The cancel_delayed_work_sync() call was missed, causing a use-after-free in corsair_void_remove(). Reported-by: yan kang <kangyan91@xxxxxxxxxxx> Reported-by: yue sun <samsun1006219@xxxxxxxxx> Closes: https://lore.kernel.org/all/SY8P300MB042106286A2536707D2FB736A1E42@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/ Closes: https://lore.kernel.org/all/SY8P300MB0421872E0AE934C9616FA61EA1E42@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/ Fixes: 6ea2a6fd3872 ("HID: corsair-void: Add Corsair Void headset family driver") Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Stuart Hayhurst <stuart.a.hayhurst@xxxxxxxxx> --- drivers/hid/hid-corsair-void.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/hid/hid-corsair-void.c b/drivers/hid/hid-corsair-void.c index 6ece56b850fc..bd8f3d849b58 100644 --- a/drivers/hid/hid-corsair-void.c +++ b/drivers/hid/hid-corsair-void.c @@ -726,6 +726,7 @@ static void corsair_void_remove(struct hid_device *hid_dev) if (drvdata->battery) power_supply_unregister(drvdata->battery); + cancel_delayed_work_sync(&drvdata->delayed_status_work); cancel_delayed_work_sync(&drvdata->delayed_firmware_work); sysfs_remove_group(&hid_dev->dev.kobj, &corsair_void_attr_group); } -- 2.47.1
