Re: [PATCH] ALSA: 6fire: fix use-after-free on disconnect

Next message: Kuniyuki Iwashima: "Re: [PATCH net-next v7 10/10] selftests: net: Add tests for team driver decoupled tx and rx control"
Previous message: Rodolfo Giometti: "Re: [PATCH v3 2/3] pps: convert pps_device lock to raw_spinlock for PREEMPT_RT"
In reply to: Berk Cem Goksel: "[PATCH] ALSA: 6fire: fix use-after-free on disconnect"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Takashi Iwai

Date: Fri Apr 10 2026 - 02:40:10 EST

On Fri, 10 Apr 2026 07:13:41 +0200,
Berk Cem Goksel wrote:
>
> In usb6fire_chip_abort(), the chip struct is allocated as the card's
> private data (via snd_card_new with sizeof(struct sfire_chip)). When
> snd_card_free_when_closed() is called and no file handles are open, the
> card and embedded chip are freed synchronously. The subsequent
> chip->card = NULL write then hits freed slab memory.
>
> Call trace:
> usb6fire_chip_abort sound/usb/6fire/chip.c:59 [inline]
> usb6fire_chip_disconnect+0x348/0x358 sound/usb/6fire/chip.c:182
> usb_unbind_interface+0x1a8/0x88c drivers/usb/core/driver.c:458
> ...
> hub_event+0x1a04/0x4518 drivers/usb/core/hub.c:5953
>
> Fix by moving the card lifecycle out of usb6fire_chip_abort() and into
> usb6fire_chip_disconnect(). The card pointer is saved in a local
> before any teardown, snd_card_disconnect() is called first to prevent
> new opens, URBs are aborted while chip is still valid, and
> snd_card_free_when_closed() is called last so chip is never accessed
> after the card may be freed.
>
> Fixes: a0810c3d6dd2 ("ALSA: 6fire: Release resources at card release")
> Cc: stable@xxxxxxxxxxxxxxx
> Cc: Andrey Konovalov <andreyknvl@xxxxxxxxx>
> Signed-off-by: Berk Cem Goksel <berkcgoksel@xxxxxxxxx>

Applied now. Thanks.

Takashi