media: rkvdec: fix use after free bug in rkvdec_remove
stable inclusion
from stable-v5.10.180
commit de19d02d734ef29f5dbd2c12fe810fa960ecd83f
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I7EDZ3
CVE: CVE-2023-35829

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=de19d02d734ef29f5dbd2c12fe810fa960ecd83f

--------------------------------

[ Upstream commit 3228cec2 ]

In rkvdec_probe, rkvdec->watchdog_work is bound with
rkvdec_watchdog_func. Then rkvdec_vp9_run may
be called to start the work.

If we remove the module which will call rkvdec_remove
to make cleanup, there may be an unfinished work.
The possible sequence is as follows, which will
cause a typical UAF bug.

Fix it by canceling the work before cleanup in rkvdec_remove.

CPU0                  CPU1

                    |rkvdec_watchdog_func
rkvdec_remove       |
 rkvdec_v4l2_cleanup|
  v4l2_m2m_release  |
   kfree(m2m_dev);  |
                    |
                    | v4l2_m2m_get_curr_priv
                    | m2m_dev->curr_ctx //use

Fixes: cd33c830 ("media: rkvdec: Add the rkvdec driver")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
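The interleaving in the commit message, as an added illustration that is not code from the kernel, the rkvdec driver or this commit: a single-threaded C model of a deferred work item in which the worker (CPU1) is played by run_pending_work(), cancel_work_sync() is modelled by dequeuing the item, and the m2m device is never really freed but carries a poison flag so the stale access is counted deterministically instead of being undefined behaviour. The struct and function names mirror the ones in the message but are assumptions of this model, not the driver's definitions. It runs the remove path both with and without the cancel and returns how many times the watchdog touched the released object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal model of a kernel work item (constructed for this example; only
 * the ordering rules it mimics, queue -> cancel_work_sync -> free, are real). */
struct work_struct {
    void (*func)(struct work_struct *work);
    bool pending;
};

/* One-slot "workqueue": at most one item waits to run. */
static struct work_struct *pending_work;

static void schedule_work(struct work_struct *work)
{
    work->pending = true;
    pending_work = work;
}

/* Model of cancel_work_sync(): after it returns the work is neither queued
 * nor running. Returns true if it was still pending, i.e. would have run. */
static bool cancel_work_sync(struct work_struct *work)
{
    bool was_pending = work->pending;

    work->pending = false;
    if (pending_work == work)
        pending_work = NULL;
    return was_pending;
}

/* The worker (CPU1 in the diagram) picking up whatever is queued. */
static void run_pending_work(void)
{
    struct work_struct *work = pending_work;

    pending_work = NULL;
    if (work) {
        work->pending = false;
        work->func(work);
    }
}

/* Stand-ins for the driver objects (hypothetical layouts). */
struct m2m_dev {
    int curr_ctx;
    bool released;   /* set where the real driver would kfree(m2m_dev) */
};

struct rkvdec_dev {
    struct m2m_dev *m2m_dev;
    struct work_struct watchdog_work;
};

static int stale_accesses;   /* times the work touched a released m2m_dev */

/* Model of rkvdec_watchdog_func(): reaches m2m_dev via the embedding device. */
static void rkvdec_watchdog_func(struct work_struct *work)
{
    struct rkvdec_dev *rkvdec = (struct rkvdec_dev *)
        ((char *)work - offsetof(struct rkvdec_dev, watchdog_work));

    if (rkvdec->m2m_dev->released) {
        stale_accesses++;    /* the "m2m_dev->curr_ctx //use" after kfree */
        return;
    }
    rkvdec->m2m_dev->curr_ctx = 0;
}

/* Model of v4l2_m2m_release() -> kfree(m2m_dev). */
static void v4l2_m2m_release(struct m2m_dev *m2m_dev)
{
    m2m_dev->released = true;
}

/* Before the fix: release with the watchdog work possibly still queued. */
static void rkvdec_remove_before_fix(struct rkvdec_dev *rkvdec)
{
    v4l2_m2m_release(rkvdec->m2m_dev);
}

/* After the fix: cancel (and wait for) the work, then release. */
static void rkvdec_remove_after_fix(struct rkvdec_dev *rkvdec)
{
    cancel_work_sync(&rkvdec->watchdog_work);
    v4l2_m2m_release(rkvdec->m2m_dev);
}

/* Plays the sequence once: rkvdec_vp9_run queues the watchdog, the module is
 * removed, then the worker runs. Returns the number of stale accesses. */
int simulate_remove(bool fixed)
{
    struct m2m_dev m2m = { .curr_ctx = 1, .released = false };
    struct rkvdec_dev rkvdec = {
        .m2m_dev = &m2m,
        .watchdog_work = { .func = rkvdec_watchdog_func, .pending = false },
    };

    stale_accesses = 0;
    pending_work = NULL;

    schedule_work(&rkvdec.watchdog_work);       /* rkvdec_vp9_run starts the work */
    if (fixed)
        rkvdec_remove_after_fix(&rkvdec);       /* CPU0: cancel, then release */
    else
        rkvdec_remove_before_fix(&rkvdec);      /* CPU0: release, work still queued */
    run_pending_work();                         /* CPU1: watchdog finally runs */

    return stale_accesses;
}

int main(void)
{
    printf("before fix: %d stale access(es)\n", simulate_remove(false));
    printf("after fix:  %d stale access(es)\n", simulate_remove(true));
    return 0;
}
```

The model is deliberately sequential: the real race needs the worker to wake after kfree, which cancel_work_sync() rules out by both dequeuing a pending item and waiting for a running one to finish, so the only ordering that matters in rkvdec_remove is cancel before release.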