MIRRORS/linux-imx
1
0
Fork 0
mirror of https://github.com/nxp-imx/linux-imx.git synced 2025-07-08 10:25:20 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

media: venus: fix use after free bug in venus_remove due to race condition

Browse Source 
commit c5a85ed88e upstream.

in venus_probe, core->work is bound with venus_sys_error_handler, which is
used to handle error. The code use core->sys_err_done to make sync work.
The core->work is started in venus_event_notify.

If we call venus_remove, there might be an unfished work. The possible
sequence is as follows:

CPU0                  CPU1

                     |venus_sys_error_handler
venus_remove         |
hfi_destroy	 		 |
venus_hfi_destroy	 |
kfree(hdev);	     |
                     |hfi_reinit
					 |venus_hfi_queues_reinit
                     |//use hdev

Fix it by canceling the work in venus_remove.

Cc: stable@vger.kernel.org
Fixes: af2c3834c8 ("[media] media: venus: adding core part and helper functions")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Zheng Wang 2024-06-18 14:55:59 +05:30 committed by Greg Kroah-Hartman
parent 56770d1e01
commit b0686aedc5
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
drivers/media/platform/qcom/venus/core.c
View File

@ -424,6 +424,7 @@ static void venus_remove(struct platform_device *pdev)
struct device *dev = core->dev; struct device *dev = core->dev;
int ret; int ret;
cancel_delayed_work_sync(&core->work);
ret = pm_runtime_get_sync(dev); ret = pm_runtime_get_sync(dev);
WARN_ON(ret < 0); WARN_ON(ret < 0);