From 2a031aedf7f574a01eb725507cb303d4d7b8b23a Mon Sep 17 00:00:00 2001 From: Clemens Ladisch Date: Mon, 17 Aug 2009 12:25:52 +0200 Subject: sound: snd_ctl_elem_add: fix value count check Make sure that no user element that has no values can be added. The check for count>1024 is not needed because the count is checked later for the individual control types. Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai --- sound/core/control.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/core/control.c b/sound/core/control.c index 17b8d47a5cd0..66d6aaf9314c 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -951,7 +951,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, if (card->user_ctl_count >= MAX_USER_CONTROLS) return -ENOMEM; - if (info->count > 1024) + if (info->count < 1) return -EINVAL; access = info->access == 0 ? SNDRV_CTL_ELEM_ACCESS_READWRITE : (info->access & (SNDRV_CTL_ELEM_ACCESS_READWRITE| -- cgit v1.2.3 From 317b80817fcaeac7ae7e062fcccef0d2aba38a78 Mon Sep 17 00:00:00 2001 From: Clemens Ladisch Date: Mon, 17 Aug 2009 12:26:34 +0200 Subject: sound: snd_ctl_remove_unlocked_id: simplify error paths Use a common exit path to release the mutex and to return a possible error. Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai --- sound/core/control.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/sound/core/control.c b/sound/core/control.c index 66d6aaf9314c..9d91f77bc880 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -433,15 +433,16 @@ static int snd_ctl_remove_unlocked_id(struct snd_ctl_file * file, down_write(&card->controls_rwsem); kctl = snd_ctl_find_id(card, id); if (kctl == NULL) { - up_write(&card->controls_rwsem); - return -ENOENT; + ret = -ENOENT; + goto error; } for (idx = 0; idx < kctl->count; idx++) if (kctl->vd[idx].owner != NULL && kctl->vd[idx].owner != file) { - up_write(&card->controls_rwsem); - return -EBUSY; + ret = -EBUSY; + goto error; } ret = snd_ctl_remove(card, kctl); +error: up_write(&card->controls_rwsem); return ret; } -- cgit v1.2.3 From f217ac59b6dd73105abc13da3fe656391fa6d135 Mon Sep 17 00:00:00 2001 From: Clemens Ladisch Date: Mon, 17 Aug 2009 12:27:22 +0200 Subject: sound: snd_ctl_remove_unlocked_id: simplify user control counting Move the decrementing of the user controls counter from snd_ctl_elem_remove to snd_ctl_remove_unlocked_id; this saves the separate locking of the controls semaphore, and therefore removes a harmless race. Since the purpose of the function is to operate on user controls (the control being unlocked is just a prerequisite), rename it to snd_ctl_remove_user_ctl. Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai --- sound/core/control.c | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/sound/core/control.c b/sound/core/control.c index 9d91f77bc880..bc64b723415b 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -414,7 +414,7 @@ int snd_ctl_remove_id(struct snd_card *card, struct snd_ctl_elem_id *id) EXPORT_SYMBOL(snd_ctl_remove_id); /** - * snd_ctl_remove_unlocked_id - remove the unlocked control of the given id and release it + * snd_ctl_remove_user_ctl - remove and release the unlocked user control * @file: active control handle * @id: the control id to remove * @@ -423,8 +423,8 @@ EXPORT_SYMBOL(snd_ctl_remove_id); * * Returns 0 if successful, or a negative error code on failure. */ -static int snd_ctl_remove_unlocked_id(struct snd_ctl_file * file, - struct snd_ctl_elem_id *id) +static int snd_ctl_remove_user_ctl(struct snd_ctl_file * file, + struct snd_ctl_elem_id *id) { struct snd_card *card = file->card; struct snd_kcontrol *kctl; @@ -442,6 +442,9 @@ static int snd_ctl_remove_unlocked_id(struct snd_ctl_file * file, goto error; } ret = snd_ctl_remove(card, kctl); + if (ret < 0) + goto error; + card->user_ctl_count--; error: up_write(&card->controls_rwsem); return ret; @@ -1053,18 +1056,10 @@ static int snd_ctl_elem_remove(struct snd_ctl_file *file, struct snd_ctl_elem_id __user *_id) { struct snd_ctl_elem_id id; - int err; if (copy_from_user(&id, _id, sizeof(id))) return -EFAULT; - err = snd_ctl_remove_unlocked_id(file, &id); - if (! err) { - struct snd_card *card = file->card; - down_write(&card->controls_rwsem); - card->user_ctl_count--; - up_write(&card->controls_rwsem); - } - return err; + return snd_ctl_remove_user_ctl(file, &id); } static int snd_ctl_subscribe_events(struct snd_ctl_file *file, int __user *ptr) -- cgit v1.2.3 From 18dd0aa5afea7dc33953aa87de696e39074bbf78 Mon Sep 17 00:00:00 2001 From: Clemens Ladisch Date: Mon, 17 Aug 2009 12:28:09 +0200 Subject: sound: snd_ctl_remove_user_ctl: prevent removal of kernel controls Ensure that userspace can remove only user controls. Controls created by kernel drivers must not be removed because they might be referenced in calls to snd_ctl_notify(). Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai --- sound/core/control.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/core/control.c b/sound/core/control.c index bc64b723415b..a8b7fabe645e 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -436,6 +436,10 @@ static int snd_ctl_remove_user_ctl(struct snd_ctl_file * file, ret = -ENOENT; goto error; } + if (!(kctl->vd[0].access & SNDRV_CTL_ELEM_ACCESS_USER)) { + ret = -EINVAL; + goto error; + } for (idx = 0; idx < kctl->count; idx++) if (kctl->vd[idx].owner != NULL && kctl->vd[idx].owner != file) { ret = -EBUSY; -- cgit v1.2.3