    ALSA: dummy: Fix a use-after-free at closing · d5dbbe65
    Takashi Iwai authored
    syzkaller fuzzer spotted a potential use-after-free case in snd-dummy
    driver when hrtimer is used as backend:
    > ==================================================================
    > BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr ffff88005e5b6f68
    >  Read of size 8 by task syz-executor/8984
    > =============================================================================
    > BUG kmalloc-192 (Not tainted): kasan: bad access detected
    > -----------------------------------------------------------------------------
    >
    > Disabling lock debugging due to kernel taint
    > INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446705582212484632
    > ....
    > [<      none      >] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464
    > ....
    > INFO: Freed in 0xfffd8e09 age=18446705496313138713 cpu=2164287125 pid=-1
    > [<      none      >] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481
    > ....
    > Call Trace:
    >  [<ffffffff8179e59e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:333
    >  [<     inline     >] rb_set_parent include/linux/rbtree_augmented.h:111
    >  [<     inline     >] __rb_erase_augmented include/linux/rbtree_augmented.h:218
    >  [<ffffffff82ca5787>] rb_erase+0x1b17/0x2010 lib/rbtree.c:427
    >  [<ffffffff82cb02e8>] timerqueue_del+0x78/0x170 lib/timerqueue.c:86
    >  [<ffffffff814d0c80>] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903
    >  [<     inline     >] remove_hrtimer kernel/time/hrtimer.c:945
    >  [<ffffffff814d23da>] hrtimer_try_to_cancel+0x22a/0x570 kernel/time/hrtimer.c:1046
    >  [<ffffffff814d2742>] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066
    >  [<ffffffff85420531>] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417
    >  [<ffffffff854228bf>] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507
    >  [<ffffffff85392170>] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106
    >  [<ffffffff85391b26>] snd_pcm_action_single+0x76/0x120 sound/core/pcm_native.c:956
    >  [<ffffffff85391e01>] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974
    >  [<     inline     >] snd_pcm_stop sound/core/pcm_native.c:1139
    >  [<ffffffff8539754d>] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784
    >  [<ffffffff8539d3be>] snd_pcm_common_ioctl1+0xfae/0x2150 sound/core/pcm_native.c:2805
    >  [<ffffffff8539ee91>] snd_pcm_capture_ioctl1+0x2a1/0x5e0 sound/core/pcm_native.c:2976
    >  [<ffffffff8539f2ec>] snd_pcm_kernel_ioctl+0x11c/0x160 sound/core/pcm_native.c:3020
    >  [<ffffffff853d9a44>] snd_pcm_oss_sync+0x3a4/0xa30 sound/core/oss/pcm_oss.c:1693
    >  [<ffffffff853da27d>] snd_pcm_oss_release+0x1ad/0x280 sound/core/oss/pcm_oss.c:2483
    >  .....
    
    A workaround is to call hrtimer_cancel() in dummy_hrtimer_sync(), which
    is certainly called before other blocking ops.
    Reported-by: Dmitry Vyukov <dvyukov@google.com>
    Tested-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>