Date: Sat, 06 Feb 2021 08:48:05 +0100
From: Takashi Iwai
To: Hillf Danton
Cc: Mikhail Gavrilov, zonque@gmail.com, LKML, alsa-devel@alsa-project.org, linux-usb@vger.kernel.org
Subject: Re: BUG: KASAN: use-after-free in snd_complete_urb+0x109e/0x1740 [snd_usb_audio] (5.11-rc6)
In-Reply-To: <20210206054533.120-1-hdanton@sina.com>
References: <20210206054533.120-1-hdanton@sina.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 06 Feb 2021 06:45:32 +0100, Hillf Danton wrote:
>
> Due to the reconnecting key word mentioned, no fix to
> d0f09d1e4a88 ("ALSA: usb-audio: Refactoring endpoint URB deactivation")
> will be added.
>
> What is added is to capture EP_FLAG_STOPPING and remove the one
> second wait limit if the reconnecting acts may make it easier to
> repro the uaf. The diff is only for idea show.

If my understanding is right, this won't change. The problem is rather the lack of this function call itself, i.e. the missing synchronization for the stream stop. It worked casually in the past because the endpoint resource is released at a later point that is after all streams are really closed. Now it's released earlier and hitting the UAF.

Takashi

> > --- a/sound/usb/endpoint.c > +++ b/sound/usb/endpoint.c
> @@ -832,24 +832,14 @@ void snd_usb_endpoint_suspend(struct snd > */ > static int wait_clear_urbs(struct snd_usb_endpoint *ep) > { > - unsigned long end_time = jiffies + msecs_to_jiffies(1000); > - int alive; > - > - if (!test_bit(EP_FLAG_STOPPING, &ep->flags)) > - return 0; > - > + WARN_ON_ONCE(!test_bit(EP_FLAG_STOPPING, &ep->flags)); > do { > - alive = bitmap_weight(&ep->active_mask, ep->nurbs); > - if (!alive) > + if (!bitmap_weight(&ep->active_mask, ep->nurbs)) > break; > > schedule_timeout_uninterruptible(1); > - } while (time_before(jiffies, end_time)); > + } while (1); > > - if (alive) > - usb_audio_err(ep->chip, > - "timeout: still %d active urbs on EP #%x\n", > - alive, ep->ep_num); > clear_bit(EP_FLAG_STOPPING, &ep->flags); > > ep->sync_sink = NULL; >
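Review bot: replacing `} while (time_before(jiffies, end_time));` with `} while (1);` makes wait_clear_urbs() wait without bound, so if a bit in ep->active_mask is never cleared (an URB whose completion never arrives, e.g. after the device is gone) the caller blocks forever, and because the `timeout: still %d active urbs on EP #%x` message is dropped with it, nothing is logged; keeping a bound (even a much longer one) together with the error path alongside the new WARN_ON_ONCE() would preserve the diagnostic while still serving as a repro aid. Separately, removing the early `return 0` when EP_FLAG_STOPPING is not set means the function now falls through to `clear_bit(EP_FLAG_STOPPING, &ep->flags)` and `ep->sync_sink = NULL` even when no stop was in progress, which is a behaviour change beyond the timeout removal and worth calling out in the commit message if this is ever sent as a real patch.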