[media] s2255: Do not free fw_data until timer handler has actually stopped using it

Function del_timer() does not guarantee that timer was really deleted.
If the timer handler is beeing executed at the moment, the function
does nothing. So, we have a race between del_timer() and kfree(), and
it's possible to use already freed memory in the handler.

Signed-off-by: Kirill Tkhai <tkhai@yandex.ru>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <m.chehab@samsung.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c
index e019dd63ed42..185be72cab14 100644
--- a/drivers/media/usb/s2255/s2255drv.c
+++ b/drivers/media/usb/s2255/s2255drv.c
@@ -1521,7 +1521,7 @@ static void s2255_destroy(struct s2255_dev *dev)
         /* board shutdown stops the read pipe if it is running */
         s2255_board_shutdown(dev);
         /* make sure firmware still not trying to load */
-        del_timer(&dev->timer);  /* only started in .probe and .open */
+        del_timer_sync(&dev->timer);  /* only started in .probe and .open */
         if (dev->fw_data->fw_urb) {
                 usb_kill_urb(dev->fw_data->fw_urb);
                 usb_free_urb(dev->fw_data->fw_urb);
@@ -2351,7 +2351,7 @@ errorREQFW:
 errorFWDATA2:
         usb_free_urb(dev->fw_data->fw_urb);
 errorFWURB:
-        del_timer(&dev->timer);
+        del_timer_sync(&dev->timer);
 errorEP:
         usb_put_dev(dev->udev);
 errorUDEV: