When multiple plug-in and plug-out events occur, there is a risk of encountering a NULL pointer dereference leading to a kernel panic during a headset use-case. This issue arises in the snd_usb_endpoint_close function.
To avoid this, check if ep->iface_ref is not null before decrementing its opened count. If ep->iface_ref is null, we skip the decrement and the subsequent logic.
Signed-off-by: Rajashekar kuruva quic_kuruva@quicinc.com --- sound/usb/endpoint.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c index 8f65349a06d3..0e3101b7e392 100644 --- a/sound/usb/endpoint.c +++ b/sound/usb/endpoint.c @@ -950,7 +950,7 @@ void snd_usb_endpoint_close(struct snd_usb_audio *chip, usb_audio_dbg(chip, "Closing EP 0x%x (count %d)\n", ep->ep_num, ep->opened);
- if (!--ep->iface_ref->opened && + if (ep->iface_ref && !--ep->iface_ref->opened && !(chip->quirk_flags & QUIRK_FLAG_IFACE_SKIP_CLOSE)) endpoint_set_interface(chip, ep, false);
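Review bot: In the `if` condition of snd_usb_endpoint_close(), the added `ep->iface_ref &&` test avoids the dereference, but the commit message does not say how ep->iface_ref becomes NULL on an endpoint that is still being closed (the usb_audio_dbg line just above prints ep->opened as a count). Please describe the plug-in/plug-out sequence that reaches this state and include the panic trace, so a reader can tell whether the guard fixes the cause or hides a reference-count imbalance elsewhere. Also confirm that skipping endpoint_set_interface(chip, ep, false) when iface_ref is NULL is intended, since the interface is then not reset on this close path, and say what serializes this check against whatever clears iface_ref, because nothing in the visible lines shows it.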