From: Shuah Khan
Date: Fri, 11 Nov 2016 16:34:38 -0700
Subject: BUG: KASAN: use-after-free in snd_usb_audio_free
To: tiwai@suse.de
Cc: alsa-devel@alsa-project.org, shuahkh@osg.samsung.com, LKML
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Takashi,

I am seeing the following use-after-free error when I disconnect a USB speaker. I saw this on 4.9-rc4 and 4.8.7. There might be a race condition between the disconnect and pcm close perhaps.

-- 
Shuah

[ 1099.305137] ==================================================================
[ 1099.305172] BUG: KASAN: use-after-free in snd_usb_audio_free+0x134/0x160 [snd_usb_audio] at addr ffff8801c863ce10
[ 1099.305180] Write of size 8 by task pulseaudio/2244
[ 1099.305189] CPU: 0 PID: 2244 Comm: pulseaudio Not tainted 4.8.7 #8
[ 1099.305192] Hardware name: Hewlett-Packard HP ProBook 6475b/180F, BIOS 68TTU Ver. F.04 08/03/2012
[ 1099.305196]  ffff8801c863d480 ffff8801ca6bfae8 ffffffff81b31473 ffff8801fa403040
[ 1099.305207]  ffff8801c863cc80 ffff8801ca6bfb10 ffffffff81564ef1 ffff8801ca6bfba0
[ 1099.305217]  ffff8801c863cc80 ffff8801fa403040 ffff8801ca6bfb90 ffffffff8156518a
[ 1099.305227] Call Trace:
[ 1099.305236]  [] dump_stack+0x67/0x94
[ 1099.305244]  [] kasan_object_err+0x21/0x70
[ 1099.305250]  [] kasan_report_error+0x1fa/0x4e0
[ 1099.305256]  [] ? kasan_slab_free+0x87/0xb0
[ 1099.305262]  [] __asan_report_store8_noabort+0x43/0x50
[ 1099.305280]  [] ? snd_usb_audio_free+0x134/0x160 [snd_usb_audio]
[ 1099.305297]  [] snd_usb_audio_free+0x134/0x160 [snd_usb_audio]
[ 1099.305316]  [] snd_usb_audio_dev_free+0x31/0x40 [snd_usb_audio]
[ 1099.305324]  [] __snd_device_free+0x12a/0x210
[ 1099.305329]  [] snd_device_free_all+0x85/0xd0
[ 1099.305335]  [] release_card_device+0x34/0x130
[ 1099.305342]  [] device_release+0x76/0x1e0
[ 1099.305348]  [] kobject_release+0x107/0x370
[ 1099.305353]  [] kobject_put+0x4e/0xa0
[ 1099.305358]  [] put_device+0x17/0x20
[ 1099.305363]  [] snd_card_file_remove+0x2ed/0x3d0
[ 1099.305369]  [] snd_ctl_release+0x277/0x380
[ 1099.305374]  [] snd_disconnect_release+0x276/0x3a0
[ 1099.305380]  [] __fput+0x1fc/0x6c0
[ 1099.305385]  [] ____fput+0xe/0x10
[ 1099.305392]  [] task_work_run+0xde/0x140
[ 1099.305398]  [] exit_to_usermode_loop+0x140/0x170
[ 1099.305405]  [] syscall_return_slowpath+0x16a/0x1a0
[ 1099.305411]  [] entry_SYSCALL_64_fastpath+0xa6/0xa8
[ 1099.305417] Object at ffff8801c863cc80, in cache kmalloc-2048 size: 2048
[ 1099.305422] Allocated:
[ 1099.305427] PID = 1788
[ 1099.305432]  [] save_stack_trace+0x2b/0x50
[ 1099.305440]  [] save_stack+0x46/0xd0
[ 1099.305446]  [] kasan_kmalloc+0xad/0xe0
[ 1099.305453]  [] kmem_cache_alloc_trace+0xfa/0x240
[ 1099.305460]  [] usb_alloc_dev+0x57/0xc90
[ 1099.305467]  [] hub_event+0xf1d/0x35f0
[ 1099.305473]  [] process_one_work+0x68a/0x19f0
[ 1099.305479]  [] worker_thread+0xd9/0x12f0
[ 1099.305485]  [] kthread+0x1d4/0x270
[ 1099.305490]  [] ret_from_fork+0x1f/0x40
[ 1099.305497] Freed:
[ 1099.305502] PID = 1788
[ 1099.305506]  [] save_stack_trace+0x2b/0x50
[ 1099.305512]  [] save_stack+0x46/0xd0
[ 1099.305519]  [] kasan_slab_free+0x71/0xb0
[ 1099.305526]  [] kfree+0xd9/0x280
[ 1099.305531]  [] usb_release_dev+0xde/0x110
[ 1099.305537]  [] device_release+0x76/0x1e0
[ 1099.305544]  [] kobject_release+0x107/0x370
[ 1099.305550]  [] kobject_put+0x4e/0xa0
[ 1099.305555]  [] put_device+0x17/0x20
[ 1099.305562]  [] usb_disconnect+0x4d8/0x8b0
[ 1099.305568]  [] hub_event+0xe20/0x35f0
[ 1099.305573]  [] process_one_work+0x68a/0x19f0
[ 1099.305579]  [] worker_thread+0xd9/0x12f0
[ 1099.305585]  [] kthread+0x1d4/0x270
[ 1099.305591]  [] ret_from_fork+0x1f/0x40
[ 1099.305597] Memory state around the buggy address:
[ 1099.305605]  ffff8801c863cd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1099.305612]  ffff8801c863cd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1099.305618] >ffff8801c863ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1099.305623]                          ^
[ 1099.305629]  ffff8801c863ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1099.305635]  ffff8801c863cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1099.305639] ==================================================================
[ 1099.305643] Disabling lock debugging due to kernel taint
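To make a report like the one above quicker to read, here is an added triage script (not part of this mail or of the ALSA/USB code) that parses the KASAN header and the access, allocation and free stacks, skips the sanitizer/allocator plumbing frames, and reports where the write landed relative to the freed object; the excerpt it runs on is constructed from the lines quoted above.

```python
import re

# Constructed excerpt of the report above; "[<ip>]" in each frame is empty (archive stripped it).
REPORT = """\
[ 1099.305172] BUG: KASAN: use-after-free in snd_usb_audio_free+0x134/0x160 [snd_usb_audio] at addr ffff8801c863ce10
[ 1099.305180] Write of size 8 by task pulseaudio/2244
[ 1099.305297]  [] snd_usb_audio_free+0x134/0x160 [snd_usb_audio]
[ 1099.305417] Object at ffff8801c863cc80, in cache kmalloc-2048 size: 2048
[ 1099.305422] Allocated:
[ 1099.305460]  [] usb_alloc_dev+0x57/0xc90
[ 1099.305497] Freed:
[ 1099.305526]  [] kfree+0xd9/0x280
[ 1099.305531]  [] usb_release_dev+0xde/0x110
[ 1099.305562]  [] usb_disconnect+0x4d8/0x8b0
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")                              # printk timestamp
FRAME = re.compile(r"^\[(?:<[0-9a-f]+>)?\]\s*(?:\?\s*)?(\w+)\+0x")  # "[<ip>] fn+0x../0x.."
FIELDS = [  # header lines worth keeping -> dict keys
    (re.compile(r"BUG: KASAN: (\S+) in (\S+).* at addr ([0-9a-f]+)"), ("bug", "where", "addr")),
    (re.compile(r"(Read|Write) of size (\d+) by task (\S+)"), ("access", "size", "task")),
    (re.compile(r"Object at ([0-9a-f]+), in cache (\S+) size: (\d+)"), ("obj", "cache", "obj_size")),
]
# Frames belonging to KASAN or the allocator itself, not to the code under suspicion.
NOISE = ("kasan_", "save_stack", "dump_stack", "__asan_", "kmem_cache_alloc", "kfree")

def parse_kasan(report):
    info, section = {"trace": [], "alloc": [], "free": []}, "trace"
    for raw in report.splitlines():
        line = TS.sub("", raw).strip()
        if line in ("Allocated:", "Freed:"):
            section = "alloc" if line == "Allocated:" else "free"
            continue
        for rx, keys in FIELDS:
            if m := rx.match(line):
                info.update(zip(keys, m.groups()))
        if m := FRAME.match(line):          # stack frame under the current heading
            info[section].append(m.group(1))
    return info

def triage(report):
    """Facts needed to reason about the lifetime bug: who freed it, who still wrote to it."""
    info = parse_kasan(report)
    offset = int(info["addr"], 16) - int(info["obj"], 16)   # where in the object the write hit
    real = lambda frames: next((f for f in frames if not f.startswith(NOISE)), None)
    return {"bug": info["bug"], "task": info["task"], "offset": offset,
            "faulting_fn": info["where"].split("+")[0],
            "inside_object": 0 <= offset < int(info["obj_size"]),
            "allocated_by": real(info["alloc"]), "freed_by": real(info["free"]),
            "freed_from": info["free"][-1]}  # outermost frame on the free path
```

For this report the result shows an 8-byte write at offset 0x190 into a 2048-byte object that usb_alloc_dev allocated and usb_release_dev freed on the usb_disconnect path, while snd_usb_audio_free was still writing to it from the pcm/ctl file-release path.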