Problem: The cmd_complete_work work could potentially run after resources are freed in disconnect(). This could cause user-after-free issues. Solution: Reorder disconnect() calls, and explicitly cancel the work using cancel_work_sync(). Signed-off-by: Sven Van Asbroeck <TheSven73@xxxxxxxxxxxxxx> --- Samuel, I'm unfamiliar with this driver, and I don't have the h/w, so I cannot test it. This is just a suggestion on how to fix a potential issue. Sven drivers/nfc/port100.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c index bb43cebda9dc..66d1bda9208c 100644 --- a/drivers/nfc/port100.c +++ b/drivers/nfc/port100.c @@ -1630,19 +1630,19 @@ static void port100_disconnect(struct usb_interface *interface) struct port100 *dev; dev = usb_get_intfdata(interface); - usb_set_intfdata(interface, NULL); nfc_digital_unregister_device(dev->nfc_digital_dev); - nfc_digital_free_device(dev->nfc_digital_dev); - usb_kill_urb(dev->in_urb); usb_kill_urb(dev->out_urb); + cancel_work_sync(&dev->cmd_complete_work); + usb_free_urb(dev->in_urb); usb_free_urb(dev->out_urb); usb_put_dev(dev->udev); - + nfc_digital_free_device(dev->nfc_digital_dev); kfree(dev->cmd); + usb_set_intfdata(interface, NULL); nfc_info(&interface->dev, "Sony Port-100 NFC device disconnected\n"); } -- 2.17.1
