[Linux Kernel Bug] general protection fault in try_to_register_card


Jiaming Zhang

Oct 12, 2025, 7:12:38 AM
to linux...@vger.kernel.org, pe...@perex.cz, ti...@suse.com, bro...@kernel.org, cryo...@uniontech.com, gre...@linuxfoundation.org, linux-...@vger.kernel.org, pierre-lou...@linux.dev, quic_...@quicinc.com, syzk...@googlegroups.com
Dear Linux kernel developers and maintainers:

We are writing to report a general protection fault discovered in the
kernel with our modified syzkaller. This bug is reproducible on the
latest version (commit 67029a49db6c1f21106a1b5fcdd0ea234a6e0711).

The kernel console output, kernel config, syzkaller reproducer, and C
reproducer are attached to this email to help analysis. The KASAN
report from kernel (commit 67029a49), formatted by syz-symbolize, is
listed below:

==================================================================
e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
usb 1-1: new full-speed USB device number 2 using dummy_hcd
usb 1-1: not running at top speed; connect to a high speed hub
usb 1-1: config 2 has an invalid interface number: 131 but max is 3
usb 1-1: config 2 has an invalid interface number: 160 but max is 3
usb 1-1: config 2 has an invalid descriptor of length 0, skipping
remainder of the config
usb 1-1: config 2 has 2 interfaces, different from the descriptor's value: 4
usb 1-1: config 2 has no interface number 0
usb 1-1: config 2 has no interface number 1
usb 1-1: config 2 interface 160 altsetting 9 has an invalid descriptor
for endpoint zero, skipping
usb 1-1: config 2 interface 160 altsetting 9 has 2 endpoint
descriptors, different from the interface descriptor's value: 16
usb 1-1: config 2 interface 131 has no altsetting 0
usb 1-1: config 2 interface 160 has no altsetting 0
usb 1-1: New USB device found, idVendor=0dba, idProduct=5000, bcdDevice=3a.c9
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: MBOX3: Initialized.
Oops: general protection fault, probably for non-canonical address
0xdffffc000000001c: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000000e0-0x00000000000000e7]
CPU: 1 UID: 0 PID: 793 Comm: kworker/1:2 Not tainted
6.17.0-12904-g67029a49db6c #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_interface_claimed include/linux/usb.h:918 [inline]
RIP: 0010:try_to_register_card+0x248/0x300 sound/usb/card.c:896
Code: de cd 30 f9 49 8b 3f 44 89 f6 e8 43 e5 fa fd 49 89 c6 49 81 c6
e0 00 00 00 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c
08 00 74 08 4c 89 f7 e8 aa cd 30 f9 49 83 3e 00 74 73 e8 ff
RSP: 0018:ffffc9000462eb80 EFLAGS: 00010202
RAX: 000000000000001c RBX: ffff888049b02a30 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000a0
RBP: ffffc9000462ec30 R08: ffffc9000462e9e7 R09: 1ffff920008c5d3c
R10: dffffc0000000000 R11: ffffffff88f59950 R12: 00000000000000f8
R13: 1ffff11009360559 R14: 00000000000000e0 R15: ffff888049b02a38
FS: 0000000000000000(0000) GS:ffff8880ec976000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f86fb0e16f8 CR3: 0000000028a6b000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
usb_audio_probe+0x143f/0x1e60 sound/usb/card.c:1039
usb_probe_interface+0x668/0xc30 drivers/usb/core/driver.c:396
really_probe+0x26d/0x9f0 drivers/base/dd.c:659
__driver_probe_device+0x190/0x390 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b7/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_set_configuration+0x1a5c/0x20b0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
really_probe+0x26d/0x9f0 drivers/base/dd.c:659
__driver_probe_device+0x190/0x390 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b7/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_new_device+0xb9d/0x1a00 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x290c/0x49a0 drivers/usb/core/hub.c:5952
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:usb_interface_claimed include/linux/usb.h:918 [inline]
RIP: 0010:try_to_register_card+0x248/0x300 sound/usb/card.c:896
Code: de cd 30 f9 49 8b 3f 44 89 f6 e8 43 e5 fa fd 49 89 c6 49 81 c6
e0 00 00 00 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c
08 00 74 08 4c 89 f7 e8 aa cd 30 f9 49 83 3e 00 74 73 e8 ff
RSP: 0018:ffffc9000462eb80 EFLAGS: 00010202
RAX: 000000000000001c RBX: ffff888049b02a30 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000000000a0
RBP: ffffc9000462ec30 R08: ffffc9000462e9e7 R09: 1ffff920008c5d3c
R10: dffffc0000000000 R11: ffffffff88f59950 R12: 00000000000000f8
R13: 1ffff11009360559 R14: 00000000000000e0 R15: ffff888049b02a38
FS: 0000000000000000(0000) GS:ffff8880ec976000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f067e010980 CR3: 0000000024315000 CR4: 0000000000752ef0
PKRU: 55555554
----------------
Code disassembly (best guess):
0: de cd fmulp %st,%st(5)
2: 30 f9 xor %bh,%cl
4: 49 8b 3f mov (%r15),%rdi
7: 44 89 f6 mov %r14d,%esi
a: e8 43 e5 fa fd call 0xfdfae552
f: 49 89 c6 mov %rax,%r14
12: 49 81 c6 e0 00 00 00 add $0xe0,%r14
19: 4c 89 f0 mov %r14,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 4c 89 f7 mov %r14,%rdi
33: e8 aa cd 30 f9 call 0xf930cde2
38: 49 83 3e 00 cmpq $0x0,(%r14)
3c: 74 73 je 0xb1
3e: e8 .byte 0xe8
3f: ff .byte 0xff
==================================================================

Please let me know if any further information is required.

Best Regards,
Jiaming Zhang.
repro.c
.config
kernel.log
report
repro.syz

Greg KH

Oct 12, 2025, 7:18:19 AM
to Jiaming Zhang, linux...@vger.kernel.org, pe...@perex.cz, ti...@suse.com, bro...@kernel.org, cryo...@uniontech.com, linux-...@vger.kernel.org, pierre-lou...@linux.dev, quic_...@quicinc.com, syzk...@googlegroups.com
So you are probably creating an invalid usb audio device without a
proper interface here, right? Care to make up a simple patch for this
so that you get the credit for fixing the issue as you can test it
easily?

thanks,

greg k-h

Jiaming Zhang

Oct 14, 2025, 12:02:00 AM
to gre...@linuxfoundation.org, bro...@kernel.org, cryo...@uniontech.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, pierre-lou...@linux.dev, quic_...@quicinc.com, r7725...@gmail.com, syzk...@googlegroups.com, ti...@suse.com
Hi Greg,

Thanks for the guidance. You're right, the root cause of this issue is
that a USB audio device is created without a proper interface.

To fix this issue, I added a check for the NULL return value in
try_to_register_card() before calling usb_interface_claimed().
I have tested the patch with the reproducer on the latest version (v6.18-rc1),
and the issue was not triggered again.

Please let me know if any changes are needed.

Best regards,
Jiaming Zhang
---

In try_to_register_card(), the return value of usb_ifnum_to_if() is
passed directly to usb_interface_claimed() without a NULL check, which
will lead to a NULL pointer dereference when creating an invalid
USB audio device. Fix this by adding a check to ensure the interface
pointer is valid before passing it to usb_interface_claimed().

Reported-by: Jiaming Zhang <r7725...@gmail.com>
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
sound/usb/card.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sound/usb/card.c b/sound/usb/card.c
index 1d5a65eac933..270dad84d825 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -891,10 +891,16 @@ get_alias_quirk(struct usb_device *dev, unsigned int id)
*/
static int try_to_register_card(struct snd_usb_audio *chip, int ifnum)
{
+ struct usb_interface *iface;
+
if (check_delayed_register_option(chip) == ifnum ||
- chip->last_iface == ifnum ||
- usb_interface_claimed(usb_ifnum_to_if(chip->dev, chip->last_iface)))
+ chip->last_iface == ifnum)
+ return snd_card_register(chip->card);
+
+ iface = usb_ifnum_to_if(chip->dev, chip->last_iface);
+ if (iface && usb_interface_claimed(iface))
return snd_card_register(chip->card);
+
return 0;
}
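Review bot: the NULL guard at `if (iface && usb_interface_claimed(iface))` is the right shape, but the hunk now has two identical `return snd_card_register(chip->card);` branches; since usb_ifnum_to_if() is safe to call for any ifnum, the lookup could be done first and the three conditions folded back into one `if`, keeping the function at its original size. Behaviour on a missing interface is unchanged from the existing fall-through (registration is deferred with `return 0`), which is worth stating in the changelog, and the changelog should also carry a Fixes: tag naming the commit that introduced the unchecked call.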

--
2.34.1
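To make the failure mode concrete, here is an added C model of the lookup the patch guards. It is not kernel code: the struct layouts are simplified stand-ins for struct usb_device, struct usb_interface and struct snd_usb_audio, the check_delayed_register_option() path is omitted, and the constructed device mimics the log above (the configuration advertises interfaces, but none of them carries the number stored in `last_iface`, as in "config 2 has no interface number 0"). The search in usb_ifnum_to_if() and the `driver != NULL` test in usb_interface_claimed() follow the kernel's logic; everything else is assumption for illustration.

```c
/* Added example, not kernel code: models why try_to_register_card() faulted
 * and what the NULL check changes. Struct layouts are simplified stand-ins. */
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_IFACES 4

struct usb_interface {
	int bInterfaceNumber;   /* kernel: altsetting[0].desc.bInterfaceNumber */
	void *driver;           /* kernel: iface->dev.driver */
};

struct usb_device {
	int num_interfaces;
	struct usb_interface *interface[MAX_IFACES];
};

struct snd_usb_audio {
	struct usb_device *dev;
	int last_iface;
	bool registered;        /* set when snd_card_register() would run */
};

/* Mirrors the kernel search: walks the active config's interface array and
 * returns NULL when no interface carries the requested number. A malformed
 * descriptor set can therefore make any ifnum, including last_iface, absent. */
static struct usb_interface *usb_ifnum_to_if(const struct usb_device *dev, int ifnum)
{
	for (int i = 0; i < dev->num_interfaces; i++)
		if (dev->interface[i] && dev->interface[i]->bInterfaceNumber == ifnum)
			return dev->interface[i];
	return NULL;
}

/* include/linux/usb.h: reads iface->dev.driver, so a NULL iface faults here
 * (the KASAN report shows the load at offset 0xe0 from a NULL base). */
static int usb_interface_claimed(const struct usb_interface *iface)
{
	return iface->driver != NULL;
}

static int snd_card_register(struct snd_usb_audio *chip)
{
	chip->registered = true;
	return 0;
}

/* Before the fix: the lookup result goes straight into usb_interface_claimed().
 * Calling this with a last_iface that is absent from the config dereferences NULL. */
int try_to_register_card_before(struct snd_usb_audio *chip, int ifnum)
{
	if (chip->last_iface == ifnum ||
	    usb_interface_claimed(usb_ifnum_to_if(chip->dev, chip->last_iface)))
		return snd_card_register(chip);
	return 0;
}

/* After the fix: a missing interface simply defers registration (return 0). */
int try_to_register_card_after(struct snd_usb_audio *chip, int ifnum)
{
	struct usb_interface *iface;

	if (chip->last_iface == ifnum)
		return snd_card_register(chip);

	iface = usb_ifnum_to_if(chip->dev, chip->last_iface);
	if (iface && usb_interface_claimed(iface))
		return snd_card_register(chip);
	return 0;
}

/* Constructed device (assumption): two interfaces numbered 2 and 3, interface 3
 * already claimed by a driver, and no interface numbered 0 at all. */
static struct usb_interface if2 = { .bInterfaceNumber = 2, .driver = NULL };
static struct usb_interface if3 = { .bInterfaceNumber = 3, .driver = &if3 };
static struct usb_device dev = { .num_interfaces = 2, .interface = { &if2, &if3 } };

/* Runs the fixed path and reports 1 if the card was registered, 0 if deferred. */
int probe_outcome_after(int last_iface, int ifnum)
{
	struct snd_usb_audio chip = { .dev = &dev, .last_iface = last_iface };

	try_to_register_card_after(&chip, ifnum);
	return chip.registered ? 1 : 0;
}

int main(void)
{
	printf("iface 0 present: %s\n", usb_ifnum_to_if(&dev, 0) ? "yes" : "no");
	printf("last_iface=0, probing ifnum 2 -> registered=%d\n", probe_outcome_after(0, 2));
	printf("last_iface=3, probing ifnum 2 -> registered=%d\n", probe_outcome_after(3, 2));
	return 0;
}
```

The interesting case is `probe_outcome_after(0, 2)`: with the pre-fix code the same inputs dereference NULL inside usb_interface_claimed(), while the fixed path returns 0 and leaves the card unregistered until a later interface probe satisfies the condition, which is the existing fall-through behaviour.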

Greg KH

Oct 14, 2025, 1:26:48 AM
to Jiaming Zhang, bro...@kernel.org, cryo...@uniontech.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, pierre-lou...@linux.dev, quic_...@quicinc.com, syzk...@googlegroups.com, ti...@suse.com
On Tue, Oct 14, 2025 at 12:01:49PM +0800, Jiaming Zhang wrote:
> Hi Greg,
>
> Thanks for the guidance. You're right, the root cause of this issue is
> that a USB audio device is created without a proper interface.
>
> To fix this issue, I added a check for the NULL return value in
> try_to_register_card() before calling usb_interface_claimed().
> I have tested the patch with the reproducer on the latest version (v6.18-rc1),
> and the issue was not triggered again.
>
> Please let me know if any changes are needed.
>
> Best regards,
> Jiaming Zhang

Can you resend this without this text above the changelog comment?

> ---
>
> In try_to_register_card(), the return value of usb_ifnum_to_if() is
> passed directly to usb_interface_claimed() without a NULL check, which
> will lead to a NULL pointer dereference when creating an invalid
> USB audio device. Fix this by adding a check to ensure the interface
> pointer is valid before passing it to usb_interface_claimed().
>
> Reported-by: Jiaming Zhang <r7725...@gmail.com>
> Signed-off-by: Jiaming Zhang <r7725...@gmail.com>

And as you authored this, no need for "Reported-by:" :)

thanks,

greg k-h

Takashi Iwai

Oct 14, 2025, 1:53:40 AM
to Jiaming Zhang, Greg KH, bro...@kernel.org, cryo...@uniontech.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, pierre-lou...@linux.dev, quic_...@quicinc.com, syzk...@googlegroups.com, ti...@suse.com
Also try to point to a breaker commit via Fixes tag.
And, pointing to the bug report thread via Closes tag would be nicer,
too.

The code change itself looks good, so only those cosmetic things.


thanks,

Takashi

Jiaming Zhang

Oct 15, 2025, 1:16:55 AM
to ti...@suse.de, gre...@linuxfoundation.org, bro...@kernel.org, cryo...@uniontech.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, pierre-lou...@linux.dev, quic_...@quicinc.com, r7725...@gmail.com, syzk...@googlegroups.com, ti...@suse.com
Hi Greg, Takashi,

Thanks for your suggestions. I have updated the commit message.

Please let me know if any changes are needed.

Best regards,
Jiaming Zhang

Jiaming Zhang (1):
ALSA: usb-audio: Fix NULL pointer dereference in try_to_register_card

sound/usb/card.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

--
2.34.1

Jiaming Zhang

Oct 15, 2025, 1:17:01 AM
to ti...@suse.de, gre...@linuxfoundation.org, bro...@kernel.org, cryo...@uniontech.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, pierre-lou...@linux.dev, quic_...@quicinc.com, r7725...@gmail.com, syzk...@googlegroups.com, ti...@suse.com
In try_to_register_card(), the return value of usb_ifnum_to_if() is
passed directly to usb_interface_claimed() without a NULL check, which
will lead to a NULL pointer dereference when creating an invalid
USB audio device. Fix this by adding a check to ensure the interface
pointer is valid before passing it to usb_interface_claimed().

Fixes: 39efc9c ("ALSA: usb-audio: Fix last interface check for registration")
Closes: https://lore.kernel.org/all/CANypQFYtQxHL5ghREs-BujZG413RPJGnO5TH=xjFBKp...@mail.gmail.com/
Signed-off-by: Jiaming Zhang <r7725...@gmail.com>
---
sound/usb/card.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

Takashi Iwai

Oct 15, 2025, 4:18:58 AM
to Jiaming Zhang, ti...@suse.de, gre...@linuxfoundation.org, bro...@kernel.org, cryo...@uniontech.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, pierre-lou...@linux.dev, quic_...@quicinc.com, syzk...@googlegroups.com, ti...@suse.com
On Wed, 15 Oct 2025 07:16:45 +0200,
Jiaming Zhang wrote:
>
> In try_to_register_card(), the return value of usb_ifnum_to_if() is
> passed directly to usb_interface_claimed() without a NULL check, which
> will lead to a NULL pointer dereference when creating an invalid
> USB audio device. Fix this by adding a check to ensure the interface
> pointer is valid before passing it to usb_interface_claimed().
>
> Fixes: 39efc9c ("ALSA: usb-audio: Fix last interface check for registration")
> Closes: https://lore.kernel.org/all/CANypQFYtQxHL5ghREs-BujZG413RPJGnO5TH=xjFBKp...@mail.gmail.com/
> Signed-off-by: Jiaming Zhang <r7725...@gmail.com>

Thanks, applied now.
The Fixes tag should have 12 letter IDs, and I corrected it.


Takashi