serial-tegra-use-uart_xmit_advance-fixes-icount.tx-accounting.patch
serial-tegra-tcu-use-uart_xmit_advance-fixes-icount.tx-accounting.patch
s390-dasd-fix-oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup.patch
+usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch
+vfio-type1-fix-vaddr_get_pfns-return-in-vfio_pin_page_external.patch
--- /dev/null
+From de5107f473190538a65aac7edea85209cd5c1a8f Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Date: Tue, 17 Aug 2021 16:36:25 +0800
+Subject: usb: xhci-mtk: fix issue of out-of-bounds array access
+
+From: Chunfeng Yun <chunfeng.yun@mediatek.com>
+
+commit de5107f473190538a65aac7edea85209cd5c1a8f upstream.
+
+Bus bandwidth array access is based on esit, increase one
+will cause out-of-bounds issue; for example, when esit is
+XHCI_MTK_MAX_ESIT, will overstep boundary.
+
+Fixes: 7c986fbc16ae ("usb: xhci-mtk: get the microframe boundary for ESIT")
+Cc: <stable@vger.kernel.org>
+Reported-by: Stan Lu <stan.lu@mediatek.com>
+Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Link: https://lore.kernel.org/r/1629189389-18779-5-git-send-email-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-mtk-sch.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci-mtk-sch.c
++++ b/drivers/usb/host/xhci-mtk-sch.c
+@@ -539,10 +539,12 @@ static u32 get_esit_boundary(struct mu3h
+ u32 boundary = sch_ep->esit;
+
+ if (sch_ep->sch_tt) { /* LS/FS with TT */
+- /* tune for CS */
+- if (sch_ep->ep_type != ISOC_OUT_EP)
+- boundary++;
+- else if (boundary > 1) /* normally esit >= 8 for FS/LS */
++ /*
++ * tune for CS, normally esit >= 8 for FS/LS,
++ * not add one for other types to avoid access array
++ * out of boundary
++ */
++ if (sch_ep->ep_type == ISOC_OUT_EP && boundary > 1)
+ boundary--;
+ }
+
--- /dev/null
+From 4ab4fcfce5b540227d80eb32f1db45ab615f7c92 Mon Sep 17 00:00:00 2001
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+Date: Mon, 8 Mar 2021 12:24:52 -0500
+Subject: vfio/type1: fix vaddr_get_pfns() return in vfio_pin_page_external()
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+commit 4ab4fcfce5b540227d80eb32f1db45ab615f7c92 upstream.
+
+vaddr_get_pfns() now returns the positive number of pfns successfully
+gotten instead of zero. vfio_pin_page_external() might return 1 to
+vfio_iommu_type1_pin_pages(), which will treat it as an error, if
+vaddr_get_pfns() is successful but vfio_pin_page_external() doesn't
+reach vfio_lock_acct().
+
+Fix it up in vfio_pin_page_external(). Found by inspection.
+
+Fixes: be16c1fd99f4 ("vfio/type1: Change success value of vaddr_get_pfn()")
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Message-Id: <20210308172452.38864-1-daniel.m.jordan@oracle.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/vfio_iommu_type1.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -671,7 +671,12 @@ static int vfio_pin_page_external(struct
+ return -ENODEV;
+
+ ret = vaddr_get_pfns(mm, vaddr, 1, dma->prot, pfn_base, pages);
+- if (ret == 1 && do_accounting && !is_invalid_reserved_pfn(*pfn_base)) {
++ if (ret != 1)
++ goto out;
++
++ ret = 0;
++
++ if (do_accounting && !is_invalid_reserved_pfn(*pfn_base)) {
+ ret = vfio_lock_acct(dma, 1, true);
+ if (ret) {
+ put_pfn(*pfn_base, dma->prot);
+@@ -683,6 +688,7 @@ static int vfio_pin_page_external(struct
+ }
+ }
+
++out:
+ mmput(mm);
+ return ret;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
