ak4117: Do not free priv until timer handler hasn't actually stopped using it
diff mbox

Message ID 1392378477.5384.29.camel@tkhai
State Accepted
Delegated to: Takashi Iwai
Headers show

Commit Message

Kirill Tkhai Feb. 14, 2014, 11:47 a.m. UTC
Function del_timer() does not guarantee that timer was really deleted.
If the timer handler is beeing executed at the moment, the function
does nothing. So, it's possible to use already freed memory in the handler:

[ref: Documentation/DocBook/kernel-locking.tmpl]

This was found using grep and compile-tested only.

Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
CC: Jaroslav Kysela <perex@perex.cz>
CC: Takashi Iwai <tiwai@suse.de>
---
 sound/i2c/other/ak4117.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Takashi Iwai Feb. 14, 2014, 1:17 p.m. UTC | #1
At Fri, 14 Feb 2014 15:47:57 +0400,
Kirill Tkhai wrote:
> 
> Function del_timer() does not guarantee that timer was really deleted.
> If the timer handler is beeing executed at the moment, the function
> does nothing. So, it's possible to use already freed memory in the handler:
> 
> [ref: Documentation/DocBook/kernel-locking.tmpl]
> 
> This was found using grep and compile-tested only.

Thanks, applied.


Takashi

> 
> Signed-off-by: Kirill Tkhai <ktkhai@parallels.com>
> CC: Jaroslav Kysela <perex@perex.cz>
> CC: Takashi Iwai <tiwai@suse.de>
> ---
>  sound/i2c/other/ak4117.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/i2c/other/ak4117.c b/sound/i2c/other/ak4117.c
> index 40e33c9..88452e8 100644
> --- a/sound/i2c/other/ak4117.c
> +++ b/sound/i2c/other/ak4117.c
> @@ -62,7 +62,7 @@ static void reg_dump(struct ak4117 *ak4117)
>  
>  static void snd_ak4117_free(struct ak4117 *chip)
>  {
> -	del_timer(&chip->timer);
> +	del_timer_sync(&chip->timer);
>  	kfree(chip);
>  }
>  
> 
> 
>

Patch
diff mbox

diff --git a/sound/i2c/other/ak4117.c b/sound/i2c/other/ak4117.c
index 40e33c9..88452e8 100644
--- a/sound/i2c/other/ak4117.c
+++ b/sound/i2c/other/ak4117.c
@@ -62,7 +62,7 @@  static void reg_dump(struct ak4117 *ak4117)
 
 static void snd_ak4117_free(struct ak4117 *chip)
 {
-	del_timer(&chip->timer);
+	del_timer_sync(&chip->timer);
 	kfree(chip);
 }