From 222ff9f11a25d6c87b172a95c08b749c2d0c9905 Mon Sep 17 00:00:00 2001
From: Chris Wright
Date: Mon, 20 Feb 2006 22:03:38 -0800
Subject: [PATCH] Fix oops in snd-usb-audio in 32-bit compat environments.
---
...b-audio-in-32-bit-compat-environment.patch | 63 +++++++++++++++++++
queue/series | 1 +
2 files changed, 64 insertions(+)
create mode 100644 queue/fix-snd-usb-audio-in-32-bit-compat-environment.patch
diff --git a/queue/fix-snd-usb-audio-in-32-bit-compat-environment.patch b/queue/fix-snd-usb-audio-in-32-bit-compat-environment.patch
new file mode 100644
index 00000000000..9dfb1c11805
--- /dev/null
+++ b/queue/fix-snd-usb-audio-in-32-bit-compat-environment.patch
@@ -0,0 +1,63 @@
+From stable-bounces@linux.kernel.org Mon Feb 20 18:32:46 2006
+Date: Mon, 20 Feb 2006 18:28:00 -0800
+From: akpm@osdl.org
+To: torvalds@osdl.org
+Cc: tiwai@suse.de, greg@kroah.com, jk@blackdown.de, stable@kernel.org, perex@suse.cz
+Subject: [PATCH] Fix snd-usb-audio in 32-bit compat environment
+
+From: Juergen Kreileder
+
+I'm getting oopses with snd-usb-audio in 32-bit compat environments:
+control_compat.c:get_ctl_type() doesn't initialize 'info', so
+'itemlist[uinfo->value.enumerated.item]' in
+usbmixer.c:mixer_ctl_selector_info() might access random memory (The 'if
+((int)uinfo->value.enumerated.item >= cval->max)' doesn't fix all problems
+because of the unsigned -> signed conversion.)
+
+Signed-off-by: Juergen Kreileder
+Cc: Jaroslav Kysela
+Acked-by: Takashi Iwai
+Cc: Greg KH
+Cc:
+Signed-off-by: Andrew Morton
+Signed-off-by: Chris Wright
+---
+
+ sound/core/control_compat.c | 16 +++++++++++-----
+ 1 files changed, 11 insertions(+), 5 deletions(-)
+
+--- linux-2.6.15.4.orig/sound/core/control_compat.c
++++ linux-2.6.15.4/sound/core/control_compat.c
+@@ -164,7 +164,7 @@ struct sndrv_ctl_elem_value32 {
+ static int get_ctl_type(snd_card_t *card, snd_ctl_elem_id_t *id, int *countp)
+ {
+ snd_kcontrol_t *kctl;
+- snd_ctl_elem_info_t info;
++ snd_ctl_elem_info_t *info;
+ int err;
+
+ down_read(&card->controls_rwsem);
+@@ -173,13 +173,19 @@ static int get_ctl_type(snd_card_t *card
+ up_read(&card->controls_rwsem);
+ return -ENXIO;
+ }
+- info.id = *id;
+- err = kctl->info(kctl, &info);
++ info = kzalloc(sizeof(*info), GFP_KERNEL);
++ if (info == NULL) {
++ up_read(&card->controls_rwsem);
++ return -ENOMEM;
++ }
++ info->id = *id;
++ err = kctl->info(kctl, info);
+ up_read(&card->controls_rwsem);
+ if (err >= 0) {
+- err = info.type;
+- *countp = info.count;
++ err = info->type;
++ *countp = info->count;
+ }
++ kfree(info);
+ return err;
+ }
+
diff --git a/queue/series b/queue/series
index 3e18dacc8ac..0dcce1fad29 100644
--- a/queue/series
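Review bot: The zero-fill from `kzalloc` at the added `info = kzalloc(sizeof(*info), GFP_KERNEL);` line is what closes the bug described in the message, yet nothing in the code says so, so a later switch to `kmalloc` or back to a stack variable would silently hand uninitialised bytes to `kctl->info()` again. I would add a comment above the allocation such as `/* must be zeroed: ->info() callbacks read fields like value.enumerated.item as input */`. The description also says the `(int)uinfo->value.enumerated.item >= cval->max` check in usbmixer.c does not cover every value because of the unsigned-to-signed conversion; that check is not touched here, so it presumably still deserves its own fix for any other caller that passes an unvalidated item. The part of get_ctl_type() between the two inner hunks is not shown.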
+++ b/queue/series
@@ -18,3 +18,4 @@ fix-deadlock-in-ext2.patch
 sys_mbind-sanity-checking.patch
 it87-fix-oops-on-removal.patch
 hwmon-it87-probe-i2c-0x2d-only.patch
+fix-snd-usb-audio-in-32-bit-compat-environment.patch
--
2.47.3