linux.git/drivers/misc/mei/client.c, branch v5.4.63 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git mei: release me_cl object reference 2020-05-27T15:46:47+00:00 Alexander Usyskin alexander.usyskin@intel.com 2020-05-12T22:31:40+00:00 46f47dda27bc43176c018f96b2b14248c10bdc17 commit fc9c03ce30f79b71807961bfcb42be191af79873 upstream. Allow me_cl object to be freed by releasing the reference that was acquired by one of the search functions: __mei_me_cl_by_uuid_id() or __mei_me_cl_by_uuid() Cc: <stable@vger.kernel.org> Reported-by: 亿一 <teroincn@gmail.com> Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Link: https://lore.kernel.org/r/20200512223140.32186-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit fc9c03ce30f79b71807961bfcb42be191af79873 upstream.

Allow me_cl object to be freed by releasing the reference
that was acquired  by one of the search functions:
__mei_me_cl_by_uuid_id() or __mei_me_cl_by_uuid()

Cc: <stable@vger.kernel.org>
Reported-by: 亿一 <teroincn@gmail.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20200512223140.32186-1-tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: expose device state in sysfs 2019-04-25T17:33:34+00:00 Alexander Usyskin alexander.usyskin@intel.com 2019-04-22T06:51:07+00:00 43b8a7ed4739a86c1e8543489bf5524780f66284 Expose mei device state to user-space through sysfs. This gives indication to applications that driver is in transition, usefully mostly to detect link reset state. Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Expose mei device state to user-space through sysfs.
This gives indication to applications that driver is in transition,
usefully mostly to detect link reset state.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: adjust the copyright notice in the files. 2019-03-27T17:07:54+00:00 Tomas Winkler tomas.winkler@intel.com 2019-03-11T22:10:44+00:00 1e55b609b983f99290d210bf6578cb1a2eb905d2 Use unified version of the copyright notice in the files Update copyright years according the year the files were touched, except this patch and SPDX conversions. Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Use unified version of the copyright notice in the files
Update copyright years according the year the files
were touched, except this patch and SPDX conversions.

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: convert to SPDX license tags 2019-03-27T17:07:54+00:00 Tomas Winkler tomas.winkler@intel.com 2019-03-11T22:10:41+00:00 9fff0425aab086c10b29ce50d440afde7d31a740 Replace boiler plate licenses texts with the SPDX license identifiers in the mei files header. Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Replace boiler plate licenses texts with the SPDX license
identifiers in the mei files header.

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: free read cb on ctrl_wr list flush 2019-01-30T14:24:45+00:00 Alexander Usyskin alexander.usyskin@intel.com 2019-01-30T08:12:26+00:00 cee4c4d63ba7b0df9b2d2a6724c41b2a260d72ec There is a little window during disconnection flow when read cb is moved between lists and may be not freed. Remove moving read cbs explicitly during flash fixes this memory leak. Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
There is a little window during disconnection flow
when read cb is moved between lists and may be not freed.
Remove moving read cbs explicitly during flash fixes this memory
leak.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: dma ring: implement transmit flow 2018-11-26T15:59:48+00:00 Tomas Winkler tomas.winkler@intel.com 2018-11-22T11:11:40+00:00 c30362cc326ac5c3d4e6c96aa8f68dbd86955489 Implement a circular buffer on allocated system memory. Read and write indices are stored on the control block which is also shared between the device and the host. Two new functions are exported from the DMA module: mei_dma_ring_write, and mei_dma_ring_empty_slots. The former simply copy a packet on the TX DMA circular buffer and later, returns the number of empty slots on the TX DMA circular buffer. Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Implement a circular buffer on allocated system memory. Read and write
indices are stored on the control block which is also shared between the
device and the host.
Two new functions are exported from the DMA module: mei_dma_ring_write,
and mei_dma_ring_empty_slots. The former simply copy a packet on the TX
DMA circular buffer and later, returns the number of empty slots on the
TX DMA circular buffer.

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: dma ring: implement rx circular buffer logic 2018-11-26T15:59:48+00:00 Tomas Winkler tomas.winkler@intel.com 2018-11-22T11:11:39+00:00 6316321f12ad30cf5af176f26bb39897b320ef46 Implement circular buffer protocol over receive dma buffer. Add extension to the mei message header that holds length of the buffer on the dma buffer. Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Implement circular buffer protocol over receive dma
buffer. Add extension to the mei message header that holds
length of the buffer on the dma buffer.

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: expedite ioctl return on the notify set operation error 2018-11-07T12:53:03+00:00 Alexander Usyskin alexander.usyskin@intel.com 2018-11-06T10:04:40+00:00 a19bf05359e6c5249766cbbf2937ef83fc9001f9 The notify set operation ioctl will wait till timeout is expired even in case when the FW returned an error. Check the status field of the client object in wait_event_timeout() to determine if the caller can return earlier. Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The notify set operation ioctl will wait till timeout is expired
even in case when the FW returned an error.
Check the status field of the client object in wait_event_timeout()
to determine if the caller can return earlier.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: flush queues by the host client only 2018-11-07T12:53:03+00:00 Alexander Usyskin alexander.usyskin@intel.com 2018-11-06T10:04:39+00:00 87d63352b49e421bb272dbb553bcf7db316c168f During queues flush, the me client in most cases is already unlinked hence the me client id is unavailable. The host client structure pointer is enough for identification. The function mei_cl_cmp_id() is dropped as it has no more usage. Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
During queues flush, the me client in most cases is already
unlinked hence the me client id is unavailable. The host client
structure pointer is enough for identification.
The function mei_cl_cmp_id() is dropped as it has no more usage.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mei: fix use-after-free in mei_cl_write 2018-09-12T07:14:24+00:00 John Hubbard jhubbard@nvidia.com 2018-08-23T06:16:58+00:00 c1a214ad82d7ac6f19fe48f90b13403b40ead9dc KASAN reports a use-after-free during startup, in mei_cl_write: BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei] (drivers/misc/mei/client.c:1770) This is caused by commit 98e70866aacb ("mei: add support for variable length mei headers."), which changed the return value from len, to buf->size. That ends up using a stale buf pointer, because blocking call, the cb (callback) is deleted in me_cl_complete() function. However, fortunately, len remains unchanged throughout the function (and I don't see anything else that would require re-reading buf->size either), so the fix is to simply revert the change, and return len, as before. Fixes: 98e70866aacb ("mei: add support for variable length mei headers.") CC: Arnd Bergmann <arnd@arndb.de> CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: John Hubbard <jhubbard@nvidia.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
KASAN reports a use-after-free during startup, in mei_cl_write:

    BUG: KASAN: use-after-free in mei_cl_write+0x601/0x870 [mei]
       (drivers/misc/mei/client.c:1770)

This is caused by commit 98e70866aacb ("mei: add support for variable
length mei headers."), which changed the return value from len, to
buf->size. That ends up using a stale buf pointer, because blocking
call, the cb (callback) is deleted in me_cl_complete() function.

However, fortunately, len remains unchanged throughout the function
(and I don't see anything else that would require re-reading buf->size
either), so the fix is to simply revert the change, and return len, as
before.

Fixes: 98e70866aacb ("mei: add support for variable length mei headers.")
CC: Arnd Bergmann <arnd@arndb.de>
CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: John Hubbard <jhubbard@nvidia.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>