git: e42c82678219 - main - snd_dummy: Drain callout during detach
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 18 Oct 2024 08:44:58 UTC
The branch main has been updated by christos:
URL: https://cgit.FreeBSD.org/src/commit/?id=e42c8267821952407d4f4064026058aeaaa741ac
commit e42c8267821952407d4f4064026058aeaaa741ac
Author: Christos Margiolis <christos@FreeBSD.org>
AuthorDate: 2024-10-18 08:40:08 +0000
Commit: Christos Margiolis <christos@FreeBSD.org>
CommitDate: 2024-10-18 08:40:08 +0000
snd_dummy: Drain callout during detach
If we do not enter dummy_chan_trigger() before detaching, we'll get a
use-after-free since the callout(9) callback might be called after
having been detached.
Sponsored by: The FreeBSD Foundation
MFC after: 2 days
Reviewed by: dev_submerge.ch, markj, emaste
Differential Revision: https://reviews.freebsd.org/D46715
---
sys/dev/sound/dummy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/dev/sound/dummy.c b/sys/dev/sound/dummy.c
index f8193a73fcc8..c1cd4dff15f9 100644
--- a/sys/dev/sound/dummy.c
+++ b/sys/dev/sound/dummy.c
@@ -327,6 +327,7 @@ dummy_detach(device_t dev)
struct dummy_softc *sc = device_get_softc(dev);
int err;
+ callout_drain(&sc->callout);
err = pcm_unregister(dev);
snd_mtxfree(sc->lock);