Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp6772390pxv;
        Fri, 30 Jul 2021 01:52:50 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzj+/v2sa+7aWpQbDNLv4Ysr6H80nVSwUg4atVFBWosbiY1MgM/oA/C02J3vKnczR09jTCC
X-Received: by 2002:a05:6e02:15c8:: with SMTP id q8mr443791ilu.285.1627635170457;
        Fri, 30 Jul 2021 01:52:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1627635170; cv=none;
        d=google.com; s=arc-20160816;
        b=QyitgvWXuZxp51854wTHsDmvXrjVUKpNqbynybvs7wRPzZ2B8bIE10MsRxTPqq9+0X
         An2rjeDO3l/4IroVcePhdfUHiTngiz5/k0/d/MCKWaIP2cvdSfzI/Z/y+FCNbSkSQ8zz
         rpw6NdYcP4qFuq5PwOFbZwtct/Cm58RhH8Q8Xs//NCcx8TdKn5hsd4IOQWgWYz+01UrA
         2TGV/AL4RwJ7qD+TQEzP8O69sG9urq+x1onQmo2fXozunsq+U3P12ZOtPPOnv+lDqs4+
         uWZdFxHeXi7xf+M6w0VV/HDjANwV601Hr4Lp5ZujpyJnt4f2+Pt17ildUNzWPjRPUXOo
         VPCA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:references:in-reply-to:message-id
         :date:subject:cc:to:from;
        bh=zICkph8qWuhdXggqRMKbQZGvxlKdaMM/U/e6sJduzVY=;
        b=TI3oDFmj6VzJkZne6GA5r18ftaJ9o/iq9L4X+Q4aYOtvFJ+53/RH0B0zgoiYMPHlZO
         PCNwGeN40FRBg6fQ/kqT6i+JUH1Njv2igUmr+11ZiuJgj/Pd25tWnw+2I+iNtgDat5U8
         lHQwhNTMptY7vzG7UfMdBzkdZbWiGPxQbUafa82hIP7pNso7+fu6PFpNQTo1YvZ15zc5
         sgpZLsKhSlsu16fUB8rrWVyBytJiTZjOs0DJRQlc9IEf6wGt6MnV1LdPLbCt0EP2zW9/
         FRnTKTD13bNriEYnOxcX+AOND0sq41LlZMXEhal7+eOVyOzJp42oBFw9hJx2g6kEsog5
         mKKQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v1si1246639ioj.78.2021.07.30.01.52.39;
        Fri, 30 Jul 2021 01:52:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mediatek.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S238212AbhG3IvS (ORCPT <rfc822;linux.sihyeon@gmail.com>
        + 99 others); Fri, 30 Jul 2021 04:51:18 -0400
Received: from mailgw01.mediatek.com ([60.244.123.138]:41564 "EHLO
        mailgw01.mediatek.com" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org
        with ESMTP id S237928AbhG3Iuu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 30 Jul 2021 04:50:50 -0400
X-UUID: 053be6fc763f45d8ac664e2e2b7e5a62-20210730
X-UUID: 053be6fc763f45d8ac664e2e2b7e5a62-20210730
Received: from mtkmbs10n2.mediatek.inc [(172.21.101.183)] by mailgw01.mediatek.com
        (envelope-from <chunfeng.yun@mediatek.com>)
        (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256)
        with ESMTP id 1007530290; Fri, 30 Jul 2021 16:50:43 +0800
Received: from mtkcas11.mediatek.inc (172.21.101.40) by
 mtkmbs06n1.mediatek.inc (172.21.101.129) with Microsoft SMTP Server (TLS) id
 15.0.1497.2; Fri, 30 Jul 2021 16:50:42 +0800
Received: from localhost.localdomain (10.17.3.153) by mtkcas11.mediatek.inc
 (172.21.101.73) with Microsoft SMTP Server id 15.0.1497.2 via Frontend
 Transport; Fri, 30 Jul 2021 16:50:41 +0800
From:   Chunfeng Yun <chunfeng.yun@mediatek.com>
To:     Rob Herring <robh+dt@kernel.org>,
        Mathias Nyman <mathias.nyman@intel.com>
CC:     Chunfeng Yun <chunfeng.yun@mediatek.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Matthias Brugger <matthias.bgg@gmail.com>,
        <linux-usb@vger.kernel.org>,
        <linux-arm-kernel@lists.infradead.org>,
        <linux-mediatek@lists.infradead.org>, <devicetree@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>,
        Eddie Hung <eddie.hung@mediatek.com>, <stable@vger.kernel.org>
Subject: [PATCH 07/11] usb: xhci-mtk: fix issue of out-of-bounds array access
Date:   Fri, 30 Jul 2021 16:49:58 +0800
Message-ID: <1627635002-24521-7-git-send-email-chunfeng.yun@mediatek.com>
X-Mailer: git-send-email 1.8.1.1.dirty
In-Reply-To: <1627635002-24521-1-git-send-email-chunfeng.yun@mediatek.com>
References: <1627635002-24521-1-git-send-email-chunfeng.yun@mediatek.com>
MIME-Version: 1.0
Content-Type: text/plain
X-MTK:  N
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Bus bandwidth array access is based on esit, increase one
will cause out-of-bounds issue; for example, when esit is
XHCI_MTK_MAX_ESIT, will overstep boundary.

Fixes: 7c986fbc16ae ("usb: xhci-mtk: get the microframe boundary for ESIT")
Cc: <stable@vger.kernel.org>
Reported-by: Stan Lu <stan.lu@mediatek.com>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
---
 drivers/usb/host/xhci-mtk-sch.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/host/xhci-mtk-sch.c b/drivers/usb/host/xhci-mtk-sch.c
index cffcaf4dfa9f..0bb1a6295d64 100644
--- a/drivers/usb/host/xhci-mtk-sch.c
+++ b/drivers/usb/host/xhci-mtk-sch.c
@@ -575,10 +575,12 @@ static u32 get_esit_boundary(struct mu3h_sch_ep_info *sch_ep)
 	u32 boundary = sch_ep->esit;
 
 	if (sch_ep->sch_tt) { /* LS/FS with TT */
-		/* tune for CS */
-		if (sch_ep->ep_type != ISOC_OUT_EP)
-			boundary++;
-		else if (boundary > 1) /* normally esit >= 8 for FS/LS */
+		/*
+		 * tune for CS, normally esit >= 8 for FS/LS,
+		 * not add one for other types to avoid access array
+		 * out of boundary
+		 */
+		if (sch_ep->ep_type == ISOC_OUT_EP && boundary > 1)
 			boundary--;
 	}
 
-- 
2.18.0