On Tue, 30 Apr 2019, Oliver Neukum wrote:
> This driver is using a global variable. It cannot handle more than
> one device at a time. The issue has been exisying since the dawn
s/exisying/existing/
> of the driver.
>
> Signed-off-by: Oliver Neukum <oneu...@suse.com>
> Reported-by: syzbot+35f04d136fc975a70...@syzkaller.appspotmail.com
> ---
> drivers/usb/misc/rio500.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/misc/rio500.c b/drivers/usb/misc/rio500.c
> index 13e4889bc34f..a4b6fbea975f 100644
> --- a/drivers/usb/misc/rio500.c
> +++ b/drivers/usb/misc/rio500.c
> @@ -449,7 +449,12 @@ static int probe_rio(struct usb_interface *intf,
> struct rio_usb_data *rio = &rio_instance;
> int retval;
>
> - dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
> + if (rio->present) {
> + dev_info(&intf->dev, "Second USB Rio at address %d refused\n",
> dev->devnum);
> + return -EBUSY;
> + } else {
> + dev_info(&intf->dev, "USB Rio found at address %d\n",
> dev->devnum);
> + }
This will race if more than one Rio is probed at the same time. You
should hold the rio500_mutex throughout this routine.
Alan Stern
