Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp2627014rdh; Wed, 27 Sep 2023 08:06:48 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEsDTSiEpCfmhw4CAecoYd3tdX50KTh3YXlEhwJjwNMySCAEY7FWhsvRY2Deft9rjxkaZrZ X-Received: by 2002:aa7:8881:0:b0:68e:2cf2:1613 with SMTP id z1-20020aa78881000000b0068e2cf21613mr2819251pfe.3.1695827208600; Wed, 27 Sep 2023 08:06:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695827208; cv=none; d=google.com; s=arc-20160816; b=aFeeH7qAXX7gWpcmsdNZVELJy8zkQ9jzXd41AEsEg4sNX/1x9j6v3pTKWaJB62q+Jj UJVpDl2HFIJBHWaY4s3g9PwXLDvUsX6127s+h92IPyocxOxFzI/H7RCmsnXXTD10b0N6 8rEe5ghHlcY/xpFLWo3mSZvjWQ/sNs89/5sq46+09hwTtyLgV/vGL6xs9pF1ovt4ehr0 UZnu8sX/Imcmm98gw7DiPdSKSN5xV+8Nsx+jNyqJiYxgDG+s6luZC08YLXYAEnr68BZy 7VFyulaJsF+Zl1z004QHNsGDWsZRwl6/ymThZ8Ln2FJo27L3wODsBKom0SWvyvKKDVGc hL6Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=rOuf5MtDCQLRUngQ4awgcDV/nMQsPByOw/Aas90rjfw=; fh=9wUwERTIPV6Pq/kGZbROlqDw7mqDQqKlfQaJ7sOIt70=; b=xHPuvNwAg+/mK4M4zFqpfXCqmQK/r3zlptXNDIXW7dlxGrhspNHqhKlewHoN6e0LEs NOUEVVggNkEuPfBQcTEFuBDJvvP09vNBNi+tV0EawmB+MxT3qmOlN2hddhsiZR1PLkUu wbf/9Tce5Pz8MYAKGRmX/O7OZsyY/R+u9lgh6YPbqZA7eeae2cVEb7ycAfDjoCdNd2tQ X5lH10obugPK7jZ/W3OUy8epx4UeujS4pkJaIHfGhafX/fZwy+sjIAzZlhV2w9d6Bngd bkGroxpug05mp0axO1aJORI4+tEJVOVHNgogZ9tVMcfvhCg9aPat1m0gOlREbBFPxuvC //WA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=m4tfZO5g; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Return-Path: Received: from pete.vger.email (pete.vger.email. [23.128.96.36]) by mx.google.com with ESMTPS id f9-20020a056a00238900b00690dbd360basi17142815pfc.152.2023.09.27.08.06.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 27 Sep 2023 08:06:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) client-ip=23.128.96.36; Authentication-Results: mx.google.com; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=m4tfZO5g; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.36 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=quicinc.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by pete.vger.email (Postfix) with ESMTP id 2C2C980238A1; Wed, 27 Sep 2023 03:59:44 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at pete.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231158AbjI0K7c (ORCPT + 99 others); Wed, 27 Sep 2023 06:59:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36358 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230164AbjI0K73 (ORCPT ); Wed, 27 Sep 2023 06:59:29 -0400 Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7296813A; Wed, 27 Sep 2023 03:59:27 -0700 (PDT) Received: from pps.filterd (m0279862.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 38RAZ7mc010443; Wed, 27 Sep 2023 10:59:19 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding : content-type; s=qcppdkim1; bh=rOuf5MtDCQLRUngQ4awgcDV/nMQsPByOw/Aas90rjfw=; b=m4tfZO5gw3QrvzniLLjwfqhOX6kts1VAlYwHbzMXdNORWR1tWQGsPWNbS5hdYNlTb1N5 LG0ybPasFLzA1B4ciMwi8I4+mIdDajG6DaX1EmVXH9vRJQP0FxAhoJ3zJ3chTW71CumI x+acZneAWxRxvTjSYqG/4C3rUJBn2Pu/+9XfXibzHbu3N6NPQPLIwJqlB0odGjgFnWiK cHRuPbavI1ODSEQhHwp6anvMRIqlIbub9nhUVlVE0JegEImVErkAC6aO/o6jCz8g40At lZ1qe20eBGOWoTW8afA2coA4bOSW1VKlb4OOuF4FTpaMqdR22gVbHbcwjqyGBsznoHGs Cw== Received: from nalasppmta04.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3tc4rxhk0y-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 27 Sep 2023 10:59:18 +0000 Received: from nalasex01a.na.qualcomm.com (nalasex01a.na.qualcomm.com [10.47.209.196]) by NALASPPMTA04.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 38RAxBZ7009250 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 27 Sep 2023 10:59:11 GMT Received: from hu-kriskura-hyd.qualcomm.com (10.80.80.8) by nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.36; Wed, 27 Sep 2023 03:59:08 -0700 From: Krishna Kurapati To: Greg Kroah-Hartman , =?UTF-8?q?Maciej=20=C5=BBenczykowski?= CC: , , , , , Krishna Kurapati , Subject: [PATCH v4] usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call Date: Wed, 27 Sep 2023 16:28:58 +0530 Message-ID: <20230927105858.12950-1-quic_kriskura@quicinc.com> X-Mailer: git-send-email 2.42.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain X-Originating-IP: [10.80.80.8] X-ClientProxiedBy: nasanex01b.na.qualcomm.com (10.46.141.250) To nalasex01a.na.qualcomm.com (10.47.209.196) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-GUID: 9no8INfMF3GZqaPbkRh4wKLkb_pHmU4H X-Proofpoint-ORIG-GUID: 9no8INfMF3GZqaPbkRh4wKLkb_pHmU4H X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.267,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-09-27_06,2023-09-27_01,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 malwarescore=0 suspectscore=0 mlxlogscore=958 adultscore=0 lowpriorityscore=0 mlxscore=0 priorityscore=1501 phishscore=0 bulkscore=0 clxscore=1015 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2309180000 definitions=main-2309270091 X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]); Wed, 27 Sep 2023 03:59:44 -0700 (PDT) When NCM is used with hosts like Windows PC, it is observed that there are multiple NTB's contained in one usb request giveback. Since the driver unwraps the obtained request data assuming only one NTB is present, we loose the subsequent NTB's present resulting in data loss. Fix this by checking the parsed block length with the obtained data length in usb request and continue parsing after the last byte of current NTB. Cc: stable@vger.kernel.org Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added") Signed-off-by: Krishna Kurapati --- Changes in v4: Replaced void* with __le16* typecast for tmp variable Changes in v3: Removed explicit void* typecast for ntb_ptr variable drivers/usb/gadget/function/f_ncm.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c index 424bb3b666db..faf90a217419 100644 --- a/drivers/usb/gadget/function/f_ncm.c +++ b/drivers/usb/gadget/function/f_ncm.c @@ -1171,7 +1171,8 @@ static int ncm_unwrap_ntb(struct gether *port, struct sk_buff_head *list) { struct f_ncm *ncm = func_to_ncm(&port->func); - __le16 *tmp = (void *) skb->data; + unsigned char *ntb_ptr = skb->data; + __le16 *tmp; unsigned index, index2; int ndp_index; unsigned dg_len, dg_len2; @@ -1184,6 +1185,10 @@ static int ncm_unwrap_ntb(struct gether *port, const struct ndp_parser_opts *opts = ncm->parser_opts; unsigned crc_len = ncm->is_crc ? sizeof(uint32_t) : 0; int dgram_counter; + int to_process = skb->len; + +parse_ntb: + tmp = (__le16 *)ntb_ptr; /* dwSignature */ if (get_unaligned_le32(tmp) != opts->nth_sign) { @@ -1230,7 +1235,7 @@ static int ncm_unwrap_ntb(struct gether *port, * walk through NDP * dwSignature */ - tmp = (void *)(skb->data + ndp_index); + tmp = (__le16 *)(ntb_ptr + ndp_index); if (get_unaligned_le32(tmp) != ncm->ndp_sign) { INFO(port->func.config->cdev, "Wrong NDP SIGN\n"); goto err; @@ -1287,11 +1292,11 @@ static int ncm_unwrap_ntb(struct gether *port, if (ncm->is_crc) { uint32_t crc, crc2; - crc = get_unaligned_le32(skb->data + + crc = get_unaligned_le32(ntb_ptr + index + dg_len - crc_len); crc2 = ~crc32_le(~0, - skb->data + index, + ntb_ptr + index, dg_len - crc_len); if (crc != crc2) { INFO(port->func.config->cdev, @@ -1318,7 +1323,7 @@ static int ncm_unwrap_ntb(struct gether *port, dg_len - crc_len); if (skb2 == NULL) goto err; - skb_put_data(skb2, skb->data + index, + skb_put_data(skb2, ntb_ptr + index, dg_len - crc_len); skb_queue_tail(list, skb2); @@ -1331,10 +1336,17 @@ static int ncm_unwrap_ntb(struct gether *port, } while (ndp_len > 2 * (opts->dgram_item_len * 2)); } while (ndp_index); - dev_consume_skb_any(skb); - VDBG(port->func.config->cdev, "Parsed NTB with %d frames\n", dgram_counter); + + to_process -= block_len; + if (to_process != 0) { + ntb_ptr = (unsigned char *)(ntb_ptr + block_len); + goto parse_ntb; + } + + dev_consume_skb_any(skb); + return 0; err: skb_queue_purge(list); -- 2.42.0