29 Sep, 2010
1 commit
-
The snd_ctl_new() function in sound/core/control.c allocates space for a
snd_kcontrol struct by performing arithmetic operations on a
user-provided size without checking for integer overflow. If a user
provides a large enough size, an overflow will occur, the allocated
chunk will be too small, and a second user-influenced value will be
written repeatedly past the bounds of this chunk. This code is
reachable by unprivileged users who have permission to open
a /dev/snd/controlC* device (on many distros, this is group "audio") via
the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.Signed-off-by: Dan Rosenberg
Cc:
Signed-off-by: Takashi Iwai
13 Apr, 2010
1 commit
-
Set no_llseek to llseek file ops of each sound component (but for hwdep).
This avoids the implicit BKL invocation via generic_file_llseek() used
as default when fops.llseek is NULL.Also call nonseekable_open() at each open ops to ensure the file flags
have no seek bit.Signed-off-by: Takashi Iwai
01 Feb, 2010
2 commits
-
Allow TLV blocks that do not have any values; the smallest possible TLV
is an empty container or one where the information is only in the tag.Signed-off-by: Clemens Ladisch
Signed-off-by: Jaroslav Kysela -
Creating a control with TLV_COMMAND access was not possible because
snd_ctl_new1() forgot to include it in the mask of allowable access
bits.Signed-off-by: Clemens Ladisch
Signed-off-by: Jaroslav Kysela
04 Dec, 2009
1 commit
18 Nov, 2009
1 commit
-
This function is only called from snd_ctl_ioctl() and the file parameter
can never be null so there is no need to check it here.We dereference file at the start of the function:
struct snd_card *card = file->card;
and it confuses static checkers to dereference a pointer before
checking it.Signed-off-by: Dan Carpenter
Signed-off-by: Takashi Iwai
06 Nov, 2009
2 commits
-
Instead of storing the PID number, take a reference to the task's pid
structure. This protects against duplicates due to PID overflows, and
using pid_vnr() ensures that the PID returned by snd_ctl_elem_info() is
correct as seen from the current namespace.Signed-off-by: Clemens Ladisch
Signed-off-by: Takashi Iwai -
We do not need to save the ID of the process that locked a control
because that information is already available in the owner's file data.Signed-off-by: Clemens Ladisch
Signed-off-by: Takashi Iwai
17 Aug, 2009
4 commits
-
Ensure that userspace can remove only user controls. Controls created
by kernel drivers must not be removed because they might be referenced
in calls to snd_ctl_notify().Signed-off-by: Clemens Ladisch
Signed-off-by: Takashi Iwai -
Move the decrementing of the user controls counter from
snd_ctl_elem_remove to snd_ctl_remove_unlocked_id; this saves the
separate locking of the controls semaphore, and therefore removes
a harmless race.Since the purpose of the function is to operate on user controls (the
control being unlocked is just a prerequisite), rename it to
snd_ctl_remove_user_ctl.Signed-off-by: Clemens Ladisch
Signed-off-by: Takashi Iwai -
Use a common exit path to release the mutex and to return a possible
error.Signed-off-by: Clemens Ladisch
Signed-off-by: Takashi Iwai -
Make sure that no user element that has no values can be added.
The check for count>1024 is not needed because the count is checked
later for the individual control types.Signed-off-by: Clemens Ladisch
Signed-off-by: Takashi Iwai
14 Apr, 2009
1 commit
-
Remove open-coded memdup_user().
Signed-off-by: Li Zefan
Signed-off-by: Takashi Iwai
16 Mar, 2009
1 commit
-
Most fasync implementations do something like:
return fasync_helper(...);
But fasync_helper() will return a positive value at times - a feature used
in at least one place. Thus, a number of other drivers do:err = fasync_helper(...);
if (err < 0)
return err;
return 0;In the interests of consistency and more concise code, it makes sense to
map positive return values onto zero where ->fasync() is called.Cc: Al Viro
Signed-off-by: Jonathan Corbet
02 Nov, 2008
1 commit
-
As it is, all instances of ->release() for files that have ->fasync()
need to remember to evict file from fasync lists; forgetting that
creates a hole and we actually have a bunch that *does* forget.So let's keep our lives simple - let __fput() check FASYNC in
file->f_flags and call ->fasync() there if it's been set. And lose that
crap in ->release() instances - leaving it there is still valid, but we
don't have to bother anymore.Signed-off-by: Al Viro
Signed-off-by: Linus Torvalds
29 Oct, 2008
1 commit
-
This is likely to confuse user interfaces since the end of the control
name is interpreted (eg, "Volume", "Switch").Signed-off-by: Mark Brown
Signed-off-by: Takashi Iwai
09 Sep, 2008
1 commit
-
The lock used in snd_ctl_dev_disconnect() should be card->ctl_files_rwlock
for protection of card->ctl_files entries, instead of card->controls_rwsem.Reported-by: Vegard Nossum
Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
13 Aug, 2008
1 commit
-
Kill snd_assert() in sound/core/*, either removed or replaced with
if () with snd_BUG_ON().Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
13 Jun, 2008
1 commit
-
snd_ctl_elem_read() and snd_ctl_elem_write() are no longer used by
any other drivers.Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
01 Feb, 2008
2 commits
-
This header file exists only for some hacks to adapt alsa-driver
tree. It's useless for building in the kernel. Let's move a few
lines in it to sound/core.h and remove it.
With this patch, sound/driver.h isn't removed but has just a single
compile warning to include it. This should be really killed in
future.Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela -
This patch removes the indirect control access to the control elements.
The indirect access has never been used and is even broken on 32bit
ioctl wrapper. Let's clean it up.
The pointers still remain in snd_ctl_elem_* structs just to make sure
that the struct size won't change. Once after checking the size
consistency, we can get rid of them, too.Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
23 Oct, 2007
1 commit
-
The lock grabbed in snd_ctl_empty_read_queue() is hardirq-unsafe but we hold
an hardirq-safe one already, so make the &ctl->read_lock also hard-irq-safe.Signed-off-by: Borislav Petkov
Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
16 Oct, 2007
3 commits
-
Signed-off-by: Jaroslav Kysela
-
snd_ctl_elem_{read,write} no longer have any modular users
Signed-off-by: Adrian Bunk
Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela -
Added helper functions for frequenty used callbacks:
snd_ctl_boolean_mono_info() and snd_ctl_boolean_stereo_info()Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
09 May, 2007
1 commit
-
Remove includes of where it is not used/needed.
Suggested by Al Viro.Builds cleanly on x86_64, i386, alpha, ia64, powerpc, sparc,
sparc64, and arm (all 59 defconfigs).Signed-off-by: Randy Dunlap
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
13 Feb, 2007
1 commit
-
Many struct file_operations in the kernel can be "const". Marking them const
moves these to the .rodata section, which avoids false sharing with potential
dirty data. In addition it'll catch accidental writes at compile time to
these shared resources.Signed-off-by: Arjan van de Ven
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
09 Feb, 2007
2 commits
-
Now that everyone uses snd_ctl_new1() and noone is using snd_ctl_new()
anymore, we can make it static.Signed-off-by: Adrian Bunk
Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela -
This patch converts most uses of list_for_each to list_for_each_entry all
across alsa. In some place apparently an item can be on a list with
different pointers so of course that isn't compatible with list_for_each, I
therefore didn't touch those places.Signed-off-by: Johannes Berg
Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
20 Dec, 2006
1 commit
-
This patch removes some obviously dead code spotted by the Coverity
checker.Signed-off-by: Adrian Bunk
Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
22 Oct, 2006
1 commit
-
Fixed the addition of user-defined boolean controls, the private
data size is corrected to be handled properly.Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela
23 Sep, 2006
6 commits
-
Retrun error to user TLV_READ ioctl if no TLV is defined.
(Until now, nothing was written and rerunred successfully.)Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela -
Fixed the errors at checking info.access field during user TLV_WRITE
call. It should have been zero-initialized.Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela -
The PCM and rawmidi substreams can be selected explicitly by opening
control handle and set via *_PREFER_SUBDEVICE ioctl. But, when
multiple controls are opened, the driver gets confused.
The patch fixes the initialization of prefer_*_subdevice and the
check of multiple controls. The first set subdevice is picked up
as the valid one.Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela -
- added callback option
- added READ/WRITE/COMMAND flags to access member
- added WRITE/COMMAND ioctls
- added SNDRV_CTL_EVENT_MASK_TLV for TLV change notifications
- added TLV support to ELEM_ADD ioctlSigned-off-by: Jaroslav Kysela
-
Orignally proposed by Sam Revitch .
Unregister device files at disconnection to avoid the futher accesses.
Also, the dev_unregister callback is removed and replaced with the
combination of disconnect + free.
A new function snd_card_free_when_closed() is introduced, which is
used in USB disconnect callback.Signed-off-by: Takashi Iwai
Signed-off-by: Jaroslav Kysela -
This patch implements a TLV mechanism to transfer an additional information
like dB scale to the user space. The types might be extended in future.
Acked-by: Takashi IwaiSigned-off-by: Jaroslav Kysela
23 Jun, 2006
1 commit
-
Move EXPORT_SYMBOL()s to places adjacent to functions/variables.
Signed-off-by: Takashi Iwai
31 Mar, 2006
1 commit
-
Removed the unused file argument of snd_power_wait().
Signed-off-by: Takashi Iwai
22 Mar, 2006
1 commit
-
Modules: Control Midlevel
Fix memory leaks in error path of control.c (only with CONFIG_SND_DEBUG=y).
Signed-off-by: Takashi Iwai