2.6.35-longterm review patch. If anyone has any objections, please let me know.
------------------ From: Takashi Iwai <[email protected]> commit a45e3d6b13e97506b616980c0f122c3389bcefa4 upstream. This patch fixes a race between snd_card_file_remove() and snd_card_disconnect(). When the card is added to shutdown_files list in snd_card_disconnect(), but it's freed in snd_card_file_remove() at the same time, the shutdown_files list gets corrupted. The list member must be freed in snd_card_file_remove() as well. Reported-and-tested-by: Russ Dill <[email protected]> Signed-off-by: Takashi Iwai <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> Signed-off-by: Andi Kleen <[email protected]> --- sound/core/init.c | 4 ++++ 1 file changed, 4 insertions(+) Index: linux-2.6.35.y/sound/core/init.c =================================================================== --- linux-2.6.35.y.orig/sound/core/init.c 2011-03-29 22:50:15.095872154 -0700 +++ linux-2.6.35.y/sound/core/init.c 2011-03-29 23:03:03.293215905 -0700 @@ -848,6 +848,7 @@ return -ENOMEM; mfile->file = file; mfile->disconnected_f_op = NULL; + INIT_LIST_HEAD(&mfile->shutdown_list); spin_lock(&card->files_lock); if (card->shutdown) { spin_unlock(&card->files_lock); @@ -883,6 +884,9 @@ list_for_each_entry(mfile, &card->files_list, list) { if (mfile->file == file) { list_del(&mfile->list); + spin_lock(&shutdown_lock); + list_del(&mfile->shutdown_list); + spin_unlock(&shutdown_lock); if (mfile->disconnected_f_op) fops_put(mfile->disconnected_f_op); found = mfile; _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
