From: Hillf Danton
To: Deepanshu Kartikey
Cc: syzbot, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: Forwarded: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure
Date: Sun, 26 Apr 2026 10:33:10 +0800
Message-ID: <20260426023311.2069-1-hdanton@sina.com>
In-Reply-To: <69ecd305.a00a0220.7773.001b.GAE@google.com>

> Date: Sat, 25 Apr 2026 07:43:17 -0700
> For archival purposes, forwarding an incoming command email to
> linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
>
> ***
>
> Subject: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure
> Author: kartikey406@gmail.com
>
Deepanshu, can you please correctly fill your Cc list as required to avoid this forwarded message which is a waste of net bandwidth?

> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>
> create_card() takes a reference on the USB device with usb_get_dev()
> and stores the matching usb_put_dev() in card_free(), which is
> installed as the snd_card's ->private_free destructor.
>
> However, ->private_free is only assigned near the end of init_card(),
> after several failure points (usb_set_interface(), EP type checks,
> usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
> timeout). When any of those fail, init_card() returns an error to
> snd_probe(), which calls snd_card_free(card). Because ->private_free
> is still NULL, card_free() never runs, the usb_get_dev() reference
> is not dropped, and the struct usb_device leaks along with its
> descriptor allocations and device_private.
>
> syzbot reproduces this with a malformed UAC3 device whose only valid
> altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
> fails with -EIO and triggers the leak.
> > Move the ->private_free assignment into create_card(), immediately > after usb_get_dev(), so that every error path reaching snd_card_free() > balances the reference. card_free()'s callees (snd_usb_caiaq_input_free, > free_urbs, kfree) already tolerate the partially-initialized state > because the chip private area is zero-initialized by snd_card_new(). > > Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560 > Signed-off-by: Deepanshu Kartikey > --- > sound/usb/caiaq/device.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c > index 8af0c04041ee..ad9f744b496b 100644 > --- a/sound/usb/caiaq/device.c > +++ b/sound/usb/caiaq/device.c > @@ -423,6 +423,7 @@ static int create_card(struct usb_device *usb_dev, > > cdev = caiaqdev(card); > cdev->chip.dev = usb_get_dev(usb_dev); > + card->private_free = card_free; > cdev->chip.card = card; > cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor), > le16_to_cpu(usb_dev->descriptor.idProduct)); > @@ -511,7 +512,6 @@ static int init_card(struct snd_usb_caiaqdev *cdev) > scnprintf(card->longname, sizeof(card->longname), "%s %s (%s)", > cdev->vendor_name, cdev->product_name, usbpath); > > - card->private_free = card_free; > err = setup_card(cdev); > if (err < 0) > return err; > -- > 2.43.0
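
Review bot: the invariant that makes the new "card->private_free = card_free;" in create_card() safe is not documented where it is relied on. The destructor is now installed before "cdev->chip.card = card;" and before anything init_card() sets up, so card_free() can run against a chip area that holds only the zeroes left by snd_card_new() plus chip.dev. The changelog states that snd_usb_caiaq_input_free(), free_urbs() and kfree() tolerate that state, but none of those bodies are in this diff. Suggest a one-line comment at the assignment saying that card_free() must stay safe on zero/NULL fields, so a later change to card_free() does not quietly reintroduce a crash on the probe error path.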
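
Review bot: with the assignment removed from init_card(), every early return in that function now ends in card_free(), and the changelog does not say whether that is safe once a URB is in flight. It lists usb_submit_urb() and the EP1_CMD_GET_DEVICE_INFO timeout among the failure points; on the timeout path the URB has already been submitted. Please confirm, and say in the changelog, that card_free() stops that URB before free_urbs()/kfree() release its memory, and that no init_card() error path already frees something card_free() would free again. The trailers shown also carry no Fixes: tag, which would help stable backports pick this up.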