Page MenuHomeFreeBSD
Differential D46715

snd_dummy: Drain callout during detach
ClosedPublic
Actions

Authored by christos on Sep 20 2024, 2:57 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Nov 16, 6:06 AM
Unknown Object (File)
Fri, Nov 1, 4:39 AM
Unknown Object (File)
Fri, Nov 1, 2:29 AM
Unknown Object (File)
Mon, Oct 28, 11:50 AM
Unknown Object (File)
Thu, Oct 24, 12:23 AM
Unknown Object (File)
Mon, Oct 21, 11:00 AM
Unknown Object (File)
Oct 18 2024, 11:12 AM
Unknown Object (File)
Oct 18 2024, 3:00 AM
View All 19 Files
Subscribers
imp

Details

Reviewers
markj
emaste
dev_submerge.ch
Commits
rG8065f1af82d1: snd_dummy: Drain callout during detach
rGe42c82678219: snd_dummy: Drain callout during detach
Summary

If we do not enter dummy_chan_trigger() before detaching, we'll get a
use-after-free since the callout(9) callback might be called after
having been detached.

Sponsored by: The FreeBSD Foundation
MFC after: 2 days

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

christos created this revision.Sep 20 2024, 2:57 PM
Herald added a subscriber: imp. · View Herald TranscriptSep 20 2024, 2:57 PM
christos requested review of this revision.Sep 20 2024, 2:57 PM
Harbormaster completed remote builds in B59538: Diff 143539.Sep 20 2024, 2:57 PM
emaste added a comment.Sep 20 2024, 6:46 PM

callout_drain perhaps?

christos added a comment.Sep 21 2024, 11:08 AM
In D46715#1065214, @emaste wrote:

callout_drain perhaps?

callout_drain() will wait for the callout to finish, instead of stopping it immediately. Is there an advantage to using this?

markj added a comment.Sep 21 2024, 12:48 PM
In D46715#1065271, @christos wrote:
In D46715#1065214, @emaste wrote:

callout_drain perhaps?

callout_drain() will wait for the callout to finish, instead of stopping it immediately. Is there an advantage to using this?

Yes, it ensures that the callout won't be running while dummy_detach() runs concurrently. This patch makes the use-after-free harder to hit, but doesn't fix it completely.

christos added a comment.Sep 21 2024, 12:56 PM
In D46715#1065298, @markj wrote:
In D46715#1065271, @christos wrote:
In D46715#1065214, @emaste wrote:

callout_drain perhaps?

callout_drain() will wait for the callout to finish, instead of stopping it immediately. Is there an advantage to using this?

Yes, it ensures that the callout won't be running while dummy_detach() runs concurrently. This patch makes the use-after-free harder to hit, but doesn't fix it completely.

If the callout stops before pcm_unregister() is called, read/write operations will have stopped already in the case of snd_dummy, so we shouldn't hit any use-after-free. That being said, I guess it could be made even more robust by check whether &sc->chans[i] is NULL in the dummy_chan_io() loop, even though the channels pointed to by sc->chans are freed in pcm_unregister().

christos retitled this revision from snd_dummy: Cancel callout during detach to snd_dummy: Drain callout during detach.Sep 21 2024, 3:13 PM
christos updated this revision to Diff 143573.Sep 21 2024, 3:13 PM

Use callout_drain().

Harbormaster completed remote builds in B59554: Diff 143573.Sep 21 2024, 3:13 PM
markj accepted this revision.Sep 21 2024, 3:18 PM
This revision is now accepted and ready to land.Sep 21 2024, 3:18 PM
emaste accepted this revision.Sep 21 2024, 5:20 PM
dev_submerge.ch accepted this revision.Sep 28 2024, 4:37 PM
Closed by commit rGe42c82678219: snd_dummy: Drain callout during detach (authored by christos). · Explain WhyOct 18 2024, 8:45 AM
This revision was automatically updated to reflect the committed changes.
christos added a commit: rGe42c82678219: snd_dummy: Drain callout during detach.
christos added a commit: rG8065f1af82d1: snd_dummy: Drain callout during detach.Oct 20 2024, 11:22 AM

Revision Contents
Changeset List

PathSize
sys/
dev/
sound/
1 line

Diff 145087

View Options

sys/dev/sound/dummy.c

Loading...