snd_dummy: Drain callout during detach
Closed, Public

Authored by christos on Sep 20 2024, 2:57 PM.
Details

Summary

If we do not enter dummy_chan_trigger() before detaching, we'll get a
use-after-free since the callout(9) callback might be called after
having been detached.

Sponsored by: The FreeBSD Foundation
MFC after: 2 days

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

callout_drain perhaps?

callout_drain() will wait for the callout to finish, instead of stopping it immediately. Is there an advantage to using this?

Yes, it ensures that the callout won't be running while dummy_detach() runs concurrently. This patch makes the use-after-free harder to hit, but doesn't fix it completely.

If the callout stops before pcm_unregister() is called, read/write operations will have stopped already in the case of snd_dummy, so we shouldn't hit any use-after-free. That being said, I guess it could be made even more robust by checking whether &sc->chans[i] is NULL in the dummy_chan_io() loop, even though the channels pointed to by sc->chans are freed in pcm_unregister().
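
As an added illustration, not code from this revision or from the snd_dummy driver, the following userland pthreads model shows the two cancellation semantics the thread compares: a callout_stop()-style cancel returns while the callback body may still be executing, so the free that follows races with it, whereas a callout_drain()-style cancel waits for the body to return first. The struct names, the `go` flag that holds the callback mid-body, and `detach()` are hypothetical stand-ins; one worker thread plays the part of softclock.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

/* Minimal model of one callout(9) entry whose callback is already executing;
 * a worker thread stands in for softclock. The not-yet-started case, which both
 * callout_stop() and callout_drain() cancel outright, is left out. */
struct callout { pthread_mutex_t mtx; pthread_cond_t cv; pthread_t thr; bool running; };
/* Hypothetical softc; 'go' only holds the callback mid-body so the race is reproducible. */
struct softc { struct callout co; bool go, freed; int uaf; };

static void *softclock(void *p) {            /* runs the callback body, then clears 'running' */
	struct softc *sc = p;
	pthread_mutex_lock(&sc->co.mtx);
	sc->co.running = true; pthread_cond_broadcast(&sc->co.cv);
	while (!sc->go) pthread_cond_wait(&sc->co.cv, &sc->co.mtx);   /* held mid-body here */
	pthread_mutex_unlock(&sc->co.mtx);
	if (sc->freed) sc->uaf++;                /* dummy_chan_io() would dereference freed channels */
	pthread_mutex_lock(&sc->co.mtx);
	sc->co.running = false; pthread_cond_broadcast(&sc->co.cv);
	pthread_mutex_unlock(&sc->co.mtx);
	return NULL;
}
/* wait == false models callout_stop(): return at once even if the body is running.
 * wait == true models callout_drain(): block until the in-flight body has returned. */
static void co_cancel(struct callout *c, bool wait) {
	pthread_mutex_lock(&c->mtx);
	while (wait && c->running) pthread_cond_wait(&c->cv, &c->mtx);
	pthread_mutex_unlock(&c->mtx);
}
static void release(struct softc *sc) {      /* let the held callback body continue */
	pthread_mutex_lock(&sc->co.mtx); sc->go = true;
	pthread_cond_broadcast(&sc->co.cv); pthread_mutex_unlock(&sc->co.mtx);
}
/* Detach while the callback is mid-flight; returns the number of use-after-free touches. */
int detach(bool drain) {
	struct softc sc = {0};
	pthread_mutex_init(&sc.co.mtx, NULL); pthread_cond_init(&sc.co.cv, NULL);
	pthread_create(&sc.co.thr, NULL, softclock, &sc);
	pthread_mutex_lock(&sc.co.mtx);
	while (!sc.co.running) pthread_cond_wait(&sc.co.cv, &sc.co.mtx);  /* body has started */
	pthread_mutex_unlock(&sc.co.mtx);
	if (drain) { release(&sc); co_cancel(&sc.co, true); }  /* returns after the body ends */
	else co_cancel(&sc.co, false);                          /* returns with the body live */
	sc.freed = true;                                        /* pcm_unregister()/free() step */
	if (!drain) release(&sc);
	pthread_join(sc.co.thr, NULL);
	return sc.uaf;
}
```

`detach(false)` reports one touch of the freed softc and `detach(true)` reports none, which is the difference the revision's retitle from "Cancel" to "Drain" reflects.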

christos retitled this revision from "snd_dummy: Cancel callout during detach" to "snd_dummy: Drain callout during detach". Sep 21 2024, 3:13 PM
This revision is now accepted and ready to land. Sep 21 2024, 3:18 PM
This revision was automatically updated to reflect the committed changes.