snd_seq_expand_var_event_at() clamps the number of bytes to copy to the
remaining variable-event length, but passes the original buffer size to
expand_var_event().

For SNDRV_SEQ_EXT_USRPTR events, expand_var_event() copies exactly the
size argument from userspace. On the final chunk, when the remaining
event data is shorter than the caller's buffer, this can read past the
declared event data and can spuriously fail with -EFAULT if the extra
bytes cross an unmapped page.

Pass the clamped length instead. The chained and kernel-backed paths
already reclamp in dump_var_event(), but the user-pointer path handles
the size directly.

Fixes: ea46f79709b6 ("ALSA: seq: Add snd_seq_expand_var_event_at() helper")
Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
---
sound/core/seq/seq_memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
index aaf808316c30..ca9f6db0022c 100644
--- a/sound/core/seq/seq_memory.c
+++ b/sound/core/seq/seq_memory.c
@@ -211,7 +211,7 @@ int snd_seq_expand_var_event_at(const struct snd_seq_event *event, int count,
len -= offset;
if (len > count)
len = count;
- err = expand_var_event(event, offset, count, buf, true);
+ err = expand_var_event(event, offset, len, buf, true);
if (err < 0)
return err;
return len;
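Review bot: at the changed expand_var_event() call, len is now the copy size, so its lower bound matters as much as the upper clamp. The hunk shows `if (len > count) len = count;`, but the context begins at `len -= offset;`, so please confirm that the lines above it reject an offset at or beyond the event length, so that len cannot reach this call as zero or negative. A one-line comment above the call noting that the user-pointer path copies exactly the size it is given would also help keep a later cleanup from switching the argument back to count.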
--
2.43.0
On Sat, 06 Jun 2026 06:09:13 +0200,
HyeongJun An wrote:
>
> snd_seq_expand_var_event_at() clamps the number of bytes to copy to the
> remaining variable-event length, but passes the original buffer size to
> expand_var_event().
>
> For SNDRV_SEQ_EXT_USRPTR events, expand_var_event() copies exactly the
> size argument from userspace. On the final chunk, when the remaining
> event data is shorter than the caller's buffer, this can read past the
> declared event data and can spuriously fail with -EFAULT if the extra
> bytes cross an unmapped page.
>
> Pass the clamped length instead. The chained and kernel-backed paths
> already reclamp in dump_var_event(), but the user-pointer path handles
> the size directly.
>
> Fixes: ea46f79709b6 ("ALSA: seq: Add snd_seq_expand_var_event_at() helper")
> Signed-off-by: HyeongJun An <sammiee5311@gmail.com>
Applied to for-next branch now. Thanks.
Takashi