[PATCH 4.14 54/92] media: rc: oops in ir_timer_keyup after device unplug
From: Greg Kroah-Hartman
Date: Fri Jul 20 2018 - 08:39:21 EST
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Young <sean@xxxxxxxx>
commit 8d4068810d9926250dd2435719a080b889eb44c3 upstream.
If there is IR in the raw kfifo when ir_raw_event_unregister() is called,
then kthread_stop() causes ir_raw_event_thread to be scheduled, decode
some scancodes and re-arm timer_keyup. The timer_keyup then fires when
the rc device is long gone.
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Sean Young <sean@xxxxxxxx>
Signed-off-by: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/media/rc/rc-main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c
@@ -1824,11 +1824,11 @@ void rc_unregister_device(struct rc_dev
if (!dev)
return;
- del_timer_sync(&dev->timer_keyup);
-
if (dev->driver_type == RC_DRIVER_IR_RAW)
ir_raw_event_unregister(dev);
+ del_timer_sync(&dev->timer_keyup);
+
rc_free_rx_device(dev);
device_del(&dev->dev);