--- /dev/null
+From 7ee7663da07717a1b31ce60d2ebf12d2058ee975 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Wed, 18 Jun 2014 13:32:35 +0200
+Subject: [PATCH] ALSA: control: Make sure that id->index does not overflow
+
+commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream.
+
+The ALSA control code expects that the range of assigned indices to a control is
+continuous and does not overflow. Currently there are no checks to enforce this.
+If a control with a overflowing index range is created that control becomes
+effectively inaccessible and unremovable since snd_ctl_find_id() will not be
+able to find it. This patch adds a check that makes sure that controls with a
+overflowing index range can not be created.
+
+Fixes CVE-2014-4656
+Upstream-Status: Backport
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ sound/core/control.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/core/control.c b/sound/core/control.c
+index 93215b4..98a29b2 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -343,6 +343,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol)
+ if (snd_BUG_ON(!card || !kcontrol->info))
+ goto error;
+ id = kcontrol->id;
++ if (id.index > UINT_MAX - kcontrol->count)
++ goto error;
++
+ down_write(&card->controls_rwsem);
+ if (snd_ctl_find_id(card, &id)) {
+ up_write(&card->controls_rwsem);
+--
+1.9.1
+
--- /dev/null
+From 669982364299f6f22bea4324f0f7ee8f8a361b87 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Wed, 18 Jun 2014 13:32:34 +0200
+Subject: [PATCH] ALSA: control: Handle numid overflow
+
+commit ac902c112d90a89e59916f751c2745f4dbdbb4bd upstream.
+
+Each control gets automatically assigned its numids when the control is created.
+The allocation is done by incrementing the numid by the amount of allocated
+numids per allocation. This means that excessive creation and destruction of
+controls (e.g. via SNDRV_CTL_IOCTL_ELEM_ADD/REMOVE) can cause the id to
+eventually overflow. Currently when this happens for the control that caused the
+overflow kctl->id.numid + kctl->count will also over flow causing it to be
+smaller than kctl->id.numid. Most of the code assumes that this is something
+that can not happen, so we need to make sure that it won't happen
+
+Fixes CVE-2014-4656
+Upstream-Status: Backport
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Acked-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ sound/core/control.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sound/core/control.c b/sound/core/control.c
+index d4a597f..93215b4 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -289,6 +289,10 @@ static bool snd_ctl_remove_numid_conflict(struct snd_card *card,
+ {
+ struct snd_kcontrol *kctl;
+
++ /* Make sure that the ids assigned to the control do not wrap around */
++ if (card->last_numid >= UINT_MAX - count)
++ card->last_numid = 0;
++
+ list_for_each_entry(kctl, &card->controls, list) {
+ if (kctl->id.numid < card->last_numid + 1 + count &&
+ kctl->id.numid + kctl->count > card->last_numid + 1) {
+--
+1.9.1
+
