| Message ID | 1398324876-901-1-git-send-email-jarkko.nikula@linux.intel.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | de30a2ccb20d9baf5dac8a9c8ba8f0d9d5f4361e |
| Headers | show |
On Thu, Apr 24, 2014 at 10:34:36AM +0300, Jarkko Nikula wrote: > I suppose there is a possibility that hsw_notification_work() may run after > sst_hsw_stream_free() which can lead to a kernel crash since struct > sst_hsw_stream is freed at that point and > stream = container_of(work, struct sst_hsw_stream, notify_work) is not valid > when hsw_notification_work() is run. Applied, thanks.
diff --git a/sound/soc/intel/sst-haswell-ipc.c b/sound/soc/intel/sst-haswell-ipc.c index 6c0b4f247a86..5bcf5963a0ba 100644 --- a/sound/soc/intel/sst-haswell-ipc.c +++ b/sound/soc/intel/sst-haswell-ipc.c @@ -1207,6 +1207,7 @@ int sst_hsw_stream_free(struct sst_hsw *hsw, struct sst_hsw_stream *stream) trace_hsw_stream_free_req(stream, &stream->free_req); out: + cancel_work_sync(&stream->notify_work); spin_lock_irqsave(&sst->spinlock, flags); list_del(&stream->node); kfree(stream);
I suppose there is a possibility that hsw_notification_work() may run after sst_hsw_stream_free() which can lead to a kernel crash since struct sst_hsw_stream is freed at that point and stream = container_of(work, struct sst_hsw_stream, notify_work) is not valid when hsw_notification_work() is run. Reported-by: Derek Basehore <dbasehore@chromium.org> Reported-by: Wenkai Du <wenkai.du@intel.com> Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com> --- Untested, I don't have at the moment Haswell to test this and Liam hasn't seen this patch yet so ack/tested-by from him might be good to have :-) --- sound/soc/intel/sst-haswell-ipc.c | 1 + 1 file changed, 1 insertion(+)