From 82fe037ea706ad12d67e22db70bc02b65c5e6686 Mon Sep 17 00:00:00 2001 From: Ajay Agarwal Date: Fri, 5 May 2017 15:05:51 +0530 Subject: [PATCH] sound: usb: Fix format desc usage for BADD 3.0 devices For a BADD device, the audioformat structure was directly being populated without initialising the format type descriptor. This can lead to a crash later when the format type and rates are being parsed but the NULL fmt desc is dereferenced. Fix this by allocating a dummy copy of fmt desc for BADD 3.0 devices and populating necessary fields. Change-Id: I80f33b0e400a9c522a800e989228da134100bb55 Signed-off-by: Ajay Agarwal --- sound/usb/stream.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/sound/usb/stream.c b/sound/usb/stream.c index 2bb503576134..a7d7c3a0ac3e 100644 --- a/sound/usb/stream.c +++ b/sound/usb/stream.c @@ -652,6 +652,16 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no) case UAC_VERSION_3: { int wMaxPacketSize; + /* + * Allocate a dummy instance of fmt and set format type + * to UAC_FORMAT_TYPE_I for BADD support; free fmt + * after its last usage + */ + fmt = kzalloc(sizeof(*fmt), GFP_KERNEL); + if (!fmt) + return -ENOMEM; + + fmt->bFormatType = UAC_FORMAT_TYPE_I; format = UAC_FORMAT_TYPE_I_PCM; clock = BADD_CLOCK_SOURCE; wMaxPacketSize = le16_to_cpu(get_endpoint(alts, 0) @@ -678,6 +688,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no) dev_err(&dev->dev, "%u:%d: invalid wMaxPacketSize\n", iface_no, altno); + kfree(fmt); continue; } } @@ -776,6 +787,8 @@ populate_fp: continue; } + if (protocol == UAC_VERSION_3) + kfree(fmt); /* Create chmap */ if (fp->channels != num_channels) chconfig = 0;