[3.8.y.z extended stable] Patch "ALSA: control: Handle numid overflow" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Tue Jul 22 20:55:37 UTC 2014 

This is a note to let you know that I have just added a patch titled

    ALSA: control: Handle numid overflow

to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue

This patch is scheduled to be released in version 3.8.13.27.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 2514aae2e90128e646ac95d76abc48e431f9064d Mon Sep 17 00:00:00 2001
From: Lars-Peter Clausen <lars at metafoo.de>
Date: Wed, 18 Jun 2014 13:32:34 +0200
Subject: ALSA: control: Handle numid overflow

commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream.

Each control gets automatically assigned its numids when the control is created.
The allocation is done by incrementing the numid by the amount of allocated
numids per allocation. This means that excessive creation and destruction of
controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
eventually overflow. Currently when this happens for the control that caused the
overflow kctl->id.numid + kctl->count will also over flow causing it to be
smaller than kctl->id.numid. Most of the code assumes that this is something
that can not happen, so we need to make sure that it won't happen

Signed-off-by: Lars-Peter Clausen <lars at metafoo.de>
Acked-by: Jaroslav Kysela <perex at perex.cz>
Signed-off-by: Takashi Iwai <tiwai at suse.de>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 sound/core/control.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/sound/core/control.c b/sound/core/control.c
index 7619a57..f92ca31 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -289,6 +289,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card,
 {
 	struct snd_kcontrol *kctl;

+	/* Make sure that the ids assigned to the control do not wrap around */
+	if (card->last_numid >= UINT_MAX - count)
+		card->last_numid = 0;
+
 	list_for_each_entry(kctl, &card->controls, list) {
 		if (kctl->id.numid < card->last_numid + 1 + count &&
 		    kctl->id.numid + kctl->count > card->last_numid + 1) {
--
1.9.1

More information about the kernel-team mailing list