[PATCH] ALSA: seq: Fix partial userptr event expansion

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] ALSA: seq: Fix partial userptr event expansion
@ 2026-06-06  4:09 HyeongJun An
  2026-06-06 16:14 ` Takashi Iwai
  0 siblings, 1 reply; 2+ messages in thread
From: HyeongJun An @ 2026-06-06  4:09 UTC (permalink / raw)
  To: Takashi Iwai, Jaroslav Kysela; +Cc: linux-sound, linux-kernel, HyeongJun An

snd_seq_expand_var_event_at() clamps the number of bytes to copy to the
remaining variable-event length, but passes the original buffer size to
expand_var_event().

For SNDRV_SEQ_EXT_USRPTR events, expand_var_event() copies exactly the
size argument from userspace.  On the final chunk, when the remaining
event data is shorter than the caller's buffer, this can read past the
declared event data and can spuriously fail with -EFAULT if the extra
bytes cross an unmapped page.

Pass the clamped length instead.  The chained and kernel-backed paths
already reclamp in dump_var_event(), but the user-pointer path handles
the size directly.

Fixes: ea46f79709b6 ("ALSA: seq: Add snd_seq_expand_var_event_at() helper")
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
---
 sound/core/seq/seq_memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
index aaf808316c30..ca9f6db0022c 100644
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -211,7 +211,7 @@ int snd_seq_expand_var_event_at(const struct snd_seq_event *event, int count,
 	len -= offset;
 	if (len > count)
 		len = count;
-	err = expand_var_event(event, offset, count, buf, true);
+	err = expand_var_event(event, offset, len, buf, true);
 	if (err < 0)
 		return err;
 	return len;
-- 
2.43.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] ALSA: seq: Fix partial userptr event expansion
  2026-06-06  4:09 [PATCH] ALSA: seq: Fix partial userptr event expansion HyeongJun An
@ 2026-06-06 16:14 ` Takashi Iwai
  0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2026-06-06 16:14 UTC (permalink / raw)
  To: HyeongJun An; +Cc: Takashi Iwai, Jaroslav Kysela, linux-sound, linux-kernel

On Sat, 06 Jun 2026 06:09:13 +0200,
HyeongJun An wrote:
> 
> snd_seq_expand_var_event_at() clamps the number of bytes to copy to the
> remaining variable-event length, but passes the original buffer size to
> expand_var_event().
> 
> For SNDRV_SEQ_EXT_USRPTR events, expand_var_event() copies exactly the
> size argument from userspace.  On the final chunk, when the remaining
> event data is shorter than the caller's buffer, this can read past the
> declared event data and can spuriously fail with -EFAULT if the extra
> bytes cross an unmapped page.
> 
> Pass the clamped length instead.  The chained and kernel-backed paths
> already reclamp in dump_var_event(), but the user-pointer path handles
> the size directly.
> 
> Fixes: ea46f79709b6 ("ALSA: seq: Add snd_seq_expand_var_event_at() helper")
> Signed-off-by: HyeongJun An <sammiee5311@gmail.com>

Applied to for-next branch now.  Thanks.


Takashi

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-06 16:14 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-06  4:09 [PATCH] ALSA: seq: Fix partial userptr event expansion HyeongJun An
2026-06-06 16:14 ` Takashi Iwai

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.