Date: Wed, 26 Oct 2022 23:12:36 -0400
From: Steven Rostedt
To: LKML
Cc: Linus Torvalds, Thomas Gleixner, Guenter Roeck, Stephen Boyd, Jaroslav Kysela, Takashi Iwai, alsa-devel@alsa-project.org
Subject: [PATCH] ALSA: Use del_timer_sync() before freeing timer
Message-ID: <20221026231236.6834b551@gandalf.local.home>

From: "Steven Rostedt (Google)"

The current code for freeing the emux timer is extremely dangerous:

  CPU0                          CPU1
  ----                          ----
  snd_emux_timer_callback()
                                snd_emux_free()
                                  spin_lock(&emu->voice_lock)
                                  del_timer(&emu->tlist); <-- returns immediately
                                  spin_unlock(&emu->voice_lock);
                                  [..]
                                  kfree(emu);

    spin_lock(&emu->voice_lock);

  [BOOM!]

Instead just use del_timer_sync() which will wait for the timer to finish
before continuing. No need to check if the timer is active or not when
doing so.

This doesn't fix the race of a possible re-arming of the timer, but at
least it won't use the data that has just been freed.

Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Steven Rostedt (Google)
--- sound/synth/emux/emux.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/sound/synth/emux/emux.c b/sound/synth/emux/emux.c index 5ed8e36d2e04..a2ee78809cfb 100644 --- a/sound/synth/emux/emux.c +++ b/sound/synth/emux/emux.c
@@ -131,10 +131,7 @@ int snd_emux_free(struct snd_emux *emu) if (! emu) return -EINVAL; - spin_lock_irqsave(&emu->voice_lock, flags); - if (emu->timer_active) - del_timer(&emu->tlist); - spin_unlock_irqrestore(&emu->voice_lock, flags); + del_timer_sync(&emu->tlist); snd_emux_proc_free(emu); snd_emux_delete_virmidi(emu); -- 2.35.1
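
Review bot: the four removed lines were the only visible users of `flags` (spin_lock_irqsave()/spin_unlock_irqrestore()), and the diffstat shows no other deletion, so if `flags` is a local declared above this hunk in snd_emux_free() it is now unused and should be dropped in the same patch to avoid an unused-variable warning. Separately, with the `if (emu->timer_active)` test gone, nothing visible here stops the callback from re-arming emu->tlist after del_timer_sync() returns, which the commit message concedes; a short comment at the del_timer_sync() call stating that re-arming is still unhandled would keep the next reader from assuming the free path is fully safe.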