kernel/linux.git/sound/core/oss, branch v6.18.35Linux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.352026-06-09T10:28:25+00:00ALSA: pcm: oss: Fix setup list UAF on proc write error2026-06-09T10:28:25+00:00Cássio Gabrielcassiogabrielcontato@gmail.com2026-05-23T01:09:40+00:00urn:sha1:e13922bb97b4e6f94f8ac02d034f2d4bd65eeb3c
[ Upstream commit 4cc54bdd54b337e77115be5b55577d1c58608eae ]
snd_pcm_oss_proc_write() links a newly allocated setup entry into the
OSS setup list before duplicating the task name. If the task-name
allocation fails, the error path frees the already linked entry and
leaves setup_list pointing at freed memory.
A later OSS device open can then walk the stale list entry in
snd_pcm_oss_look_for_setup() and dereference freed memory.
Allocate the task name and initialize the setup entry before publishing
the entry on setup_list. Also fetch the initial proc read iterator only
after taking setup_mutex, so all setup_list traversal follows the same
list lifetime rules.
Reported-by: syzbot+8e498074a794999eb41c@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6a1062b7.170a0220.35b2b7.0003.GAE@google.com
Closes: https://syzkaller.appspot.com/bug?extid=8e498074a794999eb41c
Fixes: 060d77b9c04a ("[ALSA] Fix / clean up PCM-OSS setup hooks")
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
Link: https://patch.msgid.link/20260522-alsa-pcm-oss-setup-uaf-v1-1-40bdcc4d17e8@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
ALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger2026-05-14T13:30:13+00:00Takashi Iwaitiwai@suse.de2026-04-24T11:21:55+00:00urn:sha1:ac3e9b55b7da6f0be51720bd330a0edc1a8b61f1
commit 901ac0ff15edf9503162e2cf6579bd11a30f1ed4 upstream.
Currently the runtime.oss.trigger field may be accessed concurrently
without protection, which may lead to the data race. And, in this
case, it may lead to more severe problem because it's a bit field; as
writing the data, it may overwrite other bit fields as well, which
confuses the operation completely, as spotted by fuzzing.
Fix it by covering runtime.oss.trigger bit fled also with the existing
params_lock mutex in both snd_pcm_oss_get_trigger() and
snd_pcm_oss_poll().
Reported-and-tested-by: Jaeyoung Chung <jjy600901@snu.ac.kr>
Closes: https://lore.kernel.org/20260423145330.210035-1-jjy600901@snu.ac.kr
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20260424112205.123703-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ALSA: mixer: oss: Add card disconnect checkpoints2026-03-04T12:20:08+00:00Takashi Iwaitiwai@suse.de2026-02-09T12:12:11+00:00urn:sha1:e6645e625480cdf1079a4265f758d13b70721029
[ Upstream commit 084d5d44418148662365eced3e126ad1a81ee3e2 ]
ALSA OSS mixer layer calls the kcontrol ops rather individually, and
pending calls might be not always caught at disconnecting the device.
For avoiding the potential UAF scenarios, add sanity checks of the
card disconnection at each entry point of OSS mixer accesses. The
rwsem is taken just before that check, hence the rest context should
be covered by that properly.
Link: https://patch.msgid.link/20260209121212.171430-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer2026-01-23T10:21:23+00:00Jaroslav Kyselaperex@perex.cz2026-01-07T21:36:42+00:00urn:sha1:670cd1c2384acd367da438032084429d1c131b2a
commit 47c27c9c9c720bc93fdc69605d0ecd9382e99047 upstream.
Handle the error code from snd_pcm_buffer_access_lock() in
snd_pcm_runtime_buffer_set_silence() function.
Found by Alexandros Panagiotou <apanagio@redhat.com>
Fixes: 93a81ca06577 ("ALSA: pcm: Fix race of buffer access at PCM OSS layer")
Cc: stable@vger.kernel.org # 6.15
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://patch.msgid.link/20260107213642.332954-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ALSA: pcm: oss: Use guard() for spin locks2025-08-27T08:14:20+00:00Takashi Iwaitiwai@suse.de2025-08-27T08:06:13+00:00urn:sha1:d2de0f8b5a8266eec4611d6b3f580e49d9bfd46c
Clean up the code using guard() for spin locks.
Merely code refactoring, and no behavior change.
Link: https://patch.msgid.link/20250827080618.7682-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: mixer_oss: Remove deprecated strcpy() function calls2025-06-23T15:10:32+00:00Thorsten Blumthorsten.blum@linux.dev2025-06-23T11:38:54+00:00urn:sha1:d5363522042bca867f45174b4d5a8b5a39eae989
Remove the deprecated strcpy() function calls and assign the strings
directly to a 'char *' instead.
Use 'if/else if' instead of two separate if statements.
No functional changes intended.
Link: https://github.com/KSPP/linux/issues/88
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20250623113855.37031-2-thorsten.blum@linux.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: pcm: Fix race of buffer access at PCM OSS layer2025-05-16T08:09:02+00:00Takashi Iwaitiwai@suse.de2025-05-16T08:08:16+00:00urn:sha1:93a81ca0657758b607c3f4ba889ae806be9beb73
The PCM OSS layer tries to clear the buffer with the silence data at
initialization (or reconfiguration) of a stream with the explicit call
of snd_pcm_format_set_silence() with runtime->dma_area. But this may
lead to a UAF because the accessed runtime->dma_area might be freed
concurrently, as it's performed outside the PCM ops.
For avoiding it, move the code into the PCM core and perform it inside
the buffer access lock, so that it won't be changed during the
operation.
Reported-by: syzbot+32d4647f551007595173@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/68164d8e.050a0220.11da1b.0019.GAE@google.com
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20250516080817.20068-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Merge tag 'asoc-fix-v6.12-rc1' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus2024-10-02T19:29:16+00:00Takashi Iwaitiwai@suse.de2024-10-02T19:29:16+00:00urn:sha1:0c436dfe5c25d0931b164b944165259f95e5281f
ASoC: Fixes for v6.12
A bunch of fixes here that came in during the merge window and the first
week of release, plus some new quirks and device IDs. There's nothing
major here, it's a bit bigger than it might've been due to there being
no fixes sent during the merge window due to your vacation.
ALSA: mixer_oss: Remove some incorrect kfree_const() usages2024-09-30T08:12:08+00:00Christophe JAILLETchristophe.jaillet@wanadoo.fr2024-09-26T18:17:36+00:00urn:sha1:368e4663c557de4a33f321b44e7eeec0a21b2e4e
"assigned" and "assigned->name" are allocated in snd_mixer_oss_proc_write()
using kmalloc() and kstrdup(), so there is no point in using kfree_const()
to free these resources.
Switch to the more standard kfree() to free these resources.
This could avoid a memory leak.
Fixes: 454f5ec1d2b7 ("ALSA: mixer: oss: Constify snd_mixer_oss_assign_table definition")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://patch.msgid.link/63ac20f64234b7c9ea87a7fa9baf41e8255852f7.1727374631.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Takashi Iwai <tiwai@suse.de>
ALSA: Fix typos in comments across various files2024-09-30T07:52:31+00:00Yu Jiaoliangyujiaoliang@vivo.com2024-09-24T04:17:45+00:00urn:sha1:73c6e9e16f5bd8709c8cf3861d4b97f6ee23e2b7
This patch fixes typos in comments within the ALSA subsystem.
These changes improve code readability without affecting
functionality.
Signed-off-by: Yu Jiaoliang <yujiaoliang@vivo.com>
Link: https://patch.msgid.link/20240924041749.3125507-1-yujiaoliang@vivo.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>