Commit e5c33cdc authored by Cássio Gabriel's avatar Cássio Gabriel Committed by Takashi Iwai
Browse files

ALSA: aloop: Fix peer runtime UAF during format-change stop 



loopback_check_format() may stop the capture side when playback starts
with parameters that no longer match a running capture stream. Commit
826af7fa ("ALSA: aloop: Fix racy access at PCM trigger") moved
the peer lookup under cable->lock, but the actual snd_pcm_stop() still
runs after dropping that lock.

A concurrent close can clear the capture entry from cable->streams[] and
detach or free its runtime while the playback trigger path still holds a
stale peer substream pointer.

Keep a per-cable count of in-flight peer stops before dropping
cable->lock, and make free_cable() wait for those stops before
detaching the runtime. This preserves the existing behavior while
making the peer runtime lifetime explicit.

Reported-by: default avatar <syzbot+8fa95c41eafbc9d2ff6f@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=8fa95c41eafbc9d2ff6f


Fixes: 597603d6 ("ALSA: introduce the snd-aloop module for the PCM loopback")
Cc: stable@vger.kernel.org
Suggested-by: default avatarTakashi Iwai <tiwai@suse.com>
Signed-off-by: default avatarCássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260424-alsa-aloop-peer-stop-uaf-v2-1-94e68101db8a@gmail.com


Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
parent 901ac0ff

sound/drivers/aloop.c

+30 −13
Original line number Diff line number Diff line
@@ -99,6 +99,9 @@ struct loopback_ops { 
struct loopback_cable {

	spinlock_t lock;

	struct loopback_pcm *streams[2];

	/* in-flight peer stops running outside cable->lock */

	atomic_t stop_count;

	wait_queue_head_t stop_wait;

	struct snd_pcm_hardware hw;

	/* flags */

	unsigned int valid;
@@ -366,9 +369,12 @@ static int loopback_check_format(struct loopback_cable *cable, int stream) 
				return 0;

			if (stream == SNDRV_PCM_STREAM_CAPTURE)

				return -EIO;

			else if (cruntime->state == SNDRV_PCM_STATE_RUNNING)

			else if (cruntime->state == SNDRV_PCM_STATE_RUNNING) {

				/* close must not free the peer runtime below */

				atomic_inc(&cable->stop_count);

				stop_capture = true;

			}

		}



		setup = get_setup(dpcm_play);

		card = dpcm_play->loopback->card;
@@ -396,8 +402,11 @@ static int loopback_check_format(struct loopback_cable *cable, int stream) 
		}

	}



	if (stop_capture)

	if (stop_capture) {

		snd_pcm_stop(dpcm_capt->substream, SNDRV_PCM_STATE_DRAINING);

		if (atomic_dec_and_test(&cable->stop_count))

			wake_up(&cable->stop_wait);

	}



	return 0;

}
@@ -1049,24 +1058,30 @@ static void free_cable(struct snd_pcm_substream *substream) 
	struct loopback *loopback = substream->private_data;

	int dev = get_cable_index(substream);

	struct loopback_cable *cable;

	struct loopback_pcm *dpcm;

	bool other_alive;



	cable = loopback->cables[substream->number][dev];

	if (!cable)

		return;

	if (cable->streams[!substream->stream]) {

		/* other stream is still alive */

		guard(spinlock_irq)(&cable->lock);



	scoped_guard(spinlock_irq, &cable->lock) {

		cable->streams[substream->stream] = NULL;

	} else {

		struct loopback_pcm *dpcm = substream->runtime->private_data;

		other_alive = cable->streams[!substream->stream];

	}



	/* Pair with the stop_count increment in loopback_check_format(). */

	wait_event(cable->stop_wait, !atomic_read(&cable->stop_count));

	if (other_alive)

		return;



	dpcm = substream->runtime->private_data;

	if (cable->ops && cable->ops->close_cable && dpcm)

		cable->ops->close_cable(dpcm);

	/* free the cable */

	loopback->cables[substream->number][dev] = NULL;

	kfree(cable);

}

}



static int loopback_jiffies_timer_open(struct loopback_pcm *dpcm)

{
@@ -1260,6 +1275,8 @@ static int loopback_open(struct snd_pcm_substream *substream) 
			goto unlock;

		}

		spin_lock_init(&cable->lock);

		atomic_set(&cable->stop_count, 0);

		init_waitqueue_head(&cable->stop_wait);

		cable->hw = loopback_pcm_hardware;

		if (loopback->timer_source)

			cable->ops = &loopback_snd_timer_ops;