From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Yang Yingliang , Hans Verkuil , Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH 4.14 063/323] media: adv7604: fix possible use-after-free in adv76xx_remove() Date: Thu, 20 May 2021 11:19:15 +0200 Message-Id: <20210520092122.270534054@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092120.115153432@linuxfoundation.org> References: <20210520092120.115153432@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Yang Yingliang [ Upstream commit fa56f5f1fe31c2050675fa63b84963ebd504a5b3 ] This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/i2c/adv7604.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c index 26c3ec573a56..3078d47d090a 100644 --- a/drivers/media/i2c/adv7604.c +++ b/drivers/media/i2c/adv7604.c @@ -3557,7 +3557,7 @@ static int adv76xx_remove(struct i2c_client *client) io_write(sd, 0x6e, 0); io_write(sd, 0x73, 0); - cancel_delayed_work(&state->delayed_work_enable_hotplug); + cancel_delayed_work_sync(&state->delayed_work_enable_hotplug); v4l2_async_unregister_subdev(sd); media_entity_cleanup(&sd->entity); adv76xx_unregister_clients(to_state(sd)); -- 2.30.2
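Review bot: In the adv76xx_remove() hunk, cancel_delayed_work_sync() runs before v4l2_async_unregister_subdev(sd), so the sub-device is still registered at the moment the cancel returns. If any path reachable through the registered sub-device can queue delayed_work_enable_hotplug again, the work could be pending or running when remove finishes, which is the same use-after-free the commit message describes. It is worth confirming that no such path exists, or moving the cancel to after the unregister call. The commit message also carries no Fixes: tag, which would help show how far back the change applies.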