From: "matteo.cotifava"
To: broonie@kernel.org
Cc: cotifavamatteo@gmail.com, cujomalainey@chromium.org, lgirdwood@gmail.com, linux-kernel@vger.kernel.org, linux-sound@vger.kernel.org, perex@perex.cz, srini@kernel.org, tiwai@suse.com
Subject: [PATCH v2 2/2] ASoC: soc-core: flush delayed work before removing DAIs and widgets
Date: Mon, 9 Mar 2026 22:54:12 +0100
Message-Id: <20260309215412.545628-3-cotifavamatteo@gmail.com>
In-Reply-To: <20260309215412.545628-1-cotifavamatteo@gmail.com>
References: <17591222-b9f7-4056-9c13-4a2ccd0788df@sirena.org.uk> <20260309215412.545628-1-cotifavamatteo@gmail.com>

When a sound card is unbound while a PCM stream is open, a use-after-free can occur in snd_soc_dapm_stream_event(), called from the close_delayed_work workqueue handler.

During unbind, snd_soc_unbind_card() flushes delayed work and then calls soc_cleanup_card_resources(). Inside cleanup, snd_card_disconnect_sync() releases all PCM file descriptors, and the resulting PCM close path can call snd_soc_dapm_stream_stop() which schedules new delayed work with a pmdown_time timer delay. Since this happens after the flush in snd_soc_unbind_card(), the new work is not caught. soc_remove_link_components() then frees DAPM widgets before this work fires, leading to the use-after-free.

The existing flush in soc_free_pcm_runtime() also cannot help as it runs after soc_remove_link_components() has already freed the widgets.

Add a flush in soc_cleanup_card_resources() after snd_card_disconnect_sync() (after which no new PCM closes can schedule further delayed work) and before soc_remove_link_dais() and soc_remove_link_components() (which tear down the structures the delayed work accesses).

Fixes: e894efef9ac7 ("ASoC: core: add support to card rebind")
Signed-off-by: Matteo Cotifava --- sound/soc/soc-core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c index e5ac8ae1665d..cf826c2a8b59 100644 --- a/sound/soc/soc-core.c +++ b/sound/soc/soc-core.c @@ -2121,6 +2121,9 @@ static void soc_cleanup_card_resources(struct snd_soc= _card *card) for_each_card_rtds(card, rtd) if (rtd->initialized) snd_soc_link_exit(rtd); + /* flush delayed work before removing DAIs and DAPM widgets */ + snd_soc_flush_all_delayed_work(card); + /* remove and free each DAI */ soc_remove_link_dais(card); soc_remove_link_components(card); --=20 2.39.5
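
Review bot: the new snd_soc_flush_all_delayed_work(card) call sits after the for_each_card_rtds() loop that calls snd_soc_link_exit(rtd), so any close_delayed_work still pending at that point runs only after the link's exit callback has already executed. The commit message argues the ordering relative to snd_card_disconnect_sync(), soc_remove_link_dais() and soc_remove_link_components(), but says nothing about snd_soc_link_exit(); please confirm the delayed work handler touches nothing a link exit callback may release, or move the flush above the loop. The added comment also states only what the call does; it would help to record the ordering constraint there (new delayed work can be queued by PCM closes triggered from snd_card_disconnect_sync(), and it must finish before the DAPM widgets are freed) so a later reshuffle of this function does not silently reopen the use-after-free.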