Hello, Takashi, Jaroslav, all,
Please, see the research and the following patch on a double-free bug in
[snd-usb-audio].
1) The upstream commits 0f886ca1, 902eb7fd and 447d6275f (many thanks to
Takashi Iwai) revealed that there is a double-free bug in [snd-usb-audio]
module due to alloc/free logic flaw in snd_usb_add_audio_stream() function. A
double-free leads to kernel structure/list/slab corruptions and shortly to
null-deref, GPF or lockup.
2.1) Let me describe what happens with the current code in usb_audio_probe(),
create_fixed_stream_quirk() and snd_usb_add_audio_stream():
> [ sound/usb/card.c ]
> static int usb_audio_probe(struct usb_interface *intf,
> const struct usb_device_id *usb_id)
> {
> ...
> if (quirk && quirk->ifnum != QUIRK_NO_INTERFACE) {
> /* need some special handlings */
> err = snd_usb_create_quirk(chip, intf, &usb_audio_driver,
> quirk);
> if (err < 0)
> goto __error;
> }
> ...
> __error:
> if (chip) {
> if (!chip->num_interfaces)
> snd_card_free(chip->card);
Somewhere in the middle of usb_audio_probe() the function
snd_usb_create_quirk() is called, and if it returns with an error and no
interfaces were created, the sound card is destroyed with
"snd_card_free(chip->card)".
2.2) create_fixed_stream_quirk() is called from snd_usb_create_quirk():
> [ sound/usb/quirks.c ]
> static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
> struct usb_interface *iface,
> struct usb_driver *driver,
> const struct snd_usb_audio_quirk *quirk)
> {
> struct audioformat *fp;
> struct usb_host_interface *alts;
> struct usb_interface_descriptor *altsd;
> ...
> fp = kmemdup(quirk->data, sizeof(*fp), GFP_KERNEL);
> ...
> (*) stream = (fp->endpoint & USB_DIR_IN)
> (*) ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
> (*) err = snd_usb_add_audio_stream(chip, stream, fp);
> (*) if (err < 0)
> (*) goto error;
>
> if (fp->iface !=
> get_iface_desc(&iface->altsetting[0])->bInterfaceNumber ||
> fp->altset_idx >= iface->num_altsetting) {
> err = -EINVAL;
> goto error;
> }
> alts = &iface->altsetting[fp->altset_idx];
> altsd = get_iface_desc(alts);
> if (altsd->bNumEndpoints < 1) {
> err = -EINVAL;
> goto error;
> }
> ...
> error:
> kfree(fp);
> kfree(rate_table);
> return err;
> }
2.3) *fp is allocated and passed to snd_usb_add_audio_stream() where
snd_usb_init_substream() is called:
> [ sound/usb/stream.c ]
> int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
> int stream,
> struct audioformat *fp)
> {
> struct snd_usb_stream *as;
> struct snd_usb_substream *subs;
> struct snd_pcm *pcm;
> ...
> /* create a new pcm */
> as = kzalloc(sizeof(*as), GFP_KERNEL);
> ...
> snd_usb_init_substream(as, stream, fp);
2.4) In turn snd_usb_init_substream() adds audioformat *fp by its &fp->list to
substream's fmt_list list:
> [ sound/usb/stream.c ]
> static void snd_usb_init_substream(struct snd_usb_stream *as,
> int stream,
> struct audioformat *fp)
> {
> struct snd_usb_substream *subs = &as->substream[stream];
>
> INIT_LIST_HEAD(&subs->fmt_list);
> ...
> list_add_tail(&fp->list, &subs->fmt_list);
> subs->num_formats++;
2.5) Things go bad from this point in case snd_usb_add_audio_stream() or the
caller go the error path. The bug is that the caller frees (see "error:
kfree(fp);" code) *fp on the error path, BUT the pointer to the already-freed
memory remains in the substream's fmt_list list.
The double-free happens after create_fixed_stream_quirk() returns with an error
and usb_audio_probe() calls
snd_card_free()->...->snd_usb_audio_pcm_free()->free_substream(). As
subs->fmt_list is already corrupted, iterating it with
list_for_each_entry_safe() leads to any and unpredictable results.
> static void free_substream(struct snd_usb_substream *subs)
> {
> struct audioformat *fp, *n;
> ...
> list_for_each_entry_safe(fp, n, &subs->fmt_list, list) {
> ...
> kfree(fp);
3.1) The crash is reproduceable by faking the USB device with no endpoints as
described in https://bugzilla.redhat.com/show_bug.cgi?id=1283355 and
https://bugzilla.redhat.com/show_bug.cgi?id=1283358.
Please see as a proof the following kernel log with debug printing added to the
code. First, *fp is added to fmt_list in snd_usb_init_substream():
[ 322.797223] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 322.974083] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint
descriptors, different from the interface descriptor's value: 0
[ 322.987031] usb 1-1: New USB device found, idVendor=045e, idProduct=0283
[ 322.998318] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 323.083913] media: Linux media interface: v0.10
[ 323.231249] init_substream: add_tail() fp=ffff88003364ba80
fp->list.next=ffff8800b1e898b8 fp->list.prev=ffff8800b1e898b8
fmt_list=ffff8800b1e898b8 fmt_list.next=ffff88003364ba80 prev=ffff88003364ba80
num_formats=1
As you can see we have a correct list here with head at
fmt_list=ffff8800b1e898b8 and single element fp=ffff88003364ba80.
3.2) The code finds out that there are too few endpoints present and goes the
error path (to the "error:" label):
[ 323.307927] usb 1-1: too few endpoints
[ 323.312964] trace-before-free: substream-0 ffff8800b1e89818 numf 1 fmt_list
ffff8800b1e898b8 next ffff88003364ba80
[ 323.353759] fp=ffff88003364ba80 next=ffff8800b1e898b8 prev=ffff8800b1e898b8
rate=(null) chmap=(null)
[ 323.362118] struct sane
As you can see the substream's fmt_list is sane at this point.
3.3) After "kfree(fp)" in the error path of create_fixed_stream_quirk() *fp is
freed, BUT the pointer to the freed memory remains in fmt_list. After *fp is
freed the list is corrupted and contains trash:
[ 323.371752] KFREE(fp) ffff88003364ba80
[ 323.380383] trace-after-free: substream-0 ffff8800b1e89818 numf 1 fmt_list
ffff8800b1e898b8 next ffff88003364ba80
[ 323.400003] fp=ffff88003364ba80 next=ffff88003364bf80 prev=ffff8800b1e898b8
rate=(null) chmap=(null)
[ 323.406786] fp=ffff88003364bf80 next= (null) prev= (null)
rate=(null) chmap=(null)
[ 323.422211] next == NULL: FAIL, struct INSANE
[ 323.436706] KFREE(rate_table) (null)
3.4) After error return from create_fixed_stream_quirk() the sound card is
destroyed with "snd_card_free(chip->card)" in usb_audio_probe(). In the end
free_substream() is called:
[ 323.511256] usb 1-1: snd_usb_create_quirk() failed: -22
[ 323.565108] list_for_each_entry_safe(): fp=ffff88003364ba80
n=ffff88003364bf80
[ 323.586337] kfree fp ffff88003364ba80 <<<
DOUBLE-FREE
[ 323.588509] loop-end: fp=ffff88003364ba80 n=ffff88003364bf80
[ 323.599969] list_for_each_entry_safe(): fp=ffff88003364bf80 n=(null)
[ 323.610460] kfree fp ffff88003364bf80 <<<
FREEING SOMEONE ELSE'S MEMORY
[ 323.613181] loop-end: fp=ffff88003364bf80 n=(null) <<<
NULL-PTR DEREF
...
[ 324.247113] BUG: unable to handle kernel NULL pointer dereference at
(null)
[ 324.247533] IP: [<ffffffffc02d40ef>] free_substream.part.0+0xef/0x100
[snd_usb_audio]
[ 324.248088] PGD 0
[ 324.248088] Oops: 0000 [#1] SMP
[ 324.248088] Modules linked in: snd_usb_audio(+) snd_usbmidi_lib snd_hwdep ...
[ 324.248088] CPU: 2 PID: 767 Comm: systemd-udevd Not tainted 4.5.0-vladis #25
[ 324.248088] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 324.248088] task: ffff880034718000 ti: ffff8800b2fbc000 task.ti:
ffff8800b2fbc000
[ 324.248088] RIP: 0010:[<ffffffffc02d40ef>] [<ffffffffc02d40ef>]
free_substream.part.0+0xef/0x100 [snd_usb_audio]
[ 324.248088] RSP: 0018:ffff8800b2fbf898 EFLAGS: 00010217
...
[ 324.248088] Call Trace:
[ 324.248088] [<ffffffffc02d43fa>] snd_usb_audio_pcm_free+0x9a/0xa0
[snd_usb_audio]
[ 324.248088] [<ffffffffc028d982>] snd_pcm_free+0x32/0xa0 [snd_pcm]
[ 324.248088] [<ffffffffc028da02>] snd_pcm_dev_free+0x12/0x20 [snd_pcm]
[ 324.248088] [<ffffffffc027d279>] __snd_device_free+0x29/0x70 [snd]
[ 324.248088] [<ffffffffc027d660>] snd_device_free_all+0x30/0x60 [snd]
[ 324.248088] [<ffffffffc02777a4>] release_card_device+0x34/0x90 [snd]
[ 324.248088] [<ffffffff815ae2b2>] device_release+0x32/0x90
[ 324.248088] [<ffffffff81455f8a>] kobject_release+0x7a/0x190
[ 324.248088] [<ffffffff81455e47>] kobject_put+0x27/0x50
[ 324.248088] [<ffffffff815ae5f7>] put_device+0x17/0x20
[ 324.248088] [<ffffffffc0277b57>] snd_card_free+0x67/0x90 [snd]
[ 324.248088] [<ffffffffc02c4f14>] usb_audio_probe+0x754/0x9d0 [snd_usb_audio]
...
4.1) The suggested patch consists of 2 changes. First, I suppose we should move
the code in create_fixed_stream_quirk() marked as "(*)" (see above) after "if
(altsd->bNumEndpoints < 1)" check. This way no allocations is done if we go an
error path. I've checked that fp->iface and fp->altset_idx are not changed in
snd_usb_add_audio_stream() and functions called from it, so it is safe to swap
these 2 pieces of code.
4.2) The problem with double-free still remains. I've verified that all the
callers of snd_usb_add_audio_stream() free *fp in case of error:
$ git grep snd_usb_add_audio_stream
sound/usb/quirks.c: err = snd_usb_add_audio_stream(chip, stream, fp);
> * err = snd_usb_add_audio_stream(chip, stream, fp);
> * if (err < 0)
> * goto error;
> * error:
> * kfree(fp);
> * kfree(rate_table);
> * return err;
sound/usb/quirks.c: err = snd_usb_add_audio_stream(chip, stream, fp);
> * err = snd_usb_add_audio_stream(chip, stream, fp);
> * if (err < 0) {
> * kfree(fp);
> * return err;
> * }
sound/usb/stream.c: err = snd_usb_add_audio_stream(chip, stream,
fp);
> * err = snd_usb_add_audio_stream(chip, stream, fp);
> * if (err < 0) {
> * kfree(fp->rate_table);
> * kfree(fp->chmap);
> * kfree(fp);
> * return err;
> * }
This means that snd_usb_add_audio_stream() should remove *fp from the
substream's fmt_list list on the error path, if it was already added. Such
places are:
> int snd_usb_add_audio_stream(struct snd_usb_audio *chip, int stream, struct
> audioformat *fp)
> {
> struct snd_usb_stream *as;
> struct snd_usb_substream *subs;
> struct snd_pcm *pcm;
> int err;
>
> list_for_each_entry(as, &chip->pcm_list, list) {
> subs = &as->substream[stream];
> ...
> list_add_tail(&fp->list, &subs->fmt_list); <<< ADDING
> fp HERE
> subs->num_formats++;
> return 0; <<< NO
> ERROR PATH HERE
> }
> }
>
> /* look for an empty stream */
> list_for_each_entry(as, &chip->pcm_list, list) {
> subs = &as->substream[stream];
> ...
> snd_usb_init_substream(as, stream, fp); <<< ADDING fp HERE,
> IF add_chmap() FAILS
> return add_chmap(as->pcm, stream, subs); <<< fp SHOULD BE
> REMOVED FROM fmt_list
> }
>
> /* create a new pcm */
> as = kzalloc(sizeof(*as), GFP_KERNEL);
> err = snd_pcm_new(chip->card, "USB Audio", chip->pcm_devs,
> ...
> if (err < 0) { <<< fp IS NOT ADDED YET HERE, SO FINE
> kfree(as);
> return err;
> }
> ...
> snd_usb_init_substream(as, stream, fp); <<< ADDING fp
> HERE
> ... <<< IF
> add_chmap() FAILS fp SHOULD
> return add_chmap(pcm, stream, &as->substream[stream]); <<< BE
> REMOVED FROM fmt_list
> }
add_chmap() itself does not add anything to fmt_list list, so we indeed need to
remove only the single list element from the list. Having all the above in
mind, the patch follows.
4.3) How to handle possible error paths after successful call to
snd_usb_add_audio_stream() in create_fixed_stream_quirk() is d
iscussable. Properly it should be like the below, but I believe it is
overcomplication here would and stick to a simple error_after_add_audio_stream:
label:
> error2:
> snd_usb_del_audio_stream(...something...);
> error:
> kfree(fp);
> kfree(rate_table);
> return err;
Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
