This is a note to let you know that I've just added the patch titled usb: xhci-mtk: fix issue of out-of-bounds array access to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the usb-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From de5107f473190538a65aac7edea85209cd5c1a8f Mon Sep 17 00:00:00 2001 From: Chunfeng Yun <chunfeng.yun@xxxxxxxxxxxx> Date: Tue, 17 Aug 2021 16:36:25 +0800 Subject: usb: xhci-mtk: fix issue of out-of-bounds array access Bus bandwidth array access is based on esit, increase one will cause out-of-bounds issue; for example, when esit is XHCI_MTK_MAX_ESIT, will overstep boundary. Fixes: 7c986fbc16ae ("usb: xhci-mtk: get the microframe boundary for ESIT") Cc: <stable@xxxxxxxxxxxxxxx> Reported-by: Stan Lu <stan.lu@xxxxxxxxxxxx> Signed-off-by: Chunfeng Yun <chunfeng.yun@xxxxxxxxxxxx> Link: https://lore.kernel.org/r/1629189389-18779-5-git-send-email-chunfeng.yun@xxxxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/host/xhci-mtk-sch.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/usb/host/xhci-mtk-sch.c b/drivers/usb/host/xhci-mtk-sch.c index cffcaf4dfa9f..0bb1a6295d64 100644 --- a/drivers/usb/host/xhci-mtk-sch.c +++ b/drivers/usb/host/xhci-mtk-sch.c @@ -575,10 +575,12 @@ static u32 get_esit_boundary(struct mu3h_sch_ep_info *sch_ep) u32 boundary = sch_ep->esit; if (sch_ep->sch_tt) { /* LS/FS with TT */ - /* tune for CS */ - if (sch_ep->ep_type != ISOC_OUT_EP) - boundary++; - else if (boundary > 1) /* normally esit >= 8 for FS/LS */ + /* + * tune for CS, normally esit >= 8 for FS/LS, + * not add one for other types to avoid access array + * out of boundary + */ + if (sch_ep->ep_type == ISOC_OUT_EP && boundary > 1) boundary--; } -- 2.32.0