Subject: Re: [PATCH -next] ALSA: timer: Fix use-after-free problem
To: Takashi Iwai
References: <20211102134107.35126-1-wangwensheng4@huawei.com>
From: "wangwensheng (C)"
Message-ID: <3b02dd76-d952-e38e-bc0c-c8a121919720@huawei.com>
Date: Wed, 3 Nov 2021 11:27:58 +0800
X-Mailing-List: linux-kernel@vger.kernel.org

On 2021/11/2 22:10, Takashi Iwai wrote:
> On Tue, 02 Nov 2021 14:41:07 +0100,
> Wang Wensheng wrote:
>>
>> When the timer instance was added into ack_list but was not currently in
>> process, the user could stop it via snd_timer_stop1() without deleting it
>> from the ack_list. Then the user could free the timer instance and when
>> it was actually processed a UAF occurred.
>>
>> This issue could be reproduced via testcase snd_timer01 in ltp - running
>> several instances of that testcase at the same time.
>>
>> What I actually met was that the ack_list of the timer was broken and the
>> kernel went into a dead loop with irqs off. That could be detected by the
>> hardlockup detector on board, or when we run it on qemu we could use gdb
>> to dump the ack_list when the console has no response.
>>
>> To fix this issue, we introduce a new flag SNDRV_TIMER_IFLG_ACKING to
>> indicate the state where the timer instance is in ack_list but not
>> currently processed and check against the new flag in snd_timer_stop1()
>> and delete it from ack_list if the flag is set.
>>
>> Signed-off-by: Wang Wensheng
>
> Thanks for the patch. Just through a quick glance, I wonder whether
> it'd be easier to do list_del_init(&timeri->ack_list) unconditionally
> before the check of timeri->flags in snd_timer1_stop(). Ditto for
> active_list. So something like:
>

Thanks for your suggestions. It looks much more efficient and easier and
is also effective. I will take this as a second version.

> --- a/sound/core/timer.c
> +++ b/sound/core/timer.c
> @@ -624,13 +624,13 @@ static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop)
>  	if (!timer)
>  		return -EINVAL;
>  	spin_lock_irqsave(&timer->lock, flags);
> +	list_del_init(&timeri->ack_list);
> +	list_del_init(&timeri->active_list);
>  	if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
>  			       SNDRV_TIMER_IFLG_START))) {
>  		result = -EBUSY;
>  		goto unlock;
>  	}
> -	list_del_init(&timeri->ack_list);
> -	list_del_init(&timeri->active_list);
>  	if (timer->card && timer->card->shutdown)
>  		goto unlock;
>  	if (stop) {
>
>
> Takashi
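Review bot: moving the two list_del_init() calls ahead of the flags check (the two `+` lines) is only safe because list_del_init() on a node that is already self-linked is a no-op, which in turn requires that ack_list and active_list are initialised with INIT_LIST_HEAD() when the instance is created and never left in a torn state; the v2 commit message should state that invariant explicitly. It should also say that the -EBUSY path now deliberately unlinks an instance that is queued in ack_list but has RUNNING/START already clear, since that is exactly the window the original SNDRV_TIMER_IFLG_ACKING patch was trying to close, and a reader seeing only `result = -EBUSY; goto unlock;` after the unlink will otherwise wonder why a "busy" instance is being detached.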
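Added example, not kernel code and not part of either patch: a user-space model of the kernel's intrusive list_head and of the ack_list handling in snd_timer_stop1(), showing why the original ordering leaves a stopped instance linked (so a later free leaves the list pointing at freed memory) and why the unconditional list_del_init() ordering is safe even when the node is not linked. IFLG_RUNNING, IFLG_START, EBUSY_RET, stop1_old and stop1_new are this example's own simplified stand-ins; active_list is left out for brevity.

```c
/* Added example: user-space model of the kernel list_head and of the
 * ack_list handling in snd_timer_stop1(); not kernel code. */
#include <stdbool.h>
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head) {
	n->prev = head->prev; n->next = head;
	head->prev->next = n; head->prev = n;
}
/* Unlink and re-initialise the node: calling it again on the same node,
 * or on a node that was never linked, only rewrites its own pointers. */
static void list_del_init(struct list_head *n) {
	n->prev->next = n->next; n->next->prev = n->prev;
	INIT_LIST_HEAD(n);
}
static bool list_empty(const struct list_head *h) { return h->next == h; }
#define IFLG_RUNNING 0x1   /* stand-in for SNDRV_TIMER_IFLG_RUNNING */
#define IFLG_START   0x2   /* stand-in for SNDRV_TIMER_IFLG_START */
#define EBUSY_RET    (-16) /* stand-in for -EBUSY */
struct timer_instance { unsigned flags; struct list_head ack_list; };
struct timer { struct list_head ack_list_head; };
/* Original ordering: the flag check comes first, so an instance that is
 * queued in ack_list with RUNNING/START already clear is left linked, and
 * the caller may free it while the list still points at it (the UAF). */
static int stop1_old(struct timer_instance *ti) {
	if (!(ti->flags & (IFLG_RUNNING | IFLG_START)))
		return EBUSY_RET;
	list_del_init(&ti->ack_list);
	return 0;
}
/* Suggested ordering: unlink unconditionally, then check the flags. */
static int stop1_new(struct timer_instance *ti) {
	list_del_init(&ti->ack_list);
	if (!(ti->flags & (IFLG_RUNNING | IFLG_START)))
		return EBUSY_RET;
	return 0;
}
/* Queue an instance whose flags are already clear, run one stop1 variant
 * and report whether the instance is still reachable from the timer. */
static bool still_queued_after_stop(int (*stop1)(struct timer_instance *)) {
	struct timer t;
	struct timer_instance ti = { .flags = 0 };
	INIT_LIST_HEAD(&t.ack_list_head);
	INIT_LIST_HEAD(&ti.ack_list);
	list_add_tail(&ti.ack_list, &t.ack_list_head);
	stop1(&ti);
	return !list_empty(&t.ack_list_head);
}
```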