Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-25 13:41:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
051e0840ff
linux/sound
History
Duoming Zhou 051e0840ff ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs 
The dreamcastcard->timer could schedule the spu_dma_work and the
spu_dma_work could also arm the dreamcastcard->timer.

When the snd_pcm_substream is closing, the aica_channel will be
deallocated. But it could still be dereferenced in the worker
thread. The reason is that del_timer() will return directly
regardless of whether the timer handler is running or not and
the worker could be rescheduled in the timer handler. As a result,
the UAF bug will happen. The racy situation is shown below:

      (Thread 1)                 |      (Thread 2)
snd_aicapcm_pcm_close()          |
 ...                             |  run_spu_dma() //worker
                                 |    mod_timer()
  flush_work()                   |
  del_timer()                    |  aica_period_elapsed() //timer
  kfree(dreamcastcard->channel)  |    schedule_work()
                                 |  run_spu_dma() //worker
  ...                            |    dreamcastcard->channel-> //USE

In order to mitigate this bug and other possible corner cases,
call mod_timer() conditionally in run_spu_dma(), then implement
PCM sync_stop op to cancel both the timer and worker. The sync_stop
op will be called from PCM core appropriately when needed.

Fixes: 198de43d75 ("[ALSA] Add ALSA support for the SEGA Dreamcast PCM device")
Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Message-ID: <20240326094238.95442-1-duoming@zju.edu.cn>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2024-03-26 12:18:54 +01:00
..
ac97 ALSA: ac97: fix build regression 2024-01-03 11:47:04 +01:00
aoa ALSA: aoa: make soundbus_bus_type const 2024-02-15 13:48:03 +01:00
arm ALSA: aaci: Delete unused variable in aaci_do_suspend 2024-03-12 12:30:51 +01:00
atmel ALSA: Explicitly include correct DT includes 2023-07-16 14:50:56 +02:00
core ALSA: control: Fix unannotated kfree() cleanup 2024-03-20 07:30:48 +01:00
drivers ALSA: pcsp: Replace with DEFINE_SIMPLE_DEV_PM_OPS() 2024-02-12 11:50:24 +01:00
firewire Merge branch 'for-linus' into for-next 2024-02-21 11:17:06 +01:00
hda ALSA: hda: intel-nhlt: add intel_nhlt_ssp_device_type() function 2024-03-22 12:40:46 +01:00
i2c
isa ALSA: wavefront: copy userspace array safely 2023-11-20 12:38:31 +01:00
mips
oss OSS: dmasound/paula: Convert to platform remove callback returning void 2023-11-09 17:44:52 +01:00
parisc
pci ALSA: hda: cs35l56: Set the init_done flag before component_add() 2024-03-25 17:19:46 +01:00
pcmcia
ppc ALSA: Explicitly include correct DT includes 2023-07-16 14:50:56 +02:00
sh ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs 2024-03-26 12:18:54 +01:00
soc ASoC: SOF: ipc4-topology: support NHLT device type 2024-03-22 12:40:46 +01:00
sparc ALSA: Explicitly include correct DT includes 2023-07-16 14:50:56 +02:00
spi ALSA: at73c213: Replace with DEFINE_SIMPLE_DEV_PM_OPS() 2024-02-12 11:50:25 +01:00
synth ALSA: synth: Save a few bytes of memory when registering a 'snd_emux' 2024-01-22 13:04:22 +01:00
usb Revert "ALSA: usb-audio: Name feature ctl using output if input is PCM" 2024-03-17 09:32:49 +01:00
virtio ALSA: virtio: Fix "Coverity: virtsnd_kctl_tlv_op(): Uninitialized variables" warning. 2024-02-16 15:01:31 +01:00
x86 drm/edid: include drm_eld.h only where required 2023-11-09 16:47:31 +02:00
xen ALSA: xen: Fix -Wformat-truncation warning 2023-09-15 13:21:35 +02:00
ac97_bus.c ALSA: mark all struct bus_type as const 2023-12-30 10:10:41 +01:00
Kconfig This pull request contains the following changes for UML: 2023-09-04 11:32:21 -07:00
last.c
Makefile
sound_core.c