From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com>,
	Takashi Iwai <tiwai@suse.de>
Subject: [PATCH 4.13 092/109] ALSA: seq: Cancel pending autoload work at unbinding device
Date: Sun, 24 Sep 2017 22:33:53 +0200
Message-ID: <20170924203356.799554791@linuxfoundation.org>
In-Reply-To: <20170924203353.104695385@linuxfoundation.org>

4.13-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Takashi Iwai <tiwai@suse.de>

commit fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57 upstream.

ALSA sequencer core has a mechanism to load the enumerated devices
automatically, and it's performed in an off-load work.  This seems
to be causing some race when a sequencer is removed while the pending
autoload work is running.  As syzkaller spotted, it may lead to some
use-after-free:
  BUG: KASAN: use-after-free in snd_rawmidi_dev_seq_free+0x69/0x70
  sound/core/rawmidi.c:1617
  Write of size 8 at addr ffff88006c611d90 by task kworker/2:1/567

  CPU: 2 PID: 567 Comm: kworker/2:1 Not tainted 4.13.0+ #29
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Workqueue: events autoload_drivers
  Call Trace:
   __dump_stack lib/dump_stack.c:16 [inline]
   dump_stack+0x192/0x22c lib/dump_stack.c:52
   print_address_description+0x78/0x280 mm/kasan/report.c:252
   kasan_report_error mm/kasan/report.c:351 [inline]
   kasan_report+0x230/0x340 mm/kasan/report.c:409
   __asan_report_store8_noabort+0x1c/0x20 mm/kasan/report.c:435
   snd_rawmidi_dev_seq_free+0x69/0x70 sound/core/rawmidi.c:1617
   snd_seq_dev_release+0x4f/0x70 sound/core/seq_device.c:192
   device_release+0x13f/0x210 drivers/base/core.c:814
   kobject_cleanup lib/kobject.c:648 [inline]
   kobject_release lib/kobject.c:677 [inline]
   kref_put include/linux/kref.h:70 [inline]
   kobject_put+0x145/0x240 lib/kobject.c:694
   put_device+0x25/0x30 drivers/base/core.c:1799
   klist_devices_put+0x36/0x40 drivers/base/bus.c:827
   klist_next+0x264/0x4a0 lib/klist.c:403
   next_device drivers/base/bus.c:270 [inline]
   bus_for_each_dev+0x17e/0x210 drivers/base/bus.c:312
   autoload_drivers+0x3b/0x50 sound/core/seq_device.c:117
   process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097
   worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231
   kthread+0x324/0x3f0 kernel/kthread.c:231
   ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425

The fix is simply to ensure that the autoload work is canceled when
removing the device.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/core/seq_device.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/sound/core/seq_device.c
+++ b/sound/core/seq_device.c
@@ -148,8 +148,10 @@ void snd_seq_device_load_drivers(void)
 	flush_work(&autoload_work);
 }
 EXPORT_SYMBOL(snd_seq_device_load_drivers);
+#define cancel_autoload_drivers()	cancel_work_sync(&autoload_work)
 #else
 #define queue_autoload_drivers() /* NOP */
+#define cancel_autoload_drivers() /* NOP */
 #endif
 
 /*
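Review bot: the new cancel_autoload_drivers() macro in the #if branch carries no comment explaining why it uses cancel_work_sync() when snd_seq_device_load_drivers() directly above uses flush_work(&autoload_work). cancel_work_sync() waits for a running autoload_work and also drops one that is queued but not yet started, so a short comment stating that the macro exists for the device-free path, and that discarding a pending autoload there is intended, would answer the question the next reader will have.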
@@ -159,6 +161,7 @@ static int snd_seq_device_dev_free(struc
 {
 	struct snd_seq_device *dev = device->device_data;
 
+	cancel_autoload_drivers();
 	put_device(&dev->dev);
 	return 0;
 }
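Review bot: in snd_seq_device_dev_free() the fix depends on cancel_autoload_drivers() running before put_device(&dev->dev), but nothing in the function says so; a one-line comment above the call would keep a later cleanup from reordering or dropping it. It would also help if the changelog addressed one side effect: autoload_work is a single work item iterated over the whole bus (bus_for_each_dev in the trace), so freeing one device cancels a pending autoload for every other sequencer device as well, and this hunk does not show what queues it again.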
