diff options
| author | Takashi Iwai <tiwai@suse.de> | 2020-06-16 14:09:21 +0200 |
|---|---|---|
| committer | Sasha Levin <sashal@kernel.org> | 2020-06-30 15:36:47 -0400 |
| commit | 3621616af99bac4cf55728265ce886f36e6a3fed (patch) | |
| tree | f95f50f746566f47ea0a242e1ff84eb33747bb35 /sound/usb | |
| parent | 335add4ac891c3c5094e5b30cce004322f284ca4 (diff) | |
ALSA: usb-audio: Fix potential use-after-free of streams
[ Upstream commit ff58bbc7b9704a5869204176f804eff57307fef0 ]
With the recent full-duplex support of implicit feedback streams, an
endpoint can be still running after closing the capture stream as long
as the playback stream with the sync-endpoint is running. In such a
state, the URBs are still be handled and they may call retire_data_urb
callback, which tries to transfer the data from the PCM buffer. Since
the PCM stream gets closed, this may lead to use-after-free.
This patch adds the proper clearance of the callback at stopping the
capture stream for addressing the possible UAF above.
Fixes: 10ce77e4817f ("ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback")
Link: https://lore.kernel.org/r/20200616120921.12249-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'sound/usb')
| -rw-r--r-- | sound/usb/pcm.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c index 6c391e5fad2a..c36e6c97d09a 100644 --- a/sound/usb/pcm.c +++ b/sound/usb/pcm.c @@ -1778,6 +1778,7 @@ static int snd_usb_substream_capture_trigger(struct snd_pcm_substream *substream return 0; case SNDRV_PCM_TRIGGER_STOP: stop_endpoints(subs, false); + subs->data_endpoint->retire_data_urb = NULL; subs->running = 0; return 0; case SNDRV_PCM_TRIGGER_PAUSE_PUSH: |