From: "matteo.cotifava"
To: broonie@kernel.org
Cc: cotifavamatteo@gmail.com, cujomalainey@chromium.org, lgirdwood@gmail.com, linux-kernel@vger.kernel.org, linux-sound@vger.kernel.org, perex@perex.cz, srini@kernel.org, tiwai@suse.com
Subject: [PATCH v2 1/2] ASoC: soc-core: drop delayed_work_pending() check before flush
Date: Mon, 9 Mar 2026 22:54:11 +0100
Message-Id: <20260309215412.545628-2-cotifavamatteo@gmail.com>
In-Reply-To: <20260309215412.545628-1-cotifavamatteo@gmail.com>
References: <17591222-b9f7-4056-9c13-4a2ccd0788df@sirena.org.uk> <20260309215412.545628-1-cotifavamatteo@gmail.com>

The delayed_work_pending() check before flush_delayed_work() in soc_free_pcm_runtime() is unnecessary and racy. flush_delayed_work() is safe to call unconditionally - it is a no-op when no work is pending. Remove the check.

The original check was added by commit 9c9b65203492 ("ASoC: core: only flush inited work during free") but delayed_work_pending() followed by flush_delayed_work() has a time-of-check/time-of-use window where work can become pending between the two calls.

Fixes: 9c9b65203492 ("ASoC: core: only flush inited work during free")
Signed-off-by: Matteo Cotifava
---
 sound/soc/soc-core.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index d0fffef65daf..e5ac8ae1665d 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c 
@@ -462,8 +462,7 @@ static void soc_free_pcm_runtime(struct snd_soc_pcm_run= time *rtd) =20 list_del(&rtd->list); =20 - if (delayed_work_pending(&rtd->delayed_work)) - flush_delayed_work(&rtd->delayed_work); + flush_delayed_work(&rtd->delayed_work); snd_soc_pcm_component_free(rtd); =20 /* --=20 2.39.5
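Review bot: In the soc_free_pcm_runtime() hunk of patch 1/2, the now unconditional flush_delayed_work(&rtd->delayed_work) depends on rtd->delayed_work having been initialized on every path that reaches this function, and the commit message does not establish that. The title of the commit named in Fixes, "ASoC: core: only flush inited work during free", indicates the removed delayed_work_pending() test was there to skip work that was never initialized, which is a different concern from the no-op-when-idle behaviour and the time-of-check/time-of-use window the message argues from. Please state where the delayed work is initialized relative to the error paths that call soc_free_pcm_runtime(), or keep a guard that covers the uninitialized case without the racy pending test.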
From: "matteo.cotifava"
To: broonie@kernel.org
Cc: cotifavamatteo@gmail.com, cujomalainey@chromium.org, lgirdwood@gmail.com, linux-kernel@vger.kernel.org, linux-sound@vger.kernel.org, perex@perex.cz, srini@kernel.org, tiwai@suse.com
Subject: [PATCH v2 2/2] ASoC: soc-core: flush delayed work before removing DAIs and widgets
Date: Mon, 9 Mar 2026 22:54:12 +0100
Message-Id: <20260309215412.545628-3-cotifavamatteo@gmail.com>
In-Reply-To: <20260309215412.545628-1-cotifavamatteo@gmail.com>
References: <17591222-b9f7-4056-9c13-4a2ccd0788df@sirena.org.uk> <20260309215412.545628-1-cotifavamatteo@gmail.com>

When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler.

During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free.

The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets.

Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses).

Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind")
Signed-off-by: Matteo Cotifava --- sound/soc/soc-core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index e5ac8ae1665d..cf826c2a8b59 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -2121,6 +2121,9 @@ static void soc_cleanup_card_resources(struct snd_soc= _card *card) for_each_card_rtds(card, rtd) if (rtd->initialized) snd_soc_link_exit(rtd); + /* flush delayed work before removing DAIs and DAPM widgets */ + snd_soc_flush_all_delayed_work(card); + /* remove and free each DAI */ soc_remove_link_dais(card); soc_remove_link_components(card); --=20 2.39.5
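Review bot: In the soc_cleanup_card_resources() hunk of patch 2/2, snd_soc_flush_all_delayed_work(card) is placed after the for_each_card_rtds() loop that calls snd_soc_link_exit(rtd), while the commit message describes the flush as going after snd_card_disconnect_sync(), which does not appear in the hunk context. If the delayed work can touch state that a link exit callback releases, the flush belongs before that loop, directly after snd_card_disconnect_sync(); otherwise say in the commit message why running it after link exit is safe. It would also help to say whether the earlier flush in snd_soc_unbind_card() is still needed now that this one runs on the same path.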