From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com,
Jeongjun Park <aha310510@gmail.com>, Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 6.12 24/35] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
Date: Fri, 10 Oct 2025 15:16:26 +0200 [thread overview]
Message-ID: <20251010131332.665649277@linuxfoundation.org> (raw)
In-Reply-To: <20251010131331.785281312@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit 9f2c0ac1423d5f267e7f1d1940780fc764b0fee3 upstream.
The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the
endpoint delete, a race condition to UAF still occurs, albeit rarely.
Additionally, since kill-cleanup for urb is also missing, freed memory can
be accessed in interrupt context related to urb, which can cause UAF.
Therefore, to prevent this, error timer and urb must be killed before
freeing the heap memory.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/midi.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_
{
int i;
+ if (!umidi->disconnected)
+ snd_usbmidi_disconnect(&umidi->list);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
- if (ep->out)
- snd_usbmidi_out_endpoint_delete(ep->out);
- if (ep->in)
- snd_usbmidi_in_endpoint_delete(ep->in);
+ kfree(ep->out);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}
next prev parent reply other threads:[~2025-10-10 13:21 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-10 13:16 [PATCH 6.12 00/35] 6.12.52-rc1 review Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 01/35] wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait() Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 02/35] media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 03/35] USB: serial: option: add SIMCom 8230C compositions Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 04/35] Bluetooth: btusb: Add USB ID 2001:332a for D-Link AX9U rev. A1 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 05/35] wifi: rtlwifi: rtl8192cu: Dont claim USB ID 07b8:8188 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 06/35] wifi: rtl8xxxu: " Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 07/35] rust: block: fix `srctree/` links Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 08/35] ASoC: amd: acp: Adjust pdm gain value Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 09/35] dm-integrity: limit MAX_TAG_SIZE to 255 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 10/35] platform/x86/amd/pmc: Add MECHREVO Yilong15Pro to spurious_8042 list Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 11/35] perf subcmd: avoid crash in exclude_cmds when excludes is empty Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 12/35] platform/x86/amd/pmf: Support new ACPI ID AMDI0108 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 13/35] ASoC: rt5682s: Adjust SAR ADC button mode to fix noise issue Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 14/35] btrfs: ref-verify: handle damaged extent root tree Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 15/35] netfs: Prevent duplicate unlocking Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 16/35] can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 17/35] can: rcar_canfd: Fix controller mode setting Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 18/35] platform/x86/amd/pmc: Add Stellaris Slim Gen6 AMD to spurious 8042 quirks list Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 19/35] drm/amd : Update MES API header file for v11 & v12 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 20/35] drm/amd/include : MES v11 and v12 API header update Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 21/35] drm/amd/include : Update MES v12 API for fence update Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 22/35] drm/amdgpu: Enable MES lr_compute_wa by default Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 23/35] ALSA: usb-audio: Kill timer properly at removal Greg Kroah-Hartman
2025-10-10 13:16 ` Greg Kroah-Hartman [this message]
2025-10-10 13:16 ` [PATCH 6.12 25/35] hid: fix I2C read buffer overflow in raw_event() for mcp2221 Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 26/35] nvmem: layouts: fix automatic module loading Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 27/35] binder: fix double-free in dbitmap Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 28/35] serial: stm32: allow selecting console when the driver is module Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 29/35] staging: axis-fifo: fix maximum TX packet length check Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 30/35] staging: axis-fifo: fix TX handling on copy_from_user() failure Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 31/35] staging: axis-fifo: flush RX FIFO on read errors Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 32/35] driver core/PM: Set power.no_callbacks along with power.no_pm Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 33/35] crypto: rng - Ensure set_ent is always present Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 34/35] net/9p: fix double req put in p9_fd_cancelled Greg Kroah-Hartman
2025-10-10 13:16 ` [PATCH 6.12 35/35] KVM: x86: Dont (re)check L1 intercepts when completing userspace I/O Greg Kroah-Hartman
2025-10-10 17:15 ` [PATCH 6.12 00/35] 6.12.52-rc1 review Jon Hunter
2025-10-10 20:30 ` Brett Mastbergen
2025-10-10 22:21 ` Shuah Khan
2025-10-11 7:30 ` Pavel Machek
2025-10-11 8:59 ` Naresh Kamboju
2025-10-11 10:58 ` Mark Brown
2025-10-11 11:44 ` Ron Economos
2025-10-11 16:59 ` Brett A C Sheffield
2025-10-11 19:59 ` Peter Schneider
2025-10-12 9:30 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251010131332.665649277@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aha310510@gmail.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).