PT-2026-52289 · Linux · Linux
Published: 2026-06-25 · Updated: 2026-06-25 · CVE-2026-53193
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
ALSA: timer: Forcibly close timer instances at closing

When snd_timer object is freed via snd_timer_free() and still pending
snd_timer_instance objects are assigned to the timer object, it tries
to unlink all instances and just set NULL to each ti->timer, then
releases the resources immediately. The problem is, however, when
there are slave timer instances that are associated with a master
instance linked to this timer: namely, those slave instances still
point to the freed timer object although the master instance is
unlinked, which may lead to use-after-free. The bug can be easily
triggered particularly when the new userspace-driven timers
(CONFIG_SND_UTIMER) are involved, since it can create and delete the
timer object via a simple file open/close, while the other
applications may keep accessing that timer.

This patch is an attempt to paper over the problem above: now instead
of just unlinking, call snd_timer_close_locked forcibly for each
pending timer instance, so that all assigned slave timer instances are
properly detached, too. Since snd_timer_close() might be called later
by the driver that created that instance, the check of
SNDRV_TIMER_IFLG_DEAD is added at the beginning, too.
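A simplified userspace model of the lifetime problem described above, added here as an illustration; it is not kernel code and not part of the patch. The struct layouts and the names `inst_close`, `timer_teardown`, `run_model` and `IFLG_DEAD` are assumptions standing in for the ALSA timer structures, and no memory is actually freed, so the stale reference is only counted, never dereferenced.

```c
#include <stddef.h>
#define IFLG_DEAD 0x1   /* stands in for SNDRV_TIMER_IFLG_DEAD */
#define MAX_INST 4
struct timer;
struct inst {
    struct timer *timer;            /* back-pointer; must not outlive the timer */
    struct inst *slaves[MAX_INST];  /* slaves attached to this master */
    int nslaves;
    unsigned flags;
};
struct timer {
    struct inst *open_list[MAX_INST]; /* only master instances are linked here */
    int nopen;
};

/* Modelled close: idempotent via the DEAD flag, detaches slaves as well. */
static int inst_close(struct inst *ti) {
    if (ti->flags & IFLG_DEAD)
        return 0;                   /* already force-closed at timer teardown */
    ti->flags |= IFLG_DEAD;
    for (int i = 0; i < ti->nslaves; i++)
        ti->slaves[i]->timer = NULL;
    ti->nslaves = 0;
    ti->timer = NULL;
    return 1;
}

/* Tear down a timer; force_close=0 models the old unlink-only behaviour. */
static void timer_teardown(struct timer *t, int force_close) {
    for (int i = 0; i < t->nopen; i++) {
        if (force_close)
            inst_close(t->open_list[i]);
        else
            t->open_list[i]->timer = NULL; /* slaves are never visited */
    }
    t->nopen = 0;
}

/* Returns stale references left after teardown; *late_close = creator's later close. */
static int run_model(int force_close, int *late_close) {
    struct timer t = {0};
    struct inst m = {0}, s = {0};
    m.timer = &t; t.open_list[t.nopen++] = &m;        /* master opens timer */
    s.timer = m.timer; m.slaves[m.nslaves++] = &s;    /* slave follows master */
    timer_teardown(&t, force_close);
    int stale = (m.timer == &t) + (s.timer == &t);
    *late_close = inst_close(&m);
    return stale;
}
```

With `force_close` set to 0 the slave is left holding the timer pointer after teardown; with 1 nothing references the timer, and the creator's later close returns early because the instance is already marked dead.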
Affected Products
Linux