[PATCH 2/2] ALSA: timer: Fix UAF at snd_timer_user_params()

Next message: Takashi Iwai: "Re: [PATCH] ALSA: seq: Fix partial userptr event expansion"
Previous message: Dan Carpenter: "Re: [PATCH v1 1/9] power: supply: max17042_battery: Put LSB units into defines"
In reply to: Takashi Iwai: "[PATCH 1/2] ALSA: timer: Forcibly close timer instances at closing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Takashi Iwai

Date: Sat Jun 06 2026 - 12:14:19 EST

At releasing a timer object, e.g. when a userspace timer
(CONFIG_SND_UTIMER) gets closed and snd_timer_free() is called, it
tries to detach the timer instances and release the resources.
However, it's still possible that other in-flight tasks are holding
the timer instance where the to-be-deleted timer object is associated,
and this may lead to racy accesses.

Fortunately, most of ioctls dealing with the timer instance list
already have the protection with register_mutex, and this also avoids
such races. But, SNDRV_TIMER_IOCTL_PARAMS isn't protected, hence the
concurrent ioctl may lead to use-after-free.

This patch just adds the guard with register_mutex to protect
snd_timer_user_params() for covering the code path as a quick
workaround. It's no hot-path but rather a rarely issued ioctl, so the
performance penalty doesn't matter.

Reported-by: Kyle Zeng <kylebot@xxxxxxxxxx>
Tested-by: Kyle Zeng <kylebot@xxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
---
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/sound/core/timer.c b/sound/core/timer.c
index 67fb1ecb33f0..3d72379e57a8 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -1811,6 +1811,7 @@ static int snd_timer_user_params(struct file *file,
struct snd_timer *t;
int err;

+ guard(mutex)(&register_mutex);
tu = file->private_data;
if (!tu->timeri)
return -EBADFD;
--
2.54.0