media: rc: oops in ir_timer_keyup after device unplug

If there is IR in the raw kfifo when ir_raw_event_unregister() is called,
then kthread_stop() causes ir_raw_event_thread to be scheduled, decode
some scancodes and re-arm timer_keyup. The timer_keyup then fires when
the rc device is long gone.

Cc: stable@vger.kernel.org
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

diff --git a/drivers/media/rc/rc-main.c b/drivers/media/rc/rc-main.c
index 4a95210..8621761 100644 (file)
--- a/drivers/media/rc/rc-main.c
+++ b/drivers/media/rc/rc-main.c
@@ -1932,12 +1932,12 @@ void rc_unregister_device(struct rc_dev *dev)
        if (!dev)
                return;
 
-       del_timer_sync(&dev->timer_keyup);
-       del_timer_sync(&dev->timer_repeat);
-
        if (dev->driver_type == RC_DRIVER_IR_RAW)
                ir_raw_event_unregister(dev);
 
+       del_timer_sync(&dev->timer_keyup);
+       del_timer_sync(&dev->timer_repeat);
+
        rc_free_rx_device(dev);
 
        mutex_lock(&dev->lock);