From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hulk Robot, Yang Yingliang, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin
Subject: [PATCH 5.11 206/342] media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove()
Date: Mon, 10 May 2021 12:19:56 +0200
Message-Id: <20210510102016.897368645@linuxfoundation.org>
In-Reply-To: <20210510102010.096403571@linuxfoundation.org>
References: <20210510102010.096403571@linuxfoundation.org>

From: Yang Yingliang

[ Upstream commit 7f820ab5d4eebfe2d970d32a76ae496a6c286f0f ]

This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free.

Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself.

Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
--- drivers/media/i2c/tda1997x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/tda1997x.c b/drivers/media/i2c/tda1997x.c index a09bf0a39d05..89bb7e6dc7a4 100644 --- a/drivers/media/i2c/tda1997x.c +++ b/drivers/media/i2c/tda1997x.c
@@ -2804,7 +2804,7 @@ static int tda1997x_remove(struct i2c_client *client) media_entity_cleanup(&sd->entity); v4l2_ctrl_handler_free(&state->hdl); regulator_bulk_disable(TDA1997X_NUM_SUPPLIES, state->supplies); - cancel_delayed_work(&state->delayed_work_enable_hpd); + cancel_delayed_work_sync(&state->delayed_work_enable_hpd); mutex_destroy(&state->page_lock); mutex_destroy(&state->lock); -- 2.30.2
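
Review bot: In tda1997x_remove(), the cancel_delayed_work_sync(&state->delayed_work_enable_hpd) call still sits after media_entity_cleanup(&sd->entity), v4l2_ctrl_handler_free(&state->hdl) and regulator_bulk_disable(), so until it returns the work function can run against a control handler that has already been freed and supplies that are already switched off. Consider moving the call ahead of that teardown, so the work is quiesced before anything it might use is released rather than only before the mutex_destroy() calls. The hunk does not show the work function or the sites that schedule it, so it is also worth confirming that no path can queue the work again once the synchronous cancel has returned.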