| From 862fa160ae0771b1e562da9c8b52d8f0bc5c8344 Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Tue, 16 Jun 2020 14:09:21 +0200 |
| Subject: [PATCH] ALSA: usb-audio: Fix potential use-after-free of streams |
| |
| commit ff58bbc7b9704a5869204176f804eff57307fef0 upstream. |
| |
| With the recent full-duplex support of implicit feedback streams, an |
| endpoint can be still running after closing the capture stream as long |
| as the playback stream with the sync-endpoint is running. In such a |
| state, the URBs are still being handled and they may call retire_data_urb |
| callback, which tries to transfer the data from the PCM buffer. Since |
| the PCM stream gets closed, this may lead to use-after-free. |
| |
| This patch adds the proper clearance of the callback at stopping the |
| capture stream for addressing the possible UAF above. |
| |
| Fixes: 10ce77e4817f ("ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback") |
| Link: https://lore.kernel.org/r/20200616120921.12249-1-tiwai@suse.de |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c |
| index ccc1fba59df2..a07155faaac6 100644 |
| --- a/sound/usb/pcm.c |
| +++ b/sound/usb/pcm.c |
| @@ -1739,6 +1739,7 @@ static int snd_usb_substream_playback_trigger(struct snd_pcm_substream *substrea |
| return 0; |
| case SNDRV_PCM_TRIGGER_STOP: |
| stop_endpoints(subs, false); |
| + subs->data_endpoint->retire_data_urb = NULL; |
| subs->running = 0; |
| return 0; |
| case SNDRV_PCM_TRIGGER_PAUSE_PUSH: |
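Review bot: The hunk header places this SNDRV_PCM_TRIGGER_STOP case in snd_usb_substream_playback_trigger, while the commit message says the callback is cleared when stopping the capture stream. Since this is a backport, please confirm the added line landed in the capture trigger's STOP case and not the playback one, where it would not match the fix the message describes. Separately, the store to subs->data_endpoint->retire_data_urb comes after stop_endpoints(subs, false) with no synchronization visible in this hunk. A short comment saying why a URB completion still in flight cannot use the old callback, or that the completion path checks the pointer for NULL, would make the ordering easier to review.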
| -- |
| 2.27.0 |
| |