The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely.
Therefore, to prevent this, the error timer must be killed before freeing the heap memory.
Cc: stable@vger.kernel.org
Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
Signed-off-by: Jeongjun Park aha310510@gmail.com
---
sound/usb/midi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c index acb3bf92857c..8d15f1caa92b 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) { int i;
+ timer_shutdown_sync(&umidi->error_timer); + for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; if (ep->out) @@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) snd_usbmidi_in_endpoint_delete(ep->in); } mutex_destroy(&umidi->mutex); - timer_shutdown_sync(&umidi->error_timer); kfree(umidi); }
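Review bot: In the first hunk (@@ -1522,6 +1522,8 @@) the relocated timer_shutdown_sync() call carries no comment saying why it has to come before the endpoint loop; since the changelog itself says the window is hit only rarely, a one-line comment such as `/* stop the error timer before the endpoints it touches are deleted */` above the call would keep a later cleanup from moving it back next to kfree() and silently reintroducing the race.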
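Review bot: In the second hunk (@@ -1530,7 +1532,6 @@) the only change is dropping the old timer_shutdown_sync() that sat between mutex_destroy() and kfree(), so the patch is a pure relocation (the diffstat shows 2 insertions, 1 deletion); the changelog should say so explicitly for whoever backports it on top of the Fixes: commit 0718a78f6a9f. Since the thread ties this to syzbot reports, Reported-by/Closes tags for them also belong in the trailer block.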
--
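To make the ordering argument in the changelog concrete, here is a small user-space model (an added example, not kernel code and not part of the patch or this thread) in which the error timer callback inspects every endpoint and re-arms itself, as many periodic error timers do. The model_* names are stand-ins for the kernel timer API, and model_tick() marks the point at which the timer is assumed to fire; the counts it returns are what a KASAN report would flag in the real driver.

```c
#include <stdlib.h>

#define MIDI_MAX_ENDPOINTS 2

struct model_endpoint { int error_count; };
/* Stand-in for the kernel timer: pending = armed, shutdown = timer_shutdown_sync() done. */
struct model_timer { int pending, shutdown; };
struct model_midi {
    struct model_endpoint *endpoints[MIDI_MAX_ENDPOINTS];
    struct model_timer error_timer;
    int uaf_hits;  /* callback touched an endpoint that was already deleted */
};
static int model_mod_timer(struct model_timer *t) {  /* 1 if armed, 0 if re-arm refused */
    return t->shutdown ? 0 : (t->pending = 1);
}
static void model_timer_shutdown_sync(struct model_timer *t) {
    t->shutdown = 1; t->pending = 0;  /* kernel version also waits for a running callback */
}
/* Models the error timer callback: inspects every endpoint, then re-arms itself. */
static void model_error_timer(struct model_midi *m) {
    for (int i = 0; i < MIDI_MAX_ENDPOINTS; i++) {
        if (!m->endpoints[i]) m->uaf_hits++;  /* in-kernel this is the use-after-free */
        else m->endpoints[i]->error_count = 0;
    }
    model_mod_timer(&m->error_timer);
}
/* "The timer fires here": the interleaving point the race depends on. */
static void model_tick(struct model_midi *m) {
    if (m->error_timer.pending) { m->error_timer.pending = 0; model_error_timer(m); }
}
static void delete_endpoints(struct model_midi *m) {
    for (int i = 0; i < MIDI_MAX_ENDPOINTS; i++) { free(m->endpoints[i]); m->endpoints[i] = NULL; }
}
/* Pre-fix order (timer killed after the endpoints): returns the number of UAF hits. */
int teardown_before_fix(void) {
    struct model_midi m = { .error_timer = { .pending = 1 } };
    for (int i = 0; i < MIDI_MAX_ENDPOINTS; i++) m.endpoints[i] = calloc(1, sizeof(*m.endpoints[i]));
    delete_endpoints(&m);
    model_tick(&m);  /* timer fires in the window after the delete */
    model_timer_shutdown_sync(&m.error_timer);
    return m.uaf_hits;  /* 2 */
}
/* Fixed order (this patch): shut the timer down first; returns hits plus any re-arm that got through. */
int teardown_after_fix(void) {
    struct model_midi m = { .error_timer = { .pending = 1 } };
    for (int i = 0; i < MIDI_MAX_ENDPOINTS; i++) m.endpoints[i] = calloc(1, sizeof(*m.endpoints[i]));
    model_timer_shutdown_sync(&m.error_timer);
    model_tick(&m);  /* nothing pending, and the callback could not re-arm anyway */
    delete_endpoints(&m);
    return m.uaf_hits + model_mod_timer(&m.error_timer);  /* 0 */
}
```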
On Sat, 27 Sep 2025 06:41:06 +0200, Jeongjun Park wrote:
The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely.
Therefore, to prevent this, the error timer must be killed before freeing the heap memory.
Cc: stable@vger.kernel.org
Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
Signed-off-by: Jeongjun Park aha310510@gmail.com
I suppose it's a fix for the recent syzbot reports? https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com
I had the very same fix in mind, as posted in https://lore.kernel.org/87plbhn16a.wl-tiwai@suse.de so I'll happily apply if that's the case (and it was verified to work). I'm just back from vacation and trying to catch up on things.
thanks,
Takashi
sound/usb/midi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c index acb3bf92857c..8d15f1caa92b 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) { int i;
- timer_shutdown_sync(&umidi->error_timer);
- for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; if (ep->out)
@@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) snd_usbmidi_in_endpoint_delete(ep->in); } mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer); kfree(umidi);
} --
Hi,
Takashi Iwai tiwai@suse.de wrote:
On Sat, 27 Sep 2025 06:41:06 +0200, Jeongjun Park wrote:
The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely.
Therefore, to prevent this, the error timer must be killed before freeing the heap memory.
Cc: stable@vger.kernel.org
Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
Signed-off-by: Jeongjun Park aha310510@gmail.com
I suppose it's a fix for the recent syzbot reports? https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com
Oh, I didn't know it was already reported on syzbot.
I had the very same fix in mind, as posted in https://lore.kernel.org/87plbhn16a.wl-tiwai@suse.de so I'll happily apply if that's the case (and it was verified to work). I'm just back from vacation and trying to catch up on things.
Although it's difficult to disclose right now, I have already completed writing a PoC that triggers a UAF due to the error timer in a slightly different way than the backtrace reported to syzbot, and I have confirmed that no bugs occur when testing this patch through this PoC.
thanks,
Takashi
sound/usb/midi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c index acb3bf92857c..8d15f1caa92b 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) { int i;
timer_shutdown_sync(&umidi->error_timer);
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; if (ep->out)
@@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) snd_usbmidi_in_endpoint_delete(ep->in); } mutex_destroy(&umidi->mutex);
timer_shutdown_sync(&umidi->error_timer); kfree(umidi);
}
--
Regards, Jeongjun Park
On Sat, 27 Sep 2025 10:48:02 +0200, Jeongjun Park wrote:
Hi,
Takashi Iwai tiwai@suse.de wrote:
On Sat, 27 Sep 2025 06:41:06 +0200, Jeongjun Park wrote:
The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the endpoint delete, a race condition to UAF still occurs, albeit rarely.
Therefore, to prevent this, the error timer must be killed before freeing the heap memory.
Cc: stable@vger.kernel.org
Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
Signed-off-by: Jeongjun Park aha310510@gmail.com
I suppose it's a fix for the recent syzbot reports? https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com
Oh, I didn't know it was already reported on syzbot.
I had the very same fix in mind, as posted in https://lore.kernel.org/87plbhn16a.wl-tiwai@suse.de so I'll happily apply if that's the case (and it was verified to work). I'm just back from vacation and trying to catch up on things.
Although it's difficult to disclose right now, I have already completed writing a PoC that triggers a UAF due to the error timer in a slightly different way than the backtrace reported to syzbot, and I have confirmed that no bugs occur when testing this patch through this PoC.
OK, so this sounds like a coincidence, but it's very likely the same issue, so I'm going to mark those syzbot reports.
thanks,
Takashi