From: Haein Lee
To: Takashi Iwai, perex@perex.cz
Cc: linux-kernel@vger.kernel.org, linux-sound@vger.kernel.org
Subject: [PATCH v3] ALSA: usb-audio: Fix NULL pointer dereference in snd_usb_mixer_controls_badd
Date: Wed, 12 Nov 2025 00:37:54 +0900 (KST)

In snd_usb_create_streams(), for UAC version 3 devices, the Interface Association Descriptor (IAD) is retrieved via usb_ifnum_to_if(). If this call fails, a fallback routine attempts to obtain the IAD from the next interface and sets a BADD profile. However, snd_usb_mixer_controls_badd() assumes that the IAD retrieved from usb_ifnum_to_if() is always valid, without performing a NULL check. This can lead to a NULL pointer dereference when usb_ifnum_to_if() fails to find the interface descriptor.

This patch adds a NULL pointer check after calling usb_ifnum_to_if() in snd_usb_mixer_controls_badd() to prevent the dereference.

This issue was discovered by syzkaller, which triggered the bug by sending a crafted USB device descriptor.

Signed-off-by: Haein Lee
--- sound/usb/mixer.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c index 6f00e0d52382..72b900505d2c 100644 --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c 
@@ -3086,6 +3086,8 @@ static int snd_usb_mixer_controls_badd(struct usb_mix= er_interface *mixer, int i; =20 assoc =3D usb_ifnum_to_if(dev, ctrlif)->intf_assoc; + if (!assoc) + return -EINVAL; =20 /* Detect BADD capture/playback channels from AS EP descriptors */ for (i =3D 0; i < assoc->bInterfaceCount; i++) { --=20 2.34.1
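
Review bot: The added `if (!assoc)` test comes one step too late for the failure the commit message describes: in `usb_ifnum_to_if(dev, ctrlif)->intf_assoc` the return value of usb_ifnum_to_if() is dereferenced before anything is checked, so a NULL return from that call still faults, and the new check only covers an interface whose intf_assoc member is NULL. If a NULL interface is reachable here, store the result of usb_ifnum_to_if() in a local, return -EINVAL when it is NULL, and only then read intf_assoc. If it is not reachable, reword the commit message to say that intf_assoc, rather than the usb_ifnum_to_if() result, can be NULL. A one-line comment above the check stating which case it guards would also help later readers.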