    ALSA: usb-audio: Fix race against the error recovery URB submission · 1a6bb2da
    Takashi Iwai authored
    commit 9b7e5208 upstream.
    
    USB MIDI driver has an error recovery mechanism to resubmit the URB in
    the delayed timer handler, and this may race with the standard start /
    stop operations.  Although both start and stop operations themselves
    don't race with each other due to the umidi->mutex protection,
    this isn't applied to the timer handler.
    
    For fixing this potential race, the following changes are applied:
    
    - Since the timer handler can't use the mutex, we apply the
      umidi->disc_lock protection at each input stream URB submission;
      this also needs to change the GFP flag to GFP_ATOMIC
    - Add a check of the URB refcount and skip if already submitted
    - Move the timer cancel call at disconnection to the beginning of the
      procedure; this assures the in-flight timer handler is gone properly
      before killing all pending URBs
    
    Reported-by: syzbot+0f4ecfe6a2c322c81728@syzkaller.appspotmail.com
    Reported-by: syzbot+5f1d24c49c1d2c427497@syzkaller.appspotmail.com
    Cc: <stable@vger.kernel.org>
    Link: https://lore.kernel.org/r/20200710160656.16819-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
midi.c 68.7 KB