Page MenuHomeFreeBSD
Differential D46715

snd_dummy: Drain callout during detach
AcceptedPublic
Actions

Authored by christos on Fri, Sep 20, 2:57 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Sep 29, 10:16 PM
Unknown Object (File)
Sun, Sep 29, 10:16 PM
Unknown Object (File)
Sun, Sep 29, 10:16 PM
Unknown Object (File)
Sat, Sep 28, 6:10 PM
Unknown Object (File)
Thu, Sep 26, 6:10 AM
Unknown Object (File)
Wed, Sep 25, 5:53 PM
Unknown Object (File)
Wed, Sep 25, 4:56 PM
Unknown Object (File)
Tue, Sep 24, 9:54 PM
View All 10 Files
Subscribers
imp

Details

Reviewers
markj
emaste
dev_submerge.ch
Summary

If we do not enter dummy_chan_trigger() before detaching, we'll get a
use-after-free since the callout(9) callback might be called after
having been detached.

Sponsored by: The FreeBSD Foundation
MFC after: 2 days

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 59554
Build 56441: arc lint + arc unit

Event Timeline

christos created this revision.Fri, Sep 20, 2:57 PM
Herald added a subscriber: imp. · View Herald TranscriptFri, Sep 20, 2:57 PM
christos requested review of this revision.Fri, Sep 20, 2:57 PM
Harbormaster completed remote builds in B59538: Diff 143539.Fri, Sep 20, 2:57 PM
emaste added a comment.Fri, Sep 20, 6:46 PM

callout_drain perhaps?

christos added a comment.Sat, Sep 21, 11:08 AM
In D46715#1065214, @emaste wrote:

callout_drain perhaps?

callout_drain() will wait for the callout to finish, instead of stopping it immediately. Is there an advantage to using this?

markj added a comment.Sat, Sep 21, 12:48 PM
In D46715#1065271, @christos wrote:
In D46715#1065214, @emaste wrote:

callout_drain perhaps?

callout_drain() will wait for the callout to finish, instead of stopping it immediately. Is there an advantage to using this?

Yes, it ensures that the callout won't be running while dummy_detach() runs concurrently. This patch makes the use-after-free harder to hit, but doesn't fix it completely.

christos added a comment.Sat, Sep 21, 12:56 PM
In D46715#1065298, @markj wrote:
In D46715#1065271, @christos wrote:
In D46715#1065214, @emaste wrote:

callout_drain perhaps?

callout_drain() will wait for the callout to finish, instead of stopping it immediately. Is there an advantage to using this?

Yes, it ensures that the callout won't be running while dummy_detach() runs concurrently. This patch makes the use-after-free harder to hit, but doesn't fix it completely.

If the callout stops before pcm_unregister() is called, read/write operations will have stopped already in the case of snd_dummy, so we shouldn't hit any use-after-free. That being said, I guess it could be made even more robust by check whether &sc->chans[i] is NULL in the dummy_chan_io() loop, even though the channels pointed to by sc->chans are freed in pcm_unregister().

christos retitled this revision from snd_dummy: Cancel callout during detach to snd_dummy: Drain callout during detach.Sat, Sep 21, 3:13 PM
christos updated this revision to Diff 143573.Sat, Sep 21, 3:13 PM

Use callout_drain().

Harbormaster completed remote builds in B59554: Diff 143573.Sat, Sep 21, 3:13 PM
markj accepted this revision.Sat, Sep 21, 3:18 PM
This revision is now accepted and ready to land.Sat, Sep 21, 3:18 PM
emaste accepted this revision.Sat, Sep 21, 5:20 PM
dev_submerge.ch accepted this revision.Sat, Sep 28, 4:37 PM

Revision Contents
Changeset List

PathSize
sys/
dev/
sound/
1 line

Diff 143573

View Options

sys/dev/sound/dummy.c

Loading...