From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Takashi Iwai <tiwai@suse.de>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Andrey Konovalov <andreyknvl@google.com>
Subject: Re: [PATCH 3.18 08/19] ALSA: usb-audio: Kill stray URB at exiting
Date: Tue, 17 Oct 2017 16:07:52 +0200 [thread overview]
Message-ID: <20171017140752.GA1486@kroah.com> (raw)
In-Reply-To: <s5hpo9nylk5.wl-tiwai@suse.de>
On Mon, Oct 16, 2017 at 08:50:02PM +0200, Takashi Iwai wrote:
> On Mon, 16 Oct 2017 18:11:59 +0200,
> Greg Kroah-Hartman wrote:
> >
> > 3.18-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Takashi Iwai <tiwai@suse.de>
> >
> > commit 124751d5e63c823092060074bd0abaae61aaa9c4 upstream.
> >
> > USB-audio driver may leave a stray URB for the mixer interrupt when it
> > exits by some error during probe. This leads to a use-after-free
> > error as spotted by syzkaller like:
> > ==================================================================
> > BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
> > Call Trace:
> > <IRQ>
> > __dump_stack lib/dump_stack.c:16
> > dump_stack+0x292/0x395 lib/dump_stack.c:52
> > print_address_description+0x78/0x280 mm/kasan/report.c:252
> > kasan_report_error mm/kasan/report.c:351
> > kasan_report+0x23d/0x350 mm/kasan/report.c:409
> > __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
> > snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
> > __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
> > ....
> >
> > Allocated by task 1484:
> > save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
> > save_stack+0x43/0xd0 mm/kasan/kasan.c:447
> > set_track mm/kasan/kasan.c:459
> > kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
> > kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
> > kmalloc ./include/linux/slab.h:493
> > kzalloc ./include/linux/slab.h:666
> > snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
> > create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
> > snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
> > create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
> > snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
> > usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
> > ....
> >
> > Freed by task 1484:
> > save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
> > save_stack+0x43/0xd0 mm/kasan/kasan.c:447
> > set_track mm/kasan/kasan.c:459
> > kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
> > slab_free_hook mm/slub.c:1390
> > slab_free_freelist_hook mm/slub.c:1412
> > slab_free mm/slub.c:2988
> > kfree+0xf6/0x2f0 mm/slub.c:3919
> > snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
> > snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
> > __snd_device_free+0x1ff/0x380 sound/core/device.c:91
> > snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
> > snd_card_do_free sound/core/init.c:461
> > release_card_device+0x47/0x170 sound/core/init.c:181
> > device_release+0x13f/0x210 drivers/base/core.c:814
> > ....
> >
> > Actually such a URB is killed properly at disconnection when the
> > device gets probed successfully, and what we need is to apply it for
> > the error-path, too.
> >
> > In this patch, we apply snd_usb_mixer_disconnect() at releasing.
> > Also introduce a new flag, disconnected, to struct usb_mixer_interface
> > for not performing the disconnection procedure twice.
> >
> > Reported-by: Andrey Konovalov <andreyknvl@google.com>
> > Tested-by: Andrey Konovalov <andreyknvl@google.com>
> > Signed-off-by: Takashi Iwai <tiwai@suse.de>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> > ---
> > sound/usb/mixer.c | 12 ++++++++++--
> > sound/usb/mixer.h | 2 ++
> > 2 files changed, 12 insertions(+), 2 deletions(-)
> >
> > --- a/sound/usb/mixer.c
> > +++ b/sound/usb/mixer.c
> > @@ -2157,6 +2157,9 @@ static int parse_audio_unit(struct mixer
> >
> > static void snd_usb_mixer_free(struct usb_mixer_interface *mixer)
> > {
> > + /* kill pending URBs */
> > + snd_usb_mixer_disconnect(mixer);
> > +
> > kfree(mixer->id_elems);
> > if (mixer->urb) {
> > kfree(mixer->urb->transfer_buffer);
> > @@ -2501,8 +2504,13 @@ void snd_usb_mixer_disconnect(struct lis
> > /* stop any bus activity of a mixer */
> > static void snd_usb_mixer_inactivate(struct usb_mixer_interface *mixer)
> > {
> > - usb_kill_urb(mixer->urb);
> > - usb_kill_urb(mixer->rc_urb);
> > + if (mixer->disconnected)
> > + return;
> > + if (mixer->urb)
> > + usb_kill_urb(mixer->urb);
> > + if (mixer->rc_urb)
> > + usb_kill_urb(mixer->rc_urb);
> > + mixer->disconnected = true;
>
> This looks applied wrongly, as already caught by kbuild bot.
> The snd_usb_mixer_disconnect() argument changed in the later kernel,
> thus the patch couldn't be applied cleanly as is.
>
> Below is the revised patch (but only compile-tested).
Ah, my fault for missing the build warning, thanks for the update, now
applied and pushed out.
greg k-h
next prev parent reply other threads:[~2017-10-17 14:07 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-16 16:11 [PATCH 3.18 00/19] 3.18.76-stable review Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 01/19] ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 02/19] CIFS: Reconnect expired SMB sessions Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 03/19] HID: usbhid: fix out-of-bounds bug Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 05/19] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 06/19] usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 07/19] iommu/amd: Finish TLB flush in amd_iommu_unmap() Greg Kroah-Hartman
2017-10-16 16:11 ` [PATCH 3.18 08/19] ALSA: usb-audio: Kill stray URB at exiting Greg Kroah-Hartman
2017-10-16 18:50 ` Takashi Iwai
2017-10-17 14:07 ` Greg Kroah-Hartman [this message]
2017-10-16 16:12 ` [PATCH 3.18 09/19] ALSA: seq: Fix use-after-free at creating a port Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 10/19] ALSA: seq: Fix copy_from_user() call inside lock Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 11/19] ALSA: caiaq: Fix stray URB at probe error path Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 12/19] usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 13/19] direct-io: Prevent NULL pointer access in submit_page_section Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 14/19] fix unbalanced page refcounting in bio_map_user_iov Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 15/19] USB: serial: cp210x: add support for ELV TFD500 Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 16/19] USB: serial: option: add support for TP-Link LTE module Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 17/19] USB: serial: qcserial: add Dell DW5818, DW5819 Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 18/19] USB: serial: console: fix use-after-free after failed setup Greg Kroah-Hartman
2017-10-16 16:12 ` [PATCH 3.18 19/19] ALSA: seq: Fix missing NULL check at remove_events ioctl Greg Kroah-Hartman
2017-10-16 23:42 ` [PATCH 3.18 00/19] 3.18.76-stable review Shuah Khan
2017-10-17 0:23 ` Guenter Roeck
[not found] ` <59e53ebe.532f1c0a.7d93d.9f31@mx.google.com>
2017-10-17 13:22 ` Greg Kroah-Hartman
2017-10-19 12:21 ` Kevin Hilman
2017-10-19 13:45 ` Guillaume Tucker
2017-10-17 14:40 ` Greg Kroah-Hartman
2017-10-17 18:12 ` Shuah Khan
2017-10-18 7:09 ` Greg Kroah-Hartman
[not found] ` <CALpmF+Fgzn6mzp_ReEfcQ7t=LvSTK5uDP_jftV_Cf1dBf1h0wQ@mail.gmail.com>
2017-10-18 7:09 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171017140752.GA1486@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=andreyknvl@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.