Message-ID: <87ecpmp69f.wl-tiwai@suse.de>
Date: Tue, 25 Nov 2025 14:54:20 +0100
From: Takashi Iwai <tiwai@...e.de>
To: Pavel Machek <pavel@...x.de>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
tiwai@...e.de,
stable@...r.kernel.org,
patches@...ts.linux.dev,
linux-kernel@...r.kernel.org,
torvalds@...ux-foundation.org,
akpm@...ux-foundation.org,
linux@...ck-us.net,
shuah@...nel.org,
patches@...nelci.org,
lkft-triage@...ts.linaro.org,
jonathanh@...dia.com,
f.fainelli@...il.com,
sudipm.mukherjee@...il.com,
rwarsow@....de,
conor@...nel.org,
hargar@...rosoft.com,
broonie@...nel.org,
achill@...ill.org,
sr@...dewatkins.com
Subject: Re: [PATCH 6.12 000/185] 6.12.59-rc1 review
On Tue, 25 Nov 2025 14:20:31 +0100,
Pavel Machek wrote:
>
> On Fri 2025-11-21 14:10:27, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 6.12.59 release.
> > There are 185 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
>
>
> > Takashi Iwai <tiwai@...e.de>
> > ALSA: usb-audio: Fix potential overflow of PCM transfer buffer
>
> This one is wrong for at least 6.12 and older.
>
> + if (ep->packsize[1] > ep->maxpacksize) {
> + usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n",
> + ep->maxpacksize, ep->cur_rate, ep->pps);
> + return -EINVAL;
> + }
>
> Needs to be err = -EINVAL; goto unlock;.
>
> (Or cherry pick guard() handling from newer kernels).
Thanks Pavel, a good catch!

A cherry-pick of the commit efea7a57370b for converting to guard()
doesn't seem to be cleanly applicable on 6.12.y, unfortunately.
So I guess it'd be easier to have a correction on the top instead,
something like below.

Takashi
-- 8< --
From: Takashi Iwai <tiwai@...e.de>
Subject: [PATCH v6.12.y] ALSA: usb-audio: Fix missing unlock at error path of
maxpacksize check
The recent backport of the upstream commit 05a1fc5efdd8 ("ALSA:
usb-audio: Fix potential overflow of PCM transfer buffer") on the
older stable kernels like 6.12.y was broken since it doesn't consider
the mutex unlock, where the upstream code manages with guard().
In the older code, we still need an explicit unlock.

This is a fix that corrects the error path, applied only on old stable
trees.

Reported-by: Pavel Machek <pavel@...x.de>
Closes: https://lore.kernel.org/aSWtH0AZH5+aeb+a@duo.ucw.cz
Fixes: 98e9d5e33bda ("ALSA: usb-audio: Fix potential overflow of PCM transfer buffer")
Signed-off-by: Takashi Iwai <tiwai@...e.de>
---
sound/usb/endpoint.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
index 7238f65cbcff..aa201e4744bf 100644
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -1389,7 +1389,8 @@ int snd_usb_endpoint_set_params(struct snd_usb_audio *chip,
if (ep->packsize[1] > ep->maxpacksize) {
usb_audio_dbg(chip, "Too small maxpacksize %u for rate %u / pps %u\n",
ep->maxpacksize, ep->cur_rate, ep->pps);
- return -EINVAL;
+ err = -EINVAL;
+ goto unlock;
}
/* calculate the frequency in 16.16 format */
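Review bot: In the `if (ep->packsize[1] > ep->maxpacksize)` branch, the new `goto unlock` depends on an `unlock` label that lies outside this hunk's context, so the hunk alone does not show that the label releases the mutex and returns `err` rather than a fixed value. Please confirm against the 6.12.y tree that -EINVAL still reaches the caller through that label. Since the commit message says the correction applies to old stable trees, every other stable branch that took the backport should also be checked for the same bare `return -EINVAL;` in this branch.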
--
2.52.0
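The error-path difference discussed in this message, as an added userspace illustration that is not part of the patch or of the kernel source. `toy_mutex`, `toy_ep`, the `set_params_*` functions, `held_after` and the sizes 200/64 are hypothetical stand-ins, and the compiler's `__attribute__((cleanup))` is used here in place of the kernel's guard().

```c
#include <errno.h>
/* Toy lock (a counter, so a leak is observable) and a hypothetical endpoint. */
struct toy_mutex { int held; };
static void toy_lock(struct toy_mutex *m)   { m->held++; }
static void toy_unlock(struct toy_mutex *m) { m->held--; }
struct toy_ep { struct toy_mutex mutex; unsigned int packsize, maxpacksize; };

/* Shape of the broken backport: early return with the lock still held. */
int set_params_broken(struct toy_ep *ep)
{
    toy_lock(&ep->mutex);
    if (ep->packsize > ep->maxpacksize)
        return -EINVAL;                 /* lock is never released */
    toy_unlock(&ep->mutex);
    return 0;
}

/* Shape of the correction: the error exit goes through the unlock label. */
int set_params_goto(struct toy_ep *ep)
{
    int err = 0;
    toy_lock(&ep->mutex);
    if (ep->packsize > ep->maxpacksize) {
        err = -EINVAL;
        goto unlock;
    }
unlock:
    toy_unlock(&ep->mutex);
    return err;
}

/* Scope-based release in the style of guard(): runs on every return. */
static void toy_release(struct toy_mutex **m) { toy_unlock(*m); }
int set_params_guard(struct toy_ep *ep)
{
    struct toy_mutex *g __attribute__((cleanup(toy_release))) = &ep->mutex;
    toy_lock(g);
    return ep->packsize > ep->maxpacksize ? -EINVAL : 0;
}

/* Number of locks still held after one call with the given constructed sizes. */
int held_after(int (*fn)(struct toy_ep *), unsigned int ps, unsigned int max)
{
    struct toy_ep ep = { { 0 }, ps, max };
    fn(&ep);
    return ep.mutex.held;
}

int main(void) { return held_after(set_params_goto, 200, 64); }
```

With a real mutex, the count of 1 left by the broken variant means the next caller that takes the same lock blocks indefinitely.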