[PATCH 4.9 12/88] media: dvb-usb-v2: lmedm04: Improve logic checking of warm start

Thu, 15 Feb 2018 07:26:13 -0800 

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvbox...@gmail.com>

commit 3d932ee27e852e4904647f15b64dedca51187ad7 upstream.

Warm start has no check as whether a genuine device has
connected and proceeds to next execution path.

Check device should read 0x47 at offset of 2 on USB descriptor read
and it is the amount requested of 6 bytes.

Fix for
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access as

Reported-by: Andrey Konovalov <andreyk...@google.com>
Signed-off-by: Malcolm Priestley <tvbox...@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mche...@s-opensource.com>
Cc: Ben Hutchings <ben.hutchi...@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---
 drivers/media/usb/dvb-usb-v2/lmedm04.c |   26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
@@ -504,18 +504,23 @@ static int lme2510_pid_filter(struct dvb
 
 static int lme2510_return_status(struct dvb_usb_device *d)
 {
-       int ret = 0;
+       int ret;
        u8 *data;
 
-       data = kzalloc(10, GFP_KERNEL);
+       data = kzalloc(6, GFP_KERNEL);
        if (!data)
                return -ENOMEM;
 
-       ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
-                       0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
-       info("Firmware Status: %x (%x)", ret , data[2]);
+       ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
+                             0x06, 0x80, 0x0302, 0x00,
+                             data, 0x6, 200);
+       if (ret != 6)
+               ret = -EINVAL;
+       else
+               ret = data[2];
+
+       info("Firmware Status: %6ph", data);
 
-       ret = (ret < 0) ? -ENODEV : data[2];
        kfree(data);
        return ret;
 }
@@ -1200,6 +1205,7 @@ static int lme2510_get_adapter_count(str
 static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
 {
        struct lme2510_state *st = d->priv;
+       int status;
 
        usb_reset_configuration(d->udev);
 
@@ -1208,12 +1214,16 @@ static int lme2510_identify_state(struct
 
        st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
 
-       if (lme2510_return_status(d) == 0x44) {
+       status = lme2510_return_status(d);
+       if (status == 0x44) {
                *name = lme_firmware_switch(d, 0);
                return COLD;
        }
 
-       return 0;
+       if (status != 0x47)
+               return -EINVAL;
+
+       return WARM;
 }
 
 static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,

Reply via email to