4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Malcolm Priestley tvboxspy@gmail.com
commit 3d932ee27e852e4904647f15b64dedca51187ad7 upstream.
Warm start has no check as whether a genuine device has connected and proceeds to next execution path.
Check device should read 0x47 at offset of 2 on USB descriptor read and it is the amount requested of 6 bytes.
Fix for kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access as
Reported-by: Andrey Konovalov andreyknvl@google.com Signed-off-by: Malcolm Priestley tvboxspy@gmail.com Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com Cc: Ben Hutchings ben.hutchings@codethink.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-)
--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c +++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c @@ -503,18 +503,23 @@ static int lme2510_pid_filter(struct dvb
static int lme2510_return_status(struct dvb_usb_device *d) { - int ret = 0; + int ret; u8 *data;
- data = kzalloc(10, GFP_KERNEL); + data = kzalloc(6, GFP_KERNEL); if (!data) return -ENOMEM;
- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), - 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200); - info("Firmware Status: %x (%x)", ret , data[2]); + ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), + 0x06, 0x80, 0x0302, 0x00, + data, 0x6, 200); + if (ret != 6) + ret = -EINVAL; + else + ret = data[2]; + + info("Firmware Status: %6ph", data);
- ret = (ret < 0) ? -ENODEV : data[2]; kfree(data); return ret; } @@ -1199,6 +1204,7 @@ static int lme2510_get_adapter_count(str static int lme2510_identify_state(struct dvb_usb_device *d, const char **name) { struct lme2510_state *st = d->priv; + int status;
usb_reset_configuration(d->udev);
@@ -1207,12 +1213,16 @@ static int lme2510_identify_state(struct
st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
- if (lme2510_return_status(d) == 0x44) { + status = lme2510_return_status(d); + if (status == 0x44) { *name = lme_firmware_switch(d, 0); return COLD; }
- return 0; + if (status != 0x47) + return -EINVAL; + + return WARM; }
static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,