提交 df1542dd 编写于 作者: Z Zheng Wang 提交者: Zhang Xiaoxu

media: rkvdec: fix use after free bug in rkvdec_remove

stable inclusion
from stable-v5.10.180
commit de19d02d734ef29f5dbd2c12fe810fa960ecd83f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7EDZ3
CVE: CVE-2023-35829

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=de19d02d734ef29f5dbd2c12fe810fa960ecd83f

--------------------------------

[ Upstream commit 3228cec2 ]

In rkvdec_probe, rkvdec->watchdog_work is bound with
rkvdec_watchdog_func. Then rkvdec_vp9_run may
be called to start the work.

If we remove the module which will call rkvdec_remove
 to make cleanup, there may be a unfinished work.
 The possible sequence is as follows, which will
 cause a typical UAF bug.

Fix it by canceling the work before cleanup in rkvdec_remove.

CPU0                  CPU1

                    |rkvdec_watchdog_func
rkvdec_remove       |
 rkvdec_v4l2_cleanup|
  v4l2_m2m_release  |
    kfree(m2m_dev); |
                    |
                    | v4l2_m2m_get_curr_priv
                    |   m2m_dev->curr_ctx //use

Fixes: cd33c830 ("media: rkvdec: Add the rkvdec driver")
Signed-off-by: NZheng Wang <zyytlz.wz@163.com>
Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: NMauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NZhang Xiaoxu <zhangxiaoxu5@huawei.com>
上级 7ac36644
......@@ -1077,6 +1077,8 @@ static int rkvdec_remove(struct platform_device *pdev)
{
struct rkvdec_dev *rkvdec = platform_get_drvdata(pdev);
cancel_delayed_work_sync(&rkvdec->watchdog_work);
rkvdec_v4l2_cleanup(rkvdec);
pm_runtime_disable(&pdev->dev);
pm_runtime_dont_use_autosuspend(&pdev->dev);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册