This is a note to let you know that I've just added the patch titled ALSA: line6: fix stack overflow in line6_midi_transmit to the 6.0-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: alsa-line6-fix-stack-overflow-in-line6_midi_transmit.patch and it can be found in the queue-6.0 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From b8800d324abb50160560c636bfafe2c81001b66c Mon Sep 17 00:00:00 2001 From: Artem Egorkine <arteme@xxxxxxxxx> Date: Sun, 25 Dec 2022 12:57:28 +0200 Subject: ALSA: line6: fix stack overflow in line6_midi_transmit From: Artem Egorkine <arteme@xxxxxxxxx> commit b8800d324abb50160560c636bfafe2c81001b66c upstream. Correctly calculate available space including the size of the chunk buffer. This fixes a buffer overflow when multiple MIDI sysex messages are sent to a PODxt device. Signed-off-by: Artem Egorkine <arteme@xxxxxxxxx> Cc: <stable@xxxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20221225105728.1153989-2-arteme@xxxxxxxxx Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- sound/usb/line6/midi.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/sound/usb/line6/midi.c +++ b/sound/usb/line6/midi.c @@ -44,7 +44,8 @@ static void line6_midi_transmit(struct s int req, done; for (;;) { - req = min(line6_midibuf_bytes_free(mb), line6->max_packet_size); + req = min3(line6_midibuf_bytes_free(mb), line6->max_packet_size, + LINE6_FALLBACK_MAXPACKETSIZE); done = snd_rawmidi_transmit_peek(substream, chunk, req); if (done == 0) Patches currently in stable-queue which might be from arteme@xxxxxxxxx are queue-6.0/alsa-line6-fix-stack-overflow-in-line6_midi_transmit.patch queue-6.0/alsa-line6-correct-midi-status-byte-when-receiving-data-from-podxt.patch