This is a note to let you know that I've just added the patch titled ASoC: sof_es8336: fix possible use-after-free in sof_es8336_remove() to the 6.1-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: asoc-sof_es8336-fix-possible-use-after-free-in-sof_e.patch and it can be found in the queue-6.1 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 130bbbe92f1d8884ada78693852fbfef33c4f483 Author: Yang Yingliang <yangyingliang@xxxxxxxxxx> Date: Mon Dec 5 22:37:21 2022 +0800 ASoC: sof_es8336: fix possible use-after-free in sof_es8336_remove() [ Upstream commit 1b41beaa7a58467505ec3023af8aad74f878b888 ] sof_es8336_remove() calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Fixes: 89cdb224f2ab ("ASoC: sof_es8336: reduce pop noise on speaker") Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx> Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@xxxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20221205143721.3988988-1-yangyingliang@xxxxxxxxxx Signed-off-by: Mark Brown <broonie@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/sound/soc/intel/boards/sof_es8336.c b/sound/soc/intel/boards/sof_es8336.c index 70713e4b07dc..773e5d1d87d4 100644 --- a/sound/soc/intel/boards/sof_es8336.c +++ b/sound/soc/intel/boards/sof_es8336.c @@ -783,7 +783,7 @@ static int sof_es8336_remove(struct platform_device *pdev) struct snd_soc_card *card = platform_get_drvdata(pdev); struct sof_es8336_private *priv = snd_soc_card_get_drvdata(card); - cancel_delayed_work(&priv->pcm_pop_work); + cancel_delayed_work_sync(&priv->pcm_pop_work); gpiod_put(priv->gpio_speakers); device_remove_software_node(priv->codec_dev); put_device(priv->codec_dev);