From 995d86cfee0353d646b998077b66f9b58e3e5803 Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Apr 17 2023 12:19:04 +0000 Subject: ath10k: fix division by zero in send path (git-fixes). --- diff --git a/patches.suse/ath10k-fix-division-by-zero-in-send-path.patch b/patches.suse/ath10k-fix-division-by-zero-in-send-path.patch new file mode 100644 index 0000000..a5fa366 --- /dev/null +++ b/patches.suse/ath10k-fix-division-by-zero-in-send-path.patch @@ -0,0 +1,47 @@ +From a006acb931317aad3a8dd41333ebb0453caf49b8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 27 Oct 2021 10:08:17 +0200 +Subject: [PATCH] ath10k: fix division by zero in send path +Git-commit: a006acb931317aad3a8dd41333ebb0453caf49b8 +References: git-fixes +Patch-mainline: v5.16-rc1 + +Add the missing endpoint max-packet sanity check to probe() to avoid +division by zero in ath10k_usb_hif_tx_sg() in case a malicious device +has broken descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Fixes: 4db66499df91 ("ath10k: add initial USB support") +Cc: stable@vger.kernel.org # 4.14 +Cc: Erik Stromdahl +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211027080819.6675-2-johan@kernel.org +Signed-off-by: Oliver Neukum +--- + drivers/net/wireless/ath/ath10k/usb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/usb.c b/drivers/net/wireless/ath/ath10k/usb.c +index 6d831b098cbb..3d98f19c6ec8 100644 +--- a/drivers/net/wireless/ath/ath10k/usb.c ++++ b/drivers/net/wireless/ath/ath10k/usb.c +@@ -853,6 +853,11 @@ static int ath10k_usb_setup_pipe_resources(struct ath10k *ar, + le16_to_cpu(endpoint->wMaxPacketSize), + endpoint->bInterval); + } ++ ++ /* Ignore broken descriptors. */ ++ if (usb_endpoint_maxp(endpoint) == 0) ++ continue; ++ + urbcount = 0; + + pipe_num = +-- +2.40.0 + diff --git a/series.conf b/series.conf index 3c26ed3..194baa9 100644 --- a/series.conf +++ b/series.conf @@ -61741,6 +61741,7 @@ patches.suse/wcn36xx-add-proper-DMA-memory-barriers-in-rx-path.patch patches.suse/ath10k-fix-control-message-timeout.patch patches.suse/ath6kl-fix-control-message-timeout.patch + patches.suse/ath10k-fix-division-by-zero-in-send-path.patch patches.suse/ath6kl-fix-division-by-zero-in-send-path.patch patches.suse/rtl8187-fix-control-message-timeouts.patch patches.suse/msft-hv-2473-net-mana-Fix-the-netdev_err-s-vPort-argument-in-mana.patch