ALSA: Fix yet another race in disconnection
Takashi Iwai [Thu, 24 Mar 2011 08:50:15 +0000 (09:50 +0100)]
This patch fixes a race between snd_card_file_remove() and
snd_card_disconnect().  When the card is added to shutdown_files list
in snd_card_disconnect(), but it's freed in snd_card_file_remove() at
the same time, the shutdown_files list gets corrupted.  The list member
must be freed in snd_card_file_remove() as well.

Reported-and-tested-by: Russ Dill <russ.dill@gmail.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

sound/core/init.c

index 3e65da2..a0080aa 100644 (file)
@@ -848,6 +848,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file)
                return -ENOMEM;
        mfile->file = file;
        mfile->disconnected_f_op = NULL;
+       INIT_LIST_HEAD(&mfile->shutdown_list);
        spin_lock(&card->files_lock);
        if (card->shutdown) {
                spin_unlock(&card->files_lock);
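Review bot: The added `INIT_LIST_HEAD(&mfile->shutdown_list);` has no comment explaining why a node that is not yet on any list needs initialising, and a later cleanup could drop it as redundant. It is what makes the unconditional `list_del(&mfile->shutdown_list)` in the second hunk safe for files that were never put on the shutdown list; without it that call would follow uninitialised pointers and corrupt kernel memory. I would add `/* must be a valid empty node: snd_card_file_remove() list_del()s it unconditionally */` above the line. The body of snd_card_file_add() starts and ends outside this hunk.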
@@ -883,6 +884,9 @@ int snd_card_file_remove(struct snd_card *card, struct file *file)
        list_for_each_entry(mfile, &card->files_list, list) {
                if (mfile->file == file) {
                        list_del(&mfile->list);
+                       spin_lock(&shutdown_lock);
+                       list_del(&mfile->shutdown_list);
+                       spin_unlock(&shutdown_lock);
                        if (mfile->disconnected_f_op)
                                fops_put(mfile->disconnected_f_op);
                        found = mfile;
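Review bot: The new `spin_lock(&shutdown_lock)` section sits inside the walk of `card->files_list`, which presumably runs under `card->files_lock` (the acquisition is outside this hunk), so it introduces a nesting order of files_lock then shutdown_lock that is not documented anywhere visible. Any other path that holds both locks, most likely snd_card_disconnect() given the commit message, has to take them in the same order or the fix trades a list corruption for a deadlock; that function is not shown here, so this should be confirmed. I would record the rule next to the lock, e.g. `/* lock order: card->files_lock -> shutdown_lock */`. It is also worth checking that whatever walks shutdown_files copes with an entry having been removed here before it runs.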