6.5-stable review patch. If anyone has any objections, please let me know. ------------------ From: Takashi Iwai <tiwai@xxxxxxx> commit 86496fd4a2fabb7c978fdaca2d4b718207a96d36 upstream. The recent fix to clear the padding bytes at snd_seq_expand_var_event() broke the read to user-space with in_kernel=0 parameter. For user-space address, it has to use clear_user() instead of memset(). Fixes: f80e6d60d677 ("ALSA: seq: Clear padded bytes at expanding events") Reported-and-tested-by: Ash Holland <ash@xxxxxxxxx> Closes: https://lore.kernel.org/r/8a555319-9f31-4ea2-878f-adc338bc40d4@xxxxxxxxx Link: https://lore.kernel.org/r/20230905052631.18240-1-tiwai@xxxxxxx Link: https://lore.kernel.org/r/20230905081210.6731-1-tiwai@xxxxxxx Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- sound/core/seq/seq_memory.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/sound/core/seq/seq_memory.c +++ b/sound/core/seq/seq_memory.c @@ -187,8 +187,13 @@ int snd_seq_expand_var_event(const struc err = expand_var_event(event, 0, len, buf, in_kernel); if (err < 0) return err; - if (len != newlen) - memset(buf + len, 0, newlen - len); + if (len != newlen) { + if (in_kernel) + memset(buf + len, 0, newlen - len); + else if (clear_user((__force void __user *)buf + len, + newlen - len)) + return -EFAULT; + } return newlen; } EXPORT_SYMBOL(snd_seq_expand_var_event);