Subject: Re: BUG: KASAN: use-after-free in snd_usb_audio_free
To: Takashi Iwai, Shuah Khan
Cc: alsa-devel@alsa-project.org, LKML, Shuah Khan
From: Shuah Khan
Date: Mon, 14 Nov 2016 09:55:54 -0700
X-Mailing-List: linux-kernel@vger.kernel.org

On 11/14/2016 03:25 AM, Takashi Iwai wrote:
> On Sat, 12 Nov 2016 00:34:38 +0100,
> Shuah Khan wrote:
>>
>> Hi Takashi,
>>
>> I am seeing the following use-after-free error when I disconnect a
>> USB speaker. I saw this on 4.9-rc4 and 4.8.7. There might be a race
>> condition between the disconnect and pcm close perhaps.
>
> Thanks, this looks like a new discovery.
> Could you check whether the patch below works?
>
>
> Takashi
>
> ---
> diff --git a/sound/usb/card.c b/sound/usb/card.c > index 9e5276d6dda0..2ddc034673a8 100644 > --- a/sound/usb/card.c > +++ b/sound/usb/card.c > @@ -315,7 +315,8 @@ static int snd_usb_audio_free(struct snd_usb_audio *chip) > snd_usb_endpoint_free(ep); > > mutex_destroy(&chip->mutex); > - dev_set_drvdata(&chip->dev->dev, NULL); > + if (!atomic_read(&chip->shutdown)) > + dev_set_drvdata(&chip->dev->dev, NULL); > kfree(chip); > return 0; > }
>

Hi Takashi,

The patch fixed the problem on 4.9-rc4. Didn't get a chance to test it on 4.8.7.

thanks,
-- Shuah
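
Review bot: The new `if (!atomic_read(&chip->shutdown))` guard in front of `dev_set_drvdata(&chip->dev->dev, NULL);` in snd_usb_audio_free() has no comment saying why `chip->dev` must not be dereferenced once shutdown is set, and the patch was posted without a changelog. Please add a one-line comment above the check and a commit message that ties it to the reported disconnect versus PCM close ordering. The check and the dereference are not serialized in the visible lines (the mutex is destroyed just above), so the changelog should also state what guarantees `shutdown` cannot change between the `atomic_read()` and the `dev_set_drvdata()` call. The fix is confirmed on 4.9-rc4 only; 4.8.7, where the report was also seen, remains untested.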