From: Hans Verkuil <hverkuil@xxxxxxxxx> onetland: cherry-picked from cust/cisco/r28n-cisco: def9fd009919 If the wait for completion was interrupted, then make sure to cancel any delayed work. This can only happen if a transmit is waiting for a reply, and you press Ctrl-C or reboot/poweroff or something like that which interrupts the thread waiting for the reply and then proceeds to delete the CEC message. Since the delayed work wasn't canceled, once it would trigger it referred to stale data and resulted in a kernel oops. Signed-off-by: Hans Verkuil <hans.verkuil@xxxxxxxxx> Fixes: 05f525b833e8 ("cec: add new tx/rx status bits to detect aborts/timeouts") Cc: <stable@xxxxxxxxxxxxxxx> # for v4.18 and up diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c index 0ab3a2a73b23..c00ab539ab90 100644 --- a/drivers/media/cec/cec-adap.c +++ b/drivers/media/cec/cec-adap.c @@ -822,6 +822,8 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg, */ mutex_unlock(&adap->lock); wait_for_completion_killable(&data->c); + if (!data->completed) + cancel_delayed_work_sync(&data->work); mutex_lock(&adap->lock); /* Cancel the transmit if it was interrupted */ -- 2.20.1
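Review bot: In the added `if (!data->completed)` test after `wait_for_completion_killable(&data->c)`, `data->completed` is read while `adap->lock` is dropped, so the check can race with whatever path sets it. `cancel_delayed_work_sync()` does nothing harmful when the work is neither pending nor running, so consider calling it unconditionally. Alternatively, key the cancel off the return value of `wait_for_completion_killable()`, which is currently discarded and directly indicates the interrupted case the commit message describes. A one-line comment would also help, stating that the cancel must stay between `mutex_unlock(&adap->lock)` and `mutex_lock(&adap->lock)`. If the work handler takes `adap->lock`, a sync cancel under that lock would deadlock, and the ordering is easy to break in a later cleanup.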