lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Mar 2011 18:40:58 -0700 From: Russ Dill <russ.dill@...il.com> To: linux-kernel@...r.kernel.org Cc: Takashi Iwai <tiwai@...e.de> Subject: snd_card_disconnect race (sound/core/init.c) With slub poisoning on, I'm seeing an oops in snd_disconnect_release with slub poison (6b6b6b6b). Investigating, snd_card_disconnect looks to be the possible culprit: 333 spin_lock(&card->files_lock); 334 mfile = card->files; 335 while (mfile) { 336 file = mfile->file; 337 338 /* it's critical part, use endless loop */ 339 /* we have no room to fail */ 340 mfile->disconnected_f_op = mfile->file->f_op; 341 342 spin_lock(&shutdown_lock); 343 list_add(&mfile->shutdown_list, &shutdown_files); 344 spin_unlock(&shutdown_lock); 345 346 mfile->file->f_op = &snd_shutdown_f_ops; 347 fops_get(mfile->file->f_op); 348 349 mfile = mfile->next; 350 } 351 spin_unlock(&card->files_lock); I'm not aware of any locking that would prevent the original release function running concurrently if it were started before line 346 was executed. The original release functions (such as snd_hwdep_release) call snd_card_remove_file which frees the mfile object which would have been just added to the shutdown_files list leading to a use of freed (or in my case poisoned) memory later on down the line when the shutdown_files gets walked again. It seems that 118dd6bf (ALSA: Clean up snd_monitor_file management, v2.6.30) may have either introduced this problem or made it worse since snd_card_file_remove previously removed items from the shutdown_files list before freeing them. I'm currently experiencing these crashes on 2.6.32.26, but I can't find any changes that would cause them not to occur on later kernel versions. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists