Date: Wed, 03 Nov 2021 16:52:31 +0100
From: Takashi Iwai
To: Wang Wensheng
Subject: Re: [PATCH -next v2] ALSA: timer: Fix use-after-free problem
In-Reply-To: <20211103033517.80531-1-wangwensheng4@huawei.com>
References: <20211103033517.80531-1-wangwensheng4@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 03 Nov 2021 04:35:17 +0100, Wang Wensheng wrote:
>
> When the timer instance was added into ack_list but was not currently in
> process, the user could stop it via snd_timer_stop1() without deleting it
> from the ack_list. Then the user could free the timer instance, and when
> it was actually processed a UAF occurred.
>
> This issue could be reproduced via testcase snd_timer01 in ltp, running
> several instances of that testcase at the same time.
>
> What I actually met was that the ack_list of the timer was broken and the
> kernel went into a dead loop with IRQs off. That could be detected by the
> hardlockup detector on board, or when we run it on qemu we could use gdb
> to dump the ack_list when the console has no response.
>
> To fix this issue, we delete the timer instance from ack_list and
> active_list unconditionally in snd_timer_stop1().
>
> Signed-off-by: Wang Wensheng
> Suggested-by: Takashi Iwai

Thanks, applied now.

Takashi
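The list bookkeeping the commit message describes, as an added model that is not the kernel's code or the patch itself: a minimal intrusive list stands in for list_head, and the stop path that leaves the ack_list entry behind is shown beside the fixed one that unlinks unconditionally. All struct and function names are constructed for illustration, and "free" is modelled as a flag rather than a real free() so the dangling-entry check can run safely.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal stand-in for the kernel's intrusive list_head (constructed model, not kernel code). */
struct list_head { struct list_head *next, *prev; };
void list_init(struct list_head *h) { h->next = h; h->prev = h; }
void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}
/* Hypothetical timer instance: on active_list while running, on ack_list while a
 * tick from the timer interrupt is queued but not yet processed. */
struct timeri { struct list_head active_list, ack_list; bool freed; };
struct timer  { struct list_head active_head, ack_head; };

/* Stop path as the commit message describes the bug: the instance leaves
 * active_list, but a queued ack_list entry that is not being processed stays put. */
void stop1_buggy(struct timeri *ti) { list_del_init(&ti->active_list); }
/* Fixed stop path: unlink from both lists unconditionally. list_del_init() on an
 * already-unlinked node is a no-op, so this is safe whether or not an ack was queued. */
void stop1_fixed(struct timeri *ti) {
    list_del_init(&ti->active_list);
    list_del_init(&ti->ack_list);
}
/* Count ack_list entries that still point at an instance the user has freed; the
 * next tick would dereference them (the UAF / broken ack_list symptom in the report). */
int dangling_acks(const struct timer *t) {
    int n = 0;
    for (const struct list_head *p = t->ack_head.next; p != &t->ack_head; p = p->next) {
        const struct timeri *ti = (const struct timeri *)((const char *)p - offsetof(struct timeri, ack_list));
        if (ti->freed) n++;
    }
    return n;
}
/* Scenario from the report: an ack is queued, the user stops the timer, then frees
 * the instance before that ack is processed. Returns the number of dangling acks. */
int run_scenario(bool fixed) {
    struct timer t; struct timeri ti;
    list_init(&t.active_head); list_init(&t.ack_head);
    list_init(&ti.active_list); list_init(&ti.ack_list); ti.freed = false;
    list_add_tail(&ti.active_list, &t.active_head); /* start: instance becomes active */
    list_add_tail(&ti.ack_list, &t.ack_head);       /* interrupt queues an ack for it */
    if (fixed) stop1_fixed(&ti); else stop1_buggy(&ti);
    ti.freed = true;                                /* modelled free: a flag, no real free() */
    return dangling_acks(&t);
}
```

With the buggy stop the freed instance is still reachable from ack_list (one dangling entry); with the fixed stop the list is empty and the later free is harmless.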