Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp6772390pxv; Fri, 30 Jul 2021 01:52:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzj+/v2sa+7aWpQbDNLv4Ysr6H80nVSwUg4atVFBWosbiY1MgM/oA/C02J3vKnczR09jTCC X-Received: by 2002:a05:6e02:15c8:: with SMTP id q8mr443791ilu.285.1627635170457; Fri, 30 Jul 2021 01:52:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627635170; cv=none; d=google.com; s=arc-20160816; b=QyitgvWXuZxp51854wTHsDmvXrjVUKpNqbynybvs7wRPzZ2B8bIE10MsRxTPqq9+0X An2rjeDO3l/4IroVcePhdfUHiTngiz5/k0/d/MCKWaIP2cvdSfzI/Z/y+FCNbSkSQ8zz rpw6NdYcP4qFuq5PwOFbZwtct/Cm58RhH8Q8Xs//NCcx8TdKn5hsd4IOQWgWYz+01UrA 2TGV/AL4RwJ7qD+TQEzP8O69sG9urq+x1onQmo2fXozunsq+U3P12ZOtPPOnv+lDqs4+ uWZdFxHeXi7xf+M6w0VV/HDjANwV601Hr4Lp5ZujpyJnt4f2+Pt17ildUNzWPjRPUXOo VPCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:references:in-reply-to:message-id :date:subject:cc:to:from; bh=zICkph8qWuhdXggqRMKbQZGvxlKdaMM/U/e6sJduzVY=; b=TI3oDFmj6VzJkZne6GA5r18ftaJ9o/iq9L4X+Q4aYOtvFJ+53/RH0B0zgoiYMPHlZO PCNwGeN40FRBg6fQ/kqT6i+JUH1Njv2igUmr+11ZiuJgj/Pd25tWnw+2I+iNtgDat5U8 lHQwhNTMptY7vzG7UfMdBzkdZbWiGPxQbUafa82hIP7pNso7+fu6PFpNQTo1YvZ15zc5 sgpZLsKhSlsu16fUB8rrWVyBytJiTZjOs0DJRQlc9IEf6wGt6MnV1LdPLbCt0EP2zW9/ FRnTKTD13bNriEYnOxcX+AOND0sq41LlZMXEhal7+eOVyOzJp42oBFw9hJx2g6kEsog5 mKKQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v1si1246639ioj.78.2021.07.30.01.52.39; Fri, 30 Jul 2021 01:52:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238212AbhG3IvS (ORCPT + 99 others); Fri, 30 Jul 2021 04:51:18 -0400 Received: from mailgw01.mediatek.com ([60.244.123.138]:41564 "EHLO mailgw01.mediatek.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S237928AbhG3Iuu (ORCPT ); Fri, 30 Jul 2021 04:50:50 -0400 X-UUID: 053be6fc763f45d8ac664e2e2b7e5a62-20210730 X-UUID: 053be6fc763f45d8ac664e2e2b7e5a62-20210730 Received: from mtkmbs10n2.mediatek.inc [(172.21.101.183)] by mailgw01.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 1007530290; Fri, 30 Jul 2021 16:50:43 +0800 Received: from mtkcas11.mediatek.inc (172.21.101.40) by mtkmbs06n1.mediatek.inc (172.21.101.129) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 30 Jul 2021 16:50:42 +0800 Received: from localhost.localdomain (10.17.3.153) by mtkcas11.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.0.1497.2 via Frontend Transport; Fri, 30 Jul 2021 16:50:41 +0800 From: Chunfeng Yun To: Rob Herring , Mathias Nyman CC: Chunfeng Yun , Greg Kroah-Hartman , Matthias Brugger , , , , , , Eddie Hung , Subject: [PATCH 07/11] usb: xhci-mtk: fix issue of out-of-bounds array access Date: Fri, 30 Jul 2021 16:49:58 +0800 Message-ID: <1627635002-24521-7-git-send-email-chunfeng.yun@mediatek.com> X-Mailer: git-send-email 1.8.1.1.dirty In-Reply-To: <1627635002-24521-1-git-send-email-chunfeng.yun@mediatek.com> References: <1627635002-24521-1-git-send-email-chunfeng.yun@mediatek.com> MIME-Version: 1.0 Content-Type: text/plain X-MTK: N Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Bus bandwidth array access is based on esit, increase one will cause out-of-bounds issue; for example, when esit is XHCI_MTK_MAX_ESIT, will overstep boundary. Fixes: 7c986fbc16ae ("usb: xhci-mtk: get the microframe boundary for ESIT") Cc: Reported-by: Stan Lu Signed-off-by: Chunfeng Yun --- drivers/usb/host/xhci-mtk-sch.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/usb/host/xhci-mtk-sch.c b/drivers/usb/host/xhci-mtk-sch.c index cffcaf4dfa9f..0bb1a6295d64 100644 --- a/drivers/usb/host/xhci-mtk-sch.c +++ b/drivers/usb/host/xhci-mtk-sch.c @@ -575,10 +575,12 @@ static u32 get_esit_boundary(struct mu3h_sch_ep_info *sch_ep) u32 boundary = sch_ep->esit; if (sch_ep->sch_tt) { /* LS/FS with TT */ - /* tune for CS */ - if (sch_ep->ep_type != ISOC_OUT_EP) - boundary++; - else if (boundary > 1) /* normally esit >= 8 for FS/LS */ + /* + * tune for CS, normally esit >= 8 for FS/LS, + * not add one for other types to avoid access array + * out of boundary + */ + if (sch_ep->ep_type == ISOC_OUT_EP && boundary > 1) boundary--; } -- 2.18.0