linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [patch v2] ALSA: off by one bug in snd_riptide_joystick_probe()
       [not found] <s5hy4ogfvc2.wl-tiwai@suse.de>
@ 2015-02-09 13:51 ` Dan Carpenter
  2015-02-09 13:58   ` Takashi Iwai
  0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2015-02-09 13:51 UTC (permalink / raw)
  To: Jaroslav Kysela
  Cc: Takashi Iwai, Lars-Peter Clausen, Hans Wennborg, Benoit Taine,
	Bjorn Helgaas, alsa-devel, linux-kernel, kernel-janitors

The problem here is that we check:

	if (dev >= SNDRV_CARDS)

Then we increment "dev".

       if (!joystick_port[dev++])

Then we use it as an offset into a array with SNDRV_CARDS elements.

	if (!request_region(joystick_port[dev], 8, "Riptide gameport")) {

This has 3 effects:
1) If you use the module option to specify the joystick port then it has
   to be shifted one space over.
2) The wrong error message will be printed on failure if you have over
   32 cards.
3) Static checkers will correctly complain that are off by one.

Fixes: db1005ec6ff8 ('ALSA: riptide - Fix joystick resource handling')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: In the original patch I just made the array larger.

diff --git a/sound/pci/riptide/riptide.c b/sound/pci/riptide/riptide.c
index 29f2827..94639d6 100644
--- a/sound/pci/riptide/riptide.c
+++ b/sound/pci/riptide/riptide.c
@@ -2011,32 +2011,43 @@ snd_riptide_joystick_probe(struct pci_dev *pci, const struct pci_device_id *id)
 {
 	static int dev;
 	struct gameport *gameport;
+	int ret;
 
 	if (dev >= SNDRV_CARDS)
 		return -ENODEV;
+
 	if (!enable[dev]) {
-		dev++;
-		return -ENOENT;
+		ret = -ENOENT;
+		goto inc_dev;
 	}
 
-	if (!joystick_port[dev++])
-		return 0;
+	if (!joystick_port[dev]) {
+		ret = 0;
+		goto inc_dev;
+	}
 
 	gameport = gameport_allocate_port();
-	if (!gameport)
-		return -ENOMEM;
+	if (!gameport) {
+		ret = -ENOMEM;
+		goto inc_dev;
+	}
 	if (!request_region(joystick_port[dev], 8, "Riptide gameport")) {
 		snd_printk(KERN_WARNING
 			   "Riptide: cannot grab gameport 0x%x\n",
 			   joystick_port[dev]);
 		gameport_free_port(gameport);
-		return -EBUSY;
+		ret = -EBUSY;
+		goto inc_dev;
 	}
 
 	gameport->io = joystick_port[dev];
 	gameport_register_port(gameport);
 	pci_set_drvdata(pci, gameport);
-	return 0;
+
+	ret = 0;
+inc_dev:
+	dev++;
+	return ret;
 }
 
 static void snd_riptide_joystick_remove(struct pci_dev *pci)


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [patch v2] ALSA: off by one bug in snd_riptide_joystick_probe()
  2015-02-09 13:51 ` [patch v2] ALSA: off by one bug in snd_riptide_joystick_probe() Dan Carpenter
@ 2015-02-09 13:58   ` Takashi Iwai
  0 siblings, 0 replies; 2+ messages in thread
From: Takashi Iwai @ 2015-02-09 13:58 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Jaroslav Kysela, Lars-Peter Clausen, Hans Wennborg, Benoit Taine,
	Bjorn Helgaas, alsa-devel, linux-kernel, kernel-janitors

At Mon, 9 Feb 2015 16:51:40 +0300,
Dan Carpenter wrote:
> 
> The problem here is that we check:
> 
> 	if (dev >= SNDRV_CARDS)
> 
> Then we increment "dev".
> 
>        if (!joystick_port[dev++])
> 
> Then we use it as an offset into a array with SNDRV_CARDS elements.
> 
> 	if (!request_region(joystick_port[dev], 8, "Riptide gameport")) {
> 
> This has 3 effects:
> 1) If you use the module option to specify the joystick port then it has
>    to be shifted one space over.
> 2) The wrong error message will be printed on failure if you have over
>    32 cards.
> 3) Static checkers will correctly complain that are off by one.
> 
> Fixes: db1005ec6ff8 ('ALSA: riptide - Fix joystick resource handling')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: In the original patch I just made the array larger.

Applied, thanks.


Takashi

> 
> diff --git a/sound/pci/riptide/riptide.c b/sound/pci/riptide/riptide.c
> index 29f2827..94639d6 100644
> --- a/sound/pci/riptide/riptide.c
> +++ b/sound/pci/riptide/riptide.c
> @@ -2011,32 +2011,43 @@ snd_riptide_joystick_probe(struct pci_dev *pci, const struct pci_device_id *id)
>  {
>  	static int dev;
>  	struct gameport *gameport;
> +	int ret;
>  
>  	if (dev >= SNDRV_CARDS)
>  		return -ENODEV;
> +
>  	if (!enable[dev]) {
> -		dev++;
> -		return -ENOENT;
> +		ret = -ENOENT;
> +		goto inc_dev;
>  	}
>  
> -	if (!joystick_port[dev++])
> -		return 0;
> +	if (!joystick_port[dev]) {
> +		ret = 0;
> +		goto inc_dev;
> +	}
>  
>  	gameport = gameport_allocate_port();
> -	if (!gameport)
> -		return -ENOMEM;
> +	if (!gameport) {
> +		ret = -ENOMEM;
> +		goto inc_dev;
> +	}
>  	if (!request_region(joystick_port[dev], 8, "Riptide gameport")) {
>  		snd_printk(KERN_WARNING
>  			   "Riptide: cannot grab gameport 0x%x\n",
>  			   joystick_port[dev]);
>  		gameport_free_port(gameport);
> -		return -EBUSY;
> +		ret = -EBUSY;
> +		goto inc_dev;
>  	}
>  
>  	gameport->io = joystick_port[dev];
>  	gameport_register_port(gameport);
>  	pci_set_drvdata(pci, gameport);
> -	return 0;
> +
> +	ret = 0;
> +inc_dev:
> +	dev++;
> +	return ret;
>  }
>  
>  static void snd_riptide_joystick_remove(struct pci_dev *pci)
> 

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-02-09 13:58 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <s5hy4ogfvc2.wl-tiwai@suse.de>
2015-02-09 13:51 ` [patch v2] ALSA: off by one bug in snd_riptide_joystick_probe() Dan Carpenter
2015-02-09 13:58   ` Takashi Iwai

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).