Call flush_work() on failure and disconnect. Work initialize and schedule
in smsusb_onresponse(). it should be freed in smsusb_stop_streaming().
Signed-off-by: Arvind Yadav <arvind.yadav.cs@xxxxxxxxx>
---
This bug report by Andrey Konovalov "usb/media/smsusb: use-after-free in
worker_thread".
changes in v2 :
call flush_work() in smsusb_stop_streaming().
drivers/media/usb/siano/smsusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c
index 8c1f926..8142ba4 100644
--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -192,6 +192,8 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev)
for (i = 0; i < MAX_URBS; i++) {
usb_kill_urb(&dev->surbs[i].urb);
+ flush_work(&dev->surbs[i].wq);
+
if (dev->surbs[i].cb) {
smscore_putbuffer(dev->coredev, dev->surbs[i].cb);
dev->surbs[i].cb = NULL;
--
2.7.4
