From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Mathias Nyman , Mika Westerberg
Subject: [PATCH 5.12 068/296] thunderbolt: usb4: Fix NVM read buffer bounds and offset issue
Date: Mon, 31 May 2021 15:12:03 +0200
Message-Id: <20210531130706.128519532@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210531130703.762129381@linuxfoundation.org>
References: <20210531130703.762129381@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Mathias Nyman

commit 22c7a18ed5f007faccb7527bc890463763214081 upstream.

Up to 64 bytes of data can be read from NVM in one go. Read address must be dword aligned. Data is read into a local buffer.

If caller asks to read data starting at an unaligned address then full dword is anyway read from NVM into a local buffer. Data is then copied from the local buffer starting at the unaligned offset to the caller buffer.

In cases where asked data length + unaligned offset is over 64 bytes we need to make sure we don't read past the 64 bytes in the local buffer when copying to caller buffer, and make sure that we don't skip copying unaligned offset bytes from local buffer anymore after the first round of 64 byte NVM data read.

Fixes: b04079837b20 ("thunderbolt: Add initial support for USB4")
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman
Signed-off-by: Mika Westerberg
Signed-off-by: Greg Kroah-Hartman

--- drivers/thunderbolt/usb4.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- a/drivers/thunderbolt/usb4.c +++ b/drivers/thunderbolt/usb4.c 
@@ -68,15 +68,15 @@ static int usb4_do_read_data(u16 address unsigned int retries = USB4_DATA_RETRIES; unsigned int offset; - offset = address & 3; - address = address & ~3; - do { - size_t nbytes = min_t(size_t, size, USB4_DATA_DWORDS * 4); unsigned int dwaddress, dwords; u8 data[USB4_DATA_DWORDS * 4]; + size_t nbytes; int ret; + offset = address & 3; + nbytes = min_t(size_t, size + offset, USB4_DATA_DWORDS * 4); + dwaddress = address / 4; dwords = ALIGN(nbytes, 4) / 4; @@ -87,6 +87,7 @@ static int usb4_do_read_data(u16 address return ret; } + nbytes -= offset; memcpy(buf, data + offset, nbytes); size -= nbytes;
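
Review bot: in the first hunk (@@ -68,15 +68,15 @@), `dwaddress = address / 4` now relies on integer division to round an unaligned address down, because the explicit `address = address & ~3` has been removed. A one-line comment at that statement would make the reliance visible to the next reader. Since `offset` is now assigned only inside the loop, its declaration could also move into the loop body next to `nbytes`, so that a stale value from a previous iteration cannot be used by accident.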
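
Review bot: in the second hunk (@@ -87,6 +87,7 @@), `nbytes` changes meaning at `nbytes -= offset`: before that line it is the number of bytes fetched into `data` (request plus leading offset, capped at `USB4_DATA_DWORDS * 4`), afterwards it is the number of bytes copied to `buf` and subtracted from `size`. A separate variable for the copy length, or a short comment, would make it easier to check that `data + offset + nbytes` never passes the end of `data`. The unsigned subtraction does not wrap because `offset` is at most 3 and `nbytes` is computed from `size + offset`, which is worth stating next to it. The statements that advance `address` and `buf` are outside the visible context, so confirm they use the reduced `nbytes`.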