1. Patchew
  2. linux
  3. View series

[PATCH] ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES

Cássio Gabriel posted 1 patch 2 months ago 
sound/usb/format.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
Posted by Cássio Gabriel 2 months ago 
parse_uac2_sample_rate_range() caps the number of enumerated
rates at MAX_NR_RATES, but it only breaks out of the current
rate loop. A malformed UAC2 RANGE response with additional
triplets continues parsing the remaining triplets and repeatedly
prints "invalid uac2 rates" while probe still holds
register_mutex.

Stop the whole parse once the cap is reached and return the
number of rates collected so far.

Fixes: 4fa0e81b8350 ("ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()")
Cc: stable@vger.kernel.org
Reported-by: syzbot+d56178c27a4710960820@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d56178c27a4710960820
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
 sound/usb/format.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/format.c b/sound/usb/format.c
index 030b4307927a..4830f9f93ad7 100644
--- a/sound/usb/format.c
+++ b/sound/usb/format.c
@@ -470,7 +470,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip,
 			nr_rates++;
 			if (nr_rates >= MAX_NR_RATES) {
 				usb_audio_err(chip, "invalid uac2 rates\n");
-				break;
+				return nr_rates;
 			}
 
 skip_rate:

---
base-commit: 894f1f133f8ee078d25813ebe10c8c3f396a57c8
change-id: 20260415-usb-audio-uac2-rate-cap-38396ea54348

Best regards,
--  
Cássio Gabriel <cassiogabrielcontato@gmail.com>
Re: [PATCH] ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES
Posted by Takashi Iwai 2 months ago 
On Wed, 15 Apr 2026 17:04:53 +0200,
Cássio Gabriel wrote:
> 
> parse_uac2_sample_rate_range() caps the number of enumerated
> rates at MAX_NR_RATES, but it only breaks out of the current
> rate loop. A malformed UAC2 RANGE response with additional
> triplets continues parsing the remaining triplets and repeatedly
> prints "invalid uac2 rates" while probe still holds
> register_mutex.
> 
> Stop the whole parse once the cap is reached and return the
> number of rates collected so far.
> 
> Fixes: 4fa0e81b8350 ("ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()")
> Cc: stable@vger.kernel.org
> Reported-by: syzbot+d56178c27a4710960820@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d56178c27a4710960820
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>

Thanks, applied now.


Takashi

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.