From: Maoyi Xie <maoyixie.tju@gmail.com>
To: Takashi Iwai <tiwai@suse.de>, Jaroslav Kysela <perex@perex.cz>
Cc: linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] ALSA: timer: avoid past-the-end iterator in snd_timer_dev_register()
Date: Tue, 19 May 2026 03:40:22 +0800
Message-ID: <20260518194023.1667857-2-maoyixie.tju@gmail.com>
In-Reply-To: <20260518194023.1667857-1-maoyixie.tju@gmail.com>

snd_timer_dev_register() walks snd_timer_list looking for the
ordered insertion point and on loop fall-through passes
&timer1->device_list to list_add_tail():

    list_for_each_entry(timer1, &snd_timer_list, device_list) {
            ...
            break;        /* on found-position */
            ...
    }
    list_add_tail(&timer->device_list, &timer1->device_list);

When the loop walks all entries without break, timer1 is
past-the-end. &timer1->device_list aliases &snd_timer_list (the
list head) via container_of offset cancellation, so the insert
lands at the list tail. That is the intended behaviour, but the
access is undefined per C11 even though it works in practice.

Track an explicit insert_before pointer initialised to the list
head and overwritten to &timer1->device_list only when the loop
breaks early. The observable behaviour is unchanged.

Fixes: 9244b2c3079f ("[ALSA] alsa core: convert to list_for_each_entry*")
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
 sound/core/timer.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

--- a/sound/core/timer.c	2026-05-18 19:17:08.274971549 +0800
+++ b/sound/core/timer.c	2026-05-18 19:17:46.598676455 +0800
@@ -1007,6 +1007,7 @@
 {
 	struct snd_timer *timer = dev->device_data;
 	struct snd_timer *timer1;
+	struct list_head *insert_before = &snd_timer_list;
 
 	if (snd_BUG_ON(!timer || !timer->hw.start || !timer->hw.stop))
 		return -ENXIO;
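Review bot: the new `insert_before` declaration carries the whole fall-through case in its initialiser, so it deserves a one-line comment stating that the list head as the default means "append at the tail" when passed to `list_add_tail()`. Taking `&snd_timer_list` here, before `register_mutex` is held, is fine because only the address of the global is used and nothing is dereferenced.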
@@ -1016,28 +1017,36 @@
 
 	guard(mutex)(&register_mutex);
 	list_for_each_entry(timer1, &snd_timer_list, device_list) {
-		if (timer1->tmr_class > timer->tmr_class)
+		if (timer1->tmr_class > timer->tmr_class) {
+			insert_before = &timer1->device_list;
 			break;
+		}
 		if (timer1->tmr_class < timer->tmr_class)
 			continue;
 		if (timer1->card && timer->card) {
-			if (timer1->card->number > timer->card->number)
+			if (timer1->card->number > timer->card->number) {
+				insert_before = &timer1->device_list;
 				break;
+			}
 			if (timer1->card->number < timer->card->number)
 				continue;
 		}
-		if (timer1->tmr_device > timer->tmr_device)
+		if (timer1->tmr_device > timer->tmr_device) {
+			insert_before = &timer1->device_list;
 			break;
+		}
 		if (timer1->tmr_device < timer->tmr_device)
 			continue;
-		if (timer1->tmr_subdevice > timer->tmr_subdevice)
+		if (timer1->tmr_subdevice > timer->tmr_subdevice) {
+			insert_before = &timer1->device_list;
 			break;
+		}
 		if (timer1->tmr_subdevice < timer->tmr_subdevice)
 			continue;
 		/* conflicts.. */
 		return -EBUSY;
 	}
-	list_add_tail(&timer->device_list, &timer1->device_list);
+	list_add_tail(&timer->device_list, insert_before);
 	return 0;
 }
 
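Review bot: `insert_before = &timer1->device_list;` is now repeated in all four `break` branches, and a comparison added later with a bare `break` would silently append at the tail and break the ordering instead of failing visibly. Consider a single assignment site, for example by moving the class/card/device/subdevice comparison into a small helper that returns its sign, so the loop has one `break`. The `-EBUSY` return and the fall-through case keep their current behaviour, since `insert_before` stays at `&snd_timer_list` when no branch matches.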
-- 
2.34.1
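
The insertion pattern the commit message describes, as an added userspace example that is not part of the patch or the kernel source. `struct item`, `ITEM_OF`, `insert_sorted` and `order_after_inserts` are hypothetical names, `list_head` and `list_add_tail` are simplified re-implementations, and the loop walks `list_head` pointers directly instead of using `list_for_each_entry`, so the container conversion is only ever applied to real entries.

```c
#include <stddef.h>

/* Simplified userspace stand-ins for the kernel list primitives (assumption). */
struct list_head { struct list_head *next, *prev; };
/* Hypothetical element: one sort key instead of class/card/device/subdevice. */
struct item { int key; struct list_head link; };
#define ITEM_OF(p) ((struct item *)((char *)(p) - offsetof(struct item, link)))

/* Insert 'new' immediately before 'head' (tail insert when head is the list head). */
static void list_add_tail(struct list_head *new, struct list_head *head)
{
	new->prev = head->prev;
	new->next = head;
	head->prev->next = new;
	head->prev = new;
}

/* Ordered insert in the patched style; returns -1 on a duplicate key. */
static int insert_sorted(struct list_head *head, struct item *it)
{
	struct list_head *insert_before = head;	/* default: append at tail */
	struct list_head *p;

	for (p = head->next; p != head; p = p->next) {
		if (ITEM_OF(p)->key > it->key) {
			insert_before = p;	/* first larger entry */
			break;
		}
		if (ITEM_OF(p)->key == it->key)
			return -1;		/* conflict, nothing inserted */
	}
	list_add_tail(&it->link, insert_before);
	return 0;
}

/* Constructed input: keys 2, 1, 3. Returns the resulting order as a number. */
static int order_after_inserts(void)
{
	struct list_head head = { &head, &head }, *p;
	struct item it[3] = { { .key = 2 }, { .key = 1 }, { .key = 3 } };
	int i, order = 0;

	for (i = 0; i < 3; i++)
		insert_sorted(&head, &it[i]);
	for (p = head.next; p != &head; p = p->next)
		order = order * 10 + ITEM_OF(p)->key;
	return order;
}
```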
