Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2538042pxj; Mon, 10 May 2021 05:27:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyjoTZ4JE81Y/5AitZMaiUmXp/yzQ2tH3E0/KBTRHFyWvZvRm1U1JjMjadU6/788VQ72dkC X-Received: by 2002:a92:b751:: with SMTP id c17mr22144954ilm.121.1620649656692; Mon, 10 May 2021 05:27:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620649656; cv=none; d=google.com; s=arc-20160816; b=VAvk+PHXVT7pVetfX10fTRHwp+Cc0PhP+X1NkXyPx6drRx69B1/JG0cTCSM9y3WXoy fwJHJuW/ZwWdGY7nf/hE61b23yHoOfcgPEZXIV6idmAdeSdPWXQFSxreczs3+q5Qk+j3 UopgBUFeOLxnTql9gwPt01a7ZR4s2ks0YsBaFXNgLy6uEhjHyz+DsZxx3uz33JYr0YAE hYgmnt28P67etuuyaKgI1IMGGM+5m6q2egRkw/f4DyGs+Yn2qH88zlVuWwSXavu8llcs TFT1BlOOoFYCiFTY0+ohI5jyE6wdztTVHWwxu8qPX6MifRLJIoz3mxWs9brSkNhaQhEA mCFg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=VI/9c1aHq1Q0RlFaxzIlly22xChcN5P6J+zouprAdRk=; b=XG23PLTpvhvWQTQzu0DvL4IeoH4TWKnxlBHSf3HeL1JDGlDOvGKK2A2D6LilqycJQ8 /tCFc+7UrlT3uX667+qa+iucNHU+OSqCE1uHwTyuFRhGLf70nPCkuGb6mm7ymKt27L5k WNf9vQjI4hi/GXGa6lVnTcss85xlode4w5xPoQ+HMZRO2D94DXYMs/5Hh9slbU7dcpIJ r1rIhZhUfW9nKVVVi2+JSeS2JR2HLduW0jxxzXb8Jamq7AYlReF2lACf53Y3PdEf8Duw DTi72DszGHVJeXz+STQ24OQsLo30qkdI8/Fz8yg3RfPPxNG1QArtRhltGk9C1ZK/dYSS aZvQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="T7Lt/xFx"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j24si15660963jad.22.2021.05.10.05.27.24; Mon, 10 May 2021 05:27:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="T7Lt/xFx"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234744AbhEJM1V (ORCPT + 99 others); Mon, 10 May 2021 08:27:21 -0400 Received: from mail.kernel.org ([198.145.29.99]:49920 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237207AbhEJLLf (ORCPT ); Mon, 10 May 2021 07:11:35 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 3F0C461883; Mon, 10 May 2021 11:08:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620644893; bh=kW+Kz7+iyT/blgzYJhQ6JJtZ8Tz4bngwHmfpwDRDbB8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=T7Lt/xFx6nVyPmOfnyQi6CzOSeVsL7SThZ3pj5Kd8Zbpw5cGDziTtYgjgpnD5Bkvc UgAmTi00yiXZ14MUfXQ9rFMuM9qvC5mHRXNHFsXOVzEptXEXk0f+csrFBfYJey82/g 22crBTLa5GS7bclzk7zqytMtJ4MWIXxUuvMsHxUA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Yang Yingliang , Hans Verkuil , Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH 5.12 233/384] media: i2c: adv7842: fix possible use-after-free in adv7842_remove() Date: Mon, 10 May 2021 12:20:22 +0200 Message-Id: <20210510102022.573929827@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210510102014.849075526@linuxfoundation.org> References: <20210510102014.849075526@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Yang Yingliang [ Upstream commit 4a15275b6a18597079f18241c87511406575179a ] This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/i2c/adv7842.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c index 0855f648416d..f7d2b6cd3008 100644 --- a/drivers/media/i2c/adv7842.c +++ b/drivers/media/i2c/adv7842.c @@ -3586,7 +3586,7 @@ static int adv7842_remove(struct i2c_client *client) struct adv7842_state *state = to_state(sd); adv7842_irq_enable(sd, false); - cancel_delayed_work(&state->delayed_work_enable_hotplug); + cancel_delayed_work_sync(&state->delayed_work_enable_hotplug); v4l2_device_unregister_subdev(sd); media_entity_cleanup(&sd->entity); adv7842_unregister_clients(sd); -- 2.30.2