Linux Sound subsystem development
* [PATCH] ALSA: usx2y: us144mkii: fix work UAF on disconnect
@ 2026-07-01  9:52 HyeongJun An
From: HyeongJun An @ 2026-07-01  9:52 UTC (permalink / raw)
  To: Takashi Iwai, Jaroslav Kysela
  Cc: Šerif Rami, linux-sound, linux-kernel, HyeongJun An, stable

tascam_disconnect() cancels capture_work and midi_in_work before
usb_kill_anchored_urbs() kills the capture/MIDI-in URBs.  Those URBs
self-resubmit, and their completion handlers reschedule the work.

A URB that completes in the small window between cancel_work_sync() and
usb_kill_anchored_urbs() therefore re-arms the work after its only
cancel.  Nothing cancels it again before snd_card_free() frees the
card-private tascam structure, so the work handler then runs on freed
memory.

Kill the anchored URBs before cancelling the work; once the work is
cancelled no remaining URB can complete to re-arm it.

Fixes: c1bb0c13e430 ("ALSA: usb-audio: us144mkii: Implement audio capture and decoding")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
---
 sound/usb/usx2y/us144mkii.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/sound/usb/usx2y/us144mkii.c b/sound/usb/usx2y/us144mkii.c
index 94553b61013c..58ef23146f20 100644
--- a/sound/usb/usx2y/us144mkii.c
+++ b/sound/usb/usx2y/us144mkii.c
@@ -585,19 +585,24 @@ static void tascam_disconnect(struct usb_interface *intf)
 		return;
 
 	if (intf->cur_altsetting->desc.bInterfaceNumber == 0) {
-		/* Ensure all deferred work is complete before freeing resources */
 		snd_card_disconnect(tascam->card);
-		cancel_work_sync(&tascam->stop_work);
-		cancel_work_sync(&tascam->capture_work);
-		cancel_work_sync(&tascam->midi_in_work);
-		cancel_work_sync(&tascam->midi_out_work);
-		cancel_work_sync(&tascam->stop_pcm_work);
 
+		/*
+		 * Kill the URBs before cancelling the work, so a late URB
+		 * completion cannot re-arm a work that then runs after
+		 * snd_card_free().
+		 */
 		usb_kill_anchored_urbs(&tascam->playback_anchor);
 		usb_kill_anchored_urbs(&tascam->capture_anchor);
 		usb_kill_anchored_urbs(&tascam->feedback_anchor);
 		usb_kill_anchored_urbs(&tascam->midi_in_anchor);
 		usb_kill_anchored_urbs(&tascam->midi_out_anchor);
+
+		cancel_work_sync(&tascam->stop_work);
+		cancel_work_sync(&tascam->capture_work);
+		cancel_work_sync(&tascam->midi_in_work);
+		cancel_work_sync(&tascam->midi_out_work);
+		cancel_work_sync(&tascam->stop_pcm_work);
 		timer_delete_sync(&tascam->error_timer);
 		tascam_free_urbs(tascam);
 		snd_card_free(tascam->card);
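Review bot: the new kill-then-cancel order closes the URB-completion-to-work path described in the commit message, but the reverse path is not covered by what is visible here: if any of the five work handlers (stop_work, midi_out_work or stop_pcm_work in particular) submits a URB, a work instance that runs after usb_kill_anchored_urbs() has returned but before its own cancel_work_sync() can submit a URB that the kill no longer covers and that is still in flight when tascam_free_urbs() runs. Please state in the commit message that none of the work handlers submits URBs, or, if one does, guard that submission with a disconnect flag set before the kills so that this ordering is sufficient. Minor: the added comment says "a work"; naming capture_work and midi_in_work, which the commit message identifies as the ones re-armed by completions, would help the next reader see why the order matters.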
-- 
2.43.0



* Re: [PATCH] ALSA: usx2y: us144mkii: fix work UAF on disconnect
From: Takashi Iwai @ 2026-07-01 11:56 UTC (permalink / raw)
  To: HyeongJun An
  Cc: Takashi Iwai, Jaroslav Kysela, Šerif Rami, linux-sound,
	linux-kernel, stable

On Wed, 01 Jul 2026 11:52:31 +0200,
HyeongJun An wrote:
> 
> tascam_disconnect() cancels capture_work and midi_in_work before
> usb_kill_anchored_urbs() kills the capture/MIDI-in URBs.  Those URBs
> self-resubmit, and their completion handlers reschedule the work.
> 
> A URB that completes in the small window between cancel_work_sync() and
> usb_kill_anchored_urbs() therefore re-arms the work after its only
> cancel.  Nothing cancels it again before snd_card_free() frees the
> card-private tascam structure, so the work handler then runs on freed
> memory.
> 
> Kill the anchored URBs before cancelling the work; once the work is
> cancelled no remaining URB can complete to re-arm it.
> 
> Fixes: c1bb0c13e430 ("ALSA: usb-audio: us144mkii: Implement audio capture and decoding")
> Cc: stable@vger.kernel.org
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: HyeongJun An <sammiee5311@gmail.com>

Applied now.  Thanks.


Takashi
