thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Up to 64 bytes of data can be read from NVM in one go. Read address
must be dword aligned. Data is read into a local buffer.

If caller asks to read data starting at an unaligned address then full
dword is anyway read from NVM into a local buffer. Data is then copied
from the local buffer starting at the unaligned offset to the caller
buffer.

In cases where asked data length + unaligned offset is over 64 bytes
we need to make sure we don't read past the 64 bytes in the local
buffer when copying to caller buffer, and make sure that we don't
skip copying unaligned offset bytes from local buffer anymore after
the first round of 64 byte NVM data read.

Fixes: 3e13676862f9 ("thunderbolt: Add support for DMA configuration based mailbox")
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>

authored by

Mathias Nyman and committed by

Mika Westerberg 4 years ago b1067760 d07f6ca9

+6 -5

1 changed file

expand all

drivers

thunderbolt

dma_port.c

+6 -5

drivers/thunderbolt/dma_port.c

··· 366 366 void *buf, size_t size) 367 367 { 368 368 unsigned int retries = DMA_PORT_RETRIES; 369 - unsigned int offset; 370 - 371 - offset = address & 3; 372 - address = address & ~3; 373 369 374 370 do { 375 - u32 nbytes = min_t(u32, size, MAIL_DATA_DWORDS * 4); 371 + unsigned int offset; 372 + size_t nbytes; 376 373 int ret; 374 + 375 + offset = address & 3; 376 + nbytes = min_t(size_t, size + offset, MAIL_DATA_DWORDS * 4); 377 377 378 378 ret = dma_port_flash_read_block(dma, address, dma->buf, 379 379 ALIGN(nbytes, 4)); ··· 386 386 return ret; 387 387 } 388 388 389 + nbytes -= offset; 389 390 memcpy(buf, dma->buf + offset, nbytes); 390 391 391 392 size -= nbytes;