From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BEA182E6CA6 for ; Fri, 10 Apr 2026 05:13:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.178 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775798031; cv=none; b=U4TtFQZAr2r9WE1ExG0HeMqMt/OACvC4zFpTualS/OERstnepdEggu2ITxQuQGhfzUTS1QPxMcpfU1Dfo30gKv1bp0XWaCsOkZR7uRy4xI5RWQBQ1SVtLwdKoi1CBAdl8zGLxCJvg3x7tzO9Q98WBLqLSHC8DihX/Ufp17ijfeo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775798031; c=relaxed/simple; bh=s5fpXjIkhtlnDKMlfUjkhC0TSxbru1oy54/jPyduY7w=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=NpPftUKoEEZRKoo8jZVUOUc+L3nl82O9h7nfy5bkg/JkYb4N9YywKURefAT4nwH7TaAcp7M5ZwCCnOmuop9Hz9rzJnqwUGjYj0OW2Es/XkrZnlPBu4aByNmV1/aKwPFAbR/4hN8CeL0l40+NMMwsH5NvbFi7+DPflay4paWz4KA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=kOsDZn0V; arc=none smtp.client-ip=209.85.210.178 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="kOsDZn0V" Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-823c56765fdso1165385b3a.1 for ; Thu, 09 Apr 2026 22:13:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775798029; x=1776402829; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=Ip96ksr0TNIaLn5SBuG1rHY2Vx5CuZDHx4f8G1URE3U=; b=kOsDZn0V8BiixpdX/R5//HWQmoLmutwBGzL2zrtirzc6Lj0n8BrNIXjLGnXK6NkC84 /qsbN2wVtnrscTdqoTmFq2Kz7bCEvi0rGtQPfR0Gs9Pbe12CKgo7ovsGgO7EhmRwJVLm 99GcaADJce2S+TyL5lFyw4X2q128r5CXb5VbHaJsslHFzDUDS/deSvjRt/IHSCAoP+ST xo5B+8q/HahZzqEXvUTDqpJ/SKu31znGvNq7GASmS8DVuqKREC3nlLclDtejoEckuG2F 5rQmdZLG3pHqeDhE/Vh1P/gqB9XaR59eGzk190o0f04kaTY50azoRMA9AHg2aMeH2WGY rlMg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775798029; x=1776402829; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Ip96ksr0TNIaLn5SBuG1rHY2Vx5CuZDHx4f8G1URE3U=; b=HI2jgVyndRyZRDN0LBHs7b8sMMpqp+3qlpgVgcZUsdiFD08IJ8yGwQeezfI0GGiTlm GYB4EoMq6nla1qsT1vgIXme1nQgayPGgEzKPXMZqhix9IEDV668hhxA99OEOEN7qbB3W iNpdpd3SYbq7Nq/S0vv4GfFyX5Yd/eNeb/ej70epN6SGkNTE86SH7eI9olNdbs5VXMHv 7oWFGffycvXSA+ZbOIGSw3r3NxtGKEdcCSRvQAsuD+OBqPM+EQQQBwKlI+q8pg1up5gr s/Fymz8bEB8eOLmY69W8QaecVxJpNW8ipffulRXUB7+9ZYySE6N0RPIfo62S9/IZj/yG tciw== X-Forwarded-Encrypted: i=1; AJvYcCXjDvq2GIYiBeg9QeL7KqkNdWvQX6QvLDQAMqStYpcetKCdtSj8rAG4VXpbiDGzbdoRizum81BHRqmIkkQ=@vger.kernel.org X-Gm-Message-State: AOJu0YytUYtJmGLK/+uUUgBPMa2HG1PsXUMmIPeHwFRMvPOzh8FKx8mv 3JwS/V0XWd5z7zGkJzIo1TQw1nKkc3LHFayBBBzA+vTnSoVViAsyjkZi X-Gm-Gg: AeBDiesbYYX0vM6+SBb+mtw+RS4kmG/a1Su3P00eY1j+XdT20On0EhCd2Q+5JZxJXYf UYIc0TXUClPOFj5yydpRGRaeVqoRl5ajy8rnNfm0BqgV4/FBnLKO7LEC/4C0IeSe2Y00b2X4LIy Bzc3+syP8WXQm+GlQ14OuCdCbzyxggeUIEiVgjdgDJ6IRV37XlZoE8IvCJPhBDooDOF5tzdzQ1V GhXIVqX0IXJ6ZbYlmU8mv8Va7E+aH7c379LGYImFBY9/trqaSdNGx32xzViLiA4TZmLphzvJ4AL aOIdpu6EoR/sBpyArvag0GLki/TJRFqUxSPzPhXJ748nvlRrxinvy6i7tEybRIW5fC7WjH/qcU7 9m/3BMNMol1IrDt0kctn7h0ighyscvcnnqbtDA3RZLMExGoPfKMdOm+7o4c6/RV0RvMAx6kymqK OTrF/zbNbbTwTqrkQRxkqhRRrkXt0/YVDKf0GARdCA6WZ/jeAA8+MuBe0NcXpyEfV528Hv5bwKo vL7BBRr8AsH68ptVpZkqgKyIBZ8nviqPg== X-Received: by 2002:a05:6a00:124a:b0:81f:be3c:9c9e with SMTP id d2e1a72fcca58-82f0c297e11mr1989065b3a.33.1775798028953; Thu, 09 Apr 2026 22:13:48 -0700 (PDT) Received: from localhost.localdomain (59-190-207-251f1.hyg2.eonet.ne.jp. [59.190.207.251]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-82f0c33de57sm1295283b3a.21.2026.04.09.22.13.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 09 Apr 2026 22:13:48 -0700 (PDT) From: Berk Cem Goksel To: Jaroslav Kysela , Takashi Iwai Cc: Andrey Konovalov , stable@vger.kernel.org, linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] ALSA: 6fire: fix use-after-free on disconnect Date: Fri, 10 Apr 2026 08:13:41 +0300 Message-Id: <20260410051341.1069716-1-berkcgoksel@gmail.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit In usb6fire_chip_abort(), the chip struct is allocated as the card's private data (via snd_card_new with sizeof(struct sfire_chip)). When snd_card_free_when_closed() is called and no file handles are open, the card and embedded chip are freed synchronously. The subsequent chip->card = NULL write then hits freed slab memory. Call trace: usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 ... hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 Fix by moving the card lifecycle out of usb6fire_chip_abort() and into usb6fire_chip_disconnect(). The card pointer is saved in a local before any teardown, snd_card_disconnect() is called first to prevent new opens, URBs are aborted while chip is still valid, and snd_card_free_when_closed() is called last so chip is never accessed after the card may be freed. Fixes: a0810c3d6dd2 ("ALSA: 6fire: Release resources at card release") Cc: stable@vger.kernel.org Cc: Andrey Konovalov Signed-off-by: Berk Cem Goksel --- Patch applies to 7.0-rc6 (upstream master 5619b098e2fb). Tested on 7.0.0-rc5 (arm64) with KASAN: [ 11.274798] BUG: KASAN: slab-use-after-free in usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] [ 11.274798] BUG: KASAN: slab-use-after-free in usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 [ 11.275503] Write of size 8 at addr ffff000013230a98 by task kworker/0:1/12 [ 11.276469] CPU: 0 UID: 0 PID: 12 Comm: kworker/0:1 Not tainted 7.0.0-rc5-g663cf2b1ad64-dirty #10 PREEMPT [ 11.276485] Hardware name: linux,dummy-virt (DT) [ 11.276504] Workqueue: usb_hub_wq hub_event [ 11.276562] Call trace: [ 11.276582] show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C) [ 11.276616] dump_stack_lvl+0x138/0x1c8 lib/dump_stack.c:120 [ 11.276666] print_report+0x118/0x5d4 mm/kasan/report.c:482 [ 11.276669] kasan_report+0xc0/0x100 mm/kasan/report.c:595 [ 11.276678] __asan_report_store8_noabort+0x20/0x2c mm/kasan/report_generic.c:386 [ 11.276684] usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline] [ 11.276688] usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182 [ 11.276692] usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458 [ 11.276697] device_release_driver_internal+0x450/0x63c drivers/base/dd.c:1367 [ 11.276699] bus_remove_device+0x2a0/0x4f4 drivers/base/bus.c:657 [ 11.276701] device_del+0x31c/0x870 drivers/base/core.c:3880 [ 11.276720] usb_disable_device+0x2e8/0x6ec drivers/usb/core/message.c:1476 [ 11.276737] usb_disconnect+0x294/0x8d8 drivers/usb/core/hub.c:2345 [ 11.276776] hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953 [ 11.276836] process_one_work+0x8a4/0x1dc0 kernel/workqueue.c:3276 [ 11.276850] worker_thread+0x57c/0xcac kernel/workqueue.c:3440 [ 11.276888] kthread+0x3e4/0x494 kernel/kthread.c:436 [ 11.276890] ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 [ 11.339324] Allocated by task 12: [ 11.339765] kasan_save_stack+0x3c/0x64 mm/kasan/common.c:57 [ 11.340193] kasan_save_track+0x20/0x3c mm/kasan/common.c:78 [ 11.340615] __kasan_kmalloc+0xb8/0xbc mm/kasan/common.c:415 [ 11.341108] snd_card_new+0x70/0x11c sound/core/init.c:184 [ 11.341555] usb6fire_chip_probe+0x298/0x864 sound/usb/6fire/chip.c:120 [ 11.353835] Freed by task 12: [ 11.354171] kasan_save_stack+0x3c/0x64 mm/kasan/common.c:57 [ 11.354599] kasan_save_track+0x20/0x3c mm/kasan/common.c:78 [ 11.355023] kasan_save_free_info+0x4c/0x78 mm/kasan/generic.c:584 [ 11.355505] __kasan_slab_free+0x5c/0x88 mm/kasan/common.c:285 [ 11.355945] kfree+0x164/0x61c mm/slub.c:6483 [ 11.356285] snd_card_do_free sound/core/init.c:597 [inline] [ 11.356778] release_card_device+0x16c/0x1fc sound/core/init.c:153 [ 11.357221] snd_card_free_when_closed+0x30/0x44 sound/core/init.c:612 [ 11.357696] usb6fire_chip_abort sound/usb/6fire/chip.c:58 [inline] [ 11.358103] usb6fire_chip_disconnect+0x298/0x358 sound/usb/6fire/chip.c:182 sound/usb/6fire/chip.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/sound/usb/6fire/chip.c b/sound/usb/6fire/chip.c index 5ff78814e687..874f6cd503ca 100644 --- a/sound/usb/6fire/chip.c +++ b/sound/usb/6fire/chip.c @@ -53,11 +53,6 @@ static void usb6fire_chip_abort(struct sfire_chip *chip) usb6fire_comm_abort(chip); if (chip->control) usb6fire_control_abort(chip); - if (chip->card) { - snd_card_disconnect(chip->card); - snd_card_free_when_closed(chip->card); - chip->card = NULL; - } } } @@ -168,6 +163,7 @@ static int usb6fire_chip_probe(struct usb_interface *intf, static void usb6fire_chip_disconnect(struct usb_interface *intf) { struct sfire_chip *chip; + struct snd_card *card; chip = usb_get_intfdata(intf); if (chip) { /* if !chip, fw upload has been performed */ @@ -178,8 +174,19 @@ static void usb6fire_chip_disconnect(struct usb_interface *intf) chips[chip->regidx] = NULL; } + /* + * Save card pointer before teardown. + * snd_card_free_when_closed() may free card (and + * the embedded chip) immediately, so it must be + * called last and chip must not be accessed after. + */ + card = chip->card; chip->shutdown = true; + if (card) + snd_card_disconnect(card); usb6fire_chip_abort(chip); + if (card) + snd_card_free_when_closed(card); } } } -- 2.34.1