aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYang Yingliang <yangyingliang@huawei.com>2021-04-06 21:50:53 +0800
committerHans Verkuil <hverkuil-cisco@xs4all.nl>2021-04-07 16:05:55 +0200
commit5ad16315fe2d67bb1be3ad64a465cf58ffdb1707 (patch)
treeff17a376b91b5d297d4e37115f9245791321da95
parent5de6f84701cac733755d1e4810cae3a3f48cf8f9 (diff)
media: i2c: adv7842: fix possible use-after-free in adv7842_remove()
This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
-rw-r--r--drivers/media/i2c/adv7842.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c
index 21dbb7a594fb..8bd58ce07926 100644
--- a/drivers/media/i2c/adv7842.c
+++ b/drivers/media/i2c/adv7842.c
@@ -3573,7 +3573,7 @@ static int adv7842_remove(struct i2c_client *client)
struct adv7842_state *state = to_state(sd);
adv7842_irq_enable(sd, false);
- cancel_delayed_work(&state->delayed_work_enable_hotplug);
+ cancel_delayed_work_sync(&state->delayed_work_enable_hotplug);
v4l2_device_unregister_subdev(sd);
media_entity_cleanup(&sd->entity);
adv7842_unregister_clients(sd);

Privacy Policy