[PATCH 3.16.y-ckt 129/180] ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0

From: Luis Henriques
Date: Wed Feb 03 2016 - 18:05:58 EST


3.16.7-ckt24 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Takashi Iwai <tiwai@xxxxxxx>

commit c0bcdbdff3ff73a54161fca3cb8b6cdbd0bb8762 upstream.

When a TLV ioctl with numid zero is handled, the driver may spew a
kernel warning with a stack trace at each call. The check was
intended obviously only for a kernel driver, but not for a user
interaction. Let's fix it.

This was spotted by syzkaller fuzzer.

Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Luis Henriques <luis.henriques@xxxxxxxxxxxxx>
---
sound/core/control.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/sound/core/control.c b/sound/core/control.c
index 8cdf0a4b327b..1d395d865f1b 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1324,6 +1324,8 @@ static int snd_ctl_tlv_ioctl(struct snd_ctl_file *file,
return -EFAULT;
if (tlv.length < sizeof(unsigned int) * 2)
return -EINVAL;
+ if (!tlv.numid)
+ return -EINVAL;
down_read(&card->controls_rwsem);
kctl = snd_ctl_find_numid(card, tlv.numid);
if (kctl == NULL) {