Piteball
/
android_kernel_samsung_msm8226
mirror of https://github.com/S3NEO/android_kernel_samsung_msm8226.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

USB: rio500: refuse more than one device at a time 

commit 3864d33943b4a76c6e64616280e98d2410b1190f upstream.

This driver is using a global variable. It cannot handle more than
one device at a time. The issue has been existing since the dawn
of the driver.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+35f04d136fc975a70da4@syzkaller.appspotmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
CVE-2019-15212
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Change-Id: I96bac47f327839f08944cb047f20e328ed8e3473
This commit is contained in:
Oliver Neukum 2019-05-09 11:30:58 +02:00 committed by matteo0026
parent d5b896def0
commit 125c6332eb
1 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
drivers/usb/misc/rio500.c
View File

@ -453,14 +453,22 @@ static int probe_rio(struct usb_interface *intf,
{
struct usb_device *dev = interface_to_usbdev(intf);
struct rio_usb_data *rio = &rio_instance;
int retval;
int retval = 0;
dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
mutex_lock(&rio500_mutex);
if (rio->present) {
dev_info(&intf->dev, "Second USB Rio at address %d refused\n", dev->devnum);
retval = -EBUSY;
goto bail_out;
} else {
dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
}
retval = usb_register_dev(intf, &usb_rio_class);
if (retval) {
err("Not able to get a minor for this device.");
return -ENOMEM;
retval = -ENOMEM;
goto bail_out;
}
rio->rio_dev = dev;
@ -468,7 +476,8 @@ static int probe_rio(struct usb_interface *intf,
if (!(rio->obuf = kmalloc(OBUF_SIZE, GFP_KERNEL))) {
err("probe_rio: Not enough memory for the output buffer");
usb_deregister_dev(intf, &usb_rio_class);
return -ENOMEM;
retval = -ENOMEM;
goto bail_out;
}
dbg("probe_rio: obuf address:%pK", rio->obuf);
@ -476,7 +485,8 @@ static int probe_rio(struct usb_interface *intf,
err("probe_rio: Not enough memory for the input buffer");
usb_deregister_dev(intf, &usb_rio_class);
kfree(rio->obuf);
return -ENOMEM;
retval = -ENOMEM;
goto bail_out;
}
dbg("probe_rio: ibuf address:%pK", rio->ibuf);
@ -484,8 +494,10 @@ static int probe_rio(struct usb_interface *intf,
usb_set_intfdata (intf, rio);
rio->present = 1;
bail_out:
mutex_unlock(&rio500_mutex);
return 0;
return retval;
}
static void disconnect_rio(struct usb_interface *intf)