From: Wang Wensheng <wangwensheng4@huawei.com>
To: <perex@perex.cz>, <tiwai@suse.com>, <wangwensheng4@huawei.com>, <broonie@kernel.org>, <joe@perches.com>, <alsa-devel@alsa-project.org>, <linux-kernel@vger.kernel.org>
Cc: <rui.xiang@huawei.com>
Subject: [PATCH -next v2] ALSA: timer: Fix use-after-free problem
Date: Wed, 3 Nov 2021 03:35:17 +0000
Message-ID: <20211103033517.80531-1-wangwensheng4@huawei.com>

When the timer instance was added to ack_list but was not currently being processed, the user could stop it via snd_timer_stop1() without deleting it from the ack_list. Then the user could free the timer instance, and when it was actually processed a UAF occurred.

This issue could be reproduced via testcase snd_timer01 in ltp, running several instances of that testcase at the same time.

What I actually met was that the ack_list of the timer was broken and the kernel went into a dead loop with IRQs off. That could be detected by the hardlockup detector on board, or, when we run it on qemu, we could use gdb to dump the ack_list when the console has no response.

To fix this issue, we delete the timer instance from ack_list and active_list unconditionally in snd_timer_stop1().

Signed-off-by: Wang Wensheng <wangwensheng4@huawei.com>
Suggested-by: Takashi Iwai <tiwai@suse.de>
---
 sound/core/timer.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/core/timer.c b/sound/core/timer.c
index 92b7008fcdb8..4f9bab931951 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -624,13 +624,13 @@ static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop) if (!timer) return -EINVAL; spin_lock_irqsave(&timer->lock, flags); + list_del_init(&timeri->ack_list); + list_del_init(&timeri->active_list); if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START))) { result = -EBUSY; goto unlock; } - list_del_init(&timeri->ack_list); - list_del_init(&timeri->active_list); if (timer->card && timer->card->shutdown) goto unlock; if (stop) { -- 2.17.1
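Review bot: Moving the two list_del_init() calls above the SNDRV_TIMER_IFLG_RUNNING|SNDRV_TIMER_IFLG_START test means the -EBUSY return now has a side effect (the instance is unlinked from ack_list and active_list even though snd_timer_stop1() reports it was not running); that is the point of the fix, but nothing at the call site says so, and the next reader tidying the function could move the unlink back under the flag check and reintroduce the bug. Add a short comment above the calls, e.g. "/* unlink first: the instance may sit on ack_list with RUNNING/START already cleared */", and a sentence in the commit message stating that -EBUSY no longer implies the instance was left untouched. It is also worth confirming that no caller relies on an instance that got -EBUSY staying on active_list; the stop=false pause path goes through this same function, so it is covered by the same change.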
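The ordering problem the commit message describes, as an added model that is not code from the patch or from sound/core/timer.c: a minimal Linux-style intrusive list (the helpers mimic include/linux/list.h semantics), a timer instance carrying the two list nodes and the flag word the hunk touches, and the two stop() orderings from the hunk side by side. The way an instance reaches ack_list with RUNNING/START already cleared (queue_expired_instance) is an assumption drawn from the commit message, not the driver's actual IRQ path.

```c
/* Added model of the snd_timer ack_list ordering bug; not the kernel's code.
 * The list helpers follow include/linux/list.h semantics. The expiry path
 * (queue_expired_instance) is an assumed simplification of what the commit
 * message describes, not the real snd_timer interrupt handling. */
#include <stdbool.h>
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev;
	n->next = head;
	head->prev->next = n;
	head->prev = n;
}

/* Unlink and re-initialise, so deleting an unlinked node again is harmless. */
static void list_del_init(struct list_head *n)
{
	n->prev->next = n->next;
	n->next->prev = n->prev;
	INIT_LIST_HEAD(n);
}

#define IFLG_START    0x1
#define IFLG_RUNNING  0x2
#define MODEL_EBUSY   16   /* stands in for -EBUSY */

struct timer_model {
	struct list_head active_list;  /* armed instances waiting to expire */
	struct list_head ack_list;     /* expired instances awaiting their callback */
};

struct timer_instance {
	unsigned int flags;
	struct list_head active_list;
	struct list_head ack_list;
};

/* Ordering before the patch: unlink only when RUNNING or START is set. */
static int stop_before_fix(struct timer_instance *ti)
{
	if (!(ti->flags & (IFLG_RUNNING | IFLG_START)))
		return -MODEL_EBUSY;
	list_del_init(&ti->ack_list);
	list_del_init(&ti->active_list);
	ti->flags &= ~(IFLG_RUNNING | IFLG_START);
	return 0;
}

/* Ordering after the patch: unlink unconditionally, then check the flags. */
static int stop_after_fix(struct timer_instance *ti)
{
	list_del_init(&ti->ack_list);
	list_del_init(&ti->active_list);
	if (!(ti->flags & (IFLG_RUNNING | IFLG_START)))
		return -MODEL_EBUSY;
	ti->flags &= ~(IFLG_RUNNING | IFLG_START);
	return 0;
}

/* Assumed model of the state in the commit message: the instance expired, was
 * moved from active_list to ack_list and has RUNNING/START cleared, but its
 * ack callback has not been processed yet. */
static void queue_expired_instance(struct timer_model *t, struct timer_instance *ti)
{
	list_del_init(&ti->active_list);
	list_add_tail(&ti->ack_list, &t->ack_list);
	ti->flags &= ~(IFLG_RUNNING | IFLG_START);
}

/* Replay the user's stop()+free() sequence against one stop() variant.
 * Returns true if the instance is still linked on the timer's ack_list at the
 * moment it is freed, i.e. the next ack pass would walk into freed memory.
 * The membership check happens before free(), so this model itself never
 * touches freed memory. */
static bool stop_leaves_dangling_ack(int (*stop)(struct timer_instance *))
{
	struct timer_model t;
	struct timer_instance *ti = calloc(1, sizeof(*ti));
	bool dangling;

	if (!ti)
		abort();
	INIT_LIST_HEAD(&t.active_list);
	INIT_LIST_HEAD(&t.ack_list);
	INIT_LIST_HEAD(&ti->active_list);
	INIT_LIST_HEAD(&ti->ack_list);

	ti->flags = IFLG_START;                          /* user starts the timer */
	list_add_tail(&ti->active_list, &t.active_list);
	queue_expired_instance(&t, ti);                  /* IRQ side: expired, queued for ack */

	stop(ti);                                        /* user stops it; -EBUSY either way */
	dangling = (t.ack_list.next == &ti->ack_list);   /* still reachable from ack_list? */
	free(ti);                                        /* user frees the instance */
	return dangling;
}
```

With the pre-patch ordering stop_leaves_dangling_ack(stop_before_fix) returns true: the -EBUSY early return skips the unlink, so the freed instance stays reachable from ack_list. With the patched ordering it returns false, because list_del_init() runs regardless of the flag word and a later ack pass simply finds the list empty.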