Paths

Table of Contentst

-
sys/dev/sound/
-
dev/
-
sound/
9/9
dummy.c

snd_dummy: Drain callout during detach
ClosedPublic
Actions

Authored by christos on Sep 20 2024, 2:57 PM.

Details

Reviewers

markj
emaste
dev_submerge.ch

Commits

rG8065f1af82d1: snd_dummy: Drain callout during detach
rGe42c82678219: snd_dummy: Drain callout during detach

Summary

If we do not enter dummy_chan_trigger() before detaching, we'll get a
use-after-free since the callout(9) callback might be called after
having been detached.

Sponsored by: The FreeBSD Foundation
MFC after: 2 days

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 59538
Build 56425: arc lint + arc unit

Event Timeline

christos created this revision.Sep 20 2024, 2:57 PM

Herald added a subscriber: imp. · View Herald TranscriptSep 20 2024, 2:57 PM

christos requested review of this revision.Sep 20 2024, 2:57 PM

Harbormaster completed remote builds in B59538: Diff 143539.Sep 20 2024, 2:57 PM

callout_drain perhaps?

In D46715#1065214, @emaste wrote:

callout_drain perhaps?

callout_drain() will wait for the callout to finish, instead of stopping it immediately. Is there an advantage to using this?

In D46715#1065271, @christos wrote:

In D46715#1065214, @emaste wrote:

callout_drain perhaps?

callout_drain() will wait for the callout to finish, instead of stopping it immediately. Is there an advantage to using this?

Yes, it ensures that the callout won't be running while dummy_detach() runs concurrently. This patch makes the use-after-free harder to hit, but doesn't fix it completely.

In D46715#1065298, @markj wrote:

In D46715#1065271, @christos wrote:

In D46715#1065214, @emaste wrote:

callout_drain perhaps?

callout_drain() will wait for the callout to finish, instead of stopping it immediately. Is there an advantage to using this?

Yes, it ensures that the callout won't be running while dummy_detach() runs concurrently. This patch makes the use-after-free harder to hit, but doesn't fix it completely.

If the callout stops before pcm_unregister() is called, read/write operations will have stopped already in the case of snd_dummy, so we shouldn't hit any use-after-free. That being said, I guess it could be made even more robust by check whether &sc->chans[i] is NULL in the dummy_chan_io() loop, even though the channels pointed to by sc->chans are freed in pcm_unregister().

christos retitled this revision from snd_dummy: Cancel callout during detach to snd_dummy: Drain callout during detach.Sep 21 2024, 3:13 PM

Use callout_drain().

Harbormaster completed remote builds in B59554: Diff 143573.Sep 21 2024, 3:13 PM

markj accepted this revision.Sep 21 2024, 3:18 PM

This revision is now accepted and ready to land.Sep 21 2024, 3:18 PM

emaste accepted this revision.Sep 21 2024, 5:20 PM

dev_submerge.ch accepted this revision.Sep 28 2024, 4:37 PM

Closed by commit rGe42c82678219: snd_dummy: Drain callout during detach (authored by christos). · Explain WhyOct 18 2024, 8:45 AM

This revision was automatically updated to reflect the committed changes.

christos added a commit: rGe42c82678219: snd_dummy: Drain callout during detach.

christos added a commit: rG8065f1af82d1: snd_dummy: Drain callout during detach.Oct 20 2024, 11:22 AM

Revision Contents
Changeset List

Path

Size

sys/

dev/

sound/

dummy.c

1 line

Diff 143539

View Options

sys/dev/sound/dummy.c

Show First 20 Lines • Show All 110 Lines • ▼ Show 20 Lines	do_buff_decode(u_int8_t *databuf, size_t len,
int done = 0;		int done = 0;
static u_char mask[] = {0, 0x01, 0x03, 0x07, 0x0f,		static u_char mask[] = {0, 0x01, 0x03, 0x07, 0x0f,
0x1f, 0x3f, 0x7f, 0xff};		0x1f, 0x3f, 0x7f, 0xff};
int value;		int value;
u_char *base = databuf;		u_char *base = databuf;
char *intendp;		char *intendp;
char letter;		char letter;
char field_name[80];		char field_name[80];

# define ARG_PUT(ARG) \		# define ARG_PUT(ARG) \
		cemUnsubmitted Done Inline Actions 99% of the time assert(3) will just compile out in userspace. Does this library have any other use of assert(3) (i.e. does it expect anybody to actually compile with -DDEBUG or whatever)? cem: 99% of the time assert(3) will just compile out in userspace. Does this library have any other…
		ngieAuthorUnsubmitted Done Inline Actions It doesn't. I'll remove the asserts since they're inconsistent, but will add this to a list of items that need to be fixed in libcam, from an API perspective. ngie: It doesn't. I'll remove the asserts since they're inconsistent, but will add this to a list of…
		markjUnsubmitted Done Inline Actions assert(3) is opt-out. You need to compile with -DNDEBUG to disable them. We only do that in bsd.{lib,prog}.mk if WITHOUT_ASSERT_DEBUG is set. So they're on by default AFAIK. markj: assert(3) is opt-out. You need to compile with -DNDEBUG to disable them. We only do that in bsd.
		cemUnsubmitted Done Inline Actions For some (incorrect) reason I thought -DNDEBUG got inserted automatically at -O1 and higher. It looks like that is not the case for compilers. However, toolchains (autoconf, CMake, FreeBSD build process) may insert the flag automatically for optimized builds. cem: For some (incorrect) reason I thought -DNDEBUG got inserted automatically at -O1 and higher.
do \		do \
{ \		{ \
if (!suppress) \		if (!suppress) \
{ \		{ \
if (arg_put) \		if (arg_put) \
(*arg_put)(puthook, (letter == 't' ? \		(*arg_put)(puthook, (letter == 't' ? \
'b' : letter), \		'b' : letter), \
(void *)((long)(ARG)), width, \		(void *)((long)(ARG)), width, \
field_name); \		field_name); \
else \		else \
(va_arg(ap, int )) = (ARG); \		(va_arg(ap, int )) = (ARG); \
		cemUnsubmitted Done Inline Actions Wowza. cem: Wowza.
		ngieAuthorUnsubmitted Done Inline Actions Yup.. ngie: Yup..
assigned++; \		assigned++; \
} \		} \
field_name[0] = 0; \		field_name[0] = 0; \
suppress = 0; \		suppress = 0; \
} while (0)		} while (0)

u_char bits = 0; /* For bit fields */		u_char bits = 0; /* For bit fields */
int shift = 0; /* Bits already shifted out */		int shift = 0; /* Bits already shifted out */
▲ Show 20 Lines • Show All 517 Lines • ▼ Show 20 Lines	#endif

return encoded;		return encoded;
}		}

int		int
csio_decode(struct ccb_scsiio csio, const char fmt, ...)		csio_decode(struct ccb_scsiio csio, const char fmt, ...)
{		{
va_list ap;		va_list ap;
		int retval;

va_start(ap, fmt);		va_start(ap, fmt);

return(do_buff_decode(csio->data_ptr, (size_t)csio->dxfer_len,		retval = do_buff_decode(csio->data_ptr, (size_t)csio->dxfer_len, 0, 0,
0, 0, fmt, ap));		fmt, ap);

		va_end(ap);

		return (retval);
}		}

int		int
csio_decode_visit(struct ccb_scsiio csio, const char fmt,		csio_decode_visit(struct ccb_scsiio csio, const char fmt,
void (arg_put)(void , int, void , int, char ),		void (arg_put)(void , int, void , int, char ),
void *puthook)		void *puthook)
{		{
va_list ap;		va_list ap;
		int retval;

/*		/*
* We need some way to output things; we can't do it without		* We need some way to output things; we can't do it without
* the arg_put function.		* the arg_put function.
*/		*/
if (arg_put == NULL)		if (arg_put == NULL)
return(-1);		return (-1);

bzero(&ap, sizeof(ap));		bzero(&ap, sizeof(ap));
		cemUnsubmitted Done Inline Actions This is probably not a portable assumption. cem: This is probably not a portable assumption.
		ngieAuthorUnsubmitted Done Inline Actions Agreed. ngie: Agreed.

return(do_buff_decode(csio->data_ptr, (size_t)csio->dxfer_len,		retval = do_buff_decode(csio->data_ptr, (size_t)csio->dxfer_len,
arg_put, puthook, fmt, ap));		arg_put, puthook, fmt, ap);

		va_end(ap);
		cemUnsubmitted Done Inline Actions No va_start here. cem: No va_start here.

		return (retval);
}		}

int		int
buff_decode(u_int8_t buff, size_t len, const char fmt, ...)		buff_decode(u_int8_t buff, size_t len, const char fmt, ...)
{		{
va_list ap;		va_list ap;
		int retval;

va_start(ap, fmt);		va_start(ap, fmt);

return(do_buff_decode(buff, len, 0, 0, fmt, ap));		retval = do_buff_decode(buff, len, 0, 0, fmt, ap);

		va_end(ap);

		return (retval);
}		}

int		int
buff_decode_visit(u_int8_t buff, size_t len, const char fmt,		buff_decode_visit(u_int8_t buff, size_t len, const char fmt,
void (arg_put)(void , int, void , int, char ),		void (arg_put)(void , int, void , int, char ),
void *puthook)		void *puthook)
{		{
va_list ap;		va_list ap;
Show All 19 Lines	csio_build(struct ccb_scsiio csio, u_int8_t data_ptr, u_int32_t dxfer_len,
u_int32_t flags, int retry_count, int timeout, const char *cmd_spec,		u_int32_t flags, int retry_count, int timeout, const char *cmd_spec,
...)		...)
{		{
size_t cmdlen;		size_t cmdlen;
int retval;		int retval;
va_list ap;		va_list ap;

if (csio == NULL)		if (csio == NULL)
return(0);		return (0);

bzero(csio, sizeof(struct ccb_scsiio));		bzero(csio, sizeof(struct ccb_scsiio));

va_start(ap, cmd_spec);		va_start(ap, cmd_spec);

if ((retval = do_encode(csio->cdb_io.cdb_bytes, SCSI_MAX_CDBLEN,		if ((retval = do_encode(csio->cdb_io.cdb_bytes, SCSI_MAX_CDBLEN,
&cmdlen, NULL, NULL, cmd_spec, ap)) == -1)		&cmdlen, NULL, NULL, cmd_spec, ap)) == -1)
return(retval);		goto done;

cam_fill_csio(csio,		cam_fill_csio(csio,
/* retries */ retry_count,		/* retries */ retry_count,
/* cbfcnp */ NULL,		/* cbfcnp */ NULL,
/* flags */ flags,		/* flags */ flags,
/* tag_action */ MSG_SIMPLE_Q_TAG,		/* tag_action */ MSG_SIMPLE_Q_TAG,
/* data_ptr */ data_ptr,		/* data_ptr */ data_ptr,
/* dxfer_len */ dxfer_len,		/* dxfer_len */ dxfer_len,
/* sense_len */ SSD_FULL_SIZE,		/* sense_len */ SSD_FULL_SIZE,
/* cdb_len */ cmdlen,		/* cdb_len */ cmdlen,
/* timeout */ timeout ? timeout : 5000);		/* timeout */ timeout ? timeout : 5000);

		done:
		va_end(ap);

return(retval);		return (retval);
}		}

int		int
csio_build_visit(struct ccb_scsiio csio, u_int8_t data_ptr,		csio_build_visit(struct ccb_scsiio csio, u_int8_t data_ptr,
u_int32_t dxfer_len, u_int32_t flags, int retry_count,		u_int32_t dxfer_len, u_int32_t flags, int retry_count,
int timeout, const char *cmd_spec,		int timeout, const char *cmd_spec,
int (arg_get)(void hook, char field_name), void gethook)		int (arg_get)(void hook, char field_name), void gethook)
{		{
Show All 32 Lines	csio_build_visit(struct ccb_scsiio csio, u_int8_t data_ptr,

return(retval);		return(retval);
}		}

int		int
csio_encode(struct ccb_scsiio csio, const char fmt, ...)		csio_encode(struct ccb_scsiio csio, const char fmt, ...)
{		{
va_list ap;		va_list ap;
		int retval;

if (csio == NULL)		if (csio == NULL)
return(0);		return (0);

va_start(ap, fmt);		va_start(ap, fmt);

return(do_encode(csio->data_ptr, csio->dxfer_len, 0, 0, 0, fmt, ap));		retval = do_encode(csio->data_ptr, csio->dxfer_len, 0, 0, 0, fmt, ap);

		va_end(ap);

		return (retval);
}		}

int		int
buff_encode_visit(u_int8_t buff, size_t len, const char fmt,		buff_encode_visit(u_int8_t buff, size_t len, const char fmt,
int (arg_get)(void hook, char field_name), void gethook)		int (arg_get)(void hook, char field_name), void gethook)
{		{
va_list ap;		va_list ap;

Show All 30 Lines

snd_dummy: Drain callout during detachClosedPublicActions