ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream()...

[pandora-kernel.git] / sound / usb / quirks.c
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c

index a3ddac0..a880e24 100644 (file)
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -132,10 +132,15 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
         unsigned *rate_table = NULL;
  
         fp = kmemdup(quirk->data, sizeof(*fp), GFP_KERNEL);
-       if (! fp) {
+       if (!fp) {
                 snd_printk(KERN_ERR "cannot memdup\n");
                 return -ENOMEM;
         }
+       INIT_LIST_HEAD(&fp->list);
+       if (fp->nr_rates > MAX_NR_RATES) {
+               kfree(fp);
+               return -EINVAL;
+       }
         if (fp->nr_rates > 0) {
                 rate_table = kmemdup(fp->rate_table,
                                      sizeof(int) * fp->nr_rates, GFP_KERNEL);
@@ -149,24 +154,31 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
         stream = (fp->endpoint & USB_DIR_IN)
                 ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
         err = snd_usb_add_audio_stream(chip, stream, fp);
-       if (err < 0) {
-               kfree(fp);
-               kfree(rate_table);
-               return err;
-       }
+       if (err < 0)
+               goto error;
         if (fp->iface != get_iface_desc(&iface->altsetting[0])->bInterfaceNumber ||
             fp->altset_idx >= iface->num_altsetting) {
-               kfree(fp);
-               kfree(rate_table);
-               return -EINVAL;
+               err = -EINVAL;
+               goto error;
         }
         alts = &iface->altsetting[fp->altset_idx];
+       if (get_iface_desc(alts)->bNumEndpoints < 1) {
+               err = -EINVAL;
+               goto error;
+       }
+
         fp->datainterval = snd_usb_parse_datainterval(chip, alts);
         fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
         usb_set_interface(chip->dev, fp->iface, 0);
         snd_usb_init_pitch(chip, fp->iface, alts, fp);
         snd_usb_init_sample_rate(chip, fp->iface, alts, fp, fp->rate_max);
         return 0;
+
+ error:
+       list_del(&fp->list); /* unlink for avoiding double-free */
+       kfree(fp);
+       kfree(rate_table);
+       return err;
  }
  
  /*
@@ -233,6 +245,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
         fp->ep_attr = get_endpoint(alts, 0)->bmAttributes;
         fp->datainterval = 0;
         fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
+       INIT_LIST_HEAD(&fp->list);
  
         switch (fp->maxpacksize) {
         case 0x120:
@@ -256,6 +269,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
                 ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
         err = snd_usb_add_audio_stream(chip, stream, fp);
         if (err < 0) {
+               list_del(&fp->list); /* unlink for avoiding double-free */
                 kfree(fp);
                 return err;
         }
@@ -307,6 +321,7 @@ int snd_usb_create_quirk(struct snd_usb_audio *chip,
                 [QUIRK_MIDI_CME] = create_any_midi_quirk,
                 [QUIRK_MIDI_AKAI] = create_any_midi_quirk,
                 [QUIRK_MIDI_FTDI] = create_any_midi_quirk,
+               [QUIRK_MIDI_CH345] = create_any_midi_quirk,
                 [QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk,
                 [QUIRK_AUDIO_FIXED_ENDPOINT] = create_fixed_stream_quirk,
                 [QUIRK_AUDIO_EDIROL_UAXX] = create_uaxx_quirk,
@@ -383,11 +398,13 @@ static int snd_usb_fasttrackpro_boot_quirk(struct usb_device *dev)
                  * rules
                  */
                 err = usb_driver_set_configuration(dev, 2);
-               if (err < 0) {
+               if (err < 0)
                         snd_printdd("error usb_driver_set_configuration: %d\n",
                                     err);
-                       return -ENODEV;
-               }
+               /* Always return an error, so that we stop creating a device
+                  that will just be destroyed and recreated with a new
+                  configuration */
+               return -ENODEV;
         } else
                 snd_printk(KERN_INFO "usb-audio: Fast Track Pro config OK\n");
  
@@ -480,7 +497,7 @@ static int snd_usb_nativeinstruments_boot_quirk(struct usb_device *dev)
  {
         int ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
                                   0xaf, USB_TYPE_VENDOR | USB_RECIP_DEVICE,
-                                 cpu_to_le16(1), 0, NULL, 0, 1000);
+                                 1, 0, NULL, 0, 1000);
  
         if (ret < 0)
                 return ret;
@@ -742,6 +759,7 @@ static void set_format_emu_quirk(struct snd_usb_substream *subs,
                 break;
         }
         snd_emuusb_set_samplerate(subs->stream->chip, emu_samplerate_id);
+       subs->pkt_offset_adj = (emu_samplerate_id >= EMU_QUIRK_SR_176400HZ) ? 4 : 0;
  }
  
  void snd_usb_set_format_quirk(struct snd_usb_substream *subs,