* [PATCH] ak4117: Do not free priv until timer handler hasn't actually stopped using it
@ 2014-02-14 11:47 Kirill Tkhai
2014-02-14 13:17 ` Takashi Iwai
0 siblings, 1 reply; 2+ messages in thread
From: Kirill Tkhai @ 2014-02-14 11:47 UTC (permalink / raw)
To: Jaroslav Kysela, Takashi Iwai; +Cc: tkhai, alsa-devel
Function del_timer() does not guarantee that timer was really deleted.
If the timer handler is beeing executed at the moment, the function
does nothing. So, it's possible to use already freed memory in the handler:
[ref: Documentation/DocBook/kernel-locking.tmpl]
This was found using grep and compile-tested only.
Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
CC: Jaroslav Kysela <perex@perex.cz>
CC: Takashi Iwai <tiwai@suse.de>
---
sound/i2c/other/ak4117.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/i2c/other/ak4117.c b/sound/i2c/other/ak4117.c
index 40e33c9..88452e8 100644
--- a/sound/i2c/other/ak4117.c
+++ b/sound/i2c/other/ak4117.c
@@ -62,7 +62,7 @@ static void reg_dump(struct ak4117 *ak4117)
static void snd_ak4117_free(struct ak4117 *chip)
{
- del_timer(&chip->timer);
+ del_timer_sync(&chip->timer);
kfree(chip);
}
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] ak4117: Do not free priv until timer handler hasn't actually stopped using it
2014-02-14 11:47 [PATCH] ak4117: Do not free priv until timer handler hasn't actually stopped using it Kirill Tkhai
@ 2014-02-14 13:17 ` Takashi Iwai
0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2014-02-14 13:17 UTC (permalink / raw)
To: Kirill Tkhai; +Cc: tkhai, alsa-devel
At Fri, 14 Feb 2014 15:47:57 +0400,
Kirill Tkhai wrote:
>
> Function del_timer() does not guarantee that timer was really deleted.
> If the timer handler is beeing executed at the moment, the function
> does nothing. So, it's possible to use already freed memory in the handler:
>
> [ref: Documentation/DocBook/kernel-locking.tmpl]
>
> This was found using grep and compile-tested only.
Thanks, applied.
Takashi
>
> Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
> CC: Jaroslav Kysela <perex@perex.cz>
> CC: Takashi Iwai <tiwai@suse.de>
> ---
> sound/i2c/other/ak4117.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sound/i2c/other/ak4117.c b/sound/i2c/other/ak4117.c
> index 40e33c9..88452e8 100644
> --- a/sound/i2c/other/ak4117.c
> +++ b/sound/i2c/other/ak4117.c
> @@ -62,7 +62,7 @@ static void reg_dump(struct ak4117 *ak4117)
>
> static void snd_ak4117_free(struct ak4117 *chip)
> {
> - del_timer(&chip->timer);
> + del_timer_sync(&chip->timer);
> kfree(chip);
> }
>
>
>
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-02-14 13:17 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-02-14 11:47 [PATCH] ak4117: Do not free priv until timer handler hasn't actually stopped using it Kirill Tkhai
2014-02-14 13:17 ` Takashi Iwai
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.