On Sat, 06 Feb 2021 08:48:05 +0100, Takashi Iwai wrote:
On Sat, 06 Feb 2021 06:45:32 +0100, Hillf Danton wrote:
Due to the reconnecting key word mentioned, no fix to d0f09d1e4a88 ("ALSA: usb-audio: Refactoring endpoint URB deactivation") will be added.
What is added is to capture EP_FLAG_STOPPING and remove the one second wait limit if the reconnecting acts may make it easier to repro the uaf. The diff is only for idea show.
If my understanding is right, this won't change. The problem is rather the lack of this function call itself, i.e. the missing synchronization for the stream stop.
It worked casually in the past because the endpoint resource is released at a later point that is after all streams are really closed. Now it's released earlier and hitting the UAF.
... and reading the code in a closer look, my guess was also wrong. The sync should have happened in snd_usb_endpoint_release(), and this didn't change for quite some time. So my previous fix won't be effective, either, I'm afraid. (And Hillf's patch won't help, either; if it's effective, there must have been a timeout error in the original case.)
That said, I don't think this is a newly introduced regression, and the race condition could be in a hairy detail.
Mikhail, can you reproduce this bug reliably?
Takashi