CVE-2026-45963
Description
In the Linux kernel, the following vulnerability has been resolved:
ASoC: nau8821: Cancel delayed work on component remove
Attempting to unload the driver while a jack detection work is pending would likely crash the kernel when it is eventually scheduled for execution:
[ 1984.896308] BUG: unable to handle page fault for address: ffffffffc10c2a20 [...] [ 1984.896388] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 [ 1984.896396] Workqueue: events nau8821_jdet_work [snd_soc_nau8821] [ 1984.896414] RIP: 0010:__mutex_lock+0x9f/0x11d0 [...] [ 1984.896504] Call Trace: [ 1984.896511] [ 1984.896524] ? snd_soc_dapm_disable_pin+0x26/0x60 [snd_soc_core] [ 1984.896572] ? snd_soc_dapm_disable_pin+0x26/0x60 [snd_soc_core] [ 1984.896596] snd_soc_dapm_disable_pin+0x26/0x60 [snd_soc_core] [ 1984.896622] nau8821_jdet_work+0xeb/0x1e0 [snd_soc_nau8821] [ 1984.896636] process_one_work+0x211/0x590 [ 1984.896649] ? srso_return_thunk+0x5/0x5f [ 1984.896670] worker_thread+0x1cd/0x3a0
Cancel unscheduled jdet_work or wait for its execution to finish before the component driver gets removed.
Affected products
2Patches
43955767ec39dASoC: nau8821: Cancel delayed work on component remove
2 files changed · +18 −2
sound/soc/codecs/nau8821.c+9 −1 modifieddiff --git a/sound/soc/codecs/nau8821.c b/sound/soc/codecs/nau8821.c index 2d25a182f4abe5..2e2714b475012d 100644 --- a/sound/soc/codecs/nau8821.c +++ b/sound/soc/codecs/nau8821.c @@ -1264,6 +1264,14 @@ static int nau8821_component_probe(struct snd_soc_component *component) return 0; } +static void nau8821_component_remove(struct snd_soc_component *component) +{ + struct nau8821 *nau8821 = snd_soc_component_get_drvdata(component); + + if (nau8821->jdet_active) + cancel_delayed_work_sync(&nau8821->jdet_work); +}; + /** * nau8821_calc_fll_param - Calculate FLL parameters. * @fll_in: external clock provided to codec. @@ -1621,6 +1629,7 @@ static int __maybe_unused nau8821_resume(struct snd_soc_component *component) static const struct snd_soc_component_driver nau8821_component_driver = { .probe = nau8821_component_probe, + .remove = nau8821_component_remove, .set_sysclk = nau8821_set_sysclk, .set_pll = nau8821_set_fll, .set_bias_level = nau8821_set_bias_level, -- cgit 1.3-korg
sound/soc/codecs/nau8821.c+9 −1 modifieddiff --git a/sound/soc/codecs/nau8821.c b/sound/soc/codecs/nau8821.c index 2d25a182f4abe5..2e2714b475012d 100644 --- a/sound/soc/codecs/nau8821.c +++ b/sound/soc/codecs/nau8821.c @@ -1264,6 +1264,14 @@ static int nau8821_component_probe(struct snd_soc_component *component) return 0; } +static void nau8821_component_remove(struct snd_soc_component *component) +{ + struct nau8821 *nau8821 = snd_soc_component_get_drvdata(component); + + if (nau8821->jdet_active) + cancel_delayed_work_sync(&nau8821->jdet_work); +}; + /** * nau8821_calc_fll_param - Calculate FLL parameters. * @fll_in: external clock provided to codec. @@ -1621,6 +1629,7 @@ static int __maybe_unused nau8821_resume(struct snd_soc_component *component) static const struct snd_soc_component_driver nau8821_component_driver = { .probe = nau8821_component_probe, + .remove = nau8821_component_remove, .set_sysclk = nau8821_set_sysclk, .set_pll = nau8821_set_fll, .set_bias_level = nau8821_set_bias_level, -- cgit 1.3-korg
dbd3fd05cddfASoC: nau8821: Cancel delayed work on component remove
2 files changed · +18 −2
sound/soc/codecs/nau8821.c+9 −1 modifieddiff --git a/sound/soc/codecs/nau8821.c b/sound/soc/codecs/nau8821.c index 2d25a182f4abe5..2e2714b475012d 100644 --- a/sound/soc/codecs/nau8821.c +++ b/sound/soc/codecs/nau8821.c @@ -1264,6 +1264,14 @@ static int nau8821_component_probe(struct snd_soc_component *component) return 0; } +static void nau8821_component_remove(struct snd_soc_component *component) +{ + struct nau8821 *nau8821 = snd_soc_component_get_drvdata(component); + + if (nau8821->jdet_active) + cancel_delayed_work_sync(&nau8821->jdet_work); +}; + /** * nau8821_calc_fll_param - Calculate FLL parameters. * @fll_in: external clock provided to codec. @@ -1621,6 +1629,7 @@ static int __maybe_unused nau8821_resume(struct snd_soc_component *component) static const struct snd_soc_component_driver nau8821_component_driver = { .probe = nau8821_component_probe, + .remove = nau8821_component_remove, .set_sysclk = nau8821_set_sysclk, .set_pll = nau8821_set_fll, .set_bias_level = nau8821_set_bias_level, -- cgit 1.3-korg
sound/soc/codecs/nau8821.c+9 −1 modifieddiff --git a/sound/soc/codecs/nau8821.c b/sound/soc/codecs/nau8821.c index 2d25a182f4abe5..2e2714b475012d 100644 --- a/sound/soc/codecs/nau8821.c +++ b/sound/soc/codecs/nau8821.c @@ -1264,6 +1264,14 @@ static int nau8821_component_probe(struct snd_soc_component *component) return 0; } +static void nau8821_component_remove(struct snd_soc_component *component) +{ + struct nau8821 *nau8821 = snd_soc_component_get_drvdata(component); + + if (nau8821->jdet_active) + cancel_delayed_work_sync(&nau8821->jdet_work); +}; + /** * nau8821_calc_fll_param - Calculate FLL parameters. * @fll_in: external clock provided to codec. @@ -1621,6 +1629,7 @@ static int __maybe_unused nau8821_resume(struct snd_soc_component *component) static const struct snd_soc_component_driver nau8821_component_driver = { .probe = nau8821_component_probe, + .remove = nau8821_component_remove, .set_sysclk = nau8821_set_sysclk, .set_pll = nau8821_set_fll, .set_bias_level = nau8821_set_bias_level, -- cgit 1.3-korg
3955767ec39dASoC: nau8821: Cancel delayed work on component remove
2 files changed · +18 −2
sound/soc/codecs/nau8821.c+9 −1 modifieddiff --git a/sound/soc/codecs/nau8821.c b/sound/soc/codecs/nau8821.c index 2d25a182f4abe5..2e2714b475012d 100644 --- a/sound/soc/codecs/nau8821.c +++ b/sound/soc/codecs/nau8821.c @@ -1264,6 +1264,14 @@ static int nau8821_component_probe(struct snd_soc_component *component) return 0; } +static void nau8821_component_remove(struct snd_soc_component *component) +{ + struct nau8821 *nau8821 = snd_soc_component_get_drvdata(component); + + if (nau8821->jdet_active) + cancel_delayed_work_sync(&nau8821->jdet_work); +}; + /** * nau8821_calc_fll_param - Calculate FLL parameters. * @fll_in: external clock provided to codec. @@ -1621,6 +1629,7 @@ static int __maybe_unused nau8821_resume(struct snd_soc_component *component) static const struct snd_soc_component_driver nau8821_component_driver = { .probe = nau8821_component_probe, + .remove = nau8821_component_remove, .set_sysclk = nau8821_set_sysclk, .set_pll = nau8821_set_fll, .set_bias_level = nau8821_set_bias_level, -- cgit 1.3-korg
sound/soc/codecs/nau8821.c+9 −1 modifieddiff --git a/sound/soc/codecs/nau8821.c b/sound/soc/codecs/nau8821.c index 2d25a182f4abe5..2e2714b475012d 100644 --- a/sound/soc/codecs/nau8821.c +++ b/sound/soc/codecs/nau8821.c @@ -1264,6 +1264,14 @@ static int nau8821_component_probe(struct snd_soc_component *component) return 0; } +static void nau8821_component_remove(struct snd_soc_component *component) +{ + struct nau8821 *nau8821 = snd_soc_component_get_drvdata(component); + + if (nau8821->jdet_active) + cancel_delayed_work_sync(&nau8821->jdet_work); +}; + /** * nau8821_calc_fll_param - Calculate FLL parameters. * @fll_in: external clock provided to codec. @@ -1621,6 +1629,7 @@ static int __maybe_unused nau8821_resume(struct snd_soc_component *component) static const struct snd_soc_component_driver nau8821_component_driver = { .probe = nau8821_component_probe, + .remove = nau8821_component_remove, .set_sysclk = nau8821_set_sysclk, .set_pll = nau8821_set_fll, .set_bias_level = nau8821_set_bias_level, -- cgit 1.3-korg
dbd3fd05cddfASoC: nau8821: Cancel delayed work on component remove
2 files changed · +18 −2
sound/soc/codecs/nau8821.c+9 −1 modifieddiff --git a/sound/soc/codecs/nau8821.c b/sound/soc/codecs/nau8821.c index 2d25a182f4abe5..2e2714b475012d 100644 --- a/sound/soc/codecs/nau8821.c +++ b/sound/soc/codecs/nau8821.c @@ -1264,6 +1264,14 @@ static int nau8821_component_probe(struct snd_soc_component *component) return 0; } +static void nau8821_component_remove(struct snd_soc_component *component) +{ + struct nau8821 *nau8821 = snd_soc_component_get_drvdata(component); + + if (nau8821->jdet_active) + cancel_delayed_work_sync(&nau8821->jdet_work); +}; + /** * nau8821_calc_fll_param - Calculate FLL parameters. * @fll_in: external clock provided to codec. @@ -1621,6 +1629,7 @@ static int __maybe_unused nau8821_resume(struct snd_soc_component *component) static const struct snd_soc_component_driver nau8821_component_driver = { .probe = nau8821_component_probe, + .remove = nau8821_component_remove, .set_sysclk = nau8821_set_sysclk, .set_pll = nau8821_set_fll, .set_bias_level = nau8821_set_bias_level, -- cgit 1.3-korg
sound/soc/codecs/nau8821.c+9 −1 modifieddiff --git a/sound/soc/codecs/nau8821.c b/sound/soc/codecs/nau8821.c index 2d25a182f4abe5..2e2714b475012d 100644 --- a/sound/soc/codecs/nau8821.c +++ b/sound/soc/codecs/nau8821.c @@ -1264,6 +1264,14 @@ static int nau8821_component_probe(struct snd_soc_component *component) return 0; } +static void nau8821_component_remove(struct snd_soc_component *component) +{ + struct nau8821 *nau8821 = snd_soc_component_get_drvdata(component); + + if (nau8821->jdet_active) + cancel_delayed_work_sync(&nau8821->jdet_work); +}; + /** * nau8821_calc_fll_param - Calculate FLL parameters. * @fll_in: external clock provided to codec. @@ -1621,6 +1629,7 @@ static int __maybe_unused nau8821_resume(struct snd_soc_component *component) static const struct snd_soc_component_driver nau8821_component_driver = { .probe = nau8821_component_probe, + .remove = nau8821_component_remove, .set_sysclk = nau8821_set_sysclk, .set_pll = nau8821_set_fll, .set_bias_level = nau8821_set_bias_level, -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing cleanup of delayed workqueue item on driver removal allows a use-after-free when the jack detection work runs after the component driver has been unloaded."
Attack vector
An attacker with the ability to trigger driver module unloading (e.g., via hot-unplug or rmmod) while a jack detection work item is pending can cause a use-after-free. The workqueue function `nau8821_jdet_work` accesses driver data structures that have already been freed, leading to a kernel page fault [patch_id=2660938]. The crash manifests as a page fault in `__mutex_lock` called from `snd_soc_dapm_disable_pin` within the work handler [patch_id=2660938]. No special network or authentication preconditions are required beyond the ability to unload the sound codec module.
Affected code
The vulnerability is in `sound/soc/codecs/nau8821.c`. The `nau8821_component_probe` function schedules delayed work (`nau8821->jdet_work`) but no corresponding `remove` callback existed to cancel it. The `nau8821_jdet_work` function is the workqueue handler that crashes after module removal [patch_id=2660938].
What the fix does
The patch adds a `nau8821_component_remove` callback that calls `cancel_delayed_work_sync(&nau8821->jdet_work)` when `jdet_active` is set [patch_id=2660938]. This ensures any pending or executing jack detection work is either cancelled or waited upon before the component driver is removed. The new `.remove` function pointer is registered in the `nau8821_component_driver` struct [patch_id=2660938]. This closes the race between driver removal and delayed work execution.
Preconditions
- configThe nau8821 sound codec driver must be loaded and have jack detection active (nau8821->jdet_active set).
- inputAn attacker must be able to trigger driver module removal (e.g., hot-unplug of the audio device or rmmod of snd_soc_nau8821).
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.