1. Patchew
  2. linux
  3. View series

[PATCH] ALSA: seq: oss: Reject reads that cannot fit the next event

Cássio Gabriel posted 1 patch 5 days, 16 hours ago 
sound/core/seq/oss/seq_oss_rw.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH] ALSA: seq: oss: Reject reads that cannot fit the next event
Posted by Cássio Gabriel 5 days, 16 hours ago 
snd_seq_oss_read() checks whether the next queued OSS sequencer event
fits in the remaining userspace buffer before removing it from the read
queue.

The check is inverted. It currently stops when the event is smaller than
the remaining buffer, so a normal 4-byte event is not copied for an
8-byte read buffer. Conversely, an 8-byte event can be copied for a
smaller read count.

Break only when the remaining userspace buffer is smaller than the next
event, and report -EINVAL if no complete event has been copied. This
prevents an undersized read from looking like end-of-file while leaving
the event queued for a later read with a large enough buffer.

Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>
---
 sound/core/seq/oss/seq_oss_rw.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/core/seq/oss/seq_oss_rw.c b/sound/core/seq/oss/seq_oss_rw.c
index 111c792bc72c..b7147ac78ee8 100644
--- a/sound/core/seq/oss/seq_oss_rw.c
+++ b/sound/core/seq/oss/seq_oss_rw.c
@@ -57,7 +57,8 @@ snd_seq_oss_read(struct seq_oss_devinfo *dp, char __user *buf, int count)
 			break;
 		}
 		ev_len = ev_length(&rec);
-		if (ev_len < count) {
+		if (count < ev_len) {
+			err = -EINVAL;
 			snd_seq_oss_readq_unlock(readq, flags);
 			break;
 		}

---
base-commit: 96d4780e9ff5168195e891c474a85bb0d510fe9f
change-id: 20260601-alsa-seq-oss-read-size-check-40dbf0113921

Best regards,
--  
Cássio Gabriel <cassiogabrielcontato@gmail.com>
Re: [PATCH] ALSA: seq: oss: Reject reads that cannot fit the next event
Posted by Takashi Iwai 5 days, 9 hours ago 
On Tue, 02 Jun 2026 13:18:39 +0200,
Cássio Gabriel wrote:
> 
> snd_seq_oss_read() checks whether the next queued OSS sequencer event
> fits in the remaining userspace buffer before removing it from the read
> queue.
> 
> The check is inverted. It currently stops when the event is smaller than
> the remaining buffer, so a normal 4-byte event is not copied for an
> 8-byte read buffer. Conversely, an 8-byte event can be copied for a
> smaller read count.
> 
> Break only when the remaining userspace buffer is smaller than the next
> event, and report -EINVAL if no complete event has been copied. This
> prevents an undersized read from looking like end-of-file while leaving
> the event queued for a later read with a large enough buffer.
> 
> Signed-off-by: Cássio Gabriel <cassiogabrielcontato@gmail.com>

Applied to for-next branch now.  Thanks.


Takashi

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.