sound: usb: increase snd_card alloc size

Message ID 20230922005152.163640-1-ricardo@marliere.net (mailing list archive)
State New, archived

Commit Message

Ricardo B. Marliere Sept. 22, 2023, 12:51 a.m. UTC
Syzbot reports a slab-out-of-bounds read of a snd_card object. When
snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the
extra_size argument, which is not enough in this case.

Relevant logs below:

BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
(...)
The buggy address belongs to the object at ffff8880436a2000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1 bytes to the right of
 allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)

Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
---
 sound/usb/card.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Takashi Iwai Sept. 22, 2023, 8:46 a.m. UTC | #1
On Fri, 22 Sep 2023 02:51:53 +0200,
Ricardo B. Marliere wrote:
> 
> Syzbot reports a slab-out-of-bounds read of a snd_card object. When
> snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the
> extra_size argument, which is not enough in this case.
> 
> Relevant logs below:
> 
> BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
> Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
> (...)
> The buggy address belongs to the object at ffff8880436a2000
>  which belongs to the cache kmalloc-4k of size 4096
> The buggy address is located 1 bytes to the right of
>  allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)
> 
> Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
> Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
> ---
>  sound/usb/card.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/usb/card.c b/sound/usb/card.c
> index 1b2edc0fd2e9..6578326d33e8 100644
> --- a/sound/usb/card.c
> +++ b/sound/usb/card.c
> @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf,
>  	}
>  
>  	err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
> -			   sizeof(*chip), &card);
> +			   sizeof(*chip) + 2, &card);
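
Review bot: the `+ 2` added to `sizeof(*chip)` in the snd_card_new() call is an unexplained constant, and the quoted KASAN line places the out-of-bounds read in imon_probe rather than in sound/usb/card.c, so padding this allocation leaves the code that performs the read unchanged. Drop the size change and correct the reader instead; if extra space were genuinely required, it should be written as the sizeof of the structure that uses it, with a comment saying who reads it.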

Sorry, it's a no-no.  We have to fix the cause of the OOB access instead
of papering over it with a random increase.

Unfortunately, the most important piece of information is trimmed in the
changelog, so I can't judge what's going on.  The only useful info
there is that it has something to do with the imon driver, but that's
completely independent from USB-audio.  How does it access the
external memory allocated by the snd-usb-audio driver at all?

Before jumping to the solution, we must understand the problem.


thanks,

Takashi

Takashi Iwai Sept. 22, 2023, 9:49 a.m. UTC | #2
On Fri, 22 Sep 2023 10:46:26 +0200,
Takashi Iwai wrote:
> 
> On Fri, 22 Sep 2023 02:51:53 +0200,
> Ricardo B. Marliere wrote:
> > 
> > Syzbot reports a slab-out-of-bounds read of a snd_card object. When
> > snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the
> > extra_size argument, which is not enough in this case.
> > 
> > Relevant logs below:
> > 
> > BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
> > Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
> > (...)
> > The buggy address belongs to the object at ffff8880436a2000
> >  which belongs to the cache kmalloc-4k of size 4096
> > The buggy address is located 1 bytes to the right of
> >  allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)
> > 
> > Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
> > Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
> > ---
> >  sound/usb/card.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/sound/usb/card.c b/sound/usb/card.c
> > index 1b2edc0fd2e9..6578326d33e8 100644
> > --- a/sound/usb/card.c
> > +++ b/sound/usb/card.c
> > @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf,
> >  	}
> >  
> >  	err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
> > -			   sizeof(*chip), &card);
> > +			   sizeof(*chip) + 2, &card);
> 
> Sorry, it's no-no.  We have to fix the cause of the OOB access instead
> of papering over with a random number of increase.
> 
> Unfortunately, most important piece of information is trimmed in the
> changelog, so I can't judge what's going on.  The only useful info
> there is that it's something to do with imon driver, but it's
> completely independent from USB-audio.  How does it access to the
> external memory allocated by snd-usb-audio driver at all?
> 
> Before jumping to the solution, we must understand the problem.

Now I took a look at the syzbot URL and got more info.

At a quick glance, my wild guess is that two different drivers
are bound to two interfaces of the device, the first one to usb-audio
and the second one to imon.  And the imon driver blindly assumes that the
first interface is bound to imon, too, and that can be the cause.
A patch like the one below (totally untested!) might fix the problem.

Can you reproduce the problem on your side?  Or did you pick this up
randomly without testing?

Anyway, let's put the media people on Cc.


thanks,

Takashi

--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -2427,6 +2427,12 @@ static int imon_probe(struct usb_interface *interface,
 		goto fail;
 	}
 
+	if (first_if->dev.driver != interface->dev.driver) {
+		dev_err(&interface->dev, "inconsistent driver matching\n");
+		ret = -EINVAL;
+		goto fail;
+	}
+
 	if (ifnum == 0) {
 		ictx = imon_init_intf0(interface, id);
 		if (!ictx) {
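
Review bot: the new check placed before `if (ifnum == 0)` returns -EINVAL and logs with dev_err(), so a device whose interface 0 is bound to another driver produces "inconsistent driver matching", "unable to register, err -22" and the driver core's "probe of 2-1:1.1 failed with error -22" for what is really an interface imon cannot drive. Consider returning -ENODEV, which the driver core treats as a quiet non-match, and add a short comment above the check stating that the interface 1 path relies on interface 0 being bound to imon, since that assumption is the whole reason for the test.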

Ricardo B. Marliere Sept. 22, 2023, 9:56 a.m. UTC | #3
On 23/09/22 10:46AM, Takashi Iwai wrote:
> On Fri, 22 Sep 2023 02:51:53 +0200,
> Ricardo B. Marliere wrote:
> > 
> > Syzbot reports a slab-out-of-bounds read of a snd_card object. When
> > snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the
> > extra_size argument, which is not enough in this case.
> > 
> > Relevant logs below:
> > 
> > BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
> > Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
> > (...)
> > The buggy address belongs to the object at ffff8880436a2000
> >  which belongs to the cache kmalloc-4k of size 4096
> > The buggy address is located 1 bytes to the right of
> >  allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)
> > 
> > Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
> > Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
> > ---
> >  sound/usb/card.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/sound/usb/card.c b/sound/usb/card.c
> > index 1b2edc0fd2e9..6578326d33e8 100644
> > --- a/sound/usb/card.c
> > +++ b/sound/usb/card.c
> > @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf,
> >  	}
> >  
> >  	err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
> > -			   sizeof(*chip), &card);
> > +			   sizeof(*chip) + 2, &card);
> 
> Sorry, it's no-no.  We have to fix the cause of the OOB access instead
> of papering over with a random number of increase.

Hey Takashi, you are right.

> Unfortunately, most important piece of information is trimmed in the
> changelog, so I can't judge what's going on.  The only useful info
> there is that it's something to do with imon driver, but it's
> completely independent from USB-audio.  How does it access to the
> external memory allocated by snd-usb-audio driver at all?
> 
> Before jumping to the solution, we must understand the problem.

The link mentioned in the "Closes:" tag contains the logs pasted below.
I will continue to investigate the root cause of this oob access, please
let me know if you have any clue I should look into.

Thanks for reviewing!
-	Ricardo

==================================================================
BUG: KASAN: slab-out-of-bounds in imon_init_intf1 drivers/media/rc/imon.c:2323 [inline]
BUG: KASAN: slab-out-of-bounds in imon_probe+0x298f/0x38f0 drivers/media/rc/imon.c:2449
Read of size 1 at addr ffff888069cbac71 by task kworker/1:3/5066

CPU: 1 PID: 5066 Comm: kworker/1:3 Not tainted 6.5.0-rc7-next-20230821-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 imon_init_intf1 drivers/media/rc/imon.c:2323 [inline]
 imon_probe+0x298f/0x38f0 drivers/media/rc/imon.c:2449
 usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x11f1/0x1b40 drivers/base/core.c:3623
 usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
 usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
 usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x11f1/0x1b40 drivers/base/core.c:3623
 usb_new_device+0xd80/0x1960 drivers/usb/core/hub.c:2589
 hub_port_connect drivers/usb/core/hub.c:5440 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
 port_event drivers/usb/core/hub.c:5740 [inline]
 hub_event+0x2daf/0x4e00 drivers/usb/core/hub.c:5822
 process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
 process_scheduled_works kernel/workqueue.c:2703 [inline]
 worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
 kthread+0x33a/0x430 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
 </TASK>

Allocated by task 5066:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:198 [inline]
 __do_kmalloc_node mm/slab_common.c:1004 [inline]
 __kmalloc+0x60/0x100 mm/slab_common.c:1017
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 snd_card_new+0x74/0x110 sound/core/init.c:184
 snd_usb_audio_create sound/usb/card.c:621 [inline]
 usb_audio_probe+0x1905/0x3c60 sound/usb/card.c:827
 usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x11f1/0x1b40 drivers/base/core.c:3623
 usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2207
 usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
 usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:830
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:958
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x11f1/0x1b40 drivers/base/core.c:3623
 usb_new_device+0xd80/0x1960 drivers/usb/core/hub.c:2589
 hub_port_connect drivers/usb/core/hub.c:5440 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
 port_event drivers/usb/core/hub.c:5740 [inline]
 hub_event+0x2daf/0x4e00 drivers/usb/core/hub.c:5822
 process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
 process_scheduled_works kernel/workqueue.c:2703 [inline]
 worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
 kthread+0x33a/0x430 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

The buggy address belongs to the object at ffff888069cba000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1 bytes to the right of
 allocated 3184-byte region [ffff888069cba000, ffff888069cbac70)

The buggy address belongs to the physical page:
page:ffffea0001a72e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x69cb8
head:ffffea0001a72e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000000840 ffff888012c42140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 27, tgid 27 (kworker/1:1), ts 97911259229, free_ts 34249861969
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2cf/0x340 mm/page_alloc.c:1530
 prep_new_page mm/page_alloc.c:1537 [inline]
 get_page_from_freelist+0x10d7/0x31b0 mm/page_alloc.c:3213
 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4469
 alloc_pages+0x1a9/0x270 mm/mempolicy.c:2298
 alloc_slab_page mm/slub.c:1870 [inline]
 allocate_slab+0x251/0x380 mm/slub.c:2017
 new_slab mm/slub.c:2070 [inline]
 ___slab_alloc+0x8be/0x1570 mm/slub.c:3223
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3322
 __slab_alloc_node mm/slub.c:3375 [inline]
 slab_alloc_node mm/slub.c:3468 [inline]
 __kmem_cache_alloc_node+0x137/0x350 mm/slub.c:3517
 __do_kmalloc_node mm/slab_common.c:1003 [inline]
 __kmalloc_node_track_caller+0x50/0x100 mm/slab_common.c:1024
 kmalloc_reserve+0xef/0x270 net/core/skbuff.c:575
 __alloc_skb+0x12b/0x330 net/core/skbuff.c:644
 alloc_skb include/linux/skbuff.h:1286 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
 nsim_dev_trap_report_work+0x29e/0xc70 drivers/net/netdevsim/dev.c:850
 process_one_work+0x887/0x15d0 kernel/workqueue.c:2630
 process_scheduled_works kernel/workqueue.c:2703 [inline]
 worker_thread+0x8bb/0x1290 kernel/workqueue.c:2784
 kthread+0x33a/0x430 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1130 [inline]
 free_unref_page_prepare+0x476/0xa40 mm/page_alloc.c:2342
 free_unref_page+0x33/0x3b0 mm/page_alloc.c:2435
 free_contig_range+0xb6/0x190 mm/page_alloc.c:6385
 destroy_args+0x768/0x990 mm/debug_vm_pgtable.c:1028
 debug_vm_pgtable+0x1d7e/0x3e00 mm/debug_vm_pgtable.c:1408
 do_one_initcall+0x117/0x630 init/main.c:1232
 do_initcall_level init/main.c:1294 [inline]
 do_initcalls init/main.c:1310 [inline]
 do_basic_setup init/main.c:1329 [inline]
 kernel_init_freeable+0x5c2/0x900 init/main.c:1547
 kernel_init+0x1c/0x2a0 init/main.c:1437
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Memory state around the buggy address:
 ffff888069cbab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888069cbab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888069cbac00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
                                                             ^
 ffff888069cbac80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888069cbad00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
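
An added example, not part of the original thread: a small Python triage helper run over lines abridged from the KASAN report above. It shows that the faulting read and the allocation come from two different probe routines, and that the read ends 2 bytes past the allocated region, which is the amount the first patch added to the allocation. The names triage, frames_after and frame_before are this example's own.

```python
import re

# Sample input: lines abridged from the KASAN report quoted in this thread.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in imon_init_intf1 drivers/media/rc/imon.c:2323 [inline]
BUG: KASAN: slab-out-of-bounds in imon_probe+0x298f/0x38f0 drivers/media/rc/imon.c:2449
Read of size 1 at addr ffff888069cbac71 by task kworker/1:3/5066

Call Trace:
 <TASK>
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 imon_init_intf1 drivers/media/rc/imon.c:2323 [inline]
 imon_probe+0x298f/0x38f0 drivers/media/rc/imon.c:2449
 usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
 </TASK>

Allocated by task 5066:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 __kmalloc+0x60/0x100 mm/slab_common.c:1017
 kmalloc include/linux/slab.h:604 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 snd_card_new+0x74/0x110 sound/core/init.c:184
 snd_usb_audio_create sound/usb/card.c:621 [inline]
 usb_audio_probe+0x1905/0x3c60 sound/usb/card.c:827
 usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396

The buggy address belongs to the object at ffff888069cba000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1 bytes to the right of
 allocated 3184-byte region [ffff888069cba000, ffff888069cbac70)
"""

ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+)", re.M)
REGION = re.compile(r"allocated (\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
FRAME = re.compile(r"^\s+([\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+):(\d+)")


def frames_after(report, marker):
    """Return (function, file) pairs of the stack trace that follows `marker`."""
    frames, active = [], False
    for line in report.splitlines():
        if line.startswith(marker):
            active = True
        elif active:
            m = FRAME.match(line)
            if m:
                frames.append((m.group(1), m.group(2)))
            elif line.strip() != "<TASK>":
                break  # a blank line or </TASK> ends the trace
    return frames


def frame_before(frames, caller):
    """Frames are innermost first: return the one called directly by `caller`."""
    for i, (func, _) in enumerate(frames):
        if func == caller and i > 0:
            return frames[i - 1]
    return None


def triage(report):
    """Summarise where the access happened, who allocated the object, and by how much it missed."""
    acc, reg = ACCESS.search(report), REGION.search(report)
    if not acc or not reg:
        raise ValueError("not a KASAN slab-out-of-bounds report")
    size, addr = int(acc.group(2)), int(acc.group(3), 16)
    start, end = int(reg.group(2), 16), int(reg.group(3), 16)
    if end - start != int(reg.group(1)):
        raise ValueError("region size does not match its bounds")
    # The frame called by usb_probe_interface is the driver's own probe routine.
    access_probe = frame_before(frames_after(report, "Call Trace:"), "usb_probe_interface")
    alloc_probe = frame_before(frames_after(report, "Allocated by task"), "usb_probe_interface")
    return {
        "access": acc.group(1),
        "region_size": end - start,
        "offset_in_object": addr - start,
        # Growth the allocation would need for this one access to fit.
        "bytes_past_end": addr + size - end,
        "access_probe": access_probe,
        "alloc_probe": alloc_probe,
        # True when one driver reads an object another driver allocated.
        "cross_driver": None not in (access_probe, alloc_probe) and access_probe != alloc_probe,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

A cross_driver result of True means the size of the allocation is not the thing to change: the reader is treating another driver's object as its own.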

Ricardo B. Marliere Sept. 22, 2023, 10:37 a.m. UTC | #4
On 23/09/22 11:49AM, Takashi Iwai wrote:
> On Fri, 22 Sep 2023 10:46:26 +0200,
> Takashi Iwai wrote:
> > 
> > On Fri, 22 Sep 2023 02:51:53 +0200,
> > Ricardo B. Marliere wrote:
> > > 
> > > Syzbot reports a slab-out-of-bounds read of a snd_card object. When
> > > snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the
> > > extra_size argument, which is not enough in this case.
> > > 
> > > Relevant logs below:
> > > 
> > > BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
> > > Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
> > > (...)
> > > The buggy address belongs to the object at ffff8880436a2000
> > >  which belongs to the cache kmalloc-4k of size 4096
> > > The buggy address is located 1 bytes to the right of
> > >  allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)
> > > 
> > > Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
> > > Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
> > > Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
> > > ---
> > >  sound/usb/card.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/sound/usb/card.c b/sound/usb/card.c
> > > index 1b2edc0fd2e9..6578326d33e8 100644
> > > --- a/sound/usb/card.c
> > > +++ b/sound/usb/card.c
> > > @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf,
> > >  	}
> > >  
> > >  	err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
> > > -			   sizeof(*chip), &card);
> > > +			   sizeof(*chip) + 2, &card);
> > 
> > Sorry, it's no-no.  We have to fix the cause of the OOB access instead
> > of papering over with a random number of increase.
> > 
> > Unfortunately, most important piece of information is trimmed in the
> > changelog, so I can't judge what's going on.  The only useful info
> > there is that it's something to do with imon driver, but it's
> > completely independent from USB-audio.  How does it access to the
> > external memory allocated by snd-usb-audio driver at all?
> > 
> > Before jumping to the solution, we must understand the problem.
> 
> Now I took a look at the syzbot URL and got more info.
> 
> Through a quick glance, my wild guess is that two different drivers
> are bound to two interfaces of the device, the first one to usb-audio
> and the second one to imon.  And imon driver blindly assumes that the
> first interface is bound with imon, too, and that can be the cause.
> A patch like below (totally untested!) might fix the problem.
> 
> Can you reproduce the problem in your side?  Or did you pick this up
> randomly without testing?

Thanks for the valuable info! I tested your proposed patch and it works.
Will you send it as a proper patch or can the maintainers pick it from
here?

> 
> In anyway, let's put media people to Cc.
> 
> 
> thanks,
> 
> Takashi
> 
> --- a/drivers/media/rc/imon.c
> +++ b/drivers/media/rc/imon.c
> @@ -2427,6 +2427,12 @@ static int imon_probe(struct usb_interface *interface,
>  		goto fail;
>  	}
>  
> +	if (first_if->dev.driver != interface->dev.driver) {
> +		dev_err(&interface->dev, "inconsistent driver matching\n");
> +		ret = -EINVAL;
> +		goto fail;
> +	}
> +
>  	if (ifnum == 0) {
>  		ictx = imon_init_intf0(interface, id);
>  		if (!ictx) {

Tested-by: Ricardo B. Marliere <ricardo@marliere.net>


Linux garage 6.6.0-rc2-next-20230921-dirty #15 SMP PREEMPT_DYNAMIC Fri Sep 22 07:29:07 -03 2023 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Sep 19 21:04:06 UTC 2023 on ttyS0
10:31:03 root@garage ~
# ./syz-execprog repsyz
2023/09/22 10:31:08 parsed 1 programs
[   43.416521][ T8175] cc1plus (8175) used greatest stack depth: 22080 bytes left
[   43.470240][ T8179] cc1plus (8179) used greatest stack depth: 22008 bytes left
[   49.171720][ T8224] Adding 124996k swap on ./swap-file.  Priority:0 extents:23 across:1427660k
[   49.178542][ T8224] syz-executor (8224) used greatest stack depth: 21096 bytes left
2023/09/22 10:31:15 executed programs: 0
[   49.233026][   T55] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   49.234270][   T55] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   49.235218][   T55] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   49.236338][   T55] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   49.237283][   T55] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   49.238146][   T55] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   49.355885][ T8240] chnl_net:caif_netlink_parms(): no params data found
[   49.395950][ T8240] bridge0: port 1(bridge_slave_0) entered blocking state
[   49.396944][ T8240] bridge0: port 1(bridge_slave_0) entered disabled state
[   49.397714][ T8240] bridge_slave_0: entered allmulticast mode
[   49.398831][ T8240] bridge_slave_0: entered promiscuous mode
[   49.401610][ T8240] bridge0: port 2(bridge_slave_1) entered blocking state
[   49.402380][ T8240] bridge0: port 2(bridge_slave_1) entered disabled state
[   49.403189][ T8240] bridge_slave_1: entered allmulticast mode
[   49.404311][ T8240] bridge_slave_1: entered promiscuous mode
[   49.421315][ T8240] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   49.423376][ T8240] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   49.440902][ T8240] team0: Port device team_slave_0 added
[   49.442592][ T8240] team0: Port device team_slave_1 added
[   49.457205][ T8240] batman_adv: batadv0: Adding interface: batadv_slave_0
[   49.458088][ T8240] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   49.461793][ T8240] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   49.464566][ T8240] batman_adv: batadv0: Adding interface: batadv_slave_1
[   49.465329][ T8240] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   49.468023][ T8240] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   49.491775][ T8240] hsr_slave_0: entered promiscuous mode
[   49.493000][ T8240] hsr_slave_1: entered promiscuous mode
[   49.576424][ T8240] netdevsim netdevsim1 netdevsim0: renamed from eth0
[   49.580029][ T8240] netdevsim netdevsim1 netdevsim1: renamed from eth1
[   49.582870][ T8240] netdevsim netdevsim1 netdevsim2: renamed from eth2
[   49.585559][ T8240] netdevsim netdevsim1 netdevsim3: renamed from eth3
[   49.598460][ T8240] bridge0: port 2(bridge_slave_1) entered blocking state
[   49.599405][ T8240] bridge0: port 2(bridge_slave_1) entered forwarding state
[   49.600596][ T8240] bridge0: port 1(bridge_slave_0) entered blocking state
[   49.601368][ T8240] bridge0: port 1(bridge_slave_0) entered forwarding state
[   49.632834][ T8240] 8021q: adding VLAN 0 to HW filter on device bond0
[   49.638691][   T23] bridge0: port 1(bridge_slave_0) entered disabled state
[   49.651679][   T23] bridge0: port 2(bridge_slave_1) entered disabled state
[   49.656749][ T8240] 8021q: adding VLAN 0 to HW filter on device team0
[   49.661350][   T31] bridge0: port 1(bridge_slave_0) entered blocking state
[   49.662190][   T31] bridge0: port 1(bridge_slave_0) entered forwarding state
[   49.673212][  T765] bridge0: port 2(bridge_slave_1) entered blocking state
[   49.674679][  T765] bridge0: port 2(bridge_slave_1) entered forwarding state
[   49.698632][ T8240] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   49.702458][ T8240] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   49.778155][ T8240] 8021q: adding VLAN 0 to HW filter on device batadv0
[   49.802649][ T8240] veth0_vlan: entered promiscuous mode
[   49.806107][ T8240] veth1_vlan: entered promiscuous mode
[   49.818270][ T8240] veth0_macvtap: entered promiscuous mode
[   49.822124][ T8240] veth1_macvtap: entered promiscuous mode
[   49.829757][ T8240] batman_adv: batadv0: Interface activated: batadv_slave_0
[   49.833955][ T8240] batman_adv: batadv0: Interface activated: batadv_slave_1
[   49.836876][ T8240] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   49.837861][ T8240] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   49.838840][ T8240] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   49.840126][ T8240] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   49.893587][ T8569] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   49.894469][ T8569] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   49.917314][ T8569] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   49.918127][ T8569] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   49.961690][ T8587] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
[   49.965046][ T8587] misc raw-gadget: fail, usb_gadget_register_driver returned -16
[   50.219962][  T765] usb 2-1: new high-speed USB device number 2 using dummy_hcd
[   50.459682][  T765] usb 2-1: Using ep0 maxpacket: 16
[   50.579830][  T765] usb 2-1: config 1 has too many interfaces: 163, using maximum allowed: 32
[   50.581753][  T765] usb 2-1: config 1 has an invalid descriptor of length 7, skipping remainder of the config
[   50.583812][  T765] usb 2-1: config 1 has 3 interfaces, different from the descriptor's value: 163
[   50.585682][  T765] usb 2-1: config 1 interface 1 altsetting 1 endpoint 0x1 has an invalid bInterval 0, changing to 7
[   50.587870][  T765] usb 2-1: config 1 interface 1 altsetting 1 endpoint 0x1 has invalid wMaxPacketSize 0
[   50.590104][  T765] usb 2-1: too many endpoints for config 1 interface 2 altsetting 0: 128, using maximum allowed: 30
[   50.592292][  T765] usb 2-1: config 1 interface 2 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 128
[   50.594921][  T765] usb 2-1: config 1 interface 2 altsetting 1 endpoint 0x82 has an invalid bInterval 62, changing to 7
[   50.597128][  T765] usb 2-1: config 1 interface 2 altsetting 1 endpoint 0x82 has invalid maxpacket 41992, setting to 1024
[   50.749794][  T765] usb 2-1: New USB device found, idVendor=15c2, idProduct=0039, bcdDevice=80.f3
[   50.751765][  T765] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   50.753415][  T765] usb 2-1: Product: syz
[   50.754255][  T765] usb 2-1: Manufacturer: syz
[   50.755247][  T765] usb 2-1: SerialNumber: syz
[   50.805761][  T765] imon:imon_find_endpoints: no valid input (IR) endpoint found
[   50.807506][  T765] imon 2-1:1.0: unable to initialize intf0, err -19
[   50.808934][  T765] imon:imon_probe: failed to initialize context!
[   50.810288][  T765] imon 2-1:1.0: unable to register, err -19
[   51.069921][  T765] usb 2-1: 2:1 : UAC_AS_GENERAL descriptor not found
[   51.113716][  T765] imon 2-1:1.1: inconsistent driver matching
[   51.121438][  T765] imon 2-1:1.1: unable to register, err -22
[   51.122866][  T765] imon: probe of 2-1:1.1 failed with error -22
[   51.132274][  T765] usb 2-1: USB disconnect, device number 2
[   51.270491][ T4485] Bluetooth: hci0: command 0x0409 tx timeout
10:31:17 root@garage ~
#

Takashi Iwai Sept. 22, 2023, 11:10 a.m. UTC | #5
On Fri, 22 Sep 2023 12:37:02 +0200,
Ricardo B. Marliere wrote:
> 
> On 23/09/22 11:49AM, Takashi Iwai wrote:
> > On Fri, 22 Sep 2023 10:46:26 +0200,
> > Takashi Iwai wrote:
> > > 
> > > On Fri, 22 Sep 2023 02:51:53 +0200,
> > > Ricardo B. Marliere wrote:
> > > > 
> > > > Syzbot reports a slab-out-of-bounds read of a snd_card object. When
> > > > snd_usb_audio_create calls snd_card_new, it passes sizeof(*chip) as the
> > > > extra_size argument, which is not enough in this case.
> > > > 
> > > > Relevant logs below:
> > > > 
> > > > BUG: KASAN: slab-out-of-bounds in imon_probe+0x2983/0x3910
> > > > Read of size 1 at addr ffff8880436a2c71 by task kworker/1:2/777
> > > > (...)
> > > > The buggy address belongs to the object at ffff8880436a2000
> > > >  which belongs to the cache kmalloc-4k of size 4096
> > > > The buggy address is located 1 bytes to the right of
> > > >  allocated 3184-byte region [ffff8880436a2000, ffff8880436a2c70)
> > > > 
> > > > Reported-by: syzbot+59875ffef5cb9c9b29e9@syzkaller.appspotmail.com
> > > > Closes: https://lore.kernel.org/all/000000000000a838aa0603cc74d6@google.com/
> > > > Signed-off-by: Ricardo B. Marliere <ricardo@marliere.net>
> > > > ---
> > > >  sound/usb/card.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > 
> > > > diff --git a/sound/usb/card.c b/sound/usb/card.c
> > > > index 1b2edc0fd2e9..6578326d33e8 100644
> > > > --- a/sound/usb/card.c
> > > > +++ b/sound/usb/card.c
> > > > @@ -619,7 +619,7 @@ static int snd_usb_audio_create(struct usb_interface *intf,
> > > >  	}
> > > >  
> > > >  	err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
> > > > -			   sizeof(*chip), &card);
> > > > +			   sizeof(*chip) + 2, &card);
> > > 
> > > Sorry, it's no-no.  We have to fix the cause of the OOB access instead
> > > of papering over with a random number of increase.
> > > 
> > > Unfortunately, most important piece of information is trimmed in the
> > > changelog, so I can't judge what's going on.  The only useful info
> > > there is that it's something to do with imon driver, but it's
> > > completely independent from USB-audio.  How does it access to the
> > > external memory allocated by snd-usb-audio driver at all?
> > > 
> > > Before jumping to the solution, we must understand the problem.
> > 
> > Now I took a look at the syzbot URL and got more info.
> > 
> > Through a quick glance, my wild guess is that two different drivers
> > are bound to two interfaces of the device, the first one to usb-audio
> > and the second one to imon.  And imon driver blindly assumes that the
> > first interface is bound with imon, too, and that can be the cause.
> > A patch like below (totally untested!) might fix the problem.
> > 
> > Can you reproduce the problem in your side?  Or did you pick this up
> > randomly without testing?
> 
> Thanks for the valuable info! I tested your proposed patch and it works.
> Will you send it as a proper patch or can the maintainers pick it from
> here?

Good to hear!  Then I'll submit a proper patch later.
Thanks for the quick testing.


Takashi

> 
> > 
> > Anyway, let's put the media people on Cc.
> > 
> > 
> > thanks,
> > 
> > Takashi
> > 
> > --- a/drivers/media/rc/imon.c
> > +++ b/drivers/media/rc/imon.c
> > @@ -2427,6 +2427,12 @@ static int imon_probe(struct usb_interface *interface,
> >  		goto fail;
> >  	}
> >  
> > +	if (first_if->dev.driver != interface->dev.driver) {
> > +		dev_err(&interface->dev, "inconsistent driver matching\n");
> > +		ret = -EINVAL;
> > +		goto fail;
> > +	}
> > +
> >  	if (ifnum == 0) {
> >  		ictx = imon_init_intf0(interface, id);
> >  		if (!ictx) {
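Review bot: the new check on first_if->dev.driver in imon_probe() carries no comment saying when the two drivers can differ, and the dev_err text "inconsistent driver matching" does not tell the reader that the first interface is bound to a different driver. A short comment above the if and a message that names that situation would make the intent clear to whoever hits it in a log. Since this is a device the driver is declining rather than a bad argument, it is also worth asking whether -ENODEV fits better than -EINVAL here.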
> 
> Tested-by: Ricardo B. Marliere <ricardo@marliere.net>
> 
> 
> Linux garage 6.6.0-rc2-next-20230921-dirty #15 SMP PREEMPT_DYNAMIC Fri Sep 22 07:29:07 -03 2023 x86_64
> 
> The programs included with the Debian GNU/Linux system are free software;
> the exact distribution terms for each program are described in the
> individual files in /usr/share/doc/*/copyright.
> 
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> Last login: Tue Sep 19 21:04:06 UTC 2023 on ttyS0
> 10:31:03 root@garage ~
> # ./syz-execprog repsyz
> 2023/09/22 10:31:08 parsed 1 programs
> [   43.416521][ T8175] cc1plus (8175) used greatest stack depth: 22080 bytes left
> [   43.470240][ T8179] cc1plus (8179) used greatest stack depth: 22008 bytes left
> [   49.171720][ T8224] Adding 124996k swap on ./swap-file.  Priority:0 extents:23 across:1427660k
> [   49.178542][ T8224] syz-executor (8224) used greatest stack depth: 21096 bytes left
> 2023/09/22 10:31:15 executed programs: 0
> [   49.233026][   T55] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
> [   49.234270][   T55] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
> [   49.235218][   T55] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
> [   49.236338][   T55] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
> [   49.237283][   T55] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
> [   49.238146][   T55] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
> [   49.355885][ T8240] chnl_net:caif_netlink_parms(): no params data found
> [   49.395950][ T8240] bridge0: port 1(bridge_slave_0) entered blocking state
> [   49.396944][ T8240] bridge0: port 1(bridge_slave_0) entered disabled state
> [   49.397714][ T8240] bridge_slave_0: entered allmulticast mode
> [   49.398831][ T8240] bridge_slave_0: entered promiscuous mode
> [   49.401610][ T8240] bridge0: port 2(bridge_slave_1) entered blocking state
> [   49.402380][ T8240] bridge0: port 2(bridge_slave_1) entered disabled state
> [   49.403189][ T8240] bridge_slave_1: entered allmulticast mode
> [   49.404311][ T8240] bridge_slave_1: entered promiscuous mode
> [   49.421315][ T8240] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
> [   49.423376][ T8240] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
> [   49.440902][ T8240] team0: Port device team_slave_0 added
> [   49.442592][ T8240] team0: Port device team_slave_1 added
> [   49.457205][ T8240] batman_adv: batadv0: Adding interface: batadv_slave_0
> [   49.458088][ T8240] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
> [   49.461793][ T8240] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
> [   49.464566][ T8240] batman_adv: batadv0: Adding interface: batadv_slave_1
> [   49.465329][ T8240] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
> [   49.468023][ T8240] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
> [   49.491775][ T8240] hsr_slave_0: entered promiscuous mode
> [   49.493000][ T8240] hsr_slave_1: entered promiscuous mode
> [   49.576424][ T8240] netdevsim netdevsim1 netdevsim0: renamed from eth0
> [   49.580029][ T8240] netdevsim netdevsim1 netdevsim1: renamed from eth1
> [   49.582870][ T8240] netdevsim netdevsim1 netdevsim2: renamed from eth2
> [   49.585559][ T8240] netdevsim netdevsim1 netdevsim3: renamed from eth3
> [   49.598460][ T8240] bridge0: port 2(bridge_slave_1) entered blocking state
> [   49.599405][ T8240] bridge0: port 2(bridge_slave_1) entered forwarding state
> [   49.600596][ T8240] bridge0: port 1(bridge_slave_0) entered blocking state
> [   49.601368][ T8240] bridge0: port 1(bridge_slave_0) entered forwarding state
> [   49.632834][ T8240] 8021q: adding VLAN 0 to HW filter on device bond0
> [   49.638691][   T23] bridge0: port 1(bridge_slave_0) entered disabled state
> [   49.651679][   T23] bridge0: port 2(bridge_slave_1) entered disabled state
> [   49.656749][ T8240] 8021q: adding VLAN 0 to HW filter on device team0
> [   49.661350][   T31] bridge0: port 1(bridge_slave_0) entered blocking state
> [   49.662190][   T31] bridge0: port 1(bridge_slave_0) entered forwarding state
> [   49.673212][  T765] bridge0: port 2(bridge_slave_1) entered blocking state
> [   49.674679][  T765] bridge0: port 2(bridge_slave_1) entered forwarding state
> [   49.698632][ T8240] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
> [   49.702458][ T8240] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
> [   49.778155][ T8240] 8021q: adding VLAN 0 to HW filter on device batadv0
> [   49.802649][ T8240] veth0_vlan: entered promiscuous mode
> [   49.806107][ T8240] veth1_vlan: entered promiscuous mode
> [   49.818270][ T8240] veth0_macvtap: entered promiscuous mode
> [   49.822124][ T8240] veth1_macvtap: entered promiscuous mode
> [   49.829757][ T8240] batman_adv: batadv0: Interface activated: batadv_slave_0
> [   49.833955][ T8240] batman_adv: batadv0: Interface activated: batadv_slave_1
> [   49.836876][ T8240] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
> [   49.837861][ T8240] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
> [   49.838840][ T8240] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
> [   49.840126][ T8240] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
> [   49.893587][ T8569] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
> [   49.894469][ T8569] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
> [   49.917314][ T8569] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
> [   49.918127][ T8569] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
> [   49.961690][ T8587] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
> [   49.965046][ T8587] misc raw-gadget: fail, usb_gadget_register_driver returned -16
> [   50.219962][  T765] usb 2-1: new high-speed USB device number 2 using dummy_hcd
> [   50.459682][  T765] usb 2-1: Using ep0 maxpacket: 16
> [   50.579830][  T765] usb 2-1: config 1 has too many interfaces: 163, using maximum allowed: 32
> [   50.581753][  T765] usb 2-1: config 1 has an invalid descriptor of length 7, skipping remainder of the config
> [   50.583812][  T765] usb 2-1: config 1 has 3 interfaces, different from the descriptor's value: 163
> [   50.585682][  T765] usb 2-1: config 1 interface 1 altsetting 1 endpoint 0x1 has an invalid bInterval 0, changing to 7
> [   50.587870][  T765] usb 2-1: config 1 interface 1 altsetting 1 endpoint 0x1 has invalid wMaxPacketSize 0
> [   50.590104][  T765] usb 2-1: too many endpoints for config 1 interface 2 altsetting 0: 128, using maximum allowed: 30
> [   50.592292][  T765] usb 2-1: config 1 interface 2 altsetting 0 has 0 endpoint descriptors, different from the interface descriptor's value: 128
> [   50.594921][  T765] usb 2-1: config 1 interface 2 altsetting 1 endpoint 0x82 has an invalid bInterval 62, changing to 7
> [   50.597128][  T765] usb 2-1: config 1 interface 2 altsetting 1 endpoint 0x82 has invalid maxpacket 41992, setting to 1024
> [   50.749794][  T765] usb 2-1: New USB device found, idVendor=15c2, idProduct=0039, bcdDevice=80.f3
> [   50.751765][  T765] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
> [   50.753415][  T765] usb 2-1: Product: syz
> [   50.754255][  T765] usb 2-1: Manufacturer: syz
> [   50.755247][  T765] usb 2-1: SerialNumber: syz
> [   50.805761][  T765] imon:imon_find_endpoints: no valid input (IR) endpoint found
> [   50.807506][  T765] imon 2-1:1.0: unable to initialize intf0, err -19
> [   50.808934][  T765] imon:imon_probe: failed to initialize context!
> [   50.810288][  T765] imon 2-1:1.0: unable to register, err -19
> [   51.069921][  T765] usb 2-1: 2:1 : UAC_AS_GENERAL descriptor not found
> [   51.113716][  T765] imon 2-1:1.1: inconsistent driver matching
> [   51.121438][  T765] imon 2-1:1.1: unable to register, err -22
> [   51.122866][  T765] imon: probe of 2-1:1.1 failed with error -22
> [   51.132274][  T765] usb 2-1: USB disconnect, device number 2
> [   51.270491][ T4485] Bluetooth: hci0: command 0x0409 tx timeout
> 10:31:17 root@garage ~
> # 
>
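The ownership check discussed in the thread above, as an added userspace model that is not code from the kernel or from either poster. `struct driver`, `struct interface`, `remote_probe_secondary` and the other names are hypothetical stand-ins for the kernel objects.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace model; every name here is a hypothetical stand-in, not a kernel API. */
struct driver { const char *name; };

struct interface {
    const struct driver *driver;  /* driver currently bound to this interface */
    void *drvdata;                /* private data; layout known only to that driver */
};

/* Private data of two unrelated drivers, with different sizes and layouts. */
struct audio_chip { int index; };
struct remote_ctx { char pad[64]; unsigned char dev_present; };

static const struct driver audio_drv  = { "audio"  };
static const struct driver remote_drv = { "remote" };

/*
 * Probe of a secondary interface that reuses the context stored on
 * interface 0. The cast is only valid when interface 0 is bound to the
 * same driver, so ownership is checked before drvdata is dereferenced.
 */
static int remote_probe_secondary(const struct interface *first_if,
                                  const struct interface *self,
                                  unsigned char *present_out)
{
    const struct remote_ctx *ctx;

    if (first_if->driver != self->driver)
        return -EINVAL;           /* drvdata belongs to another driver */
    if (!first_if->drvdata)
        return -ENODEV;           /* same driver, but no context was set up */

    ctx = first_if->drvdata;
    *present_out = ctx->dev_present;
    return 0;
}

/* Constructed scenario: interface 0 owned by `owner`, interface 1 by remote_drv. */
static int probe_with_if0_owner(const struct driver *owner)
{
    static struct audio_chip chip = { 0 };
    static struct remote_ctx rctx = { {0}, 1 };
    struct interface if0 = { owner, owner == &remote_drv ? (void *)&rctx : (void *)&chip };
    struct interface if1 = { &remote_drv, NULL };
    unsigned char present = 0;
    int ret = remote_probe_secondary(&if0, &if1, &present);

    return ret ? ret : present;
}
```

Without the first comparison, the `audio_drv` case would read `dev_present` at an offset past the end of the smaller `audio_chip` object, which is the shape of the out-of-bounds read in the report.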

Patch

diff --git a/sound/usb/card.c b/sound/usb/card.c
index 1b2edc0fd2e9..6578326d33e8 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -619,7 +619,7 @@  static int snd_usb_audio_create(struct usb_interface *intf,
 	}
 
 	err = snd_card_new(&intf->dev, index[idx], id[idx], THIS_MODULE,
-			   sizeof(*chip), &card);
+			   sizeof(*chip) + 2, &card);
 	if (err < 0) {
 		dev_err(&dev->dev, "cannot create card instance %d\n", idx);
 		return err;
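Review bot: the "+ 2" added to sizeof(*chip) in the snd_card_new() call is a magic number with no derivation. The KASAN report in the commit message places the faulting read in imon_probe, 1 byte past the 3184-byte region, so growing the allocation only moves the boundary while the read of another driver's object stays in place. Drop this change and fix the reader instead, or at minimum state in the changelog which field is supposed to occupy the extra bytes.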