From 0584ffa548b6e59aceb027112f23a55f0133400e Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Mon, 8 Aug 2011 12:24:46 +0200 Subject: ALSA: timer - Fix Oops at closing slave timer A slave-timer instance has no timer reference, and this results in NULL-dereference at stopping the timer, typically called at closing the device. Reference: https://bugzilla.kernel.org/show_bug.cgi?id=40682 Cc: Signed-off-by: Takashi Iwai --- sound/core/timer.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'sound/core/timer.c') diff --git a/sound/core/timer.c b/sound/core/timer.c index 7c1cbf0a0dc..950eed0c098 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -531,6 +531,8 @@ int snd_timer_stop(struct snd_timer_instance *timeri) if (err < 0) return err; timer = timeri->timer; + if (!timer) + return -EINVAL; spin_lock_irqsave(&timer->lock, flags); timeri->cticks = timeri->ticks; timeri->pticks = 0; -- cgit v1.2.3-70-g09d2 From 94094c8aaeded11f8b99734b9ebdaada20b5f24a Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Mon, 8 Aug 2011 12:28:22 +0200 Subject: ALSA: timer - Add NULL-check for invalid slave timer Just to be sure. Signed-off-by: Takashi Iwai --- sound/core/timer.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'sound/core/timer.c') diff --git a/sound/core/timer.c b/sound/core/timer.c index 950eed0c098..67ebf1c21c0 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -328,6 +328,8 @@ int snd_timer_close(struct snd_timer_instance *timeri) mutex_unlock(®ister_mutex); } else { timer = timeri->timer; + if (snd_BUG_ON(!timer)) + goto out; /* wait, until the active callback is finished */ spin_lock_irq(&timer->lock); while (timeri->flags & SNDRV_TIMER_IFLG_CALLBACK) { @@ -353,6 +355,7 @@ int snd_timer_close(struct snd_timer_instance *timeri) } mutex_unlock(®ister_mutex); } + out: if (timeri->private_free) timeri->private_free(timeri); kfree(timeri->owner); -- cgit v1.2.3-70-g09d2