From: Takashi Iwai <tiwai@suse.de>
To: Edward Adam Davis <eadavis@qq.com>
Cc: g@b4.vu, linux-kernel@vger.kernel.org,
linux-sound@vger.kernel.org, linux-usb@vger.kernel.org,
perex@perex.cz,
syzbot+ae893a8901067fde2741@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com, tiwai@suse.com
Subject: Re: [PATCH v2] ALSA: scarlett2: Add the number of endpoints checked was 0
Date: Mon, 09 Mar 2026 11:29:07 +0100
Message-ID: <87cy1dnvnw.wl-tiwai@suse.de>
In-Reply-To: <87h5qpnwu5.wl-tiwai@suse.de>
On Mon, 09 Mar 2026 11:03:46 +0100,
Takashi Iwai wrote:
>
> On Mon, 09 Mar 2026 10:57:03 +0100,
> Edward Adam Davis wrote:
> >
> > The user constructed a corrupted USB device, causing the USB device
> > enumeration phase to fail to resolve any endpoints. This resulted in
> > a null pointer dereference reported in [1] when the USB sound card
> > driver executed probe to initialize the mixer.
> >
> > To avoid the problem reported in [1], a check was added to ensure that
> > the number of endpoints contained in the interface was 0 when creating
> > mixer controls for the Focusrite Scarlett 2nd/3rd Gen USB sound card.
> >
> > [1]
> > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > RIP: 0010:usb_endpoint_num include/uapi/linux/usb/ch9.h:479 [inline]
> > RIP: 0010:scarlett2_find_fc_interface sound/usb/mixer_scarlett2.c:8261 [inline]
> > RIP: 0010:scarlett2_init_private sound/usb/mixer_scarlett2.c:8295 [inline]
> > RIP: 0010:snd_scarlett2_controls_create sound/usb/mixer_scarlett2.c:8684 [inline]
> > RIP: 0010:snd_scarlett2_init.cold+0xbad/0x6c79 sound/usb/mixer_scarlett2.c:9407
> > Call Trace:
> > snd_usb_mixer_apply_create_quirk+0x1c21/0x2b80 sound/usb/mixer_quirks.c:4446
> > snd_usb_create_mixer+0x7a2/0x1910 sound/usb/mixer.c:3641
> > usb_audio_probe+0xf6d/0x3a90 sound/usb/card.c:1033
> >
> > Reported-by: syzbot+ae893a8901067fde2741@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=ae893a8901067fde2741
> > Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> > ---
> > v1 -> v2: move the check to scarlett2
> >
> > sound/usb/mixer_scarlett2.c | 9 +++++++++
> > 1 file changed, 9 insertions(+)
> >
> > diff --git a/sound/usb/mixer_scarlett2.c b/sound/usb/mixer_scarlett2.c
> > index ef3150581eab..4b300226f16c 100644
> > --- a/sound/usb/mixer_scarlett2.c
> > +++ b/sound/usb/mixer_scarlett2.c
> > @@ -9393,6 +9393,15 @@ int snd_scarlett2_init(struct usb_mixer_interface *mixer)
> > return 0;
> > }
> >
> > + if (get_iface_desc(mixer->hostif)->bNumEndpoints == 0) {
> > + usb_audio_err(chip,
> > + "%s: There are no endpoints for %04x:%04x\n",
> > + __func__,
> > + USB_ID_VENDOR(chip->usb_id),
> > + USB_ID_PRODUCT(chip->usb_id));
> > + return 0;
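Review bot: the "return 0;" that closes the added bNumEndpoints block reports success right after usb_audio_err() has logged the descriptor as having no endpoints, so the caller cannot tell that the init was skipped. Return a negative errno there (for example -EINVAL) so the log level and the return value agree. The changelog also says the check ensures the endpoint count "was 0", while the code rejects a count of 0; the subject and description should be reworded to match what the condition does.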
>
> This should be an error. It's obviously a broken descriptor, and this
> is the code specific to the certain configuration.
... and that check alone doesn't cover all cases, I'm afraid. The
scarlett2 driver code parses over multiple interfaces.
I guess rather a patch like below should cover better.
thanks,
Takashi
--- a/sound/usb/mixer_scarlett2.c
+++ b/sound/usb/mixer_scarlett2.c
@@ -8251,6 +8251,8 @@ static int scarlett2_find_fc_interface(struct usb_device *dev,
if (desc->bInterfaceClass != 255)
continue;
+ if (desc->bNumEndpoints < 1)
+ continue;
epd = get_endpoint(intf->altsetting, 0);
private->bInterfaceNumber = desc->bInterfaceNumber;
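Review bot: the new "if (desc->bNumEndpoints < 1) continue;" skips the interface silently, so a device whose class-255 interfaces all lack endpoints ends up on the no-match path of scarlett2_find_fc_interface(), which this hunk does not show. Please confirm that path returns an error the caller propagates, rather than leaving private->bInterfaceNumber and the endpoint fields unset. A one-line comment that the test guards get_endpoint(intf->altsetting, 0) would help, and it is worth checking that desc is the descriptor of that same altsetting, since the count is only meaningful for the altsetting whose endpoint array is indexed.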