From 361d10e6dc68eed1c0ccc8aefa359d29dafacc53 Mon Sep 17 00:00:00 2001 From: Chaitanya Mishra Date: Fri, 16 Jan 2026 08:54:18 +0530 Subject: [PATCH 1/2] fsi: cfam: clamp chunk length to remaining count cfam_{read,write} split requests into up to 4-byte aligned chunks. The per-iteration length is computed from the full count and the current alignment. Once total_len advances, this can exceed the remaining bytes, leading to copy_{to,from}_user() touching bytes past the user buffer and advancing the file offset too far. Clamp each chunk to the minimum of the alignment-based length and the remaining bytes so each iteration handles only the bytes left. Fixes: d1dcd6782576 ("fsi: Add cfam char devices") Signed-off-by: Chaitanya Mishra --- drivers/fsi/fsi-core.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c index c6c115993ebc13..8a2a02df52acf5 100644 --- a/drivers/fsi/fsi-core.c +++ b/drivers/fsi/fsi-core.c @@ -674,8 +674,7 @@ static ssize_t cfam_read(struct file *filep, char __user *buf, size_t count, for (total_len = 0; total_len < count; total_len += read_len) { __be32 data; - read_len = min_t(size_t, count, 4); - read_len -= off & 0x3; + read_len = min_t(size_t, 4 - (off & 0x3), count - total_len); rc = fsi_slave_read(slave, off, &data, read_len); if (rc) @@ -711,8 +710,7 @@ static ssize_t cfam_write(struct file *filep, const char __user *buf, for (total_len = 0; total_len < count; total_len += write_len) { __be32 data; - write_len = min_t(size_t, count, 4); - write_len -= off & 0x3; + write_len = min_t(size_t, 4 - (off & 0x3), count - total_len); rc = copy_from_user(&data, buf + total_len, write_len); if (rc) { From 68edccdbd6f41f1cd39d25b845ed16ee0d3ffa62 Mon Sep 17 00:00:00 2001 From: Chaitanya Mishra Date: Sat, 24 Jan 2026 12:44:44 +0530 Subject: [PATCH 2/2] fsi: master-ast-cf: fix relative address arithmetic --- drivers/fsi/fsi-master-ast-cf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/fsi/fsi-master-ast-cf.c b/drivers/fsi/fsi-master-ast-cf.c index e67d7cd30fcaa4..d9f6f84a72ed7a 100644 --- a/drivers/fsi/fsi-master-ast-cf.c +++ b/drivers/fsi/fsi-master-ast-cf.c @@ -184,7 +184,7 @@ static bool check_relative_address(struct fsi_master_acf *master, int id, /* We know that the addresses are limited to 21 bits, so this won't * overflow the signed rel_addr */ - rel_addr = addr - last_addr; + rel_addr = (int32_t)addr - (int32_t)last_addr; if (rel_addr > 255 || rel_addr < -256) return false;