Oct 2023 06:18:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698153519; cv=none; d=google.com; s=arc-20160816; b=B5v7WWC9JIsJaMV4UVFLcY2JUR8CdDgZ5LqY0SrAWtIxusMInFsu1BbQjeM49uAxbA SAzB0FaAgnXb/KK8k7hTauPP8QkDch6TClBkUI0gRFNKv/GSdJC8rey2JrJCE+/4avr2 gsAE5HLKWVvWsQz/9iOhf0CqjXYM0HLwGIb8jyqZX1yNpPICP476qLfSgR1/XmY4JC7C ur0mhGwhXbDOk+nqTNhJoA2YfB0o/yIYL3N5U71H72EDhwpo6joU7INrTQBKHcSK/gxi DAT8v64XYxbIMYULSUis2zm7+FZYL52+hi6/ZNqbfvDVWZ5HeU8p3aZf6XhQZHs419J5 wUbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=1669Hl6Ks0FQv/7szMzI1OYODzfDqUz/lTvAbJbZ7pQ=; fh=A6jj4n8ofwLf5sa1DtErwx3wNHKAJ25A1jmSppHJYg0=; b=uJI9hKX6l9Htg6MtFDdOqcbOwBeZb1FIicMPOqXz8RL2vtq5LJzkujx/4YeTstQ8xa RwpY47KPrJuaBIdLAdky0Kvuwuoylp2jU1u7G4EPMJPclAolhejZ9qtKCXLQWjy7/2Up S42fhra7z33xAzhi1A7e0Ix1s68OotbGyZIw1+HeyLdcegdfaiqwvL/0snk0YxlL8gbK h6+EQr2wOe7bFs4x4bmesg2LIzNyfIAKd7QhfFIGx9nIhq+CKqWahOrHkxXZbYsbA+yk JyVyXsdKy3rwpQXjb60eGw0e6fvlbNi9kC1dTx8z7Nzgw5hEHj4l10NnPJHy00RgFrC2 QuAQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=J9AOWejT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Return-Path: Received: from groat.vger.email (groat.vger.email. [2620:137:e000::3:5]) by mx.google.com with ESMTPS id bb18-20020a17090b009200b002790b1320d4si11029575pjb.84.2023.10.24.06.18.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Oct 2023 06:18:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) client-ip=2620:137:e000::3:5; Authentication-Results: mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=J9AOWejT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:5 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id BC73D8056C5C; Tue, 24 Oct 2023 06:18:35 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234283AbjJXNSW (ORCPT + 99 others); Tue, 24 Oct 2023 09:18:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50606 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234255AbjJXNSV (ORCPT ); Tue, 24 Oct 2023 09:18:21 -0400 Received: from madras.collabora.co.uk (madras.collabora.co.uk [IPv6:2a00:1098:0:82:1000:25:2eeb:e5ab]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0437DE8; Tue, 24 Oct 2023 06:18:17 -0700 (PDT) Received: from [192.168.2.43] (109-252-153-31.dynamic.spd-mgts.ru [109.252.153.31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: dmitry.osipenko) by madras.collabora.co.uk (Postfix) with ESMTPSA id E7E0A6606F65; Tue, 24 Oct 2023 14:18:14 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com; s=mail; t=1698153496; bh=ZdNDKOXjLrdi253ASqG3On1nms5VdNUTOFAf7syjdvQ=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=J9AOWejTF4j3Axawxdi6Wese0sV0Fgpn1yfckKxnBdUMW9QbJ4aXHxWPq24gSILSI TWA1G3NavJBoB0+HoRgbISU9iHdWULRDF89dYFpMCs83a/lrtAstQrBuOoEuf/MZq9 mwPlx6EbSW9dzk+I3aaPxRSKlfk6GvxrocDsuRxS/UMkgjPVfXKh2wH5EhHayCdwpu qfe7hoXfms7HHUgh0znYH0vvU+NVW24crg++n5pVMw7//VS65gFjTjfO7Uhlqmh1bh 39zvb35EdAq9PZVGQts+k5ToyDyexWRc3HM0Nu926LXPdpMdQtVWWGIAdXFe1QmUJA H/zfqim9qdkug== Message-ID: <46f704c2-ba42-4e16-d798-ea2171e5ba16@collabora.com> Date: Tue, 24 Oct 2023 16:18:11 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1 Subject: Re: [PATCH] media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run Content-Language: en-US To: Zheng Wang Cc: Kyrie.Wu@mediatek.com, bin.liu@mediatek.com, mchehab@kernel.org, matthias.bgg@gmail.com, angelogioacchino.delregno@collabora.com, linux-media@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, Irui.Wang@mediatek.com, security@kernel.org, hackerzheng666@gmail.com, 1395428693sheep@gmail.com, alex000young@gmail.com, amergnat@baylibre.com, wenst@chromium.org, stable@vger.kernel.org References: <20231020040732.2499269-1-zyytlz.wz@163.com> From: Dmitry Osipenko In-Reply-To: <20231020040732.2499269-1-zyytlz.wz@163.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-4.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Tue, 24 Oct 2023 06:18:35 -0700 (PDT) On 10/20/23 07:07, Zheng Wang wrote: > In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with > mtk_jpeg_job_timeout_work. > > In mtk_jpeg_dec_device_run, if error happens in > mtk_jpeg_set_dec_dst, it will finally start the worker while > mark the job as finished by invoking v4l2_m2m_job_finish. > > There are two methods to trigger the bug. If we remove the > module, it which will call mtk_jpeg_remove to make cleanup. > The possible sequence is as follows, which will cause a > use-after-free bug. > > CPU0 CPU1 > mtk_jpeg_dec_... | > start worker | > |mtk_jpeg_job_timeout_work > mtk_jpeg_remove | > v4l2_m2m_release | > kfree(m2m_dev); | > | > | v4l2_m2m_get_curr_priv > | m2m_dev->curr_ctx //use > > If we close the file descriptor, which will call mtk_jpeg_release, > it will have a similar sequence. > > Fix this bug by start timeout worker only if started jpegdec worker > successfully so the v4l2_m2m_job_finish will only be called on > either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run. > > This patch also reverts commit c677d7ae8314 > ("media: mtk-jpeg: Fix use after free bug due to uncanceled work") > for this patch also fixed the use-after-free bug mentioned before. > Before mtk_jpeg_remove is invoked, mtk_jpeg_release must be invoked > to close opened files. And it will call v4l2_m2m_cancel_job to wait > for the timeout worker finished so the canceling in mtk_jpeg_remove > is unnecessary. > > Fixes: b2f0d2724ba4 ("[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver") > Signed-off-by: Zheng Wang > Signed-off-by: Dmitry Osipenko > Cc: stable@vger.kernel.org > --- > .../media/platform/mediatek/jpeg/mtk_jpeg_core.c | 13 ++++++------- > 1 file changed, 6 insertions(+), 7 deletions(-) > > diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c > index 7194f88edc0f..c3456c700c07 100644 > --- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c > +++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c > @@ -1021,13 +1021,13 @@ static void mtk_jpeg_dec_device_run(void *priv) > if (ret < 0) > goto dec_end; > > - schedule_delayed_work(&jpeg->job_timeout_work, > - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > - > mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); > if (mtk_jpeg_set_dec_dst(ctx, &jpeg_src_buf->dec_param, &dst_buf->vb2_buf, &fb)) > goto dec_end; > > + schedule_delayed_work(&jpeg->job_timeout_work, > + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > + > spin_lock_irqsave(&jpeg->hw_lock, flags); > mtk_jpeg_dec_reset(jpeg->reg_base); > mtk_jpeg_dec_set_config(jpeg->reg_base, > @@ -1403,7 +1403,6 @@ static void mtk_jpeg_remove(struct platform_device *pdev) > { > struct mtk_jpeg_dev *jpeg = platform_get_drvdata(pdev); > > - cancel_delayed_work_sync(&jpeg->job_timeout_work); > pm_runtime_disable(&pdev->dev); > video_unregister_device(jpeg->vdev); > v4l2_m2m_release(jpeg->m2m_dev); > @@ -1750,9 +1749,6 @@ static void mtk_jpegdec_worker(struct work_struct *work) > v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx); > v4l2_m2m_dst_buf_remove(ctx->fh.m2m_ctx); > > - schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, > - msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > - > mtk_jpeg_set_dec_src(ctx, &src_buf->vb2_buf, &bs); > if (mtk_jpeg_set_dec_dst(ctx, > &jpeg_src_buf->dec_param, > @@ -1762,6 +1758,9 @@ static void mtk_jpegdec_worker(struct work_struct *work) > goto setdst_end; > } > > + schedule_delayed_work(&comp_jpeg[hw_id]->job_timeout_work, > + msecs_to_jiffies(MTK_JPEG_HW_TIMEOUT_MSEC)); > + > spin_lock_irqsave(&comp_jpeg[hw_id]->hw_lock, flags); > ctx->total_frame_num++; > mtk_jpeg_dec_reset(comp_jpeg[hw_id]->reg_base); What about to split this patch into 3 patches: 1. will remove cancel_delayed_work_sync() 2. will update mtk_jpeg_dec_device_run() 3. will update mtk_jpegdec_worker() The reason for splitting is because the multi-core mtk_jpegdec_worker() doesn't present in older stable kernels, and thus, the patch isn't backportable as-is. -- Best regards, Dmitry