mirror of
https://github.com/torvalds/linux.git
synced 2026-05-27 16:44:58 +02:00
34c519feef
The mtk_jpeg_release() function frees the context structure (ctx) without
first cancelling any pending or running work in ctx->jpeg_work. This
creates a race window where the workqueue callback may still be accessing
the context memory after it has been freed.
Race condition:
CPU 0 (release) CPU 1 (workqueue)
---------------- ------------------
close()
mtk_jpeg_release()
mtk_jpegenc_worker()
ctx = work->data
// accessing ctx
kfree(ctx) // freed!
access ctx // UAF!
The work is queued via queue_work() during JPEG encode/decode operations
(via mtk_jpeg_device_run). If the device is closed while work is pending
or running, the work handler will access freed memory.
Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This
ordering is critical: if cancel_work_sync() is called after mutex_lock(),
and the work handler also tries to acquire the same mutex, it would cause
a deadlock.
Note: The open error path does NOT need cancel_work_sync() because
INIT_WORK() only initializes the work structure - it does not schedule
it. Work is only scheduled later during ioctl operations.
Fixes:
|
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| mtk_jpeg_core.c | ||
| mtk_jpeg_core.h | ||
| mtk_jpeg_dec_hw.c | ||
| mtk_jpeg_dec_hw.h | ||
| mtk_jpeg_dec_parse.c | ||
| mtk_jpeg_dec_parse.h | ||
| mtk_jpeg_dec_reg.h | ||
| mtk_jpeg_enc_hw.c | ||
| mtk_jpeg_enc_hw.h | ||