USB: rio500: refuse more than one device at a time
commit 3864d33943b4a76c6e64616280e98d2410b1190f upstream. This driver is using a global variable. It cannot handle more than one device at a time. The issue has been existing since the dawn of the driver. Signed-off-by: Oliver Neukum <oneukum@suse.com> Reported-by: syzbot+35f04d136fc975a70da4@syzkaller.appspotmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> CVE-2019-15212 Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org> Change-Id: I96bac47f327839f08944cb047f20e328ed8e3473
This commit is contained in:
parent
d5b896def0
commit
125c6332eb
|
@ -453,14 +453,22 @@ static int probe_rio(struct usb_interface *intf,
|
|||
{
|
||||
struct usb_device *dev = interface_to_usbdev(intf);
|
||||
struct rio_usb_data *rio = &rio_instance;
|
||||
int retval;
|
||||
int retval = 0;
|
||||
|
||||
dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
|
||||
mutex_lock(&rio500_mutex);
|
||||
if (rio->present) {
|
||||
dev_info(&intf->dev, "Second USB Rio at address %d refused\n", dev->devnum);
|
||||
retval = -EBUSY;
|
||||
goto bail_out;
|
||||
} else {
|
||||
dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
|
||||
}
|
||||
|
||||
retval = usb_register_dev(intf, &usb_rio_class);
|
||||
if (retval) {
|
||||
err("Not able to get a minor for this device.");
|
||||
return -ENOMEM;
|
||||
retval = -ENOMEM;
|
||||
goto bail_out;
|
||||
}
|
||||
|
||||
rio->rio_dev = dev;
|
||||
|
@ -468,7 +476,8 @@ static int probe_rio(struct usb_interface *intf,
|
|||
if (!(rio->obuf = kmalloc(OBUF_SIZE, GFP_KERNEL))) {
|
||||
err("probe_rio: Not enough memory for the output buffer");
|
||||
usb_deregister_dev(intf, &usb_rio_class);
|
||||
return -ENOMEM;
|
||||
retval = -ENOMEM;
|
||||
goto bail_out;
|
||||
}
|
||||
dbg("probe_rio: obuf address:%pK", rio->obuf);
|
||||
|
||||
|
@ -476,7 +485,8 @@ static int probe_rio(struct usb_interface *intf,
|
|||
err("probe_rio: Not enough memory for the input buffer");
|
||||
usb_deregister_dev(intf, &usb_rio_class);
|
||||
kfree(rio->obuf);
|
||||
return -ENOMEM;
|
||||
retval = -ENOMEM;
|
||||
goto bail_out;
|
||||
}
|
||||
dbg("probe_rio: ibuf address:%pK", rio->ibuf);
|
||||
|
||||
|
@ -484,8 +494,10 @@ static int probe_rio(struct usb_interface *intf,
|
|||
|
||||
usb_set_intfdata (intf, rio);
|
||||
rio->present = 1;
|
||||
bail_out:
|
||||
mutex_unlock(&rio500_mutex);
|
||||
|
||||
return 0;
|
||||
return retval;
|
||||
}
|
||||
|
||||
static void disconnect_rio(struct usb_interface *intf)
|
||||
|
|
Loading…
Reference in New Issue