[Linux Kernel Bug] general protection fault in snd_fcp_init

From: Jiaming Zhang

Date: Thu Jun 25 2026 - 06:25:38 EST


Dear Linux kernel developers and maintainers,

We are writing to report a general protection fault discovered in the
sound subsystem with our modified syzkaller. The issue is reproducible
on the latest version of Linux (v7.1, commit
8cd9520d35a6c38db6567e97dd93b1f11f185dc6). Below is the KASAN report:

---
input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1
input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input3
faux_driver regulatory: Direct firmware load for regulatory.db failed with error -2
faux_driver regulatory: Falling back to sysfs fallback for: regulatory.db
cfg80211: failed to load regulatory.db
usb 1-1: Using ep0 maxpacket: 32
usb 1-1: unable to get BOS descriptor or descriptor too short
usb 1-1: config 1 has an invalid descriptor of length 0, skipping remainder of the config
usb 1-1: config 1 has 2 interfaces, different from the descriptor's value: 3
usb 1-1: New USB device found, idVendor=1235, idProduct=821d, bcdDevice= 0.40
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 UID: 0 PID: 801 Comm: kworker/0:2 Not tainted 7.1.0 #14 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_endpoint_num include/uapi/linux/usb/ch9.h:483 [inline]
RIP: 0010:fcp_find_fc_interface sound/usb/fcp.c:1089 [inline]
RIP: 0010:snd_fcp_init+0x42a/0x920 sound/usb/fcp.c:1112
Code: 9a 88 01 00 00 48 89 d8 48 c1 e8 03 42 0f b6 04 38 84 c0 4d 89
fc 0f 85 bc 03 00 00 44 88 33 49 8d 5d 02 48 89 d8 48 c1 e8 03 <42> 0f
b6 04 20 84 c0 0f 85 c0 03 00 00 44 0f b6 33 41 80 e6 0f 48
RSP: 0018:ffffc9000441e760 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff888026b71c00 RSI: 00000000000000ff RDI: ffff888041f68b20
RBP: ffffc9000441e850 R08: 0000000000000003 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed1004d6e38b R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff888098af7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055efe3be0ff0 CR3: 000000004b5a7000 CR4: 0000000000752ef0
PKRU: 55555554
Call Trace:
<TASK>
snd_usb_mixer_apply_create_quirk+0x1579/0x1a70 sound/usb/mixer_quirks.c:4454
snd_usb_create_mixer+0x1ae6/0x27c0 sound/usb/mixer.c:3802
usb_audio_probe+0x1892/0x2310 sound/usb/card.c:1035
usb_probe_interface+0x659/0xc80 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xb10 drivers/base/dd.c:709
__driver_probe_device+0x1f7/0x420 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:500
__device_attach+0x2b7/0x430 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_set_configuration+0x1a5c/0x20f0 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3c0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xb10 drivers/base/dd.c:709
__driver_probe_device+0x1f7/0x420 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:500
__device_attach+0x2b7/0x430 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_new_device+0xb9d/0x1a30 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2885/0x4cf0 drivers/usb/core/hub.c:5953
process_one_work kernel/workqueue.c:3314 [inline]
process_scheduled_works+0xb4b/0x1840 kernel/workqueue.c:3397
worker_thread+0x8a3/0xda0 kernel/workqueue.c:3478
kthread+0x38a/0x480 kernel/kthread.c:436
ret_from_fork+0x509/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 0000000000000000 ]---
RIP: 0010:usb_endpoint_num include/uapi/linux/usb/ch9.h:483 [inline]
RIP: 0010:fcp_find_fc_interface sound/usb/fcp.c:1089 [inline]
RIP: 0010:snd_fcp_init+0x42a/0x920 sound/usb/fcp.c:1112
Code: 9a 88 01 00 00 48 89 d8 48 c1 e8 03 42 0f b6 04 38 84 c0 4d 89
fc 0f 85 bc 03 00 00 44 88 33 49 8d 5d 02 48 89 d8 48 c1 e8 03 <42> 0f
b6 04 20 84 c0 0f 85 c0 03 00 00 44 0f b6 33 41 80 e6 0f 48
RSP: 0018:ffffc9000441e760 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff888026b71c00 RSI: 00000000000000ff RDI: ffff888041f68b20
RBP: ffffc9000441e850 R08: 0000000000000003 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed1004d6e38b R12: dffffc0000000000
R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff888098af7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005645e3e76808 CR3: 000000000e14a000 CR4: 0000000000752ef0
PKRU: 55555554
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 88 01 mov %al,(%rcx)
2: 00 00 add %al,(%rax)
4: 48 89 d8 mov %rbx,%rax
7: 48 c1 e8 03 shr $0x3,%rax
b: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax
10: 84 c0 test %al,%al
12: 4d 89 fc mov %r15,%r12
15: 0f 85 bc 03 00 00 jne 0x3d7
1b: 44 88 33 mov %r14b,(%rbx)
1e: 49 8d 5d 02 lea 0x2(%r13),%rbx
22: 48 89 d8 mov %rbx,%rax
25: 48 c1 e8 03 shr $0x3,%rax
* 29: 42 0f b6 04 20 movzbl (%rax,%r12,1),%eax <-- trapping instruction
2e: 84 c0 test %al,%al
30: 0f 85 c0 03 00 00 jne 0x3f6
36: 44 0f b6 33 movzbl (%rbx),%r14d
3a: 41 80 e6 0f and $0xf,%r14b
3e: 48 rex.W
---

The root cause is that a malicious USB device provides a
vendor-specific interface with no endpoint descriptors. During USB
descriptor parsing, no endpoint array is allocated for that alternate
setting, so altsetting->endpoint remains NULL. fcp_find_fc_interface()
does not check bNumEndpoints before calling get_endpoint(..., 0), and
the resulting endpoint descriptor pointer is later dereferenced by
usb_endpoint_num(), leading to a NULL pointer dereference.

A potential fix is as follows:

```
diff --git a/sound/usb/fcp.c b/sound/usb/fcp.c
index 0fc4d063c48a..c45dbe4d4532 100644
--- a/sound/usb/fcp.c
+++ b/sound/usb/fcp.c
@@ -1083,6 +1083,8 @@ static int fcp_find_fc_interface(struct
usb_mixer_interface *mixer)

if (desc->bInterfaceClass != 255)
continue;
+ if (desc->bNumEndpoints < 1)
+ continue;

epd = get_endpoint(intf->altsetting, 0);
private->bInterfaceNumber = desc->bInterfaceNumber;
```
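Review bot: the new `bNumEndpoints < 1` guard addresses the NULL endpoint-array access described above and is placed correctly before `get_endpoint(intf->altsetting, 0)`; since `bNumEndpoints` is an unsigned byte, `desc->bNumEndpoints == 0` states the intent more directly than `< 1`. The formal patch should also carry a `Fixes:` tag for the commit that introduced this lookup (not identified in the report) and a Cc: to stable, because the fault is reachable from the hub workqueue (`hub_event`) by a crafted device without any local privilege.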

On my machine, the reproducer no longer triggers the issue with the
above patch. If this solution is acceptable, we are happy to submit a
formal patch.
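As an added user-space illustration (not code from this report or from sound/usb/fcp.c), the following models the patched lookup over constructed altsettings; the trimmed struct names and the NULL endpoint array for a zero-endpoint altsetting are assumptions of the model that mirror the behaviour the report describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the kernel structures involved (assumed field names follow
 * struct usb_interface_descriptor / usb_host_interface, trimmed to what is used). */
struct iface_desc { uint8_t bInterfaceNumber, bNumEndpoints, bInterfaceClass; };
struct ep_desc    { uint8_t bEndpointAddress; };
struct altsetting {
    struct iface_desc desc;
    struct ep_desc *endpoint;   /* left NULL when bNumEndpoints == 0, as the report describes */
};

#define USB_CLASS_VENDOR_SPEC 255
#define USB_ENDPOINT_NUMBER_MASK 0x0f

/* Model of the patched lookup: find the first vendor-specific interface that
 * declares at least one endpoint, store its interface number in *ifnum and return
 * the number of its endpoint 0; -1 when none qualifies (no NULL dereference). */
int fcp_find_fc_interface_model(const struct altsetting *alts, size_t n, int *ifnum)
{
    for (size_t i = 0; i < n; i++) {
        const struct iface_desc *desc = &alts[i].desc;
        if (desc->bInterfaceClass != USB_CLASS_VENDOR_SPEC)
            continue;
        /* The guard added by the fix: an altsetting with no endpoints never had
         * an endpoint array allocated, so endpoint[0] must not be touched. */
        if (desc->bNumEndpoints < 1)
            continue;
        const struct ep_desc *epd = &alts[i].endpoint[0];        /* get_endpoint(alts, 0) */
        *ifnum = desc->bInterfaceNumber;
        return epd->bEndpointAddress & USB_ENDPOINT_NUMBER_MASK; /* usb_endpoint_num() */
    }
    return -1;
}

int main(void)
{
    /* Constructed sample mirroring the report: interface 0 is vendor-specific but
     * declares no endpoints (endpoint array NULL); interface 1 is well formed. */
    struct ep_desc ep_in = { 0x81 };
    struct altsetting alts[] = {
        { { 0, 0, USB_CLASS_VENDOR_SPEC }, NULL },
        { { 1, 1, USB_CLASS_VENDOR_SPEC }, &ep_in },
    };
    int ifnum = -1;
    int epnum = fcp_find_fc_interface_model(alts, 2, &ifnum);
    printf("interface %d, endpoint %d\n", ifnum, epnum);   /* interface 1, endpoint 1 */
    return epnum < 0;
}
```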

The kernel console output, kernel config, syzkaller reproducer, and C
reproducer are also available on Google Drive:
https://drive.google.com/drive/folders/1hE9rfMe-sNFwcrt_tPLiwzpYD1iJ7Hma?usp=sharing

Please let me know if any further information is required.

Best Regards,
Jiaming Zhang