Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp1960107rdh; Tue, 26 Sep 2023 08:19:58 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGq46Xg8pdJt0/jqJQbz5Pb8Zwj36OH36Xm3wF937drNFvAIaKkEyWrfuRy1+2aVJXwKoWO X-Received: by 2002:a05:6a20:12d4:b0:14e:2208:d62f with SMTP id v20-20020a056a2012d400b0014e2208d62fmr5026991pzg.22.1695741597926; Tue, 26 Sep 2023 08:19:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695741597; cv=none; d=google.com; s=arc-20160816; b=iLyXnQvWJd3IGZnUv5edJr2UCgHU0tmYd4YPDWDHkBSoXj8ipc9amdvPN/Nvb9tktx FHJhoMWRTeFpnd1GAi5N7yR9W6CbAfA+jNXyV9Go40oxQ0u/JmpFO6htDdj58R4rjcLm pi6N68E9JTUNLhTrzs2byfCTQECWk5JfLerEhp3t/TIBp3Ewl0OQTWP8omp4iuqPGwxQ geB2yBWeDDTS7SjIFYS9eWTmodcK5z8QFpOEQuJjvP4pjg9P/s/hF6JX81nXEP1P2T1p TXeGJ3h7CbcnQ4is7bWv3Q3NY0NmxCDSkzJIFdG9ifr//wt9zBQ57ZyQzrvJMcBzpTgE cajg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=nGouHzxWe5kzoMakXT7t21X91AZk6rZC1OKWW3eLQSQ=; fh=Z5on+B0X/Hk5EsssVmDL03SpFUclRRIifq2QPgXs+iY=; b=EVfMnowKhYtjH0PLDi0anZ3xcc6Au6yVHxIH2NqFIri+jc8vQLgA78Fl7q+HeRFsa4 TCP9TF8/+bkhfvrJwLX4GzH0XiJdpkwOB/JCQnvc1JQG27EX78GhGavgZV1H3V3edvJx 19qq6jkW08SBr8+snbr/duAzybavtZc2OacJER3vUy2nIDGJ7JmhIqdfJ/u2EyoLBMed rgz91BSaHyk7BpmhkDqQY0z66d21nhOc5eIIflZr914QLYF59FQp354+fjQRVCG2ERZ8 LzrPfmtcjE2tZPmIIaDUuZiHJ34c1UYQIiYzYHC39VCN10wM+eOFTKsJcaCe/NdDWJuH RsIw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=mV8fk+Wb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Return-Path: Received: from groat.vger.email (groat.vger.email. [23.128.96.35]) by mx.google.com with ESMTPS id y30-20020a056a001c9e00b00686e01db946si12600530pfw.64.2023.09.26.08.19.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Sep 2023 08:19:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35; Authentication-Results: mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=mV8fk+Wb; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 3ACD0802DF2E; Mon, 25 Sep 2023 23:30:39 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233671AbjIZGai (ORCPT + 99 others); Tue, 26 Sep 2023 02:30:38 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38256 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229776AbjIZGah (ORCPT ); Tue, 26 Sep 2023 02:30:37 -0400 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BD2ACAF; Mon, 25 Sep 2023 23:30:30 -0700 (PDT) Received: from pps.filterd (m0279873.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 38Q5rexA019211; Tue, 26 Sep 2023 06:30:28 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding : content-type; s=qcppdkim1; bh=nGouHzxWe5kzoMakXT7t21X91AZk6rZC1OKWW3eLQSQ=; b=mV8fk+WbImyzXFJ22ps+pMZIhUMAqSoMkJtYJ+Na2+gHOMTDqh3s/3TVmhWglTW07imn YVDTqfQ9fgNGRzcKBsBq2biuNMARJaWLf/lZibv+L8LOA25J6WhDMu4K+KvGadTqD4SU 2jL463JBYUpxoBioph+DjCTzADARbxJhjmN5OJckAXwscfK2Z8NyP/tKytE0oGWrmO7f 2BtdiKX/5zfV1cNllT8p3/HSoC3w16v3EkBtPU+RfBZJAz7RJobNuQVvSNIiMvs4ccUx zm5JR4CO29eeNT+uivOmZ+peve1AONm9JN/M/jZ35N0qC3u7OK7IchWm9en7uRuM/LXZ xA== Received: from nalasppmta04.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3tb72sjdpb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 26 Sep 2023 06:30:28 +0000 Received: from nalasex01a.na.qualcomm.com (nalasex01a.na.qualcomm.com [10.47.209.196]) by NALASPPMTA04.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 38Q6URqo011047 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 26 Sep 2023 06:30:27 GMT Received: from hu-kriskura-hyd.qualcomm.com (10.80.80.8) by nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.36; Mon, 25 Sep 2023 23:30:24 -0700 From: Krishna Kurapati To: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= , "Greg Kroah-Hartman" CC: , , "Krishna Kurapati" , Subject: [PATCH v3] usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call Date: Tue, 26 Sep 2023 12:00:15 +0530 Message-ID: <20230926063015.21189-1-quic_kriskura@quicinc.com> X-Mailer: git-send-email 2.42.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Originating-IP: [10.80.80.8] X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nalasex01a.na.qualcomm.com (10.47.209.196) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-GUID: ESzlIhQeff_KPRETL5hlJwzyPRfa7QbG X-Proofpoint-ORIG-GUID: ESzlIhQeff_KPRETL5hlJwzyPRfa7QbG X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-09-26_04,2023-09-25_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 phishscore=0 mlxscore=0 priorityscore=1501 lowpriorityscore=0 clxscore=1015 malwarescore=0 adultscore=0 mlxlogscore=978 spamscore=0 suspectscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2309180000 definitions=main-2309260057 X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Mon, 25 Sep 2023 23:30:39 -0700 (PDT) When NCM is used with hosts like Windows PC, it is observed that there are multiple NTB's contained in one usb request giveback. Since the driver unwraps the obtained request data assuming only one NTB is present, we loose the subsequent NTB's present resulting in data loss. Fix this by checking the parsed block length with the obtained data length in usb request and continue parsing after the last byte of current NTB. Cc: stable@vger.kernel.org Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added") Signed-off-by: Krishna Kurapati --- Changes in v3: Removed explicit typecast for ntb_ptr drivers/usb/gadget/function/f_ncm.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c index 424bb3b666db..9512cec662c8 100644 --- a/drivers/usb/gadget/function/f_ncm.c +++ b/drivers/usb/gadget/function/f_ncm.c @@ -1171,7 +1171,8 @@ static int ncm_unwrap_ntb(struct gether *port, struct sk_buff_head *list) { struct f_ncm *ncm = func_to_ncm(&port->func); - __le16 *tmp = (void *) skb->data; + unsigned char *ntb_ptr = skb->data; + __le16 *tmp; unsigned index, index2; int ndp_index; unsigned dg_len, dg_len2; @@ -1184,6 +1185,10 @@ static int ncm_unwrap_ntb(struct gether *port, const struct ndp_parser_opts *opts = ncm->parser_opts; unsigned crc_len = ncm->is_crc ? sizeof(uint32_t) : 0; int dgram_counter; + int to_process = skb->len; + +parse_ntb: + tmp = (void *)ntb_ptr; /* dwSignature */ if (get_unaligned_le32(tmp) != opts->nth_sign) { @@ -1230,7 +1235,7 @@ static int ncm_unwrap_ntb(struct gether *port, * walk through NDP * dwSignature */ - tmp = (void *)(skb->data + ndp_index); + tmp = (void *)(ntb_ptr + ndp_index); if (get_unaligned_le32(tmp) != ncm->ndp_sign) { INFO(port->func.config->cdev, "Wrong NDP SIGN\n"); goto err; @@ -1287,11 +1292,11 @@ static int ncm_unwrap_ntb(struct gether *port, if (ncm->is_crc) { uint32_t crc, crc2; - crc = get_unaligned_le32(skb->data + + crc = get_unaligned_le32(ntb_ptr + index + dg_len - crc_len); crc2 = ~crc32_le(~0, - skb->data + index, + ntb_ptr + index, dg_len - crc_len); if (crc != crc2) { INFO(port->func.config->cdev, @@ -1318,7 +1323,7 @@ static int ncm_unwrap_ntb(struct gether *port, dg_len - crc_len); if (skb2 == NULL) goto err; - skb_put_data(skb2, skb->data + index, + skb_put_data(skb2, ntb_ptr + index, dg_len - crc_len); skb_queue_tail(list, skb2); @@ -1331,10 +1336,17 @@ static int ncm_unwrap_ntb(struct gether *port, } while (ndp_len > 2 * (opts->dgram_item_len * 2)); } while (ndp_index); - dev_consume_skb_any(skb); - VDBG(port->func.config->cdev, "Parsed NTB with %d frames\n", dgram_counter); + + to_process -= block_len; + if (to_process != 0) { + ntb_ptr = (unsigned char *)(ntb_ptr + block_len); + goto parse_ntb; + } + + dev_consume_skb_any(skb); + return 0; err: skb_queue_purge(list); -- 2.42.0