From: Wang Wensheng
Subject: [PATCH -next v2] ALSA: timer: Fix use-after-free problem
Date: Wed, 3 Nov 2021 03:35:17 +0000
Message-ID: <20211103033517.80531-1-wangwensheng4@huawei.com>
X-Mailer: git-send-email 2.17.1
X-Mailing-List: linux-kernel@vger.kernel.org

When the timer instance was added into ack_list but was not currently in process, the user could stop it via snd_timer_stop1() without deleting it from the ack_list. Then the user could free the timer instance, and when it was actually processed a UAF occurred.

This issue could be reproduced via testcase snd_timer01 in ltp - running several instances of that testcase at the same time. What I actually met was that the ack_list of the timer was broken and the kernel went into a deadloop with irq off. That could be detected by the hardlockup detector on board, or when we run it on qemu, we could use gdb to dump the ack_list when the console has no response.

To fix this issue, we delete the timer instance from ack_list and active_list unconditionally in snd_timer_stop1().

Signed-off-by: Wang Wensheng
Suggested-by: Takashi Iwai
---
sound/core/timer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/core/timer.c b/sound/core/timer.c
index 92b7008fcdb8..4f9bab931951 100644
--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -624,13 +624,13 @@ static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop) if (!timer) return -EINVAL; spin_lock_irqsave(&timer->lock, flags); + list_del_init(&timeri->ack_list); + list_del_init(&timeri->active_list); if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START))) { result = -EBUSY; goto unlock; } - list_del_init(&timeri->ack_list); - list_del_init(&timeri->active_list); if (timer->card && timer->card->shutdown) goto unlock; if (stop) { -- 2.17.1
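Review bot: The commit message carries no Fixes: tag and no Cc: stable line, although this hunk fixes a use-after-free reachable from user space via snd_timer_stop1(); please add the Fixes: reference for the commit that introduced the conditional list_del_init() calls and Cc stable. On the hunk itself, hoisting `list_del_init(&timeri->ack_list);` and `list_del_init(&timeri->active_list);` above the `SNDRV_TIMER_IFLG_RUNNING | SNDRV_TIMER_IFLG_START` check relies on list_del_init() being a no-op on an already-unlinked, initialized list head, so both heads of the instance must be initialized at creation before any caller can reach this function; it would help to state that in the changelog, since the unlink now also runs on the -EBUSY path where it previously did not.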