aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTakashi Iwai2020-06-16 14:09:21 +0200
committerTakashi Iwai2020-06-17 10:08:12 +0200
commitff58bbc7b9704a5869204176f804eff57307fef0 (patch)
tree6c7a236d00a9dff28e3d78123bf40b6c2c73e302
parenta0b03952a797591d4b6d6fa7b9b7872e27783729 (diff)
ALSA: usb-audio: Fix potential use-after-free of streams
With the recent full-duplex support of implicit feedback streams, an endpoint can be still running after closing the capture stream as long as the playback stream with the sync-endpoint is running. In such a state, the URBs are still be handled and they may call retire_data_urb callback, which tries to transfer the data from the PCM buffer. Since the PCM stream gets closed, this may lead to use-after-free. This patch adds the proper clearance of the callback at stopping the capture stream for addressing the possible UAF above. Fixes: 10ce77e4817f ("ALSA: usb-audio: Add duplex sound support for USB devices using implicit feedback") Link: https://lore.kernel.org/r/20200616120921.12249-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de>
-rw-r--r--sound/usb/pcm.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c
index 84c0ae431936..a777d36c4f5a 100644
--- a/sound/usb/pcm.c
+++ b/sound/usb/pcm.c
@@ -1787,6 +1787,7 @@ static int snd_usb_substream_capture_trigger(struct snd_pcm_substream *substream
return 0;
case SNDRV_PCM_TRIGGER_STOP:
stop_endpoints(subs);
+ subs->data_endpoint->retire_data_urb = NULL;
subs->running = 0;
return 0;
case SNDRV_PCM_TRIGGER_PAUSE_PUSH: