From: Takashi Iwai tiwai@suse.de
commit 68359a1ad8447c99732ebeab8c169bfed543667a upstream.
Recently syzkaller reported a UAF in LINE6 driver, and it's likely because we call cancel_delayed_work() at the disconnect callback instead of cancel_delayed_work_sync(). Let's use the correct one instead.
Reported-by: syzbot+145012a46658ac00fc9e@syzkaller.appspotmail.com Suggested-by: Alan Stern stern@rowland.harvard.edu Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/s5hlfjr4gio.wl-tiwai@suse.de Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- sound/usb/line6/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c index 0193d4989107..18b436e7a2cc 100644 --- a/sound/usb/line6/driver.c +++ b/sound/usb/line6/driver.c @@ -835,7 +835,7 @@ void line6_disconnect(struct usb_interface *interface) if (WARN_ON(usbdev != line6->usbdev)) return;
- cancel_delayed_work(&line6->startup_work); + cancel_delayed_work_sync(&line6->startup_work);
if (line6->urb_listen != NULL) line6_stop_listen(line6);