From 858b71cb40e51b4b5aa1246d7900bc0fdfdaddbb Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 25 Sep 2022 13:41:37 +0200 Subject: [PATCH] 5.4-stable patches added patches: usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch --- queue-5.4/series | 1 + ...-issue-of-out-of-bounds-array-access.patch | 42 +++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 queue-5.4/usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch diff --git a/queue-5.4/series b/queue-5.4/series index ad8e2209ff0..7b4006dd69a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -92,3 +92,4 @@ serial-create-uart_xmit_advance.patch serial-tegra-use-uart_xmit_advance-fixes-icount.tx-accounting.patch serial-tegra-tcu-use-uart_xmit_advance-fixes-icount.tx-accounting.patch s390-dasd-fix-oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup.patch +usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch diff --git a/queue-5.4/usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch b/queue-5.4/usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch new file mode 100644 index 00000000000..d007010538b --- /dev/null +++ b/queue-5.4/usb-xhci-mtk-fix-issue-of-out-of-bounds-array-access.patch @@ -0,0 +1,42 @@ +From de5107f473190538a65aac7edea85209cd5c1a8f Mon Sep 17 00:00:00 2001 +From: Chunfeng Yun +Date: Tue, 17 Aug 2021 16:36:25 +0800 +Subject: usb: xhci-mtk: fix issue of out-of-bounds array access + +From: Chunfeng Yun + +commit de5107f473190538a65aac7edea85209cd5c1a8f upstream. + +Bus bandwidth array access is based on esit, increase one +will cause out-of-bounds issue; for example, when esit is +XHCI_MTK_MAX_ESIT, will overstep boundary. + +Fixes: 7c986fbc16ae ("usb: xhci-mtk: get the microframe boundary for ESIT") +Cc: +Reported-by: Stan Lu +Signed-off-by: Chunfeng Yun +Link: https://lore.kernel.org/r/1629189389-18779-5-git-send-email-chunfeng.yun@mediatek.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-mtk-sch.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/xhci-mtk-sch.c ++++ b/drivers/usb/host/xhci-mtk-sch.c +@@ -539,10 +539,12 @@ static u32 get_esit_boundary(struct mu3h + u32 boundary = sch_ep->esit; + + if (sch_ep->sch_tt) { /* LS/FS with TT */ +- /* tune for CS */ +- if (sch_ep->ep_type != ISOC_OUT_EP) +- boundary++; +- else if (boundary > 1) /* normally esit >= 8 for FS/LS */ ++ /* ++ * tune for CS, normally esit >= 8 for FS/LS, ++ * not add one for other types to avoid access array ++ * out of boundary ++ */ ++ if (sch_ep->ep_type == ISOC_OUT_EP && boundary > 1) + boundary--; + } + -- 2.47.3