diff options
| author | Michael Bommarito <michael.bommarito@gmail.com> | 2026-06-17 22:51:25 -0400 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2026-06-18 12:43:02 +0200 |
| commit | bdb640be82e645e2828731648f485224d0c2587b (patch) | |
| tree | 9874e9e9e37e8505788dc76d2d39ebd91b41a9d4 /mm/tests/git@git.tavy.me:linux.git | |
| parent | 4520fbbaedbeda8861f0f0bfbe50b3bca4deae08 (diff) | |
ALSA: usb-audio: qcom: reject stream disable with no active interface
handle_uaudio_stream_req() resolves an interface index with
info_idx_from_ifnum(), which returns -EINVAL when no interface matches.
The enable branch and the response: cleanup label both guard against a
negative index, but the disable branch does not: it forms
info = &uadev[pcm_card_num].info[info_idx] and dereferences it.
uadev[].info is a pointer allocated only when a stream is first enabled,
so a negative info_idx on the disable path is unsafe in two ways:
- If the card was never enabled, .info is NULL and &info[-EINVAL] is a
wild pointer; reading info->data_ep_pipe faults (kernel oops).
- If the card was enabled at least once (.info allocated) and the
disable names an interface that does not match, &info[-EINVAL] points
before the allocation; info->data_ep_pipe / info->sync_ep_pipe are an
out-of-bounds slab read and, when non-zero, an out-of-bounds 4-byte
write (both pipe fields are cleared to 0). That is memory corruption,
not just a NULL dereference.
The request is reachable from unprivileged local userspace over
AF_QIPCRTR. Reject a disable request with no resolved interface, matching
the guard the enable path already has.
Fixes: 326bbc348298a ("ALSA: usb-audio: qcom: Introduce QC USB SND offloading support")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260618025126.1862954-2-michael.bommarito@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'mm/tests/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions
