CVE-2024-56531 - Linux Kernel ALSA USB Disconnect Vulnerability Explained
In June 2024, a vulnerability was found and patched in the Linux kernel's Advanced Linux Sound Architecture (ALSA) caiaq USB audio driver. Tracked as CVE-2024-56531, this bug could cause the kernel to become sluggish or even trigger a soft lockup when a compatible USB sound device was disconnected. Let’s break down what happened, how it works, and what developers and users need to know.
What was the Problem? (snd_card_free vs snd_card_free_when_closed)
When you unplug a USB sound device using the caiaq driver (like some Native Instruments sound cards), the driver's disconnect callback in the kernel was calling snd_card_free(). This function waits until every process using the card (every open file descriptor) is closed before it finishes.
That means, if you had a program still talking to the sound card when it was unplugged, the disconnect logic would hang until that program exited or closed the sound card, taking a long time. Because this code runs during USB disconnect (which should finish quickly), it would stall other USB processes, sometimes leading to what's called a _kernel soft lockup_.
In simple terms:
Unplugging your sound card could freeze, slow, or break other USB stuff while the kernel waited for sound-using programs to close.
The Fix: snd_card_free_when_closed
The solution was pretty simple:
Instead of making the disconnect logic _wait_, use a function (snd_card_free_when_closed()) that just starts the release process, returning right away. The card is fully released _later_, after all users finish. This means the USB disconnect callback can complete instantly, as it should.
Here’s a simple diagram
| Before (BAD) | After (GOOD) |
|------------------------------|---------------------------------|
| USB disconnect: | USB disconnect: |
| → Wait on all programs… | → Mark card for async release |
| → If any are open, block USB | → Disconnect returns instantly |
| → Can trigger soft lockup | → Card closed later, safely |
Relevant Kernel Code Snippet
Here's a real-life kernel patch that solves it. Notice the use of snd_card_free_when_closed() in the disconnect function now:
// OLD (problematic) version:
static void snd_caiaq_dev_disconnect(struct usb_interface *intf) {
struct snd_card *card = usb_get_intfdata(intf);
if (card) {
snd_card_free(card); // <-- This waits, can block
usb_set_intfdata(intf, NULL);
}
}
// NEW (patched, safe) version:
static void snd_caiaq_dev_disconnect(struct usb_interface *intf) {
struct snd_card *card = usb_get_intfdata(intf);
if (card) {
snd_card_free_when_closed(card); // <-- Returns immediately
usb_set_intfdata(intf, NULL);
}
}
In addition, the release of resources is moved from the disconnect function to the card's destructor, splitting the "disconnect" and "free" phases.
How could someone use this vulnerability?
While this bug isn't a classic security exploit (it doesn't allow privilege escalation or code execution), a malicious user could intentionally hold open a sound device file (for example, by running a simple command like cat /dev/snd/pcmCDp) and then unplug the corresponding USB sound card. This would stall the disconnect callback, potentially blocking other USB device operations or administration tasks, and on systems with repeated occurrences, could contribute to system instability.
Plug in any supported caiaq USB sound card.
2. Open the sound device in a program (e.g., aplay or a custom script that holds the audio device open).
Original Kernel Patch:
ALSA: caiaq: Use snd_card_free_when_closed() at disconnection
Linux Kernel Security Tracker:
CVE-2024-56531 entry (openwall)
- Kernel Source Browser
Always disconnect and resource-release in kernel (especially USB) drivers as _quickly_ as possible.
- If you are a user: update your kernel if you use caiaq-based sound cards, especially on servers or production workstations.
Timeline
Published on: 12/27/2024 14:15:32 UTC
Last modified on: 05/04/2025 09:57:26 UTC