Skip to content

Commit

Permalink
ALSA: Use del_timer_sync() before freeing timer
Browse files Browse the repository at this point in the history 
The current code for freeing the emux timer is extremely dangerous:

  CPU0				CPU1
  ----				----
snd_emux_timer_callback()
			    snd_emux_free()
			      spin_lock(&emu->voice_lock)
			      del_timer(&emu->tlist); <-- returns immediately
			      spin_unlock(&emu->voice_lock);
			      [..]
			      kfree(emu);

  spin_lock(&emu->voice_lock);

 [BOOM!]

Instead just use del_timer_sync() which will wait for the timer to finish
before continuing. No need to check if the timer is active or not when
doing so.

This doesn't fix the race of a possible re-arming of the timer, but at
least it won't use the data that has just been freed.

[ Fixed unused variable warning by tiwai ]

Cc: [email protected]
Fixes: 1da177e ("Linux-2.6.12-rc2")
Signed-off-by: Steven Rostedt (Google) <[email protected]>
Reviewed-by: Guenter Roeck <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Takashi Iwai <[email protected]>
  • Loading branch information
@rostedt @tiwai
rostedt authored and tiwai committed Oct 27, 2022
1 parent 4a4c848 commit f0a8687
Showing 1 changed file with 1 addition and 6 deletions.
7 changes: 1 addition & 6 deletions sound/synth/emux/emux.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -126,15 +126,10 @@ EXPORT_SYMBOL(snd_emux_register);
*/
int snd_emux_free(struct snd_emux *emu)
{
unsigned long flags;

if (! emu)
return -EINVAL;

spin_lock_irqsave(&emu->voice_lock, flags);
if (emu->timer_active)
del_timer(&emu->tlist);
spin_unlock_irqrestore(&emu->voice_lock, flags);
del_timer_sync(&emu->tlist);

snd_emux_proc_free(emu);
snd_emux_delete_virmidi(emu);
Expand Down

0 comments on commit f0a8687

Please sign in to comment.