In the Linux kernel, the following vulnerability has been resolved:
ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs
The dreamcastcard->timer could schedule the spu_dma_work and the spu_dma_work could also arm the dreamcastcard->timer.
When the snd_pcm_substream is closing, the aica_channel will be deallocated. But it could still be dereferenced in the worker thread. The reason is that del_timer() will return directly regardless of whether the timer handler is running or not and the worker could be rescheduled in the timer handler. As a result, the UAF bug will happen. The racy situation is shown below:
(Thread 1)                      |  (Thread 2)
snd_aicapcm_pcm_close()         |
  ...                           |  run_spu_dma() //worker
                                |    mod_timer()
  flush_work()                  |
  del_timer()                   |  aica_period_elapsed() //timer
  kfree(dreamcastcard->channel) |    schedule_work()
                                |  run_spu_dma() //worker
  ...                           |    dreamcastcard->channel-> //USE
In order to mitigate this bug and other possible corner cases, call mod_timer() conditionally in run_spu_dma(), then implement PCM sync_stop op to cancel both the timer and worker. The sync_stop op will be called from PCM core appropriately when needed.
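The interleaving above, replayed in a small userspace model. This is an added example, not the driver's code or the fix as committed: kernel timers and work items are replaced by flags on one struct and stepped by hand, del_timer() is modelled as clearing only a pending timer while del_timer_sync() also waits for a handler that has already started, and the "running" flag that gates the re-arm in the fixed variant is an assumption standing in for whatever condition the description leaves unnamed.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

/* Model of the aica timer/work cleanup race (added example, not the driver's
 * code). Kernel primitives are replaced by flags driven by hand so that the
 * interleaving from the description is reproduced exactly. */
struct card_model {
    int *channel;          /* stands in for dreamcastcard->channel */
    bool running;          /* assumed "stream running" flag checked before re-arming */
    bool timer_pending;    /* timer armed, handler not yet started */
    bool timer_in_flight;  /* timer fired, handler started but preempted: the window del_timer() ignores */
    bool work_pending;     /* spu_dma_work queued, not yet run */
    int uaf_count;         /* dereferences of channel after it was freed */
};

static void touch_channel(struct card_model *c)
{
    if (c->channel == NULL) {   /* already freed: in the driver this is the UAF */
        c->uaf_count++;
        return;
    }
    (*c->channel)++;            /* stand-in for the DMA bookkeeping on the channel */
}

static void mod_timer_m(struct card_model *c) { c->timer_pending = true; }
static void schedule_work_m(struct card_model *c) { c->work_pending = true; }

/* worker: touches the channel, then re-arms the timer (only while running, in the fixed variant) */
static void run_spu_dma_m(struct card_model *c, bool fixed)
{
    c->work_pending = false;
    touch_channel(c);
    if (!fixed || c->running)
        mod_timer_m(c);
}

/* timer handler: queues the worker again */
static void aica_period_elapsed_m(struct card_model *c)
{
    c->timer_in_flight = false;
    schedule_work_m(c);
}

/* Original cleanup order: flush_work(), then del_timer(), then kfree().
 * del_timer() clears a pending timer but does not wait for a handler that is
 * already executing, so that handler can still queue the worker afterwards. */
static void close_buggy(struct card_model *c)
{
    if (c->work_pending) run_spu_dma_m(c, false);    /* flush_work() */
    c->timer_pending = false;                         /* del_timer() */
    free(c->channel); c->channel = NULL;              /* kfree(dreamcastcard->channel) */
}

/* Fixed cleanup, modelled after the sync_stop op: stop re-arming, wait for a
 * running timer handler to finish, then cancel the work it may have queued. */
static void sync_stop_fixed(struct card_model *c)
{
    c->running = false;
    c->timer_pending = false;                         /* del_timer_sync() clears the timer ... */
    if (c->timer_in_flight) aica_period_elapsed_m(c); /* ... and waits for an in-flight handler */
    c->work_pending = false;                          /* cancel_work_sync() */
    free(c->channel); c->channel = NULL;              /* kfree(dreamcastcard->channel) */
}

/* Replays the two-thread interleaving from the description; returns the UAF count. */
int replay(bool fixed)
{
    struct card_model c = { .channel = calloc(1, sizeof(int)), .running = true };

    run_spu_dma_m(&c, fixed);          /* thread 2: worker runs and calls mod_timer() */
    c.timer_pending = false;           /* timer fires; its handler starts ... */
    c.timer_in_flight = true;          /* ... and is preempted before schedule_work() */

    if (fixed) sync_stop_fixed(&c);    /* thread 1: close path */
    else close_buggy(&c);

    if (c.timer_in_flight) aica_period_elapsed_m(&c); /* thread 2: timer handler resumes */
    if (c.work_pending) run_spu_dma_m(&c, fixed);     /* worker runs again, touches channel */
    return c.uaf_count;
}

int main(void)
{
    printf("original cleanup: %d use-after-free\n", replay(false));
    printf("sync_stop cleanup: %d use-after-free\n", replay(true));
    return 0;
}
```

The point the model makes concrete is ordering, not the primitives themselves: flush_work() followed by del_timer() leaves the window in which a handler that has already started can re-queue the worker, whereas stopping the re-arm first and then using the synchronous variants in timer-then-work order leaves nothing pending when the channel is freed.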