• Takashi Iwai's avatar
    ALSA: usb-audio: Fix races at disconnection and PCM closing · 92a586bd
    Takashi Iwai authored
    When a USB-audio device is disconnected while PCM is still running, we
    still see some race: the disconnect callback calls
    snd_usb_endpoint_free() that calls release_urbs() and then kfree()
    while a PCM stream would be closed at the same time and calls
    stop_endpoints() that leads to wait_clear_urbs().  That is, the EP
    object might be deallocated while a PCM stream is syncing with
    wait_clear_urbs() with the same EP.
    
    Basically calling multiple wait_clear_urbs() would work fine, also
    calling wait_clear_urbs() and release_urbs() would work, too, as
    wait_clear_urbs() just reads some fields in ep.  The problem is the
    succeeding kfree() in snd_pcm_endpoint_free().
    
    This patch moves out the EP deallocation into the later point, the
    destructor callback.  At this stage, all PCMs must have been already
    closed, so it's safe to free the objects.
    Reported-by: default avatarAlan Stern <stern@rowland.harvard.edu>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    92a586bd
endpoint.h 1.34 KB