ALSA: usb-audio: Fix NULL pointer deference in try_to_register_card

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

In try_to_register_card(), the return value of usb_ifnum_to_if() is
passed directly to usb_interface_claimed() without a NULL check, which
will lead to a NULL pointer dereference when creating an invalid
USB audio device. Fix this by adding a check to ensure the interface
pointer is valid before passing it to usb_interface_claimed().

Fixes: 39efc9c8a973 ("ALSA: usb-audio: Fix last interface check for registration")
Closes: https://lore.kernel.org/all/CANypQFYtQxHL5ghREs-BujZG413RPJGnO5TH=xjFBKpPts33tA@mail.gmail.com/
Signed-off-by: Jiaming Zhang <r772577952@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

authored by

Jiaming Zhang and committed by

Takashi Iwai 5 months ago 28412b48 d41f68df

+8 -2

1 changed file

expand all

sound

usb

card.c

+8 -2

sound/usb/card.c

··· 891 891 */ 892 892 static int try_to_register_card(struct snd_usb_audio *chip, int ifnum) 893 893 { 894 + struct usb_interface *iface; 895 + 894 896 if (check_delayed_register_option(chip) == ifnum || 895 - chip->last_iface == ifnum || 896 - usb_interface_claimed(usb_ifnum_to_if(chip->dev, chip->last_iface))) 897 + chip->last_iface == ifnum) 897 898 return snd_card_register(chip->card); 899 + 900 + iface = usb_ifnum_to_if(chip->dev, chip->last_iface); 901 + if (iface && usb_interface_claimed(iface)) 902 + return snd_card_register(chip->card); 903 + 898 904 return 0; 899 905 } 900 906