summaryrefslogtreecommitdiffstats
path: root/drivers/misc/mei/client.c
diff options
context:
space:
mode:
authorTomas Winkler <tomas.winkler@intel.com>2018-07-12 16:10:08 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-07-12 16:23:19 +0200
commitde8774371cdc4c18cd118490e0d61eccd5f2c4d8 (patch)
tree30fb1acac5d1fc5f5caeb47de3775f326a8112a2 /drivers/misc/mei/client.c
parentmei: don't update offset in write (diff)
downloadlinux-de8774371cdc4c18cd118490e0d61eccd5f2c4d8.tar.xz
linux-de8774371cdc4c18cd118490e0d61eccd5f2c4d8.zip
mei: check for error returned from mei_hbuf_empty_slots()
mei_hbuf_empty_slots() may return with an error in case of circular buffer overflow. This type of error may be caused only by a bug. However currently, the error won't be detected due signed type promotion in comparison to u32. We add explicit check for less then zero and explicit cast in comparison to suppress singn-compare warning. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/misc/mei/client.c')
-rw-r--r--drivers/misc/mei/client.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/drivers/misc/mei/client.c b/drivers/misc/mei/client.c
index 8d6197a88b54..f8fb7589192e 100644
--- a/drivers/misc/mei/client.c
+++ b/drivers/misc/mei/client.c
@@ -865,8 +865,10 @@ int mei_cl_irq_disconnect(struct mei_cl *cl, struct mei_cl_cb *cb,
msg_slots = mei_data2slots(sizeof(struct hbm_client_connect_request));
slots = mei_hbuf_empty_slots(dev);
+ if (slots < 0)
+ return -EOVERFLOW;
- if (slots < msg_slots)
+ if ((u32)slots < msg_slots)
return -EMSGSIZE;
ret = mei_cl_send_disconnect(cl, cb);
@@ -1054,12 +1056,15 @@ int mei_cl_irq_connect(struct mei_cl *cl, struct mei_cl_cb *cb,
int rets;
msg_slots = mei_data2slots(sizeof(struct hbm_client_connect_request));
- slots = mei_hbuf_empty_slots(dev);
if (mei_cl_is_other_connecting(cl))
return 0;
- if (slots < msg_slots)
+ slots = mei_hbuf_empty_slots(dev);
+ if (slots < 0)
+ return -EOVERFLOW;
+
+ if ((u32)slots < msg_slots)
return -EMSGSIZE;
rets = mei_cl_send_connect(cl, cb);
@@ -1296,8 +1301,10 @@ int mei_cl_irq_notify(struct mei_cl *cl, struct mei_cl_cb *cb,
msg_slots = mei_data2slots(sizeof(struct hbm_client_connect_request));
slots = mei_hbuf_empty_slots(dev);
+ if (slots < 0)
+ return -EOVERFLOW;
- if (slots < msg_slots)
+ if ((u32)slots < msg_slots)
return -EMSGSIZE;
request = mei_cl_notify_fop2req(cb->fop_type);
@@ -1573,6 +1580,9 @@ int mei_cl_irq_write(struct mei_cl *cl, struct mei_cl_cb *cb,
}
slots = mei_hbuf_empty_slots(dev);
+ if (slots < 0)
+ return -EOVERFLOW;
+
len = buf->size - cb->buf_idx;
msg_slots = mei_data2slots(len);
@@ -1581,11 +1591,11 @@ int mei_cl_irq_write(struct mei_cl *cl, struct mei_cl_cb *cb,
mei_hdr.reserved = 0;
mei_hdr.internal = cb->internal;
- if (slots >= msg_slots) {
+ if ((u32)slots >= msg_slots) {
mei_hdr.length = len;
mei_hdr.msg_complete = 1;
/* Split the message only if we can write the whole host buffer */
- } else if (slots == dev->hbuf_depth) {
+ } else if ((u32)slots == dev->hbuf_depth) {
msg_slots = slots;
len = (slots * sizeof(u32)) - sizeof(struct mei_msg_hdr);
mei_hdr.length = len;
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-01 02:10:54 +0100