From d5dbbe6569481bf12dcbe3e12cff72c5f78d272c Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Fri, 24 Jun 2016 15:15:26 +0200
Subject: ALSA: dummy: Fix a use-after-free at closing

From: Takashi Iwai <tiwai@suse.de>

commit d5dbbe6569481bf12dcbe3e12cff72c5f78d272c upstream.

syzkaller fuzzer spotted a potential use-after-free case in snd-dummy
driver when hrtimer is used as backend:
> ==================================================================
> BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr ffff88005e5b6f68
> Read of size 8 by task syz-executor/8984
> =============================================================================
> BUG kmalloc-192 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------
>
> Disabling lock debugging due to kernel taint
> INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446705582212484632
> ....
> [< none >] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464
> ....
> INFO: Freed in 0xfffd8e09 age=18446705496313138713 cpu=2164287125 pid=-1
> [< none >] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481
> ....
> Call Trace:
> [<ffffffff8179e59e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:333
> [< inline >] rb_set_parent include/linux/rbtree_augmented.h:111
> [< inline >] __rb_erase_augmented include/linux/rbtree_augmented.h:218
> [<ffffffff82ca5787>] rb_erase+0x1b17/0x2010 lib/rbtree.c:427
> [<ffffffff82cb02e8>] timerqueue_del+0x78/0x170 lib/timerqueue.c:86
> [<ffffffff814d0c80>] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903
> [< inline >] remove_hrtimer kernel/time/hrtimer.c:945
> [<ffffffff814d23da>] hrtimer_try_to_cancel+0x22a/0x570 kernel/time/hrtimer.c:1046
> [<ffffffff814d2742>] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066
> [<ffffffff85420531>] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417
> [<ffffffff854228bf>] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507
> [<ffffffff85392170>] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106
> [<ffffffff85391b26>] snd_pcm_action_single+0x76/0x120 sound/core/pcm_native.c:956
> [<ffffffff85391e01>] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974
> [< inline >] snd_pcm_stop sound/core/pcm_native.c:1139
> [<ffffffff8539754d>] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784
> [<ffffffff8539d3be>] snd_pcm_common_ioctl1+0xfae/0x2150 sound/core/pcm_native.c:2805
> [<ffffffff8539ee91>] snd_pcm_capture_ioctl1+0x2a1/0x5e0 sound/core/pcm_native.c:2976
> [<ffffffff8539f2ec>] snd_pcm_kernel_ioctl+0x11c/0x160 sound/core/pcm_native.c:3020
> [<ffffffff853d9a44>] snd_pcm_oss_sync+0x3a4/0xa30 sound/core/oss/pcm_oss.c:1693
> [<ffffffff853da27d>] snd_pcm_oss_release+0x1ad/0x280 sound/core/oss/pcm_oss.c:2483
> .....

A workaround is to call hrtimer_cancel() in dummy_hrtimer_sync() which
is called certainly before other blocking ops.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
sound/drivers/dummy.c | 1 +
1 file changed, 1 insertion(+)

| --- a/sound/drivers/dummy.c |
| +++ b/sound/drivers/dummy.c |
| @@ -420,6 +420,7 @@ static int dummy_hrtimer_stop(struct snd |
| |
| static inline void dummy_hrtimer_sync(struct dummy_hrtimer_pcm *dpcm) |
| { |
| + hrtimer_cancel(&dpcm->timer); |
| tasklet_kill(&dpcm->tasklet); |
| } |
| |
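Review bot: The new `hrtimer_cancel(&dpcm->timer);` in dummy_hrtimer_sync() has no comment explaining why it must precede `tasklet_kill(&dpcm->tasklet);`, and the commit message only calls it a "workaround"; a one-line comment above the call would record the ordering requirement (cancel the timer first so that a timer callback still in flight cannot re-schedule the tasklet after tasklet_kill() returns, and so that no timer remains queued when the dpcm it points to is freed later in dummy_hrtimer_free(), which is the free site the KASAN report names). It is also worth noting in that comment that hrtimer_cancel() is idempotent, so calling it here is safe even when dummy_hrtimer_stop() at dummy.c:417 has already cancelled the timer on the normal stop path; without that note a later reader may see the duplicate cancel and remove it.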