[PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free

Next message: syzbot: "Re: [syzbot] [ext4?] KASAN: slab-use-after-free Read in __ext4_check_dir_entry"
Previous message: kernel test robot: "Re: [PATCH v3 03/12] media: v4l: fwnode: Support ACPI's _PLD for v4l2_fwnode_device_parse"
Next in thread: Takashi Iwai: "Re: [PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jeongjun Park

Date: Sat Sep 27 2025 - 00:43:32 EST

The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
removal") patched a UAF issue caused by the error timer.

However, because the error timer kill added in this patch occurs after the
endpoint delete, a race condition to UAF still occurs, albeit rarely.

Therefore, to prevent this, the error timer must be killed before freeing
the heap memory.

Cc: <stable@xxxxxxxxxxxxxxx>
Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx>
---
sound/usb/midi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index acb3bf92857c..8d15f1caa92b 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
{
int i;

+ timer_shutdown_sync(&umidi->error_timer);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
if (ep->out)
@@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
snd_usbmidi_in_endpoint_delete(ep->in);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}

--