ALSA: core: Serialize deferred fasync state checks

snd_fasync_helper() updates fasync->on under snd_fasync_lock, and
snd_fasync_work_fn() now also evaluates fasync->on under the same
lock. snd_kill_fasync() still tests the flag before taking the lock,
leaving an unsynchronized read against FASYNC enable/disable updates.

Move the enabled-state check into the locked section.

Also clear fasync->on under snd_fasync_lock in snd_fasync_free()
before unlinking the pending entry. Together with the locked sender-side
check, this publishes teardown before flushing the deferred work and
prevents a racing sender from requeueing the entry after free has
started.

Fixes: ef34a0ae7a26 ("ALSA: core: Add async signal helpers")
Fixes: 8146cd333d23 ("ALSA: core: Fix potential data race at fasync handling")
Cc: stable@vger.kernel.org
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260506-alsa-core-fasync-on-lock-v1-1-ea48c77d6ca4@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

diff --git a/sound/core/misc.c b/sound/core/misc.c
index 5aca09edf9718a9155e3da716c80943f916d7eec..833124c8e4fa83d188473493e44d7f86bc5532e7 100644 (file)
--- a/sound/core/misc.c
+++ b/sound/core/misc.c
@@ -148,9 +148,11 @@ EXPORT_SYMBOL_GPL(snd_fasync_helper);
 
 void snd_kill_fasync(struct snd_fasync *fasync, int signal, int poll)
 {
-       if (!fasync || !fasync->on)
+       if (!fasync)
                return;
        guard(spinlock_irqsave)(&snd_fasync_lock);
+       if (!fasync->on)
+               return;
        fasync->signal = signal;
        fasync->poll = poll;
        list_move(&fasync->list, &snd_fasync_list);
@@ -163,8 +165,10 @@ void snd_fasync_free(struct snd_fasync *fasync)
        if (!fasync)
                return;
 
-       scoped_guard(spinlock_irq, &snd_fasync_lock)
+       scoped_guard(spinlock_irq, &snd_fasync_lock) {
+               fasync->on = 0;
                list_del_init(&fasync->list);
+       }
 
        flush_work(&snd_fasync_work);
        kfree(fasync);