From nobody Mon Jun 8 04:25:15 2026 Received: from mail-dl1-f50.google.com (mail-dl1-f50.google.com [74.125.82.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 49CEE33D6F7 for ; Tue, 2 Jun 2026 11:18:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.82.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780399128; cv=none; b=fc6RMzTWTZmzfl7W6qch1nArKfyeiESyyqc6jF4o4pY6tpeMiSQcHaCO6tDpa2fHTeCVJOmHHk5IdYoAOAncnkTqNcuXF1YX89x8FzmQnQ+gSucdtvnlbgvCSvda+5dmm1bhhyhkbWhD3gOql0gkk61gB6ySs0rj7iDA0waFSVg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780399128; c=relaxed/simple; bh=epsJpj7GzgTdJPW98VOURtFXzDyK6zbWQR6U7wLnSlY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=I0qq9wpxfCoI4YbnFUqKjpphhGiZgV5fdGmABAC8upA4kGZa03E5aE18wD3ioKsGGYEt6VBN1ZoJLkqDPT26zke3HaVebNKY86RqMn9wwYPPsxmOoyws2rvNIt/NXHQOBtMLtN8L3DdJc1Zx/vpdgQ3V5ja1viIQvxhseaJ5IcI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=dyNDsvue; arc=none smtp.client-ip=74.125.82.50 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="dyNDsvue" Received: by mail-dl1-f50.google.com with SMTP id a92af1059eb24-1370417c01cso10951461c88.1 for ; Tue, 02 Jun 2026 04:18:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780399126; x=1781003926; darn=vger.kernel.org; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:from:to:cc:subject:date:message-id:reply-to; bh=jMKcrAgpQ+ax1Gir9FlpnT6Wsgxa8JaPaMdWrx1Uw1w=; b=dyNDsvueOmFH8eIpHyDuayZGsh+1z0o4TduuQTi3i1bMtAnO22DzhbkzKbhttRd7IK taF8Zt98buqk60BIgjXTkcXH9yRKvwurJ1I7kwVjCpDiZ+SrZO0EdMUCm3tUiMcaSfa7 a2WRYRwSvRuf1GxDDYrvGqxTbCjcM0D5IxAbPGpa6AyeaPiTiWhgs8DsVq2hpuJeMhgS q8sQhr1/QKhTg6WkSRiZcy6nm2g55wZZhLZjVROp8B4ht6Vdso/6H7YbSrHk1X1oEFp2 PnyiaFFoINGSPT9G7a8XI5LnjNATateRCDtrjhphanZolZWwrXu64vvC6K6cK0cj9/5m FsTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780399126; x=1781003926; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=jMKcrAgpQ+ax1Gir9FlpnT6Wsgxa8JaPaMdWrx1Uw1w=; b=lSf7IqdqymZLCOLTCM/+CLMuGa6vkdOHLZDCH6d1SUH1JdLbnNVSwrVjBb/U3b5Ukz R+9T+oTt3fgVay4igukoHbIln7BXuVccTx423o6CnefDng9g8S53ywWM3voNJxqQdqDP CG8KguJWZCo9WfjsJ43fQlI+Jbxw6kl1kt7B5eX7m1rRkTtDdKNfqQ3D0yAC4G0ofOqG KSuHAy13v51UYv1VLnf7ojp8oY36PswRFWveFzInu2bjwiI5DAmCgJDa/0tlzAT3qh3J ou67TbYHvCXOA2UfkBhX6SED5sAu+wVtOUwTkbpggicUTlR7rH2OizlqhaWGXMsQ3KDZ ahaA== X-Forwarded-Encrypted: i=1; AFNElJ+qiwvPpA+thXgj/0pDtfgkAD8BXWMaF5KVdrC65fdkFTOqTxINFpVlSknXcF7+4AuYmnVmC/ihnJGflls=@vger.kernel.org X-Gm-Message-State: AOJu0Yz8gYEs+q4YggY80ldikejIa/JpBk0nGfE6tNXYMiKQehBo0Q38 3EaWBzXSiyB9ZD+rugSz2i3fLcpWJ6QyP8IrkPX5aGOQvf83bi0PHpoT X-Gm-Gg: Acq92OGkp2BmYyRWZSS3GawedUWCD80o/RNPewN2FgQ9yuy/B8quveCJpMi112ZUNPr EKo+EUCPYuTRGUufvdXyB+hsOkqRUdZxoc+b97QOJs1+l9IqbyysJdFa10tGQ/zKAaibwdZrD1z Ei8vC7MrboJmMSCv/bvHuAORIk6Ap9kIKkWW0Psi3LimqFCEEfXUia4TJcWOO98NdvJMQGu7oli yjkA0nlKIAMINOWwBYhphruMKbFteHFI9Ln7NmsPDSMVoNUxQvS2u54z4iClVRpc0IWIHfnxnZd VJpnRtXQRkvGCSQyzQitBQ9PoGm7Bj9UY9bPvAjWpD+2zB50zKmyi50Jk9oaQtDMKZ/rSWGMN2g BLKpnJ5YK55aw5ZuBuJhrLzf3xC9V0p0SkSOaQeF3M9KM81lS+pKJZcTXptXVjhPlQznsKOY8Zc /DhMlR17HTcEaSphZ9qGjkgkiglwffts6a6brijaIJzW3en2n6Hzof8SYumjqurMBDKK6lAiLWV tLLIn6qwtJv X-Received: by 2002:a05:7022:ff48:b0:136:b370:64c5 with SMTP id a92af1059eb24-137d426d974mr6121875c88.30.1780399126176; Tue, 02 Jun 2026 04:18:46 -0700 (PDT) Received: from [192.168.1.18] (177-4-161-23.user3p.v-tal.net.br. [177.4.161.23]) by smtp.gmail.com with ESMTPSA id a92af1059eb24-137b3c7e94asm8963314c88.13.2026.06.02.04.18.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Jun 2026 04:18:45 -0700 (PDT) From: =?utf-8?q?C=C3=A1ssio_Gabriel?= Date: Tue, 02 Jun 2026 08:18:39 -0300 Subject: [PATCH] ALSA: seq: oss: Reject reads that cannot fit the next event Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260602-alsa-seq-oss-read-size-check-v1-1-10e59b1742e0@gmail.com> X-B4-Tracking: v=1; b=H4sIAAAAAAAC/yXMQQrCQAwF0KuUrA0koxT0KuJiOvNro9LqREUsv bujLt/mzeQoBqddM1PB09ymsUJXDaUhjkew5WoKElppRTlePLLjxpM7F8TMbm9wGpDOvJHc9aK 63galWlwLenv9+v3hb390J6T796Rl+QDJo/1jgAAAAA== X-Change-ID: 20260601-alsa-seq-oss-read-size-check-40dbf0113921 To: Takashi Iwai , Jaroslav Kysela Cc: linux-sound@vger.kernel.org, linux-kernel@vger.kernel.org, notify@kernel.org, =?utf-8?q?C=C3=A1ssio_Gabriel?= X-Mailer: b4 0.15.2 X-Developer-Signature: v=1; a=openpgp-sha256; l=1506; i=cassiogabrielcontato@gmail.com; h=from:subject:message-id; bh=epsJpj7GzgTdJPW98VOURtFXzDyK6zbWQR6U7wLnSlY=; b=owGbwMvMwCV2IdZeKur/u2bG02pJDFlye4S/a/1TdG1RaHsbYBX686vqlwWnJyVZaM5kP8uSz f34OMuvjlIWBjEuBlkxRZbVSYss93Q9uFoft8IDZg4rE8gQBi5OAZhI+DeG/z6HZbdnZD7ZE/nv jvie29tWHG2d0Mm+S/2KU/fsUw2Jvv6MDLeP/pA7HfwpeJ3tgXcPBNe/jHgZ2+T1JvPopr3tXz5 862IAAA== X-Developer-Key: i=cassiogabrielcontato@gmail.com; a=openpgp; fpr=AB62A239BC8AE0D57F5EA848D05D3F1A5AFFEE83 snd_seq_oss_read() checks whether the next queued OSS sequencer event fits in the remaining userspace buffer before removing it from the read queue. The check is inverted. It currently stops when the event is smaller than the remaining buffer, so a normal 4-byte event is not copied for an 8-byte read buffer. Conversely, an 8-byte event can be copied for a smaller read count. Break only when the remaining userspace buffer is smaller than the next event, and report -EINVAL if no complete event has been copied. This prevents an undersized read from looking like end-of-file while leaving the event queued for a later read with a large enough buffer. Signed-off-by: C=C3=A1ssio Gabriel --- sound/core/seq/oss/seq_oss_rw.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/core/seq/oss/seq_oss_rw.c b/sound/core/seq/oss/seq_oss_r= w.c index 111c792bc72c..b7147ac78ee8 100644 --- a/sound/core/seq/oss/seq_oss_rw.c +++ b/sound/core/seq/oss/seq_oss_rw.c @@ -57,7 +57,8 @@ snd_seq_oss_read(struct seq_oss_devinfo *dp, char __user = *buf, int count) break; } ev_len =3D ev_length(&rec); - if (ev_len < count) { + if (count < ev_len) { + err =3D -EINVAL; snd_seq_oss_readq_unlock(readq, flags); break; } --- base-commit: 96d4780e9ff5168195e891c474a85bb0d510fe9f change-id: 20260601-alsa-seq-oss-read-size-check-40dbf0113921 Best regards, -- =20 C=C3=A1ssio Gabriel