git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Berk Cem Goksel <berkcgoksel@gmail.com>
	Tue, 20 Jan 2026 10:28:55 +0000 (13:28 +0300)
committer	Takashi Iwai <tiwai@suse.de>
	Tue, 20 Jan 2026 11:43:55 +0000 (12:43 +0100)
commit	930e69757b74c3ae083b0c3c7419bfe7f0edc7b2
tree	8debe87936bdcdb791a3a80bf4696ae48e04f127	tree \| snapshot
parent	b48fe9af1e60360baf09ca6b7a3cd6541f16e611	commit \| diff

ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free()

When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees
mixer->id_elems but the controls already added to the card still
reference the freed memory. Later when snd_card_register() runs,
the OSS mixer layer calls their callbacks and hits a use-after-free read.

Call trace:
  get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411
  get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241
  mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381
  snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887
  ...
  snd_card_register+0x4ed/0x6d0 sound/core/init.c:923
  usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025

Fix by calling snd_ctl_remove() for all mixer controls before freeing
id_elems. We save the next pointer first because snd_ctl_remove()
frees the current element.

Fixes: 6639b6c2367f ("[ALSA] usb-audio - add mixer control notifications")
Cc: stable@vger.kernel.org
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Signed-off-by: Berk Cem Goksel <berkcgoksel@gmail.com>
Link: https://patch.msgid.link/20260120102855.7300-1-berkcgoksel@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>