| From c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 Mon Sep 17 00:00:00 2001 |
| From: Takashi Iwai <tiwai@suse.de> |
| Date: Mon, 18 Jan 2016 14:12:40 +0100 |
| Subject: ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 |
| |
| From: Takashi Iwai <tiwai@suse.de> |
| |
| commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream. |
| |
| When a TLV ioctl with numid zero is handled, the driver may spew a |
| kernel warning with a stack trace at each call. The check was |
| intended obviously only for a kernel driver, but not for a user |
| interaction. Let's fix it. |
| |
| This was spotted by syzkaller fuzzer. |
| |
| Reported-by: Dmitry Vyukov <dvyukov@google.com> |
| Signed-off-by: Takashi Iwai <tiwai@suse.de> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| sound/core/control.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/sound/core/control.c |
| +++ b/sound/core/control.c |
| @@ -1405,6 +1405,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ |
| return -EFAULT; |
| if (tlv.length < sizeof(unsigned int) * 2) |
| return -EINVAL; |
| + if (!tlv.numid) |
| + return -EINVAL; |
| down_read(&card->controls_rwsem); |
| kctl = snd_ctl_find_numid(card, tlv.numid); |
| if (kctl == NULL) { |
