[PATCH v2 0/2] ASoC: soc-core: fix use-after-free in close_delayed_work

Next message: matteo.cotifava: "[PATCH v2 2/2] ASoC: soc-core: flush delayed work before removing DAIs and widgets"
Previous message: matteo.cotifava: "[PATCH v2 1/2] ASoC: soc-core: drop delayed_work_pending() check before flush"
In reply to: matteo.cotifava: "Re: [PATCH] ASoC: soc-core: fix use-after-free in snd_soc_unbind_card()"
Next in thread: matteo.cotifava: "[PATCH v2 1/2] ASoC: soc-core: drop delayed_work_pending() check before flush"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: matteo.cotifava

Date: Mon Mar 09 2026 - 17:55:12 EST

Fix a use-after-free in snd_soc_dapm_stream_event() triggered when a
sound card is unbound while a PCM close delayed work is pending.

As Mark pointed out in v1 review, flush_delayed_work() does handle
pending timers correctly. The actual issue appears to be new work
getting scheduled after the flush: snd_card_disconnect_sync() inside
soc_cleanup_card_resources() can trigger PCM closes which call
snd_soc_dapm_stream_stop(), scheduling new delayed work after the
flush in snd_soc_unbind_card() has already completed. If the timer
fires after soc_remove_link_components() frees the DAPM widgets,
the work accesses freed memory.

v1 -> v2:
- Split into two patches as requested
- Dropped cancel_delayed_work_sync() approach, kept flush as suggested
- Added a flush in soc_cleanup_card_resources() after disconnect_sync
(so no new work can be scheduled) and before DAIs/widgets are freed

matteo.cotifava (2):
ASoC: soc-core: drop delayed_work_pending() check before flush
ASoC: soc-core: flush delayed work before removing DAIs and widgets

sound/soc/soc-core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

--
2.39.5