[PATCH] ALSA: usb-audio: avoid kobject path lookup in DualSense match

[PATCH] ALSA: usb-audio: avoid kobject path lookup in DualSense match

[Darvell Long]

The DualSense jack-detection input handler verifies that a matching input
device belongs to the same physical controller by building kobject path
strings for both the input device and the USB audio device, then comparing
the path prefix.

This was observed when a weak physical connection caused the controller
to rapidly disconnect and reconnect. During that repeated hotplug,
snd_dualsense_ih_match() can run while the controller's USB device is
being disconnected. kobject_get_path() walks ancestor kobjects and
dereferences their names; if the USB device kobject name is no longer
valid, this can fault in strlen():

  RIP: 0010:strlen+0x10/0x30
  Call Trace:
   kobject_get_path+0x34/0x150
   snd_dualsense_ih_match+0x49/0xd0 [snd_usb_audio]
   input_register_device+0x566/0x6a0
   ps_probe+0xb89/0x1590 [hid_playstation]

The same ownership check can be done without building kobject path
strings. The input device is parented below the HID device, USB interface
and USB device, so walking the input device parent chain and comparing
against the mixer USB device preserves the check without dereferencing
kobject names during disconnect.

Fixes: 79d561c4ec04 ("ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5")
Cc: <stable@vger.kernel.org>
Assisted-by: Cute:gpt-5.5
Signed-off-by: Darvell Long <contact@darvell.me>
---
 sound/usb/mixer_quirks.c | 46 ++++++++++++----------------------------------
 1 file changed, 12 insertions(+), 34 deletions(-)

diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
index 50c42a4..912b8b8 100644
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -567,46 +567,30 @@ static bool snd_dualsense_ih_match(struct input_handler *handler,
 {
 	struct dualsense_mixer_elem_info *mei;
 	struct usb_device *snd_dev;
-	char *input_dev_path, *usb_dev_path;
-	size_t usb_dev_path_len;
-	bool match = false;
+	struct device *parent;

 	mei = container_of(handler, struct dualsense_mixer_elem_info, ih);
 	snd_dev = mei->info.head.mixer->chip->dev;

-	input_dev_path = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);
-	if (!input_dev_path) {
-		dev_warn(&snd_dev->dev, "Failed to get input dev path\n");
-		return false;
-	}
-
-	usb_dev_path = kobject_get_path(&snd_dev->dev.kobj, GFP_KERNEL);
-	if (!usb_dev_path) {
-		dev_warn(&snd_dev->dev, "Failed to get USB dev path\n");
-		goto free_paths;
-	}
-
 	/*
 	 * Ensure the VID:PID matched input device supposedly owned by the
 	 * hid-playstation driver belongs to the actual hardware handled by
-	 * the current USB audio device, which implies input_dev_path being
-	 * a subpath of usb_dev_path.
+	 * the current USB audio device.
 	 *
 	 * This verification is necessary when there is more than one identical
 	 * controller attached to the host system.
+	 *
+	 * The input device is registered below the HID device, USB interface and
+	 * USB device, so compare the parent chain directly instead of building
+	 * kobject path strings. This avoids dereferencing kobject names while the
+	 * USB device hierarchy is being torn down during disconnect.
 	 */
-	usb_dev_path_len = strlen(usb_dev_path);
-	if (usb_dev_path_len >= strlen(input_dev_path))
-		goto free_paths;
-
-	usb_dev_path[usb_dev_path_len] = '/';
-	match = !memcmp(input_dev_path, usb_dev_path, usb_dev_path_len + 1);
-
-free_paths:
-	kfree(input_dev_path);
-	kfree(usb_dev_path);
+	for (parent = dev->dev.parent; parent; parent = parent->parent) {
+		if (parent == &snd_dev->dev)
+			return true;
+	}

-	return match;
+	return false;
 }
 
 static int snd_dualsense_ih_connect(struct input_handler *handler,

Re: [PATCH] ALSA: usb-audio: avoid kobject path lookup in DualSense match

[Takashi Iwai]

On Wed, 24 Jun 2026 16:37:23 +0200,
Darvell Long wrote:
> 
> The DualSense jack-detection input handler verifies that a matching input
> device belongs to the same physical controller by building kobject path
> strings for both the input device and the USB audio device, then comparing
> the path prefix.
> 
> This was observed when a weak physical connection caused the controller
> to rapidly disconnect and reconnect. During that repeated hotplug,
> snd_dualsense_ih_match() can run while the controller's USB device is
> being disconnected. kobject_get_path() walks ancestor kobjects and
> dereferences their names; if the USB device kobject name is no longer
> valid, this can fault in strlen():
> 
>   RIP: 0010:strlen+0x10/0x30
>   Call Trace:
>    kobject_get_path+0x34/0x150
>    snd_dualsense_ih_match+0x49/0xd0 [snd_usb_audio]
>    input_register_device+0x566/0x6a0
>    ps_probe+0xb89/0x1590 [hid_playstation]
> 
> The same ownership check can be done without building kobject path
> strings. The input device is parented below the HID device, USB interface
> and USB device, so walking the input device parent chain and comparing
> against the mixer USB device preserves the check without dereferencing
> kobject names during disconnect.
> 
> Fixes: 79d561c4ec04 ("ALSA: usb-audio: Add mixer quirk for Sony DualSense PS5")
> Cc: <stable@vger.kernel.org>
> Assisted-by: Cute:gpt-5.5
> Signed-off-by: Darvell Long <contact@darvell.me>

Thanks, applied now.


Takashi