Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.15.210 2026-06-01T15:35:15+00:00 2026-06-01T15:35:15+00:00 Cássio Gabriel cassiogabrielcontato@gmail.com 2026-03-24T19:59:41+00:00 urn:sha1:5dafcf58b5185dec6ff74678862d8aa43aa3bff6 commit bbc6c0dda54fc0ad8f8aed0b796c23e186e1a188 upstream. snd_seq_oss_write() currently returns the raw load_patch() callback result for SEQ_FULLSIZE events. That callback is documented as returning 0 on success and -errno on failure, but snd_seq_oss_write() is the file write path and should report the number of user bytes consumed on success. Some in-tree backends also return backend-specific positive values, which can still be shorter than the original write size. Return the full byte count for successful SEQ_FULLSIZE writes. Preserve negative errors and convert any nonnegative completion to the original count. Cc: stable@vger.kernel.org Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com> Link: https://patch.msgid.link/20260324-alsa-seq-oss-fullsize-write-return-v1-1-66d448510538@gmail.com Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-09-19T10:22:29+00:00 Takashi Iwai tiwai@suse.de 2023-06-12T12:55:33+00:00 urn:sha1:8c1b60dad0f5a5fb7eae0e80a4b5618df184913f [ Upstream commit 297224fc0922e7385573a30c29ffdabb67f27b7d ] Although snd_seq_oss_midi_open() and snd_seq_oss_midi_close() can be called concurrently from different code paths, we have no proper data protection against races. Introduce open_mutex to each seq_oss_midi object for avoiding the races. Reported-by: "Gong, Sishuai" <sishuai@purdue.edu> Closes: https://lore.kernel.org/r/7DC9AF71-F481-4ABA-955F-76C535661E33@purdue.edu Link: https://lore.kernel.org/r/20230612125533.27461-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-09-08T10:28:07+00:00 Takashi Iwai tiwai@suse.de 2022-08-23T07:27:16+00:00 urn:sha1:9b7a07fcc5d4918c4722a3522a14092efc8ed090 commit 22dec134dbfa825b963f8a1807ad19b943e46a56 upstream. ALSA OSS sequencer refers to a global variable max_midi_devs at creating a new port, storing it to its own field. Meanwhile this variable may be changed by other sequencer events at snd_seq_oss_midi_check_exit_port() in parallel, which may cause a data race. OTOH, this data race itself is almost harmless, as the access to the MIDI device is done via get_mdev() and it's protected with a refcount, hence its presence is guaranteed. Though, it's sill better to address the data-race from the code sanity POV, and this patch adds the proper spinlock for the protection. Reported-by: Abhishek Shah <abhishek.shah@columbia.edu> Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/CAEHB2493pZRXs863w58QWnUTtv3HHfg85aYhLn5HJHCwxqtHQg@mail.gmail.com Link: https://lore.kernel.org/r/20220823072717.1706-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-06-17T14:02:26+00:00 Takashi Iwai tiwai@suse.de 2021-06-17T13:47:42+00:00 urn:sha1:c485f7e9863c4483f5d2e9a8da622b52d110d866 The system port creation in ALSA OSS sequencer was wrongly checked against to the port number that can be never negative. The error code should be checked rather against the ioctl call. This patch corrects the error check. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/20210617134742.6321-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 2021-06-09T15:30:26+00:00 Takashi Iwai tiwai@suse.de 2021-06-08T14:05:30+00:00 urn:sha1:f9a6bb841f737015aface3ba4ac845e66542850e There are lots of places doing assignments in if condition in ALSA sequencer core, which is a bad coding style that may confuse readers and occasionally lead to bugs. This patch is merely for coding-style fixes, no functional changes. Link: https://lore.kernel.org/r/20210608140540.17885-57-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 2021-01-18T16:39:23+00:00 Takashi Iwai tiwai@suse.de 2021-01-18T16:39:18+00:00 urn:sha1:c09e28cd1219fd267ed838e1758ff2e7b6ff3ec6 Back-merge of 5.11 devel branch for more works on USB-audio. Signed-off-by: Takashi Iwai <tiwai@suse.de> 2021-01-15T09:35:17+00:00 Takashi Iwai tiwai@suse.de 2021-01-15T09:34:28+00:00 urn:sha1:217bfbb8b0bfa24619b11ab75c135fec99b99b20 snd_seq_oss_synth_make_info() didn't check the error code from snd_seq_oss_midi_make_info(), and this leads to the call of strlcpy() with the uninitialized string as the source, which may lead to the access over the limit. Add the proper error check for avoiding the failure. Reported-by: syzbot+e42504ff21cff05a595f@syzkaller.appspotmail.com Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20210115093428.15882-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 2021-01-08T08:30:05+00:00 Joe Perches joe@perches.com 2021-01-04T17:17:34+00:00 urn:sha1:75b1a8f9d62e50f05d0e4e9f3c8bcde32527ffc1 strlcpy is deprecated. see: Documentation/process/deprecated.rst Change the calls that do not use the strlcpy return value to the preferred strscpy. Done with cocci script: @@ expression e1, e2, e3; @@ - strlcpy( + strscpy( e1, e2, e3); This cocci script leaves the instances where the return value is used unchanged. After this patch, sound/ has 3 uses of strlcpy() that need to be manually inspected for conversion and changed one day. $ git grep -w strlcpy sound/ sound/usb/card.c: len = strlcpy(card->longname, s, sizeof(card->longname)); sound/usb/mixer.c: return strlcpy(buf, p->name, buflen); sound/usb/mixer.c: return strlcpy(buf, p->names[index], buflen); Miscellenea: o Remove trailing whitespace in conversion of sound/core/hwdep.c Link: https://lore.kernel.org/lkml/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/ Signed-off-by: Joe Perches <joe@perches.com> Acked-by: Mark Brown <broonie@kernel.org> Link: https://lore.kernel.org/r/22b393d1790bb268769d0bab7bacf0866dcb0c14.camel@perches.com Signed-off-by: Takashi Iwai <tiwai@suse.de> 2020-09-23T12:45:14+00:00 Takashi Iwai tiwai@suse.de 2020-09-22T08:38:56+00:00 urn:sha1:2759caad2600d503c3b0ed800e7e03d2cd7a4c05 Recently we applied a fix to cover the whole OSS sequencer ioctls with the mutex for dealing with the possible races. This works fine in general, but in theory, this may lead to unexpectedly long stall if an ioctl like SNDCTL_SEQ_SYNC is issued and an event with the far future timestamp was queued. For fixing such a potential stall, this patch changes the mutex lock applied conditionally excluding such an ioctl command. Also, change the mutex_lock() with the interruptible version for user to allow escaping from the big-hammer mutex. Fixes: 80982c7e834e ("ALSA: seq: oss: Serialize ioctls") Suggested-by: Pavel Machek <pavel@ucw.cz> Link: https://lore.kernel.org/r/20200922083856.28572-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de> 2020-08-05T06:27:39+00:00 Takashi Iwai tiwai@suse.de 2020-08-04T18:58:15+00:00 urn:sha1:80982c7e834e5d4e325b6ce33757012ecafdf0bb Some ioctls via OSS sequencer API may race and lead to UAF when the port create and delete are performed concurrently, as spotted by a couple of syzkaller cases. This patch is an attempt to address it by serializing the ioctls with the existing register_mutex. Basically OSS sequencer API is an obsoleted interface and was designed without much consideration of the concurrency. There are very few applications with it, and the concurrent performance isn't asked, hence this "big hammer" approach should be good enough. Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com Suggested-by: Hillf Danton <hdanton@sina.com> Cc: <stable@vger.kernel.org> Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de Signed-off-by: Takashi Iwai <tiwai@suse.de>