--- /dev/null
+From 76f22c93b209c811bd489950f17f8839adb31901 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 23 Jun 2021 10:45:21 +0200
+Subject: media: rtl28xxu: fix zero-length control request
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 76f22c93b209c811bd489950f17f8839adb31901 upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Control transfers without a data stage are treated as OUT requests by
+the USB stack and should be using usb_sndctrlpipe(). Failing to do so
+will now trigger a warning.
+
+The driver uses a zero-length i2c-read request for type detection so
+update the control-request code to use usb_sndctrlpipe() in this case.
+
+Note that actually trying to read the i2c register in question does not
+work as the register might not exist (e.g. depending on the demodulator)
+as reported by Eero Lehtinen <debiangamer2@gmail.com>.
+
+Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com
+Reported-by: Eero Lehtinen <debiangamer2@gmail.com>
+Tested-by: Eero Lehtinen <debiangamer2@gmail.com>
+Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type")
+Cc: stable@vger.kernel.org # 4.0
+Cc: Antti Palosaari <crope@iki.fi>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+@@ -50,7 +50,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_
+ } else {
+ /* read */
+ requesttype = (USB_TYPE_VENDOR | USB_DIR_IN);
+- pipe = usb_rcvctrlpipe(d->udev, 0);
++
++ /*
++ * Zero-length transfers must use usb_sndctrlpipe() and
++ * rtl28xxu_identify_state() uses a zero-length i2c read
++ * command to determine the chip type.
++ */
++ if (req->size)
++ pipe = usb_rcvctrlpipe(d->udev, 0);
++ else
++ pipe = usb_sndctrlpipe(d->udev, 0);
+ }
+
+ ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,
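Review bot: In the zero-length branch the pipe is now usb_sndctrlpipe(), but `requesttype` a few lines above still carries USB_DIR_IN, so the code reads as if it breaks the rule the commit message states (pipe direction must match the request-type direction bit). The added comment should say the mismatch is deliberate, for example by appending `* The request type keeps USB_DIR_IN; only the pipe changes, since a transfer without a data stage is handled as OUT.` Without that, a later cleanup could "fix" the direction bit and change what is sent to the device during chip detection. rtl28xxu_ctrl_msg() starts and ends outside the hunk, so whether the read path after usb_control_msg() is a no-op for `req->size == 0` cannot be confirmed from here and is worth checking.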
--- /dev/null
+From 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 Mon Sep 17 00:00:00 2001
+From: "Alex Xu (Hello71)" <alex_y_xu@yahoo.ca>
+Date: Thu, 5 Aug 2021 10:40:47 -0400
+Subject: pipe: increase minimum default pipe size to 2 pages
+
+From: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
+
+commit 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 upstream.
+
+This program always prints 4096 and hangs before the patch, and always
+prints 8192 and exits successfully after:
+
+ int main()
+ {
+ int pipefd[2];
+ for (int i = 0; i < 1025; i++)
+ if (pipe(pipefd) == -1)
+ return 1;
+ size_t bufsz = fcntl(pipefd[1], F_GETPIPE_SZ);
+ printf("%zd\n", bufsz);
+ char *buf = calloc(bufsz, 1);
+ write(pipefd[1], buf, bufsz);
+ read(pipefd[0], buf, bufsz-1);
+ write(pipefd[1], buf, 1);
+ }
+
+Note that you may need to increase your RLIMIT_NOFILE before running the
+program.
+
+Fixes: 759c01142a ("pipe: limit the per-user amount of pages allocated in pipes")
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/
+Link: https://lore.kernel.org/lkml/1628127094.lxxn016tj7.none@localhost/
+Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/pipe.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -29,6 +29,21 @@
+ #include "internal.h"
+
+ /*
++ * New pipe buffers will be restricted to this size while the user is exceeding
++ * their pipe buffer quota. The general pipe use case needs at least two
++ * buffers: one for data yet to be read, and one for new data. If this is less
++ * than two, then a write to a non-empty pipe may block even if the pipe is not
++ * full. This can occur with GNU make jobserver or similar uses of pipes as
++ * semaphores: multiple processes may be waiting to write tokens back to the
++ * pipe before reading tokens: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/.
++ *
++ * Users can reduce their pipe buffers with F_SETPIPE_SZ below this at their
++ * own risk, namely: pipe writes to non-full pipes may block until the pipe is
++ * emptied.
++ */
++#define PIPE_MIN_DEF_BUFFERS 2
++
++/*
+ * The max size that a non-root user is allowed to grow the pipe. Can
+ * be set by root in /proc/sys/fs/pipe-max-size
+ */
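Review bot: The new comment says pipe buffers "will be restricted to this size", but PIPE_MIN_DEF_BUFFERS is a count of buffers passed to account_pipe_buffers(), not a byte size. Stating the unit avoids someone later comparing it with a byte value such as the one returned by F_GETPIPE_SZ; the first sentence could read `* New pipes will be restricted to this many buffers (one page each, presumably) while the user is exceeding`. The comment could also name the quota it refers to, since the soft and hard checks are only visible further down in alloc_pipe_info().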
+@@ -653,8 +668,8 @@ struct pipe_inode_info *alloc_pipe_info(
+ user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
+
+ if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) {
+- user_bufs = account_pipe_buffers(user, pipe_bufs, 1);
+- pipe_bufs = 1;
++ user_bufs = account_pipe_buffers(user, pipe_bufs, PIPE_MIN_DEF_BUFFERS);
++ pipe_bufs = PIPE_MIN_DEF_BUFFERS;
+ }
+
+ if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user())
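Review bot: Raising the fallback from 1 to PIPE_MIN_DEF_BUFFERS doubles what each new pipe charges to an unprivileged user who is already over the soft limit, and nothing in this hunk records that trade-off. The hard check on the last line still bounds the total, but if the hard limit is left unset the remaining bound is presumably only the descriptor limit the commit message mentions (RLIMIT_NOFILE), so the per-user ceiling on pinned pipe pages for that case goes up by the same factor. A short comment above the fallback, such as `/* over the soft quota: fall back to the smallest size that cannot stall a writer on a non-empty pipe */`, would tie the accounting change to its reason. alloc_pipe_info() starts and continues outside the hunk.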