include/sound/seq_device.h | 3 ++- sound/core/seq_device.c | 5 ++++- 2 files changed, 6 insertions(+), 2 deletions(-)
snd_seq_device_new() allocates struct snd_seq_device together with a
caller-specific argument area. SNDRV_SEQ_DEVICE_ARGPTR() reaches that
area by adding sizeof(struct snd_seq_device) to the object pointer.
Make the trailing storage explicit with a flexible array and allocate it
with struct_size(). This makes the object layout self-describing and
avoids open-coded size arithmetic in the allocation and accessor.
Reject negative argsize values before calculating the allocation size.
Current in-tree callers pass either zero or sizeof() values, but the
function takes an int size argument and should not let a negative value
flow into unsigned allocation arithmetic.
Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
include/sound/seq_device.h | 3 ++-
sound/core/seq_device.c | 5 ++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/include/sound/seq_device.h b/include/sound/seq_device.h
index a72380c202e9..3137d4c5f5a8 100644
--- a/include/sound/seq_device.h
+++ b/include/sound/seq_device.h
@@ -22,6 +22,7 @@ struct snd_seq_device {
void *private_data; /* private data for the caller */
void (*private_free)(struct snd_seq_device *device);
struct device dev;
+ unsigned char args[]; /* driver-specific argument */
};
#define to_seq_dev(_dev) \
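Review bot: The new `args[]` member is typed `unsigned char`, so its declared alignment is 1, yet the area is handed out through SNDRV_SEQ_DEVICE_ARGPTR() as a `void *` that callers presumably cast to their own argument struct. The old accessor started the area at `sizeof(struct snd_seq_device)`, which is always a multiple of the struct's alignment. The new one starts at the member offset directly after `dev`, which is the same address only when the struct has no tail padding. That most likely holds with `struct device` as the preceding member, but it is worth stating explicitly, for example `unsigned char args[] __aligned(sizeof(void *));` or a comment such as `/* driver-specific argument area, starts right after dev; use SNDRV_SEQ_DEVICE_ARGPTR() */`. The struct definition begins outside this hunk.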
@@ -64,7 +65,7 @@ void snd_seq_device_load_drivers(void);
int snd_seq_device_new(struct snd_card *card, int device, const char *id,
int argsize, struct snd_seq_device **result);
-#define SNDRV_SEQ_DEVICE_ARGPTR(dev) (void *)((char *)(dev) + sizeof(struct snd_seq_device))
+#define SNDRV_SEQ_DEVICE_ARGPTR(dev) ((void *)(dev)->args)
int __must_check __snd_seq_driver_register(struct snd_seq_driver *drv,
struct module *mod);
diff --git a/sound/core/seq_device.c b/sound/core/seq_device.c
index 1b062d6b17ea..a7b69ff07261 100644
--- a/sound/core/seq_device.c
+++ b/sound/core/seq_device.c
@@ -234,7 +234,10 @@ int snd_seq_device_new(struct snd_card *card, int device, const char *id,
if (snd_BUG_ON(!id))
return -EINVAL;
- dev = kzalloc(sizeof(*dev) + argsize, GFP_KERNEL);
+ if (argsize < 0)
+ return -EINVAL;
+
+ dev = kzalloc(struct_size(dev, args, argsize), GFP_KERNEL);
if (!dev)
return -ENOMEM;
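Review bot: The new `argsize < 0` guard returns -EINVAL silently, while the `!id` check just above it reports the same class of caller bug through snd_BUG_ON(). The commit message says no in-tree caller passes a negative size, so a negative value can only be a programming error. Writing it as `if (snd_BUG_ON(argsize < 0))` would keep the two argument checks consistent and make the bug visible in debug builds. A one-line comment such as `/* argsize is int: reject negatives before the count is converted to size_t */` would also record why the check has to precede struct_size(). The body of snd_seq_device_new() starts and ends outside this hunk.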
---
base-commit: c784d0e6a62abbd2af58bbbe2d20f88dd550e3eb
change-id: 20260526-alsa-seq-flex-args-55b980babad7
Best regards,
--
Cássio Gabriel <cassiogabrielcontato@gmail.com>
On Fri, 29 May 2026 15:12:39 +0200,
Cássio Gabriel wrote:
>
> snd_seq_device_new() allocates struct snd_seq_device together with a
> caller-specific argument area. SNDRV_SEQ_DEVICE_ARGPTR() reaches that
> area by adding sizeof(struct snd_seq_device) to the object pointer.
>
> Make the trailing storage explicit with a flexible array and allocate it
> with struct_size(). This makes the object layout self-describing and
> avoids open-coded size arithmetic in the allocation and accessor.
>
> Reject negative argsize values before calculating the allocation size.
> Current in-tree callers pass either zero or sizeof() values, but the
> function takes an int size argument and should not let a negative value
> flow into unsigned allocation arithmetic.
>
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
> ---
> include/sound/seq_device.h | 3 ++-
> sound/core/seq_device.c | 5 ++++-
> 2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/include/sound/seq_device.h b/include/sound/seq_device.h
> index a72380c202e9..3137d4c5f5a8 100644
> --- a/include/sound/seq_device.h
> +++ b/include/sound/seq_device.h
> @@ -22,6 +22,7 @@ struct snd_seq_device {
> void *private_data; /* private data for the caller */
> void (*private_free)(struct snd_seq_device *device);
> struct device dev;
> + unsigned char args[]; /* driver-specific argument */
> };
>
> #define to_seq_dev(_dev) \
> @@ -64,7 +65,7 @@ void snd_seq_device_load_drivers(void);
> int snd_seq_device_new(struct snd_card *card, int device, const char *id,
> int argsize, struct snd_seq_device **result);
>
> -#define SNDRV_SEQ_DEVICE_ARGPTR(dev) (void *)((char *)(dev) + sizeof(struct snd_seq_device))
> +#define SNDRV_SEQ_DEVICE_ARGPTR(dev) ((void *)(dev)->args)
>
> int __must_check __snd_seq_driver_register(struct snd_seq_driver *drv,
> struct module *mod);
> diff --git a/sound/core/seq_device.c b/sound/core/seq_device.c
> index 1b062d6b17ea..a7b69ff07261 100644
> --- a/sound/core/seq_device.c
> +++ b/sound/core/seq_device.c
> @@ -234,7 +234,10 @@ int snd_seq_device_new(struct snd_card *card, int device, const char *id,
> if (snd_BUG_ON(!id))
> return -EINVAL;
>
> - dev = kzalloc(sizeof(*dev) + argsize, GFP_KERNEL);
> + if (argsize < 0)
> + return -EINVAL;
> +
> + dev = kzalloc(struct_size(dev, args, argsize), GFP_KERNEL);
> if (!dev)
> return -ENOMEM;
IIRC, we can use kzalloc_flex() for this kind, too:
dev = kzalloc_flex(*dev, args, argsize);
thanks,
Takashi
On 5/31/26 10:39, Takashi Iwai wrote:
>> diff --git a/sound/core/seq_device.c b/sound/core/seq_device.c
>> index 1b062d6b17ea..a7b69ff07261 100644
>> --- a/sound/core/seq_device.c
>> +++ b/sound/core/seq_device.c
>> @@ -234,7 +234,10 @@ int snd_seq_device_new(struct snd_card *card, int device, const char *id,
>> if (snd_BUG_ON(!id))
>> return -EINVAL;
>>
>> - dev = kzalloc(sizeof(*dev) + argsize, GFP_KERNEL);
>> + if (argsize < 0)
>> + return -EINVAL;
>> +
>> + dev = kzalloc(struct_size(dev, args, argsize), GFP_KERNEL);
>> if (!dev)
>> return -ENOMEM;
>
> IIRC, we can use kzalloc_flex() for this kind, too:
>
> dev = kzalloc_flex(*dev, args, argsize);
Thanks, I missed kzalloc_flex(). I’ll keep the negative argsize check in v2, so invalid callers get -EINVAL before the count is converted to size_t.
-- Thanks, Cássio