CVE-2023-52491

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
11/03/2024
Last modified:
12/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run

In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeout_work.

In mtk_jpeg_dec_device_run, if an error happens in mtk_jpeg_set_dec_dst, it will finally start the worker while marking the job as finished by invoking v4l2_m2m_job_finish.

There are two methods to trigger the bug. If we remove the module, which will call mtk_jpeg_remove to perform cleanup, the possible sequence is as follows, which will cause a use-after-free bug.

CPU0                       CPU1
mtk_jpeg_dec_...          |
  start worker            |
                          |mtk_jpeg_job_timeout_work
mtk_jpeg_remove           |
  v4l2_m2m_release        |
    kfree(m2m_dev);       |
                          |
                          | v4l2_m2m_get_curr_priv
                          |   m2m_dev->curr_ctx //use

If we close the file descriptor, which will call mtk_jpeg_release, it will have a similar sequence.

Fix this bug by starting the timeout worker only if the jpegdec worker started successfully. Then v4l2_m2m_job_finish will only be called in either mtk_jpeg_job_timeout_work or mtk_jpeg_dec_device_run.
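As an added illustration, not the driver's or the kernel's code, the following C model replays the CPU0/CPU1 interleaving above once with the vulnerable ordering of mtk_jpeg_dec_device_run and once with the fixed ordering. The structs, the flag standing in for the delayed work, the NULL poisoning and the race() driver are constructed here, and only the error path the advisory describes is modelled.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the mtk-jpeg lifecycle, not the driver's code: a flag
 * stands in for the delayed work, a NULL pointer for memory that was freed. */
struct m2m_dev { int curr_ctx; };
struct jpeg_dev {
    struct m2m_dev *m2m_dev;   /* freed by remove(), like v4l2_m2m_release() */
    bool timeout_work_pending; /* a queued mtk_jpeg_job_timeout_work */
};
static int set_dec_dst(void) { return -1; } /* the failing path from the advisory */

/* Vulnerable order: the worker is queued before the error check, so on failure
 * v4l2_m2m_job_finish() runs while the worker is still pending. */
static void dec_device_run_vuln(struct jpeg_dev *jpeg)
{
    jpeg->timeout_work_pending = true;     /* schedule_delayed_work() */
    if (set_dec_dst())
        return;                            /* v4l2_m2m_job_finish() */
}
/* Fixed order: queue the worker only once the decode job actually started. */
static void dec_device_run_fixed(struct jpeg_dev *jpeg)
{
    if (set_dec_dst())
        return;                            /* v4l2_m2m_job_finish() */
    jpeg->timeout_work_pending = true;
}
/* mtk_jpeg_remove() -> v4l2_m2m_release() -> kfree(m2m_dev): the finished job
 * lets release proceed, and nothing cancels a worker that is still queued. */
static void jpeg_remove(struct jpeg_dev *jpeg)
{
    free(jpeg->m2m_dev);
    jpeg->m2m_dev = NULL;                  /* poisoned so the stale use is visible */
}
/* The late worker: returns 1 if m2m_dev->curr_ctx would read freed memory. */
static int run_timeout_work(struct jpeg_dev *jpeg)
{
    if (!jpeg->timeout_work_pending)
        return 0;
    jpeg->timeout_work_pending = false;
    return jpeg->m2m_dev == NULL;
}
/* Replays the CPU0/CPU1 interleaving from the advisory; 1 means use after free. */
static int race(void (*dec_device_run)(struct jpeg_dev *))
{
    struct jpeg_dev jpeg = { calloc(1, sizeof(struct m2m_dev)), false };
    dec_device_run(&jpeg);            /* CPU0: error path of mtk_jpeg_dec_device_run */
    jpeg_remove(&jpeg);               /* CPU0: module removed, m2m_dev freed */
    return run_timeout_work(&jpeg);   /* CPU1: mtk_jpeg_job_timeout_work fires */
}
```

The model stops at the error path: on a successful decode the real driver cancels the timeout work from its normal completion path, which is outside what this advisory describes.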

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    4.12 (including)   5.10.210 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.11 (including)   5.15.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.16 (including)   6.1.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.2 (including)    6.6.15 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.7 (including)    6.7.3 (excluding)