kernel/linux.git/drivers/thunderbolt, branch v7.1-rc6

thunderbolt: property: Cap recursion depth in __tb_property_parse_dir()

2026-05-11T09:32:03+00:00

A DIRECTORY entry's value field is used as the dir_offset for a recursive call into __tb_property_parse_dir() with no depth counter. A crafted peer that chains DIRECTORY entries into a back-reference loop drives the parser until the kernel stack is exhausted and the guard page fires. Any untrusted XDomain peer (cable, dock, in-line inspector, adjacent host) that reaches the PROPERTIES_REQUEST control-plane exchange can trigger this without authentication. Thread a depth counter through tb_property_parse() and __tb_property_parse_dir(), and reject blocks that exceed TB_PROPERTY_MAX_DEPTH = 8. That is comfortably larger than any observed legitimate XDomain layout. Operators who do not need XDomain host-to-host discovery can disable the path entirely with thunderbolt.xdomain=0 on the kernel command line. Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-6 Assisted-by: Codex:gpt-5-4 Signed-off-by: Michael Bommarito Signed-off-by: Mika Westerberg

thunderbolt: property: Reject dir_len < 4 to prevent size_t underflow

2026-05-11T09:31:55+00:00

On the non-root path, __tb_property_parse_dir() takes dir_len from entry->length (u16 widened to size_t). Two distinct OOB conditions follow when entry->length < 4: 1. The non-root path begins with kmemdup(&block[dir_offset], sizeof(*dir->uuid), ...) which always reads 4 dwords from dir_offset. tb_property_entry_valid() only enforces dir_offset + entry->length <= block_len, so a crafted entry with dir_offset close to the end of the property block and entry->length in 0..3 passes that gate but lets the UUID copy run off the block (e.g. dir_offset = 497, dir_len = 3 in a 500-dword block reads block[497..501]). 2. After the kmemdup, content_len = dir_len - 4 underflows size_t to ~SIZE_MAX, nentries becomes SIZE_MAX / 4, and the entry walk runs OOB on each iteration until an entry fails validation or the kernel oopses on an unmapped page. Reject dir_len < 4 on the non-root path *before* the UUID kmemdup, which closes both holes. Also move INIT_LIST_HEAD(&dir->properties) up to immediately after the dir allocation so the new error-return path (and the existing uuid-alloc failure path) calling tb_property_free_dir() sees a walkable list rather than the zero-initialized NULL next/prev that list_for_each_entry_safe() would oops on. Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-6 Assisted-by: Codex:gpt-5-4 Signed-off-by: Michael Bommarito Signed-off-by: Mika Westerberg

thunderbolt: property: Reject u32 wrap in tb_property_entry_valid()

2026-05-11T09:31:48+00:00

entry->value is u32 and entry->length is u16; the sum is performed in u32 and wraps. A malicious XDomain peer can pick value = 0xffffff00, length = 0x100 so the sum 0x100000000 wraps to 0 and passes the > block_len check. tb_property_parse() then passes entry->value to parse_dwdata() as a dword offset into the property block, reading attacker-directed memory far past the allocation. For TEXT-typed entries with the "deviceid" or "vendorid" keys this lands in xd->device_name / xd->vendor_name and is readable back via the per-XDomain device_name / vendor_name sysfs attributes; the leak is NUL-bounded (kstrdup() stops at the first zero byte) and untargeted (the attacker picks a delta, not an absolute address). DATA-typed entries are parsed into property->value.data but not generically surfaced to userspace. Use check_add_overflow() so a wrapped sum is rejected. Fixes: cdae7c07e3e3 ("thunderbolt: Add support for XDomain properties") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-6 Assisted-by: Codex:gpt-5-4 Signed-off-by: Michael Bommarito Signed-off-by: Mika Westerberg

Merge tag 'thunderbolt-for-v7.1-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt into usb-next

2026-04-10T11:10:28+00:00

Mika writes: thunderbolt: Changes for v7.1 merge window This includes following USB4/Thunderbolt changes for the v7.1 merge window: - Disable CL-states for Titan Ridge based devices with older firmware. - MAINTAINER update. - Simplify allocation of various structures with kzalloc_flex(). All these have been in linux-next with no reported issues. * tag 'thunderbolt-for-v7.1-rc1' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt: thunderbolt: tunnel: Simplify allocation thunderbolt: Use kzalloc_flex() for struct tb_path allocation thunderbolt: dma_port: kmalloc_array + kzalloc to flex MAINTAINERS: Remove bouncing maintainer, Mika takes over DMA test driver thunderbolt: Disable CLx on Titan Ridge-based devices with old firmware thunderbolt: Read router NVM version before applying quirks

thunderbolt: tunnel: Simplify allocation

2026-04-07T07:00:26+00:00

Use a flexible array member and kzalloc_flex to combine allocations. Add __counted_by for extra runtime analysis. Move counting variable assignment after allocation. kzalloc_flex with GCC >= 15 does this automatically. Signed-off-by: Rosen Penev Signed-off-by: Mika Westerberg

thunderbolt: Use kzalloc_flex() for struct tb_path allocation

2026-03-23T05:49:43+00:00

Simplifies allocation of struct tb_path by using a flexible array member. Also added __counted_by for extra runtime analysis. Signed-off-by: Rosen Penev Reviewed-by: Kees Cook Signed-off-by: Mika Westerberg

thunderbolt: dma_port: kmalloc_array + kzalloc to flex

2026-03-18T13:31:56+00:00

Use a single allocation with a flexible array member. Simplifies allocation and freeing. Signed-off-by: Rosen Penev Signed-off-by: Mika Westerberg

thunderbolt: Fix property read in nhi_wake_supported()

2026-03-09T11:36:54+00:00

device_property_read_foo() returns 0 on success and only then modifies 'val'. Currently, val is left uninitialized if the aforementioned function returns non-zero, making nhi_wake_supported() return true almost always (random != 0) if the property is not present in device firmware. Invert the check to make it make sense. Fixes: 3cdb9446a117 ("thunderbolt: Add support for Intel Ice Lake") Cc: stable@vger.kernel.org Signed-off-by: Konrad Dybcio Signed-off-by: Mika Westerberg

thunderbolt: Disable CLx on Titan Ridge-based devices with old firmware

2026-03-02T06:51:58+00:00

Thunderbolt 3 devices based on Titan Ridge routers with NVM firmware version < 0x65 have been observed to become unstable when CL states are enabled. This can lead to link disconnect events and the device failing to enumerate. Enable CLx on Titan Ridge only when the running NVM firmware version is >= 0x65. Signed-off-by: Rene Sapiens Signed-off-by: Mika Westerberg

thunderbolt: Read router NVM version before applying quirks

2026-03-02T06:51:58+00:00

The router NVM version is currently only available after the NVMem devices have been registered. This is too late for firmware-dependent quirks that are evaluated during tb_switch_add() before device registration. Split router NVM handling into two phases: - tb_switch_nvm_init() allocates the NVM object and reads the version - tb_switch_nvm_add() registers the NVMem devices using the pre-read NVM This makes the NVM major/minor version available before tb_check_quirks() without changing when the NVMem devices are registered. Signed-off-by: Rene Sapiens Signed-off-by: Mika Westerberg