Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2461412pxj; Mon, 10 May 2021 03:38:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyozrZAPixZoEAVT+uYWxB5lXSOKeK590giPr9XmIo0kcHKu36WOjvTr6WFKXKFF2z157II X-Received: by 2002:a50:fe19:: with SMTP id f25mr28697454edt.341.1620643126221; Mon, 10 May 2021 03:38:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620643126; cv=none; d=google.com; s=arc-20160816; b=hJoFABpjgoQZyPVhF1/iHoyMjHTM00Bby8+zE2e6i7Qx5GX3LJWKX0q6X9sWlZUB4C tCWU3WRzgr+VlqFbMAeRYc7MTnZnqAzkYIj3BWUU958pS2d37yDxLvrRqqFr5nDY3iQx pMIIyt0gpdF+QAopnr2hF0bZKGKN+zy9CeyqxgSqdGtaXa2O+BNonMmjERHWrlJlzrWV IiJCUe4UVfvvXyk2piXiax4i4Qw5QwbIY8oEkY+LV4WJYKIxami7mGLQTXEp5kSNqJcl 5dPRRSoqPT51eZUVK0Jjd8oNwj9qzHWDqGJ3ZK1HhDyIy2DJHt4lyb0Zvnzp/ZE++Om9 bIeA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=cAJvOTRkHbUFJMF8eeUD78cwHWrR5LJx6Hgh+BMNdWs=; b=zW7b77G0nP/Sh+xj7i72luICBIcR4TsrPnI/oMyAHOZroTgzyaaYyg3j/Jf1zRz1mj qR1dUNiWiGy2yiOVx5kBSNl6RQi/1mVF+RYpF9BXaK8efcACK91NR5OCwILU6PZD2zwf AfMToIa47MVlaF0psIoJzuuJjjwdX0BczA4BbNMjPw8AKHjzahgetqbiUnEYHZmMked0 TMaEcRmntMJnVSZSIjtop3JxEYeKDbw2UndlS/H0cKFUaFWphu5Wk2xydji9BO0CJrp8 tAcGcMBxaq/My4k/3MSAaUEOC7LjHP942AACBjSVIHrKwFTx+qk2EYYv5oaIlQsLMEO1 TeHA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=I6n9K8tu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r1si4462285ejd.259.2021.05.10.03.38.22; Mon, 10 May 2021 03:38:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=I6n9K8tu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231381AbhEJKiO (ORCPT + 99 others); Mon, 10 May 2021 06:38:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:40468 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232223AbhEJKdp (ORCPT ); Mon, 10 May 2021 06:33:45 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 21246614A7; Mon, 10 May 2021 10:27:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620642465; bh=vTb31YzKtHMvMdueKvKNtoz0SHfmU8NPxkhT+E+o4yk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=I6n9K8tu7cX5CjBk6NL9Z/moWgVPGetSgKcBHWP0UVhGZVBdiiUxPTQfd3tWtoZ3b tiJSQ9aK7DlIB0/KXrybqLju9QmmKDCzr2UTGIBd8x79nFWImiOnqc3rga/d/Y32D6 2ojpeIngD76v/6LoCEA03XeONVbGT1CXNysPaiVE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Yang Yingliang , Hans Verkuil , Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH 5.4 105/184] media: tc358743: fix possible use-after-free in tc358743_remove() Date: Mon, 10 May 2021 12:19:59 +0200 Message-Id: <20210510101953.628062549@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210510101950.200777181@linuxfoundation.org> References: <20210510101950.200777181@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Yang Yingliang [ Upstream commit 6107a4fdf8554a7aa9488bdc835bb010062fa8a9 ] This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/i2c/tc358743.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c index cff99cf61ed4..114c084c4aec 100644 --- a/drivers/media/i2c/tc358743.c +++ b/drivers/media/i2c/tc358743.c @@ -2192,7 +2192,7 @@ static int tc358743_remove(struct i2c_client *client) del_timer_sync(&state->timer); flush_work(&state->work_i2c_poll); } - cancel_delayed_work(&state->delayed_work_enable_hotplug); + cancel_delayed_work_sync(&state->delayed_work_enable_hotplug); cec_unregister_adapter(state->cec_adap); v4l2_async_unregister_subdev(sd); v4l2_device_unregister_subdev(sd); -- 2.30.2