diff options
| author | Maoyi Xie <maoyixie.tju@gmail.com> | 2026-05-19 03:40:23 +0800 |
|---|---|---|
| committer | Takashi Iwai <tiwai@suse.de> | 2026-05-19 07:39:06 +0200 |
| commit | 92b62b7416af11fcfaab7373b15a32a471500bab (patch) | |
| tree | 8787cf9e39f6c4d05fd2a51d9864a59a5f8bcdea /sound | |
| parent | 34ed2395613b23f8645e320abdcab6d688dc7a80 (diff) | |
| download | linux-next-history-92b62b7416af11fcfaab7373b15a32a471500bab.tar.gz | |
ALSA: seq: avoid past-the-end iterator in snd_seq_create_port()
snd_seq_create_port() walks client->ports_list_head looking for
the ordered insertion point and on loop fall-through passes
&p->list to list_add_tail():
list_for_each_entry(p, &client->ports_list_head, list) {
if (p->addr.port == port) {
kfree(new_port);
return -EBUSY;
}
if (p->addr.port > num)
break;
...
}
list_add_tail(&new_port->list, &p->list);
When the loop walks all entries without break (e.g., the new
port sorts last), p is past-the-end. &p->list aliases
&client->ports_list_head (the list head) via container_of offset
cancellation, so the insert lands at the list tail. That is the
intended behaviour, but the access is undefined per C11 even
though it works in practice.
Track an explicit insert_before pointer initialised to the list
head and overwritten to &p->list only when the loop breaks
early. The observable behaviour is unchanged.
Fixes: 9244b2c3079f ("[ALSA] alsa core: convert to list_for_each_entry*")
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
Link: https://patch.msgid.link/20260518194023.1667857-3-maoyixie.tju@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Diffstat (limited to 'sound')
| -rw-r--r-- | sound/core/seq/seq_ports.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c index da8d358958f15..31ab4681c6012 100644 --- a/sound/core/seq/seq_ports.c +++ b/sound/core/seq/seq_ports.c @@ -144,18 +144,21 @@ int snd_seq_create_port(struct snd_seq_client *client, int port, num = max(port, 0); guard(mutex)(&client->ports_mutex); guard(write_lock_irq)(&client->ports_lock); + struct list_head *insert_before = &client->ports_list_head; list_for_each_entry(p, &client->ports_list_head, list) { if (p->addr.port == port) { kfree(new_port); return -EBUSY; } - if (p->addr.port > num) + if (p->addr.port > num) { + insert_before = &p->list; break; + } if (port < 0) /* auto-probe mode */ num = p->addr.port + 1; } /* insert the new port */ - list_add_tail(&new_port->list, &p->list); + list_add_tail(&new_port->list, insert_before); client->num_ports++; new_port->addr.port = num; /* store the port number in the port */ sprintf(new_port->name, "port-%d", num); |