From: Takashi Iwai <[email protected]> commit 68359a1ad8447c99732ebeab8c169bfed543667a upstream.
Recently syzkaller reported a UAF in LINE6 driver, and it's likely because we call cancel_delayed_work() at the disconnect callback instead of cancel_delayed_work_sync(). Let's use the correct one instead. Reported-by: [email protected] Suggested-by: Alan Stern <[email protected]> Cc: <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Takashi Iwai <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- sound/usb/line6/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/sound/usb/line6/driver.c +++ b/sound/usb/line6/driver.c @@ -820,7 +820,7 @@ void line6_disconnect(struct usb_interfa if (WARN_ON(usbdev != line6->usbdev)) return; - cancel_delayed_work(&line6->startup_work); + cancel_delayed_work_sync(&line6->startup_work); if (line6->urb_listen != NULL) line6_stop_listen(line6);
