Commit d18ca5b7 authored by Antti Palosaari's avatar Antti Palosaari Committed by Mauro Carvalho Chehab

[media] rtl28xxu: fix control message flaws

Add lock to prevent concurrent access for control message as control
message function uses shared buffer. Without the lock there may be
remote control polling which messes the buffer causing IO errors.
Increase buffer size and add check for maximum supported message
length.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=103391
Fixes: c56222a6 ("[media] rtl28xxu: move usb buffers to state")

Cc: <stable@vger.kernel.org> # 4.0+
Signed-off-by: Antti Palosaari <crope@iki.fi>
parent 17f38822
...@@ -34,6 +34,14 @@ static int rtl28xxu_ctrl_msg(struct dvb_usb_device *d, struct rtl28xxu_req *req) ...@@ -34,6 +34,14 @@ static int rtl28xxu_ctrl_msg(struct dvb_usb_device *d, struct rtl28xxu_req *req)
unsigned int pipe; unsigned int pipe;
u8 requesttype; u8 requesttype;
mutex_lock(&d->usb_mutex);
if (req->size > sizeof(dev->buf)) {
dev_err(&d->intf->dev, "too large message %u\n", req->size);
ret = -EINVAL;
goto err_mutex_unlock;
}
if (req->index & CMD_WR_FLAG) { if (req->index & CMD_WR_FLAG) {
/* write */ /* write */
memcpy(dev->buf, req->data, req->size); memcpy(dev->buf, req->data, req->size);
...@@ -50,14 +58,17 @@ static int rtl28xxu_ctrl_msg(struct dvb_usb_device *d, struct rtl28xxu_req *req) ...@@ -50,14 +58,17 @@ static int rtl28xxu_ctrl_msg(struct dvb_usb_device *d, struct rtl28xxu_req *req)
dvb_usb_dbg_usb_control_msg(d->udev, 0, requesttype, req->value, dvb_usb_dbg_usb_control_msg(d->udev, 0, requesttype, req->value,
req->index, dev->buf, req->size); req->index, dev->buf, req->size);
if (ret < 0) if (ret < 0)
goto err; goto err_mutex_unlock;
/* read request, copy returned data to return buf */ /* read request, copy returned data to return buf */
if (requesttype == (USB_TYPE_VENDOR | USB_DIR_IN)) if (requesttype == (USB_TYPE_VENDOR | USB_DIR_IN))
memcpy(req->data, dev->buf, req->size); memcpy(req->data, dev->buf, req->size);
mutex_unlock(&d->usb_mutex);
return 0; return 0;
err: err_mutex_unlock:
mutex_unlock(&d->usb_mutex);
dev_dbg(&d->intf->dev, "failed=%d\n", ret); dev_dbg(&d->intf->dev, "failed=%d\n", ret);
return ret; return ret;
} }
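Review bot: A short IN transfer is not detected before the copy-back `memcpy(req->data, dev->buf, req->size)`, because the only check on the transfer result is `if (ret < 0)`. If the device returns fewer than req->size bytes, the tail of the shared dev->buf still holds bytes from an earlier message, and those are handed to the caller as if they were fresh data. The assignment to ret lies between the two hunks and is not visible, so this assumes it holds the usb_control_msg() byte count. If that holds, the read path could reject short transfers before the memcpy, for example `if (ret != req->size) { ret = -EIO; goto err_mutex_unlock; }`. The start of rtl28xxu_ctrl_msg() is outside the hunks shown.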
......
...@@ -71,7 +71,7 @@ ...@@ -71,7 +71,7 @@
struct rtl28xxu_dev { struct rtl28xxu_dev {
u8 buf[28]; u8 buf[128];
u8 chip_id; u8 chip_id;
u8 tuner; u8 tuner;
char *tuner_name; char *tuner_name;
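Review bot: The new size in `u8 buf[128];` is a bare number with no stated origin, and nothing at the declaration says that this buffer is shared by every control message and depends on a lock. The bound check added in rtl28xxu_ctrl_msg() uses `sizeof(dev->buf)`, so the two stay in step, but a reader of the header cannot tell what the largest expected message is. A comment on the field such as `/* shared control message buffer; access serialized by d->usb_mutex in rtl28xxu_ctrl_msg() */` would record that. The struct continues beyond the visible lines.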
......