Re: [PATCH 0/2] ALSA: avoid past-the-end iterators in timer/seq port registration

Next message: Robertus Diawan Chris: "[PATCH] ASoC: soc-utils: Add missing va_end in snd_soc_ret()"
Previous message: Takashi Iwai: "Re: [PATCH] ALSA: ice1724: Fix blocking open for independent surround PCMs"
In reply to: Maoyi Xie: "[PATCH 1/2] ALSA: timer: avoid past-the-end iterator in snd_timer_dev_register()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Takashi Iwai

Date: Tue May 19 2026 - 01:39:48 EST

On Mon, 18 May 2026 21:40:21 +0200,
Maoyi Xie wrote:
>
> Two fixes in sound/core that remove past-the-end iterator
> use of the shape
>
> list_for_each_entry(iter, head, member) {
> if (...) break;
> }
> list_add_tail(&new, &iter->member);
>
> When the loop walks all entries without break, iter is past
> the end and &iter->member aliases the list head via
> container_of offset cancellation. The insert lands at the
> list tail, which is the intended behaviour, but the access
> is undefined per C11.
>
> Takashi Iwai confirmed on the inquiry thread that both sites
> are bugs introduced by commit 9244b2c3079f ("[ALSA] alsa core:
> convert to list_for_each_entry*"). The original list_for_each()
> loop terminated at the list head; the conversion to
> list_for_each_entry() left the post-loop access using the
> container struct, which aliases the head via offset
> cancellation.
>
> The patched code tracks an explicit insert_before pointer
> initialised to the list head and overwritten to &iter->member
> only when the loop breaks early. Observable behaviour is
> unchanged.
>
> Inquiry thread:
> https://lore.kernel.org/linux-sound/?q=iterator+used+after+loop+end+in+timer
>
> Maoyi Xie (2):
> ALSA: timer: avoid past-the-end iterator in snd_timer_dev_register()
> ALSA: seq: avoid past-the-end iterator in snd_seq_create_port()

Applied both patches now. Thanks.

Takashi