Commit Graph

100 Commits

Author SHA1 Message Date
Takashi Iwai c0bcdbdff3 ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
When a TLV ioctl with numid zero is handled, the driver may spew a
kernel warning with a stack trace at each call.  The check was
intended obviously only for a kernel driver, but not for a user
interaction.  Let's fix it.

This was spotted by syzkaller fuzzer.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-01-18 14:40:07 +01:00
Takashi Sakamoto e1c78df1da ALSA: ctl: fix to handle several elements added by one operation for userspace element
An element instance can have several elements with the same feature.
Some userspace applications can add such an element instance by add
operation with the number of elements. Then, the element instance
gets a memory object to keep states of these elements.

But the element instance has just one memory object for the elements.
This causes the same result to each read/write operations to the
different elements.

This commit fixes this bug by allocating enough memory objects to the
element instance for each of elements.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-04-13 10:31:49 +02:00
Takashi Iwai c30cf8cbe5 ALSA: control: Fix a typo of SNDRV_CTL_ELEM_ACCESS_TLV_* with SNDRV_CTL_TLV_OP_*
The commit [39d118677baa: ALSA: ctl: evaluate macro instead of
numerical value] replaced the numbers with constants, but one place
was replaced wrongly with a different type.  Fixed now.

Fixes: 39d118677b ('ALSA: ctl: evaluate macro instead of numerical value')
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-04-12 09:18:14 +02:00
Takashi Sakamoto cab2ed7474 ALSA: ctl: fill identical information to return value when adding userspace elements
currently some members related identical information are not fiiled
in returned parameter of SNDRV_CTL_IOCTL_ELEM_ADD. This is not better
for userspace application.

This commit copies information to returned value. When failing to copy
into userspace, the added elements are going to be removed. Then, no
applications can lock these elements between adding and removing because
these are already locked.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-04-11 17:35:17 +02:00
Takashi Sakamoto c378c3b03c ALSA: ctl: fix a bug to return no identical information in info operation for userspace controls
In operations of SNDRV_CTL_IOCTL_ELEM_INFO, identical information in
returned value is cleared. This is not better to userspace application.

This commit confirms to return full identical information to the
operations.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-04-11 17:32:16 +02:00
Takashi Sakamoto c78497e010 ALSA: ctl: confirm to return all identical information in 'activate' event
When event originator doesn't set numerical ID in identical information,
the event data includes no numerical ID, thus userspace applications
cannot identify the control just by unique ID in event data.

This commit fix this bug so as the event data includes all of identical
information.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-04-11 17:31:31 +02:00
Takashi Sakamoto 39d118677b ALSA: ctl: evaluate macro instead of numerical value
SNDRV_CTL_TLV_OP_XXX is defined but not used in core code. Instead,
raw numerical value is evaluated.

This commit replaces these values to these macros for better looking.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-04-10 09:36:25 +02:00
Takashi Iwai e79d74ab25 ALSA: control: Fix breakage of user ctl element addition
In the commit [2225e79b9b03: 'ALSA: core: reduce stack usage related
to snd_ctl_new()'], the id field of the newly added kctl is untouched,
thus all attribute like name string remain empty.  The fix is just to
add the forgotten memcpy of the id field.

Fixes: 2225e79b9b ('ALSA: core: reduce stack usage related to snd_ctl_new()')
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-03-13 07:21:51 +01:00
Takashi Iwai e6826ef145 Merge branch 'for-linus' into for-next 2015-03-12 07:38:46 +01:00
Takashi Iwai be3bb8236d ALSA: control: Add sanity checks for user ctl id name string
There was no check about the id string of user control elements, so we
accepted even a control element with an empty string, which is
obviously bogus.  This patch adds more sanity checks of id strings.

Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-03-12 07:36:38 +01:00
Takashi Iwai ec0e9937aa ALSA: core: Drop superfluous error/debug messages after malloc failures
The kernel memory allocators already report the errors when the
requested allocation fails, thus we don't need to warn it again in
each caller side.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-03-10 15:42:14 +01:00
Takashi Sakamoto 2225e79b9b ALSA: core: reduce stack usage related to snd_ctl_new()
The callers of snd_ctl_new() need to have 'struct snd_kcontrol' data,
and pass the data as template. Then, the function allocates the structure
data again and copy from the template. This is a waste of resources.
Especially, the callers use large stack for the template.

This commit removes a need of template for the function, thus, changes
the prototype of snd_ctl_new(). Furthermore, this commit changes
the code of callers, snd_ctl_new1() and snd_ctl_elem_add() for better
shape.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-03-10 15:29:59 +01:00
Takashi Sakamoto 4ed56666b7 ALSA: core: use precomputed table to check userspace control params
The parameters can be decided in compile time.

This commit adds precomputed table to reduce calculating time.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-03-10 15:27:57 +01:00
Takashi Sakamoto e6ff3840dc ALSA: control: fix failure to return new numerical ID in 'replace' event data
In 'replace' event data, numerical ID of control is always invalid. This
commit fix this bug so as the event data has renewed numerical ID for
control.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-02-09 16:23:25 +01:00
Takashi Sakamoto d34890cf41 ALSA: control: fix failure to return numerical ID in 'add' event
Currently when adding a new control, the assigned numerical ID is not
set for event data, thus userspace applications cannot realize it just
by event data.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-02-08 15:31:09 +01:00
Takashi Iwai 40a4b26385 ALSA: Simplify snd_device_register() variants
Now that all callers have been replaced with
snd_device_register_for_dev(), let's drop the obsolete device
registration code and concentrate only on the code handling struct
device directly.  That said,

- remove the old snd_device_register(),
- rename snd_device_register_for_dev() with snd_device_register(),
- drop superfluous arguments from snd_device_register(),
- change snd_unregister_device() to pass the device pointer directly

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-02-02 17:01:26 +01:00
Takashi Iwai 0fcd9f4b3c ALSA: control: Embed struct device
This patch embeds a struct device for the control device into the card
object and avoid the device creation at registration time.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-02-02 14:42:41 +01:00
Takashi Iwai 23c18d4bfd ALSA: control: Provide a helper to look for the preferred subdevice
Instead of open-coding the search over the control file loop, provide
a helper function for the preferred subdevice assigned to the current
process.

Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2015-02-02 14:21:21 +01:00
Lars-Peter Clausen 31584ed18c ALSA: snd_ctl_activate_id(): Fix index look-up
We want to know the offset for the id that was passed to the function, not
the offset of the first id of the control (which is always 0).

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-11-07 14:25:07 +01:00
Takashi Iwai 12cddbd869 ALSA: control: Add missing kerneldoc comments to exported functions
A few functions have no proper documentation yet, so let's add them.
Along with it, remove superfluous blank line between the closing brace
and EXPORT_SYMBOL() line.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-10-30 13:44:34 +01:00
Takashi Iwai a7e6fb9915 ALSA: control: Allow to pass items zero to snd_ctl_enum_info()
Although this is weird, some drivers want to allow empty control
elements intentionally, e.g. the number of items may change depending
on the firmware status.  Let the function simply returning in such a
case.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-10-20 18:25:41 +02:00
Takashi Iwai df803e1389 ALSA: control: Warn if too long string is passed to snd_ctl_enum_info()
This allows us to catch the bugs in drivers easily.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-10-20 18:25:27 +02:00
Takashi Iwai 0cea76f339 ALSA: control: Define SNDRV_CTL_TLV_OP_* constants
Instead of hard-coded magic numbers, define constants for op_flag to
tlv callbacks.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-07-15 16:31:01 +02:00
Lars-Peter Clausen 883a1d49f0 ALSA: control: Make sure that id->index does not overflow
The ALSA control code expects that the range of assigned indices to a control is
continuous and does not overflow. Currently there are no checks to enforce this.
If a control with a overflowing index range is created that control becomes
effectively inaccessible and unremovable since snd_ctl_find_id() will not be
able to find it. This patch adds a check that makes sure that controls with a
overflowing index range can not be created.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-06-18 15:13:37 +02:00
Lars-Peter Clausen ac902c112d ALSA: control: Handle numid overflow
Each control gets automatically assigned its numids when the control is created.
The allocation is done by incrementing the numid by the amount of allocated
numids per allocation. This means that excessive creation and destruction of
controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
eventually overflow. Currently when this happens for the control that caused the
overflow kctl->id.numid + kctl->count will also over flow causing it to be
smaller than kctl->id.numid. Most of the code assumes that this is something
that can not happen, so we need to make sure that it won't happen

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-06-18 15:13:23 +02:00
Lars-Peter Clausen fd9f26e4ec ALSA: control: Don't access controls outside of protected regions
A control that is visible on the card->controls list can be freed at any time.
This means we must not access any of its memory while not holding the
controls_rw_lock. Otherwise we risk a use after free access.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-06-18 15:13:07 +02:00
Lars-Peter Clausen 82262a4662 ALSA: control: Fix replacing user controls
There are two issues with the current implementation for replacing user
controls. The first is that the code does not check if the control is actually a
user control and neither does it check if the control is owned by the process
that tries to remove it. That allows userspace applications to remove arbitrary
controls, which can cause a user after free if a for example a driver does not
expect a control to be removed from under its feed.

The second issue is that on one hand when a control is replaced the
user_ctl_count limit is not checked and on the other hand the user_ctl_count is
increased (even though the number of user controls does not change). This allows
userspace, once the user_ctl_count limit as been reached, to repeatedly replace
a control until user_ctl_count overflows. Once that happens new controls can be
added effectively bypassing the user_ctl_count limit.

Both issues can be fixed by instead of open-coding the removal of the control
that is to be replaced to use snd_ctl_remove_user_ctl(). This function does
proper permission checks as well as decrements user_ctl_count after the control
has been removed.

Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at
beginning of the function if the control already exists is removed. This is not
a problem though since the check is quite useless, because the lock that is
protecting the control list is released between the check and before adding the
new control to the list, which means that it is possible that a different
control with the same settings is added to the list after the check. Luckily
there is another check that is done while holding the lock in snd_ctl_add(), so
we'll rely on that to make sure that the same control is not added twice.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-06-18 15:12:49 +02:00
Lars-Peter Clausen 07f4d9d74a ALSA: control: Protect user controls against concurrent access
The user-control put and get handlers as well as the tlv do not protect against
concurrent access from multiple threads. Since the state of the control is not
updated atomically it is possible that either two write operations or a write
and a read operation race against each other. Both can lead to arbitrary memory
disclosure. This patch introduces a new lock that protects user-controls from
concurrent access. Since applications typically access controls sequentially
than in parallel a single lock per card should be fine.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-06-18 15:12:33 +02:00
Takashi Iwai bb00945749 ALSA: control: Use standard printk helpers
Use dev_err() & co as much as possible.  If not available (no device
assigned at the calling point), use pr_xxx() helpers instead.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-02-14 08:14:14 +01:00
Takashi Iwai 8eeaa2f9e0 ALSA: Replace with IS_ENABLED()
Replace the lengthy #if defined(XXX) || defined(XXX_MODULE) with the
new IS_ENABLED() macro.

The patch still doesn't cover all ifdefs.  For example, the dependency
on CONFIG_GAMEPORT is still open-coded because this also has an extra
dependency on MODULE.  Similarly, an open-coded ifdef in pcm_oss.c and
some sequencer-related stuff are left untouched.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-02-10 11:42:00 +01:00
Yacine Belkadi eb7c06e8e9 ALSA: add/change some comments describing function return values
script/kernel-doc reports the following type of warnings (when run in verbose
mode):

Warning(sound/core/init.c:152): No description found for return value of
'snd_card_create'

To fix that:
- add missing descriptions of function return values
- use "Return:" sections to describe those return values

Along the way:
- complete some descriptions
- fix some typos

Signed-off-by: Yacine Belkadi <yacine.belkadi.1@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2013-03-12 08:32:53 +01:00
Takashi Iwai 0914f7961b ALSA: Avoid endless sleep after disconnect
When disconnect callback is called, each component should wake up
sleepers and check card->shutdown flag for avoiding the endless sleep
blocking the proper resource release.

Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-10-30 11:07:15 +01:00
Takashi Iwai a0830dbd4e ALSA: Add a reference counter to card instance
For more strict protection for wild disconnections, a refcount is
introduced to the card instance, and let it up/down when an object is
referred via snd_lookup_*() in the open ops.

The free-after-last-close check is also changed to check this refcount
instead of the empty list, too.

Reported-by: Matthieu CASTET <matthieu.castet@parrot.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-10-30 11:07:10 +01:00
Takashi Iwai a8d372f171 ALSA: control: Fix missing VOLATILE flag at creating controls
The SNDRV_CTL_ELEM_ACCESS_VOLATILE bit flag wasn't properly inherited
at creating control elements via snd_ctl_new1().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-09-06 18:01:16 +02:00
Jeffrin Jose bd483d4c6c ALSA: control - Fixe a trailing white space error
Fixed a trailing white space error detected
in sound/core/control.c by checkpatch.pl script.

Signed-off-by: Jeffrin Jose <ahiliation@yahoo.co.in>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2012-03-13 08:11:59 +01:00
Linus Torvalds 32aaeffbd4 Merge branch 'modsplit-Oct31_2011' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux
* 'modsplit-Oct31_2011' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux: (230 commits)
  Revert "tracing: Include module.h in define_trace.h"
  irq: don't put module.h into irq.h for tracking irqgen modules.
  bluetooth: macroize two small inlines to avoid module.h
  ip_vs.h: fix implicit use of module_get/module_put from module.h
  nf_conntrack.h: fix up fallout from implicit moduleparam.h presence
  include: replace linux/module.h with "struct module" wherever possible
  include: convert various register fcns to macros to avoid include chaining
  crypto.h: remove unused crypto_tfm_alg_modname() inline
  uwb.h: fix implicit use of asm/page.h for PAGE_SIZE
  pm_runtime.h: explicitly requires notifier.h
  linux/dmaengine.h: fix implicit use of bitmap.h and asm/page.h
  miscdevice.h: fix up implicit use of lists and types
  stop_machine.h: fix implicit use of smp.h for smp_processor_id
  of: fix implicit use of errno.h in include/linux/of.h
  of_platform.h: delete needless include <linux/module.h>
  acpi: remove module.h include from platform/aclinux.h
  miscdevice.h: delete unnecessary inclusion of module.h
  device_cgroup.h: delete needless include <linux/module.h>
  net: sch_generic remove redundant use of <linux/module.h>
  net: inet_timewait_sock doesnt need <linux/module.h>
  ...

Fix up trivial conflicts (other header files, and  removal of the ab3550 mfd driver) in
 - drivers/media/dvb/frontends/dibx000_common.c
 - drivers/media/video/{mt9m111.c,ov6650.c}
 - drivers/mfd/ab3550-core.c
 - include/linux/dmaengine.h
2011-11-06 19:44:47 -08:00
Olof Johansson 447c6f93ab ALSA: control: remove compilation warning on 32-bit
This was introduced by 'ALSA: control: add support for ENUMERATED user
space controls' which adds a u64 variable that gets cast to a pointer:

sound/core/control.c: In function 'snd_ctl_elem_init_enum_names':
sound/core/control.c:1089: warning: cast to pointer from integer of different size

Cast to uintptr_t before casting to pointer to avoid the warning.

Signed-off-by: Olof Johansson <olof@lixom.net>
[cl: replace long with uintptr_t]
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-11-06 11:22:15 +01:00
Paul Gortmaker da155d5b40 sound: Add module.h to the previously silent sound users
Lots of sound drivers were getting module.h via the implicit presence
of it in <linux/device.h> but we are going to clean that up.  So
fix up those users now.

Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2011-10-31 19:31:21 -04:00
Clemens Ladisch 8d448162bd ALSA: control: add support for ENUMERATED user space controls
Handling of user control elements was implemented for all types except
ENUMERATED.  This type will be needed for the device-specific mixers of
upcoming FireWire drivers.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-10-09 09:09:11 +02:00
Lu Guanqun 08ede038a7 ALSA: core: release the constraint check for replace ops
Suppose the ALSA card already has a number of MAX_USER_CONTROLS controls, and
the user wants to replace one, it should not fail at this condition check.

Signed-off-by: Lu Guanqun <guanqun.lu@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-08-24 10:22:43 +02:00
Lu Guanqun 983929cafc ALSA: core: trivial code style fix
remove trailing tab on the line.

Signed-off-by: Lu Guanqun <guanqun.lu@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-08-24 10:22:34 +02:00
Luca Tettamanti 78fa2c4d24 ALSA: core: remove unused variables.
Drop a few variables that are never read.

Signed-off-by: Luca Tettamanti <kronos.it@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-05-26 08:19:04 +02:00
Dimitris Papastamos 66b5b9722b ALSA: Add snd_ctl_replace() to dynamically replace a control
Add a function to dynamically replace a given control.  If the
control does not already exist, a third parameter is used to determine
whether to actually add that control.  This is useful in cases where
downloadable firmware at runtime can add or replace existing controls.
A separate patch needs to be made to allow ALSA Mixer to render the
replaced controls on the fly.

Signed-off-by: Dimitris Papastamos <dp@opensource.wolfsonmicro.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-03-22 13:22:39 +01:00
Takashi Iwai d351cf4603 Merge branch 'topic/misc' into for-linus 2011-03-18 07:39:08 +01:00
Takashi Iwai 3cbdd75331 ALSA: Add snd_ctl_activate_id()
Added a new API function snd_ctl_activate_id() for activate / inactivate
the control element dynamically.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
2011-03-11 10:49:15 +00:00
Clemens Ladisch 0e82e5fa97 ALSA: control: clean up snd_ctl_hole_check()
The return value of snd_ctl_hole_check() is used only to detect whether
to continue the loop in snd_ctl_find_hole() or not, so we can simplify
the code by changing this return type to a boolean.  Also rename this
function to better show what it actually does.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-03-08 13:00:09 +01:00
Clemens Ladisch 7c73358771 ALSA: control: fix numid conflict check for new controls
The purpose of the snd_ctl_hole_check() function is to find conflicts
between the numerical IDs of the new control and those of any existing
controls.  However, it would fail to detect an existing control whose
count is smaller than the new control's count and whose interval of IDs
is entirely contained in the interval of the new control's IDs.

To fix this, use the correct formula to detect overlapping intervals,
which happens to simplify the condition.

This problem was not encountered so far because ALSA does not yet allow
drivers to allocate specific control IDs.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-03-08 12:59:48 +01:00
Clemens Ladisch 9600732b6c ALSA: core, oxygen, virtuoso: add an enum control info helper
Introduce the helper function snd_ctl_enum_info() to fill out the
elem_info fields for an enumerated control.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2011-01-10 16:46:53 +01:00
Dan Rosenberg 5591bf0722 ALSA: prevent heap corruption in snd_ctl_new()
The snd_ctl_new() function in sound/core/control.c allocates space for a
snd_kcontrol struct by performing arithmetic operations on a
user-provided size without checking for integer overflow.  If a user
provides a large enough size, an overflow will occur, the allocated
chunk will be too small, and a second user-influenced value will be
written repeatedly past the bounds of this chunk.  This code is
reachable by unprivileged users who have permission to open
a /dev/snd/controlC* device (on many distros, this is group "audio") via
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-09-28 21:33:16 +02:00
Takashi Iwai 02f4865fa4 ALSA: core - Define llseek fops
Set no_llseek to llseek file ops of each sound component (but for hwdep).
This avoids the implicit BKL invocation via generic_file_llseek() used
as default when fops.llseek is NULL.

Also call nonseekable_open() at each open ops to ensure the file flags
have no seek bit.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
2010-04-13 12:01:21 +02:00