From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-co1nam03on0135.outbound.protection.outlook.com ([104.47.40.135]:48864 "EHLO NAM03-CO1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1032395AbeCAPeE (ORCPT ); Thu, 1 Mar 2018 10:34:04 -0500
From: Sasha Levin
To: "stable@vger.kernel.org" , "stable-commits@vger.kernel.org"
CC: Malcolm Priestley , Mauro Carvalho Chehab , Sasha Levin
Subject: [added to the 4.1 stable tree] media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
Date: Thu, 1 Mar 2018 15:25:59 +0000
Message-ID: <20180301152116.1486-322-alexander.levin@microsoft.com>
References: <20180301152116.1486-1-alexander.levin@microsoft.com>
In-Reply-To: <20180301152116.1486-1-alexander.levin@microsoft.com>
Content-Language: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
List-ID:

From: Malcolm Priestley

This patch has been added to the 4.1 stable tree. If you have any
objections, please let us know.

===============

[ Upstream commit 3d932ee27e852e4904647f15b64dedca51187ad7 ]

Warm start has no check as whether a genuine device has
connected and proceeds to next execution path.

Check device should read 0x47 at offset of 2 on USB descriptor read
and it is the amount requested of 6 bytes.

Fix for
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access as

Reported-by: Andrey Konovalov
Signed-off-by: Malcolm Priestley
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
---
 drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb= -usb-v2/lmedm04.c index 5de6f7c04d09..a98cdf8e5ac1 100644 --- a/drivers/media/usb/dvb-usb-v2/lmedm04.c 
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c @@ -444,18 +444,23 @@ static int lme2510_pid_filter(struct dvb_usb_adapter = *adap, int index, u16 pid, =20 static int lme2510_return_status(struct dvb_usb_device *d) { - int ret =3D 0; + int ret; u8 *data; =20 - data =3D kzalloc(10, GFP_KERNEL); + data =3D kzalloc(6, GFP_KERNEL); if (!data) return -ENOMEM; =20 - ret |=3D usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), - 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200); - info("Firmware Status: %x (%x)", ret , data[2]); + ret =3D usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), + 0x06, 0x80, 0x0302, 0x00, + data, 0x6, 200); + if (ret !=3D 6) + ret =3D -EINVAL; + else + ret =3D data[2]; + + info("Firmware Status: %6ph", data); =20 - ret =3D (ret < 0) ? -ENODEV : data[2]; kfree(data); return ret; } @@ -1150,6 +1155,7 @@ static int lme2510_get_adapter_count(struct dvb_usb_d= evice *d) static int lme2510_identify_state(struct dvb_usb_device *d, const char **n= ame) { struct lme2510_state *st =3D d->priv; + int status; =20 usb_reset_configuration(d->udev); =20 @@ -1158,12 +1164,16 @@ static int lme2510_identify_state(struct dvb_usb_de= vice *d, const char **name) =20 st->dvb_usb_lme2510_firmware =3D dvb_usb_lme2510_firmware; =20 - if (lme2510_return_status(d) =3D=3D 0x44) { + status =3D lme2510_return_status(d); + if (status =3D=3D 0x44) { *name =3D lme_firmware_switch(d, 0); return COLD; } =20 - return 0; + if (status !=3D 0x47) + return -EINVAL; + + return WARM; } =20 static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type, --=20 2.14.1
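
Review bot: in the lme2510_return_status() hunk, "if (ret != 6) ret = -EINVAL;" throws away the negative errno that usb_control_msg() returned, so a disconnect or timeout can no longer be told apart from a short read, and the previous -ENODEV mapping for transfer errors is gone without comment. I would keep a negative ret as it is and reserve a separate error for the short-transfer case (ret >= 0 but not 6). The info("Firmware Status: %6ph", data) call also runs on the failure path, where data is still the zeroed kzalloc() buffer (or only partly filled), so the log shows bytes that were never read from the device as if they were a status; move it into the success branch, or log ret when the read fails.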
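
Review bot: in the last lme2510_identify_state() hunk, 0x44 and 0x47 are compared as bare literals with no comment; the commit message explains that 0x47 at offset 2 is what a genuine warm device reports, but nothing in the code does. Named constants or a one-line comment next to each comparison would carry that into the source. The check "if (status != 0x47) return -EINVAL;" also folds any negative value from lme2510_return_status() into -EINVAL; testing "status < 0" first and returning it unchanged would keep the cause of the failure visible to the caller.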