[PATCH 3.14 45/53] ALSA: dummy: Fix a use-after-free at closing
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: 2016-07-25 21:11:16
Also in:
lkml
3.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai <redacted> commit d5dbbe6569481bf12dcbe3e12cff72c5f78d272c upstream. syzkaller fuzzer spotted a potential use-after-free case in snd-dummy driver when hrtimer is used as backend:
================================================================== BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr ffff88005e5b6f68 Read of size 8 by task syz-executor/8984 ============================================================================= BUG kmalloc-192 (Not tainted): kasan: bad access detected ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: Allocated in 0xbbbbbbbbbbbbbbbb age=18446705582212484632 .... [< none >] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464 .... INFO: Freed in 0xfffd8e09 age=18446705496313138713 cpu=2164287125 pid=-1 [< none >] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481 .... Call Trace: [<ffffffff8179e59e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:333 [< inline >] rb_set_parent include/linux/rbtree_augmented.h:111 [< inline >] __rb_erase_augmented include/linux/rbtree_augmented.h:218 [<ffffffff82ca5787>] rb_erase+0x1b17/0x2010 lib/rbtree.c:427 [<ffffffff82cb02e8>] timerqueue_del+0x78/0x170 lib/timerqueue.c:86 [<ffffffff814d0c80>] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903 [< inline >] remove_hrtimer kernel/time/hrtimer.c:945 [<ffffffff814d23da>] hrtimer_try_to_cancel+0x22a/0x570 kernel/time/hrtimer.c:1046 [<ffffffff814d2742>] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066 [<ffffffff85420531>] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417 [<ffffffff854228bf>] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507 [<ffffffff85392170>] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106 [<ffffffff85391b26>] snd_pcm_action_single+0x76/0x120 sound/core/pcm_native.c:956 [<ffffffff85391e01>] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974 [< inline >] snd_pcm_stop sound/core/pcm_native.c:1139 [<ffffffff8539754d>] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784 [<ffffffff8539d3be>] snd_pcm_common_ioctl1+0xfae/0x2150 sound/core/pcm_native.c:2805 [<ffffffff8539ee91>] snd_pcm_capture_ioctl1+0x2a1/0x5e0 sound/core/pcm_native.c:2976 [<ffffffff8539f2ec>] snd_pcm_kernel_ioctl+0x11c/0x160 sound/core/pcm_native.c:3020 [<ffffffff853d9a44>] snd_pcm_oss_sync+0x3a4/0xa30 sound/core/oss/pcm_oss.c:1693 [<ffffffff853da27d>] snd_pcm_oss_release+0x1ad/0x280 sound/core/oss/pcm_oss.c:2483 .....
A workaround is to call hrtimer_cancel() in dummy_hrtimer_sync() which is called certainly before other blocking ops. Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Takashi Iwai <redacted> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- sound/drivers/dummy.c | 1 + 1 file changed, 1 insertion(+)
--- a/sound/drivers/dummy.c
+++ b/sound/drivers/dummy.c@@ -422,6 +422,7 @@ static int dummy_hrtimer_stop(struct snd static inline void dummy_hrtimer_sync(struct dummy_hrtimer_pcm *dpcm) { + hrtimer_cancel(&dpcm->timer); tasklet_kill(&dpcm->tasklet); }