From: "matteo.cotifava" <cotifavamatteo@gmail.com>
To: broonie@kernel.org
Cc: cotifavamatteo@gmail.com, cujomalainey@chromium.org,
	lgirdwood@gmail.com, linux-kernel@vger.kernel.org,
	linux-sound@vger.kernel.org, perex@perex.cz, srini@kernel.org,
	tiwai@suse.com
Subject: Re: [PATCH] ASoC: soc-core: fix use-after-free in snd_soc_unbind_card()
Date: Mon,  9 Mar 2026 22:49:06 +0100
Message-ID: <20260309214906.543639-1-cotifavamatteo@gmail.com>
In-Reply-To: <17591222-b9f7-4056-9c13-4a2ccd0788df@sirena.org.uk>

On Mon, Mar 09, 2026 at 03:01:40PM +0000, Mark Brown wrote:
> That's exactly what flush_delayed_work() is supposed to do?  Are you
> sure whatever you're seeing isn't that something is managing to schedule
> new work after the cancellations?

You're right, I was wrong about flush_delayed_work() in v1.

Looking at it more carefully, I believe the issue is exactly what you
suggested: new work gets scheduled after the flush. Specifically,
snd_card_disconnect_sync() inside soc_cleanup_card_resources() can
trigger PCM closes which call snd_soc_dapm_stream_stop(), scheduling
new delayed work after the flush in snd_soc_unbind_card() has already
completed.

> These are two separate changes which should be in two separate commits.

Agreed, split in v2.

> This now guarantees that we don't execute any queued work, presumably
> something was expecting it to do something...

Dropped the cancel approach entirely. v2 keeps flush and adds a second
one in soc_cleanup_card_resources() after snd_card_disconnect_sync()
(so no new work can be scheduled) and before DAIs/widgets are freed.

v2 incoming.

Thanks,
Matteo
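
The teardown ordering discussed in the message above, as an added user-space model that is not part of the original email or of the kernel source. The `model_*` names and the single pending flag are assumptions standing in for the delayed work, snd_card_disconnect_sync() and the removal of DAIs and widgets.

```c
/* User-space model of the teardown ordering; hypothetical names, not kernel code. */
#include <stdbool.h>
#include <stdio.h>

struct model_card {
    bool work_pending;  /* models the queued delayed work */
    bool dais_freed;    /* models DAIs/widgets having been removed */
    int  stale_runs;    /* work executions that touched freed state */
};

/* Models the delayed work body, which touches DAI/widget state. */
static void model_work_fn(struct model_card *c)
{
    if (c->dais_freed)
        c->stale_runs++;    /* in the kernel this would be the use-after-free */
}

/* Models flush_delayed_work(): run any pending work now and wait for it. */
static void model_flush(struct model_card *c)
{
    if (c->work_pending) {
        c->work_pending = false;
        model_work_fn(c);
    }
}

/* Models snd_card_disconnect_sync(): PCM closes schedule new delayed work. */
static void model_disconnect_sync(struct model_card *c) { c->work_pending = true; }

/* Returns how many times the work ran against freed state for a teardown order. */
int model_unbind(bool flush_after_disconnect)
{
    struct model_card c = { .work_pending = true }; /* work queued before unbind */

    model_flush(&c);            /* flush in the unbind path */
    model_disconnect_sync(&c);  /* cleanup path: closes queue the work again */
    if (flush_after_disconnect)
        model_flush(&c);        /* v2: second flush, before anything is freed */
    c.dais_freed = true;        /* DAIs and widgets removed */
    model_flush(&c);            /* models the delay expiring after teardown */
    return c.stale_runs;
}

int main(void)
{
    printf("flush only before disconnect: %d stale run(s)\n", model_unbind(false));
    printf("second flush after disconnect: %d stale run(s)\n", model_unbind(true));
    return 0;
}
```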

Thread overview: 8+ messages
2026-03-08 11:09 [PATCH] ASoC: soc-core: fix use-after-free in snd_soc_unbind_card() Matteo Cotifava
2026-03-09 15:01 ` Mark Brown
2026-03-09 21:49   ` matteo.cotifava [this message]
2026-03-09 21:54   ` [PATCH v2 0/2] ASoC: soc-core: fix use-after-free in close_delayed_work matteo.cotifava
2026-03-09 21:54     ` [PATCH v2 1/2] ASoC: soc-core: drop delayed_work_pending() check before flush matteo.cotifava
2026-03-09 21:54     ` [PATCH v2 2/2] ASoC: soc-core: flush delayed work before removing DAIs and widgets matteo.cotifava
2026-03-09 22:08     ` [PATCH v2 0/2] ASoC: soc-core: fix use-after-free in close_delayed_work Mark Brown
2026-03-10  0:36     ` Mark Brown
