From 80fe6361540fd7e0a38326b02b4f2a5e68c99d0a Mon Sep 17 00:00:00 2001 From: Tomas Winkler Date: Tue, 7 May 2013 21:12:31 +0300 Subject: mei: fix out of array access to me clients array The patch 9f81abdac362: "mei: implement mei_cl_connect function" from Jan 8, 2013, leads to the following static checker warning: "drivers/misc/mei/main.c:522 mei_ioctl_connect_client() warn: check 'dev->me_clients[]' for negative offsets (-2)" Reported-by: Dan Carpenter Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman --- drivers/misc/mei/main.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) (limited to 'drivers/misc/mei/main.c') diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c index 7c44c8dbae42..053139f61086 100644 --- a/drivers/misc/mei/main.c +++ b/drivers/misc/mei/main.c @@ -489,11 +489,16 @@ static int mei_ioctl_connect_client(struct file *file, /* find ME client we're trying to connect to */ i = mei_me_cl_by_uuid(dev, &data->in_client_uuid); - if (i >= 0 && !dev->me_clients[i].props.fixed_address) { - cl->me_client_id = dev->me_clients[i].client_id; - cl->state = MEI_FILE_CONNECTING; + if (i < 0 || dev->me_clients[i].props.fixed_address) { + dev_dbg(&dev->pdev->dev, "Cannot connect to FW Client UUID = %pUl\n", + &data->in_client_uuid); + rets = -ENODEV; + goto end; } + cl->me_client_id = dev->me_clients[i].client_id; + cl->state = MEI_FILE_CONNECTING; + dev_dbg(&dev->pdev->dev, "Connect to FW Client ID = %d\n", cl->me_client_id); dev_dbg(&dev->pdev->dev, "FW Client - Protocol Version = %d\n", @@ -527,11 +532,6 @@ static int mei_ioctl_connect_client(struct file *file, goto end; } - if (cl->state != MEI_FILE_CONNECTING) { - rets = -ENODEV; - goto end; - } - /* prepare the output buffer */ client = &data->out_client_properties; @@ -543,7 +543,6 @@ static int mei_ioctl_connect_client(struct file *file, rets = mei_cl_connect(cl, file); end: - dev_dbg(&dev->pdev->dev, "free connect cb memory."); return rets; } -- cgit v1.2.3 From 7131799b145aa67984cc57e52d6379862c78afa3 Mon Sep 17 00:00:00 2001 From: Tomas Winkler Date: Thu, 23 May 2013 10:03:13 +0300 Subject: mei: deprecate the mei_wd_state_independence_msg wd independence is deprecated, remove it. Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman --- drivers/misc/mei/main.c | 25 ------------------------- 1 file changed, 25 deletions(-) (limited to 'drivers/misc/mei/main.c') diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c index 053139f61086..b9ad5106f5e1 100644 --- a/drivers/misc/mei/main.c +++ b/drivers/misc/mei/main.c @@ -194,7 +194,6 @@ static ssize_t mei_read(struct file *file, char __user *ubuf, struct mei_cl_cb *cb_pos = NULL; struct mei_cl_cb *cb = NULL; struct mei_device *dev; - int i; int rets; int err; @@ -210,20 +209,6 @@ static ssize_t mei_read(struct file *file, char __user *ubuf, goto out; } - if ((cl->sm_state & MEI_WD_STATE_INDEPENDENCE_MSG_SENT) == 0) { - /* Do not allow to read watchdog client */ - i = mei_me_cl_by_uuid(dev, &mei_wd_guid); - if (i >= 0) { - struct mei_me_client *me_client = &dev->me_clients[i]; - if (cl->me_client_id == me_client->client_id) { - rets = -EBADF; - goto out; - } - } - } else { - cl->sm_state &= ~MEI_WD_STATE_INDEPENDENCE_MSG_SENT; - } - if (cl == &dev->iamthif_cl) { rets = mei_amthif_read(dev, file, ubuf, length, offset); goto out; @@ -420,16 +405,6 @@ static ssize_t mei_write(struct file *file, const char __user *ubuf, if (rets) goto out; - cl->sm_state = 0; - if (length == 4 && - ((memcmp(mei_wd_state_independence_msg[0], - write_cb->request_buffer.data, 4) == 0) || - (memcmp(mei_wd_state_independence_msg[1], - write_cb->request_buffer.data, 4) == 0) || - (memcmp(mei_wd_state_independence_msg[2], - write_cb->request_buffer.data, 4) == 0))) - cl->sm_state |= MEI_WD_STATE_INDEPENDENCE_MSG_SENT; - if (cl == &dev->iamthif_cl) { rets = mei_amthif_write(dev, write_cb); -- cgit v1.2.3 From 139aacf757fc89792c43a79ba99bc2361c98ecd3 Mon Sep 17 00:00:00 2001 From: Tomas Winkler Date: Wed, 29 May 2013 20:09:30 +0300 Subject: mei: fix read after read scenario mei read always has to be preceded by write but 'write write read read' scenario should work as well. In this case the offset is not zero but new read should be initiated Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman --- drivers/misc/mei/main.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) (limited to 'drivers/misc/mei/main.c') diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c index b9ad5106f5e1..5e11b5b9b65d 100644 --- a/drivers/misc/mei/main.c +++ b/drivers/misc/mei/main.c @@ -214,19 +214,21 @@ static ssize_t mei_read(struct file *file, char __user *ubuf, goto out; } - if (cl->read_cb && cl->read_cb->buf_idx > *offset) { - cb = cl->read_cb; - goto copy_buffer; - } else if (cl->read_cb && cl->read_cb->buf_idx > 0 && - cl->read_cb->buf_idx <= *offset) { + if (cl->read_cb) { cb = cl->read_cb; - rets = 0; - goto free; - } else if ((!cl->read_cb || !cl->read_cb->buf_idx) && *offset > 0) { - /*Offset needs to be cleaned for contiguous reads*/ + /* read what left */ + if (cb->buf_idx > *offset) + goto copy_buffer; + /* offset is beyond buf_idx we have no more data return 0 */ + if (cb->buf_idx > 0 && cb->buf_idx <= *offset) { + rets = 0; + goto free; + } + /* Offset needs to be cleaned for contiguous reads*/ + if (cb->buf_idx == 0 && *offset > 0) + *offset = 0; + } else if (*offset > 0) { *offset = 0; - rets = 0; - goto out; } err = mei_cl_read_start(cl, length); -- cgit v1.2.3