Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2567723pxb; Sat, 6 Feb 2021 00:35:34 -0800 (PST) X-Google-Smtp-Source: ABdhPJyHjXM0HX3vVLc247JkbwzjpAN2uogD5FqRh81ssb8QfRURCDKd5v6Y2JlfIq0ObOFcBezu X-Received: by 2002:a17:906:7754:: with SMTP id o20mr8171558ejn.192.1612600533786; Sat, 06 Feb 2021 00:35:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612600533; cv=none; d=google.com; s=arc-20160816; b=gLcYGYnvBgsSYsKV0gWVoj9JKjfXPWl5pcAWsREjz3iHj+7hpKkXdrfULNUS+cgb7l lQ34GQcn4Vh7AXaVtJc3rNfT5T6LYgthRf47/hr8PGB0J6wSyMI3sYtSm5+8h5dRWa8U pTKTtJOpv1d5zn7DdvTZi7sZgGaK580pU+Etodyz3LvjqNqd+VzHFgPdcZa+pPARq/7H eMTlwH0zPWCX+3yJVuUYB3hrLTXczkXuMe5UTFOFDXG17NRqd2ufL6uCf9NC/K0r8tuu Ru4GqCqu5n/ZOVQ1lVuxF1f84bQFRkmExRCJbXUl0v8aQuUAiWutr835FQ9ubFpUN0lh nI5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:references:in-reply-to :subject:cc:to:from:message-id:date; bh=W2X1ujYpSvUV8F87gvT5TwG0nyN3wh2f/bcLhOFHU8I=; b=SIcJ5xaZZjxYRDW0EsUlcff8EH3iEnvNA0WaPr90c6T6ovcX6t6Xj/AWMEK0D+FXNL Cw6cSkDnZaxEZYmIW+fd4CPRbi2wkMnnmel9ZZtXRok77QbgYAEYeWY5l0H6b5HliXkh l4EGlRDAxcIXSwOiIoKKhvE5TBKotskGfkIiJEu7dvoV879PKARXhZs+rgVwvND9+w99 XiJbOC8fyOwerS8GTmJvqyrd+RHxhfpk4pwcij6eAGM4zvh8kQyKvXPmeQ+BkxE1Gr6k PHYUA6p7cKAVygQ4sz59SPcC85+SeddXClU53Vji0BhTfalH4uDVkQLRwqXUZrmYsIUT 5VGQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p92si7872166edd.367.2021.02.06.00.35.09; Sat, 06 Feb 2021 00:35:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229756AbhBFIdl (ORCPT + 99 others); Sat, 6 Feb 2021 03:33:41 -0500 Received: from mx2.suse.de ([195.135.220.15]:58314 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229684AbhBFIdk (ORCPT ); Sat, 6 Feb 2021 03:33:40 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id C71CBAC43; Sat, 6 Feb 2021 08:32:57 +0000 (UTC) Date: Sat, 06 Feb 2021 09:32:57 +0100 Message-ID: From: Takashi Iwai To: Hillf Danton Cc: Mikhail Gavrilov , zonque@gmail.com, LKML , alsa-devel@alsa-project.org, linux-usb@vger.kernel.org Subject: Re: BUG: KASAN: use-after-free in snd_complete_urb+0x109e/0x1740 [snd_usb_audio] (5.11-rc6) In-Reply-To: <20210206081333.7472-1-hdanton@sina.com> References: <20210206081333.7472-1-hdanton@sina.com> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, 06 Feb 2021 09:13:33 +0100, Hillf Danton wrote: > > On Sat, 6 Feb 2021 Takashi Iwai wrote: > > > Due to the reconnecting key word mentioned, no fix to > > > d0f09d1e4a88 ("ALSA: usb-audio: Refactoring endpoint URB deactivation") > > > will be added. > > > > > > What is added is to capture EP_FLAG_STOPPING and remove the one > > > second wait limit if the reconnecting acts may make it easier to > > > repro the uaf. The diff is only for idea show. > > > > If my understanding is right, this won't change. The problem is > > rather the lack of this function call itself, i.e. the missing > > synchronization for the stream stop. > > Thanks for taking a look at it. > > > > It worked casually in the past because the endpoint resource is > > released at a later point that is after all streams are really closed. > > Now it's released earlier and hitting the UAF. > > And add it if I dont misread you. > > Hillf > > --- a/sound/usb/endpoint.c > +++ b/sound/usb/endpoint.c > @@ -832,24 +832,14 @@ void snd_usb_endpoint_suspend(struct snd > */ > static int wait_clear_urbs(struct snd_usb_endpoint *ep) > { > - unsigned long end_time = jiffies + msecs_to_jiffies(1000); > - int alive; > - > - if (!test_bit(EP_FLAG_STOPPING, &ep->flags)) > - return 0; > - > + WARN_ON_ONCE(!test_bit(EP_FLAG_STOPPING, &ep->flags)); EP_FLAG_STOPPING is normally zero, hence putting a WARN_ON() shows just a false-positive. > do { > - alive = bitmap_weight(&ep->active_mask, ep->nurbs); > - if (!alive) > + if (!bitmap_weight(&ep->active_mask, ep->nurbs)) > break; > > schedule_timeout_uninterruptible(1); > - } while (time_before(jiffies, end_time)); > + } while (1); > > - if (alive) > - usb_audio_err(ep->chip, > - "timeout: still %d active urbs on EP #%x\n", > - alive, ep->ep_num); The original report didn't show the error, so it's not about the timeout. You're likely scratching a wrong surface, I'm afraid. > clear_bit(EP_FLAG_STOPPING, &ep->flags); > > ep->sync_sink = NULL; > @@ -1433,7 +1423,7 @@ void snd_usb_endpoint_stop(struct snd_us > WRITE_ONCE(ep->sync_source->sync_sink, NULL); > > if (!atomic_dec_return(&ep->running)) > - stop_and_unlink_urbs(ep, false, false); > + stop_and_unlink_urbs(ep, false, true); Please don't. This will lead to a sleep-in-atomic Oops. Takashi