Patch "xhci: fix potential array out of bounds with several interrupters" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 07 May 2021 23:34:49 -0400

This is a note to let you know that I've just added the patch titled

    xhci: fix potential array out of bounds with several interrupters

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     xhci-fix-potential-array-out-of-bounds-with-several-.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d9a1e8787a5fb45d5b11981e8d77a96ccfd92cc9
Author: Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx>
Date:   Tue Apr 6 10:02:07 2021 +0300

    xhci: fix potential array out of bounds with several interrupters
    
    [ Upstream commit 286fd02fd54b6acab65809549cf5fb3f2a886696 ]
    
    The Max Interrupters supported by the controller is given in a 10bit
    wide bitfield, but the driver uses a fixed 128 size array to index these
    interrupters.
    
    Klockwork reports a possible array out of bounds case which in theory
    is possible. In practice this hasn't been hit as a common number of Max
    Interrupters for new controllers is 8, not even close to 128.
    
    This needs to be fixed anyway
    
    Signed-off-by: Mathias Nyman <mathias.nyman@xxxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20210406070208.3406266-4-mathias.nyman@xxxxxxxxxxxxxxx
    Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 143e4002e561..de05ac9d3ae1 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -228,6 +228,7 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci)
 	struct device *dev = xhci_to_hcd(xhci)->self.sysdev;
 	int err, i;
 	u64 val;
+	u32 intrs;
 
 	/*
 	 * Some Renesas controllers get into a weird state if they are
@@ -266,7 +267,10 @@ static void xhci_zero_64b_regs(struct xhci_hcd *xhci)
 	if (upper_32_bits(val))
 		xhci_write_64(xhci, 0, &xhci->op_regs->cmd_ring);
 
-	for (i = 0; i < HCS_MAX_INTRS(xhci->hcs_params1); i++) {
+	intrs = min_t(u32, HCS_MAX_INTRS(xhci->hcs_params1),
+		      ARRAY_SIZE(xhci->run_regs->ir_set));
+
+	for (i = 0; i < intrs; i++) {
 		struct xhci_intr_reg __iomem *ir;
 
 		ir = &xhci->run_regs->ir_set[i];






