<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/drivers/misc/mei/client.c, branch linux-4.20.y</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=linux-4.20.y</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=linux-4.20.y'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2018-09-12T07:14:24+00:00</updated>
<entry>
<title>mei: fix use-after-free in mei_cl_write</title>
<updated>2018-09-12T07:14:24+00:00</updated>
<author>
<name>John Hubbard</name>
<email>jhubbard@nvidia.com</email>
</author>
<published>2018-08-23T06:16:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c1a214ad82d7ac6f19fe48f90b13403b40ead9dc'/>
<id>urn:sha1:c1a214ad82d7ac6f19fe48f90b13403b40ead9dc</id>
<content type='text'>
KASAN reports a use-after-free during startup, in mei_cl_write:

    BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei]
       (drivers/misc/mei/client.c:1770)

This is caused by commit 98e70866aacb ("mei: add support for variable
length mei headers."), which changed the return value from len, to
buf-&gt;size. That ends up using a stale buf pointer, because in a blocking
call, the cb (callback) is deleted in the me_cl_complete() function.

However, fortunately, len remains unchanged throughout the function
(and I don't see anything else that would require re-reading buf-&gt;size
either), so the fix is to simply revert the change, and return len, as
before.

Fixes: 98e70866aacb ("mei: add support for variable length mei headers.")
CC: Arnd Bergmann &lt;arnd@arndb.de&gt;
CC: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: John Hubbard &lt;jhubbard@nvidia.com&gt;
Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>mei: hbm: introduce dma bit in the message header</title>
<updated>2018-08-02T08:18:30+00:00</updated>
<author>
<name>Tomas Winkler</name>
<email>tomas.winkler@intel.com</email>
</author>
<published>2018-07-31T06:35:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9d89ddfc624649e200aeec57912635dbe259d07b'/>
<id>urn:sha1:9d89ddfc624649e200aeec57912635dbe259d07b</id>
<content type='text'>
Add dma_ring bit in the mei message header for conveying
that the message data itself are on the dma ring.

Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>mei: add support for variable length mei headers.</title>
<updated>2018-08-02T08:18:29+00:00</updated>
<author>
<name>Tomas Winkler</name>
<email>tomas.winkler@intel.com</email>
</author>
<published>2018-07-31T06:35:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=98e70866aacb1fcaa7b710fc6bca9862bf47421a'/>
<id>urn:sha1:98e70866aacb1fcaa7b710fc6bca9862bf47421a</id>
<content type='text'>
Remove header size knowledge from me and txe hw layers,
this requires changing the write handler to accept
header and its length as well as data and its length.

HBM messages are fixed to use basic header, hence we add mei_hbm2slots()
that converts HBM message length and mei message header,
while mei_data2slots() converts data length directly to the slots.

Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>mei: add mei_msg_hdr_init wrapper.</title>
<updated>2018-07-24T12:16:57+00:00</updated>
<author>
<name>Tomas Winkler</name>
<email>tomas.winkler@intel.com</email>
</author>
<published>2018-07-23T10:21:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a1c4d08b6b95a0e296285ee53cc1438b3f168f98'/>
<id>urn:sha1:a1c4d08b6b95a0e296285ee53cc1438b3f168f98</id>
<content type='text'>
Wrap the mei header boilerplate initialization code in
mei_msg_hdr_init function. On the way remove 'completed'
field from mei_cl_cb structure as this information
is already included in the header and is local to particular
fragment.

Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>mei: move hbuf_depth from the mei device to the hw modules</title>
<updated>2018-07-24T12:16:57+00:00</updated>
<author>
<name>Tomas Winkler</name>
<email>tomas.winkler@intel.com</email>
</author>
<published>2018-07-23T10:21:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8c8d964ce90f16877b76c3f00b27165bf865af69'/>
<id>urn:sha1:8c8d964ce90f16877b76c3f00b27165bf865af69</id>
<content type='text'>
The host buffer depth is hardware specific so it's better to
handle it inside the me and txe hw modules. In me the depth
is read from a register; in txe it's a constant number.
The value is now retrieved via mei_hbuf_depth accessor,
while it replaces mei_hbuf_max_len.

Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>mei: cleanup slots to data conversions</title>
<updated>2018-07-24T12:16:57+00:00</updated>
<author>
<name>Tomas Winkler</name>
<email>tomas.winkler@intel.com</email>
</author>
<published>2018-07-23T10:21:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=9fc5f0f8ad28405145b30fd3b905e368063ee14c'/>
<id>urn:sha1:9fc5f0f8ad28405145b30fd3b905e368063ee14c</id>
<content type='text'>
Cleanup conversions between slots and data.
Define MEI_SLOT_SIZE instead of using 4 or sizeof(u32) across
the source code.

Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>mei: fix ssize_t to int assignment in read and write ops.</title>
<updated>2018-07-12T14:23:19+00:00</updated>
<author>
<name>Tomas Winkler</name>
<email>tomas.winkler@intel.com</email>
</author>
<published>2018-07-12T14:10:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5151e2b578e92f88d676ad78d36a2ef93d0a0dea'/>
<id>urn:sha1:5151e2b578e92f88d676ad78d36a2ef93d0a0dea</id>
<content type='text'>
Use ssize_t for rets variables in mei_write(), mei_read(), and
mei_cl_write() as well as change the return type of mei_cl_write()
to ssize_t, to prevent assignment of possible 64bit size_t
to int 32 bit variable.

As a by-product, also eliminate the warning
drivers/misc/mei/client.c:1702:11: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]

Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>mei: check for error returned from mei_hbuf_empty_slots()</title>
<updated>2018-07-12T14:23:19+00:00</updated>
<author>
<name>Tomas Winkler</name>
<email>tomas.winkler@intel.com</email>
</author>
<published>2018-07-12T14:10:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=de8774371cdc4c18cd118490e0d61eccd5f2c4d8'/>
<id>urn:sha1:de8774371cdc4c18cd118490e0d61eccd5f2c4d8</id>
<content type='text'>
mei_hbuf_empty_slots() may return with an error in case
of circular buffer overflow. This type of error may
be caused only by a bug. However currently, the error
won't be detected due to signed type promotion in comparison to u32.
We add explicit check for less than zero and explicit cast
in comparison to suppress sign-compare warning.

Reported-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>mei: limit the number of queued writes</title>
<updated>2018-03-14T18:33:13+00:00</updated>
<author>
<name>Alexander Usyskin</name>
<email>alexander.usyskin@intel.com</email>
</author>
<published>2018-02-25T18:07:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=af336cabe08363ba8493e7d7e5d070353eb30caa'/>
<id>urn:sha1:af336cabe08363ba8493e7d7e5d070353eb30caa</id>
<content type='text'>
Limit the number of queued writes per client.
Writes above this threshold are blocked till place
in the transmit queue is available.
The limit is configurable via sysfs and defaults to 50.
The implementation should provide blocking I/O behavior.
Prior to this change one would end up in the hands of OOM.

Signed-off-by: Alexander Usyskin &lt;alexander.usyskin@intel.com&gt;
Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>mei: make module referencing local to the bus.c</title>
<updated>2018-03-14T18:33:13+00:00</updated>
<author>
<name>Tomas Winkler</name>
<email>tomas.winkler@intel.com</email>
</author>
<published>2018-02-25T18:07:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=257355a44b9929e55d6fd47bfff66971dc4de948'/>
<id>urn:sha1:257355a44b9929e55d6fd47bfff66971dc4de948</id>
<content type='text'>
Module reference counting is relevant only to the
mei client devices. Make the implementation clean
and move it to bus.c

Signed-off-by: Tomas Winkler &lt;tomas.winkler@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
</feed>
