[PATCH] media: cedrus: fix use after free bug in cedrus_remove due to race condition

[Ma Ke]

In cedrus_probe, dev->watchdog_work is bound with cedrus_watchdog. Then
cedrus_device_run may be called to start the work.

If we close the file or remove the module which will call cedrus_release and
cedrus_remove to make cleanup, there may be an unfinished work. The possible
sequence is as follows, which will cause a typical UAF bug.

The same thing will happen in cedrus_release, and use ctx after freeing it.

Fix it by canceling the work before cleanup in cedrus_release.

Signed-off-by: Ma Ke <make_ruc2021 at 163.com>
---
 drivers/staging/media/sunxi/cedrus/cedrus.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/media/sunxi/cedrus/cedrus.c b/drivers/staging/media/sunxi/cedrus/cedrus.c
index 8e248d4a0aec..0a2cb615d717 100644
--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
@@ -404,6 +404,8 @@ static int cedrus_release(struct file *file)
 	struct cedrus_ctx *ctx = container_of(file->private_data,
 					      struct cedrus_ctx, fh);
 
+	cancel_delayed_work_sync(&ctx->dev->watchdog_work);
+
 	mutex_lock(&dev->dev_mutex);
 
 	v4l2_fh_del(&ctx->fh);
-- 
2.37.2