All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] ak4117: Do not free priv until timer handler hasn't actually stopped using it
@ 2014-02-14 11:47 Kirill Tkhai
  2014-02-14 13:17 ` Takashi Iwai
  0 siblings, 1 reply; 2+ messages in thread
From: Kirill Tkhai @ 2014-02-14 11:47 UTC (permalink / raw)
  To: Jaroslav Kysela, Takashi Iwai; +Cc: tkhai, alsa-devel

Function del_timer() does not guarantee that timer was really deleted.
If the timer handler is beeing executed at the moment, the function
does nothing. So, it's possible to use already freed memory in the handler:

[ref: Documentation/DocBook/kernel-locking.tmpl]

This was found using grep and compile-tested only.

Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
CC: Jaroslav Kysela <perex@perex.cz>
CC: Takashi Iwai <tiwai@suse.de>
---
 sound/i2c/other/ak4117.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/i2c/other/ak4117.c b/sound/i2c/other/ak4117.c
index 40e33c9..88452e8 100644
--- a/sound/i2c/other/ak4117.c
+++ b/sound/i2c/other/ak4117.c
@@ -62,7 +62,7 @@ static void reg_dump(struct ak4117 *ak4117)
 
 static void snd_ak4117_free(struct ak4117 *chip)
 {
-	del_timer(&chip->timer);
+	del_timer_sync(&chip->timer);
 	kfree(chip);
 }
 

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] ak4117: Do not free priv until timer handler hasn't actually stopped using it
  2014-02-14 11:47 [PATCH] ak4117: Do not free priv until timer handler hasn't actually stopped using it Kirill Tkhai
@ 2014-02-14 13:17 ` Takashi Iwai
  0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2014-02-14 13:17 UTC (permalink / raw)
  To: Kirill Tkhai; +Cc: tkhai, alsa-devel

At Fri, 14 Feb 2014 15:47:57 +0400,
Kirill Tkhai wrote:
> 
> Function del_timer() does not guarantee that timer was really deleted.
> If the timer handler is beeing executed at the moment, the function
> does nothing. So, it's possible to use already freed memory in the handler:
> 
> [ref: Documentation/DocBook/kernel-locking.tmpl]
> 
> This was found using grep and compile-tested only.

Thanks, applied.


Takashi

> 
> Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
> CC: Jaroslav Kysela <perex@perex.cz>
> CC: Takashi Iwai <tiwai@suse.de>
> ---
>  sound/i2c/other/ak4117.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/i2c/other/ak4117.c b/sound/i2c/other/ak4117.c
> index 40e33c9..88452e8 100644
> --- a/sound/i2c/other/ak4117.c
> +++ b/sound/i2c/other/ak4117.c
> @@ -62,7 +62,7 @@ static void reg_dump(struct ak4117 *ak4117)
>  
>  static void snd_ak4117_free(struct ak4117 *chip)
>  {
> -	del_timer(&chip->timer);
> +	del_timer_sync(&chip->timer);
>  	kfree(chip);
>  }
>  
> 
> 
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2014-02-14 13:17 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-02-14 11:47 [PATCH] ak4117: Do not free priv until timer handler hasn't actually stopped using it Kirill Tkhai
2014-02-14 13:17 ` Takashi Iwai

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.