At closing a USB MIDI output substream, there might be still a pending work, which would eventually access the rawmidi runtime object that is being released. For fixing the race, make sure to cancel the pending work at closing.
Reported-by: syzbot+6912c9592caca7ca0e7d@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/000000000000e7e75005dfd07cf6@google.com Signed-off-by: Takashi Iwai tiwai@suse.de --- sound/usb/midi.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c index 7c6ca2b433a5..344fbeadf161 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1145,6 +1145,9 @@ static int snd_usbmidi_output_open(struct snd_rawmidi_substream *substream)
static int snd_usbmidi_output_close(struct snd_rawmidi_substream *substream) { + struct usbmidi_out_port *port = substream->runtime->private_data; + + cancel_work_sync(&port->ep->work); return substream_open(substream, 0, 0); }