From: Takashi Iwai <tiwai@suse.de>
To: Jiaming Zhang <r772577952@gmail.com>
Cc: g@b4.vu, perex@perex.cz, tiwai@suse.com,
	linux-sound@vger.kernel.org, syzkaller@googlegroups.com,
	linux-kernel@vger.kernel.org
Subject: Re: [Linux Kernel Bug] general protection fault in snd_fcp_init
Date: Thu, 25 Jun 2026 13:44:34 +0200	[thread overview]
Message-ID: <87echuvo7x.wl-tiwai@suse.de> (raw)
In-Reply-To: <CANypQFb1EHj0xX8bA1WxSOSK-5xca6ZNKzOQcp12=s=puY7VFw@mail.gmail.com>

On Thu, 25 Jun 2026 12:24:49 +0200,
Jiaming Zhang wrote:
> 
> Dear Linux kernel developers and maintainers,
> 
> We are writing to report a general protection fault discovered in the
> sound subsystem with our modified syzkaller. The issue is reproducible
> on the latest version of linux (v7.1, commit
> 8cd9520d35a6c38db6567e97dd93b1f11f185dc6). Below is the KASAN report:
> 
> ---
> input: AT Translated Set 2 keyboard as
> /devices/platform/i8042/serio0/input/input1
> input: ImExPS/2 Generic Explorer Mouse as
> /devices/platform/i8042/serio1/input/input3
> faux_driver regulatory: Direct firmware load for regulatory.db failed
> with error -2
> faux_driver regulatory: Falling back to sysfs fallback for: regulatory.db
> cfg80211: failed to load regulatory.db
> usb 1-1: Using ep0 maxpacket: 32
> usb 1-1: unable to get BOS descriptor or descriptor too short
> usb 1-1: config 1 has an invalid descriptor of length 0, skipping
> remainder of the config
> usb 1-1: config 1 has 2 interfaces, different from the descriptor's value: 3
> usb 1-1: New USB device found, idVendor=1235, idProduct=821d, bcdDevice= 0.40
> usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
> usb 1-1: Product: syz
> usb 1-1: Manufacturer: syz
> usb 1-1: SerialNumber: syz
> Oops: general protection fault, probably for non-canonical address
> 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> CPU: 0 UID: 0 PID: 801 Comm: kworker/0:2 Not tainted 7.1.0 #14 PREEMPT(full)
> Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix,
> 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:usb_endpoint_num include/uapi/linux/usb/ch9.h:483 [inline]
> RIP: 0010:fcp_find_fc_interface sound/usb/fcp.c:1089 [inline]
> RIP: 0010:snd_fcp_init+0x42a/0x920 sound/usb/fcp.c:1112
> Code: 9a 88 01 00 00 48 89 d8 48 c1 e8 03 42 0f b6 04 38 84 c0 4d 89
> fc 0f 85 bc 03 00 00 44 88 33 49 8d 5d 02 48 89 d8 48 c1 e8 03 <42> 0f
> b6 04 20 84 c0 0f 85 c0 03 00 00 44 0f b6 33 41 80 e6 0f 48
> RSP: 0018:ffffc9000441e760 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
> RDX: ffff888026b71c00 RSI: 00000000000000ff RDI: ffff888041f68b20
> RBP: ffffc9000441e850 R08: 0000000000000003 R09: 0000000000000000
> R10: dffffc0000000000 R11: ffffed1004d6e38b R12: dffffc0000000000
> R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff888098af7000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000055efe3be0ff0 CR3: 000000004b5a7000 CR4: 0000000000752ef0
> PKRU: 55555554
> Call Trace:
>  <TASK>
>  snd_usb_mixer_apply_create_quirk+0x1579/0x1a70 sound/usb/mixer_quirks.c:4454
>  snd_usb_create_mixer+0x1ae6/0x27c0 sound/usb/mixer.c:3802
>  usb_audio_probe+0x1892/0x2310 sound/usb/card.c:1035
>  usb_probe_interface+0x659/0xc80 drivers/usb/core/driver.c:396
>  call_driver_probe drivers/base/dd.c:-1 [inline]
>  really_probe+0x267/0xb10 drivers/base/dd.c:709
>  __driver_probe_device+0x1f7/0x420 drivers/base/dd.c:871
>  driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
>  __device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
>  bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:500
>  __device_attach+0x2b7/0x430 drivers/base/dd.c:1101
>  device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
>  bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
>  device_add+0x7e9/0xbb0 drivers/base/core.c:3706
>  usb_set_configuration+0x1a5c/0x20f0 drivers/usb/core/message.c:2268
>  usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
>  usb_probe_device+0x1c4/0x3c0 drivers/usb/core/driver.c:291
>  call_driver_probe drivers/base/dd.c:-1 [inline]
>  really_probe+0x267/0xb10 drivers/base/dd.c:709
>  __driver_probe_device+0x1f7/0x420 drivers/base/dd.c:871
>  driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
>  __device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
>  bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:500
>  __device_attach+0x2b7/0x430 drivers/base/dd.c:1101
>  device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
>  bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
>  device_add+0x7e9/0xbb0 drivers/base/core.c:3706
>  usb_new_device+0xb9d/0x1a30 drivers/usb/core/hub.c:2695
>  hub_port_connect drivers/usb/core/hub.c:5567 [inline]
>  hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
>  port_event drivers/usb/core/hub.c:5871 [inline]
>  hub_event+0x2885/0x4cf0 drivers/usb/core/hub.c:5953
>  process_one_work kernel/workqueue.c:3314 [inline]
>  process_scheduled_works+0xb4b/0x1840 kernel/workqueue.c:3397
>  worker_thread+0x8a3/0xda0 kernel/workqueue.c:3478
>  kthread+0x38a/0x480 kernel/kthread.c:436
>  ret_from_fork+0x509/0xb70 arch/x86/kernel/process.c:158
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>  </TASK>
> Modules linked in:
> Dumping ftrace buffer:
>    (ftrace buffer empty)
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:usb_endpoint_num include/uapi/linux/usb/ch9.h:483 [inline]
> RIP: 0010:fcp_find_fc_interface sound/usb/fcp.c:1089 [inline]
> RIP: 0010:snd_fcp_init+0x42a/0x920 sound/usb/fcp.c:1112
> Code: 9a 88 01 00 00 48 89 d8 48 c1 e8 03 42 0f b6 04 38 84 c0 4d 89
> fc 0f 85 bc 03 00 00 44 88 33 49 8d 5d 02 48 89 d8 48 c1 e8 03 <42> 0f
> b6 04 20 84 c0 0f 85 c0 03 00 00 44 0f b6 33 41 80 e6 0f 48
> RSP: 0018:ffffc9000441e760 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
> RDX: ffff888026b71c00 RSI: 00000000000000ff RDI: ffff888041f68b20
> RBP: ffffc9000441e850 R08: 0000000000000003 R09: 0000000000000000
> R10: dffffc0000000000 R11: ffffed1004d6e38b R12: dffffc0000000000
> R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff888098af7000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00005645e3e76808 CR3: 000000000e14a000 CR4: 0000000000752ef0
> PKRU: 55555554
> ----------------
> Code disassembly (best guess), 1 bytes skipped:
>    0:   88 01                   mov    %al,(%rcx)
>    2:   00 00                   add    %al,(%rax)
>    4:   48 89 d8                mov    %rbx,%rax
>    7:   48 c1 e8 03             shr    $0x3,%rax
>    b:   42 0f b6 04 38          movzbl (%rax,%r15,1),%eax
>   10:   84 c0                   test   %al,%al
>   12:   4d 89 fc                mov    %r15,%r12
>   15:   0f 85 bc 03 00 00       jne    0x3d7
>   1b:   44 88 33                mov    %r14b,(%rbx)
>   1e:   49 8d 5d 02             lea    0x2(%r13),%rbx
>   22:   48 89 d8                mov    %rbx,%rax
>   25:   48 c1 e8 03             shr    $0x3,%rax
> * 29:   42 0f b6 04 20          movzbl (%rax,%r12,1),%eax <-- trapping instruction
>   2e:   84 c0                   test   %al,%al
>   30:   0f 85 c0 03 00 00       jne    0x3f6
>   36:   44 0f b6 33             movzbl (%rbx),%r14d
>   3a:   41 80 e6 0f             and    $0xf,%r14b
>   3e:   48                      rex.W
> ---
> 
> The root cause is that the malicious USB device provides a
> vendor-specific interface with no endpoint descriptors. During USB
> descriptor parsing, no endpoint array is allocated for that alternate
> setting, so altsetting->endpoint remains NULL. fcp_find_fc_interface()
> does not check bNumEndpoints before calling get_endpoint(..., 0), and
> the resulting endpoint descriptor pointer is later dereferenced by
> usb_endpoint_num(), leading to null-ptr-deref.
> 
> A potential fix is as follows:
> 
> ```
> diff --git a/sound/usb/fcp.c b/sound/usb/fcp.c
> index 0fc4d063c48a..c45dbe4d4532 100644
> --- a/sound/usb/fcp.c
> +++ b/sound/usb/fcp.c
> @@ -1083,6 +1083,8 @@ static int fcp_find_fc_interface(struct
> usb_mixer_interface *mixer)
> 
>         if (desc->bInterfaceClass != 255)
>             continue;
> +       if (desc->bNumEndpoints < 1)
> +           continue;
> 
>         epd = get_endpoint(intf->altsetting, 0);
>         private->bInterfaceNumber = desc->bInterfaceNumber;
> ```
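Review bot: the guard sits in the right place (before `get_endpoint(intf->altsetting, 0)` and the `private->bInterfaceNumber = desc->bInterfaceNumber;` assignment), but `bNumEndpoints` is a `__u8`, so `< 1` is just `== 0`; `if (desc->bNumEndpoints == 0)` states the intent more directly and reads consistently with the `!= 255` test two lines above. Two things the formal submission needs that this pasted copy lacks: the indentation appears as spaces rather than tabs in the quoted hunk, so make sure the real patch goes out via `git send-email` with whitespace intact, and a commit message that carries the root-cause sentence from the mail (no endpoint array is allocated for a zero-endpoint alternate setting, so `altsetting->endpoint` stays NULL) together with `Fixes:` and `Reported-by:` tags.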
> 
> On my machine, the reproducer no longer triggers the issue with the
> above patch. If this solution is acceptable, we are happy to submit a
> formal patch.
> 
> The kernel console output, kernel config, syzkaller reproducer, and C
> reproducer are also available at google drive:
> https://drive.google.com/drive/folders/1hE9rfMe-sNFwcrt_tPLiwzpYD1iJ7Hma?usp=sharing
> 
> Please let me know if any further information is required.

The patch looks reasonable.  Could you just submit a proper patch?


thanks,

Takashi
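As an added illustration of the root cause in the quoted report and of what the proposed guard changes, here is a user-space model of the interface walk in fcp_find_fc_interface(). This is example code, not kernel code and not the reporter's patch: the struct names mirror the kernel's usb_host_interface / usb_interface types but are simplified stand-ins, the descriptors are constructed to match the shape the report describes (a vendor-specific interface with bNumEndpoints == 0 and no endpoint array), and the model assumes the real function returns on the first vendor-specific interface it accepts.

```c
/*
 * Added example (not kernel code): a user-space model of the interface
 * walk in fcp_find_fc_interface(). Structs are simplified stand-ins.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define USB_CLASS_VENDOR_SPEC 0xff   /* the "255" tested in the quoted hunk */

struct usb_endpoint_descriptor {
	unsigned char bEndpointAddress;  /* low nibble is the endpoint number */
	unsigned char bmAttributes;
};

struct usb_interface_descriptor {
	unsigned char bInterfaceNumber;
	unsigned char bNumEndpoints;
	unsigned char bInterfaceClass;
};

/*
 * The descriptor parser only allocates an endpoint array when
 * bNumEndpoints > 0; otherwise the pointer stays NULL. That is the state
 * the syzkaller device leaves behind.
 */
struct usb_host_interface {
	struct usb_interface_descriptor desc;
	struct usb_endpoint_descriptor *endpoint; /* bNumEndpoints entries, or NULL */
};

struct usb_interface {
	struct usb_host_interface *altsetting; /* first alternate setting */
};

struct usb_host_config {
	struct usb_interface *interface[8];
	unsigned char bNumInterfaces;
};

/* usb_endpoint_num(): endpoint number from bEndpointAddress. */
static int usb_endpoint_num_model(const struct usb_endpoint_descriptor *epd)
{
	return epd->bEndpointAddress & 0x0f;
}

/*
 * Pre-patch behaviour, made observable instead of fatal: returns 1 if the
 * original loop would take &endpoint[0] from a NULL array for this config.
 */
static int prepatch_would_deref_null(const struct usb_host_config *cfg)
{
	for (int i = 0; i < cfg->bNumInterfaces; i++) {
		const struct usb_host_interface *alt = cfg->interface[i]->altsetting;

		if (alt->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC)
			continue;
		/* original: epd = get_endpoint(alt, 0); usb_endpoint_num(epd) */
		return alt->endpoint == NULL;
	}
	return 0;
}

/*
 * Patched walk: returns the interface number of the first vendor-specific
 * interface that has an endpoint (endpoint number via *ep_num if non-NULL),
 * or -ENODEV when no usable interface exists. Assumption: the real function
 * returns on its first accepted interface.
 */
static int fcp_find_fc_interface_model(const struct usb_host_config *cfg, int *ep_num)
{
	for (int i = 0; i < cfg->bNumInterfaces; i++) {
		const struct usb_host_interface *alt = cfg->interface[i]->altsetting;

		if (alt->desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC)
			continue;
		if (alt->desc.bNumEndpoints == 0)   /* the guard the patch adds */
			continue;
		if (ep_num)
			*ep_num = usb_endpoint_num_model(&alt->endpoint[0]); /* get_endpoint(alt, 0) */
		return alt->desc.bInterfaceNumber;
	}
	return -ENODEV;
}

/* Convenience wrapper: endpoint number found, or -1 if none. */
static int model_ep_num(const struct usb_host_config *cfg)
{
	int ep = -1;

	fcp_find_fc_interface_model(cfg, &ep);
	return ep;
}

/* Constructed descriptors (not captured from a real device). */
static struct usb_endpoint_descriptor if2_eps[1] = { { 0x02, 0x02 } }; /* bulk OUT, ep 2 */
static struct usb_host_interface alt_vendor_empty = { { 0, 0, USB_CLASS_VENDOR_SPEC }, NULL };
static struct usb_host_interface alt_audio_ctl    = { { 1, 0, 0x01 }, NULL };
static struct usb_host_interface alt_vendor_ok    = { { 2, 1, USB_CLASS_VENDOR_SPEC }, if2_eps };
static struct usb_interface if0 = { &alt_vendor_empty };
static struct usb_interface if1 = { &alt_audio_ctl };
static struct usb_interface if2 = { &alt_vendor_ok };

/* Shape from the report: an endpoint-less vendor-specific interface comes first. */
static struct usb_host_config cfg_syz_like   = { { &if0, &if1, &if2 }, 3 };
/* Only the empty vendor interface: nothing usable, so the driver should bail. */
static struct usb_host_config cfg_only_empty = { { &if0 }, 1 };

int main(void)
{
	int ep = -1;
	int ifnum = fcp_find_fc_interface_model(&cfg_syz_like, &ep);

	printf("pre-patch would deref NULL: %d\n", prepatch_would_deref_null(&cfg_syz_like));
	printf("patched: interface %d, endpoint %d\n", ifnum, ep);
	printf("patched, empty-only config: %d (-ENODEV is %d)\n",
	       fcp_find_fc_interface_model(&cfg_only_empty, NULL), -ENODEV);
	return 0;
}
```

The two configurations show both sides of the guard: with the syzkaller-like layout the pre-patch walk stops at interface 0 and reads through a NULL endpoint array, while the guarded walk skips it and settles on interface 2 / endpoint 2; with nothing but the empty vendor interface the guarded walk returns -ENODEV instead of crashing, which is the outcome the driver should report for a malformed device.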

Thread overview:
2026-06-25 10:24 [Linux Kernel Bug] general protection fault in snd_fcp_init Jiaming Zhang
2026-06-25 11:44 ` Takashi Iwai [this message]
2026-06-25 13:49   ` [PATCH] ALSA: FCP: Fix NULL pointer dereference in interface lookup Jiaming Zhang
2026-06-26  5:47     ` Takashi Iwai
