| Message ID | 20221205143721.3988988-1-yangyingliang@huawei.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 1b41beaa7a58467505ec3023af8aad74f878b888 |
| Headers | show |
| Series | ASoC: sof_es8336: fix possible use-after-free in sof_es8336_remove() | expand |
On 12/5/22 08:37, Yang Yingliang wrote: > sof_es8336_remove() calls cancel_delayed_work(). However, that > function does not wait until the work function finishes. This > means that the callback function may still be running after > the driver's remove function has finished, which would result > in a use-after-free. > > Fix by calling cancel_delayed_work_sync(), which ensures that > the work is properly cancelled, no longer running, and unable > to re-schedule itself. > > Fixes: 89cdb224f2ab ("ASoC: sof_es8336: reduce pop noise on speaker") > Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> > --- > sound/soc/intel/boards/sof_es8336.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/sound/soc/intel/boards/sof_es8336.c b/sound/soc/intel/boards/sof_es8336.c > index 70713e4b07dc..773e5d1d87d4 100644 > --- a/sound/soc/intel/boards/sof_es8336.c > +++ b/sound/soc/intel/boards/sof_es8336.c > @@ -783,7 +783,7 @@ static int sof_es8336_remove(struct platform_device *pdev) > struct snd_soc_card *card = platform_get_drvdata(pdev); > struct sof_es8336_private *priv = snd_soc_card_get_drvdata(card); > > - cancel_delayed_work(&priv->pcm_pop_work); > + cancel_delayed_work_sync(&priv->pcm_pop_work); > gpiod_put(priv->gpio_speakers); > device_remove_software_node(priv->codec_dev); > put_device(priv->codec_dev);
On Mon, 5 Dec 2022 22:37:21 +0800, Yang Yingliang wrote: > sof_es8336_remove() calls cancel_delayed_work(). However, that > function does not wait until the work function finishes. This > means that the callback function may still be running after > the driver's remove function has finished, which would result > in a use-after-free. > > Fix by calling cancel_delayed_work_sync(), which ensures that > the work is properly cancelled, no longer running, and unable > to re-schedule itself. > > [...] Applied to https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next Thanks! [1/1] ASoC: sof_es8336: fix possible use-after-free in sof_es8336_remove() commit: 1b41beaa7a58467505ec3023af8aad74f878b888 All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted. You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed. If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced. Please add any relevant lists and maintainers to the CCs when replying to this mail. Thanks, Mark
diff --git a/sound/soc/intel/boards/sof_es8336.c b/sound/soc/intel/boards/sof_es8336.c index 70713e4b07dc..773e5d1d87d4 100644 --- a/sound/soc/intel/boards/sof_es8336.c +++ b/sound/soc/intel/boards/sof_es8336.c @@ -783,7 +783,7 @@ static int sof_es8336_remove(struct platform_device *pdev) struct snd_soc_card *card = platform_get_drvdata(pdev); struct sof_es8336_private *priv = snd_soc_card_get_drvdata(card); - cancel_delayed_work(&priv->pcm_pop_work); + cancel_delayed_work_sync(&priv->pcm_pop_work); gpiod_put(priv->gpio_speakers); device_remove_software_node(priv->codec_dev); put_device(priv->codec_dev);
sof_es8336_remove() calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Fixes: 89cdb224f2ab ("ASoC: sof_es8336: reduce pop noise on speaker") Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> --- sound/soc/intel/boards/sof_es8336.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)