Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2547093pxj; Mon, 10 May 2021 05:39:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwvuiQpSLFU2lSWKyWDbv4QcgrCKkU06M62vJ8xMABIZElWiBcxcYPSDDqftL3OTD/jBKmK X-Received: by 2002:a17:906:3d7:: with SMTP id c23mr26093957eja.188.1620650376254; Mon, 10 May 2021 05:39:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620650376; cv=none; d=google.com; s=arc-20160816; b=BltUL/Y0DzcdCUodGmtE1tW0pMZpwDlwsfs/rrJe+8fPE6Uq5k7UTyFLbZ74euILwJ /LTZvWEnAzu/x3s/Kiq0TtNqY/uVR0CNl6zLVeacMTyFnLtkpwX9MG/pthflKMH4PpzG o4i1JqXZMYT6i/jZ4TIhS/gl6ET1Cbe5YjkVmp4gpdRjR8Xb+Y/Nht7vpOUbekDhYLhl cVfbnd9O+3xxHdVFrch5uDYgYzaNkEMmnI4OMlCyZ9ur9ngq8qgmdgVpzKAtmR8F3lwk TcHsDBWtwzMTBPxzmUh/mh/ObolRCAiw6tiq3v/snOUP5LfbothCrEGEe8kCl7CyCbG7 GYYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=GI6qVZfJX+R2jb6S8i6/KvvGy1dHaPJ2QRg/nYQajxM=; b=HudoLN7QiwMYHJFHTnxOOJAo8ZO30NZfzMS3FiN8kstg3Fyz9w6OkO+jceKXNue99C 07eallOXvFAli5i6f0rs/U/b/rzOoX+zah4F3TRmkOuMz3WxfjpG33dq6s2c3cTmd9Y7 8K65G+Np/84mYl6rdgyoYf54m4709C702647T1BjC/1Y83KYZd4E4qh5Hk4a35vA5Kfm pP4F5F6rTDXeb4KXJe3wdCYva4IxT/0yYFHEd71DqWC37BcHl5/2QOemsysWJnmohxLF 4rGghD+42VwYoLpTJQ58X38+2CoMMafE8iVEhJpGcte9BNp9JJaH3p1MxR92mp4FBaB6 YBnA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Izs6yfnQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ka15si4151104ejc.148.2021.05.10.05.39.12; Mon, 10 May 2021 05:39:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Izs6yfnQ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1346475AbhEJMbd (ORCPT + 99 others); Mon, 10 May 2021 08:31:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:46088 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237195AbhEJLLe (ORCPT ); Mon, 10 May 2021 07:11:34 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id A0B1061288; Mon, 10 May 2021 11:08:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620644884; bh=j5njG6kfjfeKS8Pe74lDvSoVoXEqAO/FDdLBo589vLg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Izs6yfnQ0BfreIG3n3V9tsB98IPl9Cl1hNN5tIhP6q1ZyDeTtsRb+fnCEtEj1qDhB Re0w4lopcPL6meUeFcX6u7YatSn9E1MYhtIHvKJqulZ8l09bMQTEe3gMmZA2Mn2BiP 4WzgzIGjuL7clVzarvCbme8WLB5WPN5OcVmixCcw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Yang Yingliang , Hans Verkuil , Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH 5.12 229/384] media: tc358743: fix possible use-after-free in tc358743_remove() Date: Mon, 10 May 2021 12:20:18 +0200 Message-Id: <20210510102022.446972619@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210510102014.849075526@linuxfoundation.org> References: <20210510102014.849075526@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Yang Yingliang [ Upstream commit 6107a4fdf8554a7aa9488bdc835bb010062fa8a9 ] This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/i2c/tc358743.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c index 831b5b54fd78..1b309bb743c7 100644 --- a/drivers/media/i2c/tc358743.c +++ b/drivers/media/i2c/tc358743.c @@ -2193,7 +2193,7 @@ static int tc358743_remove(struct i2c_client *client) del_timer_sync(&state->timer); flush_work(&state->work_i2c_poll); } - cancel_delayed_work(&state->delayed_work_enable_hotplug); + cancel_delayed_work_sync(&state->delayed_work_enable_hotplug); cec_unregister_adapter(state->cec_adap); v4l2_async_unregister_subdev(sd); v4l2_device_unregister_subdev(sd); -- 2.30.2