tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

ALSA: usb-audio: us144mkii: Fix null-deref in tascam_midi_in_urb_complete()

The smatch tool reported a potential null pointer dereference in
tascam_midi_in_urb_complete(). The 'tascam' variable, derived from
'urb->context', was checked for nullity in one place, but dereferenced
without a check in several other places.

This patch fixes the issue by adding a null check at the beginning of
the function. If 'tascam' is null, the function now safely exits.
This prevents any potential crashes from null pointer dereferences.

It also fixes a latent bug where 'usb_put_urb()' could
be called twice for the same URB on submission failure, which would
lead to a use-after-free error.

Fixes: 67afec157fe6 ("ALSA: usb-audio: us144mkii: Add MIDI support and mixer controls")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202508192109.lcMrINK1-lkp@intel.com/
Signed-off-by: Šerif Rami <ramiserifpersia@gmail.com>
Link: https://patch.msgid.link/20250819185133.10464-1-ramiserifpersia@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>

authored by

Šerif Rami and committed by
Takashi Iwai 0c5e2ae2 d9f06338

+6 -2
+6 -2
sound/usb/usx2y/us144mkii_midi.c
··· 41 41 struct tascam_card *tascam = urb->context; 42 42 int ret; 43 43 44 + if (!tascam) 45 + goto out; 46 + 44 47 if (urb->status) { 45 48 if (urb->status != -ENOENT && urb->status != -ECONNRESET && 46 49 urb->status != -ESHUTDOWN && urb->status != -EPROTO) { ··· 54 51 goto out; 55 52 } 56 53 57 - if (tascam && atomic_read(&tascam->midi_in_active) && 54 + if (atomic_read(&tascam->midi_in_active) && 58 55 urb->actual_length > 0) { 59 56 kfifo_in_spinlocked(&tascam->midi_in_fifo, urb->transfer_buffer, 60 57 urb->actual_length, &tascam->midi_in_lock); ··· 68 65 dev_err(tascam->card->dev, 69 66 "Failed to resubmit MIDI IN URB: error %d\n", ret); 70 67 usb_unanchor_urb(urb); 71 - usb_put_urb(urb); 68 + goto out; 72 69 } 70 + 73 71 out: 74 72 usb_put_urb(urb); 75 73 }