From: Malcolm Priestley tvboxspy@gmail.com
This patch has been added to the 4.1 stable tree. If you have any objections, please let us know.
===============
[ Upstream commit 3d932ee27e852e4904647f15b64dedca51187ad7 ]
Warm start has no check as whether a genuine device has connected and proceeds to next execution path.
Check device should read 0x47 at offset of 2 on USB descriptor read and it is the amount requested of 6 bytes.
Fix for kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access as
Reported-by: Andrey Konovalov andreyknvl@google.com Signed-off-by: Malcolm Priestley tvboxspy@gmail.com Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com Signed-off-by: Sasha Levin alexander.levin@microsoft.com --- drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c index 5de6f7c04d09..a98cdf8e5ac1 100644 --- a/drivers/media/usb/dvb-usb-v2/lmedm04.c +++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c @@ -444,18 +444,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter *adap, int index, u16 pid,
static int lme2510_return_status(struct dvb_usb_device *d) { - int ret = 0; + int ret; u8 *data;
- data = kzalloc(10, GFP_KERNEL); + data = kzalloc(6, GFP_KERNEL); if (!data) return -ENOMEM;
- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), - 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200); - info("Firmware Status: %x (%x)", ret , data[2]); + ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), + 0x06, 0x80, 0x0302, 0x00, + data, 0x6, 200); + if (ret != 6) + ret = -EINVAL; + else + ret = data[2]; + + info("Firmware Status: %6ph", data);
- ret = (ret < 0) ? -ENODEV : data[2]; kfree(data); return ret; } @@ -1150,6 +1155,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_device *d) static int lme2510_identify_state(struct dvb_usb_device *d, const char **name) { struct lme2510_state *st = d->priv; + int status;
usb_reset_configuration(d->udev);
@@ -1158,12 +1164,16 @@ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
- if (lme2510_return_status(d) == 0x44) { + status = lme2510_return_status(d); + if (status == 0x44) { *name = lme_firmware_switch(d, 0); return COLD; }
- return 0; + if (status != 0x47) + return -EINVAL; + + return WARM; }
static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,