Date: Sat, 06 Feb 2021 08:48:05 +0100
Message-ID:
From: Takashi Iwai
To: Hillf Danton
Cc: Mikhail Gavrilov, zonque@gmail.com, LKML, alsa-devel@alsa-project.org, linux-usb@vger.kernel.org
Subject: Re: BUG: KASAN: use-after-free in snd_complete_urb+0x109e/0x1740 [snd_usb_audio] (5.11-rc6)
In-Reply-To: <20210206054533.120-1-hdanton@sina.com>
References: <20210206054533.120-1-hdanton@sina.com>

On Sat, 06 Feb 2021 06:45:32 +0100,
Hillf Danton wrote:
>
> Due to the reconnecting key word mentioned, no fix to
> d0f09d1e4a88 ("ALSA: usb-audio: Refactoring endpoint URB deactivation")
> will be added.
>
> What is added is to capture EP_FLAG_STOPPING and remove the one
> second wait limit if the reconnecting acts may make it easier to
> repro the uaf. The diff is only for idea show.

If my understanding is right, this won't change. The problem is rather the lack of this function call itself, i.e. the missing synchronization for the stream stop. It worked casually in the past because the endpoint resource is released at a later point that is after all streams are really closed. Now it's released earlier and hitting the UAF.

Takashi

> > --- a/sound/usb/endpoint.c > +++ b/sound/usb/endpoint.c 
> @@ -832,24 +832,14 @@ void snd_usb_endpoint_suspend(struct snd > */ > static int wait_clear_urbs(struct snd_usb_endpoint *ep) > { > - unsigned long end_time = jiffies + msecs_to_jiffies(1000); > - int alive; > - > - if (!test_bit(EP_FLAG_STOPPING, &ep->flags)) > - return 0; > - > + WARN_ON_ONCE(!test_bit(EP_FLAG_STOPPING, &ep->flags)); > do { > - alive = bitmap_weight(&ep->active_mask, ep->nurbs); > - if (!alive) > + if (!bitmap_weight(&ep->active_mask, ep->nurbs)) > break; > > schedule_timeout_uninterruptible(1); > - } while (time_before(jiffies, end_time)); > + } while (1); > > - if (alive) > - usb_audio_err(ep->chip, > - "timeout: still %d active urbs on EP #%x\n", > - alive, ep->ep_num); > clear_bit(EP_FLAG_STOPPING, &ep->flags); > > ep->sync_sink = NULL; >
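Review bot: The `} while (1);` that replaces the `time_before(jiffies, end_time)` bound turns a URB whose completion never arrives into an endless loop of `schedule_timeout_uninterruptible(1)` in process context, i.e. an unkillable hang where the old code gave up after one second, and deleting the `usb_audio_err(ep->chip, "timeout: still %d active urbs on EP #%x\n", ...)` branch also removes the only diagnostic of that state; even for an experiment, keep a (longer) bound or at least warn after some number of iterations so a stuck endpoint is reported rather than wedged. Separately, swapping `if (!test_bit(EP_FLAG_STOPPING, &ep->flags)) return 0;` for `WARN_ON_ONCE(!test_bit(EP_FLAG_STOPPING, &ep->flags));` means the function now falls through to `clear_bit(EP_FLAG_STOPPING, &ep->flags);` and `ep->sync_sink = NULL;` on an endpoint that was never marked stopping, which changes the function's contract for every existing caller, not only the reconnect path under investigation.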
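To make Takashi's point concrete (the endpoint may only be released once every in-flight URB has completed, and that wait must stay bounded), here is an added user-space model of the bookkeeping behind wait_clear_urbs(). It is constructed for this thread, not kernel code: struct model_ep, model_tick(), the simulated jiffies clock and the complete_at schedule are hypothetical stand-ins for the real URB completion path.

```c
#include <stddef.h>

/* Constructed model: bit i of active_mask is set while URB i is in flight;
 * complete_at[i] is the simulated time its completion lands (0 = never). */
#define MAX_URBS 8
struct model_ep {
    unsigned int nurbs;
    unsigned long active_mask;
    unsigned long complete_at[MAX_URBS];
};

static unsigned long jiffies;   /* simulated clock, advanced by model_tick() */

void model_ep_init(struct model_ep *ep, unsigned int nurbs,
                   const unsigned long *complete_at)
{
    jiffies = 0;
    ep->nurbs = nurbs;
    ep->active_mask = (1UL << nurbs) - 1;      /* all URBs submitted */
    for (unsigned int i = 0; i < nurbs; i++)
        ep->complete_at[i] = complete_at[i];
}

/* Stands in for schedule_timeout_uninterruptible(1): time passes and any
 * URB whose completion is due is retired from active_mask. */
static void model_tick(struct model_ep *ep)
{
    jiffies++;
    for (unsigned int i = 0; i < ep->nurbs; i++)
        if (ep->complete_at[i] && jiffies >= ep->complete_at[i])
            ep->active_mask &= ~(1UL << i);
}

static int active_count(unsigned long m)
{
    int n = 0;
    for (; m; m &= m - 1)
        n++;
    return n;
}

/* Same shape as the original bounded loop: returns 0 once every URB has
 * completed, otherwise the number still active when the deadline passed.
 * A caller may release the endpoint only on a 0 return. */
int wait_clear_urbs_bounded(struct model_ep *ep, unsigned long timeout_jiffies)
{
    unsigned long end_time = jiffies + timeout_jiffies;
    int alive;

    do {
        alive = active_count(ep->active_mask);
        if (!alive)
            break;
        model_tick(ep);
    } while (jiffies < end_time);
    return alive;
}
```

With one URB that never completes the bounded variant returns after the deadline with a nonzero count the caller can report, whereas an unbounded `while (1)` over the same loop body would never return.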