From: Takashi Iwai <tiwai@suse.de>
To: cujomalainey@chromium.org
Cc: alsa-devel@alsa-project.org,
Doug Anderson <dianders@chromium.org>,
Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>,
Zheyu Ma <zheyuma97@gmail.com>, Dan Carpenter <error27@gmail.com>,
"Maciej S. Szmigiero" <maciej.szmigiero@oracle.com>,
Clement Lecigne <clecigne@google.com>,
Ivan Orlov <ivan.orlov0322@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: [PATCH] sound: core: fix device ownership model in card and pcm
Date: Wed, 02 Aug 2023 08:42:27 +0200
Message-ID: <87cz06djxo.wl-tiwai@suse.de>
In-Reply-To: <20230801171928.1460120-1-cujomalainey@chromium.org>
On Tue, 01 Aug 2023 19:18:41 +0200,
cujomalainey@chromium.org wrote:
>
> From: Curtis Malainey <cujomalainey@chromium.org>
>
> The current implementation of how devices are released is valid for
> production use cases (root control of memory is handled by card_dev; all
> other devices are no-ops).
>
> This model does not work, though, in a kernel hacking environment where
> KASAN and delayed release on kobj are enabled. If the card_dev device is
> released before any of the child objects, a use-after-free bug is caught
> by KASAN, as the delayed release still has a reference to the devices
> that were freed by the card_dev release. Also, snd_card and snd_pcm
> both own two devices internally, so even if they were released
> independently, the shared struct would result in another use-after-free.
>
> The solution is to move the child devices into their own memory so they can
> be handled independently and released on their own schedule.
>
> Signed-off-by: Curtis Malainey <cujomalainey@chromium.org>
> Cc: Doug Anderson <dianders@chromium.org>
Thanks, it's an interesting bug.

I'm not much against the proposed solution, but still this has to be
carefully evaluated. So, could you give more details about the bug
itself? It's related to CONFIG_DEBUG_KOBJECT_RELEASE, right?
In which condition is it triggered, and what does the UAF look like?

Takashi
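The ownership problem the quoted commit message describes, as an added example that is not part of this thread or of the ALSA code: a small C model in which each device's release is deferred to a queue (standing in for a kobject under CONFIG_DEBUG_KOBJECT_RELEASE) and a toy quarantining allocator plays the role of KASAN. The structs, function names and the three scenarios are hypothetical; snd_card and snd_pcm are not modelled beyond the fact that a parent owns two devices. With the children embedded in the parent, releasing the parent first leaves the children's pending releases pointing into freed memory, and even an "independent" release by one child frees the struct the other still lives in; with separately allocated children, release order no longer matters.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy KASAN: freed blocks are quarantined (never reused) and remembered,
 * so a later access to one can be recognised as a use-after-free. */
struct block { char *p; size_t n; bool freed; };
static struct block blocks[16];
static int nblocks;

static void *dbg_alloc(size_t n)
{
    blocks[nblocks] = (struct block){ calloc(1, n), n, false };
    return blocks[nblocks++].p;
}

static struct block *find_block(const void *p)
{
    const char *c = p;
    for (int i = 0; i < nblocks; i++)
        if (c >= blocks[i].p && c < blocks[i].p + blocks[i].n)
            return &blocks[i];
    return NULL;
}

/* Quarantine only: the block containing p is marked freed but stays mapped. */
static void dbg_free(void *p) { find_block(p)->freed = true; }
static bool is_freed(const void *p) { struct block *b = find_block(p); return b && b->freed; }
static void dbg_reset(void) { while (nblocks) free(blocks[--nblocks].p); }  /* real free, between runs */

/* Refcounted device whose release is deferred to a queue: a simplified,
 * hypothetical stand-in for a kobject under CONFIG_DEBUG_KOBJECT_RELEASE. */
struct device { int refcount; void (*release)(struct device *dev); };
static struct device *pending[8];
static int npending;

static void device_put(struct device *dev)
{
    if (--dev->refcount == 0)
        pending[npending++] = dev;   /* release runs later, not here */
}

/* Runs the queued releases in order and returns how many would have touched
 * already-freed memory, which is where KASAN reports the UAF. */
static int run_delayed_releases(void)
{
    int uaf = 0;
    for (int i = 0; i < npending; i++) {
        if (is_freed(pending[i])) { uaf++; continue; }
        pending[i]->release(pending[i]);
    }
    npending = 0;
    return uaf;
}

static void noop_release(struct device *dev) { (void)dev; }
static void free_containing_block(struct device *dev) { dbg_free(dev); }

struct parent_embedded { struct device root, child_a, child_b; };          /* one allocation */
struct parent_separate { struct device root; struct device *child_a, *child_b; }; /* children own theirs */

enum model { EMBEDDED_ROOT_FREES, EMBEDDED_EACH_FREES, SEPARATE_ALLOCS };

/* Builds one parent with two children, drops every reference, runs the
 * deferred releases and returns how many UAFs the toy KASAN caught. */
static int run_scenario(enum model m)
{
    int uaf;
    dbg_reset();
    if (m == SEPARATE_ALLOCS) {
        struct parent_separate *p = dbg_alloc(sizeof *p);
        struct device *a = p->child_a = dbg_alloc(sizeof(struct device));
        struct device *b = p->child_b = dbg_alloc(sizeof(struct device));
        p->root = (struct device){ 1, free_containing_block };  /* frees only the parent */
        *a = *b = (struct device){ 1, free_containing_block };  /* each child frees itself */
        device_put(&p->root);   /* parent may go first: the children do not live in it */
        device_put(a);
        device_put(b);
    } else {
        struct parent_embedded *p = dbg_alloc(sizeof *p);
        void (*child_rel)(struct device *) =
            m == EMBEDDED_ROOT_FREES ? noop_release : free_containing_block;
        p->root = (struct device){ 1, free_containing_block };
        p->child_a = p->child_b = (struct device){ 1, child_rel };
        if (m == EMBEDDED_ROOT_FREES) {
            device_put(&p->root);     /* root release frees the block ... */
            device_put(&p->child_a);  /* ... then each child's deferred release hits it */
            device_put(&p->child_b);
        } else {
            device_put(&p->child_a);  /* independent release: child_a frees the shared block */
            device_put(&p->child_b);  /* child_b and root then run on freed memory */
            device_put(&p->root);
        }
    }
    uaf = run_delayed_releases();
    dbg_reset();
    return uaf;
}
```

Call `run_scenario()` with each `enum model` value from a `main` or a test harness: both embedded models return 2 caught accesses and the separate model returns 0. The toy allocator only quarantines, so nothing here dereferences freed memory; in a real kernel the same access at the deferred `release` call is what KASAN reports.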
Thread overview: 17+ messages
2023-08-01 17:18 [PATCH] sound: core: fix device ownership model in card and pcm cujomalainey
2023-08-02 3:29 ` kernel test robot
2023-08-02 3:51 ` kernel test robot
2023-08-02 6:42 ` Takashi Iwai [this message]
2023-08-02 17:06 ` Curtis Malainey
2023-08-02 17:43 ` [PATCH v2] " cujomalainey
2023-08-03 6:49 ` Greg Kroah-Hartman
2023-08-03 9:46 ` Dan Carpenter
2023-08-03 9:49 ` [PATCH] " Dan Carpenter
2023-08-03 13:06 ` Takashi Iwai
2023-08-03 15:35 ` Takashi Iwai
2023-08-03 23:39 ` Curtis Malainey
2023-08-04 8:58 ` Takashi Iwai
2023-08-04 19:17 ` Curtis Malainey
2023-08-05 8:09 ` Takashi Iwai
2023-08-06 18:32 ` Takashi Iwai
2023-08-07 13:43 ` Takashi Iwai