From: Nicolai Stange <nicstange@gmail.com>
To: Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>
Cc: Shuah Khan <shuahkh@osg.samsung.com>,
	Mauro Carvalho Chehab <mchehab@osg.samsung.com>,
	Nicolai Stange <nicstange@gmail.com>,
	alsa-devel@alsa-project.org, linux-kernel@vger.kernel.org
Subject: [PATCH] [media] sound/usb: fix NULL dereference in usb_audio_probe()
Date: Tue, 15 Mar 2016 13:35:06 +0100
Message-ID: <1458045306-4170-1-git-send-email-nicstange@gmail.com>

With commit

  aebb2b89bff0 ("[media] sound/usb: Use Media Controller API to share
                 media resources")

an access to quirk->media_device without checking for quirk != NULL has
been introduced in usb_audio_probe().

With a Plantronics USB headset (device ID 0x047f:0xc010) attached,
this results in the following splat at boot time:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000014
  IP: [<ffffffffa089aa6c>] usb_audio_probe+0x2cc/0x9a0 [snd_usb_audio]
  Oops: 0000 [#1] SMP
  [...]
  CPU: 2 PID: 696 Comm: systemd-udevd Not tainted 4.5.0-next-20160315 #13
  Hardware name: Dell Inc. Latitude E6540/0725FP, BIOS A10 06/26/2014
  task: ffff88021c88d7c0 ti: ffff88003d5b0000 task.ti: ffff88003d5b0000
  RIP: 0010:[<ffffffffa089aa6c>]  [<ffffffffa089aa6c>]
                                usb_audio_probe+0x2cc/0x9a0 [snd_usb_audio]
  [...]
  Call Trace:
   [<ffffffff815a8e16>] usb_probe_interface+0x136/0x2d0
   [<ffffffff81509edc>] driver_probe_device+0x22c/0x440
   [<ffffffff8150a1c1>] __driver_attach+0xd1/0xf0
   [<ffffffff8150a0f0>] ? driver_probe_device+0x440/0x440
   [<ffffffff815077ec>] bus_for_each_dev+0x6c/0xc0
   [<ffffffff815095ce>] driver_attach+0x1e/0x20
   [<ffffffff81509013>] bus_add_driver+0x1c3/0x280
   [<ffffffff8150ab10>] driver_register+0x60/0xe0
   [<ffffffff815a7711>] usb_register_driver+0x81/0x140
   [<ffffffffa08c7000>] ? 0xffffffffa08c7000
   [<ffffffffa08c701e>] usb_audio_driver_init+0x1e/0x1000 [snd_usb_audio]
   [<ffffffff81002123>] do_one_initcall+0xb3/0x1f0
   [<ffffffff811fb091>] ? __vunmap+0x81/0xd0
   [<ffffffff8121b8d2>] ? kmem_cache_alloc_trace+0x182/0x1d0
   [<ffffffff811b0267>] ? do_init_module+0x27/0x1d8
   [<ffffffff811b029f>] do_init_module+0x5f/0x1d8
   [<ffffffff8112ce35>] load_module+0x1fe5/0x27a0
   [<ffffffff81129870>] ? __symbol_put+0x60/0x60
   [<ffffffff81241690>] ? vfs_read+0x110/0x130
   [<ffffffff8112d866>] SYSC_finit_module+0xe6/0x120
   [<ffffffff8112d8be>] SyS_finit_module+0xe/0x10
   [<ffffffff81003d94>] do_syscall_64+0x64/0x110
   [<ffffffff817c0b61>] entry_SYSCALL64_slow_path+0x25/0x25

After encountering this, the systemd-udevd process seems to be blocked
until it is killed when hitting its timeout of 3min.

In analogy to the other accesses to members of quirk in usb_audio_probe(),
check for quirk != NULL before accessing its ->media_device.

Fixes: aebb2b89bff0 ("[media] sound/usb: Use Media Controller API to share
                      media resources")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
---
 Applicable to linux-next-20160315.

 sound/usb/card.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/card.c b/sound/usb/card.c
index 63244bb..479621e 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -612,7 +612,7 @@ static int usb_audio_probe(struct usb_interface *intf,
 	if (err < 0)
 		goto __error;
 
-	if (quirk->media_device) {
+	if (quirk && quirk->media_device) {
 		/* don't want to fail when media_snd_device_create() fails */
 		media_snd_device_create(chip, intf);
 	}
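
Review bot: the guard on the changed line, `if (quirk && quirk->media_device)`, covers only this one access, so before applying it is worth confirming that aebb2b89bff0 added no other unchecked use of quirk elsewhere in usb_audio_probe(), since the message states that the other accesses to quirk members in this function are already checked against NULL. The return value of media_snd_device_create(chip, intf) is dropped on purpose per the comment; a debug-level message on failure would keep the probe outcome unchanged while making a missing media device visible in the log. Separately, the Fixes: tag in the message is wrapped over two lines; it is conventionally kept on a single line so scripts can match it.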
-- 
2.7.2
