git: 8065f1af82d1 - stable/14 - snd_dummy: Drain callout during detach
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 20 Oct 2024 11:21:37 UTC
The branch stable/14 has been updated by christos:
URL: https://cgit.FreeBSD.org/src/commit/?id=8065f1af82d1443c83168a3e8dd82afc5f658d24
commit 8065f1af82d1443c83168a3e8dd82afc5f658d24
Author: Christos Margiolis <christos@FreeBSD.org>
AuthorDate: 2024-10-18 08:40:08 +0000
Commit: Christos Margiolis <christos@FreeBSD.org>
CommitDate: 2024-10-20 11:21:05 +0000
snd_dummy: Drain callout during detach
If we do not enter dummy_chan_trigger() before detaching, we'll get a
use-after-free since the callout(9) callback might be called after
having been detached.
Sponsored by: The FreeBSD Foundation
MFC after: 2 days
Reviewed by: dev_submerge.ch, markj, emaste
Differential Revision: https://reviews.freebsd.org/D46715
(cherry picked from commit e42c8267821952407d4f4064026058aeaaa741ac)
---
sys/dev/sound/dummy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sys/dev/sound/dummy.c b/sys/dev/sound/dummy.c
index f8193a73fcc8..c1cd4dff15f9 100644
--- a/sys/dev/sound/dummy.c
+++ b/sys/dev/sound/dummy.c
@@ -327,6 +327,7 @@ dummy_detach(device_t dev)
struct dummy_softc *sc = device_get_softc(dev);
int err;
+ callout_drain(&sc->callout);
err = pcm_unregister(dev);
snd_mtxfree(sc->lock);