| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAO9qdTGktp71We9BAhsd3bewb9yKWyOjbnq2TQh0CaV7CqD6UA@mail.gmail.com> Date: Thu, 9 Oct 2025 21:42:04 +0900 From: Jeongjun Park <aha310510@...il.com> To: Greg KH <gregkh@...uxfoundation.org> Cc: stable@...r.kernel.org, Takashi Iwai <tiwai@...e.de>, syzbot+d8f72178ab6783a7daea@...kaller.appspotmail.com, Clemens Ladisch <clemens@...isch.de>, Jaroslav Kysela <perex@...ex.cz>, alsa-devel@...a-project.org, linux-sound@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 6.12.y 6.6.y 6.1.y 5.15.y 5.10.y 5.4.y] ALSA: usb-audio: Kill timer properly at removal Hi Greg, Greg KH <gregkh@...uxfoundation.org> wrote: > > On Thu, Oct 09, 2025 at 08:23:42PM +0900, Jeongjun Park wrote: > > Hi Greg, > > > > Greg KH <gregkh@...uxfoundation.org> wrote: > > > > > > On Wed, Oct 08, 2025 at 12:58:08AM +0900, Jeongjun Park wrote: > > > > From: Takashi Iwai <tiwai@...e.de> > > > > > > > > [ Upstream commit 0718a78f6a9f04b88d0dc9616cc216b31c5f3cf1 ] > > > > > > > > The USB-audio MIDI code initializes the timer, but in a rare case, the > > > > driver might be freed without the disconnect call. This leaves the > > > > timer in an active state while the assigned object is released via > > > > snd_usbmidi_free(), which ends up with a kernel warning when the debug > > > > configuration is enabled, as spotted by fuzzer. > > > > > > > > For avoiding the problem, put timer_shutdown_sync() at > > > > snd_usbmidi_free(), so that the timer can be killed properly. > > > > While we're at it, replace the existing timer_delete_sync() at the > > > > disconnect callback with timer_shutdown_sync(), too. > > > > > > > > Reported-by: syzbot+d8f72178ab6783a7daea@...kaller.appspotmail.com > > > > Closes: https://lore.kernel.org/681c70d7.050a0220.a19a9.00c6.GAE@google.com > > > > Cc: <stable@...r.kernel.org> > > > > Link: https://patch.msgid.link/20250519212031.14436-1-tiwai@suse.de > > > > Signed-off-by: Takashi Iwai <tiwai@...e.de> > > > > [ del_timer vs timer_delete differences ] > > > > Signed-off-by: Jeongjun Park <aha310510@...il.com> > > > > --- > > > > sound/usb/midi.c | 3 ++- > > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > > > diff --git a/sound/usb/midi.c b/sound/usb/midi.c > > > > index a792ada18863..c3de2b137435 100644 > > > > --- a/sound/usb/midi.c > > > > +++ b/sound/usb/midi.c > > > > @@ -1530,6 +1530,7 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) > > > > snd_usbmidi_in_endpoint_delete(ep->in); > > > > } > > > > mutex_destroy(&umidi->mutex); > > > > + timer_shutdown_sync(&umidi->error_timer); > > > > > > This function is not in older kernel versions, you did not test this > > > build :( > > > > > > I've applied this to 6.6.y and newer, but for 6.1.y and older, please > > > use the proper function. > > > > Sorry, I didn't realize that the timer_shutdown_sync() implementation > > commit wasn't backported to versions prior to 6.2. > > > > But why wasn't this feature backported to previous versions? I understand > > that most drivers write separate patches for pre-6.2 versions that don't > > implement timer_shutdown_sync() to address this type of bug. > > Features are not backported to older kernels. If you want this fix in > an older kernel, then you need to either backport that feature, or fix > up the driver to use whatever was used before that function existed. I could write a separate patch to fix this bug, but I'm not happy that great features like timer_shutdown_sync() haven't been backported. So, I'll try to backport the "timers: Provide timer_shutdown[_sync]()" patch series sometime soon. > > thanks, > > greg k-h Regards, Jeongjun Park
Powered by blists - more mailing lists