--- /dev/null
+From d56268fb108c7c21e19933588ca4d94652585183 Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Thu, 29 Nov 2012 17:04:23 +0100
+Subject: ALSA: usb-audio: fix invalid length check for RME and other UAC 2 devices
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit d56268fb108c7c21e19933588ca4d94652585183 upstream.
+
+Commit 23caaf19b11e (ALSA: usb-mixer: Add support for Audio Class v2.0)
+forgot to adjust the length check for UAC 2.0 feature unit descriptors.
+This would make the code abort on encountering a feature unit without
+per-channel controls, and thus prevented the driver to work with any
+device having such a unit, such as the RME Babyface or Fireface UCX.
+
+Reported-by: Florian Hanisch <fhanisch@uni-potsdam.de>
+Tested-by: Matthew Robbetts <wingfeathera@gmail.com>
+Tested-by: Michael Beer <beerml@sigma6audio.de>
+Cc: Daniel Mack <daniel@caiaq.de>
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1238,16 +1238,23 @@ static int parse_audio_feature_unit(stru
+ }
+ channels = (hdr->bLength - 7) / csize - 1;
+ bmaControls = hdr->bmaControls;
++ if (hdr->bLength < 7 + csize) {
++ snd_printk(KERN_ERR "usbaudio: unit %u: "
++ "invalid UAC_FEATURE_UNIT descriptor\n",
++ unitid);
++ return -EINVAL;
++ }
+ } else {
+ struct uac2_feature_unit_descriptor *ftr = _ftr;
+ csize = 4;
+ channels = (hdr->bLength - 6) / 4 - 1;
+ bmaControls = ftr->bmaControls;
+- }
+-
+- if (hdr->bLength < 7 || !csize || hdr->bLength < 7 + csize) {
+- snd_printk(KERN_ERR "usbaudio: unit %u: invalid UAC_FEATURE_UNIT descriptor\n", unitid);
+- return -EINVAL;
++ if (hdr->bLength < 6 + csize) {
++ snd_printk(KERN_ERR "usbaudio: unit %u: "
++ "invalid UAC_FEATURE_UNIT descriptor\n",
++ unitid);
++ return -EINVAL;
++ }
+ }
+
+ /* parse the source unit */
--- /dev/null
+From 0a9ab9bdb3e891762553f667066190c1d22ad62b Mon Sep 17 00:00:00 2001
+From: Anderson Lizardo <anderson.lizardo@openbossa.org>
+Date: Sun, 6 Jan 2013 18:28:53 -0400
+Subject: Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()
+
+From: Anderson Lizardo <anderson.lizardo@openbossa.org>
+
+commit 0a9ab9bdb3e891762553f667066190c1d22ad62b upstream.
+
+The length parameter should be sizeof(req->name) - 1 because there is no
+guarantee that string provided by userspace will contain the trailing
+'\0'.
+
+Can be easily reproduced by manually setting req->name to 128 non-zero
+bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on
+input subsystem:
+
+$ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name
+AAAAAA[...]AAAAAAAAf0:af:f0:af:f0:af
+
+("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys"
+field in struct hid_device due to overflow.)
+
+Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
+Acked-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hidp/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -934,7 +934,7 @@ static int hidp_setup_hid(struct hidp_se
+ hid->version = req->version;
+ hid->country = req->country;
+
+- strncpy(hid->name, req->name, 128);
++ strncpy(hid->name, req->name, sizeof(req->name) - 1);
+ strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64);
+ strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64);
+
--- /dev/null
+From 8024c4c0b1057d1cd811fc9c3f88f81de9729fcd Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 26 Jan 2013 10:49:24 +0300
+Subject: EDAC: Test correct variable in ->store function
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 8024c4c0b1057d1cd811fc9c3f88f81de9729fcd upstream.
+
+We're testing for ->show but calling ->store().
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/edac_pci_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/edac_pci_sysfs.c
++++ b/drivers/edac/edac_pci_sysfs.c
+@@ -257,7 +257,7 @@ static ssize_t edac_pci_dev_store(struct
+ struct edac_pci_dev_attribute *edac_pci_dev;
+ edac_pci_dev = (struct edac_pci_dev_attribute *)attr;
+
+- if (edac_pci_dev->show)
++ if (edac_pci_dev->store)
+ return edac_pci_dev->store(edac_pci_dev->value, buffer, count);
+ return -EIO;
+ }
bluetooth-fix-sending-hci-commands-after-reset.patch
ath9k_htc-fix-memory-leak.patch
ath9k-fix-double-free-bug-on-beacon-generate-failure.patch
+alsa-usb-audio-fix-invalid-length-check-for-rme-and-other-uac-2-devices.patch
+edac-test-correct-variable-in-store-function.patch
+bluetooth-fix-incorrect-strncpy-in-hidp_setup_hid.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
