
media: mtk-jpeg: Fix null-ptr-deref during unload module

The workqueue should be destroyed in mtk_jpeg_core.c since commit
09aea13ecf6f ("media: mtk-jpeg: refactor some variables"); otherwise
the call trace below is easily triggered.

[ 677.862514] Unable to handle kernel paging request at virtual address dfff800000000023
[ 677.863633] KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
...
[ 677.879654] CPU: 6 PID: 1071 Comm: modprobe Tainted: G O 6.8.12-mtk+gfa1a78e5d24b+ #17
...
[ 677.882838] pc : destroy_workqueue+0x3c/0x770
[ 677.883413] lr : mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw]
[ 677.884314] sp : ffff80008ad974f0
[ 677.884744] x29: ffff80008ad974f0 x28: ffff0000d7115580 x27: ffff0000dd691070
[ 677.885669] x26: ffff0000dd691408 x25: ffff8000844af3e0 x24: ffff80008ad97690
[ 677.886592] x23: ffff0000e051d400 x22: ffff0000dd691010 x21: dfff800000000000
[ 677.887515] x20: 0000000000000000 x19: 0000000000000000 x18: ffff800085397ac0
[ 677.888438] x17: 0000000000000000 x16: ffff8000801b87c8 x15: 1ffff000115b2e10
[ 677.889361] x14: 00000000f1f1f1f1 x13: 0000000000000000 x12: ffff7000115b2e4d
[ 677.890285] x11: 1ffff000115b2e4c x10: ffff7000115b2e4c x9 : ffff80000aa43e90
[ 677.891208] x8 : 00008fffeea4d1b4 x7 : ffff80008ad97267 x6 : 0000000000000001
[ 677.892131] x5 : ffff80008ad97260 x4 : ffff7000115b2e4d x3 : 0000000000000000
[ 677.893054] x2 : 0000000000000023 x1 : dfff800000000000 x0 : 0000000000000118
[ 677.893977] Call trace:
[ 677.894297] destroy_workqueue+0x3c/0x770
[ 677.894826] mtk_jpegdec_destroy_workqueue+0x70/0x88 [mtk_jpeg_dec_hw]
[ 677.895677] devm_action_release+0x50/0x90
[ 677.896211] release_nodes+0xe8/0x170
[ 677.896688] devres_release_all+0xf8/0x178
[ 677.897219] device_unbind_cleanup+0x24/0x170
[ 677.897785] device_release_driver_internal+0x35c/0x480
[ 677.898461] device_release_driver+0x20/0x38
...
[ 677.912665] ---[ end trace 0000000000000000 ]---

Fixes: 09aea13ecf6f ("media: mtk-jpeg: refactor some variables")
Cc: <stable@vger.kernel.org>
Signed-off-by: Guoqing Jiang <guoqing.jiang@canonical.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>

authored by

Guoqing Jiang and committed by
Hans Verkuil
17af2b39 2c21fd53

+10 -11
+10
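--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
+++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c
@@ -1293,6 +1293,11 @@
 	return 0;
 }
 
+static void mtk_jpeg_destroy_workqueue(void *data)
+{
+	destroy_workqueue(data);
+}
+
 static int mtk_jpeg_probe(struct platform_device *pdev)
 {
 	struct mtk_jpeg_dev *jpeg;
@@ -1337,6 +1342,11 @@
 					    | WQ_FREEZABLE);
 		if (!jpeg->workqueue)
 			return -EINVAL;
+		ret = devm_add_action_or_reset(&pdev->dev,
+					       mtk_jpeg_destroy_workqueue,
+					       jpeg->workqueue);
+		if (ret)
+			return ret;
 	}
 
 	ret = v4l2_device_register(&pdev->dev, &jpeg->v4l2_dev);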
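Review bot: The new mtk_jpeg_destroy_workqueue() helper carries no comment saying why a wrapper is needed instead of passing destroy_workqueue() directly; a one-liner above it would settle that: `/* devm action callback: adapts destroy_workqueue() to the void *data signature devres passes */`. Devres actions run after mtk_jpeg_remove() and in reverse registration order, so registering this right after alloc_workqueue() makes the workqueue outlive everything later placed under devm on &pdev->dev, which looks intended, but it also means destroy_workqueue() now flushes (and warns on leftover items) only after the remove path has finished, so that path should not queue new work once the device is unregistered; that code is not in the hunk and is worth a glance. The neighbouring `return -EINVAL;` on alloc_workqueue() failure predates this change; `-ENOMEM` is the usual code for an allocation failure. mtk_jpeg_probe() continues outside the hunk.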
-11
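--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_dec_hw.c
+++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_dec_hw.c
@@ -578,11 +578,6 @@
 	return 0;
 }
 
-static void mtk_jpegdec_destroy_workqueue(void *data)
-{
-	destroy_workqueue(data);
-}
-
 static int mtk_jpegdec_hw_probe(struct platform_device *pdev)
 {
 	struct mtk_jpegdec_clk *jpegdec_clk;
@@ -605,12 +600,6 @@
 
 	dev->plat_dev = pdev;
 	dev->dev = &pdev->dev;
-
-	ret = devm_add_action_or_reset(&pdev->dev,
-				       mtk_jpegdec_destroy_workqueue,
-				       master_dev->workqueue);
-	if (ret)
-		return ret;
 
 	spin_lock_init(&dev->hw_lock);
 	dev->hw_state = MTK_JPEG_HW_IDLE;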