git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Takashi Iwai <tiwai@suse.de>
	Mon, 20 Apr 2026 06:17:20 +0000 (08:17 +0200)
committer	Takashi Iwai <tiwai@suse.de>
	Mon, 20 Apr 2026 15:59:19 +0000 (17:59 +0200)
commit	8146cd333d235ed32d48bb803fdf743472d7c783
tree	7cf7101fa9de08bd719345f62bad80bb7dcf5a8c	tree \| snapshot
parent	93985110329d9a66101c3de37aa7232f8c0bc3c9	commit \| diff

ALSA: core: Fix potential data race at fasync handling

In snd_fasync_work_fn(), which is the offload work for traversing and
processing the pending fasync list, the call of kill_fasync() is done
outside the snd_fasync_lock for avoiding deadlocks.  The problem is
that its the references of fasync->on, fasync->signal and fasync->poll
are done there also outside the lock.  Since these may be modified by
snd_kill_fasync() call concurrently from other process, inconsistent
values might be passed to kill_fasync().  Although there shouldn't be
critical UAF, it's still better to be addressed.

This patch moves the kill_fasync() argument evaluations inside the
snd_fasync_lock for avoiding the data races above.  The handling in
fasync->on flag is optimized in the loop to skip directly.

Also, for more clarity, snd_fasync_free() takes the lock and unlink
the pending entry more directly instead of clearing fasync->on flag.

Reported-by: Jake Lamberson <lamberson.jake@gmail.com>
Fixes: ef34a0ae7a26 ("ALSA: core: Add async signal helpers")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260420061721.3253644-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>