From 155bb5cd826bfc824d95f14f8c344cdd9fe62622 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 25 Sep 2022 13:41:44 +0200
Subject: [PATCH] 5.10-stable patches added patches: usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch vfio-type1-fix-vaddr_get_pfns-return-in-vfio_pin_page_external.patch
---
 queue-5.10/series | 2 +
 ...-issue-of-out-of-bounds-array-access.patch | 42 ++++++++++++++++
 ...fns-return-in-vfio_pin_page_external.patch | 50 +++++++++++++++++++
 3 files changed, 94 insertions(+)
 create mode 100644 queue-5.10/usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch
 create mode 100644 queue-5.10/vfio-type1-fix-vaddr_get_pfns-return-in-vfio_pin_page_external.patch
diff --git a/queue-5.10/series b/queue-5.10/series
index f8dd3c43c01..786f427a8ca 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -118,3 +118,5 @@ serial-create-uart_xmit_advance.patch
 serial-tegra-use-uart_xmit_advance-fixes-icount.tx-accounting.patch
 serial-tegra-tcu-use-uart_xmit_advance-fixes-icount.tx-accounting.patch
 s390-dasd-fix-oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup.patch
+usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch
+vfio-type1-fix-vaddr_get_pfns-return-in-vfio_pin_page_external.patch
diff --git a/queue-5.10/usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch b/queue-5.10/usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch
new file mode 100644
index 00000000000..d007010538b
--- /dev/null
+++ b/queue-5.10/usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch
@@ -0,0 +1,42 @@
+From de5107f473190538a65aac7edea85209cd5c1a8f Mon Sep 17 00:00:00 2001
+From: Chunfeng Yun
+Date: Tue, 17 Aug 2021 16:36:25 +0800
+Subject: usb: xhci-mtk: fix issue of out-of-bounds array access
+
+From: Chunfeng Yun
+
+commit de5107f473190538a65aac7edea85209cd5c1a8f upstream.
+
+Bus bandwidth array access is based on esit, increase one
+will cause out-of-bounds issue; for example, when esit is
+XHCI_MTK_MAX_ESIT, will overstep boundary.
+
+Fixes: 7c986fbc16ae ("usb: xhci-mtk: get the microframe boundary for ESIT")
+Cc:
+Reported-by: Stan Lu
+Signed-off-by: Chunfeng Yun
+Link: https://lore.kernel.org/r/1629189389-18779-5-git-send-email-chunfeng.yun@mediatek.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-mtk-sch.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci-mtk-sch.c
++++ b/drivers/usb/host/xhci-mtk-sch.c
+@@ -539,10 +539,12 @@ static u32 get_esit_boundary(struct mu3h
+ u32 boundary = sch_ep->esit;
+
+ if (sch_ep->sch_tt) { /* LS/FS with TT */
+- /* tune for CS */
+- if (sch_ep->ep_type != ISOC_OUT_EP)
+- boundary++;
+- else if (boundary > 1) /* normally esit >= 8 for FS/LS */
++ /*
++ * tune for CS, normally esit >= 8 for FS/LS,
++ * not add one for other types to avoid access array
++ * out of boundary
++ */
++ if (sch_ep->ep_type == ISOC_OUT_EP && boundary > 1)
+ boundary--;
+ }
+
diff --git a/queue-5.10/vfio-type1-fix-vaddr_get_pfns-return-in-vfio_pin_page_external.patch b/queue-5.10/vfio-type1-fix-vaddr_get_pfns-return-in-vfio_pin_page_external.patch
new file mode 100644
index 00000000000..186ca6a11d9
--- /dev/null
+++ b/queue-5.10/vfio-type1-fix-vaddr_get_pfns-return-in-vfio_pin_page_external.patch
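Review bot: The bound this fix depends on is not stated or checked where the index is computed in get_esit_boundary(): after the change the returned boundary is at most `sch_ep->esit`, but nothing in the visible lines shows `sch_ep->esit` itself being held to XHCI_MTK_MAX_ESIT, which the commit message names as the largest safe value. The new block comment would read better as the invariant itself, for example `/* tune for CS; never raise boundary above esit, callers use it to index the bus bandwidth array */`. If esit is not clamped where it is assigned (outside this hunk), a `WARN_ON_ONCE(boundary > XHCI_MTK_MAX_ESIT);` before the return would make a later regression visible instead of silently reading past the array. The function starts before and continues past the hunk, so the array access itself cannot be confirmed from here.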
@@ -0,0 +1,50 @@
+From 4ab4fcfce5b540227d80eb32f1db45ab615f7c92 Mon Sep 17 00:00:00 2001
+From: Daniel Jordan
+Date: Mon, 8 Mar 2021 12:24:52 -0500
+Subject: vfio/type1: fix vaddr_get_pfns() return in vfio_pin_page_external()
+
+From: Daniel Jordan
+
+commit 4ab4fcfce5b540227d80eb32f1db45ab615f7c92 upstream.
+
+vaddr_get_pfns() now returns the positive number of pfns successfully
+gotten instead of zero. vfio_pin_page_external() might return 1 to
+vfio_iommu_type1_pin_pages(), which will treat it as an error, if
+vaddr_get_pfns() is successful but vfio_pin_page_external() doesn't
+reach vfio_lock_acct().
+
+Fix it up in vfio_pin_page_external(). Found by inspection.
+
+Fixes: be16c1fd99f4 ("vfio/type1: Change success value of vaddr_get_pfn()")
+Signed-off-by: Daniel Jordan
+Message-Id: <20210308172452.38864-1-daniel.m.jordan@oracle.com>
+Signed-off-by: Alex Williamson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vfio/vfio_iommu_type1.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -671,7 +671,12 @@ static int vfio_pin_page_external(struct
+ return -ENODEV;
+
+ ret = vaddr_get_pfns(mm, vaddr, 1, dma->prot, pfn_base, pages);
+- if (ret == 1 && do_accounting && !is_invalid_reserved_pfn(*pfn_base)) {
++ if (ret != 1)
++ goto out;
++
++ ret = 0;
++
++ if (do_accounting && !is_invalid_reserved_pfn(*pfn_base)) {
+ ret = vfio_lock_acct(dma, 1, true);
+ if (ret) {
+ put_pfn(*pfn_base, dma->prot);
+@@ -683,6 +688,7 @@ static int vfio_pin_page_external(struct
+ }
+ }
+
++out:
+ mmput(mm);
+ return ret;
+ }
-- 2.47.3
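Review bot: A return of 0 from vaddr_get_pfns() takes the new `if (ret != 1) goto out;` path in vfio_pin_page_external() and is handed back as success, although no page was pinned and `*pfn_base` may never have been written. Whether 0 is reachable depends on vaddr_get_pfns(), which is outside the hunk, so this is a defensive point rather than a confirmed bug. The branch could make the contract explicit with `if (ret != 1) {` `if (ret >= 0) ret = -EFAULT;` `goto out; }`. The bare `ret = 0;` also deserves a comment such as `/* vaddr_get_pfns() returns the pin count; this function returns 0 on success */`, since that mismatch is the whole reason for the patch. The function begins before the first inner hunk, so the earlier error paths are not visible here.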