From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Takashi Iwai, Sasha Levin
Subject: [PATCH 5.4 032/178] ALSA: usb-audio: Fix potential use-after-free of streams
Date: Mon, 29 Jun 2020 11:22:57 -0400
Message-Id: <20200629152523.2494198-33-sashal@kernel.org>
In-Reply-To: <20200629152523.2494198-1-sashal@kernel.org>
References: <20200629152523.2494198-1-sashal@kernel.org>
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.50-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-5.4.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 5.4.50-rc1
X-KernelTest-Deadline: 2020-07-01T15:25+00:00

From: Takashi Iwai

[ Upstream commit ff58bbc7b9704a5869204176f804eff57307fef0 ]

With the recent full-duplex support of implicit feedback streams, an
endpoint can be still running after closing the capture stream as long
as the playback stream with the sync-endpoint is running. In such a
state, the URBs are still being handled and they may call
retire_data_urb callback, which tries to transfer the data from the PCM
buffer. Since the PCM stream gets closed, this may lead to
use-after-free.

This patch adds the proper clearance of the callback at stopping the
capture stream for addressing the possible UAF above.

Fixes: 10ce77e4817f ("ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback")
Link: https://lore.kernel.org/r/20200616120921.12249-1-tiwai@suse.de
Signed-off-by: Takashi Iwai
Signed-off-by: Sasha Levin
---
 sound/usb/pcm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c index 6c391e5fad2a7..c36e6c97d09ae 100644 --- a/sound/usb/pcm.c +++ b/sound/usb/pcm.c @@ -1778,6 +1778,7 @@ static int snd_usb_substream_capture_trigger(struct snd_pcm_substream *substream return 0; case SNDRV_PCM_TRIGGER_STOP: stop_endpoints(subs, false); + subs->data_endpoint->retire_data_urb = NULL; subs->running = 0; return 0; case SNDRV_PCM_TRIGGER_PAUSE_PUSH: -- 2.25.1
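
Review bot: The new `subs->data_endpoint->retire_data_urb = NULL;` in the SNDRV_PCM_TRIGGER_STOP case is a plain store with no lock or barrier visible in the hunk, so a URB completion that has already tested or loaded the pointer could still run the callback against the PCM buffer while the stream is being closed. Since the commit message says the endpoint keeps running for the playback side, please confirm what serializes this store against the completion path (for example a single READ_ONCE() of the pointer into a local before the call, paired with WRITE_ONCE() here), and that something waits for in-flight completions before the buffer is freed, given that `stop_endpoints(subs, false)` is called just above. It would also help to confirm that the start path re-installs the callback on every TRIGGER_START so that a stop/start cycle does not leave capture silent, and to add a one-line comment above the assignment saying why it is cleared here, because the reason (implicit-feedback full duplex) is not obvious from the code alone.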