From: Takashi Iwai <tiwai@suse.de>
Date: Mon, 18 Jan 2016 13:12:40 +0000 (+0100)
Subject: ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
X-Git-Tag: v3.2.77~24
X-Git-Url: https://git.openpandora.org/cgi-bin/gitweb.cgi?p=pandora-kernel.git;a=commitdiff_plain;h=c793373eea1dcd0102a4f09edea14d404da9629b;hp=2652a5cb46b8e55c2e62aef48256c31af0127420;ds=sidebyside

ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0

commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream.

When a TLV ioctl with numid zero is handled, the driver may spew a
kernel warning with a stack trace at each call.  The check was
intended obviously only for a kernel driver, but not for a user
interaction.  Let's fix it.

This was spotted by syzkaller fuzzer.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---

diff --git a/sound/core/control.c b/sound/core/control.c
index 1ba5d339acd3..96c62e58d950 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1321,6 +1321,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
 		return -EFAULT;
 	if (tlv.length < sizeof(unsigned int) * 2)
 		return -EINVAL;
+	if (!tlv.numid)
+		return -EINVAL;
 	down_read(&card->controls_rwsem);
 	kctl = snd_ctl_find_numid(card, tlv.numid);
 	if (kctl == NULL) {