Date: Wed, 03 Nov 2021 17:06:41 +0100
From: Takashi Iwai
To: Wang Wensheng
Subject: Re: [PATCH -next v2] ALSA: timer: Fix use-after-free problem
References: <20211103033517.80531-1-wangwensheng4@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 03 Nov 2021 16:52:31 +0100,
Takashi Iwai wrote:
>
> On Wed, 03 Nov 2021 04:35:17 +0100,
> Wang Wensheng wrote:
> >
> > When the timer instance was added into ack_list but was not currently in
> > process, the user could stop it via snd_timer_stop1() without deleting it
> > from the ack_list. Then the user could free the timer instance, and when
> > it was actually processed a UAF occurred.
> >
> > This issue could be reproduced via testcase snd_timer01 in ltp - running
> > several instances of that testcase at the same time.
> >
> > What I actually met was that the ack_list of the timer was broken and the
> > kernel went into a dead loop with IRQs off. That could be detected by the
> > hardlockup detector on board, or when we run it on qemu we could use gdb
> > to dump the ack_list when the console has no response.
> >
> > To fix this issue, we delete the timer instance from ack_list and
> > active_list unconditionally in snd_timer_stop1().
> >
> > Signed-off-by: Wang Wensheng
> > Suggested-by: Takashi Iwai
>
> Thanks, applied now.
BTW, while reviewing the patch, I noticed that we also have a similar code path for a slave timer instance that has the same kind of linked list entries. I'll submit the corresponding fix patch.

Takashi
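The failure mode in the commit message, reduced to a stand-alone model. This is an added example, not ALSA's code and not the patch itself: it reimplements a kernel-style intrusive list, a timer with an ack queue and an active queue, and two shapes of the stop routine. The names (IFLG_RUNNING, stop_buggy, stop_fixed, timer_fire_oneshot) are hypothetical, and modelling "not currently in process" as an instance whose running flag was already cleared by the interrupt path before the user's stop call is an assumption about the pre-fix control flow, not something the thread states.

```c
#include <stddef.h>

/* Minimal kernel-style intrusive list, reimplemented here (assumption). */
struct list_head { struct list_head *next, *prev; };

static void init_list(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}
/* Unlink and re-init: a second unlink is a no-op, so unconditional use is safe. */
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    init_list(n);
}
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

#define IFLG_RUNNING 0x1 /* hypothetical stand-in for the kernel's running flag */

struct timer_instance {
    unsigned int flags;
    struct list_head ack_list;    /* node in the timer's ack queue */
    struct list_head active_list; /* node in the timer's active queue */
};
struct timer { struct list_head ack_head, active_head; };

static void instance_init(struct timer_instance *ti)
{
    ti->flags = 0; init_list(&ti->ack_list); init_list(&ti->active_list);
}
static void timer_start(struct timer *t, struct timer_instance *ti)
{
    ti->flags |= IFLG_RUNNING;
    list_add_tail(&ti->active_list, &t->active_head);
}
/* Interrupt side of a one-shot instance (assumption: a loose model, not the
 * kernel's code): queue it for ack, clear RUNNING; the ack callback runs later. */
static void timer_fire_oneshot(struct timer *t, struct timer_instance *ti)
{
    list_del_init(&ti->active_list);
    ti->flags &= ~IFLG_RUNNING;
    list_add_tail(&ti->ack_list, &t->ack_head);
}

/* Pre-fix shape: a no-longer-running instance is rejected before it is unlinked. */
static int stop_buggy(struct timer_instance *ti)
{
    if (!(ti->flags & IFLG_RUNNING))
        return -1; /* -EBUSY in the kernel; ack_list node stays queued */
    list_del_init(&ti->ack_list);
    list_del_init(&ti->active_list);
    return 0;
}
/* Post-fix shape: unlink from both lists first, unconditionally. */
static int stop_fixed(struct timer_instance *ti)
{
    list_del_init(&ti->ack_list);
    list_del_init(&ti->active_list);
    return (ti->flags & IFLG_RUNNING) ? 0 : -1;
}

/* Is ti still reachable from the ack queue (what the next ack pass derefs)? */
static int ack_queue_references(struct timer *t, struct timer_instance *ti)
{
    struct list_head *p;
    for (p = t->ack_head.next; p != &t->ack_head; p = p->next)
        if (container_of(p, struct timer_instance, ack_list) == ti)
            return 1;
    return 0;
}

/* start -> fire -> stop; 1 if an ack_list entry still dangles (UAF once freed). */
static int run_scenario(int (*stop)(struct timer_instance *))
{
    struct timer t;
    struct timer_instance ti; /* stands in for the kmalloc'd instance */
    init_list(&t.ack_head); init_list(&t.active_head);
    instance_init(&ti);
    timer_start(&t, &ti);
    timer_fire_oneshot(&t, &ti);
    (void)stop(&ti);
    return ack_queue_references(&t, &ti);
}

/* The caveat behind "unconditionally": stopping a never-queued instance must
 * not corrupt its nodes. Returns 1 if both stay self-linked. */
static int stop_never_queued_is_safe(void)
{
    struct timer_instance ti;
    instance_init(&ti);
    (void)stop_fixed(&ti);
    return list_empty(&ti.ack_list) && list_empty(&ti.active_list);
}
```

run_scenario(stop_buggy) returns 1: the instance is left on the ack queue, and once the caller frees it the next ack pass walks into freed memory, which is the use-after-free (and, with the freed memory reused, the broken ack_list and the dead loop the commit message describes). run_scenario(stop_fixed) returns 0. The unconditional unlink is only safe because list_del_init leaves the node self-linked; the kernel's plain list_del poisons next/prev instead, so unlinking an already-unlinked node that way would corrupt the list.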