[ciqlts8_6] ALSA: usb-audio: Fix potential overflow of PCM transfer buffer #974

Merged
roxanan1996 merged 1 commit into ciqlts8_6 from {ciq_kernel_automation}_ciqlts8_6
Mar 16, 2026
Conversation

@ciq-kernel-automation

Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

ALSA: usb-audio: Fix potential overflow of PCM transfer buffer

jira VULN-161123
cve CVE-2025-40269
commit-author Takashi Iwai <tiwai@suse.de>
commit 05a1fc5efdd8560f34a3af39c9cf1e1526cc3ddf

Test Results

✅ Build Stage

Architecture | Build Time | Total Time
x86_64       | 23m 31s    | 25m 37s
aarch64      | 9m 46s     | 11m 12s

✅ Boot Verification

✅ Kernel Selftests

Architecture | Passed | Failed
x86_64       | 110    | 30
aarch64      | 64     | 23

Test Comparison

x86_64:

  • ✅ Status: Passed - Within acceptable threshold (±3 tests)
  • Compared against: ciqlts8_6

aarch64:

  • ✅ Status: Passed - Within acceptable threshold (±3 tests)
  • Compared against: ciqlts8_6

🤖 This PR was automatically generated by GitHub Actions
Run ID: 22999932394

jira VULN-161123
cve CVE-2025-40269
commit-author Takashi Iwai <tiwai@suse.de>
commit 05a1fc5

The PCM stream data in USB-audio driver is transferred over USB URB
packet buffers, and each packet size is determined dynamically.  The
packet sizes are limited by some factors such as wMaxPacketSize USB
descriptor.  OTOH, in the current code, the actually used packet sizes
are determined only by the rate and the PPS, which may be bigger than
the size limit above.  This results in a buffer overflow, as reported
by syzbot.

Basically when the limit is smaller than the calculated packet size,
it implies that something is wrong, most likely a weird USB
descriptor.  So the best option would be just to return an error at
the parameter setup time before doing any further operations.

This patch introduces such a sanity check, and returns -EINVAL when
the packet size is greater than maxpacksize.  The comparison with
ep->packsize[1] alone should suffice since it's always equal or
greater than ep->packsize[0].

	Reported-by: syzbot+bfd77469c8966de076f7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bfd77469c8966de076f7
Link: https://lore.kernel.org/690b6b46.050a0220.3d0d33.0054.GAE@google.com
	Cc: Lizhi Xu <lizhi.xu@windriver.com>
	Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20251109091211.12739-1-tiwai@suse.de
	Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 05a1fc5)
	Signed-off-by: CIQ Kernel Automation <ciq_kernel_automation@ciq.com>
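
The sanity check described in the commit message above, as an added example that is not part of this PR or of the upstream patch: a simplified user-space C model of packet sizing checked against the descriptor limit. The struct, the function names, the sample values and the choice to hold every size in bytes are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical user-space model, not kernel code. Field names echo the
 * commit message; holding every size in bytes is an assumption. */
struct ep_model {
	unsigned int rate;         /* sample rate, Hz */
	unsigned int pps;          /* packets per second */
	unsigned int frame_bytes;  /* bytes per audio frame */
	unsigned int maxpacksize;  /* limit derived from wMaxPacketSize */
	unsigned int packsize[2];  /* [0] = smallest, [1] = largest packet */
};

/* Size packets from rate and PPS alone, then apply the sanity check:
 * fail at parameter setup if the largest packet exceeds the limit. */
int ep_model_set_params(struct ep_model *ep)
{
	if (ep->pps == 0 || ep->frame_bytes == 0)
		return -EINVAL;
	ep->packsize[0] = (ep->rate / ep->pps) * ep->frame_bytes;
	ep->packsize[1] = ((ep->rate + ep->pps - 1) / ep->pps) * ep->frame_bytes;
	/* packsize[1] >= packsize[0] always, so one comparison is enough */
	if (ep->packsize[1] > ep->maxpacksize)
		return -EINVAL;
	return 0;
}

/* Bytes by which the largest packet would overrun a buffer sized from
 * maxpacksize if the check above were absent (0 when it fits). */
unsigned int ep_model_overrun(const struct ep_model *ep)
{
	return ep->packsize[1] > ep->maxpacksize ?
	       ep->packsize[1] - ep->maxpacksize : 0;
}

int main(void)
{
	/* Constructed sample values: 16-bit stereo at 1000 packets/s */
	struct ep_model sane = { 44100, 1000, 4, 192, { 0, 0 } };
	struct ep_model odd  = { 48000, 1000, 4, 64,  { 0, 0 } };
	int r1 = ep_model_set_params(&sane);
	int r2 = ep_model_set_params(&odd);

	printf("sane: ret=%d packsize=%u/%u\n", r1, sane.packsize[0], sane.packsize[1]);
	printf("odd:  ret=%d overrun=%u bytes\n", r2, ep_model_overrun(&odd));
	return 0;
}
```
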
@github-actions

🤖 Validation Checks In Progress. Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/23151423379

@github-actions

Validation checks completed successfully. View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/23151423379

@roxanan1996 roxanan1996 merged commit 5cdfabb into ciqlts8_6 Mar 16, 2026
29 of 31 checks passed