Re: [PATCH] ALSA: pcm: keep linked runtime alive while draining

From: Takashi Iwai

Date: Fri Jun 05 2026 - 02:24:23 EST


On Fri, 05 Jun 2026 07:16:37 +0200,
Guangshuo Li wrote:
>
> snd_pcm_drain() may select a runtime from a linked playback stream and
> queue a stack wait entry on its embedded sleep waitqueue. The function
> then drops the stream lock and sleeps before removing the wait entry.
>
> commit 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream
> runtime in snd_pcm_drain()") cached scalar fields from the linked
> runtime before dropping the stream lock, because a concurrent close can
> unlink the stream and free its runtime. The same lifetime issue remains
> for runtime->sleep. If the linked runtime is detached while the wait
> entry is queued, remove_wait_queue() can later operate on a freed or
> reused waitqueue, or the stack wait entry can remain linked to freed
> memory.
>
> Take snd_pcm_link_rwsem for read while the wait entry is queued on the
> linked runtime. Acquire it before re-taking the stream lock, matching the
> link/unlink lock order, and drop it only after the wait entry has been
> removed.
>
> Fixes: 21cb2a2ec581 ("[ALSA] Fix races between PCM drain and other ops")
> Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>

This should have been already fixed by the commit 88fe2e365872
  ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on
  linked streams
in for-linus branch of sound.git tree.
Please check whether the issue still occurs.


thanks,

Takashi
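
The following is a single-threaded user-space model of the lifetime rule described in the quoted commit message, added here as an illustration; it is not code from the patch, the kernel, or either author. All type and function names are hypothetical, the rwsem is a counter-based stand-in for snd_pcm_link_rwsem, and it assumes the close/unlink path takes that rwsem for write, with a try-lock standing in for the blocking down_write().

```c
#include <stdbool.h>
#include <stdlib.h>
/* User-space model only; every name below is hypothetical, not a kernel API. */
struct wait_entry { struct wait_entry *next, *prev; };
struct runtime { struct wait_entry sleep; };      /* embedded waitqueue head */
struct link_rwsem { int readers; bool writer; };  /* models snd_pcm_link_rwsem */

static bool down_read_try(struct link_rwsem *s)  { if (s->writer) return false; s->readers++; return true; }
static void up_read(struct link_rwsem *s)        { s->readers--; }
static bool down_write_try(struct link_rwsem *s) { if (s->writer || s->readers) return false; s->writer = true; return true; }
static void up_write(struct link_rwsem *s)       { s->writer = false; }

static struct runtime *runtime_new(void) {
    struct runtime *rt = malloc(sizeof(*rt));
    if (rt) rt->sleep.next = rt->sleep.prev = &rt->sleep;  /* empty list */
    return rt;
}
/* Drain side: pin the link topology first, then queue the stack wait entry. */
static bool drain_queue(struct link_rwsem *s, struct runtime *to_check, struct wait_entry *w) {
    if (!down_read_try(s)) return false;
    w->next = to_check->sleep.next; w->prev = &to_check->sleep;
    to_check->sleep.next->prev = w; to_check->sleep.next = w;
    return true;
}
/* Drain side after wakeup: remove the entry first, release the rwsem last. */
static void drain_dequeue(struct link_rwsem *s, struct wait_entry *w) {
    w->prev->next = w->next; w->next->prev = w->prev;
    w->next = w->prev = w;
    up_read(s);
}
/* Close side (assumed to need the write side). Returns true once freed. */
static bool close_linked(struct link_rwsem *s, struct runtime **rt) {
    if (!down_write_try(s)) return false;  /* the kernel's down_write() would block here */
    free(*rt); *rt = NULL; up_write(s);
    return true;
}
/* Close races with a drain that is waiting on the linked runtime.
 * Bits: 1 = close held off while queued, 2 = entry visible on the live head,
 *       4 = head empty after dequeue,    8 = close succeeds afterwards. */
static int scenario(void) {
    struct link_rwsem sem = {0, false}; struct wait_entry wait;
    struct runtime *linked = runtime_new();
    if (!linked || !drain_queue(&sem, linked, &wait)) return -1;
    bool freed_while_queued = close_linked(&sem, &linked);
    bool head_sees_entry = linked && linked->sleep.next == &wait;
    drain_dequeue(&sem, &wait);            /* touches linked->sleep: must still be alive */
    bool head_empty = linked && linked->sleep.next == &linked->sleep;
    bool freed_after = close_linked(&sem, &linked);
    return (freed_while_queued ? 0 : 1) | (head_sees_entry ? 2 : 0) | (head_empty ? 4 : 0) | (freed_after ? 8 : 0);
}
```

Without the read hold in drain_queue(), close_linked() would free the runtime while the stack entry is still on its list, and drain_dequeue() would then write through pointers into freed memory.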