diff options
| author | Takashi Iwai <tiwai@suse.de> | 2014-06-25 08:24:47 -0400 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2014-06-26 04:33:35 -0400 |
| commit | 92a586bdc06de6629dae1b357dac221253f55ff8 (patch) | |
| tree | e171b5669ae5ebc62c8167e41f9d849382b3bd59 /sound/usb/endpoint.c | |
| parent | 8b3dfdaf0c25a584cb31d04d2574115cf2d422ab (diff) | |
ALSA: usb-audio: Fix races at disconnection and PCM closing
When a USB-audio device is disconnected while PCM is still running, we
still see some race: the disconnect callback calls
snd_usb_endpoint_free() that calls release_urbs() and then kfree()
while a PCM stream would be closed at the same time and calls
stop_endpoints() that leads to wait_clear_urbs(). That is, the EP
object might be deallocated while a PCM stream is syncing with
wait_clear_urbs() with the same EP.
Basically calling multiple wait_clear_urbs() would work fine, also
calling wait_clear_urbs() and release_urbs() would work, too, as
wait_clear_urbs() just reads some fields in ep. The problem is the
succeeding kfree() in snd_pcm_endpoint_free().
This patch moves out the EP deallocation into the later point, the
destructor callback. At this stage, all PCMs must have been already
closed, so it's safe to free the objects.
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound/usb/endpoint.c')
| -rw-r--r-- | sound/usb/endpoint.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c index 289f582c9130..114e3e7ff511 100644 --- a/sound/usb/endpoint.c +++ b/sound/usb/endpoint.c | |||
| @@ -987,19 +987,30 @@ void snd_usb_endpoint_deactivate(struct snd_usb_endpoint *ep) | |||
| 987 | } | 987 | } |
| 988 | 988 | ||
| 989 | /** | 989 | /** |
| 990 | * snd_usb_endpoint_release: Tear down an snd_usb_endpoint | ||
| 991 | * | ||
| 992 | * @ep: the endpoint to release | ||
| 993 | * | ||
| 994 | * This function does not care for the endpoint's use count but will tear | ||
| 995 | * down all the streaming URBs immediately. | ||
| 996 | */ | ||
| 997 | void snd_usb_endpoint_release(struct snd_usb_endpoint *ep) | ||
| 998 | { | ||
| 999 | release_urbs(ep, 1); | ||
| 1000 | } | ||
| 1001 | |||
| 1002 | /** | ||
| 990 | * snd_usb_endpoint_free: Free the resources of an snd_usb_endpoint | 1003 | * snd_usb_endpoint_free: Free the resources of an snd_usb_endpoint |
| 991 | * | 1004 | * |
| 992 | * @ep: the list header of the endpoint to free | 1005 | * @ep: the list header of the endpoint to free |
| 993 | * | 1006 | * |
| 994 | * This function does not care for the endpoint's use count but will tear | 1007 | * This free all resources of the given ep. |
| 995 | * down all the streaming URBs immediately and free all resources. | ||
| 996 | */ | 1008 | */ |
| 997 | void snd_usb_endpoint_free(struct list_head *head) | 1009 | void snd_usb_endpoint_free(struct list_head *head) |
| 998 | { | 1010 | { |
| 999 | struct snd_usb_endpoint *ep; | 1011 | struct snd_usb_endpoint *ep; |
| 1000 | 1012 | ||
| 1001 | ep = list_entry(head, struct snd_usb_endpoint, list); | 1013 | ep = list_entry(head, struct snd_usb_endpoint, list); |
| 1002 | release_urbs(ep, 1); | ||
| 1003 | kfree(ep); | 1014 | kfree(ep); |
| 1004 | } | 1015 | } |
| 1005 | 1016 | ||