[PATCH 1/2] ALSA: caiaq: fix use-after-free and double-free in setup_card()

[PATCH 1/2] ALSA: caiaq: fix use-after-free and double-free in setup_card()

[Berk Cem Goksel]

When snd_card_register() fails in setup_card(), snd_card_free() is
called on the card, but there is no return statement afterwards.
Execution falls through to snd_usb_caiaq_control_init(cdev), which
dereferences members of the just-freed card, resulting in a
use-after-free.

setup_card() is void and init_card() still returns 0 on this path,
so snd_probe() leaves the freed card pointer in the USB interface's
private data via usb_set_intfdata(). When the device is later
disconnected, snd_usb_caiaq_disconnect() calls
snd_card_free_when_closed() on that same pointer, producing a
double-free and slab corruption.

Add the missing return so a failed snd_card_register() cleanly
aborts setup without touching freed memory.

The issue is reachable by any caiaq-compatible USB device whose
descriptors cause snd_card_register() to fail. It was reproduced
with raw-gadget + dummy_hcd on 7.0.0-rc5 (arm64, KASAN).

Fixes: 523f1dce7096 ("ALSA: snd-usb-caiaq: add support for NI Audio Kontrol 1")
Cc: stable@vger.kernel.org
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
---
 sound/usb/caiaq/device.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -369,6 +369,7 @@
 	if (ret < 0) {
 		dev_err(dev, "snd_card_register() returned %d\n", ret);
 		snd_card_free(cdev->chip.card);
+		return;
 	}

 	ret = snd_usb_caiaq_control_init(cdev);

[PATCH 2/2] ALSA: caiaq: take a reference on the USB device in create_card()

[Berk Cem Goksel]

The caiaq driver stores a pointer to the parent USB device in
cdev->chip.dev but never takes a reference on it. The card's
private_free callback, snd_usb_caiaq_card_free(), can run
asynchronously via snd_card_free_when_closed() after the USB
device has already been disconnected and freed, so any access to
cdev->chip.dev in that path dereferences a freed usb_device.

On top of the refcounting issue, the current card_free implementation
calls usb_reset_device(cdev->chip.dev). A reset in a free callback
is inappropriate: the device is going away, the call takes the
device lock in a teardown context, and the reset races with the
disconnect path that the callback is already cleaning up after.

Take a reference on the USB device in create_card() with
usb_get_dev(), drop it with usb_put_dev() in the free callback,
and remove the usb_reset_device() call.

Fixes: 523f1dce7096 ("ALSA: snd-usb-caiaq: add support for NI Audio Kontrol 1")
Cc: stable@vger.kernel.org
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
---
 sound/usb/caiaq/device.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -385,7 +385,8 @@
 	snd_usb_caiaq_input_free(cdev);
 #endif
 	snd_usb_caiaq_audio_free(cdev);
-	usb_reset_device(cdev->chip.dev);
+	if (cdev->chip.dev)
+		usb_put_dev(cdev->chip.dev);
 }

 static int create_card(struct usb_device *usb_dev,
@@ -411,7 +412,7 @@
 		return err;

 	cdev = caiaqdev(card);
-	cdev->chip.dev = usb_dev;
+	cdev->chip.dev = usb_get_dev(usb_dev);
 	cdev->chip.card = card;
 	cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
 				  le16_to_cpu(usb_dev->descriptor.idProduct));

Re: [PATCH 1/2] ALSA: caiaq: fix use-after-free and double-free in setup_card()

[Takashi Iwai]

On Fri, 10 Apr 2026 06:59:03 +0200,
Berk Cem Goksel wrote:
> 
> When snd_card_register() fails in setup_card(), snd_card_free() is
> called on the card, but there is no return statement afterwards.
> Execution falls through to snd_usb_caiaq_control_init(cdev), which
> dereferences members of the just-freed card, resulting in a
> use-after-free.
> 
> setup_card() is void and init_card() still returns 0 on this path,
> so snd_probe() leaves the freed card pointer in the USB interface's
> private data via usb_set_intfdata(). When the device is later
> disconnected, snd_usb_caiaq_disconnect() calls
> snd_card_free_when_closed() on that same pointer, producing a
> double-free and slab corruption.
> 
> Add the missing return so a failed snd_card_register() cleanly
> aborts setup without touching freed memory.
> 
> The issue is reachable by any caiaq-compatible USB device whose
> descriptors cause snd_card_register() to fail. It was reproduced
> with raw-gadget + dummy_hcd on 7.0.0-rc5 (arm64, KASAN).
> 
> Fixes: 523f1dce7096 ("ALSA: snd-usb-caiaq: add support for NI Audio Kontrol 1")
> Cc: stable@vger.kernel.org
> Cc: Andrey Konovalov <andreyknvl@gmail.com>
> Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>

The code fix itself looks fine, but the Fixes tag above points to a
non-existing commit.  What tree are you using?


thanks,

Takashi


> ---
>  sound/usb/caiaq/device.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
> --- a/sound/usb/caiaq/device.c
> +++ b/sound/usb/caiaq/device.c
> @@ -369,6 +369,7 @@
>  	if (ret < 0) {
>  		dev_err(dev, "snd_card_register() returned %d\n", ret);
>  		snd_card_free(cdev->chip.card);
> +		return;
>  	}
> 
>  	ret = snd_usb_caiaq_control_init(cdev);

Re: [PATCH 2/2] ALSA: caiaq: take a reference on the USB device in create_card()

[Takashi Iwai]

On Fri, 10 Apr 2026 06:59:04 +0200,
Berk Cem Goksel wrote:
> 
> The caiaq driver stores a pointer to the parent USB device in
> cdev->chip.dev but never takes a reference on it. The card's
> private_free callback, snd_usb_caiaq_card_free(), can run
> asynchronously via snd_card_free_when_closed() after the USB
> device has already been disconnected and freed, so any access to
> cdev->chip.dev in that path dereferences a freed usb_device.
> 
> On top of the refcounting issue, the current card_free implementation
> calls usb_reset_device(cdev->chip.dev). A reset in a free callback
> is inappropriate: the device is going away, the call takes the
> device lock in a teardown context, and the reset races with the
> disconnect path that the callback is already cleaning up after.
> 
> Take a reference on the USB device in create_card() with
> usb_get_dev(), drop it with usb_put_dev() in the free callback,
> and remove the usb_reset_device() call.
> 
> Fixes: 523f1dce7096 ("ALSA: snd-usb-caiaq: add support for NI Audio Kontrol 1")
> Cc: stable@vger.kernel.org
> Cc: Andrey Konovalov <andreyknvl@gmail.com>
> Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
> ---
>  sound/usb/caiaq/device.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
> --- a/sound/usb/caiaq/device.c
> +++ b/sound/usb/caiaq/device.c
> @@ -385,7 +385,8 @@
>  	snd_usb_caiaq_input_free(cdev);
>  #endif
>  	snd_usb_caiaq_audio_free(cdev);
> -	usb_reset_device(cdev->chip.dev);
> +	if (cdev->chip.dev)
> +		usb_put_dev(cdev->chip.dev);

usb_put_dev() itself has a NULL check, so you can pass as is, too.
And, the Fixes tag is incorrect in this patch, too.


thanks,

Takashi

>  }
> 
>  static int create_card(struct usb_device *usb_dev,
> @@ -411,7 +412,7 @@
>  		return err;
> 
>  	cdev = caiaqdev(card);
> -	cdev->chip.dev = usb_dev;
> +	cdev->chip.dev = usb_get_dev(usb_dev);
>  	cdev->chip.card = card;
>  	cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
>  				  le16_to_cpu(usb_dev->descriptor.idProduct));