* [PATCH v2 5.10.y] ALSA: usb-audio: fix null pointer dereference on pointer cs_desc
@ 2026-05-31 15:29 Vasiliy Kovalev
2026-06-02 18:21 ` Sasha Levin
0 siblings, 1 reply; 2+ messages in thread
From: Vasiliy Kovalev @ 2026-05-31 15:29 UTC (permalink / raw)
To: stable; +Cc: Ben Hutchings, Takashi Iwai, alsa-devel, lvc-project, kovalev
From: Chengfeng Ye <cyeaa@connect.ust.hk>
commit b97053df0f04747c3c1e021ecbe99db675342954 upstream.
The pointer cs_desc return from snd_usb_find_clock_source could
be null, so there is a potential null pointer dereference issue.
Fix this by adding a null check before dereference.
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Link: https://lore.kernel.org/r/20211024111736.11342-1-cyeaa@connect.ust.hk
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Fixes: 1dc669fed61a ("ALSA: usb-audio: UAC2: support read-only freq control")
[ kovalev: bp to fix CVE-2021-47211; added Fixes tag; the null
check was added into both UAC2 and UAC3 branches since the
older kernel still has the clock source lookup split between
snd_usb_find_clock_source() and snd_usb_find_clock_source_v3()
(see upstream commit 9ec730052fa2); return -ENXIO instead of 0
to match upstream behavior, where the caller reaches the clock
validation path and returns -ENXIO ]
Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
---
v2:
- Return -ENXIO instead of 0 on missing cs_desc to match upstream
behavior. Suggested by Ben Hutchings.
Link: https://lore.kernel.org/all/ca469f4a22fe4688bbf88c355d074ae5be16a621.camel@decadent.org.uk/
v1:
Link: https://lore.kernel.org/all/20260421132047.38233-1-kovalev@altlinux.org/
---
sound/usb/clock.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 197a6b7d8..8759e20c4 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -646,11 +646,17 @@ static int set_sample_rate_v2v3(struct snd_usb_audio *chip, int iface,
struct uac3_clock_source_descriptor *cs_desc;
cs_desc = snd_usb_find_clock_source_v3(chip->ctrl_intf, clock);
+
+ if (!cs_desc)
+ return -ENXIO;
bmControls = le32_to_cpu(cs_desc->bmControls);
} else {
struct uac_clock_source_descriptor *cs_desc;
cs_desc = snd_usb_find_clock_source(chip->ctrl_intf, clock);
+
+ if (!cs_desc)
+ return -ENXIO;
bmControls = cs_desc->bmControls;
}
--
2.50.1
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH v2 5.10.y] ALSA: usb-audio: fix null pointer dereference on pointer cs_desc
2026-05-31 15:29 [PATCH v2 5.10.y] ALSA: usb-audio: fix null pointer dereference on pointer cs_desc Vasiliy Kovalev
@ 2026-06-02 18:21 ` Sasha Levin
0 siblings, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2026-06-02 18:21 UTC (permalink / raw)
To: stable, Vasiliy Kovalev
Cc: Sasha Levin, Ben Hutchings, Takashi Iwai, alsa-devel, lvc-project
On Sat, May 31, 2026 at 06:29:50PM +0300, Vasiliy Kovalev wrote:
> [PATCH v2 5.10.y] ALSA: usb-audio: fix null pointer dereference on pointer cs_desc
Now applied to 5.10.y.
Thanks,
Sasha
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-02 18:22 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-31 15:29 [PATCH v2 5.10.y] ALSA: usb-audio: fix null pointer dereference on pointer cs_desc Vasiliy Kovalev
2026-06-02 18:21 ` Sasha Levin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.