VYPR
Unrated severity · NVD Advisory · Published Feb 29, 2024 · Updated May 4, 2025

media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run

CVE-2023-52491

Description

A use-after-free in the mtk-jpeg decoder driver due to a race between error handling and timeout worker cleanup.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In the Linux kernel's MediaTek JPEG decoder driver (mtk-jpeg), a use-after-free vulnerability exists in mtk_jpeg_dec_device_run [1]. During probe, the driver binds jpeg->job_timeout_work to mtk_jpeg_job_timeout_work. In the device run handler, if mtk_jpeg_set_dec_dst fails, the error path starts the timeout worker and then marks the job as finished via v4l2_m2m_job_finish. This creates a race condition: the timeout worker, which still references the device, may run after module removal or file-descriptor close has freed that memory. Versions affected are those prior to the fix commit.

Exploitation

An attacker can trigger this condition by forcing an error in mtk_jpeg_set_dec_dst (e.g., by exhausting resources) while concurrently removing the module or closing the file descriptor. No special privileges are required beyond access to the video device. The race window exists between the timeout worker execution and the cleanup path.

Impact

Successful exploitation leads to a use-after-free condition, which can result in memory corruption or privilege escalation. In the worst case, this could allow an attacker to execute arbitrary code in kernel context, leading to full system compromise.

Mitigation

The fix, included in Linux kernel commits, ensures the timeout worker is only started if the decoder worker starts successfully. Users should update to a kernel version containing the fix [1]. No workaround is available; vendors have released patches as part of their kernel updates.
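To make the ordering problem in the Vulnerability and Mitigation sections concrete, here is a small simulation added for this page; it is not the mtk-jpeg driver's code. All names in it (dec_dev, run_decode_vulnerable, run_decode_fixed, play, and so on) are invented for the model, and it assumes that the timeout worker, when it fires, itself finishes the job. The model keeps a "freed" flag instead of really freeing memory, so it counts the dangerous dereference rather than crashing; only the shape of the bug mirrors the advisory: the error path arms the worker and then finishes the job, teardown frees the device, and the still-pending worker touches it. The fixed variant arms the worker only after the decode actually started, so the error path leaves nothing outstanding.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not the mtk-jpeg driver's code: a simplified model of the
 * ordering problem the advisory describes. Names here are invented for the
 * model. Assumption: the timeout worker finishes the job when it fires. */

struct dec_dev {
    bool freed;            /* teardown released the device (models kfree) */
    int  pending_timeout;  /* a delayed worker still holds this pointer */
    int  finish_calls;     /* times "job finish" ran for the single job */
    int  use_after_free;   /* worker touched the device after teardown */
};

/* Destination-buffer setup; fail == true models the error the advisory names. */
static int set_dec_dst(bool fail) { return fail ? -1 : 0; }

/* Stands in for v4l2_m2m_job_finish: tells the m2m core the job is complete. */
static void job_finish(struct dec_dev *dev) { dev->finish_calls++; }

/* Vulnerable ordering: worker armed before the job is known to have started. */
static void run_decode_vulnerable(struct dec_dev *dev, bool dst_fails)
{
    dev->pending_timeout = 1;          /* delayed work scheduled up front */
    if (set_dec_dst(dst_fails) < 0) {
        job_finish(dev);               /* error path finishes the job ... */
        return;                        /* ... with the worker still queued */
    }
}

/* Fixed ordering: arm the worker only once the decoder actually started. */
static void run_decode_fixed(struct dec_dev *dev, bool dst_fails)
{
    if (set_dec_dst(dst_fails) < 0) {
        job_finish(dev);               /* no worker outstanding after this */
        return;
    }
    dev->pending_timeout = 1;
}

/* Normal completion of a started job: cancels the worker, finishes the job. */
static void decode_complete(struct dec_dev *dev)
{
    dev->pending_timeout = 0;
    job_finish(dev);
}

/* Teardown on module remove or file-descriptor close. */
static void teardown(struct dec_dev *dev) { dev->freed = true; }

/* The timeout worker firing after teardown. */
static void timeout_work(struct dec_dev *dev)
{
    if (!dev->pending_timeout)
        return;                        /* nothing was queued */
    dev->pending_timeout = 0;
    if (dev->freed)
        dev->use_after_free++;         /* the real driver would dereference freed memory here */
    job_finish(dev);
}

struct outcome { int use_after_free; int finish_calls; };

/* One scenario: run handler, normal completion if the job started, teardown, worker fires. */
static struct outcome play(void (*run)(struct dec_dev *, bool), bool dst_fails)
{
    struct dec_dev dev = {0};
    run(&dev, dst_fails);
    if (dev.finish_calls == 0)         /* job started: hardware completes normally */
        decode_complete(&dev);
    teardown(&dev);
    timeout_work(&dev);
    struct outcome o = { dev.use_after_free, dev.finish_calls };
    return o;
}

static int scenario_uaf(void (*run)(struct dec_dev *, bool), bool dst_fails)
{ return play(run, dst_fails).use_after_free; }

static int scenario_finish_calls(void (*run)(struct dec_dev *, bool), bool dst_fails)
{ return play(run, dst_fails).finish_calls; }

int main(void)
{
    printf("vulnerable, dst fails: uaf=%d finish_calls=%d\n",
           scenario_uaf(run_decode_vulnerable, true),
           scenario_finish_calls(run_decode_vulnerable, true));
    printf("fixed, dst fails:      uaf=%d finish_calls=%d\n",
           scenario_uaf(run_decode_fixed, true),
           scenario_finish_calls(run_decode_fixed, true));
    return 0;
}
```

Running it shows the vulnerable ordering producing one access after teardown and two job-finish calls for a single job on the error path, while the fixed ordering produces neither; on the success path both variants behave the same because normal completion cancels the worker. The general lesson for any driver with a watchdog worker: schedule the worker at the last point where you know the operation it guards has really started, and make sure every path that finishes the operation is the only one that will ever do so.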

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 6

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 6

News mentions: 0 (no linked articles in our index yet)