In the Linux kernel, the following vulnerability has been resolved:
media: mtk-jpeg: Fix use after free bug due to error path handling in mtkjpegdecdevicerun
In mtkjpegprobe, &jpeg->jobtimeoutwork is bound with mtkjpegjobtimeoutwork.
In mtkjpegdecdevicerun, if error happens in mtkjpegsetdecdst, it will finally start the worker while mark the job as finished by invoking v4l2m2mjob_finish.
There are two methods to trigger the bug. If we remove the module, it which will call mtkjpegremove to make cleanup. The possible sequence is as follows, which will cause a use-after-free bug.
CPU0 CPU1 mtkjpegdec... | start worker | |mtkjpegjobtimeoutwork mtkjpegremove | v4l2m2mrelease | kfree(m2mdev); | | | v4l2m2mgetcurrpriv | m2mdev->currctx //use
If we close the file descriptor, which will call mtkjpegrelease, it will have a similar sequence.
Fix this bug by starting timeout worker only if started jpegdec worker successfully. Then v4l2m2mjobfinish will only be called in either mtkjpegjobtimeoutwork or mtkjpegdecdevice_run.