From patchwork Thu Oct 27 03:12:36 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steven Rostedt <rostedt@goodmis.org>
X-Patchwork-Id: 11527
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:a40e:b0:83:7221:86ba with SMTP id ck14csp203077dyb;
        Wed, 26 Oct 2022 20:24:34 -0700 (PDT)
X-Google-Smtp-Source: 
 AMsMyM5WnFDq6ehYZeoWT3qHdM5UN8emEdFUzfL0TsECFpPeKaeLNSwiDeLq5PVAt4IDrHL4gCU9
X-Received: by 2002:a17:90b:4d8b:b0:20a:e256:fdd8 with SMTP id
 oj11-20020a17090b4d8b00b0020ae256fdd8mr7758754pjb.4.1666841073843;
        Wed, 26 Oct 2022 20:24:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666841073; cv=none;
        d=google.com; s=arc-20160816;
        b=aS5aOZ5sSWM2cF4SEWtoNZ1qs+1PZ90ZqLyOleVJhPvcnFBzC71AIBDpEsAWo3JnHa
         wj5Ry+KayIXXFjvTcyFCgRKXMC5V7Z4S02n5LNkPAe0FzcntYNO+9MZYGQlZmQuMhPFR
         ohgqoszmnNvni0CYBHHgYG3pAHc9DUMwmLZxADpnc3PjuRPBEhjHOsY1Bh315tHv+S4n
         d8PIYPtibwcZH8vGpkDOUJ0N6+hxdFLSFKN01Ai7O/YQtS6gi6/heNaV7UQDZO+6eUpc
         hrL1DU+NeMXrnbeeL95X9k5/G2DXeWt8c1dW1J7skiyqlp7j02l89cmiM25ItslVCeYK
         3ADQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:subject:cc:to:from:date;
        bh=KdpsCbRmUoaD9jnRba0gzaeeP+s97CMfXG55KgiOrf0=;
        b=kIo7gCi2buI5g4JOtiF8gWVNNUP3Rv/j5G2B0LJhh5vmCJfEIBPDmlg8J3EfZEXsXu
         dvh+boMe8GmqdSSbeZK0wkj0NxclFzMH9JrPGTJTaykmtSBRBuPOd5ijlrKu4lmlDOUi
         Bq9VU2W9RZNMb4iEQW6P1lLL1XAYZsWlNbJfvljssuwjNi6yT89L1zNyc0pWv7IfRl1O
         8s0enRDWhMJCDWoNgL5qj0vPppTowVhpcqM04QdzUy7TJ/cRB+qHxPmcY59AHG/lOjHm
         H9bXBjo34NOKgyG9AT3JBGn7U333RjmgOAk0kV1Crc0TDCBbfJz0qfX8eGi2QH9CsjmX
         ylAg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 lb10-20020a17090b4a4a00b0020d401a03b5si288489pjb.180.2022.10.26.20.23.38;
        Wed, 26 Oct 2022 20:24:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233672AbiJ0DMb (ORCPT <rfc822;hiifong.im@gmail.com> + 99 others);
        Wed, 26 Oct 2022 23:12:31 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34422 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229441AbiJ0DM2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 26 Oct 2022 23:12:28 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org
 [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 25B1EDB76E
        for <linux-kernel@vger.kernel.org>;
 Wed, 26 Oct 2022 20:12:26 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 5AD7EB82488
        for <linux-kernel@vger.kernel.org>;
 Thu, 27 Oct 2022 03:12:25 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id CC712C433D6;
        Thu, 27 Oct 2022 03:12:22 +0000 (UTC)
Date: Wed, 26 Oct 2022 23:12:36 -0400
From: Steven Rostedt <rostedt@goodmis.org>
To: LKML <linux-kernel@vger.kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Guenter Roeck <linux@roeck-us.net>,
        Stephen Boyd <sboyd@kernel.org>,
        Jaroslav Kysela <perex@perex.cz>,
        Takashi Iwai <tiwai@suse.com>, alsa-devel@alsa-project.org
Subject: [PATCH] ALSA: Use del_timer_sync() before freeing timer
Message-ID: <20221026231236.6834b551@gandalf.local.home>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
MIME-Version: 1.0
X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00,
        HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1747809545702438801?=
X-GMAIL-MSGID: =?utf-8?q?1747809545702438801?=

From: "Steven Rostedt (Google)" <rostedt@goodmis.org>

The current code for freeing the emux timer is extremely dangerous:

  CPU0				CPU1
  ----				----
snd_emux_timer_callback()
			    snd_emux_free()
			      spin_lock(&emu->voice_lock)
			      del_timer(&emu->tlist); <-- returns immediately
			      spin_unlock(&emu->voice_lock);
			      [..]
			      kfree(emu);

  spin_lock(&emu->voice_lock);

 [BOOM!]

Instead just use del_timer_sync() which will wait for the timer to finish
before continuing. No need to check if the timer is active or not when
doing so.

This doesn't fix the race of a possible re-arming of the timer, but at
least it won't use the data that has just been freed.

Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
---
 sound/synth/emux/emux.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/sound/synth/emux/emux.c b/sound/synth/emux/emux.c
index 5ed8e36d2e04..a2ee78809cfb 100644
--- a/sound/synth/emux/emux.c
+++ b/sound/synth/emux/emux.c
@@ -131,10 +131,7 @@ int snd_emux_free(struct snd_emux *emu)
 	if (! emu)
 		return -EINVAL;
 
-	spin_lock_irqsave(&emu->voice_lock, flags);
-	if (emu->timer_active)
-		del_timer(&emu->tlist);
-	spin_unlock_irqrestore(&emu->voice_lock, flags);
+	del_timer_sync(&emu->tlist);
 
 	snd_emux_proc_free(emu);
 	snd_emux_delete_virmidi(emu);