[PATCH] ALSA: FCP: Fix NULL pointer dereference in interface lookup

Next message: David Hildenbrand (Arm): "Re: [PATCH] mm/page_vma_mapped: guard check_pmd() with CONFIG_TRANSPARENT_HUGEPAGE"
Previous message: Eugenio Perez Martin: "Re: [PATCH] vhost/net: fix clear_user start address in VHOST_GET_FEATURES_ARRAY"
In reply to: Takashi Iwai: "Re: [Linux Kernel Bug] general protection fault in snd_fcp_init"
Next in thread: Takashi Iwai: "Re: [PATCH] ALSA: FCP: Fix NULL pointer dereference in interface lookup"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiaming Zhang

Date: Thu Jun 25 2026 - 09:50:03 EST

A malformed USB device can provide a vendor-specific interface without
any endpoint descriptors. fcp_find_fc_interface() currently selects the
first vendor-specific interface and reads endpoint 0 from it, without
checking whether the interface actually has any endpoints.

When bNumEndpoints is zero, no endpoint array is allocated for the parsed
alternate setting, so get_endpoint(..., 0) yields an invalid endpoint
descriptor pointer. Dereferencing it through usb_endpoint_num() then
triggers a NULL pointer dereference.

Skip vendor-specific interfaces that do not have any endpoints.

Fixes: 46757a3e7d50 ("ALSA: FCP: Add Focusrite Control Protocol driver")
Reported-by: Jiaming Zhang <r772577952@xxxxxxxxx>
Closes: https://lore.kernel.org/lkml/CANypQFb1EHj0xX8bA1WxSOSK-5xca6ZNKzOQcp12=s=puY7VFw@xxxxxxxxxxxxxx/
Signed-off-by: Jiaming Zhang <r772577952@xxxxxxxxx>
---
sound/usb/fcp.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/sound/usb/fcp.c b/sound/usb/fcp.c
index ea746bdb36ff..6f5dcd35e1d4 100644
--- a/sound/usb/fcp.c
+++ b/sound/usb/fcp.c
@@ -1083,6 +1083,8 @@ static int fcp_find_fc_interface(struct usb_mixer_interface *mixer)

if (desc->bInterfaceClass != 255)
continue;
+ if (desc->bNumEndpoints < 1)
+ continue;

epd = get_endpoint(intf->altsetting, 0);
private->bInterfaceNumber = desc->bInterfaceNumber;

base-commit: ab9de95c9cf952332ab79453b4b5d1bfca8e514f
--
2.43.0