ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES

CassivsGabriellis · gregkh · commit ab5ba9fd1387 · 2026-05-17T17:13:25.000+02:00
commit 3c318f9 upstream. parse_uac2_sample_rate_range() caps the number of enumerated rates at MAX_NR_RATES, but it only breaks out of the current rate loop. A malformed UAC2 RANGE response with additional triplets continues parsing the remaining triplets and repeatedly prints "invalid uac2 rates" while probe still holds register_mutex. Stop the whole parse once the cap is reached and return the number of rates collected so far. Fixes: 4fa0e81 ("ALSA: usb-audio: fix possible hang and overflow in parse_uac2_sample_rate_range()") Cc: stable@vger.kernel.org Reported-by: syzbot+d56178c27a4710960820@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=d56178c27a4710960820 Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Link: https://patch.msgid.link/20260415-usb-audio-uac2-rate-cap-v1-1-5ecbafc120d8@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/sound/usb/format.c b/sound/usb/format.c
@@ -461,7 +461,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip,
 			nr_rates++;
 			if (nr_rates >= MAX_NR_RATES) {
 				usb_audio_err(chip, "invalid uac2 rates\n");
-				break;
+				return nr_rates;
 			}
 
 skip_rate:

Original file line number	Diff line number	Diff line change
`@@ -461,7 +461,7 @@ static int parse_uac2_sample_rate_range(struct snd_usb_audio *chip,`
`461`	`461`	`nr_rates++;`
`462`	`462`	`if (nr_rates >= MAX_NR_RATES) {`
`463`	`463`	`usb_audio_err(chip, "invalid uac2 rates\n");`
`464`		`- break;`
	`464`	`+ return nr_rates;`
`465`	`465`	`}`
`466`	`466`
`467`	`467`	`skip_rate:`