From: Greg Kroah-Hartman Date: Tue, 18 Jan 2022 08:20:58 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v5.16.2~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9d5a69cedc3bb38c9c07ed6ad8a7abe0ce0bcd0c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: media-uvcvideo-fix-division-by-zero-at-stream-start.patch rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch
---
diff --git a/queue-4.9/media-uvcvideo-fix-division-by-zero-at-stream-start.patch b/queue-4.9/media-uvcvideo-fix-division-by-zero-at-stream-start.patch
new file mode 100644
index 00000000000..76b69741f6e
--- /dev/null
+++ b/queue-4.9/media-uvcvideo-fix-division-by-zero-at-stream-start.patch
@@ -0,0 +1,43 @@
+From 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 26 Oct 2021 11:55:11 +0200
+Subject: media: uvcvideo: fix division by zero at stream start
+
+From: Johan Hovold
+
+commit 8aa637bf6d70d2fb2ad4d708d8b9dd02b1c095df upstream.
+
+Add the missing bulk-endpoint max-packet sanity check to
+uvc_video_start_transfer() to avoid division by zero in
+uvc_alloc_urb_buffers() in case a malicious device has broken
+descriptors (or when doing descriptor fuzz testing).
+
+Note that USB core will reject URBs submitted for endpoints with zero
+wMaxPacketSize but that drivers doing packet-size calculations still
+need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
+endpoint descriptors with maxpacket=0")).
+
+Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
+Cc: stable@vger.kernel.org # 2.6.26
+Signed-off-by: Johan Hovold
+Reviewed-by: Kieran Bingham
+Signed-off-by: Laurent Pinchart
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/uvc/uvc_video.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -1716,6 +1716,10 @@ static int uvc_init_video(struct uvc_str
+ if (ep == NULL)
+ return -EIO;
+
++ /* Reject broken descriptors. */
++ if (usb_endpoint_maxp(&ep->desc) == 0)
++ return -EIO;
++
+ ret = uvc_init_video_bulk(stream, ep, gfp_flags);
+ }
+
diff --git a/queue-4.9/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch b/queue-4.9/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch
new file mode 100644
index 00000000000..59face282e5
--- /dev/null
+++ b/queue-4.9/rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch
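Review bot: In the queued uvcvideo patch, the new guard `if (usb_endpoint_maxp(&ep->desc) == 0)` tests whatever usb_endpoint_maxp() returns, which on a 4.9 tree may not be the value the bulk path later divides by. If, as I recall for kernels of this age, usb_endpoint_maxp() still returns the raw wMaxPacketSize and uvc_init_video_bulk() masks it with 0x7ff, a descriptor with only the upper bits set would pass this check and still hand a zero packet size to uvc_alloc_urb_buffers(). Please confirm against the 4.9 sources; if that is the case the backport should test the masked value, e.g. `if ((usb_endpoint_maxp(&ep->desc) & 0x7ff) == 0)`. The body of uvc_init_video() starts and ends outside the hunk, so the isochronous branch cannot be checked from here.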
@@ -0,0 +1,45 @@
+From 8b144dedb928e4e2f433a328d58f44c3c098d63e Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Wed, 15 Dec 2021 11:11:05 -0600
+Subject: rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts enabled
+
+From: Larry Finger
+
+commit 8b144dedb928e4e2f433a328d58f44c3c098d63e upstream.
+
+Syzbot reports the following WARNING:
+
+[200~raw_local_irq_restore() called with IRQs enabled
+WARNING: CPU: 1 PID: 1206 at kernel/locking/irqflag-debug.c:10
+ warn_bogus_irq_restore+0x1d/0x20 kernel/locking/irqflag-debug.c:10
+
+Hardware initialization for the rtl8188cu can run for as long as 350 ms,
+and the routine may be called with interrupts disabled. To avoid locking
+the machine for this long, the current routine saves the interrupt flags
+and enables local interrupts. The problem is that it restores the flags
+at the end without disabling local interrupts first.
+
+This patch fixes commit a53268be0cb9 ("rtlwifi: rtl8192cu: Fix too long
+disable of IRQs").
+
+Reported-by: syzbot+cce1ee31614c171f5595@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Fixes: a53268be0cb9 ("rtlwifi: rtl8192cu: Fix too long disable of IRQs")
+Signed-off-by: Larry Finger
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211215171105.20623-1-Larry.Finger@lwfinger.net
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/hw.c
+@@ -1037,6 +1037,7 @@ int rtl92cu_hw_init(struct ieee80211_hw
+ _InitPABias(hw);
+ rtl92c_dm_init(hw);
+ exit:
++ local_irq_disable();
+ local_irq_restore(flags);
+ return err;
+ }
diff --git a/queue-4.9/series b/queue-4.9/series
index c625681341f..4ff20b45787 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
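Review bot: The added `local_irq_disable();` directly before `local_irq_restore(flags);` at the `exit:` label of rtl92cu_hw_init() carries no comment, so the pairing looks redundant to anyone who has not read the commit message. I would put the reason in the code, for example `/* IRQs were enabled for the long hw init; disable again before restoring the saved flags. */` above the new line. The local_irq_save() and local_irq_enable() calls that this line balances are outside the hunk, so it is worth confirming that every `goto exit` is taken after them.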
@@ -8,3 +8,5 @@ random-fix-data-race-on-crng_node_pool.patch
 random-fix-data-race-on-crng-init-time.patch
 staging-wlan-ng-avoid-bitwise-vs-logical-or-warning-in-hfa384x_usb_throttlefn.patch
 drm-i915-avoid-bitwise-vs-logical-or-warning-in-snb_wm_latency_quirk.patch
+media-uvcvideo-fix-division-by-zero-at-stream-start.patch
+rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch