android/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
124751d5e6
android_kernel_xiaomi_sm8450/sound/usb
History
Takashi Iwai 124751d5e6 ALSA: usb-audio: Kill stray URB at exiting 
USB-audio driver may leave a stray URB for the mixer interrupt when it
exits by some error during probe.  This leads to a use-after-free
error as spotted by syzkaller like:
  ==================================================================
  BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0
  Call Trace:
   <IRQ>
   __dump_stack lib/dump_stack.c:16
   dump_stack+0x292/0x395 lib/dump_stack.c:52
   print_address_description+0x78/0x280 mm/kasan/report.c:252
   kasan_report_error mm/kasan/report.c:351
   kasan_report+0x23d/0x350 mm/kasan/report.c:409
   __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430
   snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490
   __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
   ....

  Allocated by task 1484:
   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
   set_track mm/kasan/kasan.c:459
   kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
   kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772
   kmalloc ./include/linux/slab.h:493
   kzalloc ./include/linux/slab.h:666
   snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540
   create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516
   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
   create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59
   snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560
   usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618
   ....

  Freed by task 1484:
   save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59
   save_stack+0x43/0xd0 mm/kasan/kasan.c:447
   set_track mm/kasan/kasan.c:459
   kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524
   slab_free_hook mm/slub.c:1390
   slab_free_freelist_hook mm/slub.c:1412
   slab_free mm/slub.c:2988
   kfree+0xf6/0x2f0 mm/slub.c:3919
   snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244
   snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250
   __snd_device_free+0x1ff/0x380 sound/core/device.c:91
   snd_device_free_all+0x8f/0xe0 sound/core/device.c:244
   snd_card_do_free sound/core/init.c:461
   release_card_device+0x47/0x170 sound/core/init.c:181
   device_release+0x13f/0x210 drivers/base/core.c:814
   ....

Actually such a URB is killed properly at disconnection when the
device gets probed successfully, and what we need is to apply it for
the error-path, too.

In this patch, we apply snd_usb_mixer_disconnect() at releasing.
Also introduce a new flag, disconnected, to struct usb_mixer_interface
for not performing the disconnection procedure twice.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-10 14:17:09 +02:00
..
6fire ALSA: 6fire: Use common error handling code in usb6fire_chip_probe() 2017-09-07 10:29:35 +02:00
bcd2000 ALSA: bcd2000: constify usb_device_id. 2017-08-06 22:20:08 +02:00
caiaq ALSA: usb: constify snd_pcm_ops structures 2017-08-19 11:02:27 +02:00
hiface ALSA: usb: constify snd_pcm_ops structures 2017-08-19 11:02:27 +02:00
line6 ALSA: line6: Fix leftover URB at error-path during probe 2017-10-09 16:17:18 +02:00
misc ALSA: usb: constify snd_pcm_ops structures 2017-08-19 11:02:27 +02:00
usx2y ALSA: usx2y: Suppress kernel warning at page allocation failures 2017-10-02 18:10:47 +02:00
card.c ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor 2017-09-22 16:21:31 +02:00
card.h ALSA: usb: use TEAC UD-H01 quirk for more devices 2016-08-22 11:39:56 +02:00
clock.c ALSA: usb-audio: Limit retrying sample rate reads 2016-04-29 11:49:04 +02:00
clock.h ALSA: usb-audio: UAC2: do clock validity check earlier 2013-04-04 08:30:59 +02:00
debug.h ALSA: usb-audio: make hwc_debug a noop in case HW_CONST_DEBUG is not set 2011-05-18 11:44:35 +02:00
endpoint.c ALSA: usb-audio: test EP_FLAG_RUNNING at urb completion 2017-01-05 07:35:17 +01:00
endpoint.h ALSA: usb-audio: Fix irq/process data synchronization 2017-01-05 07:35:00 +01:00
format.c ALSA: usb-audio: rmove print for failure of kmalloc 2016-08-22 11:41:02 +02:00
format.h ALSA: usb-audio: store protocol version in struct audioformat 2013-06-27 21:59:47 +02:00
helper.c ALSA: usb-audio: correct speed checking 2016-05-08 11:42:04 +02:00
helper.h ALSA: usb-audio: increase control transfer timeout 2011-09-27 09:21:48 +02:00
Kconfig ALSA: us122l: enable compile testing 2017-05-15 11:02:14 +02:00
Makefile ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk 2017-02-20 10:59:54 +01:00
midi.c ALSA: usb-audio: Put missing KERN_CONT prefix 2017-08-31 11:02:13 +02:00
midi.h ALSA: usb-audio: Refer to chip->usb_id for quirks and MIDI creation 2016-01-29 07:36:10 +01:00
mixer_maps.c ALSA: usb-audio: Change structure initialisation to C99 style 2016-06-17 16:58:41 +02:00
mixer_quirks.c ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices 2017-08-17 17:52:16 +02:00
mixer_quirks.h ALSA: usb-audio: Add a more accurate volume quirk for AudioQuest DragonFly 2015-12-14 10:13:17 +01:00
mixer_scarlett.c ALSA: usb-audio: constify snd_kcontrol_new structures 2017-02-21 22:02:03 +01:00
mixer_scarlett.h ALSA: usb-audio: Scarlett mixer interface for 6i6, 18i6, 18i8 and 18i20 2014-11-13 07:32:39 +01:00
mixer_us16x08.c ALSA: usb: Avoid VLA in mixer_us16x08.c 2017-05-31 08:46:19 +02:00
mixer_us16x08.h ALSA: usb-audio: Fix memory leak and corruption in mixer_us16x08.c 2017-02-22 14:24:09 +01:00
mixer.c ALSA: usb-audio: Kill stray URB at exiting 2017-10-10 14:17:09 +02:00
mixer.h ALSA: usb-audio: Kill stray URB at exiting 2017-10-10 14:17:09 +02:00
pcm.c ALSA: usb: constify snd_pcm_ops structures 2017-08-19 11:02:27 +02:00
pcm.h ALSA: usb: refine delay information with USB frame counter 2011-09-12 10:30:20 +02:00
power.h ALSA: usbaudio: implement USB autosuspend 2011-03-11 14:59:29 +01:00
proc.c ALSA: usb-audio: Avoid nested autoresume calls 2015-08-26 15:38:25 +02:00
proc.h ALSA: usb-audio: refactor code 2010-03-05 08:17:14 +01:00
quirks-table.h ALSA: usb-audio: Add quirk for Syntek STK1160 2016-10-27 12:07:19 +02:00
quirks.c ALSA: usb-audio: Add sample rate quirk for Plantronics P610 2017-10-09 14:10:11 +02:00
quirks.h ALSA: usb-audio: Refer to chip->usb_id for quirks and MIDI creation 2016-01-29 07:36:10 +01:00
stream.c ALSA: usb: Delete an error message for a failed memory allocation in two functions 2017-08-12 23:20:55 +02:00
stream.h ALSA: snd-usb: re-order code 2011-09-14 17:07:02 +02:00
usbaudio.h Merge branch 'for-linus' into for-next 2016-05-10 16:06:04 +02:00