Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp413510pxj; Thu, 20 May 2021 12:14:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzfxcst64ohV2Nz4zdiOIQ1V+/ZIrxkTMy9KifaNJDVRFuOiNn5TONefk51cPIh6a9ubNog X-Received: by 2002:aa7:db57:: with SMTP id n23mr6632704edt.229.1621538084155; Thu, 20 May 2021 12:14:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621538084; cv=none; d=google.com; s=arc-20160816; b=YIteQ2SxdGDo/oqrFwEd/uU+8GRkMiYFwzcAJ+kN0HF/N0JLpn03LgZf+gQFmG0i/L J5Lo6IsIvzz3KANaPwRJqNhZdbc0/TYDP1J76qkPfyoSW/pamq2fVyrKWcbX1QUcqgOD DYge0Tk82sFNedfvEMx0wOhnR1EMHsGXduh1UGMfqZLqrnPOlA5aenVz+Qk8zIct6qLJ 4H0X8bvu9d/1v28dIPf6bEUU2rXZT32CmF6kBJBlDZAWd3YkfwwkfU5hJGgx+t28GmJ8 f9hZahTnTqagMdE4rTVofLaaPlIKUTEZXS0p/dxfz9r8gP+NnUU6paqjnDNsrYnmD1oU ELRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=h7u7lLScP5F0n4L9HdwUwUndHZIl56bylZdLG6jgHzU=; b=nHE4HF/MxjXd/z54unJTsV0ZuCly26VznIb7u/gMcEGAWDaOiSnHsXDX9HAzGK/5fa L2UqFnptSlO+rOO/xrNZntl3bPtvstLT+ZrbX7R7ayQEcu/HlQn5tC9RpklLvEJuI0Vo MZFpLepN1XB/aqLIuHj+25reFdqvu79MWEjCEK3G8iixGWhcMxLX7KPjbvbsKWBfgGQL WoFO6+itBfCWQU5Vle9EjCGo66NGyi8ylk9O873nHyLescIfzrTcyEP/SK59R1+H2gcq UNyFG6lFKEArRswZc0JpAL98THL7hq6QTir9DvMGm8SA7+u2Ns+66HQzminE/jdcKoFe +c7Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=HnV79eSj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id nc38si4060299ejc.570.2021.05.20.12.14.20; Thu, 20 May 2021 12:14:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=HnV79eSj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237131AbhETKcq (ORCPT + 99 others); Thu, 20 May 2021 06:32:46 -0400 Received: from mail.kernel.org ([198.145.29.99]:50934 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236385AbhETKTb (ORCPT ); Thu, 20 May 2021 06:19:31 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 81ED6619B5; Thu, 20 May 2021 09:47:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621504034; bh=nHKqf+ia+pBTvLRLxNJX69EmoMpzURZPC99nq04ng0w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=HnV79eSj06tzkBEmpJ3HGjhhutwx2MBhVQ5K7SDsr51QneuaOvBgjbwKF/mSOiinB cSdBtenOPUz6nfu9aiHL+Ii9cWRf+toOjAGW6lLfRI/WUCRFPaI0sKmACNCbvQszMr DmQLT2vSV9U91MC+2ZyKEliPPRUoYUGFygu/iGN8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , Yang Yingliang , Hans Verkuil , Mauro Carvalho Chehab , Sasha Levin Subject: [PATCH 4.14 065/323] media: i2c: adv7842: fix possible use-after-free in adv7842_remove() Date: Thu, 20 May 2021 11:19:17 +0200 Message-Id: <20210520092122.334297987@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210520092120.115153432@linuxfoundation.org> References: <20210520092120.115153432@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Yang Yingliang [ Upstream commit 4a15275b6a18597079f18241c87511406575179a ] This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- drivers/media/i2c/adv7842.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c index dcce8d030e5d..c28bf94a7409 100644 --- a/drivers/media/i2c/adv7842.c +++ b/drivers/media/i2c/adv7842.c @@ -3599,7 +3599,7 @@ static int adv7842_remove(struct i2c_client *client) struct adv7842_state *state = to_state(sd); adv7842_irq_enable(sd, false); - cancel_delayed_work(&state->delayed_work_enable_hotplug); + cancel_delayed_work_sync(&state->delayed_work_enable_hotplug); v4l2_device_unregister_subdev(sd); media_entity_cleanup(&sd->entity); adv7842_unregister_clients(sd); -- 2.30.2