From: Takashi Iwai <tiwai@xxxxxxx> commit 68359a1ad8447c99732ebeab8c169bfed543667a upstream. Recently syzkaller reported a UAF in LINE6 driver, and it's likely because we call cancel_delayed_work() at the disconnect callback instead of cancel_delayed_work_sync(). Let's use the correct one instead. Reported-by: syzbot+145012a46658ac00fc9e@xxxxxxxxxxxxxxxxxxxxxxxxx Suggested-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/s5hlfjr4gio.wl-tiwai@xxxxxxx Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- sound/usb/line6/driver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/sound/usb/line6/driver.c +++ b/sound/usb/line6/driver.c @@ -835,7 +835,7 @@ void line6_disconnect(struct usb_interfa if (WARN_ON(usbdev != line6->usbdev)) return; - cancel_delayed_work(&line6->startup_work); + cancel_delayed_work_sync(&line6->startup_work); if (line6->urb_listen != NULL) line6_stop_listen(line6);
