Re: [PATCH] ALSA: pcm: keep linked runtime alive while draining

From: Guangshuo Li

Date: Tue Jun 09 2026 - 12:15:45 EST


Hi Takashi,

Thanks for the review and the pointer.

On Fri, 5 Jun 2026 at 14:24, Takashi Iwai <tiwai@xxxxxxx> wrote:
>
> On Fri, 05 Jun 2026 07:16:37 +0200,
> Guangshuo Li wrote:
> >
> > snd_pcm_drain() may select a runtime from a linked playback stream and
> > queue a stack wait entry on its embedded sleep waitqueue. The function
> > then drops the stream lock and sleeps before removing the wait entry.
> >
> > commit 9b1dbd69ba6f ("ALSA: pcm: fix use-after-free on linked stream
> > runtime in snd_pcm_drain()") cached scalar fields from the linked
> > runtime before dropping the stream lock, because a concurrent close can
> > unlink the stream and free its runtime. The same lifetime issue remains
> > for runtime->sleep. If the linked runtime is detached while the wait
> > entry is queued, remove_wait_queue() can later operate on a freed or
> > reused waitqueue, or the stack wait entry can remain linked to freed
> > memory.
> >
> > Take snd_pcm_link_rwsem for read while the wait entry is queued on the
> > linked runtime. Acquire it before re-taking the stream lock, matching the
> > link/unlink lock order, and drop it only after the wait entry has been
> > removed.
> >
> > Fixes: 21cb2a2ec581 ("[ALSA] Fix races between PCM drain and other ops")
> > Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
>
> This should have been already fixed by the commit 88fe2e365872
> ALSA: PCM: Fix wait queue list corruption in snd_pcm_drain() on
> linked streams
> in for-linus branch of sound.git tree.
> Please check whether the issue still occurs.
>
>
> thanks,
>
> Takashi

I missed commit 88fe2e365872 ("ALSA: PCM: Fix wait queue list corruption
in snd_pcm_drain() on linked streams") in the sound.git for-linus branch.
Having checked it, I see that it addresses the waitqueue corruption case I
was looking at.

Thanks,
Guangshuo