| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250912101322.1282507-1-ovidiu.panait.oss@gmail.com>
Date: Fri, 12 Sep 2025 13:13:21 +0300
From: Ovidiu Panait <ovidiu.panait.oss@...il.com>
To: gregkh@...uxfoundation.org,
linux-kernel@...r.kernel.org,
linux-staging@...ts.linux.dev
Cc: gshahrouzi@...il.com,
Ovidiu Panait <ovidiu.panait.oss@...il.com>,
stable@...r.kernel.org
Subject: [PATCH 1/2] staging: axis-fifo: fix TX handling on copy_from_user() failure
If copy_from_user() fails, write() currently returns -EFAULT, but any
partially written data leaves the TX FIFO in an inconsistent state.
Subsequent write() calls then fail with "transmit length mismatch"
errors.
Once partial data is written to the hardware FIFO, it cannot be removed
without a TX reset. Commit c6e8d85fafa7 ("staging: axis-fifo: Remove
hardware resets for user errors") removed a full FIFO reset for this case,
which fixed a potential RX data loss, but introduced this TX issue.
Fix this by introducing a bounce buffer: copy the full packet from
userspace first, and write to the hardware FIFO only if the copy
was successful.
Fixes: c6e8d85fafa7 ("staging: axis-fifo: Remove hardware resets for user errors")
Cc: stable@...r.kernel.org
Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@...il.com>
---
drivers/staging/axis-fifo/axis-fifo.c | 36 ++++++++-------------------
1 file changed, 10 insertions(+), 26 deletions(-)
diff --git a/drivers/staging/axis-fifo/axis-fifo.c b/drivers/staging/axis-fifo/axis-fifo.c
index f54614ba1aa8..c47c6a022402 100644
--- a/drivers/staging/axis-fifo/axis-fifo.c
+++ b/drivers/staging/axis-fifo/axis-fifo.c
@@ -43,7 +43,6 @@
#define DRIVER_NAME "axis_fifo"
#define READ_BUF_SIZE 128U /* read buffer length in words */
-#define WRITE_BUF_SIZE 128U /* write buffer length in words */
#define AXIS_FIFO_DEBUG_REG_NAME_MAX_LEN 4
@@ -305,11 +304,8 @@ static ssize_t axis_fifo_write(struct file *f, const char __user *buf,
{
struct axis_fifo *fifo = (struct axis_fifo *)f->private_data;
unsigned int words_to_write;
- unsigned int copied;
- unsigned int copy;
- unsigned int i;
+ u32 *txbuf;
int ret;
- u32 tmp_buf[WRITE_BUF_SIZE];
if (len % sizeof(u32)) {
dev_err(fifo->dt_device,
@@ -374,32 +370,20 @@ static ssize_t axis_fifo_write(struct file *f, const char __user *buf,
}
}
- /* write data from an intermediate buffer into the fifo IP, refilling
- * the buffer with userspace data as needed
- */
- copied = 0;
- while (words_to_write > 0) {
- copy = min(words_to_write, WRITE_BUF_SIZE);
-
- if (copy_from_user(tmp_buf, buf + copied * sizeof(u32),
- copy * sizeof(u32))) {
- ret = -EFAULT;
- goto end_unlock;
- }
-
- for (i = 0; i < copy; i++)
- iowrite32(tmp_buf[i], fifo->base_addr +
- XLLF_TDFD_OFFSET);
-
- copied += copy;
- words_to_write -= copy;
+ txbuf = vmemdup_user(buf, len);
+ if (IS_ERR(txbuf)) {
+ ret = PTR_ERR(txbuf);
+ goto end_unlock;
}
- ret = copied * sizeof(u32);
+ for (int i = 0; i < words_to_write; ++i)
+ iowrite32(txbuf[i], fifo->base_addr + XLLF_TDFD_OFFSET);
/* write packet size to fifo */
- iowrite32(ret, fifo->base_addr + XLLF_TLR_OFFSET);
+ iowrite32(len, fifo->base_addr + XLLF_TLR_OFFSET);
+ ret = len;
+ kvfree(txbuf);
end_unlock:
mutex_unlock(&fifo->write_lock);
--
2.50.0
Powered by blists - more mailing lists