* [Linux Kernel Bug] general protection fault in snd_fcp_init
From: Jiaming Zhang @ 2026-06-25 10:24 UTC (permalink / raw)
To: g, perex, tiwai, linux-sound; +Cc: syzkaller, linux-kernel
Dear Linux kernel developers and maintainers,
We are writing to report a general protection fault discovered in the
sound subsystem with our modified syzkaller. The issue is reproducible
on the latest version of linux (v7.1, commit
8cd9520d35a6c38db6567e97dd93b1f11f185dc6). Below is the KASAN report:
---
input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1
input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input3
faux_driver regulatory: Direct firmware load for regulatory.db failed with error -2
faux_driver regulatory: Falling back to sysfs fallback for: regulatory.db
cfg80211: failed to load regulatory.db
usb 1-1: Using ep0 maxpacket: 32
usb 1-1: unable to get BOS descriptor or descriptor too short
usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
usb 1-1: config 1 has 2 interfaces, different from the descriptor's value: 3
usb 1-1: New USB device found, idVendor=1235, idProduct=821d, bcdDevice= 0.40
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 801 Comm: kworker/0:2 Not tainted 7.1.0 #14 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_endpoint_num include/uapi/linux/usb/ch9.h:483 [inline]
RIP: 0010:fcp_find_fc_interface sound/usb/fcp.c:1089 [inline]
RIP: 0010:snd_fcp_init+0x42a/0x920 sound/usb/fcp.c:1112
Code: 9a 88 01 00 00 48 89 d8 48 c1 e8 03 42 0f b6 04 38 84 c0 4d 89 fc 0f 85 bc 03 00 00 44 88 33 49 8d 5d 02 48 89 d8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 c0 03 00 00 44 0f b6 33 41 80 e6 0f 48
RSP: 0018:ffffc9000441e760 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff888026b71c00 RSI: 00000000000000ff RDI: ffff888041f68b20
RBP: ffffc9000441e850 R08: 0000000000000003 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed1004d6e38b R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff888098af7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055efe3be0ff0 CR3: 000000004b5a7000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
snd_usb_mixer_apply_create_quirk+0x1579/0x1a70 sound/usb/mixer_quirks.c:4454
snd_usb_create_mixer+0x1ae6/0x27c0 sound/usb/mixer.c:3802
usb_audio_probe+0x1892/0x2310 sound/usb/card.c:1035
usb_probe_interface+0x659/0xc80 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xb10 drivers/base/dd.c:709
__driver_probe_device+0x1f7/0x420 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:500
__device_attach+0x2b7/0x430 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_set_configuration+0x1a5c/0x20f0 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3c0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xb10 drivers/base/dd.c:709
__driver_probe_device+0x1f7/0x420 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:500
__device_attach+0x2b7/0x430 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_new_device+0xb9d/0x1a30 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2885/0x4cf0 drivers/usb/core/hub.c:5953
process_one_work kernel/workqueue.c:3314 [inline]
process_scheduled_works+0xb4b/0x1840 kernel/workqueue.c:3397
worker_thread+0x8a3/0xda0 kernel/workqueue.c:3478
kthread+0x38a/0x480 kernel/kthread.c:436
ret_from_fork+0x509/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 0000000000000000 ]---
RIP: 0010:usb_endpoint_num include/uapi/linux/usb/ch9.h:483 [inline]
RIP: 0010:fcp_find_fc_interface sound/usb/fcp.c:1089 [inline]
RIP: 0010:snd_fcp_init+0x42a/0x920 sound/usb/fcp.c:1112
Code: 9a 88 01 00 00 48 89 d8 48 c1 e8 03 42 0f b6 04 38 84 c0 4d 89 fc 0f 85 bc 03 00 00 44 88 33 49 8d 5d 02 48 89 d8 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 c0 03 00 00 44 0f b6 33 41 80 e6 0f 48
RSP: 0018:ffffc9000441e760 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff888026b71c00 RSI: 00000000000000ff RDI: ffff888041f68b20
RBP: ffffc9000441e850 R08: 0000000000000003 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed1004d6e38b R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff888098af7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005645e3e76808 CR3: 000000000e14a000 CR4: 0000000000752ef0
PKRU: 55555554
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 88 01 mov %al,(%rcx)
2: 00 00 add %al,(%rax)
4: 48 89 d8 mov %rbx,%rax
7: 48 c1 e8 03 shr $0x3,%rax
b: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax
10: 84 c0 test %al,%al
12: 4d 89 fc mov %r15,%r12
15: 0f 85 bc 03 00 00 jne 0x3d7
1b: 44 88 33 mov %r14b,(%rbx)
1e: 49 8d 5d 02 lea 0x2(%r13),%rbx
22: 48 89 d8 mov %rbx,%rax
25: 48 c1 e8 03 shr $0x3,%rax
* 29: 42 0f b6 04 20 movzbl (%rax,%r12,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 c0 03 00 00 jne 0x3f6
36: 44 0f b6 33 movzbl (%rbx),%r14d
3a: 41 80 e6 0f and $0xf,%r14b
3e: 48 rex.W
---
The root cause is that the malicious USB device provides a
vendor-specific interface with no endpoint descriptors. During USB
descriptor parsing, no endpoint array is allocated for that alternate
setting, so altsetting->endpoint remains NULL. fcp_find_fc_interface()
does not check bNumEndpoints before calling get_endpoint(..., 0), and
the resulting endpoint descriptor pointer is later dereferenced by
usb_endpoint_num(), leading to null-ptr-deref.
A potential fix is as follows:
```
diff --git a/sound/usb/fcp.c b/sound/usb/fcp.c
index 0fc4d063c48a..c45dbe4d4532 100644
--- a/sound/usb/fcp.c
+++ b/sound/usb/fcp.c
@@ -1083,6 +1083,8 @@ static int fcp_find_fc_interface(struct
usb_mixer_interface *mixer)
if (desc->bInterfaceClass != 255)
continue;
+ if (desc->bNumEndpoints < 1)
+ continue;
epd = get_endpoint(intf->altsetting, 0);
private->bInterfaceNumber = desc->bInterfaceNumber;
```
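Review bot: the hunk header is wrapped across two lines (`@@ -1083,6 +1083,8 @@ static int fcp_find_fc_interface(struct` followed by `usb_mixer_interface *mixer)`), so this diff will not apply with git am or patch as pasted; for the formal submission generate it with git format-patch and send it with git send-email so the mail client does not rewrap it.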
On my machine, the reproducer no longer triggers the issue with the
above patch. If this solution is acceptable, we are happy to submit a
formal patch.
The kernel console output, kernel config, syzkaller reproducer, and C
reproducer are also available at google drive:
https://drive.google.com/drive/folders/1hE9rfMe-sNFwcrt_tPLiwzpYD1iJ7Hma?usp=sharing
Please let me know if any further information is required.
Best Regards,
Jiaming Zhang
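An added example, not code from this thread or from sound/usb/fcp.c, for the failure path the report above describes: a small C model of how the USB core builds an altsetting from raw interface and endpoint descriptors, the pre-fix lookup that takes endpoint 0 of the first vendor-specific interface without consulting bNumEndpoints, and the guarded lookup the proposed fix gives. Everything in it is constructed for illustration: the struct layouts are cut down from struct usb_host_interface and struct usb_endpoint_descriptor, parse_interface() and parse_config() are simplified stand-ins for usb_parse_interface() and the config parser, find_fc_ep_unchecked() and find_fc_ep_checked() stand in for the two versions of fcp_find_fc_interface(), and kConfigBlob is a made-up configuration. It goes one step beyond the reported case by also including an interface that claims an endpoint but supplies none, which ends up with a non-NULL but empty endpoint array and a rewritten bNumEndpoints of 0, to show why the count rather than the array pointer is the thing to check.

```c
/* Added example, not code from the thread or from sound/usb/fcp.c. Models the USB
 * core's altsetting construction and the FCP interface lookup before and after the
 * bNumEndpoints guard; struct layouts, names and the descriptor blob are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USB_DT_INTERFACE         0x04
#define USB_DT_ENDPOINT          0x05
#define USB_CLASS_VENDOR_SPEC    0xff
#define USB_ENDPOINT_NUMBER_MASK 0x0f
#define MAX_IFACES               8

struct ep_desc    { uint8_t bEndpointAddress, bmAttributes; uint16_t wMaxPacketSize; uint8_t bInterval; };
struct iface_desc { uint8_t bInterfaceNumber, bAlternateSetting, bNumEndpoints, bInterfaceClass; };
struct altsetting { struct iface_desc desc; struct ep_desc *endpoint; /* NULL when no endpoints */ };

/* One 9-byte interface descriptor plus the endpoint descriptors after it, as
 * usb_parse_interface() does it: the endpoint array exists only if endpoints are
 * claimed, and bNumEndpoints is rewritten to the number actually parsed.
 * Returns bytes consumed, 0 if the interface descriptor itself is unusable. */
static size_t parse_interface(const uint8_t *buf, size_t len, struct altsetting *alt)
{
    memset(alt, 0, sizeof(*alt));
    if (len < 9 || buf[0] < 9 || buf[1] != USB_DT_INTERFACE)
        return 0;
    alt->desc.bInterfaceNumber = buf[2]; alt->desc.bAlternateSetting = buf[3];
    uint8_t claimed = buf[4];            alt->desc.bInterfaceClass = buf[5];
    /* "can't allocate 0 bytes": with claimed == 0 the array stays NULL */
    if (claimed && !(alt->endpoint = calloc(claimed, sizeof(*alt->endpoint))))
        return 0;                        /* the kernel returns -ENOMEM here */
    alt->desc.bNumEndpoints = 0;         /* used as a counter from here on */
    size_t pos = buf[0];
    while (pos + 2 <= len) {
        uint8_t bLength = buf[pos], bType = buf[pos + 1];
        if (bLength < 2 || pos + bLength > len)
            return len;                  /* truncated descriptor: drop the rest of the config */
        if (bType == USB_DT_INTERFACE)
            break;                       /* next interface starts here */
        if (bType == USB_DT_ENDPOINT && bLength >= 7 && alt->desc.bNumEndpoints < claimed) {
            struct ep_desc *ep = &alt->endpoint[alt->desc.bNumEndpoints++];
            ep->bEndpointAddress = buf[pos + 2]; ep->bmAttributes = buf[pos + 3];
            ep->wMaxPacketSize = buf[pos + 4] | (uint16_t)(buf[pos + 5] << 8); ep->bInterval = buf[pos + 6];
        }                                /* class/vendor-specific descriptors are skipped */
        pos += bLength;
    }
    return pos;
}

/* Build one altsetting per interface descriptor (the blob carries no configuration header). */
static int parse_config(const uint8_t *buf, size_t len, struct altsetting *alts, int max)
{
    size_t pos = 0, used;
    int n = 0;
    while (pos < len && n < max && (used = parse_interface(buf + pos, len - pos, &alts[n])) > 0) {
        pos += used;
        n++;
    }
    return n;
}

static void free_altsettings(struct altsetting *a, int n) { for (int i = 0; i < n; i++) free(a[i].endpoint); }

/* As usb_endpoint_num(): the read that faulted (NULL + 2, the offset of bEndpointAddress). */
static int endpoint_num(const struct ep_desc *ep) { return ep->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK; }

/* Pre-fix lookup: endpoint 0 of the first vendor-specific interface, no count check. */
static const struct ep_desc *find_fc_ep_unchecked(const struct altsetting *alts, int n)
{
    for (int i = 0; i < n; i++)
        if (alts[i].desc.bInterfaceClass == USB_CLASS_VENDOR_SPEC)
            return alts[i].endpoint;     /* &endpoint[0]; NULL when the interface has no endpoints */
    return NULL;
}

/* Post-fix lookup: skip vendor-specific interfaces without endpoints, record the chosen one. */
static const struct ep_desc *find_fc_ep_checked(const struct altsetting *alts, int n, int *iface)
{
    for (int i = 0; i < n; i++) {
        if (alts[i].desc.bInterfaceClass != USB_CLASS_VENDOR_SPEC)
            continue;
        if (alts[i].desc.bNumEndpoints < 1)  /* the guard the fix adds */
            continue;
        *iface = alts[i].desc.bInterfaceNumber;
        return &alts[i].endpoint[0];
    }
    return NULL;
}

/* Constructed configuration blob: four interfaces. */
static const uint8_t kConfigBlob[] = {
    0x09, USB_DT_INTERFACE, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, /* 0: audio control, no endpoints */
    0x09, USB_DT_INTERFACE, 0x01, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, /* 1: vendor-specific, 0 endpoints: the crash shape */
    0x09, USB_DT_INTERFACE, 0x02, 0x00, 0x01, 0xff, 0x00, 0x00, 0x00, /* 2: vendor-specific, claims 1, supplies none */
    0x09, USB_DT_INTERFACE, 0x03, 0x00, 0x02, 0xff, 0x00, 0x00, 0x00, /* 3: vendor-specific, bulk OUT 0x01 + IN 0x81 */
    0x07, USB_DT_ENDPOINT, 0x01, 0x02, 0x40, 0x00, 0x00,
    0x07, USB_DT_ENDPOINT, 0x81, 0x02, 0x40, 0x00, 0x00,
};

int main(void)
{
    struct altsetting alts[MAX_IFACES];
    int iface = -1, n = parse_config(kConfigBlob, sizeof kConfigBlob, alts, MAX_IFACES);
    const struct ep_desc *ep = find_fc_ep_checked(alts, n, &iface);
    printf("%d interfaces; unchecked lookup -> %s; checked lookup -> interface %d endpoint %d\n", n,
           find_fc_ep_unchecked(alts, n) ? "descriptor" : "NULL (usb_endpoint_num() would fault)",
           iface, ep ? endpoint_num(ep) : -1);
    free_altsettings(alts, n);
    return 0;
}
```

Assuming the block is saved as fcp_model.c, `cc -Wall -std=c11 fcp_model.c && ./a.out` runs it. The unchecked lookup returns NULL for interface 1, which is the pointer the report shows usb_endpoint_num() reading two bytes into (lea 0x2(%r13) with r13 = 0); the checked lookup skips interface 1 (no endpoints, NULL array) and interface 2 (claimed one, parsed none, so a non-NULL array but bNumEndpoints 0) and selects interface 3.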
* Re: [Linux Kernel Bug] general protection fault in snd_fcp_init
From: Takashi Iwai @ 2026-06-25 11:44 UTC (permalink / raw)
To: Jiaming Zhang; +Cc: g, perex, tiwai, linux-sound, syzkaller, linux-kernel
On Thu, 25 Jun 2026 12:24:49 +0200,
Jiaming Zhang wrote:
> On my machine, the reproducer no longer triggers the issue with the
> above patch. If this solution is acceptable, we are happy to submit a
> formal patch.
The patch looks reasonable. Could you just submit a proper patch?
thanks,
Takashi
* [PATCH] ALSA: FCP: Fix NULL pointer dereference in interface lookup
From: Jiaming Zhang @ 2026-06-25 13:49 UTC (permalink / raw)
To: tiwai; +Cc: g, linux-kernel, linux-sound, perex, r772577952, syzkaller, tiwai
A malformed USB device can provide a vendor-specific interface without
any endpoint descriptors. fcp_find_fc_interface() currently selects the
first vendor-specific interface and reads endpoint 0 from it, without
checking whether the interface actually has any endpoints.
When bNumEndpoints is zero, no endpoint array is allocated for the parsed
alternate setting, so get_endpoint(..., 0) yields an invalid endpoint
descriptor pointer. Dereferencing it through usb_endpoint_num() then
triggers a NULL pointer dereference.
Skip vendor-specific interfaces that do not have any endpoints.
Fixes: 46757a3e7d50 ("ALSA: FCP: Add Focusrite Control Protocol driver")
Reported-by: Jiaming Zhang <r772577952@gmail.com>
Closes: https://lore.kernel.org/lkml/CANypQFb1EHj0xX8bA1WxSOSK-5xca6ZNKzOQcp12=s=puY7VFw@mail.gmail.com/
Signed-off-by: Jiaming Zhang <r772577952@gmail.com>
---
sound/usb/fcp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/usb/fcp.c b/sound/usb/fcp.c
index ea746bdb36ff..6f5dcd35e1d4 100644
--- a/sound/usb/fcp.c
+++ b/sound/usb/fcp.c
@@ -1083,6 +1083,8 @@ static int fcp_find_fc_interface(struct usb_mixer_interface *mixer)
if (desc->bInterfaceClass != 255)
continue;
+ if (desc->bNumEndpoints < 1)
+ continue;
epd = get_endpoint(intf->altsetting, 0);
private->bInterfaceNumber = desc->bInterfaceNumber;
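Review bot: the guard at `+ if (desc->bNumEndpoints < 1)` is sufficient on its own, so no separate NULL test on the endpoint array is needed beside it: usb_parse_interface() in drivers/usb/core/config.c zeroes bNumEndpoints and re-counts it as endpoint descriptors are actually parsed, so an interface that claims endpoints but supplies none (the endpoint analogue of the "config 1 has 2 interfaces, different from the descriptor's value: 3" notice in the report) ends up with a non-NULL but empty array and bNumEndpoints == 0, and this check skips that interface as well. Two nits for the final version: `if (!desc->bNumEndpoints)` is the usual idiom for a u8 count, and since the crash is reachable by plugging in a device and the patch carries a Fixes: tag, a `Cc: stable@vger.kernel.org` line under it would get the fix into stable trees (the maintainer may add it when applying).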
base-commit: ab9de95c9cf952332ab79453b4b5d1bfca8e514f
--
2.43.0
* Re: [PATCH] ALSA: FCP: Fix NULL pointer dereference in interface lookup
From: Takashi Iwai @ 2026-06-26 5:47 UTC (permalink / raw)
To: Jiaming Zhang
Cc: tiwai, g, linux-kernel, linux-sound, perex, syzkaller, tiwai
On Thu, 25 Jun 2026 15:49:33 +0200,
Jiaming Zhang wrote:
> Skip vendor-specific interfaces that do not have any endpoints.
Applied now. Thanks.
Takashi