[PATCH] Fix snd-usb-audio in 32-bit compat environment
authorJuergen Kreileder <jk@blackdown.de>
Tue, 21 Feb 2006 02:28:00 +0000 (18:28 -0800)
committerLinus Torvalds <torvalds@g5.osdl.org>
Tue, 21 Feb 2006 04:00:10 +0000 (20:00 -0800)
I'm getting oopses with snd-usb-audio in 32-bit compat environments:
control_compat.c:get_ctl_type() doesn't initialize 'info', so
'itemlist[uinfo->value.enumerated.item]' in
usbmixer.c:mixer_ctl_selector_info() might access random memory (The 'if
((int)uinfo->value.enumerated.item >= cval->max)' doesn't fix all problems
because of the unsigned -> signed conversion.)

Signed-off-by: Juergen Kreileder <jk@blackdown.de>
Cc: Jaroslav Kysela <perex@suse.cz>
Acked-by: Takashi Iwai <tiwai@suse.de>
Cc: Greg KH <greg@kroah.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
sound/core/control_compat.c

index 418c6d4e5daf62b3a57e020c38aec140b4a54c32..a529b62972b46ea92b31b0990b9da6dedefb5213 100644 (file)
@@ -167,7 +167,7 @@ static int get_ctl_type(struct snd_card *card, struct snd_ctl_elem_id *id,
                        int *countp)
 {
        struct snd_kcontrol *kctl;
-       struct snd_ctl_elem_info info;
+       struct snd_ctl_elem_info *info;
        int err;
 
        down_read(&card->controls_rwsem);
@@ -176,13 +176,19 @@ static int get_ctl_type(struct snd_card *card, struct snd_ctl_elem_id *id,
                up_read(&card->controls_rwsem);
                return -ENXIO;
        }
-       info.id = *id;
-       err = kctl->info(kctl, &info);
+       info = kzalloc(sizeof(*info), GFP_KERNEL);
+       if (info == NULL) {
+               up_read(&card->controls_rwsem);
+               return -ENOMEM;
+       }
+       info->id = *id;
+       err = kctl->info(kctl, info);
        up_read(&card->controls_rwsem);
        if (err >= 0) {
-               err = info.type;
-               *countp = info.count;
+               err = info->type;
+               *countp = info->count;
        }
+       kfree(info);
        return err;
 }