From 37f7ec38ea5c31180461f82e895e13fdd549b595 Mon Sep 17 00:00:00 2001
From: Jesper Juhl <jj@chaosbits.net>
Date: Mon, 13 Jun 2011 23:52:02 +0200
Subject: ALSA: 6fire: Fix double-free bug in usb6fire_fw_ezusb_upload()

We have a double-free bug in
sound/usb/6fire/firmware.c::usb6fire_fw_ezusb_upload().
We already call release_firmware(fw) on line 258, so when we then do it
again after usb6fire_fw_ezusb_write() returns <0, we have a double-free.
Easily fixed by just removing the last call to release_firmware().

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/usb/6fire/firmware.c | 1 -
 1 file changed, 1 deletion(-)

(limited to 'sound/usb/6fire')

diff --git a/sound/usb/6fire/firmware.c b/sound/usb/6fire/firmware.c
index a91719d5918b..1e3ae3327dd3 100644
--- a/sound/usb/6fire/firmware.c
+++ b/sound/usb/6fire/firmware.c
@@ -270,7 +270,6 @@ static int usb6fire_fw_ezusb_upload(
 	data = 0x00; /* resume ezusb cpu */
 	ret = usb6fire_fw_ezusb_write(device, 0xa0, 0xe600, &data, 1);
 	if (ret < 0) {
-		release_firmware(fw);
 		snd_printk(KERN_ERR PREFIX "unable to upload ezusb "
 				"firmware %s: end message.\n", fwname);
 		return ret;
-- 
cgit v1.2.3


From 0ec5258d68c626922d92e2f0e4e5c689e5360a5d Mon Sep 17 00:00:00 2001
From: Torsten Schenk <torsten.schenk@zoho.com>
Date: Thu, 16 Jun 2011 21:06:27 +0200
Subject: ALSA: 6fire - Fix signedness bug

Fixed remaining issues of the signedness bug discovered by Dan Carpenter.
A check was remaining that tests if unsigned rt->rate is >= 0.
Changed that so that rt->rate now consistently uses ARRAY_SIZE(rates)
as invalid rate value and not -1.

Signed-off-by: Torsten Schenk <torsten.schenk@zoho.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 sound/usb/6fire/pcm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'sound/usb/6fire')

diff --git a/sound/usb/6fire/pcm.c b/sound/usb/6fire/pcm.c
index b137b25865cc..d144cdb2f159 100644
--- a/sound/usb/6fire/pcm.c
+++ b/sound/usb/6fire/pcm.c
@@ -395,12 +395,12 @@ static int usb6fire_pcm_open(struct snd_pcm_substream *alsa_sub)
 	alsa_rt->hw = pcm_hw;
 
 	if (alsa_sub->stream == SNDRV_PCM_STREAM_PLAYBACK) {
-		if (rt->rate >= 0)
+		if (rt->rate < ARRAY_SIZE(rates))
 			alsa_rt->hw.rates = rates_alsaid[rt->rate];
 		alsa_rt->hw.channels_max = OUT_N_CHANNELS;
 		sub = &rt->playback;
 	} else if (alsa_sub->stream == SNDRV_PCM_STREAM_CAPTURE) {
-		if (rt->rate >= 0)
+		if (rt->rate < ARRAY_SIZE(rates))
 			alsa_rt->hw.rates = rates_alsaid[rt->rate];
 		alsa_rt->hw.channels_max = IN_N_CHANNELS;
 		sub = &rt->capture;
-- 
cgit v1.2.3