kernel/linux.git/drivers/misc/mei, branch v4.19.16

mei: bus: need to unlink client before freeing

2018-09-12T07:14:24+00:00

In case a client fails to connect in mei_cldev_enable(), the caller won't call the mei_cldev_disable leaving the client in a linked stated. Upon driver unload the client structure will be freed in mei_cl_bus_dev_release(), leaving a stale pointer on a fail_list. This will eventually end up in crash during power down flow in mei_cl_set_disonnected(). RIP: mei_cl_set_disconnected+0x5/0x260[mei] Call trace: mei_cl_all_disconnect+0x22/0x30 mei_reset+0x194/0x250 __synchronize_hardirq+0x43/0x50 _cond_resched+0x15/0x30 mei_me_intr_clear+0x20/0x100 mei_stop+0x76/0xb0 mei_me_shutdown+0x3f/0x80 pci_device_shutdown+0x34/0x60 kernel_restart+0x0e/0x30 Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200455 Fixes: 'c110cdb17148 ("mei: bus: make a client pointer always available")' Cc: 4.10+ Tested-by: Georg Müller Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman

mei: bus: fix hw module get/put balance

2018-09-12T07:14:24+00:00

In case the device is not connected it doesn't 'get' hw module and hence should not 'put' it on disable. Cc: 4.16+ Fixes:'commit 257355a44b99 ("mei: make module referencing local to the bus.c")' Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200455 Tested-by: Georg Müller Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman

mei: fix use-after-free in mei_cl_write

2018-09-12T07:14:24+00:00

KASAN reports a use-after-free during startup, in mei_cl_write: BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei] (drivers/misc/mei/client.c:1770) This is caused by commit 98e70866aacb ("mei: add support for variable length mei headers."), which changed the return value from len, to buf->size. That ends up using a stale buf pointer, because blocking call, the cb (callback) is deleted in me_cl_complete() function. However, fortunately, len remains unchanged throughout the function (and I don't see anything else that would require re-reading buf->size either), so the fix is to simply revert the change, and return len, as before. Fixes: 98e70866aacb ("mei: add support for variable length mei headers.") CC: Arnd Bergmann CC: Greg Kroah-Hartman Signed-off-by: John Hubbard Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman

mei: ignore not found client in the enumeration

2018-09-12T07:14:24+00:00

Some of the ME clients are available only for BIOS operation and are removed during hand off to an OS. However the removal is not instant. A client may be visible on the client list when the mei driver requests for enumeration, while the subsequent request for properties will be answered with client not found error value. The default behavior for an error is to perform client reset while this error is harmless and the link reset should be prevented. This issue started to be visible due to suspend/resume timing changes. Currently reported only on the Haswell based system. Fixes: [33.564957] mei_me 0000:00:16.0: hbm: properties response: wrong status = 1 CLIENT_NOT_FOUND [33.564978] mei_me 0000:00:16.0: mei_irq_read_handler ret = -71. [33.565270] mei_me 0000:00:16.0: unexpected reset: dev_state = INIT_CLIENTS fw status = 1E000255 60002306 00000200 00004401 00000000 00000010 Cc: Reported-by: Heiner Kallweit Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman

mei: define dma ring buffer sizes for PCH12 HW and newer

2018-08-02T08:18:30+00:00

Define dma ring buffer sizes for PCH12 (CLN HW and newer) Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman

mei: restrict dma ring support to hbm version 2.1

2018-08-02T08:18:30+00:00

Only a firmware with version 2.1 and above supports dma ring feature. Signed-off-by: Tomas Winkler Signed-off-by: Alexander Usyskin Signed-off-by: Greg Kroah-Hartman

mei: hbm: introduce dma bit in the message header

2018-08-02T08:18:30+00:00

Add dma_ring bit in the mei message header for conveying that the message data itself are on the dma ring. Signed-off-by: Tomas Winkler Signed-off-by: Alexander Usyskin Signed-off-by: Greg Kroah-Hartman

mei: hbm: define dma ring setup protocol

2018-08-02T08:18:30+00:00

The protocol defines how to setup an I/O ring on top of host memory to utilize the device DMA engine for faster transport. Three memory buffers are allocated. A Host circular buffer for from the Host to Device communication. A Device circular buffer for from Device to the Host communication. And finally a Control block where the pointers for the both circular buffers are managed. Signed-off-by: Tomas Winkler Signed-off-by: Alexander Usyskin Signed-off-by: Greg Kroah-Hartman

mei: add support for variable length mei headers.

2018-08-02T08:18:29+00:00

Remove header size knowledge from me and txe hw layers, this requires to change the write handler to accept header and its length as well as data and its length. HBM messages are fixed to use basic header, hence we add mei_hbm2slots() that converts HBM message length and mei message header, while mei_data2slots() converts data length directly to the slots. Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman

mei: add mei_msg_hdr_init wrapper.

2018-07-24T12:16:57+00:00

Wrap the mei header boilerplate initialization code in mei_msg_hdr_init function. On the way remove 'completed' field from mei_cl_cb structure as this information is already included in the header and is local to particular fragment. Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman