Re: [PATCH] ASoC: soc-core: fix use-after-free in snd_soc_unbind_card()

Next message: Dmitry Baryshkov: "Re: [PATCH v4 3/3] arm64: dts: qcom: glymur-crd: Enable USB support"
Previous message: Rosen Penev: "Re: [PATCH] gpio: ljca: reduce struct allocation"
In reply to: Mark Brown: "Re: [PATCH] ASoC: soc-core: fix use-after-free in snd_soc_unbind_card()"
Next in thread: matteo.cotifava: "[PATCH v2 0/2] ASoC: soc-core: fix use-after-free in close_delayed_work"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: matteo.cotifava

Date: Mon Mar 09 2026 - 17:49:18 EST

On Mon, Mar 09, 2026 at 03:01:40PM +0000, Mark Brown wrote:
> That's exactly what flush_delayed_work() is supposed to do? Are you
> sure whatever you're seeing isn't that something is managing to schedule
> new work after the cancellations?

You're right, I was wrong about flush_delayed_work() in v1.

Looking at it more carefully, I believe the issue is exactly what you
suggested: new work gets scheduled after the flush. Specifically,
snd_card_disconnect_sync() inside soc_cleanup_card_resources() can
trigger PCM closes which call snd_soc_dapm_stream_stop(), scheduling
new delayed work after the flush in snd_soc_unbind_card() has already
completed.

> These are two separate changes which should be in two separate commits.

Agreed, split in v2.

> This now guarantees that we don't execute any queued work, presumably
> something was expecting it to do something...

Dropped the cancel approach entirely. v2 keeps flush and adds a second
one in soc_cleanup_card_resources() after snd_card_disconnect_sync()
(so no new work can be scheduled) and before DAIs/widgets are freed.

v2 incoming.

Thanks,
Matteo