• Takashi Iwai's avatar
    ALSA: dummy: Fix a use-after-free at closing · d5dbbe65
    Takashi Iwai authored
    syzkaller fuzzer spotted a potential use-after-free case in snd-dummy
    driver when hrtimer is used as backend:
    > ==================================================================
    > BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr ffff88005e5b6f68
    >  Read of size 8 by task syz-executor/8984
    > =============================================================================
    > BUG kmalloc-192 (Not tainted): kasan: bad access detected
    > -----------------------------------------------------------------------------
    >
    > Disabling lock debugging due to kernel taint
    > INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446705582212484632
    > ....
    > [<      none      >] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464
    > ....
    > INFO: Freed in 0xfffd8e09 age=18446705496313138713 cpu=2164287125 pid=-1
    > [<      none      >] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481
    > ....
    > Call Trace:
    >  [<ffffffff8179e59e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:333
    >  [<     inline     >] rb_set_parent include/linux/rbtree_augmented.h:111
    >  [<     inline     >] __rb_erase_augmented include/linux/rbtree_augmented.h:218
    >  [<ffffffff82ca5787>] rb_erase+0x1b17/0x2010 lib/rbtree.c:427
    >  [<ffffffff82cb02e8>] timerqueue_del+0x78/0x170 lib/timerqueue.c:86
    >  [<ffffffff814d0c80>] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903
    >  [<     inline     >] remove_hrtimer kernel/time/hrtimer.c:945
    >  [<ffffffff814d23da>] hrtimer_try_to_cancel+0x22a/0x570 kernel/time/hrtimer.c:1046
    >  [<ffffffff814d2742>] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066
    >  [<ffffffff85420531>] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417
    >  [<ffffffff854228bf>] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507
    >  [<ffffffff85392170>] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106
    >  [<ffffffff85391b26>] snd_pcm_action_single+0x76/0x120 sound/core/pcm_native.c:956
    >  [<ffffffff85391e01>] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974
    >  [<     inline     >] snd_pcm_stop sound/core/pcm_native.c:1139
    >  [<ffffffff8539754d>] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784
    >  [<ffffffff8539d3be>] snd_pcm_common_ioctl1+0xfae/0x2150 sound/core/pcm_native.c:2805
    >  [<ffffffff8539ee91>] snd_pcm_capture_ioctl1+0x2a1/0x5e0 sound/core/pcm_native.c:2976
    >  [<ffffffff8539f2ec>] snd_pcm_kernel_ioctl+0x11c/0x160 sound/core/pcm_native.c:3020
    >  [<ffffffff853d9a44>] snd_pcm_oss_sync+0x3a4/0xa30 sound/core/oss/pcm_oss.c:1693
    >  [<ffffffff853da27d>] snd_pcm_oss_release+0x1ad/0x280 sound/core/oss/pcm_oss.c:2483
    >  .....
    
    A workaround is to call hrtimer_cancel() in dummy_hrtimer_sync() which
    is called certainly before other blocking ops.
    Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
    Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    d5dbbe65
Name
Last commit
Last update
..
aoa Loading commit data...
arm Loading commit data...
atmel Loading commit data...
core Loading commit data...
drivers Loading commit data...
firewire Loading commit data...
hda Loading commit data...
i2c Loading commit data...
isa Loading commit data...
mips Loading commit data...
oss Loading commit data...
parisc Loading commit data...
pci Loading commit data...
pcmcia Loading commit data...
ppc Loading commit data...
sh Loading commit data...
soc Loading commit data...
sparc Loading commit data...
spi Loading commit data...
synth Loading commit data...
usb Loading commit data...
Kconfig Loading commit data...
Makefile Loading commit data...
ac97_bus.c Loading commit data...
last.c Loading commit data...
sound_core.c Loading commit data...
sound_firmware.c Loading commit data...