From: Greg Kroah-Hartman Date: Mon, 9 Aug 2021 09:57:44 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.280~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c3b50c18a8b9a80f7ea5f02ebdcde90e472ef7b9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: media-rtl28xxu-fix-zero-length-control-request.patch pipe-increase-minimum-default-pipe-size-to-2-pages.patch --- diff --git a/queue-4.9/media-rtl28xxu-fix-zero-length-control-request.patch b/queue-4.9/media-rtl28xxu-fix-zero-length-control-request.patch new file mode 100644 index 00000000000..698b8241fcd --- /dev/null +++ b/queue-4.9/media-rtl28xxu-fix-zero-length-control-request.patch @@ -0,0 +1,58 @@ +From 76f22c93b209c811bd489950f17f8839adb31901 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 23 Jun 2021 10:45:21 +0200 +Subject: media: rtl28xxu: fix zero-length control request + +From: Johan Hovold + +commit 76f22c93b209c811bd489950f17f8839adb31901 upstream. + +The direction of the pipe argument must match the request-type direction +bit or control requests may fail depending on the host-controller-driver +implementation. + +Control transfers without a data stage are treated as OUT requests by +the USB stack and should be using usb_sndctrlpipe(). Failing to do so +will now trigger a warning. + +The driver uses a zero-length i2c-read request for type detection so +update the control-request code to use usb_sndctrlpipe() in this case. + +Note that actually trying to read the i2c register in question does not +work as the register might not exist (e.g. depending on the demodulator) +as reported by Eero Lehtinen . + +Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com +Reported-by: Eero Lehtinen +Tested-by: Eero Lehtinen +Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type") +Cc: stable@vger.kernel.org # 4.0 +Cc: Antti Palosaari +Signed-off-by: Johan Hovold +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/dvb-usb-v2/rtl28xxu.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c ++++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c +@@ -50,7 +50,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_ + } else { + /* read */ + requesttype = (USB_TYPE_VENDOR | USB_DIR_IN); +- pipe = usb_rcvctrlpipe(d->udev, 0); ++ ++ /* ++ * Zero-length transfers must use usb_sndctrlpipe() and ++ * rtl28xxu_identify_state() uses a zero-length i2c read ++ * command to determine the chip type. ++ */ ++ if (req->size) ++ pipe = usb_rcvctrlpipe(d->udev, 0); ++ else ++ pipe = usb_sndctrlpipe(d->udev, 0); + } + + ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value, diff --git a/queue-4.9/pipe-increase-minimum-default-pipe-size-to-2-pages.patch b/queue-4.9/pipe-increase-minimum-default-pipe-size-to-2-pages.patch new file mode 100644 index 00000000000..974f1abe60c --- /dev/null +++ b/queue-4.9/pipe-increase-minimum-default-pipe-size-to-2-pages.patch @@ -0,0 +1,75 @@ +From 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 Mon Sep 17 00:00:00 2001 +From: "Alex Xu (Hello71)" +Date: Thu, 5 Aug 2021 10:40:47 -0400 +Subject: pipe: increase minimum default pipe size to 2 pages + +From: Alex Xu (Hello71) + +commit 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 upstream. + +This program always prints 4096 and hangs before the patch, and always +prints 8192 and exits successfully after: + + int main() + { + int pipefd[2]; + for (int i = 0; i < 1025; i++) + if (pipe(pipefd) == -1) + return 1; + size_t bufsz = fcntl(pipefd[1], F_GETPIPE_SZ); + printf("%zd\n", bufsz); + char *buf = calloc(bufsz, 1); + write(pipefd[1], buf, bufsz); + read(pipefd[0], buf, bufsz-1); + write(pipefd[1], buf, 1); + } + +Note that you may need to increase your RLIMIT_NOFILE before running the +program. + +Fixes: 759c01142a ("pipe: limit the per-user amount of pages allocated in pipes") +Cc: +Link: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/ +Link: https://lore.kernel.org/lkml/1628127094.lxxn016tj7.none@localhost/ +Signed-off-by: Alex Xu (Hello71) +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/pipe.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -29,6 +29,21 @@ + #include "internal.h" + + /* ++ * New pipe buffers will be restricted to this size while the user is exceeding ++ * their pipe buffer quota. The general pipe use case needs at least two ++ * buffers: one for data yet to be read, and one for new data. If this is less ++ * than two, then a write to a non-empty pipe may block even if the pipe is not ++ * full. This can occur with GNU make jobserver or similar uses of pipes as ++ * semaphores: multiple processes may be waiting to write tokens back to the ++ * pipe before reading tokens: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/. ++ * ++ * Users can reduce their pipe buffers with F_SETPIPE_SZ below this at their ++ * own risk, namely: pipe writes to non-full pipes may block until the pipe is ++ * emptied. ++ */ ++#define PIPE_MIN_DEF_BUFFERS 2 ++ ++/* + * The max size that a non-root user is allowed to grow the pipe. Can + * be set by root in /proc/sys/fs/pipe-max-size + */ +@@ -653,8 +668,8 @@ struct pipe_inode_info *alloc_pipe_info( + user_bufs = account_pipe_buffers(user, 0, pipe_bufs); + + if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) { +- user_bufs = account_pipe_buffers(user, pipe_bufs, 1); +- pipe_bufs = 1; ++ user_bufs = account_pipe_buffers(user, pipe_bufs, PIPE_MIN_DEF_BUFFERS); ++ pipe_bufs = PIPE_MIN_DEF_BUFFERS; + } + + if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user()) diff --git a/queue-4.9/series b/queue-4.9/series index 30327ba9772..e58114207fd 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -14,3 +14,5 @@ usb-serial-ch341-fix-character-loss-at-high-transfer-rates.patch usb-serial-ftdi_sio-add-device-id-for-auto-m3-op-com-v2.patch usb-otg-fsm-fix-hrtimer-list-corruption.patch scripts-tracing-fix-the-bug-that-can-t-parse-raw_trace_func.patch +media-rtl28xxu-fix-zero-length-control-request.patch +pipe-increase-minimum-default-pipe-size-to-2-pages.patch