[patch 21/39] [PATCH] Fix snd-usb-audio in 32-bit compat environment

From: Chris Wright
Date: Mon Feb 27 2006 - 17:32:35 EST

Next message: Chris Wright: "[patch 36/39] [PATCH] sbp2: fix another deadlock after disconnection"
Previous message: Chris Wright: "[patch 20/39] [PATCH] hwmon it87: Probe i2c 0x2d only"
In reply to: Chris Wright: "[patch 20/39] [PATCH] hwmon it87: Probe i2c 0x2d only"
Next in thread: Chris Wright: "[patch 36/39] [PATCH] sbp2: fix another deadlock after disconnection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-stable review patch. If anyone has any objections, please let us know.
------------------

I'm getting oopses with snd-usb-audio in 32-bit compat environments:
control_compat.c:get_ctl_type() doesn't initialize 'info', so
'itemlist[uinfo->value.enumerated.item]' in
usbmixer.c:mixer_ctl_selector_info() might access random memory (The 'if
((int)uinfo->value.enumerated.item >= cval->max)' doesn't fix all problems
because of the unsigned -> signed conversion.)

Signed-off-by: Juergen Kreileder <jk@xxxxxxxxxxxx>
Cc: Jaroslav Kysela <perex@xxxxxxx>
Acked-by: Takashi Iwai <tiwai@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---

sound/core/control_compat.c | 16 +++++++++++-----
1 files changed, 11 insertions(+), 5 deletions(-)

--- linux-2.6.15.4.orig/sound/core/control_compat.c
+++ linux-2.6.15.4/sound/core/control_compat.c
@@ -164,7 +164,7 @@ struct sndrv_ctl_elem_value32 {
static int get_ctl_type(snd_card_t *card, snd_ctl_elem_id_t *id, int *countp)
{
snd_kcontrol_t *kctl;
- snd_ctl_elem_info_t info;
+ snd_ctl_elem_info_t *info;
int err;

down_read(&card->controls_rwsem);
@@ -173,13 +173,19 @@ static int get_ctl_type(snd_card_t *card
up_read(&card->controls_rwsem);
return -ENXIO;
}
- info.id = *id;
- err = kctl->info(kctl, &info);
+ info = kzalloc(sizeof(*info), GFP_KERNEL);
+ if (info == NULL) {
+ up_read(&card->controls_rwsem);
+ return -ENOMEM;
+ }
+ info->id = *id;
+ err = kctl->info(kctl, info);
up_read(&card->controls_rwsem);
if (err >= 0) {
- err = info.type;
- *countp = info.count;
+ err = info->type;
+ *countp = info->count;
}
+ kfree(info);
return err;
}

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wright: "[patch 36/39] [PATCH] sbp2: fix another deadlock after disconnection"
Previous message: Chris Wright: "[patch 20/39] [PATCH] hwmon it87: Probe i2c 0x2d only"
In reply to: Chris Wright: "[patch 20/39] [PATCH] hwmon it87: Probe i2c 0x2d only"
Next in thread: Chris Wright: "[patch 36/39] [PATCH] sbp2: fix another deadlock after disconnection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]