Fix oops in snd-usb-audio in 32-bit compat environments.

author Chris Wright <chrisw@sous-sol.org>

Tue, 21 Feb 2006 06:03:38 +0000 (22:03 -0800)

committer Chris Wright <chrisw@sous-sol.org>

Tue, 21 Feb 2006 06:03:38 +0000 (22:03 -0800)
author Chris Wright <chrisw@sous-sol.org>
Tue, 21 Feb 2006 06:03:38 +0000 (22:03 -0800)
committer Chris Wright <chrisw@sous-sol.org>
Tue, 21 Feb 2006 06:03:38 +0000 (22:03 -0800)
diff --git a/queue/fix-snd-usb-audio-in-32-bit-compat-environment.patch b/queue/fix-snd-usb-audio-in-32-bit-compat-environment.patch

new file mode 100644 (file)

index 0000000..9dfb1c1
--- /dev/null
+++ b/queue/fix-snd-usb-audio-in-32-bit-compat-environment.patch
@@ -0,0 +1,63 @@
+From stable-bounces@linux.kernel.org  Mon Feb 20 18:32:46 2006
+Date: Mon, 20 Feb 2006 18:28:00 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: tiwai@suse.de, greg@kroah.com, jk@blackdown.de, stable@kernel.org, perex@suse.cz
+Subject: [PATCH] Fix snd-usb-audio in 32-bit compat environment
+
+From: Juergen Kreileder <jk@blackdown.de>
+
+I'm getting oopses with snd-usb-audio in 32-bit compat environments:
+control_compat.c:get_ctl_type() doesn't initialize 'info', so
+'itemlist[uinfo->value.enumerated.item]' in
+usbmixer.c:mixer_ctl_selector_info() might access random memory (The 'if
+((int)uinfo->value.enumerated.item >= cval->max)' doesn't fix all problems
+because of the unsigned -> signed conversion.)
+
+Signed-off-by: Juergen Kreileder <jk@blackdown.de>
+Cc: Jaroslav Kysela <perex@suse.cz>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+Cc: Greg KH <greg@kroah.com>
+Cc: <stable@kernel.org>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+
+ sound/core/control_compat.c |   16 +++++++++++-----
+ 1 files changed, 11 insertions(+), 5 deletions(-)
+
+--- linux-2.6.15.4.orig/sound/core/control_compat.c
++++ linux-2.6.15.4/sound/core/control_compat.c
+@@ -164,7 +164,7 @@ struct sndrv_ctl_elem_value32 {
+ static int get_ctl_type(snd_card_t *card, snd_ctl_elem_id_t *id, int *countp)
+ {
+       snd_kcontrol_t *kctl;
+-      snd_ctl_elem_info_t info;
++      snd_ctl_elem_info_t *info;
+       int err;
+ 
+       down_read(&card->controls_rwsem);
+@@ -173,13 +173,19 @@ static int get_ctl_type(snd_card_t *card
+               up_read(&card->controls_rwsem);
+               return -ENXIO;
+       }
+-      info.id = *id;
+-      err = kctl->info(kctl, &info);
++      info = kzalloc(sizeof(*info), GFP_KERNEL);
++      if (info == NULL) {
++              up_read(&card->controls_rwsem);
++              return -ENOMEM;
++      }
++      info->id = *id;
++      err = kctl->info(kctl, info);
+       up_read(&card->controls_rwsem);
+       if (err >= 0) {
+-              err = info.type;
+-              *countp = info.count;
++              err = info->type;
++              *countp = info->count;
+       }
++      kfree(info);
+       return err;
+ }
+ 
diff --git a/queue/series b/queue/series

index 3e18dacc8ac92cec9cdccf89cb50d49d3b235672..0dcce1fad298d3b122170596766c07da77ee5f3e 100644 (file)
--- a/queue/series
+++ b/queue/series
@@ -18,3 +18,4 @@ fix-deadlock-in-ext2.patch
  sys_mbind-sanity-checking.patch
  it87-fix-oops-on-removal.patch
  hwmon-it87-probe-i2c-0x2d-only.patch
+fix-snd-usb-audio-in-32-bit-compat-environment.patch
author	Chris Wright <chrisw@sous-sol.org>
	Tue, 21 Feb 2006 06:03:38 +0000 (22:03 -0800)
committer	Chris Wright <chrisw@sous-sol.org>
	Tue, 21 Feb 2006 06:03:38 +0000 (22:03 -0800)
queue/fix-snd-usb-audio-in-32-bit-compat-environment.patch	[new file with mode: 0644]	patch \| blob
queue/series		patch \| blob \| blame \| history