[PATCH 0/3] ALSA: more fixes for timer

Next message: Nico Pache: "[PATCH mm-unstable v1 2/3] mm/migrate.c: Prevent folio splitting from interacting with KSM"
Previous message: Sergio Paracuellos: "Re: [PATCH v3] gpio: mt7621: fix interrupt banks mapping on gpio chips"
Next in thread: Takashi Iwai: "[PATCH 1/3] ALSA: timer: Manage timer object with kref"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Takashi Iwai

Date: Tue Jun 09 2026 - 07:55:46 EST

Hi,

as there are still open holes in ALSA timer code that may lead to
UAFs, here is a patch to address more drastically, by introducing the
refcounting for the timer object's lifecycle. With this change, the
previous workaround is no longer needed, hence it's reverted in the
second patch. And, the third one is to assure the pending work being
finished at freeing. I don't think we've received a report about it,
but just to be sure.

This is targeted for 7.2.

Takashi

===

Takashi Iwai (3):
ALSA: timer: Manage timer object with kref
Revert "ALSA: timer: Fix UAF at snd_timer_user_params()"
ALSA: timer: Disable work at freeing timer object

include/sound/timer.h | 6 +++
sound/core/seq/seq_timer.c | 11 ++--
sound/core/timer.c | 107 +++++++++++++++++++++++++++----------
sound/core/timer_compat.c | 5 +-
4 files changed, 97 insertions(+), 32 deletions(-)

--
2.54.0