From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:51709 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752583AbcGYA31 (ORCPT ); Sun, 24 Jul 2016 20:29:27 -0400 Subject: Patch "ALSA: dummy: Fix a use-after-free at closing" has been added to the 4.4-stable tree To: tiwai@suse.de, dvyukov@google.com, gregkh@linuxfoundation.org Cc: , From: Date: Sun, 24 Jul 2016 17:29:42 -0700 Message-ID: <14694065826376@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled ALSA: dummy: Fix a use-after-free at closing to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: alsa-dummy-fix-a-use-after-free-at-closing.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From d5dbbe6569481bf12dcbe3e12cff72c5f78d272c Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Fri, 24 Jun 2016 15:15:26 +0200 Subject: ALSA: dummy: Fix a use-after-free at closing From: Takashi Iwai commit d5dbbe6569481bf12dcbe3e12cff72c5f78d272c upstream. syzkaller fuzzer spotted a potential use-after-free case in snd-dummy driver when hrtimer is used as backend: > ================================================================== > BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr ffff88005e5b6f68 > Read of size 8 by task syz-executor/8984 > ============================================================================= > BUG kmalloc-192 (Not tainted): kasan: bad access detected > ----------------------------------------------------------------------------- > > Disabling lock debugging due to kernel taint > INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446705582212484632 > .... > [< none >] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464 > .... > INFO: Freed in 0xfffd8e09 age=18446705496313138713 cpu=2164287125 pid=-1 > [< none >] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481 > .... > Call Trace: > [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:333 > [< inline >] rb_set_parent include/linux/rbtree_augmented.h:111 > [< inline >] __rb_erase_augmented include/linux/rbtree_augmented.h:218 > [] rb_erase+0x1b17/0x2010 lib/rbtree.c:427 > [] timerqueue_del+0x78/0x170 lib/timerqueue.c:86 > [] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903 > [< inline >] remove_hrtimer kernel/time/hrtimer.c:945 > [] hrtimer_try_to_cancel+0x22a/0x570 kernel/time/hrtimer.c:1046 > [] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066 > [] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417 > [] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507 > [] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106 > [] snd_pcm_action_single+0x76/0x120 sound/core/pcm_native.c:956 > [] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974 > [< inline >] snd_pcm_stop sound/core/pcm_native.c:1139 > [] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784 > [] snd_pcm_common_ioctl1+0xfae/0x2150 sound/core/pcm_native.c:2805 > [] snd_pcm_capture_ioctl1+0x2a1/0x5e0 sound/core/pcm_native.c:2976 > [] snd_pcm_kernel_ioctl+0x11c/0x160 sound/core/pcm_native.c:3020 > [] snd_pcm_oss_sync+0x3a4/0xa30 sound/core/oss/pcm_oss.c:1693 > [] snd_pcm_oss_release+0x1ad/0x280 sound/core/oss/pcm_oss.c:2483 > ..... A workaround is to call hrtimer_cancel() in dummy_hrtimer_sync() which is called certainly before other blocking ops. Reported-by: Dmitry Vyukov Tested-by: Dmitry Vyukov Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/drivers/dummy.c | 1 + 1 file changed, 1 insertion(+) --- a/sound/drivers/dummy.c +++ b/sound/drivers/dummy.c @@ -420,6 +420,7 @@ static int dummy_hrtimer_stop(struct snd static inline void dummy_hrtimer_sync(struct dummy_hrtimer_pcm *dpcm) { + hrtimer_cancel(&dpcm->timer); tasklet_kill(&dpcm->tasklet); } Patches currently in stable-queue which might be from tiwai@suse.de are queue-4.4/alsa-hda-fix-the-headset-mic-jack-detection-on-dell-machine.patch queue-4.4/alsa-ctl-stop-notification-after-disconnection.patch queue-4.4/alsa-dummy-fix-a-use-after-free-at-closing.patch queue-4.4/alsa-timer-fix-negative-queue-usage-by-racy-accesses.patch queue-4.4/alsa-hda-fix-use-after-free-after-module-unload.patch queue-4.4/alsa-hda-realtek-add-new-pin-definition-in-alc225-pin-quirk-table.patch queue-4.4/alsa-hda-add-pci-id-for-kabylake-h.patch queue-4.4/alsa-pcm-free-chmap-at-pcm-free-callback-too.patch queue-4.4/alsa-au88x0-fix-calculation-in-vortex_wtdma_bufshift.patch queue-4.4/alsa-hda-realtek-add-lenovo-l460-to-docking-unit-fixup.patch queue-4.4/alsa-echoaudio-fix-memory-allocation.patch queue-4.4/alsa-hda-realtek-add-two-more-thinkpad-ids-5050-5053-for-tpt460-fixup.patch queue-4.4/alsa-hda-fix-read-before-array-start.patch queue-4.4/alsa-hda-add-amd-stoney-pci-id-with-proper-driver-caps.patch