Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
From: Takashi Iwai
Date: Sat Sep 27 2025 - 06:29:19 EST
On Sat, 27 Sep 2025 12:03:03 +0200,
syzbot wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete
OK, so another fix is needed in addition.
Let's try the below.
#syz test upstream master
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -240,6 +240,9 @@ static void snd_usbmidi_in_urb_complete(struct urb *urb)
{
struct snd_usb_midi_in_endpoint *ep = urb->context;
+ if (ep->umidi->disconnected)
+ return;
+
if (urb->status == 0) {
dump_urb("received", urb->transfer_buffer, urb->actual_length);
ep->umidi->usb_protocol_ops->input(ep, urb->transfer_buffer,
@@ -275,6 +278,10 @@ static void snd_usbmidi_out_urb_complete(struct urb *urb)
wake_up(&ep->drain_wait);
}
spin_unlock_irqrestore(&ep->buffer_lock, flags);
+
+ if (ep->umidi->disconnected)
+ return;
+
if (urb->status < 0) {
int err = snd_usbmidi_urb_error(urb);
if (err < 0) {
@@ -1522,6 +1529,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
{
int i;
+ timer_shutdown_sync(&umidi->error_timer);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
if (ep->out)
@@ -1530,7 +1539,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
snd_usbmidi_in_endpoint_delete(ep->in);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}