    media: dm1105: Fix use after free bug in dm1105_remove due to race condition · 5abda7a1
    Zheng Wang authored
    In dm1105_probe, it called dm1105_ir_init and bound
    &dm1105->ir.work with dm1105_emit_key.
    When it handles IRQ request with dm1105_irq,
    it may call schedule_work to start the work.
    
    When we call dm1105_remove to remove the driver, there
    may be a sequence as follows:
    
    Fix it by finishing the work before cleanup in dm1105_remove.
    
    CPU0                      CPU1
    
                              | dm1105_emit_key
    dm1105_remove             |
      dm1105_ir_exit          |
        rc_unregister_device  |
        rc_free_device        |
        rc_dev_release        |
        kfree(dev);           |
                              |
                              | rc_keydown
                              |   //use
    
    Fixes: 34d2f9bf ("V4L/DVB: dm1105: use dm1105_dev & dev instead of dm1105dvb")
    Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
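The race the commit message describes, rebuilt as an added user-space C model (not the dm1105 driver's code): a work item queued from the IRQ path still references the rc_dev, and the vulnerable remove order frees that device before the work has run; the fixed order finishes the work first, which is what the commit's "finish the work before cleanup" amounts to. All struct and function names below are stand-ins chosen for this example, not kernel APIs.

```c
/* Added example (not the dm1105 driver's code): a user-space model of the
 * dm1105_remove race. Names are stand-ins for the kernel objects. */
#include <stdbool.h>
#include <stdlib.h>

/* Stand-in for struct rc_dev, which rc_keydown() dereferences. */
struct rc_dev { int last_scancode; };

/* Stand-in for struct dm1105_dev: the IR rc_dev plus its work item state. */
struct dm1105_model {
    struct rc_dev *ir_dev;   /* dm1105->ir.dev */
    bool work_pending;       /* schedule_work() on dm1105->ir.work was called */
    bool ir_dev_freed;       /* model-only flag: rc_dev_release/kfree ran */
};

/* dm1105_emit_key analogue: run the queued work once. Returns true if it
 * touched a freed rc_dev, i.e. the use-after-free from the commit message. */
static bool run_ir_work(struct dm1105_model *m)
{
    if (!m->work_pending)
        return false;
    m->work_pending = false;
    if (m->ir_dev_freed)
        return true;                   /* rc_keydown() on a kfree'd dev */
    m->ir_dev->last_scancode = 0x1234; /* constructed scancode value */
    return false;
}

/* rc_unregister_device -> rc_free_device -> rc_dev_release -> kfree(dev) */
static void dm1105_ir_exit_model(struct dm1105_model *m)
{
    free(m->ir_dev);
    m->ir_dev = NULL;
    m->ir_dev_freed = true;
}

/* Run one IRQ/remove cycle and report whether the work item ran against a
 * freed device. With `fixed`, remove drains the pending work before the
 * cleanup (the role cancel_work_sync() plays in the kernel). */
bool simulate_remove(bool irq_fired, bool fixed)
{
    struct dm1105_model m = { calloc(1, sizeof(struct rc_dev)), irq_fired, false };
    if (fixed)
        run_ir_work(&m);               /* finish the work before cleanup */
    dm1105_ir_exit_model(&m);          /* CPU0: tear down and free the dev */
    bool uaf = run_ir_work(&m);        /* CPU1: work item still pending? */
    return uaf;
}
```

The model stays deterministic by recording the free in a flag instead of dereferencing freed memory, so the vulnerable ordering reports the use-after-free without crashing the process.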
dm1105.c 28.7 KB