From patchwork Thu Sep 5 12:38:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 826015 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from alsa0.perex.cz (alsa0.perex.cz [77.48.224.243]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id D4C4BCE7B19 for ; Fri, 6 Sep 2024 13:56:27 +0000 (UTC) Received: from alsa1.perex.cz (alsa1.perex.cz [207.180.221.201]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by alsa0.perex.cz (Postfix) with ESMTPS id 16241EB6; Fri, 6 Sep 2024 15:56:16 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa0.perex.cz 16241EB6 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=alsa-project.org; s=default; t=1725630986; bh=lit5iBxVDFpk4ULIy0i42xv115wo/uqoPdVZId53JPk=; h=From:Date:To:Cc:Subject:In-Reply-To:List-Id:List-Archive: List-Help:List-Owner:List-Post:List-Subscribe:List-Unsubscribe: From; b=rIBfVUpX2JH8FPvBhMnugtiIngAGClMbJhOazQw7t5u1gwnXEgRyjPPIDBM/zxJkf 3PXd0ZhxjO69gbx7/mfeZHx89fq7ESbB/0vM7X5e0zmumx0wk9k9+M7vUsFIimPLFz BeafiI0WkJCuQ1cawRhIopl/v7WmevsBucsGaCvo= Received: by alsa1.perex.cz (Postfix, from userid 50401) id A240AF80672; Fri, 6 Sep 2024 15:55:02 +0200 (CEST) Received: from mailman-core.alsa-project.org (mailman-core.alsa-project.org [10.254.200.10]) by alsa1.perex.cz (Postfix) with ESMTP id F3CD6F8063D; Fri, 6 Sep 2024 15:55:01 +0200 (CEST) Received: by alsa1.perex.cz (Postfix, from userid 50401) id 88B1FF8032D; Thu, 5 Sep 2024 14:38:20 +0200 (CEST) Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by alsa1.perex.cz (Postfix) with ESMTPS id C0B94F8014C for ; Thu, 5 Sep 2024 14:38:18 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 alsa1.perex.cz C0B94F8014C Authentication-Results: alsa1.perex.cz; dkim=pass (2048-bit key, unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=W1bDbcht Received: by mail-wm1-x32f.google.com with SMTP id 5b1f17b1804b1-42bbc70caa4so5767125e9.0 for ; Thu, 05 Sep 2024 05:38:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1725539897; x=1726144697; darn=alsa-project.org; h=in-reply-to:content-disposition:mime-version:message-id:subject:cc :to:date:from:from:to:cc:subject:date:message-id:reply-to; bh=k8tBVBv6hqzsh3Y7wmsPJR+JvC6LY/bf7F+mJ4H3uNA=; b=W1bDbchtrCF7gsp0oSF9tFjDBsN/FpaWjZUrYfBpkLfjRLyKl8aBHtmG9p98pq0Dyr G0H2arqzX9VHyY11F/ywTTvGwyNWjbe/wpHmDjRVwzEp6l3jvg2l3Pa6Mvp41zHJkyCd yz4LANEU7lb8F68Iv9iXybayPG6KfISO8jlvNvDBJvyKPm++sfmQwqgQ+elIp53cK+ub z0EEtSi7VyBw7wlEH1KXsxHYczmaYXipejkS5w5y0D1QS9hl4TY8+1HuTwOoBBxEd2ZF TLqs7Yv21r35qicReUo5dX3P+Fa3C8PsgzoIqztYYeGRsX2hdQf9VgA1XRgI4BHgb2R2 KSAA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725539897; x=1726144697; h=in-reply-to:content-disposition:mime-version:message-id:subject:cc :to:date:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=k8tBVBv6hqzsh3Y7wmsPJR+JvC6LY/bf7F+mJ4H3uNA=; b=taZjOIMNL3HcBJjdS10GxaccjzXHGKHWzZ9e8J2e6OeXIBpkcW4A2Vsq6RTBLvyfRo mEdacMYdbUJlsUPPDiVy7LwdoFJtn4G2C1nEVuUaQrbIXAU70+QeMNv/P9iQuOpu4yT1 fNMJYXJg6/qJ7bPifWXD7PWJgTb1bUpH8bnZ5HdRi36ioO5xLeD3SUdBlL//JNAoI9X+ tiPsnTmDsa9V28I9bePn1basB4fTzU+IklAe800PTPOhPSQPEdFENFd0phej9TVIX2Wc jV5CAiWk+n9uWmJ7ZN7xLK7gCGIVuybpugW769vMYht33m1xOSR+Z0Pa7BRvPwwUKQSu yACQ== X-Forwarded-Encrypted: i=1; AJvYcCWVamZqFv+3mvaHyiRixQOwSs01hWMFk85NOigPEvbdwYdO9EpTrrl+I2H56fgnN1P5sYBNdA7+zqdF@alsa-project.org X-Gm-Message-State: AOJu0YynqGO9Tt0r+gqMJ5vZ8RnNZldwyBeV98+WqssZo0MhB4Kl0Oo8 /S+qm+h52CKdDVajURQ9pz17AVzH9aLazhehWdQ7OnXxrEuMStdruFAKLw0hi+A= X-Google-Smtp-Source: AGHT+IEUeJhq6nXQUzmxvES2TVSIG9etjyshwco7odL0scyeNSEVlHlJx1JBy6Ds2ivDpmh9lPiSVQ== X-Received: by 2002:a05:600c:1551:b0:428:ea8e:b48a with SMTP id 5b1f17b1804b1-42c8de5f5c3mr51960955e9.8.1725539897504; Thu, 05 Sep 2024 05:38:17 -0700 (PDT) Received: from localhost ([196.207.164.177]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-42bbc127ec5sm205513245e9.19.2024.09.05.05.38.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Sep 2024 05:38:17 -0700 (PDT) From: Hillf Danton X-Google-Original-From: Hillf Danton Date: Thu, 5 Sep 2024 15:38:13 +0300 To: Takashi Iwai Cc: Jaroslav Kysela , Takashi Iwai , Hillf Danton , alsa-devel@alsa-project.org, stable@vger.kernel.org Subject: [PATCH 2/2 4.19.y] ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check Message-ID: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <76c0ef6b-f4bf-41f7-ad36-55f5b4b3180a@stanley.mountain> X-MailFrom: dan.carpenter@linaro.org X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-alsa-devel.alsa-project.org-0; header-match-alsa-devel.alsa-project.org-1 Message-ID-Hash: 3SQV4QIOXFXYZJAAGSUO76IKWMZG4O4S X-Message-ID-Hash: 3SQV4QIOXFXYZJAAGSUO76IKWMZG4O4S X-Mailman-Approved-At: Fri, 06 Sep 2024 13:54:43 +0000 X-Mailman-Version: 3.3.9 Precedence: list List-Id: "Alsa-devel mailing list for ALSA developers - http://www.alsa-project.org" Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: [ Upstream commit 5d78e1c2b7f4be00bbe62141603a631dc7812f35 ] syzbot found the following crash on: general protection fault: 0000 [#1] SMP KASAN RIP: 0010:snd_usb_pipe_sanity_check+0x80/0x130 sound/usb/helper.c:75 Call Trace: snd_usb_motu_microbookii_communicate.constprop.0+0xa0/0x2fb sound/usb/quirks.c:1007 snd_usb_motu_microbookii_boot_quirk sound/usb/quirks.c:1051 [inline] snd_usb_apply_boot_quirk.cold+0x163/0x370 sound/usb/quirks.c:1280 usb_audio_probe+0x2ec/0x2010 sound/usb/card.c:576 usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361 really_probe+0x281/0x650 drivers/base/dd.c:548 .... It was introduced in commit 801ebf1043ae for checking pipe and endpoint types. It is fixed by adding a check of the ep pointer in question. BugLink: https://syzkaller.appspot.com/bug?extid=d59c4387bfb6eced94e2 Reported-by: syzbot Fixes: 801ebf1043ae ("ALSA: usb-audio: Sanity checks for each pipe and EP types") Cc: Andrey Konovalov Signed-off-by: Hillf Danton Signed-off-by: Takashi Iwai Signed-off-by: Dan Carpenter --- sound/usb/helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/usb/helper.c b/sound/usb/helper.c index b1cc9499c57e..029489b490ca 100644 --- a/sound/usb/helper.c +++ b/sound/usb/helper.c @@ -85,7 +85,7 @@ int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe) struct usb_host_endpoint *ep; ep = usb_pipe_endpoint(dev, pipe); - if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) + if (!ep || usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)]) return -EINVAL; return 0; }