Piteball/android_kernel_google_msm
1
0
Fork 0
mirror of https://github.com/followmsi/android_kernel_google_msm.git synced 2024-11-06 23:17:41 +00:00
Code Issues Projects Releases Wiki Activity
android_kernel_google_msm/sound/core
History
Lars-Peter Clausen c2f44eb7b6 ALSA: control: Fix replacing user controls 
There are two issues with the current implementation for replacing user
controls. The first is that the code does not check if the control is actually a
user control and neither does it check if the control is owned by the process
that tries to remove it. That allows userspace applications to remove arbitrary
controls, which can cause a user after free if a for example a driver does not
expect a control to be removed from under its feed.

The second issue is that on one hand when a control is replaced the
user_ctl_count limit is not checked and on the other hand the user_ctl_count is
increased (even though the number of user controls does not change). This allows
userspace, once the user_ctl_count limit as been reached, to repeatedly replace
a control until user_ctl_count overflows. Once that happens new controls can be
added effectively bypassing the user_ctl_count limit.

Both issues can be fixed by instead of open-coding the removal of the control
that is to be replaced to use snd_ctl_remove_user_ctl(). This function does
proper permission checks as well as decrements user_ctl_count after the control
has been removed.

Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at
beginning of the function if the control already exists is removed. This is not
a problem though since the check is quite useless, because the lock that is
protecting the control list is released between the check and before adding the
new control to the list, which means that it is possible that a different
control with the same settings is added to the list after the check. Luckily
there is another check that is done while holding the lock in snd_ctl_add(), so
we'll rely on that to make sure that the same control is not added twice.

Change-Id: Ia4bd6bff33e86ee8b971031381d07b80bd383171
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2016-10-31 23:36:23 +11:00
..
oss ALSA: module_param: make bool parameters really bool 2011-12-19 10:34:41 +01:00
seq Documentation: remove references to /etc/modprobe.conf 2012-03-30 16:03:15 -07:00
compress_offload.c ALSA: compress: Memset timestamp structure to zero. 2016-06-03 11:49:10 -07:00
control.c ALSA: control: Fix replacing user controls 2016-10-31 23:36:23 +11:00
control_compat.c ALSA: control: add support for ENUMERATED user space controls 2011-10-09 09:09:11 +02:00
ctljack.c ALSA: hda - Add missing inclusion of linux/export.h 2011-11-16 14:28:33 +01:00
device.c sound: Add export.h for THIS_MODULE/EXPORT_SYMBOL where needed 2011-10-31 19:31:22 -04:00
hrtimer.c ALSA: hrtimer: Fix stall by hrtimer_cancel() 2016-10-29 23:12:35 +08:00
hwdep.c Merge branch 'modsplit-Oct31_2011' of git://git.kernel.org/pub/scm/linux/kernel/git/paulg/linux 2011-11-06 19:44:47 -08:00
hwdep_compat.c
info.c sound: Add module.h to the previously silent sound users 2011-10-31 19:31:21 -04:00
info_oss.c sound: Add export.h for THIS_MODULE/EXPORT_SYMBOL where needed 2011-10-31 19:31:22 -04:00
init.c ALSA: core: prefix the functions uniformly 2013-02-25 11:41:21 -08:00
isadma.c sound: Add export.h for THIS_MODULE/EXPORT_SYMBOL where needed 2011-10-31 19:31:22 -04:00
jack.c ALSA: jack: Update supported jack switch types 2013-02-25 11:41:20 -08:00
Kconfig sound: Add MSM sound drivers 2013-02-25 11:41:24 -08:00
Makefile Merge branch 'topic/hda' into for-linus 2012-01-12 09:59:18 +01:00
memalloc.c treewide: Correct spelling of successfully in comments 2011-09-27 18:08:04 +02:00
memory.c sound: Add export.h for THIS_MODULE/EXPORT_SYMBOL where needed 2011-10-31 19:31:22 -04:00
misc.c ALSA: Fixed a trailing white space error 2012-02-20 15:34:04 +01:00
pcm.c ASoC: pcm: Create PCM streams for ASOC backend 2013-02-25 11:41:09 -08:00
pcm_compat.c ALSA: sound/core/pcm_compat.c: adjust array index 2011-07-28 15:12:02 +02:00
pcm_lib.c ASLA: sound: Add support for compressed formats 2013-02-25 11:41:19 -08:00
pcm_memory.c sound: Add export.h for THIS_MODULE/EXPORT_SYMBOL where needed 2011-10-31 19:31:22 -04:00
pcm_misc.c ASoc: msm: Add AMR NB and AMR WB support for Voip 2013-02-25 11:41:07 -08:00
pcm_native.c ASoC: core: Update ALSA core to issue restart in underrun. 2013-03-07 15:21:54 -08:00
pcm_timer.c
rawmidi.c sound: fix drivers needing module.h not moduleparam.h 2011-10-31 19:31:19 -04:00
rawmidi_compat.c
rtctimer.c ALSA: rtctimer.c needs module.h 2011-07-30 08:03:35 +02:00
sgbuf.c
sound.c ALSA: core: add support for compressed devices 2011-12-23 10:07:46 +01:00
sound_oss.c sound: Add export.h for THIS_MODULE/EXPORT_SYMBOL where needed 2011-10-31 19:31:22 -04:00
timer.c ALSA: timer: Harden slave timer list handling 2016-10-29 23:12:35 +08:00
timer_compat.c
vmaster.c ALSA: fix core/vmaster.c kernel-doc warning 2012-04-18 07:56:15 +02:00