4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 18 Jan 2022 08:20:40 +0000 (09:20 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 18 Jan 2022 08:20:40 +0000 (09:20 +0100)
added patches:
media-uvcvideo-fix-division-by-zero-at-stream-start.patch
rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch

queue-4.4/media-uvcvideo-fix-division-by-zero-at-stream-start.patch [new file with mode: 0644]
queue-4.4/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/media-uvcvideo-fix-division-by-zero-at-stream-start.patch b/queue-4.4/media-uvcvideo-fix-division-by-zero-at-stream-start.patch
new file mode 100644 (file)
index 0000000..0562acb
--- /dev/null
@@ -0,0 +1,43 @@
+From 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 26 Oct 2021 11:55:11 +0200
+Subject: media: uvcvideo: fix division by zero at stream start
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df upstream.
+
+Add the missing bulk-endpoint max-packet sanity check to
+uvc_video_start_transfer() to avoid division by zero in
+uvc_alloc_urb_buffers() in case a malicious device has broken
+descriptors (or when doing descriptor fuzz testing).
+
+Note that USB core will reject URBs submitted for endpoints with zero
+wMaxPacketSize but that drivers doing packet-size calculations still
+need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
+endpoint descriptors with maxpacket=0")).
+
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Cc: stable@vger.kernel.org      # 2.6.26
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_video.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -1720,6 +1720,10 @@ static int uvc_init_video(struct uvc_str
+               if (ep == NULL)
+                       return -EIO;
++              /* Reject broken descriptors. */
++              if (usb_endpoint_maxp(&ep->desc) == 0)
++                      return -EIO;
++
+               ret = uvc_init_video_bulk(stream, ep, gfp_flags);
+       }
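Review bot: The added comment `/* Reject broken descriptors. */` does not say which field is checked or why a zero value is fatal; `/* A zero wMaxPacketSize would cause a division by zero in uvc_alloc_urb_buffers(). */` would keep the reason next to the guard. The inner hunk header shows the enclosing function as `uvc_init_video` in this tree, while the commit message names `uvc_video_start_transfer()`, so a short backport note in the patch description would help anyone matching the two. The guard sits in the bulk branch only, and the isochronous branch lies outside the hunk, so whether that path needs the same check cannot be confirmed from here. The rejection returns `-EIO` with no log output, which leaves a device with a bad descriptor indistinguishable from a missing endpoint (the `ep == NULL` case just above) when triaging.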
diff --git a/queue-4.4/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch b/queue-4.4/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch
new file mode 100644 (file)
index 0000000..dacd88c
--- /dev/null
@@ -0,0 +1,45 @@
+From 8b144dedb928e4e2f433a328d58f44c3c098d63e Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 15 Dec 2021 11:11:05 -0600
+Subject: rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts enabled
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 8b144dedb928e4e2f433a328d58f44c3c098d63e upstream.
+
+Syzbot reports the following WARNING:
+
+[200~raw_local_irq_restore() called with IRQs enabled
+WARNING: CPU: 1 PID: 1206 at kernel/locking/irqflag-debug.c:10
+   warn_bogus_irq_restore+0x1d/0x20 kernel/locking/irqflag-debug.c:10
+
+Hardware initialization for the rtl8188cu can run for as long as 350 ms,
+and the routine may be called with interrupts disabled. To avoid locking
+the machine for this long, the current routine saves the interrupt flags
+and enables local interrupts. The problem is that it restores the flags
+at the end without disabling local interrupts first.
+
+This patch fixes commit a53268be0cb9 ("rtlwifi: rtl8192cu: Fix too long
+disable of IRQs").
+
+Reported-by: syzbot+cce1ee31614c171f5595@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Fixes: a53268be0cb9 ("rtlwifi: rtl8192cu: Fix too long disable of IRQs")
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20211215171105.20623-1-Larry.Finger@lwfinger.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
+@@ -1062,6 +1062,7 @@ int rtl92cu_hw_init(struct ieee80211_hw
+       _InitPABias(hw);
+       rtl92c_dm_init(hw);
+ exit:
++      local_irq_disable();
+       local_irq_restore(flags);
+       return err;
+ }
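Review bot: The new `local_irq_disable();` at the `exit:` label carries no comment and reads as redundant next to `local_irq_restore(flags)`. A line such as `/* IRQs were enabled at entry for the long init; disable them again so local_irq_restore() is not called with IRQs on */` would record the reason given in the commit message. The matching save/enable pair is outside the hunk, so it is worth confirming that every path that enabled interrupts leaves through `exit:`. The commit message says the routine may be entered with interrupts disabled, so it is also worth checking that no caller relies on interrupts staying off across this call, though that concern predates this change.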
index 34b115f3f80f928070d88ab9fc6e6aebc6c9ae02..e181529f050c7526bb01ba4ccfd79d8b0f1619d4 100644 (file)
@@ -5,3 +5,5 @@ mfd-intel-lpss-fix-too-early-pm-enablement-in-the-acpi-probe.patch
 can-gs_usb-fix-use-of-uninitialized-variable-detach-device-on-reception-of-invalid-usb-data.patch
 can-gs_usb-gs_can_start_xmit-zero-initialize-hf-flags-reserved.patch
 drm-i915-avoid-bitwise-vs-logical-or-warning-in-snb_wm_latency_quirk.patch
+media-uvcvideo-fix-division-by-zero-at-stream-start.patch
+rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch