From: syzbot <syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure
Date: Sat, 25 Apr 2026 07:43:17 -0700 [thread overview]
Message-ID: <69ecd305.a00a0220.7773.001b.GAE@google.com> (raw)
In-Reply-To: <69ec231a.a00a0220.7773.000c.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
create_card() takes a reference on the USB device with usb_get_dev()
and stores the matching usb_put_dev() in card_free(), which is
installed as the snd_card's ->private_free destructor.
However, ->private_free is only assigned near the end of init_card(),
after several failure points (usb_set_interface(), EP type checks,
usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
timeout). When any of those fail, init_card() returns an error to
snd_probe(), which calls snd_card_free(card). Because ->private_free
is still NULL, card_free() never runs, the usb_get_dev() reference
is not dropped, and the struct usb_device leaks along with its
descriptor allocations and device_private.
syzbot reproduces this with a malformed UAC3 device whose only valid
altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
fails with -EIO and triggers the leak.
Move the ->private_free assignment into create_card(), immediately
after usb_get_dev(), so that every error path reaching snd_card_free()
balances the reference. card_free()'s callees (snd_usb_caiaq_input_free,
free_urbs, kfree) already tolerate the partially-initialized state
because the chip private area is zero-initialized by snd_card_new().
Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
sound/usb/caiaq/device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 8af0c04041ee..ad9f744b496b 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -423,6 +423,7 @@ static int create_card(struct usb_device *usb_dev,
cdev = caiaqdev(card);
cdev->chip.dev = usb_get_dev(usb_dev);
+ card->private_free = card_free;
cdev->chip.card = card;
cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
le16_to_cpu(usb_dev->descriptor.idProduct));
@@ -511,7 +512,6 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
scnprintf(card->longname, sizeof(card->longname), "%s %s (%s)",
cdev->vendor_name, cdev->product_name, usbpath);
- card->private_free = card_free;
err = setup_card(cdev);
if (err < 0)
return err;
--
2.43.0
next prev parent reply other threads:[~2026-04-25 14:43 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-25 2:12 [syzbot] [usb?] memory leak in hub_event (4) syzbot
2026-04-25 6:36 ` Forwarded: [PATCH] usb: core: fix memory leak in usb_new_device() error path syzbot
2026-04-25 7:52 ` Forwarded: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure syzbot
2026-04-25 8:58 ` Forwarded: [PATCH] usb: core: hub: fix memory leak in hub_port_connect syzbot
2026-04-25 9:36 ` syzbot
2026-04-25 12:54 ` Forwarded: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure syzbot
2026-04-25 14:43 ` syzbot [this message]
2026-04-26 2:33 ` Hillf Danton
2026-04-27 11:40 ` [syzbot] [usb?] memory leak in hub_event (4) Oliver Neukum
2026-04-27 12:37 ` syzbot
2026-04-27 14:19 ` Alan Stern
2026-04-28 11:33 ` Oliver Neukum
2026-04-28 15:12 ` Alan Stern
2026-04-29 10:42 ` [PATCH] usb: core: hcd: fix possible deadlock in rh control transfers Oliver Neukum
2026-04-29 19:04 ` Alan Stern
2026-04-29 19:13 ` Oliver Neukum
2026-04-29 19:18 ` Alan Stern
2026-04-29 10:45 ` [PATCH] sound: usb: caiaq: fix reference leak in probe error Oliver Neukum
2026-04-29 10:53 ` Takashi Iwai
2026-04-29 11:05 ` Oliver Neukum
2026-04-29 19:42 ` kernel test robot
2026-04-30 5:33 ` kernel test robot
2026-04-30 11:02 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69ecd305.a00a0220.7773.001b.GAE@google.com \
--to=syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.