--- /dev/null
+From stable+bounces-73597-greg=kroah.com@vger.kernel.org Thu Sep 5 14:38:24 2024
+From: Hillf Danton <dan.carpenter@linaro.org>
+Date: Thu, 5 Sep 2024 15:38:13 +0300
+Subject: ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check
+To: Takashi Iwai <tiwai@suse.de>
+Cc: Jaroslav Kysela <perex@perex.cz>, Takashi Iwai <tiwai@suse.com>, Hillf Danton <hdanton@sina.com>, alsa-devel@alsa-project.org, stable@vger.kernel.org
+Message-ID: <d830ede4-1736-4548-94b3-51a21fa935c3@stanley.mountain>
+Content-Disposition: inline
+
+From: Hillf Danton <dan.carpenter@linaro.org>
+
+[ Upstream commit 5d78e1c2b7f4be00bbe62141603a631dc7812f35 ]
+
+syzbot found the following crash on:
+
+ general protection fault: 0000 [#1] SMP KASAN
+ RIP: 0010:snd_usb_pipe_sanity_check+0x80/0x130 sound/usb/helper.c:75
+ Call Trace:
+ snd_usb_motu_microbookii_communicate.constprop.0+0xa0/0x2fb sound/usb/quirks.c:1007
+ snd_usb_motu_microbookii_boot_quirk sound/usb/quirks.c:1051 [inline]
+ snd_usb_apply_boot_quirk.cold+0x163/0x370 sound/usb/quirks.c:1280
+ usb_audio_probe+0x2ec/0x2010 sound/usb/card.c:576
+ usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
+ really_probe+0x281/0x650 drivers/base/dd.c:548
+ ....
+
+It was introduced in commit 801ebf1043ae for checking pipe and endpoint
+types. It is fixed by adding a check of the ep pointer in question.
+
+BugLink: https://syzkaller.appspot.com/bug?extid=d59c4387bfb6eced94e2
+Reported-by: syzbot <syzbot+d59c4387bfb6eced94e2@syzkaller.appspotmail.com>
+Fixes: 801ebf1043ae ("ALSA: usb-audio: Sanity checks for each pipe and EP types")
+Cc: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/helper.c
++++ b/sound/usb/helper.c
+@@ -85,7 +85,7 @@ int snd_usb_pipe_sanity_check(struct usb
+ struct usb_host_endpoint *ep;
+
+ ep = usb_pipe_endpoint(dev, pipe);
+- if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
++ if (!ep || usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
+ return -EINVAL;
+ return 0;
+ }
--- /dev/null
+From stable+bounces-73596-greg=kroah.com@vger.kernel.org Thu Sep 5 14:38:22 2024
+From: Takashi Iwai <dan.carpenter@linaro.org>
+Date: Thu, 5 Sep 2024 15:38:07 +0300
+Subject: ALSA: usb-audio: Sanity checks for each pipe and EP types
+To: Jaroslav Kysela <perex@perex.cz>
+Cc: Takashi Iwai <tiwai@suse.com>, Hillf Danton <hdanton@sina.com>, alsa-devel@alsa-project.org, stable@vger.kernel.org
+Message-ID: <599b79d0-0c0f-425e-b2a2-1af9f81539b8@stanley.mountain>
+Content-Disposition: inline
+
+From: Takashi Iwai <dan.carpenter@linaro.org>
+
+[ Upstream commit 801ebf1043ae7b182588554cc9b9ad3c14bc2ab5 ]
+
+The recent USB core code performs sanity checks for the given pipe and
+EP types, and it can be hit by manipulated USB descriptors by syzbot.
+For making syzbot happier, this patch introduces a local helper for a
+sanity check in the driver side and calls it at each place before the
+message handling, so that we can avoid the WARNING splats.
+
+Reported-by: syzbot+d952e5e28f5fb7718d23@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/helper.c | 17 +++++++++++++++++
+ sound/usb/helper.h | 1 +
+ sound/usb/quirks.c | 14 +++++++++++---
+ 3 files changed, 29 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/helper.c
++++ b/sound/usb/helper.c
+@@ -76,6 +76,20 @@ void *snd_usb_find_csint_desc(void *buff
+ return NULL;
+ }
+
++/* check the validity of pipe and EP types */
++int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe)
++{
++ static const int pipetypes[4] = {
++ PIPE_CONTROL, PIPE_ISOCHRONOUS, PIPE_BULK, PIPE_INTERRUPT
++ };
++ struct usb_host_endpoint *ep;
++
++ ep = usb_pipe_endpoint(dev, pipe);
++ if (usb_pipetype(pipe) != pipetypes[usb_endpoint_type(&ep->desc)])
++ return -EINVAL;
++ return 0;
++}
++
+ /*
+ * Wrapper for usb_control_msg().
+ * Allocates a temp buffer to prevent dmaing from/to the stack.
+@@ -88,6 +102,9 @@ int snd_usb_ctl_msg(struct usb_device *d
+ void *buf = NULL;
+ int timeout;
+
++ if (snd_usb_pipe_sanity_check(dev, pipe))
++ return -EINVAL;
++
+ if (size > 0) {
+ buf = kmemdup(data, size, GFP_KERNEL);
+ if (!buf)
+--- a/sound/usb/helper.h
++++ b/sound/usb/helper.h
+@@ -7,6 +7,7 @@ unsigned int snd_usb_combine_bytes(unsig
+ void *snd_usb_find_desc(void *descstart, int desclen, void *after, u8 dtype);
+ void *snd_usb_find_csint_desc(void *descstart, int desclen, void *after, u8 dsubtype);
+
++int snd_usb_pipe_sanity_check(struct usb_device *dev, unsigned int pipe);
+ int snd_usb_ctl_msg(struct usb_device *dev, unsigned int pipe,
+ __u8 request, __u8 requesttype, __u16 value, __u16 index,
+ void *data, __u16 size);
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -743,11 +743,13 @@ static int snd_usb_novation_boot_quirk(s
+ static int snd_usb_accessmusic_boot_quirk(struct usb_device *dev)
+ {
+ int err, actual_length;
+-
+ /* "midi send" enable */
+ static const u8 seq[] = { 0x4e, 0x73, 0x52, 0x01 };
++ void *buf;
+
+- void *buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
++ if (snd_usb_pipe_sanity_check(dev, usb_sndintpipe(dev, 0x05)))
++ return -EINVAL;
++ buf = kmemdup(seq, ARRAY_SIZE(seq), GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+ err = usb_interrupt_msg(dev, usb_sndintpipe(dev, 0x05), buf,
+@@ -772,7 +774,11 @@ static int snd_usb_accessmusic_boot_quir
+
+ static int snd_usb_nativeinstruments_boot_quirk(struct usb_device *dev)
+ {
+- int ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
++ int ret;
++
++ if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
++ return -EINVAL;
++ ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+ 0xaf, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 1, 0, NULL, 0, 1000);
+
+@@ -879,6 +885,8 @@ static int snd_usb_axefx3_boot_quirk(str
+
+ dev_dbg(&dev->dev, "Waiting for Axe-Fx III to boot up...\n");
+
++ if (snd_usb_pipe_sanity_check(dev, usb_sndctrlpipe(dev, 0)))
++ return -EINVAL;
+ /* If the Axe-Fx III has not fully booted, it will timeout when trying
+ * to enable the audio streaming interface. A more generous timeout is
+ * used here to detect when the Axe-Fx III has finished booting as the
projects / thirdparty / kernel / stable-queue.git / commitdiff
