| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AANLkTi=ivaNVF2Jsz2rmxT-Pe2hs0jMUv7XZQ6K=2-d6@mail.gmail.com>
Date: Thu, 24 Mar 2011 10:23:25 -0700
From: Russ Dill <russ.dill@...il.com>
To: Takashi Iwai <tiwai@...e.de>
Cc: linux-kernel@...r.kernel.org
Subject: Re: snd_card_disconnect race (sound/core/init.c)
On Thu, Mar 24, 2011 at 1:58 AM, Takashi Iwai <tiwai@...e.de> wrote:
> At Thu, 24 Mar 2011 01:19:43 -0700,
> Russ Dill wrote:
>>
>> On Wed, Mar 23, 2011 at 11:43 PM, Takashi Iwai <tiwai@...e.de> wrote:
>> > At Wed, 23 Mar 2011 18:40:58 -0700,
>> > Russ Dill wrote:
>> >>
>> >> With slub poisoning on, I'm seeing an oops in snd_disconnect_release
>> >> with slub poison (6b6b6b6b). Investigating, snd_card_disconnect looks
>> >> to be the possible culprit:
>> >>
>> >> 333 spin_lock(&card->files_lock);
>> >> 334 mfile = card->files;
>> >> 335 while (mfile) {
>> >> 336 file = mfile->file;
>> >> 337
>> >> 338 /* it's critical part, use endless loop */
>> >> 339 /* we have no room to fail */
>> >> 340 mfile->disconnected_f_op = mfile->file->f_op;
>> >> 341
>> >> 342 spin_lock(&shutdown_lock);
>> >> 343 list_add(&mfile->shutdown_list, &shutdown_files);
>> >> 344 spin_unlock(&shutdown_lock);
>> >> 345
>> >> 346 mfile->file->f_op = &snd_shutdown_f_ops;
>> >> 347 fops_get(mfile->file->f_op);
>> >> 348
>> >> 349 mfile = mfile->next;
>> >> 350 }
>> >> 351 spin_unlock(&card->files_lock);
>> >>
>> >> I'm not aware of any locking that would prevent the original release
>> >> function running concurrently if it were started before line 346 was
>> >> executed. The original release functions (such as snd_hwdep_release)
>> >> call snd_card_remove_file which frees the mfile object which would
>> >> have been just added to the shutdown_files list leading to a use of
>> >> freed (or in my case poisoned) memory later on down the line when the
>> >> shutdown_files gets walked again.
>> >>
>> >> It seems that 118dd6bf (ALSA: Clean up snd_monitor_file management,
>> >> v2.6.30) may have either introduced this problem or made it worse
>> >> since snd_card_file_remove previously removed items from the
>> >> shutdown_files list before freeing them.
>> >>
>> >> I'm currently experiencing these crashes on 2.6.32.26, but I can't
>> >> find any changes that would cause them not to occur on later kernel
>> >> versions.
>> >
>> > Which device are you using? USB-audio had a known problem at
>> > disconnection, for example, and it was fixed recently.
>> >
>>
>> I'm using USB-audio. I tried back-porting a couple of patches, to no avail:
>>
>> ALSA: usb-audio: fix oops due to cleanup race when disconnecting
>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=382225e6
>>
>> ALSA: usb - Release capture substream URBs properly
>> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=76195fb0
>>
>> Backing out 118dd6bf fixes the problem. The app that is running when
>> this crash occurs does full duplex streaming and segfaults while the
>> USB-audio device is going away. I'd have to check, but I think its
>> actually segfaulting it response to a disconnect of another piece of
>> the composite device the USB-audio device is part of, so the release
>> may actually be happening at the time the snd_card_disconnect is
>> occurring. I don't see any locking that would prevent bad things from
>> happening in this case, and the shutdown_files list is definitely
>> poisoned.
>
> OK, what about the patch below?
>
>
> Takashi
>
> ---
> From: Takashi Iwai <tiwai@...e.de>
> Subject: [PATCH] ALSA: Fix yet another race in disconnection
>
> This patch fixes a race between snd_card_file_remove() and
> snd_card_disconnect(). When the card is added to shutdown_files list
> in snd_card_disconnect(), but it's freed in snd_card_file_remove() at
> the same time, the shutdown_files list gets corrupted. The list member
> must be freed in snd_card_file_remove() as well.
>
> Reported-by: Russ Dill <russ.dill@...il.com>
> Signed-off-by: Takashi Iwai <tiwai@...e.de>
> ---
> sound/core/init.c | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/sound/core/init.c b/sound/core/init.c
> index 3e65da2..a0080aa 100644
> --- a/sound/core/init.c
> +++ b/sound/core/init.c
> @@ -848,6 +848,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file)
> return -ENOMEM;
> mfile->file = file;
> mfile->disconnected_f_op = NULL;
> + INIT_LIST_HEAD(&mfile->shutdown_list);
> spin_lock(&card->files_lock);
> if (card->shutdown) {
> spin_unlock(&card->files_lock);
> @@ -883,6 +884,9 @@ int snd_card_file_remove(struct snd_card *card, struct file *file)
> list_for_each_entry(mfile, &card->files_list, list) {
> if (mfile->file == file) {
> list_del(&mfile->list);
> + spin_lock(&shutdown_lock);
> + list_del(&mfile->shutdown_list);
> + spin_unlock(&shutdown_lock);
> if (mfile->disconnected_f_op)
> fops_put(mfile->disconnected_f_op);
> found = mfile;
> --
> 1.7.4.1
It looks sane, I'll run it through my torture (about 24hr) testing and
let you know.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists