[ Sasha's backport helper bot ]
Hi,
Found matching upstream commit: b909df18ce2a998afef81d58bbd1a05dc0788c40
Status in newer kernel trees: 6.12.y | Not found 6.11.y | Not found 6.6.y | Not found
Note: The patch differs from the upstream commit: --- 1: b909df18ce2a9 ! 1: 1b0dc2e079fb8 ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices @@ Commit message This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration.
- Signed-off-by: Benoît Sevens bsevens@google.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@kernel.org Link: https://patch.msgid.link/20241120124144.3814457-1-bsevens@google.com Signed-off-by: Takashi Iwai tiwai@suse.de + (cherry picked from commit b909df18ce2a998afef81d58bbd1a05dc0788c40) + Signed-off-by: Benoît Sevens bsevens@google.com
## sound/usb/quirks.c ## @@ sound/usb/quirks.c: int snd_usb_create_quirk(struct snd_usb_audio *chip, @@ sound/usb/quirks.c: static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
err = usb_reset_configuration(dev); if (err < 0) -@@ sound/usb/quirks.c: static void mbox3_setup_defaults(struct usb_device *dev) +@@ sound/usb/quirks.c: static void mbox3_setup_48_24_magic(struct usb_device *dev) static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) { struct usb_host_config *config = dev->actconfig; @@ sound/usb/quirks.c: static void mbox3_setup_defaults(struct usb_device *dev) int descriptor_size;
@@ sound/usb/quirks.c: static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) - dev_dbg(&dev->dev, "MBOX3: device initialised!\n"); + dev_dbg(&dev->dev, "device initialised!\n");
err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, - &dev->descriptor, sizeof(dev->descriptor)); - config = dev->actconfig; + &new_device_descriptor, sizeof(new_device_descriptor)); if (err < 0) - dev_dbg(&dev->dev, "MBOX3: error usb_get_descriptor: %d\n", err); + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); + if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) -+ dev_dbg(&dev->dev, "MBOX3: error too large bNumConfigurations: %d\n", ++ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", + new_device_descriptor.bNumConfigurations); + else + memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.6.y | Success | Success |