From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Fan Wu <fanwu01@zju.edu.cn>,
Nicolas Dufresne <nicolas.dufresne@collabora.com>,
Hans Verkuil <hverkuil+cisco@kernel.org>
Subject: [PATCH 7.0 66/76] media: mediatek: vcodec: fix use-after-free in encoder release path
Date: Mon, 20 Apr 2026 17:42:17 +0200 [thread overview]
Message-ID: <20260420153913.223077452@linuxfoundation.org> (raw)
In-Reply-To: <20260420153910.810034134@linuxfoundation.org>
7.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fan Wu <fanwu01@zju.edu.cn>
commit 76e35091ffc722ba39b303e48bc5d08abb59dd56 upstream.
The fops_vcodec_release() function frees the context structure (ctx)
without first cancelling any pending or running work in ctx->encode_work.
This creates a race window where the workqueue handler (mtk_venc_worker)
may still be accessing the context memory after it has been freed.
Race condition:
CPU 0 (release path)                  CPU 1 (workqueue)
---------------------                 ------------------
fops_vcodec_release()
  v4l2_m2m_ctx_release()
    v4l2_m2m_cancel_job()
      // waits for m2m job "done"
                                      mtk_venc_worker()
                                        v4l2_m2m_job_finish()
                                          // m2m job "done"
                                        // BUT worker still running!
                                        // post-job_finish access:
                                        other ctx dereferences
                                        // UAF if ctx already freed
      // returns (job "done")
  kfree(ctx)                            // ctx freed
Root cause: The v4l2_m2m_ctx_release() only waits for the m2m job
lifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle.
After v4l2_m2m_job_finish() is called, the m2m framework considers
the job complete and v4l2_m2m_ctx_release() returns, but the worker
function continues executing and may still access ctx.
The work is queued during encode operations via:
queue_work(ctx->dev->encode_workqueue, &ctx->encode_work)
The worker function accesses ctx->m2m_ctx, ctx->dev, and other ctx
fields even after calling v4l2_m2m_job_finish().
This vulnerability was confirmed with KASAN by running an instrumented
test module that widens the post-job_finish race window. KASAN detected:
BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180
Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12
Workqueue: mtk_vcodec_enc_wq mtk_venc_worker
Allocated by task 47:
__kasan_kmalloc+0x7f/0x90
fops_vcodec_open+0x85/0x1a0
Freed by task 47:
__kasan_slab_free+0x43/0x70
kfree+0xee/0x3a0
fops_vcodec_release+0xb7/0x190
Fix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx).
This ensures the workqueue handler is both cancelled (if pending) and
synchronized (waits for any running handler to complete) before the
context is freed.
Placement rationale: The fix is placed after v4l2_ctrl_handler_free()
and before list_del_init(&ctx->list). At this point, all m2m operations
are done (v4l2_m2m_ctx_release() has returned), and we need to ensure
the workqueue is synchronized before removing ctx from the list and
freeing it.
Note: The open error path does NOT need cancel_work_sync() because
INIT_WORK() only initializes the work structure - it does not schedule
it. Work is only scheduled later during device_run() operations.
Fixes: 0934d3759615 ("media: mediatek: vcodec: separate decoder and encoder")
Cc: stable@vger.kernel.org
Signed-off-by: Fan Wu <fanwu01@zju.edu.cn>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c
+++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c
@@ -215,6 +215,15 @@ static int fops_vcodec_release(struct fi
v4l2_fh_exit(&ctx->fh);
v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
+ /*
+ * Cancel any pending encode work before freeing the context.
+ * Although v4l2_m2m_ctx_release() waits for m2m job completion,
+ * the workqueue handler (mtk_venc_worker) may still be accessing
+ * the context after v4l2_m2m_job_finish() returns. Without this,
+ * a use-after-free occurs when the worker accesses ctx after kfree.
+ */
+ cancel_work_sync(&ctx->encode_work);
+
spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_del_init(&ctx->list);
spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
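Review bot: the new cancel_work_sync() runs only after v4l2_m2m_ctx_release() has already returned (per the placement rationale in the commit message), yet the same message states that the worker still touches ctx->m2m_ctx after v4l2_m2m_job_finish(); if v4l2_m2m_ctx_release() tears down m2m_ctx, that access stays unsynchronized and this hunk fixes only the lifetime of ctx itself. Either confirm that the post-job_finish accesses never reach ctx->m2m_ctx, or move `cancel_work_sync(&ctx->encode_work);` ahead of v4l2_m2m_ctx_release() so the handler has fully returned before any m2m teardown. The comment block could also be cut to its first and last sentences, since the middle restates the commit message.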
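As an added illustration, not code from the patch or the driver: a user-space pthread model of the two lifecycles the commit message distinguishes. The names ctx, job_done, worker_done, freed and run_cycle and the 50 ms delay are constructed for the model; run_cycle(0) reproduces a release path that waits only for the m2m job, run_cycle(1) the fixed path that also waits for the handler, and each returns how many times the worker touched the context after the simulated kfree().

```c
#define _GNU_SOURCE /* for usleep() */
/* Added example, not part of the patch: pthread model of the race in
 * fops_vcodec_release(). job_done = the m2m job lifecycle v4l2_m2m_ctx_release()
 * waits on; worker_done = the handler lifecycle only cancel_work_sync() waits on. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#include <unistd.h>

struct ctx {
    atomic_int job_done;         /* "v4l2_m2m_job_finish()" was called */
    atomic_int worker_done;      /* the handler has really returned */
    atomic_int freed;            /* the release path "freed" ctx (stands in for kfree) */
    atomic_int post_free_access; /* what KASAN reports as slab-use-after-free */
};

/* Models mtk_venc_worker(): finishes the m2m job, then keeps touching ctx. */
static void *worker(void *arg)
{
    struct ctx *c = arg;
    atomic_store(&c->job_done, 1);  /* v4l2_m2m_job_finish() */
    usleep(50000);                  /* widened window, like the instrumented test */
    if (atomic_load(&c->freed))     /* post-job_finish ctx dereference */
        atomic_fetch_add(&c->post_free_access, 1);
    atomic_store(&c->worker_done, 1);
    return NULL;
}

/* Release path: sync_worker == 0 waits for the job only (the bug),
 * sync_worker == 1 also waits for the handler, as cancel_work_sync() does. */
static void release_ctx(struct ctx *c, int sync_worker)
{
    while (!atomic_load(&c->job_done))       /* v4l2_m2m_ctx_release() */
        usleep(100);
    while (sync_worker && !atomic_load(&c->worker_done))
        usleep(100);                         /* cancel_work_sync() */
    atomic_store(&c->freed, 1);              /* kfree(ctx) */
}

int run_cycle(int sync_worker)
{
    struct ctx *c = calloc(1, sizeof(*c));
    pthread_t t;
    if (!c || pthread_create(&t, NULL, worker, c) != 0) abort();
    release_ctx(c, sync_worker);
    pthread_join(t, NULL); /* outside the model; lets us read the count safely */
    int touched = atomic_load(&c->post_free_access);
    free(c);
    return touched;
}
```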