From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Stan Lu , Chunfeng Yun Subject: [PATCH 5.13 12/22] usb: xhci-mtk: fix issue of out-of-bounds array access Date: Fri, 10 Sep 2021 14:30:11 +0200 Message-Id: <20210910122916.336471239@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210910122915.942645251@linuxfoundation.org> References: <20210910122915.942645251@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Chunfeng Yun commit de5107f473190538a65aac7edea85209cd5c1a8f upstream. Bus bandwidth array access is based on esit, increase one will cause out-of-bounds issue; for example, when esit is XHCI_MTK_MAX_ESIT, will overstep boundary. Fixes: 7c986fbc16ae ("usb: xhci-mtk: get the microframe boundary for ESIT") Cc: Reported-by: Stan Lu Signed-off-by: Chunfeng Yun Link: https://lore.kernel.org/r/1629189389-18779-5-git-send-email-chunfeng.yun@mediatek.com Signed-off-by: Greg Kroah-Hartman --- drivers/usb/host/xhci-mtk-sch.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/drivers/usb/host/xhci-mtk-sch.c +++ b/drivers/usb/host/xhci-mtk-sch.c @@ -590,10 +590,12 @@ static u32 get_esit_boundary(struct mu3h u32 boundary = sch_ep->esit; if (sch_ep->sch_tt) { /* LS/FS with TT */ - /* tune for CS */ - if (sch_ep->ep_type != ISOC_OUT_EP) - boundary++; - else if (boundary > 1) /* normally esit >= 8 for FS/LS */ + /* + * tune for CS, normally esit >= 8 for FS/LS, + * not add one for other types to avoid access array + * out of boundary + */ + if (sch_ep->ep_type == ISOC_OUT_EP && boundary > 1) boundary--; }
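Review bot: the rewritten comment above `if (sch_ep->ep_type == ISOC_OUT_EP && boundary > 1)` in get_esit_boundary() explains only the out-of-bounds concern and says nothing about the CS tuning that the removed `boundary++` performed for the other endpoint types behind a TT. Please state in the comment or the commit message why dropping that increment is acceptable for scheduling, not just that it avoids the overflow. Also, the function still returns a value derived directly from `sch_ep->esit` with no clamp, so the fix depends on esit never exceeding XHCI_MTK_MAX_ESIT and on the bandwidth array being sized for that index, neither of which is visible in this hunk. Naming that invariant in the comment, or checking it where the array is indexed, would make the bound explicit. The comment wording "not add one for other types to avoid access array out of boundary" could read "do not add one for other types, to avoid accessing the array out of bounds".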