diff options
| author | Takashi Iwai <tiwai@suse.de> | 2016-01-18 14:12:40 +0100 |
|---|---|---|
| committer | Willy Tarreau <w@1wt.eu> | 2016-03-12 14:25:45 +0100 |
| commit | bc0f29c3fc3c52b64fff5f64d56f20e8deeabbd5 (patch) | |
| tree | 9bb13c4883dc49733a4bae5db7e3223b8fbef58c | |
| parent | 99e79f2963d556abc263f2b88adfa41d3022c78a (diff) | |
| download | lwn-bc0f29c3fc3c52b64fff5f64d56f20e8deeabbd5.tar.gz lwn-bc0f29c3fc3c52b64fff5f64d56f20e8deeabbd5.zip | |
ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream.
When a TLV ioctl with numid zero is handled, the driver may spew a
kernel warning with a stack trace at each call. The check was
intended obviously only for a kernel driver, but not for a user
interaction. Let's fix it.
This was spotted by syzkaller fuzzer.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>
| -rw-r--r-- | sound/core/control.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sound/core/control.c b/sound/core/control.c index ffa7857eb51d..e6fcf56ef615 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -1130,6 +1130,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file, return -EFAULT; if (tlv.length < sizeof(unsigned int) * 3) return -EINVAL; + if (!tlv.numid) + return -EINVAL; down_read(&card->controls_rwsem); kctl = snd_ctl_find_numid(card, tlv.numid); if (kctl == NULL) { |