Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2650982pxj; Mon, 31 May 2021 07:24:40 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxLYrA1/+WtBJw9NwfnZ6BrJqAXYFmF7UndQBgdm9Aua03xJRQIJlQdHlT1MExkaa8Ijfl8 X-Received: by 2002:a17:906:6ada:: with SMTP id q26mr24038278ejs.237.1622471080557; Mon, 31 May 2021 07:24:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622471080; cv=none; d=google.com; s=arc-20160816; b=YFu1JwT+SgSJMOVSLcUXgmsoSpJcxINv62kmVc4YX53Oaper/9p4WmqWmlf9eJI7qN 3K81a75s1EkOd1qN0j16f68CfJld/Lh9QhrikPNg0TQdgYKrw3BHGqJi7UEB37pkdGlh e/hTrbfMqbjHFqbhIpPXGH+Nfza3rt6QMMD2hM+JZDbiGLBwDUz6btw/ye8BVeajbO7V I2VBEiuzKGm21X9fa3I9/4IXUC7yb4c0ymO0w8tX9zK1nAqn2p+Hwu7V9PcSDaSIVSmx By5cRQlJcv7yuseEa11gFhqkICK28NKzgSfh+t/u7qiJMlLt7kOyO7yAmIH3ZhrijPo/ Zrdg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=lW6To0no9OyMr/O325CSEI+l8UuBTyNaabb6vWAbFfA=; b=C9vX6jfaQoOGsqShxktydU8oEc4+Z8xidEMQvp23TcNkgfnoqI+fkMOWYyY0GFcyqt sX/oVx9z68W1FgG0CPUv0KjY2L2olXegyaVQS/Hxm45WpB1JnzTic/FBkytRuE2ZtH93 M4TFbtVt9lEd4lC7jNaxRHYxDXJiyvPVCecSYccWEzkPQeiy/D3PYR0Cg4uwZa6N3UZq sqJkuqkwGDvyiB3G2a+AXXFY2yt5BmzFgO9oHfjpUV1MPdnEbTx3hdDDUQmp4+hhkOMy J+3r8JYxxZYqkNJKKJJ3mNq9YI09w2WZhFJ8rjqOxHnh5lmBurNeE1eUNSNh4HYRf1Yl /3Ew== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=fn2Nm2kR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e6si8369977edz.576.2021.05.31.07.24.18; Mon, 31 May 2021 07:24:40 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=fn2Nm2kR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233640AbhEaOZD (ORCPT + 99 others); Mon, 31 May 2021 10:25:03 -0400 Received: from mail.kernel.org ([198.145.29.99]:55014 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232250AbhEaNvF (ORCPT ); Mon, 31 May 2021 09:51:05 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id E0272616EC; Mon, 31 May 2021 13:32:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1622467935; bh=zaqc71jmfjSYAhxJFkH0vlK71+sUttf04PqO/8IWQqE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=fn2Nm2kRyZS/IsYa0A79Gsm253qcHPodSg6KpRYqoqseRCf7dEoRJDel5sQ43MS6Z zmS5HT9q98O/9UDhicqwXs9xrG9BO2wiucAbzjvUwIqJhkgIdZqzM4Vbbxk4vPa/Fc izicawgCYlldHEZ4Ju1n/LmN0nY9iKXk/tzt9KQk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mathias Nyman , Mika Westerberg Subject: [PATCH 5.10 056/252] thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue Date: Mon, 31 May 2021 15:12:01 +0200 Message-Id: <20210531130659.879830516@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210531130657.971257589@linuxfoundation.org> References: <20210531130657.971257589@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Mathias Nyman commit b106776080a1cf953a1b2fd50cb2a995db4732be upstream. Up to 64 bytes of data can be read from NVM in one go. Read address must be dword aligned. Data is read into a local buffer. If caller asks to read data starting at an unaligned address then full dword is anyway read from NVM into a local buffer. Data is then copied from the local buffer starting at the unaligned offset to the caller buffer. In cases where asked data length + unaligned offset is over 64 bytes we need to make sure we don't read past the 64 bytes in the local buffer when copying to caller buffer, and make sure that we don't skip copying unaligned offset bytes from local buffer anymore after the first round of 64 byte NVM data read. Fixes: 3e13676862f9 ("thunderbolt: Add support for DMA configuration based mailbox") Cc: stable@vger.kernel.org Signed-off-by: Mathias Nyman Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman --- drivers/thunderbolt/dma_port.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) --- a/drivers/thunderbolt/dma_port.c +++ b/drivers/thunderbolt/dma_port.c @@ -364,15 +364,15 @@ int dma_port_flash_read(struct tb_dma_po void *buf, size_t size) { unsigned int retries = DMA_PORT_RETRIES; - unsigned int offset; - - offset = address & 3; - address = address & ~3; do { - u32 nbytes = min_t(u32, size, MAIL_DATA_DWORDS * 4); + unsigned int offset; + size_t nbytes; int ret; + offset = address & 3; + nbytes = min_t(size_t, size + offset, MAIL_DATA_DWORDS * 4); + ret = dma_port_flash_read_block(dma, address, dma->buf, ALIGN(nbytes, 4)); if (ret) { @@ -384,6 +384,7 @@ int dma_port_flash_read(struct tb_dma_po return ret; } + nbytes -= offset; memcpy(buf, dma->buf + offset, nbytes); size -= nbytes;