From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 30 Jan 2013 12:43:21 +0000 (+0100)
Subject: 3.0-stable patches
X-Git-Tag: v3.0.62~19
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=88e8c8134321fd8b053a44ceead4c84f950df64b;p=thirdparty%2Fkernel%2Fstable-queue.git

3.0-stable patches

added patches:
	alsa-usb-audio-fix-invalid-length-check-for-rme-and-other-uac-2-devices.patch
	bluetooth-fix-incorrect-strncpy-in-hidp_setup_hid.patch
	edac-test-correct-variable-in-store-function.patch
---

diff --git a/queue-3.0/alsa-usb-audio-fix-invalid-length-check-for-rme-and-other-uac-2-devices.patch b/queue-3.0/alsa-usb-audio-fix-invalid-length-check-for-rme-and-other-uac-2-devices.patch
new file mode 100644
index 00000000000..03f7f07bb24
--- /dev/null
+++ b/queue-3.0/alsa-usb-audio-fix-invalid-length-check-for-rme-and-other-uac-2-devices.patch
@@ -0,0 +1,58 @@
+From d56268fb108c7c21e19933588ca4d94652585183 Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch <clemens@ladisch.de>
+Date: Thu, 29 Nov 2012 17:04:23 +0100
+Subject: ALSA: usb-audio: fix invalid length check for RME and other UAC 2 devices
+
+From: Clemens Ladisch <clemens@ladisch.de>
+
+commit d56268fb108c7c21e19933588ca4d94652585183 upstream.
+
+Commit 23caaf19b11e (ALSA: usb-mixer: Add support for Audio Class v2.0)
+forgot to adjust the length check for UAC 2.0 feature unit descriptors.
+This would make the code abort on encountering a feature unit without
+per-channel controls, and thus prevented the driver to work with any
+device having such a unit, such as the RME Babyface or Fireface UCX.
+
+Reported-by: Florian Hanisch <fhanisch@uni-potsdam.de>
+Tested-by: Matthew Robbetts <wingfeathera@gmail.com>
+Tested-by: Michael Beer <beerml@sigma6audio.de>
+Cc: Daniel Mack <daniel@caiaq.de>
+Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/sound/usb/mixer.c
++++ b/sound/usb/mixer.c
+@@ -1238,16 +1238,23 @@ static int parse_audio_feature_unit(stru
+ 		}
+ 		channels = (hdr->bLength - 7) / csize - 1;
+ 		bmaControls = hdr->bmaControls;
++		if (hdr->bLength < 7 + csize) {
++			snd_printk(KERN_ERR "usbaudio: unit %u: "
++				   "invalid UAC_FEATURE_UNIT descriptor\n",
++				   unitid);
++			return -EINVAL;
++		}
+ 	} else {
+ 		struct uac2_feature_unit_descriptor *ftr = _ftr;
+ 		csize = 4;
+ 		channels = (hdr->bLength - 6) / 4 - 1;
+ 		bmaControls = ftr->bmaControls;
+-	}
+-
+-	if (hdr->bLength < 7 || !csize || hdr->bLength < 7 + csize) {
+-		snd_printk(KERN_ERR "usbaudio: unit %u: invalid UAC_FEATURE_UNIT descriptor\n", unitid);
+-		return -EINVAL;
++		if (hdr->bLength < 6 + csize) {
++			snd_printk(KERN_ERR "usbaudio: unit %u: "
++				   "invalid UAC_FEATURE_UNIT descriptor\n",
++				   unitid);
++			return -EINVAL;
++		}
+ 	}
+ 
+ 	/* parse the source unit */
diff --git a/queue-3.0/bluetooth-fix-incorrect-strncpy-in-hidp_setup_hid.patch b/queue-3.0/bluetooth-fix-incorrect-strncpy-in-hidp_setup_hid.patch
new file mode 100644
index 00000000000..7f323778fce
--- /dev/null
+++ b/queue-3.0/bluetooth-fix-incorrect-strncpy-in-hidp_setup_hid.patch
@@ -0,0 +1,43 @@
+From 0a9ab9bdb3e891762553f667066190c1d22ad62b Mon Sep 17 00:00:00 2001
+From: Anderson Lizardo <anderson.lizardo@openbossa.org>
+Date: Sun, 6 Jan 2013 18:28:53 -0400
+Subject: Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()
+
+From: Anderson Lizardo <anderson.lizardo@openbossa.org>
+
+commit 0a9ab9bdb3e891762553f667066190c1d22ad62b upstream.
+
+The length parameter should be sizeof(req->name) - 1 because there is no
+guarantee that string provided by userspace will contain the trailing
+'\0'.
+
+Can be easily reproduced by manually setting req->name to 128 non-zero
+bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on
+input subsystem:
+
+$ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name
+AAAAAA[...]AAAAAAAAf0:af:f0:af:f0:af
+
+("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys"
+field in struct hid_device due to overflow.)
+
+Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org>
+Acked-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hidp/core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -934,7 +934,7 @@ static int hidp_setup_hid(struct hidp_se
+ 	hid->version = req->version;
+ 	hid->country = req->country;
+ 
+-	strncpy(hid->name, req->name, 128);
++	strncpy(hid->name, req->name, sizeof(req->name) - 1);
+ 	strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64);
+ 	strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64);
+ 
diff --git a/queue-3.0/edac-test-correct-variable-in-store-function.patch b/queue-3.0/edac-test-correct-variable-in-store-function.patch
new file mode 100644
index 00000000000..5ab5d20c275
--- /dev/null
+++ b/queue-3.0/edac-test-correct-variable-in-store-function.patch
@@ -0,0 +1,30 @@
+From 8024c4c0b1057d1cd811fc9c3f88f81de9729fcd Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 26 Jan 2013 10:49:24 +0300
+Subject: EDAC: Test correct variable in ->store function
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 8024c4c0b1057d1cd811fc9c3f88f81de9729fcd upstream.
+
+We're testing for ->show but calling ->store().
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/edac_pci_sysfs.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/edac_pci_sysfs.c
++++ b/drivers/edac/edac_pci_sysfs.c
+@@ -257,7 +257,7 @@ static ssize_t edac_pci_dev_store(struct
+ 	struct edac_pci_dev_attribute *edac_pci_dev;
+ 	edac_pci_dev = (struct edac_pci_dev_attribute *)attr;
+ 
+-	if (edac_pci_dev->show)
++	if (edac_pci_dev->store)
+ 		return edac_pci_dev->store(edac_pci_dev->value, buffer, count);
+ 	return -EIO;
+ }
diff --git a/queue-3.0/series b/queue-3.0/series
index f5f0e64a4c9..b5c89eb4aba 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -6,3 +6,6 @@ arm-dma-fix-struct-page-iterator-in-dma_cache_maint-to-work-with-sparsemem.patch
 bluetooth-fix-sending-hci-commands-after-reset.patch
 ath9k_htc-fix-memory-leak.patch
 ath9k-fix-double-free-bug-on-beacon-generate-failure.patch
+alsa-usb-audio-fix-invalid-length-check-for-rme-and-other-uac-2-devices.patch
+edac-test-correct-variable-in-store-function.patch
+bluetooth-fix-incorrect-strncpy-in-hidp_setup_hid.patch