[PATCH] ASoC: sof_es8336: fix possible use-after-free in sof_es8336_remove()

[Pierre-Louis Bossart]

On 12/5/22 08:37, Yang Yingliang wrote:
> sof_es8336_remove() calls cancel_delayed_work(). However, that
> function does not wait until the work function finishes. This
> means that the callback function may still be running after
> the driver's remove function has finished, which would result
> in a use-after-free.
> 
> Fix by calling cancel_delayed_work_sync(), which ensures that
> the work is properly cancelled, no longer running, and unable
> to re-schedule itself.
> 
> Fixes: 89cdb224f2ab ("ASoC: sof_es8336: reduce pop noise on speaker")
> Signed-off-by: Yang Yingliang <yangyingliang at huawei.com>

Acked-by: Pierre-Louis Bossart <pierre-louis.bossart at linux.intel.com>

> ---
>  sound/soc/intel/boards/sof_es8336.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/soc/intel/boards/sof_es8336.c b/sound/soc/intel/boards/sof_es8336.c
> index 70713e4b07dc..773e5d1d87d4 100644
> --- a/sound/soc/intel/boards/sof_es8336.c
> +++ b/sound/soc/intel/boards/sof_es8336.c
> @@ -783,7 +783,7 @@ static int sof_es8336_remove(struct platform_device *pdev)
>  	struct snd_soc_card *card = platform_get_drvdata(pdev);
>  	struct sof_es8336_private *priv = snd_soc_card_get_drvdata(card);
>  
> -	cancel_delayed_work(&priv->pcm_pop_work);
> +	cancel_delayed_work_sync(&priv->pcm_pop_work);
>  	gpiod_put(priv->gpio_speakers);
>  	device_remove_software_node(priv->codec_dev);
>  	put_device(priv->codec_dev);