From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mathias Nyman, Mika Westerberg
Subject: [PATCH 5.10 055/252] thunderbolt: usb4: Fix NVM read buffer bounds and offset issue
Date: Mon, 31 May 2021 15:12:00 +0200
Message-Id: <20210531130659.850188831@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531130657.971257589@linuxfoundation.org>
References: <20210531130657.971257589@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mathias Nyman

commit 22c7a18ed5f007faccb7527bc890463763214081 upstream.

Up to 64 bytes of data can be read from NVM in one go. Read address
must be dword aligned. Data is read into a local buffer.

If caller asks to read data starting at an unaligned address then full
dword is anyway read from NVM into a local buffer. Data is then copied
from the local buffer starting at the unaligned offset to the caller
buffer.

In cases where asked data length + unaligned offset is over 64 bytes
we need to make sure we don't read past the 64 bytes in the local
buffer when copying to caller buffer, and make sure that we don't
skip copying unaligned offset bytes from local buffer anymore after
the first round of 64 byte NVM data read.

Fixes: b04079837b20 ("thunderbolt: Add initial support for USB4")
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman
Signed-off-by: Mika Westerberg
Signed-off-by: Greg Kroah-Hartman
--- drivers/thunderbolt/usb4.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- a/drivers/thunderbolt/usb4.c +++ b/drivers/thunderbolt/usb4.c 
@@ -108,15 +108,15 @@ static int usb4_do_read_data(u16 address unsigned int retries = USB4_DATA_RETRIES; unsigned int offset; - offset = address & 3; - address = address & ~3; - do { - size_t nbytes = min_t(size_t, size, USB4_DATA_DWORDS * 4); unsigned int dwaddress, dwords; u8 data[USB4_DATA_DWORDS * 4]; + size_t nbytes; int ret; + offset = address & 3; + nbytes = min_t(size_t, size + offset, USB4_DATA_DWORDS * 4); + dwaddress = address / 4; dwords = ALIGN(nbytes, 4) / 4; @@ -127,6 +127,7 @@ static int usb4_do_read_data(u16 address return ret; } + nbytes -= offset; memcpy(buf, data + offset, nbytes); size -= nbytes;
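
Review bot: in the first hunk (@@ -108,15), dropping `address = address & ~3;` leaves the dword alignment implicit in the truncating division at `dwaddress = address / 4;`, which is easy to miss when this loop is next touched. A one-line comment there, saying that the division rounds down to the containing dword and that `offset` holds the discarded low two bits, would document the invariant the fix depends on. Since `offset` is now assigned only inside the loop, its declaration could also move into the loop body next to `size_t nbytes;`.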
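
Review bot: in the second hunk (@@ -127,6), `nbytes -= offset;` silently changes what `nbytes` means partway through the iteration: above that line it is the number of bytes fetched into `data` including the leading pad, below it is the number of bytes handed to the caller. The subtraction cannot wrap and `data + offset + nbytes` stays within `USB4_DATA_DWORDS * 4`, because `nbytes` was set to `min_t(size_t, size + offset, USB4_DATA_DWORDS * 4)` and `offset` is at most 3, but that can only be seen by reading both hunks together. A short comment, or a separate variable for the copy length, would make the bound on `memcpy(buf, data + offset, nbytes);` checkable at the call site.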