Re: [PATCH] ASoC: soc-core: fix use-after-free in snd_soc_unbind_card()
From: Mark Brown
Date: Mon Mar 09 2026 - 11:08:18 EST
On Sun, Mar 08, 2026 at 12:09:31PM +0100, Matteo Cotifava wrote:
> snd_soc_flush_all_delayed_work(), but flush_delayed_work() does not
> execute if the delayed work timer has not fired yet and the work item
> has not been enqueued in the workqueue. Cleanup then frees DAPM
That's exactly what flush_delayed_work() is supposed to do? Are you
sure whatever you're seeing isn't that something is managing to schedule
new work after the cancellations?
> Replace snd_soc_flush_all_delayed_work() with a new
> snd_soc_cancel_all_delayed_work() in the unbind path to guarantee
> that any pending or running delayed work is cancelled or awaited
> before card resources are released.
> Also fix soc_free_pcm_runtime() to use cancel_delayed_work_sync()
> unconditionally instead of the racy conditional flush. The original
> check of delayed_work_pending() followed by flush_delayed_work() has
> a time window where the work can become pending between the two
> calls.
These are two separate changes which should be in two separate commits.
> - if (delayed_work_pending(&rtd->delayed_work))
> - flush_delayed_work(&rtd->delayed_work);
> + cancel_delayed_work_sync(&rtd->delayed_work);
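Review bot: replacing the conditional flush with cancel_delayed_work_sync() in soc_free_pcm_runtime() changes behaviour beyond closing the race: flush_delayed_work() runs a pending item to completion before returning, whereas cancel_delayed_work_sync() drops it if it has not started yet, so whatever rtd->delayed_work was meant to do at teardown is now silently skipped. The commit message's justification (that flush does not execute work whose timer has not fired) is disputed in the reply above, so if the defect is only the racy delayed_work_pending() check, the minimal fix is to drop the condition and call `flush_delayed_work(&rtd->delayed_work);` unconditionally; switching to cancellation needs its own commit and its own explanation of why the work's effects are not required once the runtime is freed.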
This now guarantees that we don't execute any queued work, presumably
something was expecting it to do something... We should probably drop
the check for pending work since flush ought to be safe if nothing was
scheduled, but it's not clear why you're jumping to cancellation.