ASoC: Intel: Cancel hsw_notification_work before freeing the stream

I suppose there is a possibility that hsw_notification_work() may run after
sst_hsw_stream_free() which can lead to a kernel crash since struct
sst_hsw_stream is freed at that point and
stream = container_of(work, struct sst_hsw_stream, notify_work) is not valid
when hsw_notification_work() is run.

Reported-by: Derek Basehore <dbasehore@chromium.org>
Reported-by: Wenkai Du <wenkai.du@intel.com>
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Signed-off-by: Mark Brown <broonie@linaro.org>

diff --git a/sound/soc/intel/sst-haswell-ipc.c b/sound/soc/intel/sst-haswell-ipc.c
index 6c0b4f2..5bcf596 100644 (file)
--- a/sound/soc/intel/sst-haswell-ipc.c
+++ b/sound/soc/intel/sst-haswell-ipc.c
@@ -1207,6 +1207,7 @@ int sst_hsw_stream_free(struct sst_hsw *hsw, struct sst_hsw_stream *stream)
        trace_hsw_stream_free_req(stream, &stream->free_req);
 
 out:
+       cancel_work_sync(&stream->notify_work);
        spin_lock_irqsave(&sst->spinlock, flags);
        list_del(&stream->node);
        kfree(stream);