On Sat, 06 Feb 2021 09:28:51 +0100, Takashi Iwai wrote:
>
> On Sat, 06 Feb 2021 08:48:05 +0100,
> Takashi Iwai wrote:
> >
> > On Sat, 06 Feb 2021 06:45:32 +0100,
> > Hillf Danton wrote:
> > >
> > > Due to the reconnecting key word mentioned, no fix to
> > > d0f09d1e4a88 ("ALSA: usb-audio: Refactoring endpoint URB deactivation")
> > > will be added.
> > >
> > > What is added is to capture EP_FLAG_STOPPING and remove the one
> > > second wait limit if the reconnecting acts may make it easier to
> > > repro the uaf. The diff is only for idea show.
> >
> > If my understanding is right, this won't change. The problem is
> > rather the lack of this function call itself, i.e. the missing
> > synchronization for the stream stop.
> >
> > It worked casually in the past because the endpoint resource is
> > released at a later point that is after all streams are really closed.
> > Now it's released earlier and hitting the UAF.
>
> ... and reading the code in a closer look, my guess was also wrong.
> The sync should have happened in snd_usb_endpoint_release(), and this
> didn't change for quite some time. So my previous fix won't be
> effective, too, I'm afraid. (And Hillf's patch won't help, either; if
> it's effective, there must have been a timeout error in the original
> case.)
>
> That said, I don't think this is a newly introduced regression, and
> the race condition could be in a hairy detail.
>
> Mikhail, can you reproduce this bug reliably?

And if you can reproduce the problem, please try the
topic/pcm-sync-stop-fixes branch of my sound git tree
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git

Takashi