tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

ALSA: usb-audio: Kill timer properly at removal

The USB-audio MIDI code initializes the timer, but in a rare case, the
driver might be freed without the disconnect call. This leaves the
timer in an active state while the assigned object is released via
snd_usbmidi_free(), which ends up with a kernel warning when the debug
configuration is enabled, as spotted by fuzzer.

For avoiding the problem, put timer_shutdown_sync() at
snd_usbmidi_free(), so that the timer can be killed properly.
While we're at it, replace the existing timer_delete_sync() at the
disconnect callback with timer_shutdown_sync(), too.

Reported-by: syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/681c70d7.050a0220.a19a9.00c6.GAE@google.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250519212031.14436-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>

Takashi Iwai 0718a78f ff05770d

+2 -1
+2 -1
sound/usb/midi.c
··· 1530 1530 snd_usbmidi_in_endpoint_delete(ep->in); 1531 1531 } 1532 1532 mutex_destroy(&umidi->mutex); 1533 + timer_shutdown_sync(&umidi->error_timer); 1533 1534 kfree(umidi); 1534 1535 } 1535 1536 ··· 1554 1553 spin_unlock_irq(&umidi->disc_lock); 1555 1554 up_write(&umidi->disc_rwsem); 1556 1555 1557 - timer_delete_sync(&umidi->error_timer); 1556 + timer_shutdown_sync(&umidi->error_timer); 1558 1557 1559 1558 for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { 1560 1559 struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];