In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: q6apm: move component registration to unmanaged version
The q6apm component registers DAIs dynamically from the ASoC topology, and these are allocated using the device-managed APIs. Allocating both the component and the dynamic DAIs using the managed versions could lead to incorrect free ordering: a DAI will be freed while the component is still holding references to it.
Fix this issue by moving the component to the unmanaged version so that the DAI pointers are only freed after the component is removed.
==================================================================
BUG: KASAN: slab-use-after-free in snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]
Read of size 8 at addr ffff00084493a6e8 by task kworker/u48:0/3426
Tainted: [W]=WARN
Hardware name: LENOVO 21N2ZC5PUS/21N2ZC5PUS, BIOS N42ET57W (1.31 ) 08/08/2024
Workqueue: pdr_notifier_wq pdr_notifier_work [pdr_interface]
Call trace:
 show_stack+0x28/0x7c (C)
 dump_stack_lvl+0x60/0x80
 print_report+0x160/0x4b4
 kasan_report+0xac/0xfc
 __asan_report_load8_noabort+0x20/0x34
 snd_soc_del_component_unlocked+0x3d4/0x400 [snd_soc_core]
 snd_soc_unregister_component_by_driver+0x50/0x88 [snd_soc_core]
 devm_component_release+0x30/0x5c [snd_soc_core]
 devres_release_all+0x13c/0x210
 device_unbind_cleanup+0x20/0x190
 device_release_driver_internal+0x350/0x468
 device_release_driver+0x18/0x30
 bus_remove_device+0x1a0/0x35c
 device_del+0x314/0x7f0
 device_unregister+0x20/0xbc
 apr_remove_device+0x5c/0x7c [apr]
 device_for_each_child+0xd8/0x160
 apr_pd_status+0x7c/0xa8 [apr]
 pdr_notifier_work+0x114/0x240 [pdr_interface]
 process_one_work+0x500/0xb70
 worker_thread+0x630/0xfb0
 kthread+0x370/0x6c0
 ret_from_fork+0x10/0x20

Allocated by task 77:
 kasan_save_stack+0x40/0x68
 kasan_save_track+0x20/0x40
 kasan_save_alloc_info+0x44/0x58
 __kasan_kmalloc+0xbc/0xdc
 __kmalloc_node_track_caller_noprof+0x1f4/0x620
 devm_kmalloc+0x7c/0x1c8
 snd_soc_register_dai+0x50/0x4f0 [snd_soc_core]
 soc_tplg_pcm_elems_load+0x55c/0x1eb8 [snd_soc_core]
 snd_soc_tplg_component_load+0x4f8/0xb60 [snd_soc_core]
 audioreach_tplg_init+0x124/0x1fc [snd_q6apm]
 q6apm_audio_probe+0x10/0x1c [snd_q6apm]
 snd_soc_component_probe+0x5c/0x118 [snd_soc_core]
 soc_probe_component+0x44c/0xaf0 [snd_soc_core]
 snd_soc_bind_card+0xad0/0x2370 [snd_soc_core]
 snd_soc_register_card+0x3b0/0x4c0 [snd_soc_core]
 devm_snd_soc_register_card+0x50/0xc8 [snd_soc_core]
 x1e80100_platform_probe+0x208/0x368 [snd_soc_x1e80100]
 platform_probe+0xc0/0x188
 really_probe+0x188/0x804
 __driver_probe_device+0x158/0x358
 driver_probe_device+0x60/0x190
 __device_attach_driver+0x16c/0x2a8
 bus_for_each_drv+0x100/0x194
 __device_attach+0x174/0x380
 device_initial_probe+0x14/0x20
 bus_probe_device+0x124/0x154
 deferred_probe_work_func+0x140/0x220
 process_one_work+0x500/0xb70
 worker_thread+0x630/0xfb0
 kthread+0x370/0x6c0
 ret_from_fork+0x10/0x20

Freed by task 3426:
 kasan_save_stack+0x40/0x68
 kasan_save_track+0x20/0x40
 __kasan_save_free_info+0x4c/0x80
 __kasan_slab_free+0x78/0xa0
 kfree+0x100/0x4a4
 devres_release_all+0x144/0x210
 device_unbind_cleanup+0x20/0x190
 device_release_driver_internal+0x350/0x468
 device_release_driver+0x18/0x30
 bus_remove_device+0x1a0/0x35c
 device_del+0x314/0x7f0
 device_unregister+0x20/0xbc
 apr_remove_device+0x5c/0x7c [apr]
 device_for_each_child+0xd8/0x160
 apr_pd_status+0x7c/0xa8 [apr]
 pdr_notifier_work+0x114/0x240 [pdr_interface]
 process_one_work+0x500/0xb70
 worker_thread+0x630/0xfb0
 kthread+0x370/0x6c0
 ret_from_fork+0x10/0x20
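The free-ordering problem described above, as a userspace model added here for illustration (it is not kernel code and not taken from the fix). All `toy_*` names are hypothetical; the model assumes device-managed resources are released in reverse order of registration, and that an unmanaged component is unregistered explicitly on the remove path before that release runs.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy devres list (hypothetical names): entries are released newest-first. */
struct toy_devres { void (*release)(void *); void *data; struct toy_devres *next; };
struct toy_dai { int freed; };
struct toy_component { struct toy_dai *dai; int stale_reads; };
static struct toy_devres *toy_head; /* most recently registered entry */

static void toy_devres_add(void (*release)(void *), void *data) {
    struct toy_devres *dr = malloc(sizeof(*dr));
    if (!dr) abort();
    dr->release = release; dr->data = data;
    dr->next = toy_head; toy_head = dr;
}

static void toy_devres_release_all(void) {
    while (toy_head) {
        struct toy_devres *dr = toy_head;
        toy_head = dr->next;
        dr->release(dr->data);
        free(dr);
    }
}

/* Stands in for kfree(): only marks the DAI, so the model never touches freed memory. */
static void toy_dai_release(void *p) { ((struct toy_dai *)p)->freed = 1; }

/* Stands in for component removal, which reads the component's DAI pointers. */
static void toy_component_del(void *p) {
    struct toy_component *c = p;
    if (c->dai && c->dai->freed) c->stale_reads++; /* where KASAN would report */
    c->dai = NULL;
}

/* Returns how many already-released DAIs component removal touched. */
int teardown_stale_reads(int managed_component) {
    struct toy_component c = {0}; struct toy_dai d = {0};
    if (managed_component) toy_devres_add(toy_component_del, &c); /* at probe */
    c.dai = &d;
    toy_devres_add(toy_dai_release, &d); /* DAI added later, during topology load */
    if (!managed_component) toy_component_del(&c); /* assumed explicit unregister */
    toy_devres_release_all();
    return c.stale_reads;
}

int main(void) {
    printf("managed: %d, unmanaged: %d\n", teardown_stale_reads(1), teardown_stale_reads(0));
    return 0;
}
```

With the managed component the DAI entry sits above the component entry in the release list, so it is released first; this matches the trace, where both `kfree` and `devm_component_release` are reached from `devres_release_all`.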
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31587.json"
}