Subject: Re: [PATCH -next] ALSA: timer: Fix use-after-free problem
From: "wangwensheng (C)" <wangwensheng4@huawei.com>
To: Takashi Iwai
Date: Wed, 3 Nov 2021 11:27:58 +0800
Message-ID: <3b02dd76-d952-e38e-bc0c-c8a121919720@huawei.com>
In-Reply-To: (reply to Takashi Iwai, 2 Nov 2021 22:10 +0800)
References: <20211102134107.35126-1-wangwensheng4@huawei.com>
List: linux-kernel@vger.kernel.org

On 2021/11/2 22:10, Takashi Iwai wrote:
> On Tue, 02 Nov 2021 14:41:07 +0100,
> Wang Wensheng wrote:
>>
>> When the timer instance was added into ack_list but was not currently in
>> process, the user could stop it via snd_timer_stop1() without deleting it
>> from the ack_list. Then the user could free the timer instance, and when
>> it was actually processed a UAF occurred.
>>
>> This issue could be reproduced via testcase snd_timer01 in ltp - running
>> several instances of that testcase at the same time.
>>
>> What I actually met was that the ack_list of the timer was broken and the
>> kernel went into a dead loop with IRQs off. That could be detected by the
>> hardlockup detector on board, or when we run it on qemu we could use gdb
>> to dump the ack_list when the console has no response.
>>
>> To fix this issue, we introduce a new flag SNDRV_TIMER_IFLG_ACKING to
>> indicate the state where the timer instance is in ack_list but not
>> currently processed, check against the new flag in snd_timer_stop1(),
>> and delete it from ack_list if the flag is set.
>>
>> Signed-off-by: Wang Wensheng
>
> Thanks for the patch. Just through a quick glance, I wonder whether
> it'd be easier to do list_del_init(&timeri->ack_list) unconditionally
> before the check of timeri->flags in snd_timer1_stop(). Ditto for
> active_list. So something like:
>

Thanks for your suggestions. It looks much more efficient and easier, and
it is also effective. I will take this as a second version.

> --- a/sound/core/timer.c
> +++ b/sound/core/timer.c
> @@ -624,13 +624,13 @@ static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop)
>  	if (!timer)
>  		return -EINVAL;
>  	spin_lock_irqsave(&timer->lock, flags);
> +	list_del_init(&timeri->ack_list);
> +	list_del_init(&timeri->active_list);
>  	if (!(timeri->flags & (SNDRV_TIMER_IFLG_RUNNING |
>  			       SNDRV_TIMER_IFLG_START))) {
>  		result = -EBUSY;
>  		goto unlock;
>  	}
> -	list_del_init(&timeri->ack_list);
> -	list_del_init(&timeri->active_list);
>  	if (timer->card && timer->card->shutdown)
>  		goto unlock;
>  	if (stop) {
>
>
> Takashi
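Review bot: moving the two list_del_init() calls above the RUNNING|START check means an instance that is queued on ack_list but no longer running is now unlinked before snd_timer_stop1() returns -EBUSY, which is exactly the state the commit message identifies as the source of the use-after-free; the unlinking happens under timer->lock, as required for the ack processing path to observe it. Two things worth confirming before sending v2: list_del_init() on an entry that is not on any list is only a no-op when that list_head has been initialised (an uninitialised or zeroed head would dereference NULL in the prev/next update), so the instance must have INIT_LIST_HEAD run on both ack_list and active_list at allocation; and the -EBUSY return value is now reached after the lists have been modified, so the commit message for v2 should state that a stop on a non-running instance deliberately still removes it from ack_list/active_list, to make the side effect explicit for future readers.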
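To make the race in the commit message concrete, here is an added user-space model (not code from the patch, the kernel, or either author) of the two orderings of snd_timer_stop1() discussed above. It reimplements the three Linux intrusive-list helpers it needs, and its flag bit values, the one-shot "expire moves the instance to ack_list and clears RUNNING" interrupt model, and all function names are assumptions made for illustration. Running it shows that the pre-fix ordering leaves ack_list pointing at an instance the caller is about to free, while the proposed ordering does not.

```c
/* Added example: user-space model of the ack_list use-after-free described in
 * the thread.  Not kernel code; list helpers, flag values, and the interrupt
 * model are simplified assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

/* Unlinks and re-initialises the entry.  On an initialised entry that is
 * not on any list this is a harmless no-op, which is what makes calling it
 * unconditionally (as in the suggested hunk) safe. */
static void list_del_init(struct list_head *e)
{
	e->prev->next = e->next; e->next->prev = e->prev; INIT_LIST_HEAD(e);
}

#define IFLG_RUNNING 0x1u	/* assumed bit values, not the kernel's */
#define IFLG_START   0x2u
#define MODEL_EBUSY  (-16)

struct snd_timer {
	struct list_head ack_list_head;
	struct list_head active_list_head;
};

struct snd_timer_instance {
	unsigned flags;
	struct list_head ack_list;
	struct list_head active_list;
};

static void timer_init(struct snd_timer *t)
{
	INIT_LIST_HEAD(&t->ack_list_head);
	INIT_LIST_HEAD(&t->active_list_head);
}

static void instance_init(struct snd_timer_instance *ti)
{
	ti->flags = 0;
	INIT_LIST_HEAD(&ti->ack_list);
	INIT_LIST_HEAD(&ti->active_list);
}

static void timer_start(struct snd_timer *t, struct snd_timer_instance *ti)
{
	ti->flags |= IFLG_RUNNING;
	list_add_tail(&ti->active_list, &t->active_list_head);
}

/* Assumed interrupt model for a one-shot instance: it has expired, so it is
 * no longer running, and it is queued on ack_list for its callback to run
 * later.  Until that happens the instance is "in ack_list but not
 * currently processed", the state the commit message describes. */
static void timer_interrupt_expire(struct snd_timer *t, struct snd_timer_instance *ti)
{
	ti->flags &= ~IFLG_RUNNING;
	list_del_init(&ti->active_list);
	list_add_tail(&ti->ack_list, &t->ack_list_head);
}

/* Pre-fix ordering: flags are checked first, so an expired-but-queued
 * instance returns -EBUSY without ever being unlinked from ack_list. */
static int stop1_before(struct snd_timer_instance *ti)
{
	if (!(ti->flags & (IFLG_RUNNING | IFLG_START)))
		return MODEL_EBUSY;
	list_del_init(&ti->ack_list);
	list_del_init(&ti->active_list);
	ti->flags &= ~(IFLG_RUNNING | IFLG_START);
	return 0;
}

/* Ordering proposed in the review: unlink unconditionally, then check. */
static int stop1_after(struct snd_timer_instance *ti)
{
	list_del_init(&ti->ack_list);
	list_del_init(&ti->active_list);
	if (!(ti->flags & (IFLG_RUNNING | IFLG_START)))
		return MODEL_EBUSY;
	ti->flags &= ~(IFLG_RUNNING | IFLG_START);
	return 0;
}

/* True if ack_list still points at ti: the ack processing would then touch
 * the instance's memory after the caller has freed it. */
static bool ack_list_references(const struct snd_timer *t, const struct snd_timer_instance *ti)
{
	const struct list_head *p;
	for (p = t->ack_list_head.next; p != &t->ack_list_head; p = p->next)
		if (p == &ti->ack_list)
			return true;
	return false;
}

/* Runs start -> expire -> stop with the given stop variant and reports
 * whether a dangling ack_list entry is left behind (true = UAF follows
 * once the caller frees ti). */
static bool dangling_after_stop(int (*stop1)(struct snd_timer_instance *))
{
	struct snd_timer t;
	struct snd_timer_instance ti;
	timer_init(&t);
	instance_init(&ti);
	timer_start(&t, &ti);
	timer_interrupt_expire(&t, &ti);	/* queued on ack_list, RUNNING cleared */
	stop1(&ti);				/* user stops it; may return -EBUSY */
	return ack_list_references(&t, &ti);	/* the caller would free ti next */
}
```

The model keeps the instance on the stack rather than freeing it, so that the check is a pointer comparison instead of a real invalid access; in the kernel the equivalent observation is the ack processing walking into freed memory, which is what produced the broken ack_list and the hard lockup reported above.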