From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 3.14 45/53] ALSA: dummy: Fix a use-after-free at closing
Date: Mon, 25 Jul 2016 13:55:27 -0700 [thread overview]
Message-ID: <20160725203516.341301397@linuxfoundation.org> (raw)
In-Reply-To: <20160725203514.202312855@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit d5dbbe6569481bf12dcbe3e12cff72c5f78d272c upstream.
syzkaller fuzzer spotted a potential use-after-free case in snd-dummy
driver when hrtimer is used as backend:
> ==================================================================
> BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr ffff88005e5b6f68
> Read of size 8 by task syz-executor/8984
> =============================================================================
> BUG kmalloc-192 (Not tainted): kasan: bad access detected
> -----------------------------------------------------------------------------
>
> Disabling lock debugging due to kernel taint
> INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446705582212484632
> ....
> [< none >] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464
> ....
> INFO: Freed in 0xfffd8e09 age=18446705496313138713 cpu=2164287125 pid=-1
> [< none >] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481
> ....
> Call Trace:
> [<ffffffff8179e59e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:333
> [< inline >] rb_set_parent include/linux/rbtree_augmented.h:111
> [< inline >] __rb_erase_augmented include/linux/rbtree_augmented.h:218
> [<ffffffff82ca5787>] rb_erase+0x1b17/0x2010 lib/rbtree.c:427
> [<ffffffff82cb02e8>] timerqueue_del+0x78/0x170 lib/timerqueue.c:86
> [<ffffffff814d0c80>] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903
> [< inline >] remove_hrtimer kernel/time/hrtimer.c:945
> [<ffffffff814d23da>] hrtimer_try_to_cancel+0x22a/0x570 kernel/time/hrtimer.c:1046
> [<ffffffff814d2742>] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066
> [<ffffffff85420531>] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417
> [<ffffffff854228bf>] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507
> [<ffffffff85392170>] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106
> [<ffffffff85391b26>] snd_pcm_action_single+0x76/0x120 sound/core/pcm_native.c:956
> [<ffffffff85391e01>] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974
> [< inline >] snd_pcm_stop sound/core/pcm_native.c:1139
> [<ffffffff8539754d>] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784
> [<ffffffff8539d3be>] snd_pcm_common_ioctl1+0xfae/0x2150 sound/core/pcm_native.c:2805
> [<ffffffff8539ee91>] snd_pcm_capture_ioctl1+0x2a1/0x5e0 sound/core/pcm_native.c:2976
> [<ffffffff8539f2ec>] snd_pcm_kernel_ioctl+0x11c/0x160 sound/core/pcm_native.c:3020
> [<ffffffff853d9a44>] snd_pcm_oss_sync+0x3a4/0xa30 sound/core/oss/pcm_oss.c:1693
> [<ffffffff853da27d>] snd_pcm_oss_release+0x1ad/0x280 sound/core/oss/pcm_oss.c:2483
> .....
A workaround is to call hrtimer_cancel() in dummy_hrtimer_sync() which
is called certainly before other blocking ops.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/drivers/dummy.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/drivers/dummy.c
+++ b/sound/drivers/dummy.c
@@ -422,6 +422,7 @@ static int dummy_hrtimer_stop(struct snd
static inline void dummy_hrtimer_sync(struct dummy_hrtimer_pcm *dpcm)
{
+ hrtimer_cancel(&dpcm->timer);
tasklet_kill(&dpcm->tasklet);
}
next prev parent reply other threads:[~2016-07-25 21:11 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-25 20:54 [PATCH 3.14 00/53] 3.14.74-stable review Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 01/53] crypto: ux500 - memmove the right size Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 02/53] sit: correct IP protocol used in ipip6_err Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 03/53] ipmr/ip6mr: Initialize the last assert time of mfc entries Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 04/53] net: alx: Work around the DMA RX overflow issue Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 05/53] usb: quirks: Add no-lpm quirk for Acer C120 LED Projector Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 06/53] usb: musb: Stop bulk endpoint while queue is rotated Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 07/53] usb: musb: Ensure rx reinit occurs for shared_fifo endpoints Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 08/53] mac80211: mesh: flush mesh paths unconditionally Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 09/53] mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 10/53] IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 11/53] powerpc/iommu: Remove the dependency on EEH struct in DDW mechanism Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 12/53] powerpc/pseries: Fix PCI config address for DDW Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 13/53] powerpc/tm: Always reclaim in start_thread() for exec() class syscalls Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 14/53] USB: EHCI: declare hostpc register as zero-length array Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 15/53] x86, build: copy ldlinux.c32 to image.iso Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 16/53] kprobes/x86: Clear TF bit in fault on single-stepping Greg Kroah-Hartman
2016-07-25 20:54 ` [PATCH 3.14 17/53] x86/amd_nb: Fix boot crash on non-AMD systems Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 18/53] make nfs_atomic_open() call d_drop() on all ->open_context() errors Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 19/53] NFS: Fix another OPEN_DOWNGRADE bug Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 20/53] ARM: 8578/1: mm: ensure pmd_present only checks the valid bit Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 21/53] mm: Export migrate_page_move_mapping and migrate_page_copy Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 22/53] UBIFS: Implement ->migratepage() Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 23/53] posix_acl: Add set_posix_acl Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 24/53] nfsd: check permissions when setting ACLs Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 25/53] signal: remove warning about using SI_TKILL in rt_[tg]sigqueueinfo Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 28/53] KEYS: potential uninitialized variable Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 29/53] kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 30/53] HID: elo: kill not flush the work Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 31/53] HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 32/53] tracing: Handle NULL formats in hold_module_trace_bprintk_format() Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 33/53] base: make module_create_drivers_dir race-free Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 34/53] drm/radeon: fix asic initialization for virtualized environments Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 36/53] perf/x86: Honor the architectural performance monitoring version Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 37/53] perf/x86: Fix undefined shift on 32-bit kernels Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 38/53] iio: Fix error handling in iio_trigger_attach_poll_func Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 39/53] staging: iio: accel: fix error check Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 40/53] iio: accel: kxsd9: fix the usage of spi_w8r8() Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 41/53] iio:ad7266: Fix broken regulator error handling Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 42/53] iio:ad7266: Fix support for optional regulators Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 43/53] iio:ad7266: Fix probe deferral for vref Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 44/53] tty/vt/keyboard: fix OOB access in do_compute_shiftstate() Greg Kroah-Hartman
2016-07-25 20:55 ` Greg Kroah-Hartman [this message]
2016-07-25 20:55 ` [PATCH 3.14 46/53] ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift() Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 47/53] ALSA: ctl: Stop notification after disconnection Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 48/53] scsi: fix race between simultaneous decrements of ->host_failed Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 49/53] Fix reconnect to not defer smb3 session reconnect long after socket reconnect Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 50/53] xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7 Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 51/53] tmpfs: dont undo fallocate past its last page Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 52/53] tmpfs: fix regression hang in fallocate undo Greg Kroah-Hartman
2016-07-25 20:55 ` [PATCH 3.14 53/53] s390/seccomp: fix error return for filtered system calls Greg Kroah-Hartman
2016-07-26 1:52 ` [PATCH 3.14 00/53] 3.14.74-stable review Shuah Khan
2016-07-26 13:50 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160725203516.341301397@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dvyukov@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tiwai@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox