Syzkaller reported a general protection fault in snd_usbmidi_do_output(), caused by dereferencing a NULL URB pointer when accessing ep->urbs[urb_index].urb. This can happen in rare race conditions where the URB was not initialized or was already freed (e.g. during disconnect or after errors), and the output timer or other path tries to reuse it. Fix this by checking if the URB is NULL before accessing it, and skipping the current slot if it is. Reported-by: syzbot+f02665daa2abeef4a947@xxxxxxxxxxxxxxxxxxxxxxxxx Link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947 Signed-off-by: Brahmajit Das <listout@xxxxxxxxxxx> --- sound/usb/midi.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sound/usb/midi.c b/sound/usb/midi.c index acb3bf92857c..7919a39decb4 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -307,6 +307,10 @@ static void snd_usbmidi_do_output(struct snd_usb_midi_out_endpoint *ep) for (;;) { if (!(ep->active_urbs & (1 << urb_index))) { urb = ep->urbs[urb_index].urb; + if (!urb) { + // Skip this urb + goto next_urb; + } urb->transfer_buffer_length = 0; ep->umidi->usb_protocol_ops->output(ep, urb); if (urb->transfer_buffer_length == 0) @@ -319,6 +323,7 @@ static void snd_usbmidi_do_output(struct snd_usb_midi_out_endpoint *ep) break; ep->active_urbs |= 1 << urb_index; } +next_urb: if (++urb_index >= OUTPUT_URBS) urb_index = 0; if (urb_index == ep->next_urb) -- 2.51.0
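Review bot: In the first hunk the NULL test only covers a slot whose `ep->urbs[urb_index].urb` pointer is actually NULL, yet the description says the URB may have been "already freed"; a freed URB whose pointer was not cleared still gets dereferenced, and nothing shown here prevents the slot from being freed between `urb = ep->urbs[urb_index].urb;` and the `urb->transfer_buffer_length = 0;` that follows. The commit message should name the path that leaves the slot NULL and explain why the check is safe against the disconnect race rather than narrowing the window. Minor: `// Skip this urb` uses a C++-style comment; kernel code uses `/* Skip this urb */`.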
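Review bot: In the second hunk the `next_urb:` label is placed immediately after the closing brace of the `if (!(ep->active_urbs & (1 << urb_index)))` block, so `goto next_urb` does nothing more than leave that block and fall through to `if (++urb_index >= OUTPUT_URBS)`. The label and goto can be dropped by folding the NULL test into the enclosing condition, e.g. `if (!(ep->active_urbs & (1 << urb_index)) && ep->urbs[urb_index].urb) {` with the `urb = ...` assignment kept as is, which reaches the same index-advance path with no jump.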