Commit 6cc816dd authored by Luke Nowakowski-Krijger's avatar Luke Nowakowski-Krijger Committed by Greg Kroah-Hartman

media: hdpvr: Add device num check and handling

[ Upstream commit d4a6a953 ]

Add hdpvr device num check and error handling

We need to increment the device count atomically before we checkout a
device to make sure that we do not reach the max count, otherwise we get
out-of-bounds errors as reported by syzbot.

Reported-and-tested-by: syzbot+aac8d0d7205f112045d2@syzkaller.appspotmail.com
Signed-off-by: default avatarLuke Nowakowski-Krijger <lnowakow@eng.ucsd.edu>
Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 8bc254d3
...@@ -275,6 +275,7 @@ static int hdpvr_probe(struct usb_interface *interface, ...@@ -275,6 +275,7 @@ static int hdpvr_probe(struct usb_interface *interface,
#endif #endif
size_t buffer_size; size_t buffer_size;
int i; int i;
int dev_num;
int retval = -ENOMEM; int retval = -ENOMEM;
/* allocate memory for our device state and initialize it */ /* allocate memory for our device state and initialize it */
...@@ -372,8 +373,17 @@ static int hdpvr_probe(struct usb_interface *interface, ...@@ -372,8 +373,17 @@ static int hdpvr_probe(struct usb_interface *interface,
} }
#endif #endif
dev_num = atomic_inc_return(&dev_nr);
if (dev_num >= HDPVR_MAX) {
v4l2_err(&dev->v4l2_dev,
"max device number reached, device register failed\n");
atomic_dec(&dev_nr);
retval = -ENODEV;
goto reg_fail;
}
retval = hdpvr_register_videodev(dev, &interface->dev, retval = hdpvr_register_videodev(dev, &interface->dev,
video_nr[atomic_inc_return(&dev_nr)]); video_nr[dev_num]);
if (retval < 0) { if (retval < 0) {
v4l2_err(&dev->v4l2_dev, "registering videodev failed\n"); v4l2_err(&dev->v4l2_dev, "registering videodev failed\n");
goto reg_fail; goto reg_fail;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment