In the Linux kernel, the following vulnerability has been resolved:
ASoC: rt5645: Fix errorenous cleanup order
There is a logic error when removing rt5645 device as the function rt5645i2cremove() first cancel the &rt5645->jackdetectwork and delete the &rt5645->btnchecktimer latter. However, since the timer handler rt5645btncheckcallback() will re-queue the jackdetect_work, this cleanup order is buggy.
That is, once the deltimersync in rt5645i2cremove is concurrently run with the rt5645btncheckcallback, the canceled jackdetect_work will be rescheduled again, leading to possible use-after-free.
This patch fix the issue by placing the deltimersync function before the canceldelayedwork_sync.