diff options
| author | Zheng Wang <[email protected]> | 2023-03-13 16:42:20 +0000 |
|---|---|---|
| committer | Mauro Carvalho Chehab <[email protected]> | 2023-04-10 14:20:25 +0100 |
| commit | 3228cec23b8b29215e18090c6ba635840190993d (patch) | |
| tree | 0054e868a537481042fa5ec28ff066c8c4b2855a /tools/perf/scripts/python/net_dropmonitor.py | |
| parent | 50d0a7aea4809cef87979d4669911276aa23b71f (diff) | |
media: rkvdec: fix use after free bug in rkvdec_remove
In rkvdec_probe, rkvdec->watchdog_work is bound with
rkvdec_watchdog_func. Then rkvdec_vp9_run may
be called to start the work.
If we remove the module which will call rkvdec_remove
to make cleanup, there may be a unfinished work.
The possible sequence is as follows, which will
cause a typical UAF bug.
Fix it by canceling the work before cleanup in rkvdec_remove.
CPU0 CPU1
|rkvdec_watchdog_func
rkvdec_remove |
rkvdec_v4l2_cleanup|
v4l2_m2m_release |
kfree(m2m_dev); |
|
| v4l2_m2m_get_curr_priv
| m2m_dev->curr_ctx //use
Fixes: cd33c830448b ("media: rkvdec: Add the rkvdec driver")
Signed-off-by: Zheng Wang <[email protected]>
Signed-off-by: Hans Verkuil <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/net_dropmonitor.py')
0 files changed, 0 insertions, 0 deletions