This is a note to let you know that I've just added the patch titled ath10k: fix division by zero in send path to the 5.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: ath10k-fix-division-by-zero-in-send-path.patch and it can be found in the queue-5.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From a006acb931317aad3a8dd41333ebb0453caf49b8 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan@xxxxxxxxxx> Date: Wed, 27 Oct 2021 10:08:17 +0200 Subject: ath10k: fix division by zero in send path From: Johan Hovold <johan@xxxxxxxxxx> commit a006acb931317aad3a8dd41333ebb0453caf49b8 upstream. Add the missing endpoint max-packet sanity check to probe() to avoid division by zero in ath10k_usb_hif_tx_sg() in case a malicious device has broken descriptors (or when doing descriptor fuzz testing). Note that USB core will reject URBs submitted for endpoints with zero wMaxPacketSize but that drivers doing packet-size calculations still need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip endpoint descriptors with maxpacket=0")). Fixes: 4db66499df91 ("ath10k: add initial USB support") Cc: stable@xxxxxxxxxxxxxxx # 4.14 Cc: Erik Stromdahl <erik.stromdahl@xxxxxxxxx> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20211027080819.6675-2-johan@xxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/net/wireless/ath/ath10k/usb.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/net/wireless/ath/ath10k/usb.c +++ b/drivers/net/wireless/ath/ath10k/usb.c @@ -865,6 +865,11 @@ static int ath10k_usb_setup_pipe_resourc le16_to_cpu(endpoint->wMaxPacketSize), endpoint->bInterval); } + + /* Ignore broken descriptors. */ + if (usb_endpoint_maxp(endpoint) == 0) + continue; + urbcount = 0; pipe_num = Patches currently in stable-queue which might be from johan@xxxxxxxxxx are queue-5.4/alsa-ua101-fix-division-by-zero-at-probe.patch queue-5.4/ath6kl-fix-control-message-timeout.patch queue-5.4/input-iforce-fix-control-message-timeout.patch queue-5.4/ath10k-fix-division-by-zero-in-send-path.patch queue-5.4/ath10k-fix-control-message-timeout.patch queue-5.4/alsa-line6-fix-control-and-interrupt-message-timeouts.patch queue-5.4/mwifiex-fix-division-by-zero-in-fw-download-path.patch queue-5.4/rtl8187-fix-control-message-timeouts.patch queue-5.4/ath6kl-fix-division-by-zero-in-send-path.patch queue-5.4/alsa-6fire-fix-control-and-bulk-message-timeouts.patch