[lvc-project] [PATCH 5.10.y] ALSA: usb-audio: fix null pointer dereference on pointer cs_desc

Vasiliy Kovalev kovalev at altlinux.org
Tue Apr 21 16:20:47 MSK 2026


From: Chengfeng Ye <cyeaa at connect.ust.hk>

commit b97053df0f04747c3c1e021ecbe99db675342954 upstream.

The pointer cs_desc returned from snd_usb_find_clock_source could
be null, so there is a potential null pointer dereference issue.
Fix this by adding a null check before dereference.

Signed-off-by: Chengfeng Ye <cyeaa at connect.ust.hk>
Link: https://lore.kernel.org/r/20211024111736.11342-1-cyeaa@connect.ust.hk
Signed-off-by: Takashi Iwai <tiwai at suse.de>
Fixes: 1dc669fed61a ("ALSA: usb-audio: UAC2: support read-only freq control")
[ kovalev: bp to fix CVE-2021-47211; added Fixes tag; the null
  check was added into both UAC2 and UAC3 branches since the
  older kernel still has the clock source lookup split between
  snd_usb_find_clock_source() and snd_usb_find_clock_source_v3()
  (see upstream commit 9ec730052fa2) ]
Signed-off-by: Vasiliy Kovalev <kovalev at altlinux.org>
---
 sound/usb/clock.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 197a6b7d8ad6..3d5d4f3aafce 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -646,11 +646,17 @@ static int set_sample_rate_v2v3(struct snd_usb_audio *chip, int iface,
 		struct uac3_clock_source_descriptor *cs_desc;
 
 		cs_desc = snd_usb_find_clock_source_v3(chip->ctrl_intf, clock);
+
+		if (!cs_desc)
+			return 0;
 		bmControls = le32_to_cpu(cs_desc->bmControls);
 	} else {
 		struct uac_clock_source_descriptor *cs_desc;
 
 		cs_desc = snd_usb_find_clock_source(chip->ctrl_intf, clock);
+
+		if (!cs_desc)
+			return 0;
 		bmControls = cs_desc->bmControls;
 	}
 
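Review bot: Both new checks bail out with "return 0" when the clock source lookup yields NULL, so in the UAC3 branch and in the UAC2 branch a missing descriptor is reported to the caller of set_sample_rate_v2v3() exactly like a successful run. If that is intentional, a one-line comment above each "if (!cs_desc)" saying why a missing clock source descriptor is not an error would help; otherwise a negative errno would let the caller tell the two cases apart. Since this is a backport, any such change should be weighed against staying close to the upstream commit. Style point: the added blank line between the "cs_desc = ..." assignment and "if (!cs_desc)" separates the check from the value it tests; placing the check directly after the assignment reads better.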
-- 
2.50.1



