Kernel/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2024-12-29 09:13:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e9e1b20fae
linux/drivers/thunderbolt
History
Mika Westerberg e9e1b20fae thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan() 
KASAN reported following issue:

 BUG: KASAN: stack-out-of-bounds in tb_retimer_scan+0xffe/0x1550 [thunderbolt]
 Read of size 4 at addr ffff88810111fc1c by task kworker/u56:0/11
 CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: G     U             6.11.0+ #1387
 Tainted: [U]=USER
 Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt]
 Call Trace:
  <TASK>
  dump_stack_lvl+0x6c/0x90
  print_report+0xd1/0x630
  kasan_report+0xdb/0x110
  __asan_report_load4_noabort+0x14/0x20
  tb_retimer_scan+0xffe/0x1550 [thunderbolt]
  tb_scan_port+0xa6f/0x2060 [thunderbolt]
  tb_handle_hotplug+0x17b1/0x3080 [thunderbolt]
  process_one_work+0x626/0x1100
  worker_thread+0x6c8/0xfa0
  kthread+0x2c8/0x3a0
  ret_from_fork+0x3a/0x80
  ret_from_fork_asm+0x1a/0x30

This happens because the loop variable still gets incremented by one so
max becomes 3 instead of 2, and this makes the second loop read past the
the array declared on the stack.

Fix this by assigning to max directly in the loop body.

Fixes: ff6ab055e0 ("thunderbolt: Add receiver lane margining support for retimers")
CC: stable@vger.kernel.org
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
2024-10-11 14:23:15 +03:00
..
acpi.c thunderbolt: Don't create device link from USB4 Host Interface to USB3 xHC host 2024-09-03 09:54:39 +02:00
cap.c thunderbolt: cap: Fix kernel-doc formatting issue 2021-01-28 12:33:18 +03:00
clx.c thunderbolt: Check for unplugged router in tb_switch_clx_disable() 2023-10-13 08:49:13 +03:00
ctl.c thunderbolt: Add trace events support for the control channel 2024-02-26 09:12:24 +02:00
ctl.h thunderbolt: Add trace events support for the control channel 2024-02-26 09:12:24 +02:00
debugfs.c thunderbolt: Improve software receiver lane margining 2024-08-22 07:32:06 +03:00
dma_port.c thunderbolt: Use generic tb_nvm_[read|write]_data() for Thunderbolt 2/3 devices 2021-05-31 14:37:54 +03:00
dma_port.h thunderbolt: Convert rest of the driver files to use SPDX identifier 2018-10-02 15:52:08 -07:00
dma_test.c thunderbolt: dma_test: Use enum tb_link_width 2023-10-13 08:49:12 +03:00
domain.c driver core: have match() callback in struct bus_type take a const * 2024-07-03 15:16:54 +02:00
eeprom.c thunderbolt: Ignore data CRC mismatch for USB4 routers 2023-06-16 09:53:27 +03:00
icm.c thunderbolt: Enable NVM upgrade support on Intel Maple Ridge 2024-04-08 07:47:38 +03:00
Kconfig thunderbolt: Add receiver lane margining support for retimers 2024-06-17 12:47:12 +03:00
lc.c thunderbolt: Introduce tb_port_reset() 2024-01-22 13:21:06 +02:00
Makefile thunderbolt: Add trace events support for the control channel 2024-02-26 09:12:24 +02:00
nhi_ops.c thunderbolt: Software CM only should set force power in Tiger Lake 2020-09-03 12:06:40 +03:00
nhi_regs.h thunderbolt: Reset USB4 v2 host router 2023-06-16 09:53:28 +03:00
nhi.c thunderbolt: Correct typo in host_reset parameter 2024-02-13 11:08:36 +02:00
nhi.h thunderbolt: Add support for Intel Lunar Lake 2023-12-14 08:07:45 +02:00
nvm.c thunderbolt: Remove usage of the deprecated ida_simple_xx() API 2024-01-23 13:30:20 +02:00
path.c thunderbolt: Introduce tb_path_deactivate_hop() 2024-01-22 13:21:06 +02:00
property.c thunderbolt: Add tb_property_copy_dir() 2021-03-18 18:25:31 +03:00
quirks.c thunderbolt: Keep the domain powered when USB4 port is in redrive mode 2024-02-26 09:12:12 +02:00
retimer.c thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan() 2024-10-11 14:23:15 +03:00
sb_regs.h thunderbolt: Improve software receiver lane margining 2024-08-22 07:32:06 +03:00
switch.c thunderbolt: Mark XDomain as unplugged when router is removed 2024-08-06 08:01:10 +03:00
tb_msgs.h thunderbolt: Get rid of TB_CFG_PKG_PREPARE_TO_SLEEP 2024-04-19 07:52:45 +03:00
tb_regs.h thunderbolt: Changes for v6.9 merge window 2024-03-02 20:14:03 +01:00
tb.c thunderbolt: Changes for v6.10 merge window 2024-05-10 10:25:22 +01:00
tb.h thunderbolt: Improve software receiver lane margining 2024-08-22 07:32:06 +03:00
test.c thunderbolt: Add test case for 3 DisplayPort tunnels 2023-06-16 09:53:29 +03:00
tmu.c thunderbolt: Unwind TMU configuration if tb_switch_set_tmu_mode_params() fails 2023-12-14 08:07:44 +02:00
trace.h thunderbolt: Correct trace output of firmware connection manager packets 2024-04-29 07:47:54 +03:00
tunnel.c thunderbolt: Fix kernel-doc for tb_tunnel_alloc_dp() 2024-04-27 08:03:56 +03:00
tunnel.h thunderbolt: Introduce tb_tunnel_direction_downstream() 2024-02-16 12:29:23 +02:00
usb4_port.c thunderbolt: Constify the struct device_type usage 2024-02-26 09:15:49 +02:00
usb4.c thunderbolt: Improve software receiver lane margining 2024-08-22 07:32:06 +03:00
xdomain.c thunderbolt: Use correct error code with ERROR_NOT_SUPPORTED 2024-04-19 07:52:38 +03:00