| From: Sean Young <sean@mess.org> |
| Date: Tue, 6 Mar 2018 08:57:57 -0500 |
| Subject: media: rc: oops in ir_timer_keyup after device unplug |
| |
| commit 8d4068810d9926250dd2435719a080b889eb44c3 upstream. |
| |
| If there is IR in the raw kfifo when ir_raw_event_unregister() is called, |
| then kthread_stop() causes ir_raw_event_thread to be scheduled, decode |
| some scancodes and re-arm timer_keyup. The timer_keyup then fires when |
| the rc device is long gone. |
| |
| Signed-off-by: Sean Young <sean@mess.org> |
| Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com> |
| [bwh: Backported to 3.16: |
| - There's no timer_repeat to move |
| - Adjust context] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| --- a/drivers/media/rc/rc-main.c |
| +++ b/drivers/media/rc/rc-main.c |
| @@ -1427,13 +1427,13 @@ void rc_unregister_device(struct rc_dev |
| if (!dev) |
| return; |
| |
| - del_timer_sync(&dev->timer_keyup); |
| - |
| clear_bit(dev->devno, ir_core_dev_number); |
| |
| if (dev->driver_type == RC_DRIVER_IR_RAW) |
| ir_raw_event_unregister(dev); |
| |
| + del_timer_sync(&dev->timer_keyup); |
| + |
| /* Freeing the table should also call the stop callback */ |
| ir_free_table(&dev->rc_map); |
| IR_dprintk(1, "Freed keycode table\n"); |
