handle_uaudio_stream_req() resolves an interface index with
info_idx_from_ifnum(), which returns -EINVAL when no interface matches.
The enable branch and the response: cleanup label both guard against a
negative index, but the disable branch does not: it forms
info = &uadev[pcm_card_num].info[info_idx] and dereferences it.
uadev[].info is a pointer allocated only when a stream is first enabled,
so a negative info_idx on the disable path is unsafe in two ways:
- If the card was never enabled, .info is NULL and &info[-EINVAL] is a
wild pointer; reading info->data_ep_pipe faults (kernel oops).
- If the card was enabled at least once (.info allocated) and the
disable names an interface that does not match, &info[-EINVAL] points
before the allocation; info->data_ep_pipe / info->sync_ep_pipe are an
out-of-bounds slab read and, when non-zero, an out-of-bounds 4-byte
write (both pipe fields are cleared to 0). That is memory corruption,
not just a NULL dereference.
The request is reachable from unprivileged local userspace over
AF_QIPCRTR. Reject a disable request with no resolved interface, matching
the guard the enable path already has.
Fixes: 326bbc348298a ("ALSA: usb-audio: qcom: Introduce QC USB SND offloading support")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@gmail.com>
Link: https://patch.msgid.link/20260618025126.1862954-2-michael.bommarito@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
projects / thirdparty / kernel / linux.git / commitdiff
